QoS and HTTP Proxy question


This topic contains 10 replies, has 0 voices, and was last updated by  abulas 9 years, 7 months ago.

    #41609

    abulas
    Member

    Hi fulvio, first of all, congratulations on your excellent work; thanks so much for your dedication to this project. Zeroshell is an excellent distribution and I love it.
    I started using it four months ago and I never had a problem until now. It's not a problem exactly: I was trying to use the HTTP proxy and QoS at the same time; I can shape most of the traffic, but I have a problem with HTTP traffic using the layer 7 filter.

    I was reading some posts and I found this comment from you:
    You should classify the traffic manually with iptables applied to the mangle table and OUTPUT chain instead of FORWARD.

    I understand that, so I used the console and added the following iptables rule:

    iptables -t mangle -A OUTPUT -m layer7 --l7proto http -j MARK --set-mark 0x11

    But I'm still not able to shape HTTP traffic and use the HTTP proxy at the same time. Am I missing something?

    Thanks for your support, and sorry for my bad English.
    Greetings.

    #47960

    ppalias
    Member

    I think that if you apply rules to the OUTPUT table, they will be applied only to traffic originating from the ZeroShell itself. The FORWARD table is used for traffic passing through ZS, for example client traffic going to the internet.

    #47961

    abulas
    Member

    Thanks for your reply. I'm going to use some words from fulvio in another post:

    The problem is that the QoS classifier works only for the forwarded traffic (bridged and routed). The classifier acts in the FORWARD chain (mangle table). Instead, if the transparent proxy is activated, it redirects the packets to a localhost daemon during the POSTROUTING. This process forwards the requests to the destination web servers in the OUTPUT chain and hence the FORWARD one is never used.

    I think that's the reason for the rule that I applied, but please correct me if I'm wrong. Thanks for your attention.

    #47962

    ppalias
    Member

    You didn't mention the transparent proxy in the first post. When you have a transparent proxy, you need to mark packets in OUTPUT, because the traffic originates from ZS itself.

    #47963

    abulas
    Member

    Sorry, my mistake. But I'm applying the rule to the OUTPUT chain; as you can see in my first post, I'm marking them. Or am I doing something wrong?
    Thanks for your reply.

    #47964

    foncused
    Member

    Hello all, ZS user here, as a router and HTTP proxy at the school I work for (stopping the kiddie winks accessing pr0n!).

    I would like to implement QoS to control users downloading and stealing the bandwidth, but I am hitting a few snags.

    Firstly, I am unable to create a bridge as per the official QoS ZS document. When I do it via the shell it says “error bridge not created”, and when I try under the GUI I get the same error; under the “networking” section the bridge has no IP assigned to it, and in the status messages at the foot of the page it says “error bridge not created”.

    Secondly, I have read on this forum that using QoS along with the HTTP proxy doesn't work out of the box and requires some extra commands etc. Thus far I haven't read that anyone in my boat has resolved this successfully.

    Could anyone help me with this?
    Much appreciated.
    Steve.

    #47965

    ppalias
    Member

    abulas

    It seems to be marked, but I am not sure if it is marked indeed. If you have Net Balancer, then the QoS mangling is disabled. A well-known bug.
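    The two points raised in this thread, marking in the mangle OUTPUT chain the HTTP that the transparent proxy sends out on the clients' behalf (first post) and finding out whether the mark is really applied (this reply), as an added shell example that is not code from the thread or from ZeroShell. It assumes the mark 0x11 and the layer7 match from the first post, a hypothetical account name PROXY_USER for the proxy daemon, and a constructed iptables listing for the offline check.

```shell
#!/bin/sh
# Added example, not from the thread or from ZeroShell: mark the HTTP that
# the transparent proxy sends out in the mangle OUTPUT chain, then read the
# rule counters to learn whether the mark is really being applied.
# Assumptions: mark 0x11 and the layer7 match from the first post;
# PROXY_USER is a hypothetical account the proxy daemon runs as.
MARK=0x11
PROXY_USER="${PROXY_USER:-proxy}"

# Print the rules instead of applying them so they can be reviewed first
# (pipe into sh to apply). Matching on the proxy's uid works without the
# layer7 module; the layer7 rule catches HTTP sent by other local processes.
mark_rules() {
    cat <<EOF
iptables -t mangle -N QOS_PROXY 2>/dev/null
iptables -t mangle -C OUTPUT -j QOS_PROXY 2>/dev/null || iptables -t mangle -A OUTPUT -j QOS_PROXY
iptables -t mangle -A QOS_PROXY -p tcp -m owner --uid-owner $PROXY_USER -j MARK --set-mark $MARK
iptables -t mangle -A QOS_PROXY -p tcp -m layer7 --l7proto http -j MARK --set-mark $MARK
EOF
}

# Read 'iptables -t mangle -L QOS_PROXY -v -n -x' output on stdin and sum the
# packet counters of every rule that sets our mark. A total that stays at 0
# while clients browse means the traffic never reaches this chain (for
# instance when Net Balancer has disabled the QoS mangling).
mark_hits() {
    awk -v m="$MARK" 'index($0, "MARK set " m) > 0 { sum += $1 } END { print sum + 0 }'
}

# Constructed listing in the format of 'iptables -L -v -n -x', for an offline run.
SAMPLE_LISTING='Chain QOS_PROXY (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12       720 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 13 MARK set 0x11
       0         0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto http MARK set 0x11'

# True when the counter grew between two snapshots.
mark_increased() { [ "$2" -gt "$1" ]; }

# Live check on the router: snapshot, let clients browse, snapshot again.
verify_live() {
    before=$(iptables -t mangle -L QOS_PROXY -v -n -x | mark_hits)
    sleep "${1:-10}"
    after=$(iptables -t mangle -L QOS_PROXY -v -n -x | mark_hits)
    mark_increased "$before" "$after"
}
```

    Run `verify_live 30` on the router while a client browses; a failure means the proxy's traffic is not passing through the marking rules at all, whatever the rule listing suggests.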

    #47966

    ppalias
    Member

    Steve:
    1) There may be something wrong with the interfaces you want to add to the BRIDGE. Could you describe exactly what interfaces you have and which you want to add to the bridge?

    2) I knew that QoS is not working correctly along with Netbalancer and that the HTTP Proxy should be stopped when taking a backup. Could you point to the topic where you read that?

    #47967

    foncused
    Member

    Hi all.
    I've been very busy at school and have had no time to pick up this project again.
    ppalias, I read that, due to the fact that the proxy is running as well, iptables commands need to be entered manually etc. All this is far outside my abilities, so I built another box just to be used for QoS.
    I placed this between the network switch and the gateway and proxy (another ZS box).
    I have read the traffic shaping document found here http://www.zeroshell.net/eng/qos/ and this is where I get lost.
    The box has 2 NICs, both recognised by ZS, and I have configured them to link the student network and the ZS gateway and proxy using the default gateway option in the router section.
    I then enabled QoS on both NICs and set about testing the config, playing with the default class for unclassified traffic. I can alter this and throttle traffic down, but when I test this live at school the limit is shared by the students as opposed to each student having his own limit. Also, I can create classes (for example a faster speed for me using IP or MAC) but they have no effect; in fact I think that there is no classification of traffic at all.
    I tried a bridge, however I couldn't get the bridge to pass through to the gateway.
    I really need to get to grips with QoS; I know I have a deficit in my knowledge that I am furiously making up (or trying to) using Google.
    But could anyone help me out a little with a really basic QoS setup?
    My aim is to have 2 classes for all traffic (as I block P2P at the port level using the gateway): one called students (150kbps down / 20kbps up) and another called admins (unlimited for me, essentially, so I can download large files when and as needed).
    I think my problem is the bridge or router part.
    Any ideas?
    Thanks again.
    Steve.

    #47968

    ppalias
    Member

    If you bridge the interfaces then you will only have one IP on the box, for the remote management. All the traffic will flow through the box transparently. So your client PCs will have as gateway IP address the IP of the gateway ZS.
    You cannot limit each student independently unless you create one class map for everyone. They will share the bandwidth you allow for them.
    Bridge is a bit faster than routing, but this is not something you'll ever notice. Also take my advice and enable QoS only on the outgoing interface towards the internet.

    #47969

    foncused
    Member

    Right, OK, now I see it.
    I used the bridge method and finally got it working. I was expecting 2 IPs, a little like a router I guess; now the 1 IP is clearer to me, thanks.
    I was worried that a clever student could discover the other gateway and use that to avoid the BW limits, but yes, I just checked and it doesn't matter which of the 2 gateways he uses, the limits are in place.
    I have set up a separate rule per IP (there are only 50 clients), one for me that's faster, and left the rest of the BW for the default unclassified or unknown wireless users.
    So far it's working great; I feel more in control of the network now, though I think it could still be tweaked a little.
    For example, I have a 6 meg line (works out to 777 kilobytes a sec) and I have given 5mbits to me, 2mbits to the 50 client computers and left 1mbit to the default wireless users. This means that I am over-accounted for; is this an issue? I guess it may be if the line gets very busy.
    Should you always allocate ONLY the BW you have?
    I have set the priority to low for default, medium for the clients and high for me; is that also best practice?
    Thanks for the help, I appreciate it a lot.
    Regards.
    Steve.

    #47970

    ppalias
    Member

    Usually you specify the maximum bandwidth and then you allocate some portions from it for guaranteed. In total they shouldn’t exceed the maximum. Priorities seem ok but you should know that your clients will definitely starve once you utilize the bandwidth.
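    The budgeting rule in the last two posts (guarantees carved out of the 6 Mbit line must not add up to more than the line, and priorities decide who is served first when it fills), as an added example that is not from the thread or from ZeroShell. It uses plain Linux tc/HTB commands instead of the ZeroShell GUI, and the device name and the two class tables are constructed from the numbers Steve gave.

```shell
#!/bin/sh
# Added example, not from the thread or from ZeroShell: keep the guaranteed
# rates of the HTB classes within the link and emit the tc commands.
# Assumptions: plain tc/HTB instead of the ZeroShell GUI; DEV and the
# class tables are constructed, using the thread's 6 Mbit line.
DEV="${DEV:-eth0}"
LINK_KBIT=6000

# Class entries are name:guaranteed_kbit:prio (lower prio is served first).
# OVERBOOKED is the thread's own split (5+2+1 Mbit), which exceeds the line.
OVERBOOKED="admins:5000:0 clients:2000:1 default:1000:2"
BALANCED="admins:3000:0 clients:2000:1 default:1000:2"

# Print the sum of the guaranteed rates in kbit.
sum_rates() {
    total=0
    for entry in $1; do
        rate=${entry#*:}; rate=${rate%%:*}
        total=$((total + rate))
    done
    echo "$total"
}

# Succeed only when the guarantees fit inside the link.
fits_link() { [ "$(sum_rates "$1")" -le "$LINK_KBIT" ]; }

# Emit the tc commands: a root HTB capped at the link speed, each class
# guaranteed its rate and allowed to borrow idle bandwidth up to the link
# ('ceil'), with the last class (here 'default') catching unclassified traffic.
emit_tc() {
    fits_link "$1" || { echo "guarantees exceed ${LINK_KBIT}kbit" >&2; return 1; }
    n=$(echo "$1" | wc -w)
    echo "tc qdisc add dev $DEV root handle 1: htb default $((n * 10))"
    echo "tc class add dev $DEV parent 1: classid 1:1 htb rate ${LINK_KBIT}kbit"
    id=10
    for entry in $1; do
        name=${entry%%:*}; rest=${entry#*:}; rate=${rest%%:*}; prio=${rest#*:}
        echo "tc class add dev $DEV parent 1:1 classid 1:$id htb rate ${rate}kbit ceil ${LINK_KBIT}kbit prio $prio  # $name"
        id=$((id + 10))
    done
}
```

    With the balanced table every class is guaranteed its share even when the line is full, while the over-booked table is refused before any command is emitted; the prio numbers reproduce the high/medium/low ordering from the thread, so the lowest class still starves first under load.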
