Chris Hoy Poy wrote:
> There's actually considerably more documentation "online" inside monowall ;)
> especially for the traffic shaper :) More than enough to understand how it
> works, and the shaper wizard is pretty good for an initial starting point
> (it's prolly easier not to include the peer-to-peer tweaks, as these make the
> initial list huge, and I found it difficult to interpret what was going on
> with those rules there.. not that they are bad rules, just that there are
> heaps of them and if you are trying to learn, best not to include etc).
> The traffic shaper in m0n0wall is pretty good I think - it'll do the same
> capping as your rules.. if FTP is set to have a guarantee of 5% (or even 1%)
> it'll still take up the full 100% if that's available. Any other traffic can
> take away etc.. so yeah, it does what I think you're concerned about..
> On Monday 23 October 2006 10:02, Mark Ryan wrote:
>> Chris Hoy Poy wrote:
>>> As far as I can see, nothing special in that mix..
>>> Inbound NAT (FTP, SMTP)
>>> Traffic shaping
>>> in which case, M0n0wall will do the trick, and this will be much more
>>> readable in M0n0wall's portal anyway.
>>> I made the same move from ipCop to M0n0wall, albeit I knew nothing about
>>> ipCop and just wanted something I knew a bit better. Monowall's pretty
>>> simple, and that makes it a lot easier to troubleshoot. Plus some of the
>>> gurus on this list don't seem to be able to leave their email for longer
>>> than 10 mins, and you usually get good replies pretty quickly ;)
>>> On Sunday 22 October 2006 23:04, Mark Ryan wrote:
>>>> I currently use ipcop on an old machine and I love it; however, I am
>>>> interested in moving to an embedded box with monowall. I wrote my own
>>>> custom traffic shaping rules for linux and I would like to know if the
>>>> same setup is possible with monowall. Here are my rules:
>>>> # clear out the chain and set up a new chain
>>>> # (the jump is deleted from POSTROUTING, the chain it is inserted into
>>>> # below; deleting it from OUTPUT would leave the old jump in place, so
>>>> # -X would fail and a second run would stack a duplicate jump)
>>>> iptables -t mangle -D POSTROUTING -o eth1 -j BW-OUT 2> /dev/null > /dev/null
>>>> iptables -t mangle -F BW-OUT 2> /dev/null > /dev/null
>>>> iptables -t mangle -X BW-OUT 2> /dev/null > /dev/null
>>>> iptables -t mangle -N BW-OUT
>>>> iptables -t mangle -I POSTROUTING -o eth1 -j BW-OUT
>>>> # mark packets: 3 is active ftp and passive ftp, 2 is email, 1 is ACK
>>>> # for downloads and everything else
>>>> # (order matters: the first matching MARK/RETURN pair wins, so a short
>>>> # packet is classed as an ACK even when it belongs to an FTP or SMTP flow)
>>>> iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j MARK --set-mark 1
>>>> iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j RETURN
>>>> iptables -t mangle -A BW-OUT -m tcp -p tcp --dport 25 -j MARK --set-mark 2
>>>> iptables -t mangle -A BW-OUT -m tcp -p tcp --dport 25 -j RETURN
>>>> iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j MARK --set-mark 3
>>>> iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j RETURN
>>>> iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 3
>>>> iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j RETURN
>>>> # clear the qdisc (errors silenced so a first run does not complain)
>>>> tc qdisc del dev eth1 root 2> /dev/null
>>>> # add the root qdisc; unmarked traffic falls into class 1:10
>>>> tc qdisc add dev eth1 root handle 1: htb default 10
>>>> # add main rate limit class and 3 leaves (tc's kbps means kilobytes/s;
>>>> # the leaf rates sum to the parent's 105kbps, so every guarantee can be
>>>> # honoured, and any leaf may borrow up to the 105kbps ceil when idle
>>>> # capacity exists, lower prio values being served first)
>>>> tc class add dev eth1 parent 1: classid 1:1 htb rate 105kbps ceil 105kbps
>>>> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 45kbps ceil 105kbps prio 0
>>>> tc class add dev eth1 parent 1:1 classid 1:11 htb rate 40kbps ceil 105kbps prio 1
>>>> tc class add dev eth1 parent 1:1 classid 1:12 htb rate 20kbps ceil 105kbps prio 2
>>>> # filter traffic into classes by fw mark, following the prio order of
>>>> # the classes above (1 -> 1:10 ACK, 2 -> 1:11 email, 3 -> 1:12 FTP)
>>>> tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1 fw flowid 1:10
>>>> tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 2 fw flowid 1:11
>>>> tc filter add dev eth1 parent 1:0 prio 2 protocol ip handle 3 fw flowid 1:12
>>>> These rules work perfectly for my setup. They cap my ftp server to 100K
>>>> and when an email is sent, the email has priority. The sharing and
>>>> priority setup is also great so that the higher priority root class can
>>>> borrow from the ftp if needed. They also allow the small ack packets to
>>>> get priority so that downloads don't suffer.
>>>> Is this possible with monowall?
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>> Unfortunately the docs for the traffic shaper are sparse. Not enough
>> detail to learn without actually installing monowall and hacking away.
>> Maybe I will just buy a WRAP package and just go for it, figure it out
>> later. If I can't get monowall to shape like I want, I could always use
>> something else I guess.
OK. Yes, that's exactly what I want. I want FTP to have 100% of the
capped rate until something else needs it, whether it be email, http, ack
or whatever. It took me a long time to figure out LARTC and iptables to
do what I wanted.
It seems that I will be able to specify ports 50000-51000 as ftp in
m0n0wall just as I do in linux. Assign that a lower weight pipe and
then assign normal stuff a higher weight.
I guess I should just pull the trigger and order that sweet looking
m1n1wall embedded box from netgate and give it a shot. That, along with
a 12 pack and a few days, ought to be enough to figure it out.
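The behaviour the thread argues about (FTP filling the whole capped rate when alone, email taking it back on demand, small ACKs always getting through) can be checked without a router. The following is an added illustration, not code from this thread, from m0n0wall or from LARTC: a small Python model of the quoted iptables/tc setup. `classify()` mirrors the first-match order of the BW-OUT mangle chain, and `allocate()` reproduces HTB's steady-state rate/ceil/prio lending (guarantees first, then the parent's spare capacity lent in strict prio order up to each ceil). It models shares only, not token-bucket timing, and the class names, the offered loads in `scenarios()` and the function names are constructed for the example. Note that tc's `kbps` unit means kilobytes per second.

```python
# Added illustration (not code from this thread or from m0n0wall): a
# steady-state model of the quoted iptables/tc setup.  classify() follows
# the BW-OUT chain's first-match order; allocate() follows HTB's
# rate/ceil/prio lending.  tc's "kbps" means kilobytes/second.
from dataclasses import dataclass

MARK_ACK, MARK_SMTP, MARK_FTP = 1, 2, 3   # fw marks set by the mangle chain
MARK_TO_CLASS = {MARK_ACK: "1:10", MARK_SMTP: "1:11", MARK_FTP: "1:12"}
DEFAULT_CLASS = "1:10"                    # 'htb default 10' for unmarked packets


def classify(proto: str, length: int, sport: int, dport: int) -> int:
    """Return the fw mark BW-OUT would set (0 = left unmarked).

    Rules are evaluated top to bottom and the first MARK/RETURN pair wins,
    exactly as in the chain: a 52-byte ACK inside an FTP data flow is an
    ACK (mark 1), not FTP traffic.
    """
    if proto != "tcp":
        return 0                       # every rule in the chain is -p tcp
    if length <= 64:                   # -m length --length :64
        return MARK_ACK
    if dport == 25:                    # --dport 25
        return MARK_SMTP
    if sport == 59999 or 50000 <= sport <= 51000:   # FTP data ports
        return MARK_FTP
    return 0


def leaf_class(mark: int) -> str:
    """Map a mark to its HTB class via the fw filters, else the default."""
    return MARK_TO_CLASS.get(mark, DEFAULT_CLASS)


@dataclass(frozen=True)
class Leaf:
    name: str
    rate: int   # guaranteed kB/s
    ceil: int   # upper bound reachable by borrowing from the parent
    prio: int   # lower value is lent spare bandwidth first


PARENT_RATE = 105
LEAVES = (
    Leaf("ack", 45, 105, 0),    # class 1:10
    Leaf("smtp", 40, 105, 1),   # class 1:11
    Leaf("ftp", 20, 105, 2),    # class 1:12
)


def allocate(parent_rate: int, leaves, demand: dict) -> dict:
    """Steady-state HTB share for each leaf given its offered load (kB/s).

    1. Every leaf is guaranteed min(demand, rate).
    2. The parent's remainder is lent in strict prio order, each leaf
       taking up to its ceil.  Leaves with equal prio (none here) would
       share the remainder by quantum instead.
    """
    assert sum(l.rate for l in leaves) <= parent_rate, "rates must fit parent"
    got = {l.name: min(demand.get(l.name, 0), l.rate) for l in leaves}
    spare = parent_rate - sum(got.values())
    for leaf in sorted(leaves, key=lambda l: l.prio):
        if spare <= 0:
            break
        want = min(demand.get(leaf.name, 0), leaf.ceil) - got[leaf.name]
        lend = min(max(want, 0), spare)
        got[leaf.name] += lend
        spare -= lend
    return got


def scenarios() -> dict:
    """Constructed offered loads (kB/s) that exercise the thread's claims."""
    return {
        "ftp_alone": allocate(PARENT_RATE, LEAVES, {"ftp": 500}),
        "ftp_plus_mail": allocate(PARENT_RATE, LEAVES, {"ftp": 500, "smtp": 60}),
        "all_saturated": allocate(PARENT_RATE, LEAVES,
                                  {"ack": 500, "smtp": 500, "ftp": 500}),
    }


if __name__ == "__main__":
    for name, share in scenarios().items():
        print(f"{name:14s} {share}")
    print("ACK in FTP flow ->", leaf_class(classify("tcp", 52, 50123, 40000)))
```

Running it shows FTP at the full 105 when nothing else is offered, dropping to 45 as soon as 60 of SMTP appears (SMTP gets everything it asked for), and each class falling back to its guarantee when all three saturate. The classification half makes a point the chain's ordering implies but the comment does not say: because the length rule comes first, a bare ACK belonging to an FTP data connection is treated as ACK traffic and rides in the prio 0 class, which is why the download side does not stall even while the FTP upload is capped.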