mangle, connection and mark

Hi folks.
I'm reading Dmitry's firewall in the wiki, and some posts in the forum.
The question is why the posts suggest marking the connection first and then marking packets to identify the traffic (DNS, HTTP, POP, SMTP for example), but the firewall just does the connection mark.

regards!

Guille

For downstream packets, if you are using src-nat or masquerading, you have to use the connection mark first, and then the packet mark.
Why?
The translation process of src-nat is performed at almost the last step in the router.
So when the packet comes from the internet, there is no way to know which client those packets belong to, because the destination address is still the NAT IP, not the real client IP.
With connection-mark, the router prepares and remembers each connection since the client requested the packet. That's why the router can identify the packet.
Please read and learn the IP Flow Diagram in the manual for details.

valens, so nice ..

Now, if I have limited bandwidth, using a satellite terminal with 512k download, and I want to share this bandwidth equally between users, I have to use PCQ, and this is what I'm using right now ... but when I read your reply I thought of something: I think even if I'm sharing the bandwidth equally between users in the MT, this will not affect the download made by the sat terminal ... correct or not??

example :

user1 requesting to download a 400k file
user2 requesting to download a 400k file

MT PCQ will give each of them 256k = 512k/2 ..
but what about the first stage .. the internet source (sat terminal)? Would it share the bandwidth equally?

The PCQ will still work for the client. No problem, as long as you make the correct mangle and choose the right interface as queue parent.
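As an added example (not from this thread, Dmitry's firewall, or any poster), here is a RouterOS configuration that puts both replies above together: the two-step mangle (mark-connection on the client's first packet, then mark-packet by connection-mark so the NATed replies are caught too) and a PCQ queue tree whose direction comes from the parent interface. Interface names (ether1-wan, ether2-lan), the LAN subnet 192.168.88.0/24, the 512k/128k limits, the port list and all mark names are assumptions made for the example.

```routeros
# Added example, not from the original thread. Assumed: ether1-wan faces
# the internet, ether2-lan faces the clients, LAN = 192.168.88.0/24.

/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade

/ip firewall mangle
# --- What does NOT catch downloads ---
# Reply packets from the internet pass mangle prerouting before the
# masquerade is undone, so their dst-address is still the router's public
# IP and a rule like this one never matches them (kept commented out):
# add chain=prerouting in-interface=ether1-wan dst-address=192.168.88.0/24 \
#     action=mark-packet new-packet-mark=download_bad passthrough=no

# --- Step 1: mark the connection on the client's first (outbound) packet ---
# On the LAN side the source address is still the real client address.
add chain=prerouting in-interface=ether2-lan src-address=192.168.88.0/24 \
    protocol=tcp dst-port=80,443 connection-state=new \
    action=mark-connection new-connection-mark=http_conn passthrough=yes \
    comment="HTTP/HTTPS from LAN"
add chain=prerouting in-interface=ether2-lan src-address=192.168.88.0/24 \
    protocol=udp dst-port=53 connection-state=new \
    action=mark-connection new-connection-mark=dns_conn passthrough=yes \
    comment="DNS from LAN"

# --- Step 2: mark every packet of a marked connection, both directions ---
# Connection tracking runs before mangle prerouting, so reply packets
# already carry the connection mark even though they are still NATed.
add chain=prerouting connection-mark=http_conn \
    action=mark-packet new-packet-mark=http_pkt passthrough=no
add chain=prerouting connection-mark=dns_conn \
    action=mark-packet new-packet-mark=dns_pkt passthrough=no

/queue type
# Downloads are shared per client destination, uploads per client source.
add name=pcq_down kind=pcq pcq-classifier=dst-address pcq-rate=0
add name=pcq_up   kind=pcq pcq-classifier=src-address pcq-rate=0

/queue tree
# Parent = the interface the packets leave through. A queue on ether2-lan
# only ever sees traffic going to the clients (download), so one packet
# mark per traffic class is enough; the direction is given by the parent.
add name=down-total parent=ether2-lan max-limit=512k
add name=down-http  parent=down-total packet-mark=http_pkt queue=pcq_down
add name=down-dns   parent=down-total packet-mark=dns_pkt  queue=pcq_down
add name=up-total   parent=ether1-wan max-limit=128k
add name=up-http    parent=up-total   packet-mark=http_pkt queue=pcq_up
add name=up-dns     parent=up-total   packet-mark=dns_pkt  queue=pcq_up
```

With passthrough=yes on the mark-connection rules the packet continues to the mark-packet rules in the same pass; passthrough=no on mark-packet stops further mangle processing once the packet mark is set. To check that downloads are really being classified, watch the packet counters on the mark-packet rules (`/ip firewall mangle print stats`) and on the down-* queues while a client fetches a file: a download rule that only matches by LAN dst-address in prerouting stays at zero.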