[LARTC] Multiple rate limited networks and transparent http proxy - tricky problem

Linux Advanced Routing and Traffic Control

Wouldn't stuff coming from Squid have a defined source port number?  If
so, would a fwmark on all packets from that IP Address and Squid's TCP
source port do the trick?

- Greg Scott


-----Original Message-----
From: Aaron A. Wolfe [mailto:aaron@aaronwolfe.com]
Sent: Monday, December 23, 2002 3:40 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Multiple rate limited networks and transparent http
proxy - tricky problem


Hello,

We have a box with good connectivity which we divide among several
internal networks by having a different interface for each internal
network and rate limiting outgoing traffic on each of these interfaces.

We are using cbq and a u32 match on the destination to organize the
packets.  This works very well for us, but there may be a better way,
I'm no expert at this!

We also use a squid proxy set up in transparent mode with a NAT rule to
send all outgoing http requests to the proxy.  This also works very well
to save some of our bandwidth.

My "problem" is that of course the rate limiting applies to *all*
traffic going out the internal interfaces, so even objects that are in
the squid cache are given to the clients at a fairly slow speed.

I am trying to figure out a way to allow cached objects to be sent at
full ethernet speed while still rate limiting objects that have to be
fetched from the internet.  It is puzzling to me because I cannot
differentiate cached and noncached data coming from squid at the packet
level.  I was actually thinking about a quick hack on Squid to set some qos
or other bit in the tcp headers for connections containing cached
objects but this is probably beyond my limited skills.  I haven't found
anyone on the web doing something similar in a quick search.

The other theory I had was to limit the traffic on its way to squid
rather than after..  This would eliminate the need to distinguish
between cache and noncache post squid.  The problem here is how do I
apply the different rate limits to the different internal networks,
since all incoming traffic will be bound for the squid proxy not the
destination clients.  I have considered creating several external
interfaces, running a separate squid for each internal network and
having each squid use a different outgoing interface.. This allows what
I want I think but gets very complicated, and I'm not sure if I can have
all the instances share a cache directory.. If not the usefulness of the
cache is quite limited.

Any thoughts on this are much appreciated!

-Aaron
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
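Sketch of the fwmark idea from Greg Scott's reply, written as an added example for this archive page (it is not code from either poster). It marks packets Squid sends from its listening port in the mangle table and steers them, with a tc fw filter, into a separate cbq class on each internal interface while the existing u32 destination match keeps the per-network limit for everything else. Interface names, addresses, rates and the mark value are assumptions; 3128 is Squid's default http_port. Commands are only printed unless APPLY=1 is set, so the script can be reviewed without touching a live router.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values below; adjust to taste.
SQUID_IP="${SQUID_IP:-10.0.0.1}"   # assumed: address Squid replies from
SQUID_PORT="${SQUID_PORT:-3128}"   # Squid's default http_port
MARK="${MARK:-7}"                  # assumed: fwmark value for Squid traffic
IFACE_BW="100Mbit"                 # assumed: physical speed of internal NICs

# Print a command; execute it only when APPLY=1 (dry run by default).
run() {
    printf '%s\n' "$1"
    if [ "${APPLY:-0}" = "1" ]; then
        eval "$1"
    fi
}

# Mark every TCP segment Squid sends from its listening port. The mangle
# OUTPUT chain sees Squid's own source port; the transparent-proxy NAT is
# reversed later, in POSTROUTING, so the match is on 3128, not 80.
mark_squid_replies() {
    run "iptables -t mangle -A OUTPUT -p tcp -s $SQUID_IP --sport $SQUID_PORT -j MARK --set-mark $MARK"
}

# Per internal interface: class 1:1 keeps the rate limit for the network
# (u32 match on destination, as in the original setup); class 1:2 runs at
# interface speed and is reached only by marked packets via the fw filter,
# whose lower prio number makes it match before the u32 rule.
shape_interface() {
    dev="$1"; net="$2"; limit="$3"
    run "tc qdisc add dev $dev root handle 1: cbq bandwidth $IFACE_BW avpkt 1000"
    run "tc class add dev $dev parent 1: classid 1:1 cbq bandwidth $IFACE_BW rate $limit allot 1514 prio 5 bounded isolated"
    run "tc class add dev $dev parent 1: classid 1:2 cbq bandwidth $IFACE_BW rate $IFACE_BW allot 1514 prio 1 bounded isolated"
    run "tc filter add dev $dev parent 1: protocol ip prio 1 handle $MARK fw classid 1:2"
    run "tc filter add dev $dev parent 1: protocol ip prio 2 u32 match ip dst $net flowid 1:1"
}

# Full plan for two assumed internal networks; prints 11 commands.
plan() {
    mark_squid_replies
    shape_interface eth1 192.168.1.0/24 1Mbit
    shape_interface eth2 192.168.2.0/24 2Mbit
}

plan
```

Note what the mark does and does not tell you: it separates traffic Squid delivers from traffic that bypasses the proxy, which is the distinction Greg's reply is about, but it cannot tell a cache hit from a cache miss at the packet level, so the miss case in Aaron's question still needs a separate answer (for example a limit applied on Squid's upstream fetches rather than on its replies).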

