Bandwidth Queues with VLANS

uk52rob · April 15, 2008, 9:35pm

Hi all.

Overview
We have several VLANS on our network, for which our MT is the gateway on each. Most VLANS access files / printers on a general shared VLAN (VLAN ID 1 by default). All port 80 traffic is marked via the transparent Web Proxy, and is routed via a bonded ADSL server. All other internet traffic is passed to a leased line.

Intention
We now want to be able to bandwidth shape or queue the traffic coming from the VLANS to the internet, with each VLAN being assigned a separate bandwidth declaration.

The problem
The queues I have created work successfully, however they are also limiting the bandwidth between the VLANS, which in turn makes file server and print transfers to / from the VLAN ID 1 network exteremly slow! Below is an example of one simple queue:

17 X name=“Test” dst-address=0.0.0.0/0 interface=test_vlan
direction=both priority=8
queue=ethernet-default/ethernet-default limit-at=512000/512000
max-limit=512000/512000 burst-time=2s/2s total-queue=default-small

Ideally what I would need here is a ‘!’ exception to the 192.168.1.0/24 (VLAN ID 1) network.. but there is no option.

I’m sure there’s a simple way but I must be missing something obvious here!

Thanks

fatonk · April 16, 2008, 7:08am

What you can do is that mark the traffic that you do not want to limit, and than mark the rest of traffic and lastly add that packet mark to the simple queue, or create new simple queue rules where you will limit traffic between VLANs at 100 Mbit/s and put these rules before the rules that limit traffic towards internet.

Regards.

Faton

uk52rob · April 16, 2008, 8:58am

Thanks Faton.

Any idea how to do this easily? I can imagine how I would want it to work, but how do you include ALL internet traffic in one mark, and ALL internal LAN traffic in another?

Regards

uk52rob · April 16, 2008, 9:14am

Would this literally be as simple as:

0 ;;; Mark LAN Traffic
chain=prerouting action=mark-packet new-packet-mark=LAN Traffic
passthrough=yes src-address=192.168.0.0/16 dst-address=192.168.0.0/16

1 ;;; Mark I-Net Traffic
chain=prerouting action=mark-packet new-packet-mark=I-Net Traffic
passthrough=yes src-address=!192.168.0.0/16 dst-address=!192.168.0.0/16

and setting the parent queue to packet mark ‘Mark LAN Traffic’, and the individual queues to ‘Mark I-Net Traffic’? Or am I being completely stupid here?!

Thanks

uk52rob · April 16, 2008, 9:23am

Ok, the above is processing many packets, but the queues are not doing anything, ie. no packets are being identified by them. Here is an example of two of the queues, the parent and a child:

10 name=“Internal LAN” dst-address=0.0.0.0/0 interface=all
parent=none packet-marks=LAN Traffic direction=both priority=1
queue=default/default limit-at=0/0 max-limit=0/0
total-queue=default-small

12 name=“VLAN 3 Queue” dst-address=0.0.0.0/0 interface=VLAN_3
parent=Internal LAN packet-marks=I-Net Traffic direction=both
priority=8 queue=ethernet-default/ethernet-default
limit-at=128000/128000 max-limit=128000/128000 burst-time=5s/5s
total-queue=default-small

uk52rob · April 16, 2008, 10:01am

Ok, I think i’ve sorted this now by following the queue instructions.

Cheers

fatonk · April 16, 2008, 10:13am

Correct, that’s what I was telling you. Good Job

Regards.

Faton

uk52rob · April 16, 2008, 10:25am

Ahh crap… I spoke too soon! That has not worked.

Check the attachments… The bits in red on the images have been edited for privacy reasons… not that they would be of any use to anyone!

Regards

uk52rob · April 16, 2008, 10:30am

The top queue and highlighted queues in question are below:

10 name=“Server Internal” target-addresses=192.168.1.5/32
dst-address=0.0.0.0/0 interface=all parent=none direction=both
priority=8 queue=default/default limit-at=0/0 max-limit=0/0
total-queue=default-small

13 name=“Removed” target-addresses=192.168.3.0/24
dst-address=0.0.0.0/0 interface=all parent=none direction=both
priority=8 queue=default/default limit-at=0/0 max-limit=128000/128000
total-queue=default-small

uk52rob · April 19, 2008, 6:45pm

Does anyone have an idea??

Thanks

fatonk · April 19, 2008, 7:34pm

have you try to put on top of all queue rules, the rule with 100 Mbit/s target address=192.168.0.0/24 dst-address=192.168.0.0/16, put this rule should be number “0” no rules before.

Regards.

Faton

fatonk · April 19, 2008, 8:14pm

OK, here it is another example:

ip firewall mangle add chain=prerouting src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=accept
ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=queue passthrough=yes src-address=192.168.0.0/16 dst-address=0.0.0.0/0

queue simple name=“Limit” target-addresses=192.168.1.5 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=queue direction=both priority=8 queue=default-small/default-small limit-at=256000/256000 max-limit=256000/256000 total-queue=default-small

This will give unlimited bandwidth through local interfaces, and will limit at 256k/256k host 192.168.1.5 towards internet.

I hope this wil help you.

Regards.

Faton

uk52rob · April 20, 2008, 8:56pm

Faton,

Thanks, I will give this a try!