On Wed, 2011-11-16 at 09:50 -0600, Lloyd Standish wrote:

> I have improved my previous post in hope of some advice, or at least a
> suggestion on where to ask this sort of question.

Yep, I am planning on reading your other post when I get round to it, but it was quite long...

> Suppose one is building a netfilter router, LAN to Internet, with
> multiple outward-facing interfaces (eth1, eth2, and eth3). There needs
> to be load-balancing over the outward interfaces.

Have you got this part working okay?

> There needs to be
> bandwidth-limiting for users on the LAN. Users are typical Internet
> users (primarily http download with some important interactive traffic
> such as VOIP.)
>
> Theoretically, can per-user bandwidth-limiting be done on egress of the
> LAN using htb+prio+sfq without encountering insurmountable latency
> problems due to queuing of incoming packets in the router?

If you are limiting per-user, then depending on the number of users, you may run into problems. There was a similar discussion here a while ago:

http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/41664

The upshot of that thread was to switch to u32 hashing filters if you can.

> Should
> traffic shaping (prioritizing of packets for interactive traffic)
> probably be an adequate solution to any latency problems?

I do it reasonably successfully with a lot of users on a small link. http://andybev.com has some of the details.

> Is there a way to use a policing queuing discipline in a case like
> this?

My personal opinion is that you shouldn't limit per user. You should instead prioritise traffic properly. This way you'll have a lot fewer classes and a lot less overhead. The traffic of heavy users over-using the link will get less priority than low-bandwidth applications, so you will achieve the same effect.

> (I assume it would have to be on egress of the LAN interface,
> since I cannot see how to police on ingress of the Internet-facing
> interfaces due to the per-user bandwidth-limiting.)

Correct, you need to stick with egress shaping, so your inbound links from the internet will need to be shaped on the internal LAN interface.

Andy
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
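The shaper layout Andy recommends above (download direction shaped on the LAN interface's egress, a handful of priority classes with SFQ leaves rather than one class per user), written out as an added example. This is not Andy's configuration and not taken from andybev.com; it assumes eth0 is the LAN side, a combined downstream capacity of 20 Mbit/s, VoIP marked DSCP EF, and the 20/60/20 class split and port-based filters are illustrative choices, not anything the thread specifies.

```shell
#!/bin/sh
# Egress shaper for the LAN-facing interface of a netfilter router
# (download direction).  Added illustration, not code from the original
# thread or andybev.com.  Assumptions: LAN interface eth0, 20 Mbit/s total
# downstream, VoIP marked DSCP EF (TOS byte 0xb8), HTTP treated as bulk.
# Set TC="echo tc" for a dry run that only prints the commands.
set -e

TC="${TC:-tc}"

# Percentage of a rate, in integer kbit/s.
pct() { echo $(( $1 * $2 / 100 )); }

# Emit the tc argument lists (one per line) for device $1 at $2 kbit/s.
# Each class gets rate = guaranteed share and ceil = the whole link, so any
# class may borrow idle bandwidth; HTB's prio field decides who borrows
# first, so interactive traffic wins when the link is saturated.
# Three classes in total, however many users sit behind the router.
shaper_commands() {
    dev=$1
    link=$2
    inter=$(pct "$link" 20)   # interactive: VoIP, DNS replies (assumed split)
    norm=$(pct "$link" 60)    # normal: anything not otherwise classified
    bulk=$(pct "$link" 20)    # bulk: HTTP downloads (assumed)
    # Note: u32 "ip sport"/"ip dport" match at a fixed offset and so assume an
    # IP header without options; "ip tos 0xb8 0xfc" masks off the ECN bits.
    cat <<EOF
qdisc add dev $dev root handle 1: htb default 20
class add dev $dev parent 1: classid 1:1 htb rate ${link}kbit ceil ${link}kbit
class add dev $dev parent 1:1 classid 1:10 htb rate ${inter}kbit ceil ${link}kbit prio 0
class add dev $dev parent 1:1 classid 1:20 htb rate ${norm}kbit ceil ${link}kbit prio 1
class add dev $dev parent 1:1 classid 1:30 htb rate ${bulk}kbit ceil ${link}kbit prio 2
qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
qdisc add dev $dev parent 1:30 handle 30: sfq perturb 10
filter add dev $dev parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:10
filter add dev $dev parent 1: protocol ip prio 2 u32 match ip protocol 17 0xff match ip sport 53 0xffff flowid 1:10
filter add dev $dev parent 1: protocol ip prio 3 u32 match ip protocol 6 0xff match ip sport 80 0xffff flowid 1:30
EOF
}

# Install the shaper on device $1 at $2 kbit/s.  Any existing root qdisc is
# removed first (the del fails harmlessly when none is installed).
apply_shaper() {
    $TC qdisc del dev "$1" root 2>/dev/null || true
    shaper_commands "$1" "$2" | while IFS= read -r line; do
        # Word splitting of $line is intended: each line is one tc argument list.
        $TC $line
    done
}

# Usage: LAN_IF=eth0 LINK_KBIT=20000 sh shaper.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_shaper "${LAN_IF:-eth0}" "${LINK_KBIT:-20000}"
fi
```

The SFQ leaf under each class is what makes "heavy users get less priority" work without per-user classes: within a class, SFQ round-robins between flows, so one user's ten parallel downloads cannot starve another user's single connection, and the HTB prio ordering keeps the interactive class ahead of both. Upload needs the mirror-image setup on each of eth1, eth2 and eth3 with the respective uplink rate, since shaping only acts on egress.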