seriously, if you've done LARTC and iptables previously, you'll have m0n0wall doing it in minutes, not days. ;) so the 12-pack might not last the few days ;)

if you wanted to permanently cap FTP at say, 20% of bandwidth, that could be confusing. I think you need to set up multiple pipes and it starts to get a bit ugly there (the ordering of the rules makes it a bit ugly to look at, it makes sense, but I think I'd want to see different logical groupings of rules).

the GUI is flat-structured, be nice to have a tree structure, but that's probably a heap more complex to develop as well.

//chris

On Monday 23 October 2006 10:21, Mark Ryan wrote:
> Chris Hoy Poy wrote:
> > there's actually considerably more documentation "online" inside monowall
> > ;) especially for the traffic shaper :) More than enough to understand
> > how it works, and the shaper wizard is pretty good for an initial
> > starting point (it's prolly easier not to include the peer-to-peer tweaks,
> > as these make the initial list huge, and I found it difficult to
> > interpret what was going on with those rules there.. not that they are
> > bad rules, just that there are heaps of them and if you are trying to
> > learn, best not to include etc).
> >
> > The traffic shaper in m0n0wall is pretty good I think - it'll do the same
> > capping as your rules.. if FTP is set to have a guarantee of 5% (or even
> > 1%) it'll still take up the full 100% if that's available. Any other
> > traffic can take away etc.. so yeah, it does what I think you're
> > concerned about..
> >
> >
> > //chris
> >
> > On Monday 23 October 2006 10:02, Mark Ryan wrote:
> >> Chris Hoy Poy wrote:
> >>> As far as I can see, nothing special in that mix..
> >>>
> >>> Inbound NAT (FTP, SMTP)
> >>> Traffic shaping
> >>>
> >>> in which case, M0n0wall will do the trick, and this will be much more
> >>> readable in M0n0wall's portal anyway.
> >>>
> >>> cheers;
> >>> I made the same move from ipCop to M0n0wall, albeit I knew nothing
> >>> about ipCop and just wanted something I knew a bit better. Monowall's
> >>> pretty simple, and that makes it a lot easier to troubleshoot. Plus
> >>> some of the gurus on this list don't seem to be able to leave their
> >>> email for longer than 10 mins, and you usually get good replies pretty
> >>> quickly ;)
> >>>
> >>> //chris
> >>>
> >>> On Sunday 22 October 2006 23:04, Mark Ryan wrote:
> >>>> Hi,
> >>>> I currently use ipcop on an old machine and I love it however I am
> >>>> interested in moving to an embedded box with monowall. I wrote my own
> >>>> custom traffic shaping rules for linux and I would like to know if the
> >>>> same setup is possible with monowall. Here are my rules:
> >>>>
> >>>> #!/bin/bash
> >>>> # detach the jump, clear out the chain and set up a new chain
> >>>> iptables -t mangle -D POSTROUTING -o eth1 -j BW-OUT 2> /dev/null > /dev/null
> >>>> iptables -t mangle -F BW-OUT 2> /dev/null > /dev/null
> >>>> iptables -t mangle -X BW-OUT 2> /dev/null > /dev/null
> >>>> iptables -t mangle -N BW-OUT
> >>>> iptables -t mangle -I POSTROUTING -o eth1 -j BW-OUT
> >>>> # mark packets: 3 is active ftp and passive ftp, 2 is email, 1 is ACK for downloads and everything else
> >>>> iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j MARK --set-mark 1
> >>>> iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j RETURN
> >>>> iptables -t mangle -A BW-OUT -m tcp -p tcp --dport 25 -j MARK --set-mark 2
> >>>> iptables -t mangle -A BW-OUT -m tcp -p tcp --dport 25 -j RETURN
> >>>> iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j MARK --set-mark 3
> >>>> iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j RETURN
> >>>> iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 3
> >>>> iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j RETURN
> >>>> # clear the qdisc
> >>>> tc qdisc del dev eth1 root
> >>>> # add the root qdisc
> >>>> tc qdisc add dev eth1 root handle 1: htb default 10
> >>>> # add main rate limit class and 3 leaf classes
> >>>> tc class add dev eth1 parent 1: classid 1:1 htb rate 105kbps ceil 105kbps
> >>>> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 45kbps ceil 105kbps prio 0
> >>>> tc class add dev eth1 parent 1:1 classid 1:11 htb rate 40kbps ceil 105kbps prio 1
> >>>> tc class add dev eth1 parent 1:1 classid 1:12 htb rate 20kbps ceil 105kbps prio 2
> >>>> # filter traffic into classes by firewall mark
> >>>> tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1 fw flowid 1:10
> >>>> tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 2 fw flowid 1:11
> >>>> tc filter add dev eth1 parent 1:0 prio 2 protocol ip handle 3 fw flowid 1:12
> >>>>
> >>>> These rules work perfectly for my setup. They cap my ftp server to
> >>>> 100K and when an email is sent, the email has priority. The sharing
> >>>> and priority setup is also great so that the higher priority root
> >>>> class can borrow from the ftp if needed. They also allow the small
> >>>> ack packets to get priority so that downloads don't suffer.
> >>>>
> >>>> Is this possible with monowall?
> >>>>
> >>>> Thanks,
> >>>> Mark
> >>
> >> Unfortunately the docs for the traffic shaper are sparse. Not enough
> >> detail to learn without actually installing monowall and hacking away.
> >>
> >> Maybe I will just buy a WRAP package and just go for it, figure it out
> >> later. If I can't get monowall to shape like I want, I could always use
> >> something else I guess.
> >>
> >> Mark
> >
> Ok. Yes, that's exactly what I want. I want FTP to have 100% of the
> capped rate until something else needs it, whether it be email, http, ack
> or whatever. It took me a long time to figure out LARTC and Iptables to
> do what I wanted.
>
> It seems that I will be able to specify ports 50000-51000 as ftp in
> m0n0wall just as I do in linux. Assign that a lower weight pipe and
> then assign normal stuff a higher weight.
>
> I guess I should just pull the trigger and order that sweet looking
> m1n1wall embedded box from netgate and give it a shot. That, along with
> a 12 pack and a few days, ought to be enough to figure it out.
>
> Mark

--
Chris Hoy Poy
System Administrator
DownUnder GeoSolutions
http://www.dugeo.com
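As an added example (not Mark's script and not m0n0wall code), the same mark-then-HTB shaper rewritten as a re-runnable function whose guarantees and ceilings are percentages of the link, the way the m0n0wall shaper expresses them; it covers both Mark's "FTP may borrow the whole link" case and the permanent 20% FTP cap Chris mentions. Assumed placeholders: the interface, the link rate in kbit (tc's "105kbps" in Mark's rules is kilobytes per second, roughly 840 kbit) and the FTP ports; IPT and TC default to the real tools and can be set to "echo" to preview the generated commands without root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: interface name, link rate
# (kbit) and FTP ports are placeholders; IPT/TC may be overridden with "echo"
# to dry-run. Guarantee/ceiling are percentages of the link, as in m0n0wall.

# pct_of TOTAL_KBIT PERCENT -> integer kbit share
pct_of() { echo $(( $1 * $2 / 100 )); }

# mark_and_return MARK MATCH... : tag matching packets, then leave the chain
mark_and_return() {
  mark=$1; shift
  ${IPT:-iptables} -t mangle -A BW-OUT "$@" -j MARK --set-mark "$mark"
  ${IPT:-iptables} -t mangle -A BW-OUT "$@" -j RETURN
}

# add_leaf LEAF MARK PRIO GUARANTEE_PCT CEIL_PCT (DEV and LINK set by setup_shaper)
add_leaf() {
  ${TC:-tc} class add dev "$DEV" parent 1:1 classid "1:$1" htb \
    rate "$(pct_of "$LINK" "$4")kbit" ceil "$(pct_of "$LINK" "$5")kbit" prio "$3"
  ${TC:-tc} filter add dev "$DEV" parent 1:0 prio "$3" protocol ip handle "$2" fw flowid "1:$1"
}

# setup_shaper DEV LINK_KBIT FTP_CEIL_PCT
# FTP_CEIL_PCT=100 lets FTP borrow the whole link when idle (what Mark wants);
# FTP_CEIL_PCT=20 is the permanent 20% cap Chris mentions.
setup_shaper() {
  DEV=$1; LINK=$2; ftp_ceil=$3
  ipt=${IPT:-iptables}; tc=${TC:-tc}
  # Detach the jump first so the chain can actually be flushed and deleted.
  $ipt -t mangle -D POSTROUTING -o "$DEV" -j BW-OUT 2>/dev/null || true
  $ipt -t mangle -F BW-OUT 2>/dev/null || true
  $ipt -t mangle -X BW-OUT 2>/dev/null || true
  $ipt -t mangle -N BW-OUT
  $ipt -t mangle -I POSTROUTING -o "$DEV" -j BW-OUT
  mark_and_return 1 -p tcp -m length --length :64   # small packets (ACKs)
  mark_and_return 2 -p tcp --dport 25               # outbound SMTP
  mark_and_return 3 -p tcp --sport 59999            # FTP data, port as in Mark's rules
  mark_and_return 3 -p tcp --sport 50000:51000      # passive FTP data range
  $tc qdisc del dev "$DEV" root 2>/dev/null || true
  $tc qdisc add dev "$DEV" root handle 1: htb default 10
  $tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${LINK}kbit" ceil "${LINK}kbit"
  add_leaf 10 1 0 43 100          # ACKs and everything else: highest priority
  add_leaf 11 2 1 38 100          # email
  add_leaf 12 3 2 19 "$ftp_ceil"  # FTP: 19% guaranteed, ceiling as chosen
}
```

Run as root with e.g. `setup_shaper eth1 840 100` for Mark's behaviour, or `IPT=echo TC=echo` exported first to inspect the commands it would issue.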