Question regarding QoS, NetBalancing and Traffic shaping

This topic contains 16 replies, has 0 voices, and was last updated by  orallo 9 years, 7 months ago.

Viewing 15 posts - 1 through 15 (of 18 total)
  • #42334

    orallo
    Member

    First off, thanks to all members of the community for the great support and especially to Fulvio for all his hard work and dedication to this project.

    Let's see, we are a couple of programmers that got “stuck” with a network administrator task (on top of our programming jobs).

    We are not network gurus, but we are familiar with the technology, the terminology and, damn it, we are kinda smart people.

    Anyway, here is the situation that we have:

    We have a LAN with about 80 PCs connected to various switches, and those switches are connected to two aDSL internet routers.

    Router 1 is 192.168.1.1/255.255.255.0 and router 2 is 192.168.2.1/255.255.255.0.

    Right now we have split the LAN into 2 groups (about 40 PCs on IPs 192.168.1.XXX and the rest of the PCs 192.168.2.XXX) to “share” the load on the routers but this is not optimal to say the least.

    We are trying to set up ZS to implement Load Balancing and also traffic shaping.

    We got a PC with two network cards and we’ve set them up like this:

    Then on the Net Balance side we set them up like this:

    We are not sure if all this is correct so far, but we think it is…

    If we uncheck one of the DSL lines on the previous screenshot, traffic seems to flow over to the other DSL… so this is a good step.

    Now the other part of the problem is that we have some IPs that need guaranteed bandwidth.

    So we thought we’d set up some classes on the QoS class manager and configure them as needed. So we split the LAN by IPs as follows:

    But what we see is that no matter what IP I pick from the pool (for example one of the IPs with low priority and low bandwidth, or one with High priority and high bandwidth) if I go to a website to measure my connection speed I get the same results.

    Can someone help us see what we are doing wrong? And point us in the right direction. Thanks in advance for all your help, and when we get this all fixed up I promise to write up a tutorial to see if I can earn my license code to see all the pretty network graphics 😆

    Best regards,
    Orallo.

    P.S.
    By the way, does it matter that ZS is not physically between the routers and the network? We have the LAN laid out like this:

    #50051

    ppalias
    Member

    It is not your fault that QoS is not working properly. There is a known bug that QoS doesn’t work properly when used in conjunction with netbalancer.

    Regarding your second question about the topology, it is not exactly an error but your users are able to change their IP and go out of any DSL they want, thus avoiding any QoS rules you might want to enforce in the future. My suggestion is to install another ethernet card on the box and connect the 2 DSL modems directly on ZS, using the switches only to connect clients.

    #50052

    orallo
    Member

    Is this true? Can anybody confirm?

    If so, I read this morning that a new release of ZS is coming out soon, does anybody know if this problem will be fixed with the new release?

    Thanks a lot.
    -Orallo

    #50053

    ppalias
    Member

    Fulvio hasn’t confirmed it yet, but since it is an important problem and the current version was released about a year ago we all hope that it will be fixed.

    #50054

    atheling
    Member

    If you can’t wait for the new release from Fulvio, let me know and I’ll send you the patches I sent Fulvio last November/December to fix the netbalance/qos conflict.

    If he does not include those fixes (or equivalent) into the new release, I'll update them for that release when it comes.

    I do wish he would set up a CVS, SVN or other repository for people to submit fixes so that this type of fix could get out to the community faster.

    #50055

    marti vielha
    Member

    Hello.
    I want to put another ADSL on the zeroshell router; can I have problems with p2p QoS?

    thank you

    #50056

    ppalias
    Member

    Atheling I wouldn’t mind doing some beta testing for ZS’ sake. Give me a link where I could download the patches.

    #50057

    ppalias
    Member

    @marti vielha wrote:

    Hello.
    I want to put another ADSL on the zeroshell router; can I have problems with p2p QoS?

    thank you

    It won’t work with multiple wans.

    #50058

    orallo
    Member

    Hi All,

    We patched the system so netbalancing and QoS can work together but unfortunately we can't seem to get it to work.

    We create the classes, classify the traffic by IP ranges as described above and when I assign an IP on the (for example) IT range to my workstation, I still go to the WAN through the DEFAULT class.

    We're not sure what we are doing wrong or not doing.

    One of the tutorials (http://www.zeroshell.net/listing/QOS-zeroshell.pdf) suggests that we HAVE TO create a bridge between ETH00 and ETH01 in order for QoS to work, so we tried that too, but what happened is that it took our whole network down. Which is very strange to us…

    Our LAN is laid out right now with static IP addresses for each computer on the 192.168.1.x and 192.168.2.x ranges and the only computers “behind” zeroshell are our test computers until we get everything working…

    But when we create a bridge with the two interfaces as they are pictured above every computer on the LAN stops being able to access the WAN.

    Any ideas? What are we missing?

    Thanks to all for any and all input.

    -Orallo

    #50059

    atheling
    Member

    orallo,

    Bridging should not be required.

    Are the screen shots you posted at the beginning of this thread still valid?

    Could you log into the Zeroshell console and run the following command:

    iptables -t mangle -nv -L

    This should help see what the web interface actually set up for you with respect to net balancing and QoS.

    #50060

    orallo
    Member

    Good Morning Atheling,

    Here is the output from the command you posted:

    Thanks

    root@zeroshell root> iptables -t mangle -nv -L
    Chain PREROUTING (policy ACCEPT 87966 packets, 9104K bytes)
    pkts bytes target prot opt in out source destination
    87966 9104K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
    55448 6317K NB_CT_PRE all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    87966 9104K NetBalancer all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain INPUT (policy ACCEPT 78598 packets, 7898K bytes)
    pkts bytes target prot opt in out source destination
    46080 5111K NB_CT_POST all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    78598 7898K NetBalancer all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 33130 packets, 3072K bytes)
    pkts bytes target prot opt in out source destination
    33130 3072K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
    33130 3072K NetBalancer all -- * * 0.0.0.0/0 0.0.0.0/0
    33130 3072K OpenVPN all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT 33130 packets, 3072K bytes)
    pkts bytes target prot opt in out source destination
    32117 2682K NB_CT_POST all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    33130 3072K NB_STAT all -- * * 0.0.0.0/0 0.0.0.0/0
    33130 3072K QoS all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain NB_CT_POST (2 references)
    pkts bytes target prot opt in out source destination
    934 70783 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 realm 0x66 MARK set 0x66
    935 71036 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 realm 0x65 MARK set 0x65
    78197 7793K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save

    Chain NB_CT_PRE (1 references)
    pkts bytes target prot opt in out source destination
    27717 3158K MARK all -- ETH01 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x66
    27717 3158K MARK all -- ETH01 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x65

    Chain NB_STAT (1 references)
    pkts bytes target prot opt in out source destination
    999 75366 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x66
    1817 447K all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x65

    Chain NetBalancer (3 references)
    pkts bytes target prot opt in out source destination

    Chain OpenVPN (1 references)
    pkts bytes target prot opt in out source destination

    Chain QoS (1 references)
    pkts bytes target prot opt in out source destination
    33130 3072K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x0
    0 0 MARK all -- ETH01 * 172.16.1.112 0.0.0.0/0 MARK set 0xa
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
    root@zeroshell root>

    #50061

    atheling
    Member

    @orallo wrote:

    Good Morning Atheling,

    Here is the output from the command you posted:

    Thanks

    I am seeing a couple of things in your capture that are either wrong or I don’t understand.

    First,
    Chain NB_CT_PRE (1 references)
    pkts bytes target prot opt in out source destination
    27717 3158K MARK all -- ETH01 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x66
    27717 3158K MARK all -- ETH01 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x65

    This is a problem in the patches I posted. You have two different Internet routes accessible via the same interface. My patches assumed only one destination per interface. The NB_CT_PRE chain only affects new traffic coming in from the Internet so you probably won’t notice an issue unless you are running publicly accessible servers on your LAN. But I will have to look into this and fix my changes.

    Second:
    Chain QoS (1 references)
    pkts bytes target prot opt in out source destination
    33130 3072K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x0
    0 0 MARK all -- ETH01 * 172.16.1.112 0.0.0.0/0 MARK set 0xa
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0

    This looks like it will only set a QoS value on packets coming in from ETH01 with a source address of 172.16.1.112. But if I understood your screen shots and explanation, ETH01 is your Internet connection. And the addresses on that should be in the 192.168.1.0/24 or 192.168.2.0/24 so no traffic will match this rule and everything will be classified as “default”.

    Looks like you need to set this classification on your LAN interface rather than your WAN interface. Or don’t even set the interface in the matching rule, just the source address.

    #50062

    atheling
    Member

    By the way, your network diagram shows a network topology that I would not even consider setting up myself.

    While I might put both DSL modems onto one switch and from there run them into Zeroshell, I certainly would not put my LAN and WAN traffic into the same switching fabric.

    And it looks like you are doing double NAT for all Internet traffic (once in each DSL modem and again in Zeroshell). Given the issues I’ve seen with NAT and VoIP (VoIP is crucial for me) that would be just asking for more problems.

    Given enough Ethernet cards, I’d have at least three interfaces on the Zeroshell box so that each DSL modem was directly connected to the Zeroshell router and the LAN was off the third. And then I’d set the DSL modems to bridging mode and do the PPPoE for each ISP in Zeroshell. That would allow better detection of failed links (via the PPPoE handshaking) and you would have only one place where NAT was being performed.

    #50063

    orallo
    Member

    Hi Again Atheling,

    Regarding the topology… I know, it's bad, I just dropped the ZS box on the switch in my office.

    If/when I get all the NB/QoS stuff working I will move ZS to the server/switch room where it will be placed between the DSL modems and the LAN. But for now, for testing purposes, I think it should do.

    Regarding the NB/QoS stuff…

    Here is what I'm trying to accomplish (it's a slight variation from what I had stated before):

    – Put all computers on the 172.16.1.XXX segment.
    – Balance both internet connections in ZS.
    – Apply QoS rules by IP ranges, for example I want to make sure an IP (for example, 172.16.1.112) gets a guaranteed 1 Mb up/down pipe for all traffic combined.
    – And eventually I'd like to set up a captive portal to filter some content too, but that's not important for right now.

    And by the way, there is a typo on the diagram, my DSL routers are on IPs 192.168.1.1 and 192.168.2.1 NOT on 192.168.1.1 and 192.168.1.2.

    If you could give me a list of the things I need to do to get all this working I’d greatly appreciate it.

    I think a list should be enough, I don't think I need step by step instructions (but then again… if you feel typey… go nuts!! lol)

    Thanks again,
    -Orallo

    #50064

    atheling
    Member

    Well, load balancing of traffic originating from your 172.16.1.0/24 segment should work as you now have it set up.

    Your classification for QoS is failing because it only matches traffic originating on the Internet (ETH01). Drop the interface match in your Classifier rule and use only the source address and you should start classifying traffic.
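
    The classification failure atheling diagnoses in #50061 and restates here, as an added example that is not code from the thread or from ZeroShell: it parses the QoS and NB_CT_PRE chains from orallo's paste and replays how the kernel walks MARK rules. The LAN interface name ETH00 is an assumption; the packet addresses are constructed.

```python
"""Added example (not code from the thread or ZeroShell): parse the MARK rules of a chain
pasted from `iptables -t mangle -nv -L` and simulate the mark a packet gets."""
import ipaddress

LAN_IFACE = "ETH00"  # assumption: ETH00 faces the LAN, ETH01 the DSL routers

# Constructed input: the two chains as pasted in the thread (dashes normalised).
QOS_CHAIN = """\
Chain QoS (1 references)
pkts bytes target prot opt in out source destination
33130 3072K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x0
0 0 MARK all -- ETH01 * 172.16.1.112 0.0.0.0/0 MARK set 0xa
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0"""
NB_CT_PRE_CHAIN = """\
Chain NB_CT_PRE (1 references)
pkts bytes target prot opt in out source destination
27717 3158K MARK all -- ETH01 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x66
27717 3158K MARK all -- ETH01 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x65"""

def parse_mark_rules(listing):
    """Return (in_iface, source_network, mark) for every 'MARK set' rule in a -nv listing."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 12 or f[2] != "MARK" or f[9:11] != ["MARK", "set"]:
            continue
        rules.append((f[5], ipaddress.ip_network(f[7], strict=False), int(f[11], 16)))
    return rules

def classify(rules, in_iface, src_ip):
    """MARK is non-terminating: rules are walked in order and the last match wins."""
    mark = 0
    for iface, net, value in rules:
        if iface in ("*", in_iface) and ipaddress.ip_address(src_ip) in net:
            mark = value
    return mark

def without_iface_match(rules):
    """atheling's fix: keep only the source-address match, drop the interface match."""
    return [("*", net, value) for _iface, net, value in rules]

def demo():
    qos = parse_mark_rules(QOS_CHAIN)
    before = classify(qos, LAN_IFACE, "172.16.1.112")                      # 0x0: DEFAULT class
    after = classify(without_iface_match(qos), LAN_IFACE, "172.16.1.112")  # 0xa
    # Both NB_CT_PRE rules match any packet entering on ETH01, so 0x66 is always overwritten.
    shadowed = classify(parse_mark_rules(NB_CT_PRE_CHAIN), "ETH01", "203.0.113.5")  # 0x65
    return before, after, shadowed

if __name__ == "__main__":
    print("QoS as configured, fixed, NB_CT_PRE: %s" % [hex(m) for m in demo()])
```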
