[EMAIL PROTECTED] wrote:
> Send LARTC mailing list submissions to
> 	[EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://mailman.ds9a.nl/mailman/listinfo/lartc
> or, via email, send a message with subject or body 'help' to
> 	[EMAIL PROTECTED]
>
> You can reach the person managing the list at
> 	[EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of LARTC digest..."
>
> Today's Topics:
>
>    1. Re: HTB or CBQ ? (Stef Coene)
>    2. Re: Iptables, SNAT/MASQ, Multiple gateways (Don Cohen)
>    3. Re: RE:u32 filters and compression (Tobias Geiger)
>    4. ip route (Rimas)
>    5. Re: Rip problems (James Sneeringer)
>    6. Re: Iptables, SNAT/MASQ, Multiple gateways (Michael T. Babcock)
>    7. Re: Iptables, SNAT/MASQ, Multiple gateways (Jose Luis Domingo Lopez)
>    8. Two ISP and NAT (Rimas)
>    9. Re: Iptables, SNAT/MASQ, Multiple gateways (Julian Anastasov)
>   10. Re: Iptables, SNAT/MASQ, Multiple gateways (Simon Matthews)
>   11. Re: Iptables, SNAT/MASQ, Multiple gateways (Simon Matthews)
>   12. RE: Iptables, SNAT/MASQ, Multiple gateways (Greg Scott)
>
> --__--__--
>
> Message: 1
> From: Stef Coene <[EMAIL PROTECTED]>
> Organization: None
> To: "Michael T. Babcock" <[EMAIL PROTECTED]>
> Subject: Re: [LARTC] HTB or CBQ ?
> Date: Mon, 30 Sep 2002 17:37:03 +0200
> Cc: SERBAN Rares <[EMAIL PROTECTED]>,
>     [EMAIL PROTECTED], [EMAIL PROTECTED]
>
> On Monday 30 September 2002 17:26, Michael T. Babcock wrote:
> > Stef Coene wrote:
> > > And one of the most convincing arguments to me: htb is actively
> > > maintained. If there is a bug or performance problem, it will get fixed.
> >
> > And, being newer code that many of us have looked at, patches / fixes
> > will probably flow to the maintainer faster than CBQ ones.
> >
> > BTW, how many people are using the patched SFQ (ESFQ?) these days, and
> > how stable is it?
> I used it and it was stable. I'm going to switch over to kernel 2.5.
> Will the efsq patch apply?
>
> Stef
>
> --
> [EMAIL PROTECTED]
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
>
> --__--__--
>
> Message: 2
> From: [EMAIL PROTECTED] (Don Cohen)
> Date: Mon, 30 Sep 2002 08:55:27 -0700
> To: Simon Matthews <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: [LARTC] Iptables, SNAT/MASQ, Multiple gateways
>
> Simon Matthews writes:
> > OK, this may be a reasonable approach, but how do I force it to initiate
> > connections from the "fast" interface, yet allow it to fail over to the
> > slow interface if the system removes the route to the fast gateway because
> > it has detected that it is not responding?
>
> Off hand I don't know anything built in for this (I look forward to
> hearing an answer from someone who does), but I don't think this is
> really what you want anyway. It's not as if your link is the only one
> that could fail!
> If ISP1's upstream link fails then you want to use ISP2 for all
> traffic other than that intended for ISP1 itself. And of course,
> problems further upstream prevent you from reaching certain addresses
> but not others, and you don't really know which without a global view
> of the routing.
>
> I think the "right" solution involves monitoring the traffic.
> There's a wide range of things you could do, the simplest being
> simply detecting that the link is not responding. You could also
> try to detect tcp retransmits, measure RTT, aggregate data to measure
> how well individual connections are working, further aggregate data to
> determine which address blocks are working well and which poorly, etc.
> Then use that data to decide which of your links to use for a given
> destination.
>
> I actually sent a proposal to this list that I think provides a good
> solution to the general problem: an extension to TCP (possibly even
> IP) that supports multiple addresses/ports. This would even allow you
> to switch addresses in the middle of a connection.
> I think what I
> described before applies more to the machine on the other side of your
> connection, which now would know both of your addresses. Whenever it
> does a tcp retransmit it switches the address. It therefore tends to
> stay on the one that works most reliably. (Perhaps this algorithm
> could be improved to take speed into account too.) This discussion
> points out that something similar should be done on your end: you
> should switch the output interface you use when you retransmit.
>
> Of course this is not yet implemented. It's on my queue, but not
> close to the beginning. I'd be glad if someone out there could beat
> me to it.
>
> --__--__--
>
> Message: 3
> Date: Mon, 30 Sep 2002 18:04:17 +0200
> From: Tobias Geiger <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [LARTC] RE:u32 filters and compression
>
> Hi,
>
> thanks for the thanks :)
> i looked at the whitepaper on www.peribit.com and it seems that they do
> much more than the standard (lzw-) compression:
> they use a kind of proxy for cachable protocols, and their MSR ("Molecular
> Sequence Reduction", sounds great ! :) algorithm to find repeating
> patterns even across multiple packets.
>
> although i can't really believe that this doesn't affect latency, the
> technical approach sounds amazing.
>
> The great "disadvantage" is that u need such a box at both ends
> (obviously) unlike compressed pppd (at least i think windows understands
> compressed-pppd, or?) which is more platform independent. But i admit
> this is like comparing apples with pears...
>
> Allan Gee wrote:
> > Thanks: To Stef and Tobias Geiger for giving me the answer. I used
> > the prio to get the order right. Don't know why I didn't think of it
> > myself. Compression: Another thing that might be useful to the list
> > is the use of compression (Deflate etc.) to get better bandwidth
> > across links. This requires a Linux router at both ends of the link.
> > I got the idea from a product called Peribit, see www.peribit.com (
> > and mainly from Martin Devera who pointed out to me that Linux does
> > compression already with ppp. ) I have now started to work on getting
> > compression built into my traffic shaping/router products that are
> > Linux based. Putting that in place of Cisco should be a much
> > better/cheaper solution, do you not think? One could even shape the
> > port that the pppoe runs on. I have looked at Zebedee which also has
> > a solution for "Windows" boxes. Anyway I've just started to do this
> > and if anyone is interested I will let you know the outcome.
> >
> > Regards Allan Gee Equation 021 4181777 www.equation.co.za
>
> --__--__--
>
> Message: 4
> From: "Rimas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Mon, 30 Sep 2002 17:11:22 +0100
> Subject: [LARTC] ip route
>
> Hi folks,
>
> How do I permanently delete the default route and add a new one with ip route?
> I use RedHat 7.3.
>
> Thank you in advance
>
> Rimas
>
> --__--__--
>
> Message: 5
> Date: Mon, 30 Sep 2002 11:42:40 -0500
> From: James Sneeringer <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [LARTC] Rip problems
>
> On Sat, Sep 28, 2002 at 01:46:37PM -0400, Joseph Watson wrote:
> | EXPORT_GATEWAY="no"
> | SILENT="no"
>
> This should cause the equivalent of "routed -s" to be run. The "-s" tells
> routed to send routing updates. Check with "ps ax". You can get further
> debugging out of it with "-d" and "-t".
>
> | When I start routed, the appropriate routes show up in the portmaster after
> | about 30 seconds, and all works good for about 2 1/2 minutes. Then the
> | portmaster sets the Metric to 16 for the route to my subnet behind the
> | firewall, and routing quits working.
>
> PortMasters do this when they think they need to remove the route from the
> routing table.
> They set the "O" flag (for obsolete, I guess) and set the
> metric to 16 (because 16 is the largest metric permitted by RIPv1). The
> route will eventually disappear from the table unless another update is
> received.
>
> | If I restart routed, we will repeat the
> | process. If I stop routed during the 2 1/2 mins, it will immediately set the
> | Met to 16. This tells me that they are communicating because when I shut
> | routed down the metric is set to 16. But why does this happen exactly at 2
> | 1/2 min?? I am quite confused?
>
> It sounds like routed isn't sending routing updates. RIPv1 sends the whole
> routing table every 30 seconds to the broadcast address (which is why it
> takes about 30 seconds for the PortMaster to see the routes). My guess is
> it's only sending out the initial announcement, and when the PM doesn't see
> subsequent announcements for a couple minutes, it drops the routes.
>
> If possible, consider using OSPF instead. RIPv1 is quite obsolete and
> generally useless on subnetted networks like yours. PortMasters have done
> OSPF since ComOS 3.5, and you can implement it on Linux with zebra or gated.
> For further PortMaster-specific help, consider subscribing to the
> [EMAIL PROTECTED] list. See http://www.portmasters.com/
> for more info.
>
> -James
>
> --__--__--
>
> Message: 6
> Date: Mon, 30 Sep 2002 13:05:54 -0400
> From: "Michael T. Babcock" <[EMAIL PROTECTED]>
> Organization: FibreSpeed Ltd.
> To: Don Cohen <[EMAIL PROTECTED]>
> Cc: Simon Matthews <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: [LARTC] Iptables, SNAT/MASQ, Multiple gateways
>
> Don Cohen wrote:
>
> > I actually sent a proposal to this list that I think provides a good
> > solution to the general problem: an extension to TCP (possibly even
> > IP) that supports multiple addresses/ports. This would even allow you
> > to switch addresses in the middle of a connection.
> > I think what I
> >
> SCTP actually supports this already; look it up -- it's quite a bit
> different from TCP but allows you to do all the same types of things,
> with more options.
>
> That said, a Zebra (routing software) plugin that would run iptables
> scripts would be all you'd need in many cases.
>
> --
> Michael T. Babcock
> C.T.O., FibreSpeed Ltd.
> http://www.fibrespeed.net/~mbabcock
>
> --__--__--
>
> Message: 7
> Date: Mon, 30 Sep 2002 20:11:58 +0200
> From: Jose Luis Domingo Lopez <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [LARTC] Iptables, SNAT/MASQ, Multiple gateways
>
> On Sunday, 29 September 2002, at 22:18:30 -0700,
> Don Cohen wrote:
>
> > > ip route add default nexthop via $CONN1_IP dev $ETHX weight $X \
> > >   nexthop via $CONN2_IP dev $ETHX weight $Y
> >
> > Note that this only shapes outgoing traffic and also relies on your
> > ISPs to NOT do the ingress filtering that they're really supposed to do.
> >
> Just a note. The above routing doesn't prevent you from applying
> SNAT/MASQ to the outgoing traffic, at least not when you have an
> ethernet card for each connection (not the case) and you can know
> through which one the traffic will go out.
>
> So adding another ethernet card and a couple of "iptables" rules can
> avoid problems with ISPs filtering "alien" incoming traffic :)
>
> --
> Jose Luis Domingo Lopez
> Linux Registered User #189436 Debian Linux Woody (Linux 2.4.19-pre6aa1)
>
> --__--__--
>
> Message: 8
> From: "Rimas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Mon, 30 Sep 2002 19:28:36 +0100
> Subject: [LARTC] Two ISP and NAT
>
> Hi folks,
>
> I have 2 ISP Inet connections.
>
> Inet 1 (eth0) I have used for everything (SMTP server, MASQ for local network).
> I got the 2nd Inet (eth1) and made some changes:
>
> They both have MASQ:
>   iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE_2 -j MASQUERADE   (2 Inet)
>   iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE_1 -j MASQUERADE   (1 Inet)
>
> I changed the default route to eth1 and put in some additional routes:
>   ip route rep default via ext_ip2 dev eth1
>   ip route add 1.2.3.4 via ext_ip1 (eth0)
>
> And now I'm having a problem with my email server (Lotus Notes on Linux).
> It can send emails via SMTP but cannot use the encrypted Lotus connection
> and receive emails as well.
>
>   iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE_1 -p tcp -d $EXTERNALIP_1 --dport 25 \
>       -j DNAT --to-destination 1.2.3.196:25
>
>   # Lotus Notes Encrypted connection (tcp 1352) port forward from eth0 to
>   # internal ip 10.105.105.196
>   iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE_1 -p tcp -d $EXTERNALIP_1 --dport 1352 \
>       -j DNAT --to-destination 1.2.3.196:1352
>
> And how do I route with the ip route command so that the email server uses
> not the default route (eth1) but eth0?
>
> What more do I need to configure to get my email server working again?
>
> Thank you in advance
>
> Rimas
>
> --__--__--
>
> Message: 9
> Date: Mon, 30 Sep 2002 22:24:03 +0000 (GMT)
> From: Julian Anastasov <[EMAIL PROTECTED]>
> To: "Michael T. Babcock" <[EMAIL PROTECTED]>
> Cc: Don Cohen <[EMAIL PROTECTED]>,
>     Simon Matthews <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: Re: [LARTC] Iptables, SNAT/MASQ, Multiple gateways
>
> 	Hello,
>
> On Mon, 30 Sep 2002, Michael T. Babcock wrote:
>
> > Don Cohen wrote:
> >
> > > I actually sent a proposal to this list that I think provides a good
> > > solution to the general problem: an extension to TCP (possibly even
> > > IP) that supports multiple addresses/ports. This would even allow you
> > > to switch addresses in the middle of a connection. I think what I
>
> 	Yes, we can implement it as a separate IP protocol :)
> Of course, at the beginning the idea may sound too stupid, we
> have to change that. Maybe there is already a solution for that?
> A "simple" tunnel without encryption that will support failover
> and balancing of the negotiated traffic, ability to negotiate
> multiple IPs for each endpoint. Of course, there should be some
> problems with the proper tunneling of this traffic in each end,
> see how difficult it is to route the IPSec traffic. Each endpoint will do
> failover detection of all negotiated links and will do balancing (if
> desired) over these links, based on relative ratio. This tunnel
> should be transparent to the upper layers (TCP/UDP/ICMP/SCTP).
>
> > SCTP actually supports this already; look it up -- it's quite a bit
> > different from TCP but allows you to do all the same types of things,
> > with more options.
>
> 	But this feature is only for SCTP. We want the traffic
> from one multihomed router to use multiple links when talking
> to another router, both understanding this "our new" IP tunneling
> protocol.
>
> 	I see it in this way: when such a packet is received, we
> decapsulate it and place it on the expected interface. As a
> result, the upper layers will see the packet on the right
> input interface even if it is received on another input
> interface (for example, if it is the only one alive).
>
> Regards
>
> --
> Julian Anastasov <[EMAIL PROTECTED]>
>
> --__--__--
>
> Message: 10
> Date: Mon, 30 Sep 2002 12:24:58 -0700 (PDT)
> From: Simon Matthews <[EMAIL PROTECTED]>
> To: Don Cohen <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: [LARTC] Iptables, SNAT/MASQ, Multiple gateways
>
> On Mon, 30 Sep 2002, Don Cohen wrote:
>
> > Simon Matthews writes:
> > > OK, this may be a reasonable approach, but how do I force it to initiate
> > > connections from the "fast" interface, yet allow it to fail over to the
> > > slow interface if the system removes the route to the fast gateway because
> > > it has detected that it is not responding?
> >
> > Off hand I don't know anything built in for this (I look forward to
> > hearing an answer from someone who does), but I don't think this is
> > really what you want anyway. It's not as if your link is the only one
> > that could fail!
>
> Don, there are some kernel patches (already installed on my system) that
> support dead gateway detection and static routes. "Static" means that the
> routes are not forgotten when the system removes an interface because the
> gateway is not working.
>
> But the problem remains: how to handle this in iptables MASQ/SNAT
> commands? One can postulate that if the interface is removed because the
> gateway is dead, then the MASQ command will use the source related to the
> other gateway.
>
> However, the question now is: how to force the system to use the source
> address related to the "fast" gateway under normal operation while
> allowing a failover to the slow gateway?
>
> Simon
>
> --__--__--
>
> Message: 11
> Date: Mon, 30 Sep 2002 12:26:43 -0700 (PDT)
> From: Simon Matthews <[EMAIL PROTECTED]>
> To: "Michael T. Babcock" <[EMAIL PROTECTED]>
> Cc: Don Cohen <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: Re: [LARTC] Iptables, SNAT/MASQ, Multiple gateways
>
> On Mon, 30 Sep 2002, Michael T. Babcock wrote:
>
> > Don Cohen wrote:
> >
> > That said, a Zebra (routing software) plugin that would run iptables
> > scripts would be all you'd need in many cases.
>
> The ISP that provides the "fast" connection won't provide any IGP routing
> information (RIP, OSPF, etc), so I don't think this is possible.
>
> --__--__--
>
> Message: 12
> Subject: RE: [LARTC] Iptables, SNAT/MASQ, Multiple gateways
> Date: Mon, 30 Sep 2002 14:41:34 -0500
> From: "Greg Scott" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: "Chris Leiseth (E-mail)" <[EMAIL PROTECTED]>
>
> > ip route add default nexthop via $CONN1_IP dev $ETHX weight $X \
> >   nexthop via $CONN2_IP dev $ETHX weight $Y
> >
>
> Would this technique work for more than two gateways? How many nexthop
> clauses are allowed? Is there a limit?
>
> thanks
>
> - Greg Scott
>
> --__--__--
>
> _______________________________________________
> LARTC mailing list
> [EMAIL PROTECTED]
> http://mailman.ds9a.nl/mailman/listinfo/lartc
>
> End of LARTC Digest
begin:vcard
n:Diwakar;VedaVyas
tel;cell:98450 61219
tel;work:+91 80 6587116, 6582923
x-mozilla-html:FALSE
org:Yukthi Systems Pvt. Ltd.;www.yukthi.com
adr:;;;;;;
version:2.1
email;internet:[EMAIL PROTECTED]
title:Manager OPS
fn:VedaVyas Diwakar
end:vcard
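Two questions in the quoted digest stay open: Rimas's "Two ISP and NAT" (message 8) and Simon's "how to use the fast gateway's source address under normal operation" (message 10). Jose Luis's remark in message 7 is the key to both: per-interface MASQUERADE is safe as soon as the router knows which uplink a packet will leave on. Rimas's symptom follows directly from that. Inbound SMTP/Notes connections are DNATed in on eth0, but the reply packets from the LAN server hit the main table's default route, leave via eth1, and are un-DNATed to eth0's address after routing, so ISP2 sees a packet carrying ISP1's address, which is exactly the "alien" traffic Don and Jose Luis expect ISPs to filter. The script below is an added example, not code from the digest, from any of the posters or from the LARTC project: it routes router-originated replies by source address and forwarded replies by a connection mark restored from conntrack, so every reply uses the uplink its connection arrived on. Interface names, the RFC 5737 documentation addresses and the mail server address are constructed assumptions; the CONNMARK target and conntrack match are mainline in 2.6 and later kernels (a patch-o-matic add-on at the time of the digest). Dead-gateway failover, the second half of Simon's question, is deliberately out of scope.

```shell
#!/bin/sh
# Added example (not from the LARTC digest): policy routing for a dual-uplink
# NAT router so that a connection answered or forwarded by the router leaves
# on the uplink it arrived on, and the per-interface MASQUERADE rule then
# always stamps the matching source address.
#
# All names and addresses below are constructed assumptions.
ISP1_IF=eth0; ISP1_IP=192.0.2.10;    ISP1_NET=192.0.2.0/24;    ISP1_GW=192.0.2.1
ISP2_IF=eth1; ISP2_IP=198.51.100.10; ISP2_NET=198.51.100.0/24; ISP2_GW=198.51.100.1
LAN_IF=eth2;  LAN_NET=10.105.105.0/24
MAIL=10.105.105.196   # LAN host that receives the DNATed SMTP/Notes ports

# Emit the iproute2/iptables commands rather than running them directly, so
# the plan can be reviewed (or diffed against the live config) before it is
# applied to a production router.
gen_policy_routing() {
    cat <<EOF
# one routing table per uplink, each with its own default route
ip route add $ISP1_NET dev $ISP1_IF src $ISP1_IP table 101
ip route add $ISP2_NET dev $ISP2_IF src $ISP2_IP table 102
ip route add $LAN_NET dev $LAN_IF table 101
ip route add $LAN_NET dev $LAN_IF table 102
ip route add default via $ISP1_GW dev $ISP1_IF table 101
ip route add default via $ISP2_GW dev $ISP2_IF table 102
# the main table keeps the ordinary default route for everything else
ip route replace default via $ISP2_GW dev $ISP2_IF
# router-originated replies: pick the table by source address
ip rule add from $ISP1_IP table 101 pref 100
ip rule add from $ISP2_IP table 102 pref 101
# forwarded replies: pick the table by the mark restored from conntrack
# (these must come before the per-host rule, so a connection that came in
# via ISP2 is still answered via ISP2)
ip rule add fwmark 1 table 101 pref 102
ip rule add fwmark 2 table 102 pref 103
# new outbound mail from the server leaves via ISP1, whose address the MX carries
ip rule add from $MAIL table 101 pref 105
# remember which uplink a new inbound connection arrived on ...
iptables -t mangle -A PREROUTING -i $ISP1_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i $ISP2_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
# ... and copy it back onto every packet of that connection coming from the
# LAN, before the routing decision, so the reply is routed out the same uplink
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
# port forwards stay bound to ISP1; replies are un-DNATed after routing
iptables -t nat -A PREROUTING -i $ISP1_IF -p tcp -d $ISP1_IP --dport 25 -j DNAT --to-destination $MAIL:25
iptables -t nat -A PREROUTING -i $ISP1_IF -p tcp -d $ISP1_IP --dport 1352 -j DNAT --to-destination $MAIL:1352
# masquerade per uplink: the source address always matches the egress link
iptables -t nat -A POSTROUTING -o $ISP1_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $ISP2_IF -j MASQUERADE
ip route flush cache
EOF
}

# Default action is a dry run that prints the plan; "--apply" pipes it into sh.
case "${1-}" in
    --apply) gen_policy_routing | sh ;;
    *)       gen_policy_routing ;;
esac
```

Run it without arguments to inspect the generated commands, and with `--apply` as root to install them. The rule preferences matter: the fwmark rules sit above the `from $MAIL` rule so that a connection marked 2 is answered via ISP2 even though the server's fresh outbound connections are pinned to ISP1. Outbound LAN traffic with no mark falls through to the main table, goes out eth1 and is masqueraded with eth1's address, which is the behaviour Rimas wanted for the rest of the network. `ip route flush cache` is harmless on kernels that no longer keep a route cache.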