Can someone please help with a tcng setup? I have played with tc and tcng in the past, and now would like to get some serious rules in place. However, I have a difficulty in setting them up.
My setup is as follows. One machine working as a firewall:
eth0 is the interface connected to a 512K DSL line
eth1 is connected to a LAN
eth2 is connected to another LAN, a bit like a DMZ
eth1 and 2 are totally different subnets, 10.1.1.x and 10.2.1.x, both class B (sorry, this is a system I inherited, I am slowly getting ready to collapse it all to class C).
I wanted to set the following rules:
High priority data needs to be some ssh from 10.1.1.x/16 (all) to external IPs.
Priority is to be given to data going to 10.1.1.x/16 over the DMZ data.
Input is 55KB/s, output is 25KB/s
To the DMZ from the LAN, there should be no throttling.
To the LAN from the DMZ, there should be no throttling. (100Mb/s)
SSH data should be given priority over HTTP
SMTP should be given priority over HTTP
HTTP is given priority over anything else
Interfaces:
eth0, 512Kb/s input, 256Kb/s output
eth1, 100Mb/s each way
eth2, 100Mb/s each way
And I wrote out some rules. These rules seem to be correct, as far as I can tell, but I stupidly forgot that this is all egress, and it cannot be done as easily with ingress. Can someone please help by showing me how I can modify these to give me control over the bandwidth in (albeit limited) as well as out? Also could someone explain how I can easily write flows to test all of the possible traffic I might be experiencing?
My aim is that any normal ssh to any machine, whether coming from the DMZ to the internet, or from the LAN to the internet, should get at least 2KB/s low-latency traffic each, even if other machines or other connections are being made in the background.
I am wondering whether my first qdisc should in fact be an SFQ and then HTBs below it?
All help will be gratefully received.
Thank you,
Gareth
----- Start long probably incorrect tcng code (I have left out the ingress code I had, because it didn't work at all, and I didn't understand any of it)
#define INTERNET eth0
#define LAN eth1
#define DMZ eth2

#define INTERNET_IP 0.0.0.0/0
#define DMZ_IP 10.2.1.0/16
#define LAN_IP 10.1.1.0/16

#define maxadsl 600kbps/2
#define highadsl 500kbps/2
#define medadsl 400kbps/2
#define midadsl 300kbps/2
#define lowadsl 200kbps/2
#define intadsl 150kbps/2
#define vloadsl 100kbps/2
#define noadsl 50kbps/2

dev INTERNET {
    /* three-colour meter for traffic that matches none of the named services */
    $meter = trTCM(cir 128kbps, cbs 10kB, pir 200kbps, pbs 10kB);

    egress {
        /* port and address conditions are joined with &&; a second "if" is not valid tcng */
        class (<$lanssh>) if (tcp_sport == 22 || tcp_dport == 22) && (ip_src == LAN_IP || ip_dst == LAN_IP);
        class (<$dmzssh>) if (tcp_sport == 22 || tcp_dport == 22) && (ip_src == DMZ_IP || ip_dst == DMZ_IP);
        class (<$ssh>) if (tcp_sport == 22 || tcp_dport == 22) && ip_tos_delay == 1;
        class (<$smtp>) if tcp_sport == 25 || tcp_dport == 25;
        class (<$lanhttp>) if (tcp_sport == 80 || tcp_dport == 80) && (ip_src == LAN_IP || ip_dst == LAN_IP);
        class (<$dmzhttp>) if (tcp_sport == 80 || tcp_dport == 80) && (ip_src == DMZ_IP || ip_dst == DMZ_IP);
        class (<$http>) if tcp_sport == 80 || tcp_dport == 80;
        class (<$othermed>) if trTCM_green($meter);
        class (<$otherslow>) if trTCM_yellow($meter);
        drop if trTCM_red($meter);
        class (<$otherslow>) if 1;   /* catch-all; the drop below is never reached */
        drop if 1;

        htb () {
            class (rate maxadsl, ceil maxadsl) {
                $ssh = class (rate medadsl, ceil highadsl) {
                    $lanssh = class (rate midadsl, ceil medadsl) { sfq (perturb 10 sec); };
                    $dmzssh = class (rate vloadsl, ceil lowadsl) { sfq (perturb 10 sec); };
                };
                $smtp = class (rate midadsl, ceil highadsl) { sfq (perturb 10 sec); };
                $http = class (rate lowadsl, ceil highadsl) {
                    $lanhttp = class (rate lowadsl, ceil highadsl) { sfq (perturb 10 sec); };
                    $dmzhttp = class (rate lowadsl, ceil highadsl) { sfq (perturb 10 sec); };
                };
                $othermed = class (rate lowadsl, ceil medadsl) { sfq (perturb 10 sec); };
                $otherslow = class (rate noadsl, ceil intadsl) { sfq (perturb 10 sec); };
            }
        }
    }
}
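The ingress side the post asks about, as an added example that is not the poster's code, written with plain iproute2 tc commands rather than tcng: an ingress qdisc on eth0 with u32 filters that police incoming traffic. Ingress cannot queue, only drop, so the way to keep headroom for ssh is to police the bulk traffic below the link rate; the interface, subnets and 512 kbit link rate are the post's, the 400 kbit bulk cap and the DRY_RUN switch are assumptions of this script.

```shell
#!/bin/sh
# Ingress policing for the DSL interface. Added example, not from the post.
# Assumes iproute2 "tc". DRY_RUN=1 prints the commands instead of running them.
TC="${TC:-tc}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'tc %s\n' "$*"
    else
        "$TC" "$@"
    fi
}

# ingress_police DEV LINK_KBIT BULK_KBIT
#   LINK_KBIT: downstream rate of the line (512 for the post's DSL)
#   BULK_KBIT: cap for everything that is not ssh; the gap up to LINK_KBIT is
#              the headroom that keeps interactive ssh usable under load
ingress_police() {
    dev="$1"; link_kbit="$2"; bulk_kbit="$3"

    run qdisc del dev "$dev" ingress 2>/dev/null || true
    run qdisc add dev "$dev" handle ffff: ingress

    # ssh replies arriving from the internet (TCP, source port 22) towards the
    # LAN may use the whole link
    run filter add dev "$dev" parent ffff: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip sport 22 0xffff match ip dst 10.1.1.0/16 \
        police rate "${link_kbit}kbit" burst 10k drop flowid :1

    # ssh towards the DMZ ranks below LAN ssh: it gets a lower policer
    run filter add dev "$dev" parent ffff: protocol ip prio 2 u32 \
        match ip protocol 6 0xff match ip sport 22 0xffff match ip dst 10.2.1.0/16 \
        police rate "$((link_kbit / 2))kbit" burst 10k drop flowid :2

    # everything else is held below the link rate; ingress cannot queue, so
    # the excess is dropped and TCP senders back off
    run filter add dev "$dev" parent ffff: protocol ip prio 3 u32 \
        match u32 0 0 \
        police rate "${bulk_kbit}kbit" burst 10k drop flowid :3
}

# usage: DRY_RUN=1 sh ingress.sh eth0 512 400
if [ $# -ge 1 ]; then
    ingress_police "$1" "${2:-512}" "${3:-400}"
fi
```

Run it with DRY_RUN=1 first to inspect the generated tc commands; without it the filters are installed and need root.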
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/