Ok, I messed around with 6 different setups over 10 hours yesterday. The
only one I can get to work properly is my original one.
So, now I'm to the theory stage of trying to figure this out. I got a
reply from a mailing list user saying I need to do egress filtering in
two places.
While I could not understand what they were saying very well, it did
leave me to ponder this theory. It seems to me the whole problem has
been how I am handling ingress traffic on eth0 (WAN interface). As it
stands, I do rate limit it and will drop if it's coming in too fast. But
is there anything that's stopping me from routing ingress traffic through
the egress queues on its way to the LAN? Or will that seriously break
traffic shaping?
What I'm thinking is, the ingress qdisc doesn't really control
anything. So, if I were to route it (say with an iptables rule) to an
egress qdisc on eth1, I could truly control ingress traffic.
I really don't think this will work as it seems like I am quashing all
the traffic down one side of what should be a two sided link. While I
cannot think of a way to visualize this with ASCII art, I can summarize
the ingress and egress pathways in linear format, as such:
Egress (LAN to Internet):
  LAN traffic ---> eth1 (egress) ---> eth0 (egress) ---> WAN

Ingress (Internet to LAN):
  LAN <--- eth1 (ingress) <--- eth0 (egress to eth1 ingress) <--- eth0 (ingress) <--- WAN traffic

or

Egress (LAN to Internet):
  LAN traffic ---> eth1 (egress) ---> eth0 (egress) ---> WAN

Ingress (Internet to LAN):
  LAN <--- eth1 (egress) <--- eth0 (ingress to eth1 ingress) <--- eth0 (ingress) <--- WAN traffic
I hate to be so pessimistic. But so far all I've gotten is everyone
saying "You need to filter ingress traffic" with no real or concrete
examples of how to do such a thing. And the LARTC How To doesn't
describe it very well either. It's like ingress filtering is just not
done, and those that do it are using such complicated methods that it's
not worth sharing them.
So, unless someone can provide me with a concrete example of true
ingress filtering, or how to filter ingress on the LAN side or WAN side
or whichever side I need to filter it on, I am completely stuck.
Vadtec
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
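A concrete version of the "egress in two places" layout the post is asking about, as an added example that is not part of the original message or the LARTC HOWTO: upload is shaped on eth0 egress, download is shaped on eth1 egress (the LAN side), and the eth0 ingress qdisc is kept only as a policer. The interface names follow the post; the rates, the port-based class split and the police burst are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the LARTC HOWTO: the "egress in
# two places" layout. Upload is shaped where it leaves the box (eth0 egress);
# download is shaped where it leaves the box toward the LAN (eth1 egress). The
# ingress qdisc on eth0 can only police (drop), so it stays as a coarse safety
# net. Interface names and rates are assumptions; set the rates a little below
# the real link speed so this box, not the ISP, is where packets queue.
TC="${TC:-tc}"
WAN=eth0; LAN=eth1
UP_KBIT=800            # upstream rate, kbit/s
DOWN_KBIT=4000         # downstream rate, kbit/s

# install_shaper DEV RATE_KBIT DIR: HTB root, 30% interactive / 70% bulk, SFQ leaves.
# DIR is "up" (LAN->WAN) or "down" (WAN->LAN): replies from a remote SSH or DNS
# server arrive with sport 22/53, so the interactive match flips from dport to sport.
install_shaper() {
    dev=$1; kbit=$2; dir=$3
    hi=$((kbit * 3 / 10)); lo=$((kbit - hi))
    [ "$dir" = up ] && portkey=dport || portkey=sport
    $TC qdisc del dev "$dev" root 2>/dev/null
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${kbit}kbit" ceil "${kbit}kbit"
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${hi}kbit" ceil "${kbit}kbit" prio 0
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${lo}kbit" ceil "${kbit}kbit" prio 1
    $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    # SSH and DNS go to the interactive class; everything else falls to default 1:20
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip "$portkey" 22 0xffff flowid 1:10
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip "$portkey" 53 0xffff flowid 1:10
}

# police_ingress DEV RATE_KBIT: the ingress qdisc cannot queue, only drop above RATE,
# so this is a blunt backstop in case something bypasses the eth1 shaper.
police_ingress() {
    dev=$1; kbit=$2
    $TC qdisc del dev "$dev" ingress 2>/dev/null
    $TC qdisc add dev "$dev" handle ffff: ingress
    $TC filter add dev "$dev" parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 \
        police rate "${kbit}kbit" burst 20k drop flowid :1
}

main() {
    # "apply" runs tc for real (needs root); anything else just prints the commands
    [ "${1:-}" = apply ] || TC="echo tc"
    police_ingress "$WAN" "$DOWN_KBIT"         # WAN ingress: coarse policer
    install_shaper "$WAN" "$UP_KBIT" up         # WAN egress: shapes upload
    install_shaper "$LAN" "$DOWN_KBIT" down     # LAN egress: shapes download
}
main "$@"
```

Run without arguments to see the tc commands it would issue; run with `apply` as root to install them.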