August 21, 2008 at 3:18 pm #41151
First of all I will tell you about my network.
1) I have a central Zeroshell server with two Ethernet adapters. One faces the Internet (ETH00) with a static IP address and the other one faces my LAN (ETH01).
2) I have 5 LAN-to-LAN VPNs terminating on this central server, running on OpenVPN. These VPNs are all routed (not bridged).
3) The remote servers connecting to these VPNs are also Zeroshell boxes and have dynamic IP addresses.
4) My Internet bandwidth is much less than my LAN bandwidth.
Now, what I want to do is very simple in theory, but I am not sure I'm using the right approach to achieve it. I want to guarantee some bandwidth (download and upload) for the VPNs in the first place and prioritize the VPN traffic. Once bandwidth is assured for the VPNs I want to assign bandwidth and priority to the other services that go between the Internet and the LAN (from ETH01 to ETH00 and vice versa).
Here are my rules for the QoS classifier:
Seq Input Output Description QoS Class Log Active
1 * * MARK all opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto msn-filetransfer MARK set 0xb P2P no
2 * * MARK all opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 ipp2p v0.8.2-pomng –kazaa –gnu –edk –dc –bit LAYER7 l7proto edonkey MARK set 0xb P2P no
3 * * MARK all opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb P2P no
4 * * MARK tcp opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:25 MARK set 0xc MEDIUM no
5 VPN00 ETH01 MARK all opt — in VPN00 out ETH01 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x17 Invpn00 no
6 VPN01 ETH01 MARK all opt — in VPN01 out ETH01 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x11 Invpn01 no
7 VPN02 ETH01 MARK all opt — in VPN02 out ETH01 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x18 Invpn02 no
8 VPN03 ETH01 MARK all opt — in VPN03 out ETH01 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x13 Invpn03 no
9 VPN04 ETH01 MARK all opt — in VPN04 out ETH01 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x15 Invpn04 no
10 ETH01 VPN00 MARK all opt — in ETH01 out VPN00 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x16 Outvpn00 no
11 ETH01 VPN01 MARK all opt — in ETH01 out VPN01 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x10 OUTVpn01 no
12 ETH01 VPN02 MARK all opt — in ETH01 out VPN02 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x19 OUTvpn02 no
13 ETH01 VPN03 MARK all opt — in ETH01 out VPN03 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x12 OUTVpn03 no
14 ETH01 VPN04 MARK all opt — in ETH01 out VPN04 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x14 OUTvpn04 no
15 ETH00 ETH01 MARK all opt — in ETH00 out ETH01 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0xc MEDIUM yes
16 ETH01 ETH00 MARK all opt — in ETH01 out ETH00 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0xc MEDIUM no
For each VPN class I have a maximum equal to my total Internet bandwidth and a guaranteed 10% of my total Internet bandwidth; priority is high. When that works as I expect I will assign bandwidth to the other services.
Global bandwidth on ETH00 (the Internet interface) is set to the real speed of the line; guaranteed = maximum in this case.
All the IN rules are applied to the ETH01 (LAN) interface in the interface manager.
All the OUT rules are applied to each VPN interface in the interface manager.
I think that with these settings I have limited the bandwidth each VPN can use but I have not guaranteed the bandwidth for the VPN.
Any ideas or comments will be very useful.
Thanks.

August 21, 2008 at 7:38 pm #46811
I do not think your setup is correct. Could you post a diagram of your network?

August 21, 2008 at 9:20 pm #46812
Thanks for your answer. Here is the diagram. Any information you need, please ask me.
August 21, 2008 at 10:21 pm #46813
In my opinion you should assign a guaranteed bandwidth and priority to the OpenVPN tunnels themselves (UDP or TCP).
Suppose that VPN00 is in server mode and uses port 1195/TCP on the central server.
You have to add the following QoS classifier rule on the central server:
ETH00 MARK tcp opt — in * out ETH00 0.0.0.0/0 -> 0.0.0.0/0 tcp spt:1195 MARK set 0x16 Outvpn00 no
and on the remote server the rule:
ETH00 MARK tcp opt — in * out ETH00 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:1195 MARK set 0x16 Outvpn00 no
where the class Outvpn00 is applied to the Internet interface (ETH00 in your case).
Note that on the central server you check the source port and on the remote server the destination port.
Rules 10-14 are useless at this point.

August 23, 2008 at 2:51 pm #46814
Thank you very much for your help.
Today I will try these settings.
I have a question: in my original setup, do rules 5 to 9 seem OK?
IAZS

August 23, 2008 at 3:21 pm #46815
Actually, what you want to get is not easy. Linux traffic shaping directly manages outgoing traffic. To manage incoming traffic, instead, you need to limit the flows on the other interfaces. In your case, I am not sure which strategy is better. You should try and see if you obtain good results.
Fulvio

August 23, 2008 at 4:38 pm #46816
I spent all this morning making tests.
With the setup you suggested I did not capture any traffic.
Then I made a rule:
10 * ETH00 MARK tcp opt — in * out ETH00 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0x10 OUTVPN1 yes
And then I filtered the log using the IP address of the remote VPN client (its Internet IP) and had no results. As we were discussing in another post about QoS + proxy, I think the OpenVPN traffic is not seen by the QoS classifier at the Internet interface.
I will continue making tests and, of course, I will post any results I get.
I know that what I am trying here is not easy, but I am sure there is a way to make it work.
Thanks for all your help.
IAZS

August 23, 2008 at 7:06 pm #46817
You are right. What I forgot is that in your case the OpenVPN daemon is a local process on the box that performs the traffic shaping, and its connections cannot be classified by the FORWARD chain (mangle table), which is where the Zeroshell web interface puts the QoS rules.
You can try one of the following workarounds:
– Split the QoS task onto a separate box. You can configure it in bridge mode and put it between the Internet router and the VPN router. In my opinion this is the best solution, but you need additional hardware.
– Apply the QoS rules that shape the OpenVPN tunnels with manual iptables commands in the INPUT and OUTPUT chains of the mangle table.
Fulvio

August 23, 2008 at 8:04 pm #46818
Thanks again for your answer.
How difficult would it be to add to the QoS classifier a selector to put each rule in the INPUT, OUTPUT or FORWARD chain, just like in the firewall configuration screen?
I think this would be the best solution, as with one piece of hardware we could cover all the network needs, including QoS for the proxy and for the VPNs.
IAZS

August 24, 2008 at 6:12 am #46819
It wouldn't be hard, but it would be a partial solution. In fact you could control only the outgoing traffic of the local processes. With an external box dedicated to traffic shaping, instead, you could also control the incoming traffic.
Fulvio

August 24, 2008 at 4:47 pm #46820
Thank you very much for all your help and for bringing us the ZS project. It's just great.
The company where I am using ZS won't give me budget for separate shaping boxes, so I have to do the best with the boxes I have now. As I have 5 VPNs I am using 6 ZS boxes, and using a separate box for shaping in each place I need shaping would mean 6 new boxes.
I was thinking the following: if we could set the QoS in the POSTROUTING chain we could catch the traffic going to the LAN and to the Internet from the VPN and the proxy, plus all the forwarded traffic. I think that would be the most precise way to apply QoS in any case where the same box does several tasks besides routing. What do you think?
I have some questions. What should I modify so that the QoS applies to the POSTROUTING chain by default?
Where can I find the QoS rules stored in the database?
IAZS

August 24, 2008 at 7:29 pm #46821
In the directory /root/kerbynet.cgi/scripts you must change FORWARD -> POSTROUTING in the bash scripts:
fw_initrules (near line 8)
fw_makerule (near line 10)
The rules are stored in the directory
Fulvio

August 31, 2008 at 7:49 am #46822
Thank you very much. This really helped me with the QoS.
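Added example, not code from the thread and not one of Zeroshell's own scripts: a POSIX shell helper that emits the manual iptables mangle rules Fulvio describes for the OpenVPN tunnels, in the INPUT and OUTPUT chains that a local openvpn process actually traverses, instead of the FORWARD chain the web-interface classifier writes to. The ROLE argument encodes his note that the central server matches the source port and the remote box the destination port. Assumptions not stated in the thread: the Internet interface is named ETH00, the tunnel protocol is passed per call (tcp for the 1195/TCP example), and the mark 0x16 is IAZS's Outvpn00 mark with that class bound to ETH00 in the interface manager. EGRESS_CHAIN=POSTROUTING mirrors the FORWARD -> POSTROUTING edit to fw_initrules/fw_makerule, since POSTROUTING also sees locally generated packets.

```shell
#!/bin/sh
# Added example, not from the thread or from Zeroshell. Prints (or applies)
# the manual iptables mangle rules that mark OpenVPN tunnel packets. The
# Zeroshell QoS classifier misses them because it writes rules only into the
# FORWARD chain, while the openvpn daemon is a local process whose packets
# traverse OUTPUT (upload) and INPUT (download).
#
# Assumptions (not given in the thread): WAN_IF is the Internet interface
# (ETH00 for IAZS), the protocol is passed per tunnel, and MARK is the fwmark
# of the QoS class bound to WAN_IF in the interface manager (0x16 = Outvpn00).
# EGRESS_CHAIN=POSTROUTING mirrors the FORWARD->POSTROUTING edit in
# fw_initrules/fw_makerule: POSTROUTING also sees locally generated packets.

WAN_IF="${WAN_IF:-ETH00}"
EGRESS_CHAIN="${EGRESS_CHAIN:-OUTPUT}"

# vpn_mangle_rules ROLE PROTO PORT MARK
#   ROLE  server : central box, match the tunnel's source port (Fulvio's spt)
#         client : remote box, match the destination port (Fulvio's dpt)
#   PROTO tcp|udp, PORT the OpenVPN port on the central server, MARK the fwmark
# Prints one iptables command per line; nothing is executed here.
vpn_mangle_rules() {
    role=$1; proto=$2; port=$3; mark=$4
    case "$role" in
        server) out_match="--sport $port"; in_match="--dport $port" ;;
        client) out_match="--dport $port"; in_match="--sport $port" ;;
        *) echo "vpn_mangle_rules: role must be server or client, got '$role'" >&2
           return 1 ;;
    esac
    # Upload: packets generated by the local openvpn process leave through
    # OUTPUT (or POSTROUTING), never FORWARD, which is why the web-interface
    # rule with 'out ETH00' never matched them.
    echo "iptables -t mangle -A $EGRESS_CHAIN -o $WAN_IF -p $proto $out_match -j MARK --set-mark $mark"
    # Download: packets delivered to the local openvpn process arrive via INPUT.
    # Marking them only helps if something polices ingress on WAN_IF; Linux
    # shaping itself acts on egress, as Fulvio points out.
    echo "iptables -t mangle -A INPUT -i $WAN_IF -p $proto $in_match -j MARK --set-mark $mark"
}

# apply_rules ROLE PROTO PORT MARK
# Runs the commands from vpn_mangle_rules, or only prints them when DRY_RUN
# is set, so the rule set can be reviewed before touching the firewall.
apply_rules() {
    vpn_mangle_rules "$@" | while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            sh -c "$cmd" || echo "failed: $cmd" >&2
        fi
    done
}

# Stand-alone run: central server, VPN00 on 1195/TCP, mark 0x16 (Outvpn00).
# Prints the commands unless APPLY=1 is set, in which case they are executed.
if [ -z "$APPLY" ]; then DRY_RUN=1; fi
apply_rules server tcp 1195 0x16
```

To check that the rules take effect, run `iptables -t mangle -L OUTPUT -v -n` (or `-L POSTROUTING`) while tunnel traffic flows and confirm the packet counters on the marking rule increase, then `tc -s class show dev ETH00` to confirm the bytes accumulate in the class that the Zeroshell interface manager created for mark 0x16 rather than in the default class. Remove the rules with the same commands using `-D` in place of `-A`. Whether Zeroshell's own QoS scripts re-create the mangle table on reload, and therefore wipe these manual rules, is not covered by the thread; re-check the counters after any change in the web interface.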