I’m trying to understand the global and interface queues. I read the Wiki and some discussions here, but a few basic questions are still standing.
When do you use global-in or global-out? Usually the goal is to control WAN in/out separately from LAN traffic, so why/when would you use a queue for ALL traffic entering the router from anywhere, or anything exiting the router? It doesn’t differentiate whether local (LAN) or LAN<>WAN traffic… How is it relevant?
The usual suggestion for simple QoS is an upload queue on the WAN interface and a download queue on the LAN interface. But the LAN interface handles both from-WAN AND local, within-LAN, traffic. By setting limit-at and max-limit parameters on the LAN interface queue I intend to manage only from-WAN traffic - the actual downloads, not all the internal stuff. What am I missing here?
When do you use global-in or global-out? Usually the goal is to control WAN in/out separately from LAN traffic, so why/when would you use a queue for ALL traffic entering the router from anywhere, or anything exiting the router? It doesn’t differentiate whether local (LAN) or LAN<>WAN traffic… How is it relevant?
When you want to shape the total traffic for the device. Might not be useful for you, but it’s nice to have. Global queues also fire before simple queues, so you can use them to override simple queues.
The usual suggestion for simple QoS is an upload queue on the WAN interface and a download queue on the LAN interface. But the LAN interface handles both from-WAN AND local, within-LAN, traffic. By setting limit-at and max-limit parameters on the LAN interface queue I intend to manage only from-WAN traffic - the actual downloads, not all the internal stuff. What am I missing here?
Include packet marks in queue matching, and mark only the packets from LAN to WAN. That way LAN to LAN traffic doesn’t have the mark, doesn’t match the queue and doesn’t get shaped.
Random example: Global-in receives traffic before packet filtering, so if you’re under attack to the point that your packet filter ruleset can’t process it, you can shape in global-in.
Generally speaking, it’s best to first mark the connection and then to mark packets based on the connection mark. Think about it in terms of what kind of decisions the mangle rule has to make. Let’s say you want to mark all traffic from 192.168.1.0/24 to the WAN, but not to 192.168.2.0/24 or 192.168.3.0/24. If you directly marked packets, for every packet you’d have to look at its source address and ensure a match, and its destination address and ensure it doesn’t match two networks. If you mark the connection based on those criteria and then further up in the ruleset mark all packets that match a specific connection mark without passthrough, you only have to compare for the three matches once, and then all further packets in the connections can be found by just one comparison (is it part of a connection with this mark).
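A worked RouterOS configuration for the approach in this reply (mark the connection once, mark packets by connection mark, queue only marked packets), added here as an example and not taken from the thread. It assumes ether1 is the WAN and ether2 the LAN with 192.168.1.0/24 on it, and the rate figures and the address-list name are placeholders.

```routeros
# Added example (not from the thread). Assumes ether1 = WAN, ether2 = LAN,
# LAN is 192.168.1.0/24; list name and rate figures are placeholders.

# 1. Destinations that must NOT be shaped (the other internal networks).
/ip firewall address-list
add list=internal-nets address=192.168.2.0/24
add list=internal-nets address=192.168.3.0/24

# 2. Mark the CONNECTION once: only the first packet of each new
#    connection is compared against the three criteria (source network,
#    LAN in-interface, destination not in the list). connection-mark=no-mark
#    means already-marked connections never re-enter this rule.
/ip firewall mangle
add chain=forward connection-mark=no-mark in-interface=ether2 \
    src-address=192.168.1.0/24 dst-address-list=!internal-nets \
    action=mark-connection new-connection-mark=lan-wan passthrough=yes

# 3. Mark every PACKET of a marked connection with a single comparison.
#    Reply packets coming back from the WAN belong to the same tracked
#    connection, so they get the mark too. passthrough=no ends mangle
#    processing for these packets.
add chain=forward connection-mark=lan-wan \
    action=mark-packet new-packet-mark=lan-wan passthrough=no

# 4. Queues hang off the interface the traffic LEAVES through:
#    download = leaving via ether2 (LAN), upload = leaving via ether1 (WAN).
#    LAN<>LAN traffic never carries the mark, so it is never counted here.
/queue tree
add name=download parent=ether2 packet-mark=lan-wan limit-at=25M max-limit=50M
add name=upload parent=ether1 packet-mark=lan-wan limit-at=5M max-limit=10M
```

If the filter chain uses action=fasttrack-connection, fasttracked connections bypass mangle and the queues, so exclude the lan-wan connection mark from that rule.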
The question is: is it true that I should take LAN-LAN traffic into account, even if both in-LAN parties are connected via a switch, which in turn is connected to the router?
A little example:
modem <==(ether1) RB450G (ether2)==> switch ==> PC A
                                            |==> PC B
                                            |==> PC C
Let’s say I’m copying large GB files between PCs B and C.
PC A is uploading something to the WAN.
Both activities, A’s upload and the B-to-C copying, enter the router via ether2, correct me if I’m wrong. When setting limit-at and max-limit on ether2, should that B-to-C traffic be taken into account?
B talking to C on a switch behind the router doesn’t involve the router at all. They talk directly and the router never sees the traffic. Traffic on the same subnet passes between hosts directly.
But that implies I cannot restrict access from one machine to another within the same subnet, i.e. isolate 192.168.1.122 from the rest of 192.168.1.0/24; make sure it sees the WAN but no other PCs. I thought it was possible - and if it is, the traffic must go through the router?
You cannot do that on the layer 3 hop for that network. You can use smart switches to control traffic, but a router only gets involved when traffic flows from one network to another. 192.168.1.122 is on the same network as any other host on 192.168.1.0/24 so the router doesn’t get involved. Wireless is a different beast because clients connect through the access point, but in a wired switched network hosts just ARP for one another if the destination is within their own network and talk directly without getting the router involved.
I’d suggest you read some fundamental documentation on how TCP/IP works. http://www.ipprimer.com/overview.cfm is old but still relevant for fundamentals. Or some CCNA or even Network+ books would also be a good choice.