StarOS v2.00.3b6-4382 ready for testing
Do not apply this update unless you have easy access to the system in question. Always backup your configuration before upgrading.
Read the previous beta release notes before applying this update.
Release notes for v2.00.3b6:
*) added the ability to shape and qshape based on netfilter marks.
*) added layer-7 support, which can be used via 'iptables' firewall commands. Shaping based on layer-7 can be achieved by setting netfilter marks based on rule matches.
Release Caveats:
*) layer-7 is a new feature with little testing.
As with all betas, please report your success using this release.
STARUTIL 1.11
Linux:
http://www.star-os.com/downloads/starutil-linux-1.11.tgz
Windows:
http://www.star-os.com/downloads/starutil-windows-1.11.zip
DESKTOP SYSTEMS
Desktop Edition:
http://www.star-os.com/downloads/oem-vnc/strr-2.00.3b6-4382.iso
http://www.star-os.com/downloads/oem-vnc/strr-2.00.3b6-4382.bin
http://www.star-os.com/downloads/oem-vnc/strr-2.00.3b6-4382.raw
SPECIAL PURPOSE SYSTEMS
Soekris & MODO Edition:
http://www.star-os.com/downloads/oem-vnc/strrs-2.00.3b6-4382.iso
http://www.star-os.com/downloads/oem-vnc/strrs-2.00.3b6-4382.bin
http://www.star-os.com/downloads/oem-vnc/strrs-2.00.3b6-4382.raw
WRAP Edition:
http://www.star-os.com/downloads/oem-vnc/strrw-2.00.3b6-4382.iso
http://www.star-os.com/downloads/oem-vnc/strrw-2.00.3b6-4382.bin
http://www.star-os.com/downloads/oem-vnc/strrw-2.00.3b6-4382.raw
Routerboard Edition:
http://www.star-os.com/downloads/oem-vnc/strrb-2.00.3b6-4382.iso
http://www.star-os.com/downloads/oem-vnc/strrb-2.00.3b6-4382.bin
http://www.star-os.com/downloads/oem-vnc/strrb-2.00.3b6-4382.raw
CPE SYSTEMS
CPE Editions for v1.13.4b2 are available.
For more information on layer7, please visit: http://l7-filter.sourceforge.net/
StarOS contains the full classifier suite, and should be able to match on most file sharing applications, and much more.
To shape based on a netfilter 'mark', use the following syntax:
Firewall script:
# give mark 100 to all http packets, regardless of port
iptables -A POSTROUTING -t mangle -m layer7 --l7proto http -j MARK --set-mark 100
CBQ script:
# shape http (mark 100) to 256K download speed.
pipe 5 bw 256k
shape all to pipe 5 from mark 100 out via $client
bwbboot
10-08-2004, 02:45 PM
WOW THIS IS GREAT. Just enabled the following rule on my main internet router.
CBQ:
pipe 7000 bw 32K
shape all to pipe 7000 from mark 100 out via ether2
shape all to pipe 7000 from mark 100 in via ether2
Firewall:
iptables -A POSTROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 100
and the result is fantastic!!! Did some tests with Kazaa, and the download was going over 100K.
Activated the script changes... and oops... download only 3 to 4K.
THIS IS SOOOOOO COOOL :P :P :P :P :P :P :P :P :P
Thanks guys!!! another piece of great work!!!!
bwbboot
10-08-2004, 03:04 PM
This is what my CBQ report shows...
pipe 7000 ( 3.91K): Total: 2.18M 0.00B/sec
Rule: 2.18M, 0.00B - netfilter mark 100 out via eth1
Rule: 0B, 0.00B - netfilter mark 100 in via eth1
bwbboot
10-08-2004, 03:25 PM
Just for whoever is interested in this, here's the catch-all for P2P.
Just change pipe 7000 to any bw you like.
Check it for typos first; I did a quick cut and paste from StarOS.
Firewall Script
#Application shaping
iptables -A POSTROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 100
iptables -A POSTROUTING -t mangle -m layer7 --l7proto bittorrent -j MARK --set-mark 101
iptables -A POSTROUTING -t mangle -m layer7 --l7proto edonkey -j MARK --set-mark 102
iptables -A POSTROUTING -t mangle -m layer7 --l7proto gnutella -j MARK --set-mark 103
iptables -A POSTROUTING -t mangle -m layer7 --l7proto audiogalaxy -j MARK --set-mark 104
iptables -A POSTROUTING -t mangle -m layer7 --l7proto bearshare -j MARK --set-mark 105
iptables -A POSTROUTING -t mangle -m layer7 --l7proto openft -j MARK --set-mark 106
CBQ:
# Application shape
pipe 7000 bw 32K
# Outgoing
shape all to pipe 7000 from mark 100 out via ether2
shape all to pipe 7000 from mark 101 out via ether2
shape all to pipe 7000 from mark 102 out via ether2
shape all to pipe 7000 from mark 103 out via ether2
shape all to pipe 7000 from mark 104 out via ether2
shape all to pipe 7000 from mark 105 out via ether2
shape all to pipe 7000 from mark 106 out via ether2
# Incoming
shape all to pipe 7000 from mark 100 in via ether2
shape all to pipe 7000 from mark 101 in via ether2
shape all to pipe 7000 from mark 102 in via ether2
shape all to pipe 7000 from mark 103 in via ether2
shape all to pipe 7000 from mark 104 in via ether2
shape all to pipe 7000 from mark 105 in via ether2
shape all to pipe 7000 from mark 106 in via ether2
bobbyc
10-08-2004, 03:50 PM
I searched on google before asking this question in the hope of not sounding stupid... but didn't find my answer. How does layer 7 filtering/shaping work? Do the packets coming to/from these programs actually have a 'name' text in them, and all StarOS has to do is filter each packet for them?
So you don't even have to know what port range these programs work in?
If all the above is true, then what's to stop a layer 7 firewall from scanning and blocking someone's email with the words kazaa or bittorrent in it?
Also, isn't it a lot of cpu usage to filter each packet this way going through the firewall... when you have a huge customer base?
Bob C
bwbboot
10-08-2004, 04:03 PM
This is what they say about this on the project website. http://l7-filter.sourceforge.net/technicaldetails
Technical Details of L7-filter
The basic idea of L7-filter is quite simple: Use regular expression matching of connections' application layer data to determine what protocol is being used. Of course, it wouldn't make sense to run a regular expression matcher on every packet. Not only would that be a huge waste of clock cycles, but it would be useless for matching most packets, which are likely to consist of the middle of some file or whatnot. Instead, l7-filter just looks at the first few packets of a connection for "hello" messages such as "220 ftp server ready", "* ok", or "HTTP/1.1 200 ok".
Instead of having the user provide regular expressions on the command line, l7-filter provides a set of pattern definition files. To match the protocol "foo", the user types "iptables ... -m layer7 --l7proto foo", and iptables reads the regular expression that defines "foo" out of /etc/l7-protocols/*/foo.pat.
In other words, l7-filter is essentially what you'd get if you added the CONNMARK patch to the string patch, used regexec() instead of strstr(), removed the need to set up the connection tracking manually, added the ability to match patterns across several packets and included a collection of protocol signatures that could be identified by name. :-)
Because only a few packets per connection are examined, L7-filter is reasonably efficient despite using a much more involved matching algorithm than most packet classifiers. We have heard reports of L7-filter being successfully used on modest hardware to filter dorm traffic, for instance.
I am pleased to see positive results. The code should be quite reliable; however, we have not tested all the possible filter combinations for matching accuracy.
As a note (for those who don't already know), you can use iptables to match more than one ptp application to the same mark number, so the cbq script would only need a single pipe to shape the works. Of course having different rules for each protocol lets you know how much traffic each application is using, instead of a combined total.
Thanks for the post.
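As an added illustration (not code from the thread, StarOS or the L7-filter project), the following Python models the mechanism the quoted text describes: per-connection buffering of the first few packets, regex matching against named protocol patterns, and no further inspection once a connection is classified or the packet budget is spent. The pattern strings are constructed stand-ins rather than the real .pat files, case-insensitive matching is an assumption of this model, and the over-broad `loose-p2p` pattern shows how a loose signature produces the false matches an operator needs to test for before shaping on it.

```python
"""Toy model of the L7-filter approach quoted above: classify a connection by
running protocol regexes over the application data of its first few packets."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for this example, NOT the real /etc/l7-protocols/*.pat
# files; they are shaped like the "hello" messages the quoted text mentions.
# Compiled case-insensitively here (an assumption of this example).
PATTERNS: Dict[str, "re.Pattern"] = {
    "ftp": re.compile(r"^220 .*ftp", re.I | re.S),
    "http": re.compile(r"^http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]", re.I | re.S),
    # Deliberately over-broad, to show how a loose pattern produces false matches.
    "loose-p2p": re.compile(r"get /", re.I | re.S),
}
MAX_PACKETS = 10      # only the first few packets of a connection are examined
MAX_BYTES = 2048      # and only the first couple of KB of their payload

@dataclass
class Conn:
    buf: bytearray = field(default_factory=bytearray)
    packets: int = 0
    proto: Optional[str] = None    # decided once; never re-evaluated
    gave_up: bool = False          # budget exhausted without a match

class L7Classifier:
    def __init__(self, patterns: Dict[str, "re.Pattern"] = PATTERNS) -> None:
        self.patterns = patterns
        self.conns: Dict[Tuple, Conn] = {}
        self.regex_runs = 0        # counts regex evaluations, to show the cost bound

    def packet(self, conn_id: Tuple, payload: bytes) -> Optional[str]:
        """Feed one packet of a connection; return its protocol once known."""
        c = self.conns.setdefault(conn_id, Conn())
        if c.proto is not None or c.gave_up:
            return c.proto         # classified or abandoned: zero regex work
        c.packets += 1
        c.buf += payload[: MAX_BYTES - len(c.buf)]
        text = c.buf.decode("latin-1")   # byte-for-byte view of the payload
        for name, rx in self.patterns.items():   # dict order = rule priority
            self.regex_runs += 1
            if rx.search(text):
                c.proto = name
                return name
        if c.packets >= MAX_PACKETS or len(c.buf) >= MAX_BYTES:
            c.gave_up = True       # middle-of-file data is never scanned again
        return None

def audit(samples: Dict[str, List[bytes]]) -> Dict[str, Optional[str]]:
    """Classify labelled sample flows, so a pattern set can be checked for
    false matches before anyone shapes traffic on it."""
    result: Dict[str, Optional[str]] = {}
    for label, flow in samples.items():
        clf = L7Classifier()
        for payload in flow:
            clf.packet(("sample", label), payload)
        result[label] = clf.conns[("sample", label)].proto
    return result

# Constructed sample flows (not captured traffic).
SAMPLES: Dict[str, List[bytes]] = {
    "ftp-server-hello": [b"220 ftp server ready\r\n"],
    "http-response": [b"HTTP/1.1 200 ok\r\nContent-Type: text/html\r\n\r\n"],
    "http-download-request": [b"GET /update.cab HTTP/1.1\r\nHost: example.invalid\r\n"],
    "mid-file-data": [bytes([i % 251]) * 100 for i in range(15)],
}

if __name__ == "__main__":
    for label, proto in audit(SAMPLES).items():
        print(f"{label:22} -> {proto}")
```

The plain HTTP download request is reported as `loose-p2p`, which is the false-match problem: any rule shaping on that mark would slow ordinary downloads.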
xandy
10-09-2004, 08:43 AM
After upgrading to this new version, I can see the following message at the beginning of dmesg; in version 2.00.3b3 it didn't appear:
048 es: 0058 ss: 0018
Process insmod (pid: 887, stackpage=c6ca5000)
Stack: c910c4ba c3f8c331 0000c2ff 00580048 00180018 0001c2e6 00860050 c6ca5ee8
0038000a 00000001 00000050 00020058 00000048 c8990040 00000010 c8987000
c6077190 c7e069cc c8987000 00000000 c7e069cc c6ca5f18 c89903c0 c6ca5f13
Call Trace: [<c8990040>] [<c89903c0>] [<c8990281>] [<c898a082>] [<c898a09d>]
[<c012cc9b>] [<c0116edd>] [<c8987060>] [<c0108a03>]
Code: Bad EIP value.
lonnie
10-09-2004, 09:06 AM
We will check this out. Thanks. Does everything seem to work? The error might be non-fatal in that the process was restarted later and did not fail. It might be a startup timing thing, but we'll know more when we get back to work.
This is Thanksgiving weekend here and we all have family returning home so it is time off for us.
If you reboot, does the problem occur again, or just that once?
If it happens again, try and upgrade again to the same version, and if that does not help, please send us a support file.
You can get a support file using starutil's -support option.
Thanks!
djdodo
10-09-2004, 03:02 PM
With a WRAP board this version is working fine, but I can't get the new CBQ & FW feature to work. I tested e.g. DC and FTP:
Without this feature: 450kbit
With this feature: 450kbit
I just tested layer-7 FTP shaping, and it functions correctly. Can you please post your firewall and CBQ rules.
pacux
10-11-2004, 09:28 AM
Hi!
Layer-7 shaping is a great improvement!
Are PPPoE sessions affected by these pipes? Or do PPPoE sessions have their own pipe (via RADIUS or general config in the PPPoE server) and are not affected by these rules?
Thanks,
Pacux
Depending on how you have your rules set up, all traffic should be affected.
djdodo
10-11-2004, 05:04 PM
client = "ether1" #czfree
net = "wpci1" #internet via babka
forward tcp to 10.32.1.27 22 from any to 82.142.74.35 22222 out via $client
forward tcp to 10.32.1.27 80 from any to 82.142.74.35 22228 out via $client
#deny tcp from any to any 411 in via $client # Disabled DC
#deny tcp from any to any 4411 in via $client # Disabled DC hubs
#deny tcp from any to any 413 in via $client # Disabled DC hubs
#deny tcp from any to any 80 in via $client # Disable www hosting (except for server listed above)
#deny tcp from any to any 8888 in via $client # Disable napster hosting
#deny tcp from any to any 137 in via $client # NetBios (TCP)
#deny udp from any to any 137 in via $client # NetBios (UDP)
#deny tcp from any to any 445 in via $client # Windows 2000/XP NetBios over TCP/IP
#deny udp from any to any 445 in via $client # Windows 2000/XP NetBios over TCP/IP
#deny tcp from any to any 8080 in via $client # Internal Proxy
#deny tcp from any to any 1080 in via $client # Socks Server
#deny tcp from any to any 666 in via $client # Satan trojan (disable to/from clients)
#deny tcp from any to any 37337 in via $client # Used by many trojans (disable to/from clients)
admin_ip = "127.0.0.1" # ie. 64.124.65.19 or 64.124.65.0/24 for the entire class 'C'
admin_ip = "10.32.1.10"
ldeny tcp from ! $admin_ip to any 791 in # CBQ Report
ldeny tcp from ! $admin_ip to any 792 in # Firewall and NAT Report
ldeny tcp from ! $admin_ip to any 793 in # W/LAN Device statistics
ldeny tcp from ! $admin_ip to any 794 in # System ARP Table
ldeny tcp from ! $admin_ip to any 795 in # Active Routing Table
ldeny tcp from ! $admin_ip to any 800 in # IP Accounting collection
ldeny tcp from ! $admin_ip to any 801 in # Results from previous IP Accounting collection
iptables -A POSTROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 100
iptables -A POSTROUTING -t mangle -m layer7 --l7proto bittorrent -j MARK --set-mark 101
iptables -A POSTROUTING -t mangle -m layer7 --l7proto direct connect -j MARK --set-mark 102
iptables -A POSTROUTING -t mangle -m layer7 --l7proto gnutella -j MARK --set-mark 103
iptables -A POSTROUTING -t mangle -m layer7 --l7proto audiogalaxy -j MARK --set-mark 104
iptables -A POSTROUTING -t mangle -m layer7 --l7proto bearshare -j MARK --set-mark 105
iptables -A POSTROUTING -t mangle -m layer7 --l7proto openft -j MARK --set-mark 106
Skaught
10-13-2004, 01:50 AM
Dunno if the problem is specific to me or a general issue.
Before I did the upgrade the CPU was at 40-50%. After I did the upgrade the CPU is stuck at 100%. But if I shut off squid it goes to about 20%.
It is a P4 1.5 GHz w/ 2 GB of RAM.
bobbyc
10-13-2004, 11:24 PM
Is this layer 7 filtering basically 'content filtering', the terminology that mikrotik used many months ago?
Bob C
It filters based on packet contents, as opposed to port numbers, so you can call it a form of content filtering.
patos
10-16-2004, 02:17 AM
Hi,
I asked this once: is there going to be a shaping rule that will bypass the PPPoE interface CBQ engine?
For example I have
ether1 >> internet connection
ether2 >> PPPoE listener
We set PPPoE shapes by RADIUS and it is working well.
All I need is to be able to do an application shaper that will be excluded from the PPPoE interface shaper.
# Local Banner server ip:1.2.3.4
pipe 60 bw 2000K
p1="pipe 60"
shape tcp to $p1 from any 1.2.3.4 to any in via ether1
shape tcp to $p1 from any to 1.2.3.4 out via ether1
OK, I know this way the shape will work until reaching ether1, but since it will go back to ether2, and this is the PPPoE interface, it will be shaped back to the PPPoE assigned shape.
I need users accessing 1.2.3.4 to have 2M and not the shaper they have.
Some kind of exclusion to the CBQ rules.
I know this is not possible till now, but we are still waiting for the good news; any time frame?
Thanks in advance.
lonnie
10-16-2004, 09:11 AM
pipe 5 bw 2000K
p1="pipe 5"
shape tcp to $p1 from 1.2.3.4 to any in via ether1
shape tcp to $p1 from any to 1.2.3.4 out via ether1
If you use the following it should work. You had a syntax error in the example you posted with "from any 1.2.3.4", which made any IP from port 1.2.3.4.
Our CBQ matches the first rule and exits, so all you need to do is have the rule for 1.2.3.4 be the very first rule to hit, and no other shaping rules will get hit. We did this so that you could have the PPPoE rules be overridden by your manual CBQ rules, by simply having the rule lower than the PPPoE automatic rules set by RADIUS.
This is a form of priority and allows you to give a boost to certain users or types of traffic. It forms the basis for the default rule of "any" getting 5 kbps if they do not have a previous rule to give them more.
patos
10-16-2004, 02:02 PM
Lonnie,
What you are saying is correct; the example I pasted I was typing fast, so maybe I made some errors.
But the idea: some user comes and tries to connect on PPPoE, let's say he has 128K and 32K up.
He is trying to download from and/or upload to our 1.2.3.4 server; he will be stuck on his CBQ rates and not conform to pipe 5 as we described. If the interface ether2 were IP based, yes, that would work, applying the pipe on ether2.
But here ether2 is the PPPoE listener; will it be the same? In one post you said that till now this will not work.
thanks in advance
Skaught
10-16-2004, 02:25 PM
We tried shaping following the example posted by bwbboot, except that we split upstream and downstream to different pipes so that we could have asymmetrical transfer.
Unfortunately nothing is hitting the upstream pipe. The downstream pipe config is nearly identical and it seems to be working.
pipe 7001 bw 128k
# Incoming (from clients to internet)
shape all to pipe 7001 from mark 100 out via ether1
shape all to pipe 7001 from mark 101 out via ether1
shape all to pipe 7001 from mark 102 out via ether1
shape all to pipe 7001 from mark 103 out via ether1
shape all to pipe 7001 from mark 104 out via ether1
shape all to pipe 7001 from mark 105 out via ether1
shape all to pipe 7001 from mark 106 out via ether1
bwbboot
10-16-2004, 02:30 PM
I noticed that. Might be correct behaviour. The original example from Tony or Lonnie did not include an upstream definition either.
Skaught
10-16-2004, 02:34 PM
Ya, but our testing seems to indicate that there is no shaping being applied to upstream traffic, and really I would be happier if it were the other way around.
It is upstream transfer that kills.
Can you post your firewall marking rule (if any), and the associated bandwidth rules you are using?
To match both directions:
The iptables "POSTROUTING" rule is to be used with a CBQ 'out via' rule, and the "PREROUTING" rule is to be used with a CBQ 'in via' rule.
Skaught
10-17-2004, 01:26 AM
Tried your suggestion but still no luck. Here are my configs.
fw:
#Layer 7
iptables -A POSTROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 100
iptables -A POSTROUTING -t mangle -m layer7 --l7proto bittorrent -j MARK --set-mark 101
iptables -A POSTROUTING -t mangle -m layer7 --l7proto edonkey -j MARK --set-mark 102
iptables -A POSTROUTING -t mangle -m layer7 --l7proto gnutella -j MARK --set-mark 103
iptables -A POSTROUTING -t mangle -m layer7 --l7proto audiogalaxy -j MARK --set-mark 104
iptables -A POSTROUTING -t mangle -m layer7 --l7proto bearshare -j MARK --set-mark 105
iptables -A POSTROUTING -t mangle -m layer7 --l7proto openft -j MARK --set-mark 106
iptables -A PRETROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 200
iptables -A PRETROUTING -t mangle -m layer7 --l7proto bittorrent -j MARK --set-mark 201
iptables -A PRETROUTING -t mangle -m layer7 --l7proto edonkey -j MARK --set-mark 202
iptables -A PRETROUTING -t mangle -m layer7 --l7proto gnutella -j MARK --set-mark 203
iptables -A PRETROUTING -t mangle -m layer7 --l7proto audiogalaxy -j MARK --set-mark 204
iptables -A PRETROUTING -t mangle -m layer7 --l7proto bearshare -j MARK --set-mark 205
iptables -A PRETROUTING -t mangle -m layer7 --l7proto openft -j MARK --set-mark 206
CBQ
#Layer 7
# Application shape
#client upstream p2p
pipe 7001 bw 128k
# Incoming (from clients to internet)
shape all to pipe 7001 from mark 200 in via ether2
shape all to pipe 7001 from mark 201 in via ether2
shape all to pipe 7001 from mark 202 in via ether2
shape all to pipe 7001 from mark 203 in via ether2
shape all to pipe 7001 from mark 204 in via ether2
shape all to pipe 7001 from mark 205 in via ether2
shape all to pipe 7001 from mark 206 in via ether2
#client downstream p2p
pipe 7000 bw 1024k
# Outgoing (from internet to clients)
shape all to pipe 7000 from mark 100 out via ether2
shape all to pipe 7000 from mark 101 out via ether2
shape all to pipe 7000 from mark 102 out via ether2
shape all to pipe 7000 from mark 103 out via ether2
shape all to pipe 7000 from mark 104 out via ether2
shape all to pipe 7000 from mark 105 out via ether2
shape all to pipe 7000 from mark 106 out via ether2
bwbboot
10-17-2004, 02:34 AM
You have a typo in your script. You're using PRETROUTING instead of PREROUTING.
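Since the mistakes being chased in this thread are all of the kind a script check would catch, here is an added example (not a StarOS tool, and not anyone's code from the thread) of a small Python lint that cross-checks a firewall script against its CBQ script: valid chain names, a single lower-case --l7proto name, the POSTROUTING/'out via' and PREROUTING/'in via' pairing given above, marks that no rule sets, pipes used before they are defined, and interface names of the form etherN (numbering starts at ether1). The sample scripts are constructed, with typos left in on purpose; StarOS's own ipfw-style firewall rules and other CBQ syntax are skipped.

```python
"""Lint for layer7 MARK rules and the CBQ rules that consume them (StarOS syntax)."""
import re
from typing import Dict, List, Set

# Pairing stated in the thread: a POSTROUTING mark goes with a CBQ 'out via'
# rule, a PREROUTING mark with an 'in via' rule.
CHAIN_FOR_DIRECTION = {"out": "POSTROUTING", "in": "PREROUTING"}
VALID_CHAINS = set(CHAIN_FOR_DIRECTION.values())
IPT_RE = re.compile(r"^iptables\s+-A\s+(\S+)\s+-t\s+mangle\s+-m\s+layer7\s+"
                    r"--l7proto\s+(.*?)\s+-j\s+MARK\s+--set-mark\s+(\d+)$")
PIPE_RE = re.compile(r"^pipe\s+(\d+)\s+bw\s+\d+[kKmM]?$")
SHAPE_RE = re.compile(r"^shape\s+\S+\s+to\s+pipe\s+(\d+)\s+from\s+mark\s+(\d+)\s+"
                      r"(in|out)\s+via\s+(\S+)$")
IFACE_RE = re.compile(r"^(ether[1-9]\d*|\$\w+)$")  # device names start at ether1

def lint(firewall: str, cbq: str) -> List[str]:
    """Return findings as strings; an empty list means the scripts agree."""
    findings: List[str] = []
    marks: Dict[int, Set[str]] = {}  # mark -> chains that set it
    for n, raw in enumerate(firewall.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("iptables"):
            continue  # StarOS ipfw-style firewall rules are not checked here
        m = IPT_RE.match(line)
        if not m:
            findings.append(f"fw:{n}: layer7 MARK rule not understood: {line!r}")
            continue
        chain, proto, mark = m.group(1), m.group(2), int(m.group(3))
        if chain not in VALID_CHAINS:
            findings.append(f"fw:{n}: unknown chain {chain!r}; use PREROUTING or POSTROUTING")
        if not re.fullmatch(r"[a-z0-9-]+", proto):
            findings.append(f"fw:{n}: --l7proto takes one lower-case name, got {proto!r}")
        marks.setdefault(mark, set()).add(chain)  # one mark may serve several protocols
    pipes: Set[int] = set()
    for n, raw in enumerate(cbq.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        p = PIPE_RE.match(line)
        if p:
            pipes.add(int(p.group(1)))
            continue
        s = SHAPE_RE.match(line)
        if not s:
            continue  # other CBQ syntax (per-IP shapes etc.) is not checked here
        pipe, mark, direction, iface = int(s.group(1)), int(s.group(2)), s.group(3), s.group(4)
        if pipe not in pipes:
            findings.append(f"cbq:{n}: pipe {pipe} used before any 'pipe {pipe} bw' line")
        if mark not in marks:
            findings.append(f"cbq:{n}: mark {mark} is never set by a firewall rule")
        else:
            known = marks[mark] & VALID_CHAINS
            if known and CHAIN_FOR_DIRECTION[direction] not in known:
                findings.append(f"cbq:{n}: '{direction} via' needs a {CHAIN_FOR_DIRECTION[direction]} "
                                f"mark, but mark {mark} is set in {sorted(known)}")
        if not IFACE_RE.match(iface):
            findings.append(f"cbq:{n}: interface {iface!r} is not an etherN name (numbering starts at ether1)")
    return findings

# Constructed sample modelled on the scripts in this thread, typos left in on purpose.
SAMPLE_FW = """\
iptables -A POSTROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 100
iptables -A POSTROUTING -t mangle -m layer7 --l7proto direct connect -j MARK --set-mark 102
iptables -A PRETROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 200
"""
SAMPLE_CBQ = """\
pipe 7001 bw 128k
shape all to pipe 7001 from mark 200 in via ether2
shape all to pipe 7001 from mark 100 in via ether2
pipe 7000 bw 1024k
shape all to pipe 7000 from mark 100 out via ether2
shape all to pipe 7000 from mark 101 out via ether0
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_FW, SAMPLE_CBQ):
        print(finding)
```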
Skaught
10-17-2004, 04:52 PM
Guess working on it at 4am does that . . . :P
Seems to work now!
Skaught
10-17-2004, 07:08 PM
Although now I have a new problem. Seems my CPU spends most of its time between 80 and 100%.
It is a 1.5 GHz P4 with 2 GB of RAM, 80 GB HD. I think I am just asking too much of it. I am typically running 2-5 Mbit through it.
Layer 7 filtering does task the CPU; however, as long as you do not see many speed-related issues (i.e. the system is able to keep up with the traffic flow), you should be OK.
bobbyc
10-21-2004, 12:28 PM
is layer 7 filtering case sensitive? Will 'napster' catch Napster, NAPSTER, etc?
Would it also catch fadkfjadfaNAPSTERkfadfal;kdfj?
Sorry if that sounds dumb... I was just thinking that the p2p software people will catch on in the future and modify how their packets look.
Bob C
Those names are application / protocol names, and not the name it searches for in the packets. These names should be lower-case.
bobbyc
10-21-2004, 12:36 PM
Thanks... again I haven't grasped this yet. I just make the suggestions to the sys adm :)
Bob C
Anymouse
10-22-2004, 03:16 PM
Just a caution - if anyone gets a little overzealous about adding protocols.
Skaught went through and added all the protocols in the list that had "PTP" mentioned in them (although I seriously doubt anyone on our network is using "GoBoogy"), and it seems the ones that are indicated as possibly causing false matches should be taken seriously : )
If you severely shape the upstream on "openft", it breaks Windows Update and most download managers (Symantec LiveUpdate, Adobe Download Manager). Scratched our heads for a while on that one.
billr
10-27-2004, 10:23 AM
THANKS for the info, it had me puzzled for a while also..
It also seems to affect IE as well..
rbolduc
11-07-2004, 04:33 PM
Can I use layer7 after the NAT (public IP) on my SDSL line, or should it be on the inside (private) of the NAT?
SDSL = ether1 #(Public IP)
uplink = ether6 # (Internal IP)
# Application shape
pipe 7000 bw 32K
# Outgoing
shape all to pipe 7000 from mark 100 out via ether1
shape all to pipe 7000 from mark 101 out via ether1
shape all to pipe 7000 from mark 102 out via ether1
shape all to pipe 7000 from mark 103 out via ether1
shape all to pipe 7000 from mark 104 out via ether1
shape all to pipe 7000 from mark 105 out via ether1
shape all to pipe 7000 from mark 106 out via ether1
# Incoming
shape all to pipe 7000 from mark 100 in via ether1
shape all to pipe 7000 from mark 101 in via ether1
shape all to pipe 7000 from mark 102 in via ether1
shape all to pipe 7000 from mark 103 in via ether1
shape all to pipe 7000 from mark 104 in via ether1
shape all to pipe 7000 from mark 105 in via ether1
shape all to pipe 7000 from mark 106 in via ether1
Thanks
Reed
You can use it on either LAN or WAN interface without problems.
Skaught
11-07-2004, 10:01 PM
A piece of feedback to Lonnie and crew: L7 is working GREAT. Before L7, 60% of our transfer was upstream; now only 10% is upstream. This has cut our need for upstream bandwidth significantly and means our current feed should last us a long time.
Saved us A LOT of money.
We have had only really one complaint from users about p2p throughput. Overall he was not that upset and even if we lost one client, some clients cost you money, and he was one.
kudos.
lonnie
11-07-2004, 11:03 PM
Thanks for the feedback.
sevenn
11-15-2004, 08:02 PM
Wow, just wow. I was looking into a packeteer just the other day.
I'm going to test the l7 filtering on a very active 3meg connection with a bunch of states (2226 currently). The star router doing the l7 filtering will sit between (bridging) two other routers and is a 1.9ghz p4 w/512megs ram & 2 intel pro/100s. It will be using the following rulesets:
iptables -A POSTROUTING -t mangle -m layer7 --l7proto audiogalaxy -j MARK --set-mark 100
iptables -A POSTROUTING -t mangle -m layer7 --l7proto bittorrent -j MARK --set-mark 101
iptables -A POSTROUTING -t mangle -m layer7 --l7proto directconnect -j MARK --set-mark 102
iptables -A POSTROUTING -t mangle -m layer7 --l7proto ftp -j MARK --set-mark 103
iptables -A POSTROUTING -t mangle -m layer7 --l7proto gnucleuslan -j MARK --set-mark 104
iptables -A POSTROUTING -t mangle -m layer7 --l7proto gnutella -j MARK --set-mark 105
iptables -A POSTROUTING -t mangle -m layer7 --l7proto goboogy -j MARK --set-mark 106
iptables -A POSTROUTING -t mangle -m layer7 --l7proto hotline -j MARK --set-mark 107
iptables -A POSTROUTING -t mangle -m layer7 --l7proto msn-filetransfer -j MARK --set-mark 108
iptables -A POSTROUTING -t mangle -m layer7 --l7proto mute -j MARK --set-mark 109
iptables -A POSTROUTING -t mangle -m layer7 --l7proto openft -j MARK --set-mark 110
iptables -A POSTROUTING -t mangle -m layer7 --l7proto tesla -j MARK --set-mark 111
iptables -A POSTROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 112
pipe 5 bw 2050k
shape all to pipe 5 from mark 100 out via ether0
shape all to pipe 5 from mark 100 out via ether1
shape all to pipe 5 from mark 101 out via ether0
shape all to pipe 5 from mark 101 out via ether1
shape all to pipe 5 from mark 102 out via ether0
shape all to pipe 5 from mark 102 out via ether1
shape all to pipe 5 from mark 103 out via ether0
shape all to pipe 5 from mark 103 out via ether1
shape all to pipe 5 from mark 104 out via ether0
shape all to pipe 5 from mark 104 out via ether1
shape all to pipe 5 from mark 105 out via ether0
shape all to pipe 5 from mark 105 out via ether1
shape all to pipe 5 from mark 106 out via ether0
shape all to pipe 5 from mark 106 out via ether1
shape all to pipe 5 from mark 107 out via ether0
shape all to pipe 5 from mark 107 out via ether1
shape all to pipe 5 from mark 108 out via ether0
shape all to pipe 5 from mark 108 out via ether1
shape all to pipe 5 from mark 109 out via ether0
shape all to pipe 5 from mark 109 out via ether1
shape all to pipe 5 from mark 110 out via ether0
shape all to pipe 5 from mark 110 out via ether1
shape all to pipe 5 from mark 111 out via ether0
shape all to pipe 5 from mark 111 out via ether1
shape all to pipe 5 from mark 112 out via ether0
shape all to pipe 5 from mark 112 out via ether1
Any suggestions on tweaks or any limitations I may run into?
Thanks!
Edit: forgot fasttrack
sevenn
11-18-2004, 10:08 PM
The ruleset above doesn't seem to work properly. If I download from bittorrent at 170kB/sec, the cbq report shows 19.9kB/sec and the traffic does not get restricted, even if I lower the pipe to 384k.
Perhaps there's an error in the ruleset? I can't seem to find it.
While downloading at 170kB/sec from bittorrent:
Rule: 14.52M, 19.97K - netfilter mark 101 out via eth0
sevenn
11-18-2004, 10:19 PM
Oh duh! I was confusing eth0 and ether0! Fixed works now.
Also note, ethernet device numbering starts at 1, not 0, so the rules above should be for ether1 & ether2.
Thanks!