Traffic Control with iproute2

Tux-Slack · 03-19-2008, 02:47 PM

Hello,

I've got setup a traffic control on my server/router to prevent a box that is constantly downloading to fill the line up. So I've limited its download to 512Kbps with a ceiling with 640Kbps, and upload to 128Kbps with a ceiling of 196Kbps. It works great, it limits it's download and upload, but the problem is that now the server and that box can't communicate faster, on a full 100MBit connection of a LAN.

This is my firwall rule for NAT:

Code:

IPT = /usr/sbin/iptables
EXTIF=ppp0
INTIF=eth1
VPNIF=vpn0
VPNIPRANGE=10.8.0.0/24

$IPT -A FORWARD -i $EXTIF -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT --table mangle -A FORWARD -i $EXTIF -o $INTIF -j MARK --set-mark 10
$IPT -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPT --table mangle -A FORWARD -i $INTIF -o $EXTIF -j MARK --set-mark 20
$IPT -A FORWARD -i $VPNIF -o $INTIF -s $VPNIPRANGE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $VPNIF -d $VPNIPRANGE -j ACCEPT
$IPT --table nat -A POSTROUTING -o $VPNIF -d $VPNIPRANGE -j MASQUERADE
$IPT --table nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

And then this is the traffic control section:

Code:

TC=/sbin/tc
IP=/sbin/ip
BANDMAX=102400
DOWNMAX=512000
DOWNCEIL=640000
UPMAX=128000
UPCEIL=196000


$TC qdisc del dev $INTIF root

$TC qdisc add dev $INTIF parent root handle 1:0 htb default 20
$TC class add dev $INTIF parent 1:0 classid 1:1 htb rate ${BANDMAX}kbit quantum 1500

# Download
$TC class add dev $INTIF parent 1:1 classid 1:10 htb rate ${DOWNMAX}kbit ceil ${DOWNCEIL}kbit
$TC qdisc add dev $INTIF parent 1:10 handle 10:0 sfq
# Upload
$TC class add dev $INTIF parent 1:1 classid 1:20 htb rate ${UPMAX}kbit ceil ${UPCEIL}kbit
$TC qdisc add dev $INTIF parent 1:20 handle 20:0 sfq

$TC filter add dev $INTIF parent 1:0 protocol ip handle 10 fw classid 1:10
$TC filter add dev $INTIF parent 1:0 protocol ip handle 20 fw classid 1:20

$IP rule add fwmark 20 table 20
$IP rule add fwmark 10 table 10

Could someone please point to the problem why the connection between the box and the server isn't faster?

iiv · 03-20-2008, 04:34 AM

It is very easy

you should control traffic on ppp0, NOT on eth1!
so change $INTIF to $EXTIF in your second section where tc goes

Tux-Slack · 03-20-2008, 05:06 PM

But I want the server to have full bandwidth on ppp0, I don't want to limit that. Wont I limit it that way?

iiv · 03-21-2008, 01:24 AM

So you want full speed 100Mbit on ppp0 and traffic control on eth1? ppp0 is a virtual interface, it is a gre tunnel(or somewhat else tunnel), it's traffic actually goes through eth1.

So if you eliminate traffic on eth1, you do so for ppp0 too.

You mentioned that you do want full speed on LAN, than OK, LAN interface, I am sure, is eth1, while your internet i-face is ppp0. (wrote that just to make it clear)

Tux-Slack · 03-21-2008, 05:35 AM

I know, ppp0 is a external link, virtual interface running over eth0 with is the LAN card connected to the XDSL modem, I don't want to limit this speed for the server, I just want to limit the speed which comes in through the ppp0 and is being routed over to eth1 which is connected to another machine.

