My L7-filtering is not working in bridge mode


This topic contains 7 replies, has 0 voices, and was last updated by  tsku 11 years, 10 months ago.

    #40785

    tsku
    Member

    Hi all,

    I'm new to ZeroShell. I've managed to set up ZeroShell on CF and slotted it into my Pentium D desktop to act as a bridge between my Internet router and LAN. The bridge is working, because all traffic can pass through the bridge to the Internet. However, the L7 part is not working well. I've created a second class named P2P, allocated only 1Kbps to that class, and set the classifier to put everything tagged as P2P into the P2P class. The rest of the traffic will just fall into the Default class. Below is the config for the classifier:

    1 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb P2P no
    2 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb P2P no
    3 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xb P2P no
    4 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xb P2P no
    5 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb P2P no
    6 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xb P2P no
    7 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb P2P no
    8 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xb P2P no
    9 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xb P2P no
    10 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xb P2P no
    11 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xb P2P no
    12 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xb P2P no
    13 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xb P2P no
    14 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xb P2P no
    15 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xb P2P no
    16 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xb P2P no
    17 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xb P2P no
    18 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xb P2P no
    19 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xb P2P no
    20 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xb P2P no
    21 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0xa DEFAULT no

    DEFAULT Default class for unclassified traffic High 1000Mbit/s 1000Mbit/s
    P2P P2P Low 1Kbit/s

    Interface/Class Priority Maximum Guaranteed Traffic Sent (bytes) Rate
    ETH00 — 1000Mbit/s 1000Mbit/s 20877371 68048bit
    DEFAULT High 1000Mbit/s 1000Mbit/s 20777945 67368bit
    P2P Low 1Kbit/s — 99386 664bit

    ETH01 — 1000Mbit/s 1000Mbit/s 5327860 62464bit
    DEFAULT High 1000Mbit/s 1000Mbit/s 5226778 61600bit
    P2P Low 1Kbit/s — 114276 912bit

    When I activate Xunlei and Ares, I'm still able to go up to 40KBps. Looking for your kind assistance to look into my problem. My office Internet usage is out of control now and we are struggling with the P2P traffic. I tried m0n0wall and pfSense before and they didn't help me resolve the issue.

    Thanks,

    #45900

    tsku
    Member

    Log for QoS as below; it looks like no P2P has been marked.

    Chain FORWARD (policy ACCEPT 136K packets, 46M bytes)
    pkts bytes target prot opt in out source destination
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb
    18663 8694K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
    103 15463 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
    30 3545 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb
    18560 8679K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xb
    291 110K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xb
    18542 8678K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0xa

    #45901

    imported_fulvio
    Participant

    Try removing rule 21. The DEFAULT class is automatically selected if no QoS rules match the packets.

    Regards
    Fulvio
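    As an added diagnostic (not ZeroShell's code and not part of the thread), a small parser for the `iptables -v -n` FORWARD listing posted above: it reports which l7proto rules actually hit, whether an unconditional MARK rule like rule 21 is present, and which MARK rules sit after the CONNMARK save. The sample input is a constructed excerpt of tsku's listing.

```python
import re
# Constructed excerpt of the FORWARD chain tsku posted (iptables -v -n layout), with the
# "--" that the forum rendered as em dashes restored so the columns parse.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 136K packets, 46M bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb
18663 8694K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
103 15463 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
30 3545 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb
18560 8679K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
291 110K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb
18542 8678K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0xa
"""
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}
# pkts bytes target prot opt in out source destination [match and target options]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def to_int(counter):
    """Expand iptables -v counters such as '8694K' (1000-based suffixes)."""
    return int(counter[:-1]) * SUFFIX[counter[-1]] if counter[-1] in SUFFIX else int(counter)

def parse_chain(text):
    """One dict per rule: hit counters, target and the trailing match/target options."""
    rules = []
    for line in text.splitlines()[2:]:  # skip the "Chain ..." line and the header row
        m = RULE_RE.match(line)
        if m:
            pkts, byts, target, extra = m.groups()
            rules.append({"pkts": to_int(pkts), "bytes": to_int(byts), "target": target, "extra": extra})
    return rules

def audit_marks(rules):
    """Which l7proto rules fired, plus two ordering pitfalls visible in the counters."""
    report = {"l7_hits": {}, "catch_all_mark": None, "marks_after_save": []}
    seen_save = False
    for r in rules:
        if r["target"] == "CONNMARK" and r["extra"].endswith("save"):
            seen_save = True
        if r["target"] != "MARK":
            continue
        l7 = re.search(r"l7proto (\S+)", r["extra"])
        if l7:
            report["l7_hits"][l7.group(1)] = r["pkts"]
        # Only "MARK set 0x.." with no match criteria: hits every packet and overwrites
        # the mark chosen by earlier rules (the catch-all rule 21 Fulvio suggests removing).
        if re.fullmatch(r"MARK set 0x[0-9a-f]+", r["extra"]):
            report["catch_all_mark"] = r["extra"].split()[-1]
        # CONNMARK save copies the packet mark at that point, so marks set by later rules
        # are never stored on the connection and must be re-matched on every packet.
        if seen_save:
            report["marks_after_save"].append(r["extra"])
    return report
```

Feed it the output of `iptables -t mangle -L FORWARD -v -n` from the box; a protocol listed in `l7_hits` with 0 packets was never classified, which is a pattern problem rather than a QoS class problem.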

    #45902

    tsku
    Member

    @fulvio wrote:

    Try removing rule 21. The DEFAULT class is automatically selected if no QoS rules match the packets.

    Regards
    Fulvio

    Will try that and update you with the result. Thanks.

    #45903

    tsku
    Member

    Still the same; XunLei still bypasses the policy after removing the default policy. You may find the stats below for your perusal.

    Thanks,

    Chain FORWARD (policy ACCEPT 14182 packets, 4790K bytes)
    pkts bytes target prot opt in out source destination
    12120 3844K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
    154 17398 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
    71 7585 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb
    11966 3827K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xb

    #45904

    tsku
    Member

    Ares, however, has been tracked, but the download speed can still achieve up to 10KBps.

    Chain FORWARD (policy ACCEPT 18680 packets, 6054K bytes)
    pkts bytes target prot opt in out source destination
    16698 5124K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
    234 33239 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
    74 7837 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb
    16464 5091K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xb
    57 2424 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xb
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xb

    #45905

    tsku
    Member

    Can anyone help with this??

    #45906

    tsku
    Member

    Can anyone help???

    #45907

    ajl37
    Member

    I had not been running the L7 filters for the P2P protocols, but I have had some luck with other L7 filters; see below:

    Chain FORWARD (policy ACCEPT 2160M packets, 1330G bytes)
    pkts bytes target prot opt in out source destination
    606K 332M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
    3869 778K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
    355 84740 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xc
    602K 331M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
    4 373 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xc
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xc
    18640 3540K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto skypetoskype MARK set 0x12
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto quicktime MARK set 0x10
    0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto http-rtsp MARK set 0x10
    34949 36M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto httpvideo MARK set 0x10
    3699 575K MARK all -- * * xxx.xxx.216.58 0.0.0.0/0 MARK set 0x1b
    5286 6717K MARK all -- * * 0.0.0.0/0 xxx.xxx.216.58 MARK set 0x1b
    9060 5339K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 MARK set 0x16
    9358 7802K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x16
    22058 2517K MARK tcp -- * * 0.0.0.0/0 xxx.xxx.8.1 tcp dpt:8080 MARK set 0x14
    37459 47M MARK tcp -- * * xxx.xxx.8.1 0.0.0.0/0 tcp spt:8080 MARK set 0x14
    117K 151M MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 MARK set 0x15
    71103 8280K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK set 0x15
    3018 203K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 MARK set 0x17
    2918 687K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 MARK set 0x17

    I do have some traffic picked up with Xunlei, but not others. It may be just that the filters need updating.

    I have had other strange issues with the Skype-to-phone L7 filter, which seems to block (or slow down a lot) certain ICMP packets: pings from a machine work fine, but fping doesn't and neither does "Peer Monitor". L7 filters should be used cautiously.

    Fulvio: Any chance of a feature to automatically update the L7 filters? I notice that the option exists but is not functioning yet?

    I think it can be done manually, although maybe not using the CD boot version?

    Andrew
