 From:  Mark Ryan <markryan at cfl dot rr dot com>
 To:  Chris Hoy Poy <chrishp at dugeo dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] can i adapt my linux traffic shaping rules to monowall?
 Date:  Sun, 22 Oct 2006 22:37:20 -0400
Chris Hoy Poy wrote:
> seriously, if you've done LARTC and iptables previously, you'll have m0n0wall 
> doing it in minutes, not days. ;) so the 12-pack might not last the few 
> days ;) 
> if you wanted to permanently cap FTP at say, 20% of bandwidth, that could be 
> confusing. I think you need to set up multiple pipes and it starts to get a 
> bit ugly there (the ordering of the rules makes it a bit ugly to look at, it 
> makes sense, but I think I'd want to see different logical groupings of 
> rules).  the GUI is flat-structured, be nice to have a tree structure, but 
> that's probably a heap more complex to develop as well. 
> //chris
> On Monday 23 October 2006 10:21, Mark Ryan wrote:
>> Chris Hoy Poy wrote:
>>> there's actually considerably more documentation "online" inside monowall
>>> ;) especially for the traffic shaper :) More than enough to understand
>>> how it works, and the shaper wizard is pretty good for an initial
>>> starting point (it's probably easier not to include the peer-to-peer tweaks,
>>> as these make the initial list huge, and I found it difficult to
>>> interpret what was going on with those rules there.. not that they are
>>> bad rules, just that there are heaps of them and if you are trying to
>>> learn, best not to include etc).
>>> The traffic shaper in m0n0wall is pretty good I think - it'll do the same
>>> capping as your rules.. if FTP is set to have a guarantee of 5% (or even
>>> 1%) it'll still take up the full 100% if that's available. Any other
>>> traffic can take away etc.. so yeah, it does what I think you're
>>> concerned about..
>>> //chris
>>> On Monday 23 October 2006 10:02, Mark Ryan wrote:
>>>> Chris Hoy Poy wrote:
>>>>> As far as I can see, nothing special in that mix..
>>>>>      Inbound NAT (FTP, SMTP)
>>>>>      Traffic shaping
>>>>> in which case, M0n0wall will do the trick, and this will be much more
>>>>> readable in M0n0wall's portal anyway.
>>>>> cheers;
>>>>> I made the same move from ipCop to M0n0wall, albeit I knew nothing
>>>>> about ipCop and just wanted something I knew a bit better. Monowall's
>>>>> pretty simple, and that makes it a lot easier to troubleshoot. Plus
>>>>> some of the gurus on this list don't seem to be able to leave their
>>>>> email for longer than 10 mins, and you usually get good replies pretty
>>>>> quickly ;)
>>>>> //chris
>>>>> On Sunday 22 October 2006 23:04, Mark Ryan wrote:
>>>>>> Hi,
>>>>>> I currently use ipcop on an old machine and I love it however I am
>>>>>> interested in moving to an embedded box with monowall.  I wrote my own
>>>>>> custom traffic shaping rules for linux and I would like to know if the
>>>>>> same setup is possible with monowall.  Here are my rules:
>>>>>> #!/bin/bash
>>>>>> # clear out the chain and set up a new chain
>>>>>> # (the jump is inserted into POSTROUTING below, so it has to be deleted
>>>>>> # from POSTROUTING here as well; deleting it from OUTPUT left the old jump
>>>>>> # in place and every re-run of the script added a second one)
>>>>>> iptables -t mangle -D POSTROUTING -o eth1 -j BW-OUT 2> /dev/null > /dev/null
>>>>>> iptables -t mangle -F BW-OUT 2> /dev/null > /dev/null
>>>>>> iptables -t mangle -X BW-OUT 2> /dev/null > /dev/null
>>>>>> iptables -t mangle -N BW-OUT
>>>>>> iptables -t mangle -I POSTROUTING -o eth1 -j BW-OUT
>>>>>> # mark packets: 3 is active ftp and passive ftp, 2 is email, 1 is ACK
>>>>>> # for downloads and everything else (each match is followed by a RETURN
>>>>>> # so a packet keeps the first mark it gets)
>>>>>> iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j MARK --set-mark 1
>>>>>> iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j RETURN
>>>>>> iptables -t mangle -A BW-OUT -p tcp --dport 25 -j MARK --set-mark 2
>>>>>> iptables -t mangle -A BW-OUT -p tcp --dport 25 -j RETURN
>>>>>> iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j MARK --set-mark 3
>>>>>> iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j RETURN
>>>>>> iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 3
>>>>>> iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j RETURN
>>>>>> # clear the qdisc (fails harmlessly on the first run, when there is none)
>>>>>> tc qdisc del dev eth1 root 2> /dev/null
>>>>>> # add the root qdisc; unmarked traffic lands in class 1:10
>>>>>> tc qdisc add dev eth1 root handle 1: htb default 10
>>>>>> # add main rate limit class and 3 leaf classes
>>>>>> # (in tc, "kbps" is kilobytes per second, so 105kbps is about 840 kbit/s;
>>>>>> # rate is the guaranteed share, ceil is how far a class may borrow)
>>>>>> tc class add dev eth1 parent 1: classid 1:1 htb rate 105kbps ceil 105kbps
>>>>>> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 45kbps ceil 105kbps prio 0
>>>>>> tc class add dev eth1 parent 1:1 classid 1:11 htb rate 40kbps ceil 105kbps prio 1
>>>>>> tc class add dev eth1 parent 1:1 classid 1:12 htb rate 20kbps ceil 105kbps prio 2
>>>>>> # filter traffic into classes by firewall mark
>>>>>> tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1 fw flowid 1:10
>>>>>> tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 2 fw flowid 1:11
>>>>>> tc filter add dev eth1 parent 1:0 prio 2 protocol ip handle 3 fw flowid 1:12
>>>>>> These rules work perfectly for my setup.  They cap my ftp server to
>>>>>> 100K and when an email is sent, the email has priority.  The sharing
>>>>>> and priority setup is also great so that the higher priority root
>>>>>> class can borrow from the ftp if needed.  They also allow the small
>>>>>> ack packets to get priority so that downloads don't suffer.
>>>>>> Is this possible with monowall?
>>>>>> Thanks,
>>>>>> Mark
>>>> Unfortunately the docs for the traffic shaper are sparse.  Not enough
>>>> detail to learn without actually installing monowall and hacking away.
>>>> Maybe I will just buy a WRAP package and just go for it, figure it out
>>>> later.  If I can't get monowall to shape like I want, I could always use
>>>> something else I guess.
>>>> Mark
>> Ok.  Yes, that's exactly what I want.  I want FTP to have 100% of the
>> capped rate until something else needs it, whether it be email, http, ack
>> or whatever.  It took me a long time to figure out LARTC and Iptables to
>> do what I wanted.
>> It seems that I will be able to specify ports 50000-51000 as ftp in
>> m0n0wall just as I do in linux.  Assign that a lower weight pipe and
>> then assign normal stuff a higher weight.
>> I guess I should just pull the trigger and order that sweet looking
>> m1n1wall embedded box from netgate and give it a shot.  That, along with
>> a 12 pack and a few days, ought to be enough to figure it out.
>> Mark
Ok.  I want to permanently cap the upload of my connection. I have a 
10/1mbit cable connection.  So I would want to cap the upload at 
100KBytes/sec.  Then I would want 2 pipes (I think).  1 pipe for ftp 
(ports 50000-51000) and the 2nd pipe for everything else (www, ack, dns, 
smtp).  The way I have it now is when an ftp is going 100K, and I kick 
off a large email, the ftp speed drops to almost nothing until the email 
is finished.  Also my ack packets go to the front of the queue so my 
download doesn't suffer.

So it looks like m0n0wall will do what i want.
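The mapping the thread circles around, written out as an added example (not code from the m0n0wall project or from the posts above): the HTB/iptables script re-expressed with the ipfw/dummynet primitives m0n0wall's shaper is built on. One pipe is the upload cap, WF2Q+ queues on that pipe share it by weight, and ordered rules steer packets into queues. HTB "ceil" becomes the pipe bandwidth (every queue may borrow up to the whole pipe), HTB "rate" becomes a queue weight proportional to the rate, and HTB "prio" has no direct counterpart, so the small-packet (ACK) rule is placed first and given the heaviest queue instead. Assumed here: the WAN interface name "sis0", the 800 kbit/s (100 KByte/s) cap, and the FTP ports 59999 and 50000-51000 from the thread. By default the script only prints the commands; set IPFW=ipfw on a FreeBSD/m0n0wall box to apply them.

```shell
#!/bin/sh
# Added example, not m0n0wall's own rule generator. Dry run by default:
# IPFW="echo ipfw" prints the commands; IPFW=ipfw applies them.
WAN=${WAN:-sis0}                  # assumed WAN interface name
IPFW=${IPFW:-echo ipfw}
UPLOAD_KBIT=${UPLOAD_KBIT:-800}   # 100 KByte/s cap, as in the thread

# htb_weight RATE TOTAL: turn an HTB guaranteed rate into a dummynet WF2Q+
# queue weight (integer 1..100, the range ipfw accepts), proportional to the
# rate's share of the parent class rate.
htb_weight() {
    w=$(( $1 * 100 / $2 ))
    if [ "$w" -lt 1 ]; then w=1; fi
    if [ "$w" -gt 100 ]; then w=100; fi
    echo "$w"
}

shaper_rules() {
    total=105                      # HTB parent class rate from the thread (kbyte/s)
    w_misc=$(htb_weight 45 "$total")   # class 1:10 -> 42
    w_smtp=$(htb_weight 40 "$total")   # class 1:11 -> 38
    w_ftp=$(htb_weight 20 "$total")    # class 1:12 -> 19

    # one pipe = the hard upload cap (HTB ceil on every class)
    $IPFW pipe 1 config bw "${UPLOAD_KBIT}Kbit/s"
    # queues on that pipe share it by weight (HTB rate); an idle queue's
    # share is lent to the others, so FTP alone still gets the whole pipe
    $IPFW queue 1 config pipe 1 weight "$w_misc"   # ACKs, dns, www, everything else
    $IPFW queue 2 config pipe 1 weight "$w_smtp"   # outbound SMTP
    $IPFW queue 3 config pipe 1 weight "$w_ftp"    # FTP control + passive data

    # first match wins (net.inet.ip.fw.one_pass=1, the FreeBSD default), so
    # small packets are classified before the port rules, mirroring the
    # "--length :64 ... RETURN" pair in the Linux script
    $IPFW add 1000 queue 1 tcp from any to any out xmit "$WAN" iplen 0-64
    $IPFW add 1010 queue 2 tcp from any to any 25 out xmit "$WAN"
    $IPFW add 1020 queue 3 tcp from any 59999 to any out xmit "$WAN"
    $IPFW add 1030 queue 3 tcp from any 50000-51000 to any out xmit "$WAN"
    $IPFW add 1040 queue 1 ip from any to any out xmit "$WAN"
}

shaper_rules
```

In the m0n0wall GUI the same three objects exist under Traffic shaper: the pipe (bandwidth in Kbit/s), the queues (pipe plus weight), and the rules (interface, direction, protocol, ports, packet length, target queue), evaluated top to bottom like the ipfw list above. The one thing that does not carry over is strict priority: dummynet's WF2Q+ only weights the shares, so an ACK queue with a high weight gets most of the pipe when it has packets, but a flood of email will not be starved the way an HTB prio 2 class can be.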