My L7-filtering is not working in bridge mode
tsku (Member), September 21, 2007 at 2:31 am, #40785

Hi all,
I'm new to ZeroShell. I've managed to set up ZeroShell on CF and slot it into my Pentium D desktop to act as a bridge between my Internet router and LAN. The bridge is working because all traffic can pass through the bridge to the Internet; however, the L7 part is not working well. I've created a second class named P2P, allocated only 1Kbps to the class, and set the classifiers to put all P2P-tagged traffic into the P2P class. The rest of the traffic will just fall into the Default class. Below is the config for the classifiers:
1 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb P2P no
2 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb P2P no
3 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xb P2P no
4 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xb P2P no
5 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb P2P no
6 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xb P2P no
7 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb P2P no
8 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xb P2P no
9 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xb P2P no
10 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xb P2P no
11 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xb P2P no
12 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xb P2P no
13 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xb P2P no
14 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xb P2P no
15 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xb P2P no
16 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xb P2P no
17 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xb P2P no
18 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xb P2P no
19 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xb P2P no
20 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xb P2P no
21 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 MARK set 0xa DEFAULT no

QoS classes:

Class    Description                             Priority  Maximum     Guaranteed
DEFAULT  Default class for unclassified traffic  High      1000Mbit/s  1000Mbit/s
P2P      P2P                                     Low       1Kbit/s     --

QoS statistics:

Interface/Class  Priority  Maximum     Guaranteed  Traffic Sent (bytes)  Rate
ETH00            --        1000Mbit/s  1000Mbit/s  20877371              68048bit
  DEFAULT        High      1000Mbit/s  1000Mbit/s  20777945              67368bit
  P2P            Low       1Kbit/s     --          99386                 664bit
ETH01            --        1000Mbit/s  1000Mbit/s  5327860               62464bit
  DEFAULT        High      1000Mbit/s  1000Mbit/s  5226778               61600bit
  P2P            Low       1Kbit/s     --          114276                912bit

When I activate Xunlei and Ares, I'm still able to go up to 40KBps. Looking for your kind assistance to look into my problem.... My office Internet usage is out of control now and we are struggling with the P2P traffic. I tried m0n0wall and pfSense before and they didn't help me resolve the issue.
Thanks,
tsku (Member), September 21, 2007 at 4:05 am, #45900

Log for QoS as below; it looks like no P2P has been marked..
Chain FORWARD (policy ACCEPT 136K packets, 46M bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb
18663 8694K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
103 15463 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
30 3545 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb
18560 8679K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xb
291 110K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xb
18542 8678K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0xa

imported_fulvio (Participant), September 21, 2007 at 10:11 pm, #45901

Try to remove rule 21. The DEFAULT class is automatically selected if no QoS rules match the packets.
Regards
Fulvio

tsku (Member), September 24, 2007 at 2:34 am, #45902

@fulvio wrote:
Try to remove rule 21. The DEFAULT class is automatically selected if no QoS rules match the packets.
Regards
Fulvio

Will try that and update you with the result. Thanks,
tsku (Member), September 24, 2007 at 2:46 am, #45903

Still the same: Xunlei still bypasses the policy after removing the default policy. You may find the stats below for your perusal.
Thanks,
Chain FORWARD (policy ACCEPT 14182 packets, 4790K bytes)
pkts bytes target prot opt in out source destination
12120 3844K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
154 17398 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
71 7585 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb
11966 3827K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xb

tsku (Member), September 24, 2007 at 2:47 am, #45904

Ares, however, has been tracked, but the download speed can still reach up to 10KBps.
Chain FORWARD (policy ACCEPT 18680 packets, 6054K bytes)
pkts bytes target prot opt in out source destination
16698 5124K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
234 33239 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
74 7837 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb
16464 5091K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xb
57 2424 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xb

tsku (Member), October 1, 2007 at 2:35 pm, #45905

Can anyone help with this??

tsku (Member), October 8, 2007 at 3:02 pm, #45906

Can anyone help???
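The counter dumps tsku pasted above are the first thing a practitioner checks: a classifier rule that has never incremented its packet counter has never matched anything, no matter what the class statistics say. The following is an added example, not code from this thread or from ZeroShell. It parses `iptables -t mangle -L FORWARD -v -n` output, reports how many packets each ipp2p or layer7 classifier rule has matched, and flags any MARK rule placed after the `CONNMARK save` rule: such a mark stays on the packet only and is never written back to the connection, so the next packet of that flow restores mark 0 and cannot take the early ACCEPT (the layer7 match caches its own verdict in conntrack and still matches later packets; ipp2p has no such cache). The embedded sample is a trimmed copy of the dump in tsku's post of September 24, 2:46 am; the rule names and the audit logic are mine.

```python
"""Audit an `iptables -t mangle -L FORWARD -v -n` dump from a ZeroShell QoS box.

Added example; not code from the thread or from ZeroShell. SAMPLE_DUMP is a
trimmed copy of the dump in tsku's post of September 24, 2:46 am.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_DUMP = """\
Chain FORWARD (policy ACCEPT 14182 packets, 4790K bytes)
 pkts bytes target prot opt in out source destination
12120 3844K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
154 17398 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
71 7585 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xb
11966 3827K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xb
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xb
"""

# Columns of one rule line: pkts bytes target prot opt in out source destination [details]
_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMGT]?)\s+(?P<bytes>\d+[KMGT]?)\s+(?P<target>\S+)"
    r"(?:\s+\S+){6}\s*(?P<extra>.*)$"
)
_SUFFIX = {"": 1, "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_count(token: str) -> int:
    """iptables abbreviates large counters (3844K is about 3,844,000; base 1000)."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if m is None:
        raise ValueError(f"bad counter {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass
class Rule:
    position: int              # 1-based position in the chain
    pkts: int
    target: str
    extra: str                 # match/target details as printed by iptables
    classifier: Optional[str]  # "layer7:<proto>", "ipp2p" or None
    mark: Optional[int]        # value from "MARK set 0x.." when the target is MARK


def classify(target: str, extra: str) -> Tuple[Optional[str], Optional[int]]:
    classifier = None
    m = re.search(r"\bl7proto (\S+)", extra)
    if m:
        classifier = "layer7:" + m.group(1)
    elif extra.startswith("ipp2p"):
        classifier = "ipp2p"
    m = re.search(r"MARK set (0x[0-9a-fA-F]+)", extra)
    mark = int(m.group(1), 16) if (target == "MARK" and m) else None
    return classifier, mark


def parse_dump(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m is None:            # "Chain ..." line, column header, blank lines
            continue
        classifier, mark = classify(m["target"], m["extra"])
        rules.append(Rule(len(rules) + 1, parse_count(m["pkts"]), m["target"],
                          m["extra"], classifier, mark))
    return rules


def audit(rules: List[Rule]) -> Dict[str, object]:
    restore = next((r.position for r in rules
                    if r.target == "CONNMARK" and "restore" in r.extra), None)
    save = next((r.position for r in rules
                 if r.target == "CONNMARK" and "save" in r.extra), None)
    hits: Dict[str, int] = {}
    for r in rules:
        if r.classifier:
            hits[r.classifier] = hits.get(r.classifier, 0) + r.pkts
    # A mark set after CONNMARK save is never copied into conntrack, so the
    # next packet of the same flow restores mark 0 and misses the early ACCEPT.
    unpersisted = [r.classifier for r in rules if r.classifier and r.mark is not None
                   and save is not None and r.position > save]
    before_restore = [r.classifier for r in rules if r.classifier
                      and restore is not None and r.position < restore]
    return {"restore": restore, "save": save, "hits": hits,
            "unpersisted": unpersisted, "before_restore": before_restore}


def report(text: str) -> List[str]:
    a = audit(parse_dump(text))
    out = []
    for name, n in sorted(a["hits"].items(), key=lambda kv: -kv[1]):
        out.append(f"{name:<20} " + ("never matched" if n == 0 else f"{n} pkts"))
    out += [f"WARNING {c}: MARK rule is after CONNMARK save (position {a['save']}); "
            "its mark is not stored in conntrack" for c in a["unpersisted"]]
    out += [f"NOTE {c}: rule sits before CONNMARK restore (position {a['restore']})"
            for c in a["before_restore"]]
    return out


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print("\n".join(report(text)))
```

On the box itself, pipe the live counters in with `iptables -t mangle -L FORWARD -v -n | python3 audit.py`; run twice a minute apart while a P2P client is active, and a classifier whose count stays at 0 across both runs has not seen a matching payload at all, which is a pattern or traffic question rather than a shaping one.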
ajl37 (Member), October 8, 2007 at 6:23 pm, #45907

I had not been running the L7 filters for the P2P protocols; I have had some luck with other L7 filters, see below:
Chain FORWARD (policy ACCEPT 2160M packets, 1330G bytes)
pkts bytes target prot opt in out source destination
606K 332M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
3869 778K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
355 84740 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --kazaa --gnu --edk --dc --bit MARK set 0xc
602K 331M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
4 373 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto thecircle MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto tesla MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soulseek MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto poco MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto openft MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto mute MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto kugoo MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto imesh MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto goboogy MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto freenet MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto fasttrack MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto audiogalaxy MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto applejuice MARK set 0xc
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao MARK set 0xc
18640 3540K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto skypetoskype MARK set 0x12
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto quicktime MARK set 0x10
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto http-rtsp MARK set 0x10
34949 36M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto httpvideo MARK set 0x10
3699 575K MARK all -- * * xxx.xxx.216.58 0.0.0.0/0 MARK set 0x1b
5286 6717K MARK all -- * * 0.0.0.0/0 xxx.xxx.216.58 MARK set 0x1b
9060 5339K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 MARK set 0x16
9358 7802K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x16
22058 2517K MARK tcp -- * * 0.0.0.0/0 xxx.xxx.8.1 tcp dpt:8080 MARK set 0x14
37459 47M MARK tcp -- * * xxx.xxx.8.1 0.0.0.0/0 tcp spt:8080 MARK set 0x14
117K 151M MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 MARK set 0x15
71103 8280K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK set 0x15
3018 203K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 MARK set 0x17
2918 687K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 MARK set 0x17

I do have some traffic picked up with Xunlei, but not others. It may be just that the filters need updating.
I have had other strange issues with the Skype-to-phone L7 filter, which seems to block (or slow up a lot) certain ICMP packets: pings from a machine work fine, but fping doesn't and neither does "Peer Monitor". L7 filters should be used cautiously.
Fulvio: Any chance of a feature to automatically update the L7 filters? I notice that the option exists but is not functioning yet?
I think it can be done manually, although maybe not using the CD boot version?
Andrew
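The dumps in this thread all share one shape: `CONNMARK restore`, an early `ACCEPT` for packets whose connection is already marked, the ipp2p and layer7 classifiers, then `CONNMARK save`, with the packet mark (0xb for tsku's P2P class) steering traffic into a per-interface class. The following is an added example, not ZeroShell's own code and not anything a poster wrote: it generates that chain by hand with a dry-run mode, so the rule order can be checked before anything is applied, and pairs it with a shaping tree on each bridge port. Assumptions (mine, not from the page): the bridge ports are named ETH00 and ETH01 as in tsku's statistics, HTB with a `fw` filter is used for the shaping side, and the `bridge-nf-call-iptables` sysctl preflight applies to the bridge. The marks, the class rates and priorities, and the ipp2p options and layer7 protocol names are taken from the posts.

```python
"""Hand-rolled equivalent of the QoS classifier chain and classes shown in
this thread, with a dry-run mode.

Added example; not ZeroShell's code nor any poster's. Assumed: bridge ports
ETH00/ETH01, HTB plus a fw filter for shaping, and the br_netfilter sysctl
check. Marks, rates, priorities and protocol names come from the posts.
"""
import shlex
import subprocess
from typing import List, Optional

Cmd = List[str]

P2P_MARK = 0xB       # class P2P in the posts
DEFAULT_MARK = 0xA   # class DEFAULT (rule 21); not set explicitly here, HTB "default" covers it
IPP2P_OPTS = ["--kazaa", "--gnu", "--edk", "--dc", "--bit"]
L7_PROTOS = ["xunlei", "applejuice", "100bao", "ares", "fasttrack", "soulseek"]  # subset
BRIDGE_NF = "/proc/sys/net/bridge/bridge-nf-call-iptables"


def mangle_rules(chain: str = "FORWARD") -> List[Cmd]:
    """Same shape as the dumps above: restore, early ACCEPT, classifiers, save.
    Every rule that sets a mark sits between restore and save, so conntrack
    keeps the verdict and later packets of the flow skip the classifiers."""
    base = ["iptables", "-t", "mangle", "-A", chain]
    rules = [
        base + ["-j", "CONNMARK", "--restore-mark"],
        base + ["-m", "mark", "!", "--mark", "0x0", "-j", "ACCEPT"],
        base + ["-m", "ipp2p", *IPP2P_OPTS, "-j", "MARK", "--set-mark", hex(P2P_MARK)],
    ]
    rules += [base + ["-m", "layer7", "--l7proto", p, "-j", "MARK", "--set-mark", hex(P2P_MARK)]
              for p in L7_PROTOS]
    rules.append(base + ["-j", "CONNMARK", "--save-mark"])
    return rules


def tc_rules(dev: str, link: str = "1000mbit", p2p: str = "1kbit") -> List[Cmd]:
    """HTB on one bridge port: unmarked traffic falls into 1:10 (DEFAULT, high
    prio); packets carrying fw mark 0xb are steered into 1:11 (P2P, low prio)."""
    return [
        ["tc", "qdisc", "add", "dev", dev, "root", "handle", "1:", "htb", "default", "10"],
        ["tc", "class", "add", "dev", dev, "parent", "1:", "classid", "1:1", "htb", "rate", link],
        ["tc", "class", "add", "dev", dev, "parent", "1:1", "classid", "1:10", "htb",
         "rate", link, "prio", "0"],
        ["tc", "class", "add", "dev", dev, "parent", "1:1", "classid", "1:11", "htb",
         "rate", p2p, "ceil", p2p, "prio", "7"],
        ["tc", "filter", "add", "dev", dev, "parent", "1:", "protocol", "ip", "prio", "1",
         "handle", str(P2P_MARK), "fw", "classid", "1:11"],
    ]


def build_all(ports=("ETH00", "ETH01")) -> List[Cmd]:
    """Classification happens once in FORWARD; shaping is per egress port, so
    a bridge needs a tree on both ports (downloads leave via the LAN port,
    uploads via the router port)."""
    cmds = mangle_rules()
    for dev in ports:
        cmds += tc_rules(dev)
    return cmds


def bridge_nf_enabled() -> Optional[bool]:
    """iptables sees bridged frames only while this sysctl is 1; None when
    the file is absent (not Linux, or br_netfilter not loaded)."""
    try:
        with open(BRIDGE_NF) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def apply(cmds: List[Cmd], dry_run: bool = True) -> List[str]:
    """Dry run returns the shell-quoted commands; otherwise runs them in order."""
    rendered = [shlex.join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return rendered


if __name__ == "__main__":
    import sys
    if bridge_nf_enabled() is False:
        sys.exit(f"{BRIDGE_NF} is 0: iptables will not see bridged traffic")
    print("\n".join(apply(build_all(), dry_run="--apply" not in sys.argv)))
```

Run it without arguments to print the ruleset; `--apply` executes it as root. After applying, `iptables -t mangle -L FORWARD -v -n` shows the same counter layout as the posts above, and `tc -s class show dev ETH00` shows whether class 1:11 is actually receiving the marked bytes.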