Tux-Slack · 03-21-2008, 03:27 PM

Fixed, I added a few rules for the external link and another one for server<->box communication.
This is how it looks now:

Code:

if [ $FWD = "1" ]; then
        echo "Starting NAT (Network Address Translation)..."
        $IPT -A FORWARD -i $EXTIF -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
        $IPT -A FORWARD -i $VPNIF -o $INTIF -s $VPNIPRANGE -m state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -A FORWARD -i $INTIF -o $VPNIF -d $VPNIPRANGE -j ACCEPT
        $IPT --table nat -A POSTROUTING -o $VPNIF -d $VPNIPRANGE -j MASQUERADE
        $IPT --table nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# MANGLES
        $IPT --table mangle -A INPUT -i $EXTIF -j MARK --set-mark 10
        $IPT --table mangle -A OUTPUT -o $EXTIF -j MARK --set-mark 11
        $IPT --table mangle -A INPUT -i $INTIF -j MARK --set-mark 20
        $IPT --table mangle -A OUTPUT -o $INTIF -j MARK --set-mark 21
        $IPT --table mangle -A FORWARD -o $INTIF -i $EXTIF -j MARK --set-mark 22
        $IPT --table mangle -A FORWARD -i $EXTIF -o $INTIF -j MARK --set-mark 24
        echo 1 > /proc/sys/net/ipv4/ip_forward

####
####### Traffic Control
####
        echo "Starting traffic control..."

        # Flush all first
        $TC qdisc del dev $EXTIF root
        $TC qdisc del dev $INTIF root

        # Add roots
        $TC qdisc add dev $EXTIF parent root handle 1:0 htb default 20
        $TC qdisc add dev $INTIF parent root handle 2:0 htb default 20
        $TC class add dev $EXTIF parent 1:0 classid 1:1 htb rate ${NETMAX}kbit quantum 1500
        $TC class add dev $INTIF parent 2:0  classid 2:1 htb rate ${BANDMAX}kbit quantum 1500

        # Download
        $TC class add dev $EXTIF parent 1:1 classid 1:10 htb rate ${NETMAX}kbit
        $TC qdisc add dev $EXTIF parent 1:10 handle 10:0 sfq
        $TC class add dev $INTIF parent 2:1 classid 2:20 htb rate ${BANDMAX}kbit
        $TC qdisc add dev $INTIF parent 2:20 handle 20:0 sfq
        $TC class add dev $INTIF parent 2:1 classid 2:22 htb rate ${DOWNMAX}kbit ceil ${DOWNCEIL}kbit
#       $TC qdisc add dev $INTIF parent 2:22 classid 22:0 sfq

        # Upload
        $TC class add dev $EXTIF parent 1:1 classid 1:11 htb rate ${NETMAX}kbit
        $TC qdisc add dev $EXTIF parent 1:11 handle 11:0 sfq
        $TC class add dev $INTIF parent 2:1 classid 2:21 htb rate ${BANDMAX}kbit
        $TC qdisc add dev $INTIF parent 2:21 handle 21:0 sfq
        $TC class add dev $INTIF parent 2:1 classid 2:24 htb rate ${UPMAX}kbit ceil ${UPCEIL}kbit
#        $TC qdisc add dev $INTIF parent 2:24 classid 24:0 sfq

        $TC filter add dev $EXTIF parent 1:0 protocol ip handle 10 fw classid 1:10
        $TC filter add dev $EXTIF parent 1:0 protocol ip handle 11 fw classid 1:11
        $TC filter add dev $INTIF parent 2:0 protocol ip handle 20 fw classid 2:20
        $TC filter add dev $INTIF parent 2:0 protocol ip handle 21 fw classid 2:21
        $TC filter add dev $INTIF parent 2:0 protocol ip handle 22 fw classid 2:22
        $TC filter add dev $INTIF parent 2:0 protocol ip handle 24 fw classid 2:24

        $IP rule add fwmark 24 table 24
        $IP rule add fwmark 22 table 22
        $IP rule add fwmark 21 table 21
        $IP rule add fwmark 20 table 20
        $IP rule add fwmark 11 table 11
        $IP rule add fwmark 10 table 10

fi

But I don't know why I had to comment out those 2 liens, they were there before and it worked but now it's saying that it's unparsable?