[LARTC] tc and masquerading probs

Linux Advanced Routing and Traffic Control


Hello,

I'm new to this list and also new to tc, and only a bit experienced with
iptables and iproute2.
I have problems with traffic control on our Linux DSL router running kernel
2.4.3.

Ok, first a small introduction to our network and what we want to achieve
with tc.

Our office has 5 clients with IPs from the local LAN net
192.168.100.0/24.
Our connection to the internet is made by a 1Mbit DSL connection. To give
our clients access to the internet, I've set up iptables on the Linux
router with IP masquerading.
The DSL connection is a dial-up-like connection with a dynamic IP, so only the
router has one internet-registered IP.
Ok, this works fine, all our office PCs can browse the internet etc.

Now, we want to do a bit of bandwidth control with tc. We want to achieve
that 3 of the 5 office PCs don't get the full internet bandwidth of 1Mbit.
They should only have 128kb for incoming traffic from the internet. The 2
other clients should have the full bandwidth.
Because the Linux router also acts as a Samba fileserver, it shouldn't
limit the complete bandwidth coming from the router to the office
PCs. Only the traffic that comes from the internet should be controlled.

Ok, now I've read the Linux 2.4 Advanced Routing HOWTO and some other
documents that I could find about tc. All the examples describe an
environment with a Linux box that has 2 ethernet cards, but our router only
has 1. This one ethernet adapter (eth0) is bound to the ppp0 device and
handles the LAN traffic.
Here's a short scheme:

INTERNET <-----> [ ppp0/Dynamic IP --- Linux router --- eth0/192.168.100.250 ] <------> Office LAN 192.168.100.0/24

Ok, my thoughts were to mark the incoming packets from ppp0 in the mangle
table of the firewall.

Now, first here is how I set up tc.

tc qdisc add dev eth0 root handle 100: cbq bandwidth 100Mbit avpkt 1000
tc class add dev eth0 parent 100:0 classid 100:1 cbq bandwidth 100Mbit rate 100Mbit \
  allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
tc class add dev eth0 parent 100:1 classid 100:128 cbq bandwidth 100Mbit rate 128Kbit \
  allot 1513 weight 13Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 100:128 sfq quantum 1514b perturb 15
tc filter add dev eth0 protocol ip parent 100:0 prio 1 handle 1 fw classid 100:128

Nothing spectacular. You see, I want to limit the traffic of all firewall-
marked packets to 128Kbit. I think this doesn't limit any traffic that comes
directly from the Linux box, like Samba file services.

Now, the thing I have the problems with: the marking of the packets.
As I've introduced at the start of this mail, I want to mark only packets that
come from my ppp0 device and only the packets for 3 clients of my office.

I've tried it with the following command:

iptables -I PREROUTING -t mangle -i ppp0 -d 192.168.100.4 -j MARK --set-mark 0x1

This should mark all packets that come from ppp0 and are destined for
192.168.100.4. But it doesn't work, the workstation still has the full
bandwidth, because no packets are marked.

If I mark all the packets from ppp0 with:

iptables -I PREROUTING -t mangle -i ppp0 -j MARK --set-mark 0x1

it works. The traffic is limited to 128Kbit, but now for all clients on the
LAN and not only for some specific ones.

Hmm, what is the problem here? Maybe I think it's a problem with the IP
masquerading. As the packets arrive in the PREROUTING chain of the mangle
table, the destination IP for the LAN client is still masqueraded with the
real internet IP of the ppp0 device.
I also tried to mark packets in the OUTPUT chain of mangle, but this also
doesn't work. Marking packets in any other table than mangle isn't possible.

Now, what can I do? Could some of the experts here assist me a bit
with my problem?

I know I could do the traffic control for specific IPs with u32, but this
would shape all packets from the Linux box and not only the packets
incoming from the internet. Maybe it is possible to mix the u32 and fw
classifiers so that the shaping only affects firewall-marked packets
for specific IPs?

It would be nice if anyone could help me.

Thanks.

Greetings,

Markus
mdages@xxxxxxx
Germany
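Added example, not from the mail above or from a list reply: a dry-runnable script that installs the CBQ setup from the mail and places the MARK rules in the mangle FORWARD chain instead of PREROUTING. On a 2.4 kernel the mangle PREROUTING hook (priority -150) runs before the nat PREROUTING hook (-100) that reverses the masquerade, so a reply from ppp0 still carries the router's public address as destination there, while mangle FORWARD sees the LAN address; the interface names, mark value and tc parameters are taken from the mail, and the list of three limited hosts is constructed (only 192.168.100.4 appears in the mail).

```shell
#!/bin/sh
# Added example, not from the original mail or the LARTC list.
# Netfilter hook order on 2.4: mangle PREROUTING (priority -150) runs before
# nat PREROUTING (-100), so a reply arriving on ppp0 still has the router's
# public address as destination there; mangle FORWARD runs after the
# masquerade has been reversed and sees the LAN address. Hence the marking
# is done in mangle FORWARD, restricted to ppp0 -> eth0 traffic.
# Assumed: eth0, ppp0, mark 1 and the CBQ setup from the mail; the host list
# is constructed (only 192.168.100.4 appears in the mail).
set -eu
LAN_DEV=eth0
WAN_DEV=ppp0
LIMITED_HOSTS="192.168.100.4 192.168.100.5 192.168.100.6"
MARK=1

# run: print the command with DRY_RUN=1, otherwise execute it (needs root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One MARK rule per limited host. Locally generated traffic (Samba on the
# router) goes through OUTPUT/POSTROUTING, never FORWARD, so it stays unmarked.
mark_rules() {
    for host in $LIMITED_HOSTS; do
        run iptables -t mangle -A FORWARD -i "$WAN_DEV" -o "$LAN_DEV" \
            -d "$host" -j MARK --set-mark "$MARK"
    done
}

# CBQ on eth0 as in the mail; the fw filter sends marked packets to the
# bounded 128Kbit class, everything else stays in the 100Mbit parent class.
shape_rules() {
    run tc qdisc add dev "$LAN_DEV" root handle 100: cbq bandwidth 100Mbit avpkt 1000
    run tc class add dev "$LAN_DEV" parent 100:0 classid 100:1 cbq bandwidth 100Mbit \
        rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
    run tc class add dev "$LAN_DEV" parent 100:1 classid 100:128 cbq bandwidth 100Mbit \
        rate 128Kbit allot 1514 weight 13Kbit prio 5 maxburst 20 avpkt 1000 bounded
    run tc qdisc add dev "$LAN_DEV" parent 100:128 sfq quantum 1514b perturb 15
    run tc filter add dev "$LAN_DEV" protocol ip parent 100:0 prio 1 handle "$MARK" fw classid 100:128
}

if [ "${1:-}" = apply ]; then
    mark_rules
    shape_rules
fi
```

Run `DRY_RUN=1 sh script.sh apply` to see the exact iptables and tc commands without touching the router, and `sh script.sh apply` as root to install them.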




