Traffic shaping based on gateway
-
Hi
Is it possible to add traffic to different shaping or limiter queues based on which outgoing gateway the traffic uses, i.e. traffic leaving through gateway1 gets added to one queue while traffic leaving through gateway2 is added to a different queue?
If possible, how would that be implemented? Maybe using packet marking?
-
Anyone?
-
I think the common use for shaping is to have matching floating rules on outgoing. Assuming matching works on outgoing traffic, you can bind the matching rule to the Interface you want to shape and have different shaping rules per outgoing interface.
-
Unfortunately that does not work. By the time the traffic reaches the outgoing interface, NAT has already happened so matching the traffic won't work.
There is an option under advanced settings -> miscellaneous that is supposed to completely disable a firewall rule if the gateway specified in the rule goes down, however it doesn't work as expected. If it did work correctly, then one could create a quick firewall rule linked to each gateway interface with the correct queues defined. The defined traffic would match the first rule and thus go out the corresponding gateway and land in the correct queue. Then if the gateway goes down, the corresponding rule would be ignored and the next rule would be matched.
The only way to get fail-over to work is by using gateway groups. State killing also only works correctly with gateway groups, and not if separate gateway rules are used.
This would of course only work for fail-over, not load-balancing.
-
You can still match on the destination, even if you don't know the LAN source. You could try to assign on the LAN side. I think matching is based on queue names, and possibly if the names on the interfaces are the same, it will work.
-
With the following example
2 internet connections - WAN1 & WAN2
WAN1 is 10mbit down 1 mbit up
WAN2 is 20mbit down 20mbit up
On the LAN side there are two VLANs - VLAN 1 is the office network, VLAN 2 is the guest network
Both VLANs use WAN2 as the default gateway, but VLAN 1 has a failover to WAN1
Now I would like to use Limiter dynamic queues to equally share the available bandwidth with all the clients. So the office network traffic needs to go into the same queues as the guest network until it fails over. Then the traffic needs to go into queues for WAN 1
What I am trying to accomplish, is to mark traffic with specific marks, based on which gateway the traffic leaves the firewall through. I want to then use those marks to assign the traffic on the LAN side, to specific limiter or traffic shaping queues defined for each WAN interface.
Unfortunately, as far as I can see, there is no way to do this. I can't find a way to match traffic based on which gateway gets used, seeing as neither the gateway nor the WAN interface is the destination.
-
How about using 2 floating rules to catch "outgoing" packets; one for each WAN interface? Of course, the appropriate limiter pipes will need to be created for the separate WANs.
If you need to match LAN source, then mark the packets as they originate from vlan1 or vlan2, then match the tag as the packet is "outgoing" whichever WAN… though, I do not see how that is useful.
-
I have already tried catching the "outgoing" packets like that, but I'm not sure what I should use as the source and destination.
The problem is by the time the packets reach the WAN interface, NAT has already been applied, so I can't use the VLAN as the source. I can't use the WAN interface as the destination either, because that isn't the actual destination, an internet address is.
Would it work if I first mark the packets as coming from VLAN1, then use a match floating rule, with the interface set as either WAN1 or WAN2 and with source and destination as any, that matches the VLAN mark and then marks the packet depending on which WAN interface it leaves?
Then I could use two floating match rules to assign the packets to the correct queues depending on the second mark.
-
Would these 2 floating rules:
floating rule, Match, Direction: outgoing, Interface: WAN1, Destination: any, Source: any
floating rule, Match, Direction: outgoing, Interface: WAN2, Destination: any, Source: any
not work?
Edit: I mean, why are you trying to mark packets from vlan? I thought you only wanted to separate traffic by the WAN/gateway.
-
Thanks for the help so far
The reason I want to also mark packets depending on VLAN is
On the LAN side there are two VLANs - VLAN 1 is the office network, VLAN 2 is the guest network
Both VLANs use WAN2 as the default gateway, but VLAN 1 has a failover to WAN1
Now I would like to use Limiter dynamic queues to equally share the available bandwidth with all the clients. So the office network traffic (VLAN1) needs to go into the same queues - for WAN2 - as the guest network (VLAN2) until it fails over. Then the office network (VLAN1) traffic needs to go into queues for WAN 1
@Nullity - So what I'm thinking is, first mark packets from VLAN1, and then only match those marked packets in the two rules you suggested
VLAN2 will be directly added to the queues for WAN2 as that is the only gateway it uses.
-
If WAN2 (default GW) fails, you want the guest network (VLAN2) to be completely blocked?
If so, you could mark/tag the VLAN2 originating packets, then create a floating rule on WAN1 that blocks/rejects said packets.
I guess you could do the inverse and explicitly PASS only office (VLAN1) packets through WAN1, but I am too tired to comprehend whether that makes sense…
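The tag-on-ingress, match-on-egress scheme discussed above, written out as a pf.conf fragment. This is an added example and not part of the thread or of pfSense's generated ruleset; on pfSense the equivalent is entered as floating match rules with the limiter pipes picked in the rule editor, and the limiters themselves are created under Firewall -> Traffic Shaper -> Limiters (on plain FreeBSD with dnctl/ipfw). The interface names (vlan1, vlan2, wan1, wan2), the tag names and the pipe numbers are assumptions; the ordering of the two numbers in dnpipe (rule direction first, reverse direction second) should be checked against pf.conf(5) for the release in use.

```pf
# Added example (not from the thread). Interface names, tag names and
# pipe numbers are assumptions.
vlan1_if = "vlan1"    # office network
vlan2_if = "vlan2"    # guest network
wan1_if  = "wan1"     # 10 Mbit down / 1 Mbit up, office failover only
wan2_if  = "wan2"     # 20 Mbit down / 20 Mbit up, default for both VLANs

# Assumed limiter (dummynet pipe) numbering:
#   1 = WAN1 upload,   2 = WAN1 download
#   3 = WAN2 upload,   4 = WAN2 download

# 1. Tag on the LAN side. This happens before outbound NAT, so the
#    origin VLAN survives to the WAN even though the source address
#    will have been rewritten by then.
match in on $vlan1_if tag OFFICE
match in on $vlan2_if tag GUEST

# 2. On each WAN the rule already knows the egress interface; the tag
#    supplies the origin that NAT has hidden. Source and destination
#    stay "any" on purpose. First pipe = packets in the rule's
#    direction (upload), second = reverse direction (download);
#    verify the ordering against pf.conf(5).
match out on $wan2_if tagged OFFICE dnpipe (3, 4)
match out on $wan2_if tagged GUEST  dnpipe (3, 4)
match out on $wan1_if tagged OFFICE dnpipe (1, 2)

# 3. Guest traffic must never take the office failover link, whatever
#    the gateway group decides (the block suggested in the last reply).
block out quick on $wan1_if tagged GUEST
```

Two things to keep in mind when translating this into floating rules: match rules do not stop evaluation, so when several match, the last one to set a pipe wins, and the rules above therefore belong after any generic queue assignment; and the tag is what makes the WAN-side rule specific, so if a WAN rule is created without the tagged condition it will put everything leaving that WAN, guest and office alike, into the same pipe.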