April 3, 2009 at 12:59 am #41609
Hi fulvio, first of all, congratulations for your excellent work, thank so much for your dedication to this project, Zeroshell is an excellent distribution and i love it.
I start using it four months ago and i never has a problem until now, it’s not a problem exactly, I was trying to use http proxy and QoS at the same time, i can shape the most of traffic but i have a problem with HTTP traffic using the layer 7 filter.
I was reading some posts and i found this comment from you:
You should classify the traffic manualy with iptables applied to mangle table and OUTPUT chain instead of FORWARD.
I understand that so i use the console and put the following iptables rule:
iptables -t mangle -A OUTPUT -m layer7 –l7proto http -j MARK –set-mark 0x11
But im still not able to shape http traffic and use http proxy at the same time, am i missing something?
thanks for your support, and sorry for my bad english.
greetins.April 3, 2009 at 8:19 am #47960
I think that if you apply rules to OUTPUT table, they will be applied to traffic originating from the ZeroShell itself only. The FORWARD table is used for traffic passing through ZS, for example client traffic going to the internet.April 3, 2009 at 3:40 pm #47961
Thanks for your reply, i’m gonna use some words from fulvio in other post:
The problem is that the QoS classifier works only for the forwarded traffic (bridged and routed). The classifier acts in the FORWARD chain (mangle table). Instead, if the transparent proxy is activated, it redirects the packets to a localhost daemon during the POSTROUTING. This process forward the requests to the destination web servers in the OUTPUT chain and hence the FORWARD one is never used.
I think that’s the reason for the rule that i applied but correct me if i’m wrong please. Thanks for your attention.April 5, 2009 at 1:17 pm #47962
You didn’t mention transparent proxy on the first post. When you have a transparent proxy, you need to mark packets on the OUTPUT, cause the traffic originates from the ZS itself.April 6, 2009 at 2:40 pm #47963
Sorry, my mistake. But I’m applying the rule to the OUTPUT chain, as you can see on my first post i’m marking them or am i doing something wrong?
Thanks for your reply.October 19, 2009 at 5:54 pm #47964
hello all, zs user here as a router and http proxy at the school i work for (stopping the kiddie winks accessing pr0n!)
i would like to implement qos to control users downloading and stealing the bandwidth but i am hitting a few snags.
firstly i am unable to create a bridge as per the official qos zs document, when i do it via the shell it says “error bridge not created” and when i try under the gui i get the same error however under the “networking” section the bridge has no ip assigned to it and in the status messages at the foot of the page it says “error bridge not created”.
secondly i have read on this forum that using the qos along with http proxy doesn’t work out of the box and requires some extra commands etc, thus far i haven’t read that anyone in my boat has resolved this successfully.
could anyone help me with this?
steve.October 21, 2009 at 9:48 am #47965
It seems to be marked, but I am not sure if it is marked indeed. If you have netbalancer then the QoS mangling is disabled. A well known bug.October 21, 2009 at 10:59 am #47966
1) It may be something wrong with the interfaces you want to add on the BRIDGE. Could you describe exactly what interfaces you have and which you want to add in the bridge?
2) I knew that QoS is not working correctly along with Netbalancer and that HTTP Proxy should be stopped when taking a backup. Could you point the topic you read that?November 16, 2009 at 3:44 pm #47967
been very busy at school and have had no time to pick up this project again.
ppalias i read that due to the fact that the proxy is running as well then iptable commands need to be entered manually etc, all this is far outside my abilities so i built another box just to be used for qos.
i placed this between the network switch and the gateway and proxy (another zs box).
i have read the traffic shaping document found here http://www.zeroshell.net/eng/qos/ and this is where i get lost.
the box has 2 nics all recognised by zs and i have configured them to link the student network and the zs gateway and proxy using the default gateway option in the router section.
i then enabled qos on both nics and set about testing the config, playing with the default class for unclassified traffic, i can alter this and throttle traffic down but when i test this live at school the limit is shared by the students as opposed to each student having his own limit. also i can create classes (for example a faster speed for me using ip or mac) but they have no effect, in fact i think that there is no classification of traffic at all.
i tried a bridge, however i couldn’t get the bridge to pass through to the gateway.
i really need to get to grips with qos, i know i have a deficit in my knowledge that i am furiously making up (or trying to) using google.
but could anyone help me out a little with a real basic qos setup?
my aim is to have 2 classes for all traffic (as i block p2p at the port level using the gateway) one called students (150kbps down / 20kbps up) and another called admins (unlimited for me essentially so i can download large files when and as needed).
i think my problem is the bridge or router part.
steve.November 16, 2009 at 10:46 pm #47968
If you bridge the interfaces then you will only have one IP on the box for the remote management. All the traffic will flow through the box transparently. So your client PCs will have gateway IP address the IP of the gateway ZS.
You cannot limit each student independently unless you create one class map for everyone. They will share the bandwidth you allow for them.
Bridge is a bit faster than routing, but this is not something you’ll ever notice. Also take my advise and enable QoS only on the outgoing interface towards the internet.November 19, 2009 at 9:11 am #47969
right ok now i see it.
i used the bridge method and finally got it working, i was expecting 2 ips a little like a router i guess, now the 1 ip is clearer to me thanks.
i was worried that a clever student could discover the other gateway and use that to avoid the bw limits but yes i just checked and it doesn’t matter which of the 2 gateways he uses, the limits are in place.
i have set up a separate rule per ip (there are only 50 clients), one for me thats faster and left the rest of the bw for the default unclassified or unknown wireless users.
so far its working great, feel more in control of the network now, think it could still be tweaked a little.
for example i have a 6 meg line (works out to 777 kilobytes a sec) and i have given 5mbits to me, 2mbits to the 50 client computers and left 1mbit to the default wireless users. this means that i am over accounted for, is this an issue? i guess it may be if the line gets very busy.
should you always allocate ONLY the bw you have?
i have set the priority to low for default, medium for the clients and high for me, is that also best practice?
thanks for the help, i appreciate it a lot.
steve.November 19, 2009 at 3:07 pm #47970
Usually you specify the maximum bandwidth and then you allocate some portions from it for guaranteed. In total they shouldn’t exceed the maximum. Priorities seem ok but you should know that your clients will definitely starve once you utilize the bandwidth.
You must be logged in to reply to this topic.