Hi.

I think I have quite a common configuration on my firewall:

eth0 - to provider (1Mbps) (imq0 attached on prerouting)
eth1 - local network (100Mbps) (private IPs) - users with certain priorities
eth2 - DMZ (100Mbps) (public IPs)

I'm trying to set up traffic shaping that would give both networks (local and DMZ) 512kbps for connection to/from the Internet and unlimited traffic between them (local <-> DMZ), while still managing the same priorities for the local users (some of them should have 'better' service than others within the 512kbps limit).

The problem I cannot overcome is the NAT - packets entering imq0 have a public IP, so I can't distinguish which local user a packet is heading for. On the other hand, if I try to shape them on eth1, I will have to create a class with 100Mbps throughput and then a subclass with 512kbps, which seems a very 'inelegant' solution to me.

Is there any other way to shape in that kind of situation?

best regards
przem