<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>1) Are there any problems you can think of with using QoS on the LAN side to shape Internet traffic? I’ve never heard of doing it this way, but can try it if it’ll work.</div><div><br></div><div>2) Thanks for the clarification, will be more careful with masquerade…</div><div><br></div><div>PS- By the way, I tried using connmark in my firehol.conf to classify traffic coming in on the LAN side by MAC address, then using “match mark #” in fireqos.conf. That worked for the outgoing traffic, but the mark wouldn’t restore to classify incoming traffic into eth1 or eth1-ifb (the WAN side). Probably because the IFB stuff happens outside of netfilter.</div><br><div><div>On Aug 18, 2014, at 1:55 PM, Tsaousis, Costa <<a href="mailto:costa@tsaousis.gr">costa@tsaousis.gr</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">1) I don't think there is a way to place QoS to any other place. Both ingress and egress QoS are applied outside netfilter and routing. So, your only option is to apply QoS on the LAN side, not the WAN.<div>
<br></div><div>2) masquerade is applied on the outface of routers. It does not limit the traffic further. Everything on the outface will be masqueraded. If you want to limit it, you have to add optional rule parameters to the masquerade yourself. Keep in mind though that inface matches are not possible there. Check the manual: <a href="http://firehol.org/firehol-manual/firehol-masquerade/">http://firehol.org/firehol-manual/firehol-masquerade/</a></div>
<div><br></div><div>Costa</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 18, 2014 at 11:49 AM, Phineas Gage <span dir="ltr"><<a href="mailto:phineas919@gmail.com" target="_blank">phineas919@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>1)</div><div><br></div><div>Thanks Costa, the srcmac and dstmac parameters do seem to work.</div>
<div><br></div><div>But in my situation, I may not be able to use them. The reason is, the MAC address that’s matched is the one after routing has occurred. I shape traffic on eth1, my external interface, and of course, the source and destination MAC addresses for traffic going in and out of eth1 are always the MAC address for eth1.</div>
<div><br></div><div>It would be great if you could match by source or destination IP, MAC address or ports either before or after routing has occurred. Earlier this year, I had to stop using NAT on my firewall/router in order for IP based classification to work right, then add a static route on my ADSL modem for the return traffic. This is working, but it doesn’t help when trying to classify traffic by MAC address.</div>
<div><br></div><div>The only other way I can think to do this is to shape on the internal interface, eth0. I could classify by IP or MAC address pre-routing, but that would also mean I’m effectively using IFB for my outgoing Internet traffic, which is counterintuitive, and I don’t know the implications of doing it.</div>
<div><br></div><div>2)</div><div><br></div><div>Also, it took me a while to test this out, because I was at first confused by a few rules I had added to firehol a couple days ago for OpenVPN, which caused my traffic to be classified incorrectly:</div>
<div><br></div><div><div>interface tun0 vpn </div><div> server all accept</div><div> client all accept</div></div><div><br></div><div><div>router4 internet2vpn inface eth1 outface tun0</div>
<div> route all accept</div></div><div><br></div><div><div>router4 vpn2internet inface tun0 outface eth1</div><div> masquerade</div><div> route all accept</div></div><div><br></div><div>For some reason, ALL traffic was then masqueraded, even traffic from the eth0 interface, and not just traffic from the tun0 interface, so my “match src $ip_address” and “match dst $ip_address” rules weren’t working. Once I removed those “router4” rules, which I only need in a limited case anyway, everything was fine again. Is this a bug, or do I not understand something? (We can start a separate thread on this if that’s better).</div>
<div><div class="h5"><div><br></div><div>On Aug 17, 2014, at 5:34 PM, Tsaousis, Costa <<a href="mailto:costa@tsaousis.gr" target="_blank">costa@tsaousis.gr</a>> wrote:</div><div><br><blockquote type="cite"><div dir="ltr">
Hi Phineas,<div><br></div><div>I just pushed a version of fireqos that support srcmac and dstmac parameters.</div><div>I cannot test it. I just verified the rules are accepted by the kernel.</div><div><br></div>
<div>As always you can add multiple MAC addresses in a single parameter, enclosed in quotes.</div><div><br></div><div>Could you please test it and report back success or failure?</div><div><br></div><div>I generated rules according to <a href="http://www.docum.org/faq/cache/62.html" target="_blank">http://www.docum.org/faq/cache/62.html</a></div>
<div><br></div><div>Thanks.</div><div><br></div><div>Costa</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Aug 17, 2014 at 3:49 PM, Phineas Gage <span dir="ltr"><<a href="mailto:phineas919@gmail.com" target="_blank">phineas919@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It would be nice to be able to create a “match” rule in FireQOS to match traffic by MAC address.<br>
<br>
I’m interested in this because we’ll be transitioning to a dual-stack network with both IPv4 and IPv6 support. Currently, we assign IPv4 addresses using DHCP (some are assigned fixed addresses, and others put into different pools), then in fireqos.conf classify using “match src” and “match dst” rules with IP addresses. I know this isn’t bulletproof, but since I control all of the hosts, it works. With IPv6, we'll get a /64 address from our ISP, which can’t be subnetted further, and I suppose we’ll be using SLAAC instead of DHCP (haven’t sorted that out yet). So, the only way I can think of to do traffic classification on a per-host basis is using the MAC address.<br>
<br>
Anything I’m missing?<br>
<br>
_______________________________________________<br>
Firehol-support mailing list<br>
<a href="mailto:Firehol-support@lists.firehol.org" target="_blank">Firehol-support@lists.firehol.org</a><br>
<a href="http://lists.firehol.org/mailman/listinfo/firehol-support" target="_blank">http://lists.firehol.org/mailman/listinfo/firehol-support</a><br>
</blockquote></div><br></div>
</blockquote></div><br></div></div></div></blockquote></div><br></div>
</blockquote></div><br></body></html>