Shaping in Linux (vlan + nat + in / out)?

Asked by anggraini

I know that a great many articles have been written about this, but unfortunately so far none of them has made it clear for me. =(

There is a Linux router (at a small home ISP, distro: Gentoo) distributing the Internet to 150+ users.

I need to limit both inbound and outbound speed for users according to their tariff plans.

Each building has its own VLAN, and all of these VLANs come to the router. On the way out there is one eth interface to the Internet. All users sit behind NAT.

The scheme is as follows:

{vlan1, vlan2, ..., vlann} eth0 => (pc-router) [nat] => eth1

Accordingly, I need to limit both inbound and outbound speed for each user according to their tariff plan.

Don't suggest: splitting across several machines, Cisco.

It has to be done on one box. At least FreeBSD handles this task with a bang in another segment (I'll go back to it if I still can't master the shaper in Linux, but I don't feel like giving up yet).

In theory you need to create a virtual ifb interface, but I can't figure out how to make it work with in + out + NAT + VLAN.


And what is the problem? Mark through iptables in mangle::FORWARD, then the usual HTB on vlan* and eth1, and with the fw traffic filter steer the traffic into the corresponding classes.
Shaping will accordingly apply to traffic leaving the interface. NAT is no hindrance at all, since traffic marking happens before it.
Since there are a lot of VLANs, I would like to avoid having to enable the shaper on all the interfaces; besides, you have to work out which interface the subscriber is hanging off, so as not to force the kernel to search for the user where it isn't. I also read somewhere that there can be no more than 255 marks, although maybe that was in old kernels.

In general, I want to find a simpler way. - flissc
michelle mcgrath
Frankly speaking, the shaper in ipfw is MUCH more convenient than iproute2, so switching to FreeBSD after all may well be the right decision... Although it is Linux itself, but still.
That's true. The reason that prompted me to try moving to Linux is a much more convenient firewall than ipfw, although this is probably a matter of taste.
But personally, I have fairly extensive experience using ipfw, and having tried and built iptables, I realised that iptables is a hundred times more transparent and simpler to configure. - ollie latham
Curiously, I have quite the opposite experience: having used iptables and then tried ipfw, I found it much more convenient... hmm) - sueann
anita harris
Shaping in Linux is harsh. The tc syntax only makes it worse. Especially if you need to honestly divide the inbound bandwidth; I don't know a simple native way to do it. Only with crutches in the form of IFB or IMQ, with IFB being the better one: it is ideologically correct and, it seems, you don't even need to patch the kernel and iptables. Outbound traffic (going from the router to the users in the VLANs) I would shape right on their network interfaces. Inbound from users is marked and wrapped into IFB. On the IFB an HTB class tree is hung, and users are filtered by mark, each onto their own leaf. Traffic will be redirected there by this wonderful command:
tc filter add dev $VLAN parent ffff: protocol ip prio 1 u32 match u32 0 0 flowid 1:1 action ipt -j MARK --set-mark $VID action mirred egress redirect dev $IFB
In short, put FreeBSD there; if you understand it, it will be easier for you and more reliable for the users.
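The two answers above (mark in mangle/FORWARD, HTB plus fw filters on the VLAN interfaces and eth1; ingress redirected into one IFB device with its own HTB tree) can be put together into a single script. The following is an added example written for this page, not code posted by anyone in the thread: interface names, link rate and the subscriber table are constructed, and RUN=echo (the default) prints the tc/iptables commands instead of executing them, so the plan can be inspected before running it as root with RUN= on a real router.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds per-subscriber shaping on a
# Linux router that terminates many VLANs and NATs them out via eth1, the way
# the two answers above describe it:
#   - downstream (Internet -> subscriber) is an HTB tree on the egress of the
#     subscriber's VLAN interface; the leaf is chosen by a fwmark set in
#     mangle/FORWARD, which already sees the post-DNAT internal address, so
#     NAT is no obstacle.
#   - upstream (subscriber -> Internet) is taken off each VLAN's ingress and
#     redirected to one ifb device with its own HTB tree; leaves are chosen by
#     a u32 match on the (pre-SNAT) source address, because the ingress hook
#     runs before netfilter and an iptables mark is not present there yet.
# RUN=echo (default) only prints the commands; RUN= executes them as root.
set -eu
RUN="${RUN-echo}"

# Assumptions (constructed): interface names, link speed, subscriber table.
IFB=ifb0
LINK_RATE=100mbit
# fwmark  vlan    subscriber-ip  down   up
SUBSCRIBERS='
10 vlan10 10.10.0.2 2mbit 1mbit
11 vlan10 10.10.0.3 4mbit 2mbit
20 vlan20 10.20.0.2 8mbit 4mbit
'

# HTB root on a device: parent class 1:1 at link rate, small default class
# 1:999 for anything that matches no subscriber filter.
setup_root() {            # $1=dev
  $RUN tc qdisc add dev "$1" root handle 1: htb default 999
  $RUN tc class add dev "$1" parent 1: classid 1:1 htb rate "$LINK_RATE"
  $RUN tc class add dev "$1" parent 1:1 classid 1:999 htb rate 64kbit ceil "$LINK_RATE"
}

# One leaf per subscriber; rate == ceil makes the tariff a hard cap, sfq keeps
# the subscriber's own flows fair inside the leaf.
add_leaf() {              # $1=dev $2=classid minor (hex) $3=rate
  $RUN tc class add dev "$1" parent 1:1 classid "1:$2" htb rate "$3" ceil "$3"
  $RUN tc qdisc add dev "$1" parent "1:$2" handle "$2:" sfq perturb 10
}

# Ingress of a VLAN: catch everything and hand it to the ifb device, where the
# upstream HTB tree (built by setup_root "$IFB") applies.
redirect_ingress() {      # $1=vlan dev
  $RUN tc qdisc add dev "$1" handle ffff: ingress
  $RUN tc filter add dev "$1" parent ffff: protocol ip prio 1 u32 match u32 0 0 \
    action mirred egress redirect dev "$IFB"
}

add_subscriber() {        # $1=fwmark $2=vlan $3=ip $4=down $5=up
  minor=$(printf '%x' "$1")   # tc classids are hex, iptables marks decimal
  # downstream: mark in mangle/FORWARD, pick the leaf by mark on VLAN egress
  $RUN iptables -t mangle -A FORWARD -o "$2" -d "$3" -j MARK --set-mark "$1"
  add_leaf "$2" "$minor" "$4"
  $RUN tc filter add dev "$2" parent 1: protocol ip prio 1 handle "$1" fw flowid "1:$minor"
  # upstream: leaf on the ifb, picked by the subscriber's source address
  add_leaf "$IFB" "$minor" "$5"
  $RUN tc filter add dev "$IFB" parent 1: protocol ip prio 1 u32 \
    match ip src "$3/32" flowid "1:$minor"
}

main() {
  $RUN ip link add "$IFB" type ifb
  $RUN ip link set "$IFB" up
  setup_root "$IFB"
  for v in $(printf '%s\n' "$SUBSCRIBERS" | awk 'NF {print $2}' | sort -u); do
    setup_root "$v"
    redirect_ingress "$v"
  done
  printf '%s\n' "$SUBSCRIBERS" | while read -r mark vlan ip down up; do
    if [ -n "$mark" ]; then
      add_subscriber "$mark" "$vlan" "$ip" "$down" "$up"
    fi
  done
}

main
```

The ifb tree is keyed on source address rather than on fwmark on purpose: the ingress hook fires before netfilter, so a mark set in FORWARD is not visible there, which is why the quoted command sets the mark inside the tc action itself. The fwmark is a 32-bit field, so the per-subscriber marks are not limited to 255; the only thing to keep straight is that iptables takes the mark in decimal while tc classids are hexadecimal, which the printf '%x' conversion handles.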