[LARTC] Patch for easier dynamic SAD PBR

2007-12-08 Thread Brian S Julin

Yesterday I posted a patch on the netdev list but it
occurred to me that folks here might have more to say
about the proposed feature (and a stake in it since
it would add syntax to iproute)

http://www.spinics.net/lists/netdev/msg49450.html

Comments very welcome.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] a browse the code website for iproute2 source files ?

2007-07-16 Thread Brian J. Murrell
On Tue, 2007-07-17 at 05:48 +0200, Vincent Dautremont wrote:
 Hi,
 I'm searching if there is a website to browse iproute2 source code as
 we can do with the kernel here http://lxr.linux.no/source/
 It's a very useful tool to follow function calls and macros across
 the multitude of files of the package.
 I've already searched google for a website like this but I haven't
 found anything so I ask here.

Why not just download a tarball, make tags and use tagged editing?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell




Re: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.

2007-02-18 Thread Brian J. Murrell
On Thu, 2007-02-15 at 00:30 +0100, Paul Viney wrote:
 Wow! That made a difference. One
 echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
 and everything started working.
 Thanks a lot Torsten and Alex - I wouldn't have solved it without your
 suggestions.

But the question I have had about this subject is when one has two
default routes, load balanced, does this evaluation of which interface
would be used when the packet is reverse-path-tested test all of the
default routes or just the route that is currently active given the load
balancing algorithm?

If only the one, current default route is used in the evaluation it
seems to me even in the most straightforward
dual-load-balanced-default-route configuration there is a race between
the time a packet is assigned an outgoing address & sent out the then
current default route and the routing code re-balancing and switching
the active default route (i.e prior to the reply packet -- or even in
the middle of active tcp connections).

The situation gets even worse (not even just a race condition) when you
apply policy routing to force the use of a particular default route.

Thots?

b.

 
 Paul Viney
 
 
 On Wednesday 14 February 2007 21:17, Torsten Luettgert wrote:
  This is one of my favourites :-)
 
  Usually that problem is caused by the rp_filter feature, which silently
  drops packets that arrive on an interface answers wouldn't be routed to.
 
  Just try
 
  for i in /proc/sys/net/ipv4/conf/eth*/rp_filter; do
  echo 0 > $i
  done
 
  and see if that helps.
  (indeed, you don't really need to switch it off for all of them, just
  the uplink interfaces would be enough)
 
  Hth,
  Torsten
-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell




[LARTC] multiple default routes, rp_filter and martians

2007-02-10 Thread Brian J. Murrell
I have a theory on the cause of a problem but it is still only a theory.
I wonder if anyone here can confirm.

I have a multi-isp configuration with a multi-path default route to each
ISP, equally weighted.

I am seeing, periodically, traffic dropped due to martian detection and
errors logged on inbound traffic, but at other times, that same exact
traffic will be allowed, no errors.

My supposition is this:  If I use ip route get source_addr for the
source address that rp_filter is dropping traffic from I can see that
it's reporting that traffic to that address would use the alternate ISP
interface from the one it's being received on (and logged as a martian
and dropped).  If I continue to use ip route get on that address
eventually it will report the interface that the traffic is being
received on -- that would be the balancing feature of the multiple
paths.

I believe that during these times when ip route get is reporting the
alternate interface, the kernel would also log inbound packets from that
address as martians.  Is this the case?

To further confirm my supposition, while my gateway is dropping packets
and logging them as martians, I can install a route specifically for
that source pointing to the interface that they are being received on
and the dropping/martian logging stops and the traffic is received.

So to summarize it seems that when doing the rp_filter tests, the kernel
only uses the current default route and not all available default
routes when determining the reverse path.  Is this true?

Thanx,
b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
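The two posts above (the rp_filter question and the "multiple default routes, rp_filter and martians" theory) describe the same symptom: with an equal-weight multipath default route, inbound packets from one address are sometimes logged as martians and sometimes accepted. The following is an added example, not code from the thread; it is a small Python model of the reverse-path check rather than the kernel's code. The routing table, the addresses and the hash "epoch" (standing in for the kernel periodically re-choosing which nexthop a destination maps to) are all constructed. It reproduces the intermittent drop, Brian's host-route workaround, and the loose mode (`rp_filter=2`, RFC 3704) documented in the kernel's ip-sysctl.txt; the last check also shows what loose mode gives up, namely that a packet claiming a LAN source address but arriving on an ISP interface is no longer rejected.

```python
import ipaddress

# Constructed routing table for the setup in the post: a LAN prefix plus an
# equal-weight multipath default route with one nexthop per ISP.
LAN = ipaddress.ip_network("192.0.2.0/24")
ROUTES = [
    (LAN, [("eth0", None)]),
    (ipaddress.ip_network("0.0.0.0/0"), [("ppp0", "198.51.100.1"),   # ISP A
                                         ("eth1", "203.0.113.1")]),  # ISP B
]


def lookup(routes, addr):
    """Longest-prefix match; returns (prefix, nexthops) or None."""
    cands = [r for r in routes if addr in r[0]]
    return max(cands, key=lambda r: r[0].prefixlen, default=None)


def select_nexthop(nexthops, addr, epoch):
    """Model of multipath nexthop choice (assumption, not the kernel's hash):
    the kernel hashes per destination and periodically re-randomises; `epoch`
    stands in for that re-randomisation, so the same address can map to a
    different interface at a different time, which is what repeated
    `ip route get` shows in the post."""
    return nexthops[(int(addr) + epoch) % len(nexthops)]


def reverse_path_ok(routes, src, in_iface, rp_filter, epoch=0):
    """Reverse-path check for one inbound packet; True means accept.
    rp_filter 0: off.  1: strict - the one interface the kernel would pick to
    reach src must be the arrival interface.  2: loose (RFC 3704) - src only
    has to be reachable via some interface."""
    src = ipaddress.ip_address(src)
    if rp_filter == 0:
        return True
    route = lookup(routes, src)
    if route is None:
        return False                 # unreachable source: dropped as martian
    if rp_filter == 2:
        return True
    iface, _gateway = select_nexthop(route[1], src, epoch)
    return iface == in_iface


def verdicts(routes, src, in_iface, rp_filter, epochs):
    """Same packet evaluated across several hash epochs; a mix of True and
    False is the intermittent martian logging from the post."""
    return [reverse_path_ok(routes, src, in_iface, rp_filter, e) for e in epochs]


def pin_source(routes, src, iface):
    """Brian's workaround: a host route for the source pointing at the arrival
    interface, so strict mode has exactly one reverse path to compare."""
    host = ipaddress.ip_network(f"{src}/32")
    return routes + [(host, [(iface, None)])]
```

`verdicts(ROUTES, "198.18.0.7", "ppp0", 1, [0, 1, 2, 3])` alternates between drop and accept; the same call with mode 2, or against `pin_source(ROUTES, "198.18.0.7", "ppp0")`, accepts every time. `reverse_path_ok(ROUTES, "192.0.2.5", "eth1", 1)` is False while mode 2 returns True for the same spoofed-looking packet, which is the trade-off to weigh before switching the uplink interfaces to loose mode.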




[LARTC] FS: Cyclades PC300/TE2 Dual T1 Interface PCI Card For Linux PC!

2006-01-16 Thread Brian Hammerstein
Hi. I have a Cyclades PC300/TE2 card that turns a Linux PC into a Dual T1
interface router. It is well made and high performance. I used it for a few
years. It includes two T1 cables. Cyclades has gotten out of this business but
the Linux kernel developer community supports this card so no additional driver
is needed.

It cost me $700+. I would like to sell it for about $300.

Put this in a PC with Linux and you get a dual T1 router. Run BGP4 with freeware
like Zebra. Way way cool.

http://www.cyclades.com/products/6/pc300
http://www.cyclades.com/resources/?wp=6
http://www.kernel.org/pub/linux/utils/net/hdlc/#cards



Re: [LARTC] HTB - prio and rate

2005-12-04 Thread Brian J. Murrell
On Sat, 2005-12-03 at 07:04 +0100, Andreas Klauer wrote:
 On Friday 02 December 2005 23:24, Brian J. Murrell wrote:
  Yeah, that is what I want, but why do I need HTB?
 
 You need it only if you also want to limit bandwidth somehow.

But surely HTB is overkill for simply limiting bandwidth and keeping the
queue on Linux and not in the modem no?  In my followup message on this
subject, I used TBF instead.  I don't want to classify bandwidth usage,
just prevent the queuing on the modem.

 I haven't looked at the code, but I think it's just a plain fifo queue, 

Indeed, but if multiple users are trying to stuff packets in, it will be
more or less evenly distributed when they come out, no?  How can a
single user monopolize a FIFO given that there are other users making
equal demands of it?

 unless you attach SFQ or similar to replace it.

Which I did in my followup example BTW.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell




[LARTC] tbf and prio blocking some flows entirely

2005-12-04 Thread Brian J. Murrell
 43844240 8735300
11:26:47.857866 IP 66.9.8.7.55318 > 66.1.2.3.922: P 2261:2373(112) ack 1968 win
2548 nop,nop,timestamp 43844242 8735300
11:26:48.072776 IP 66.1.2.3.922 > 66.9.8.7.55318: P 1968:2016(48) ack 2373 win
9968 nop,nop,timestamp 8735316 43844242
11:26:48.321959 IP 66.1.2.3.922 > 66.9.8.7.55318: P 1968:2016(48) ack 2373 win
9968 nop,nop,timestamp 8735352 43844242
11:26:48.322384 IP 66.9.8.7.55318 > 66.1.2.3.922: . ack 2016 win 2548
nop,nop,timestamp 43844707 8735352,nop,nop,sack 1 {1968:2016}

So maybe for some reason that last ack is not being dequeued?  But
surely it should as classes 2:1 and 2:2 are virtually quiet and class
2:3 while having steady traffic, should at least treat it all fairly,
no?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell




Re: [LARTC] HTB - prio and rate

2005-12-04 Thread Brian J. Murrell
On Sun, 2005-12-04 at 10:14 -0500, Jeffrey B. Ferland wrote:


 To prioritize, you must classify. HTB allows prioritization and
 classification... and limitation as well.

Seems the combination of TBF and PRIO does too.

 Attaching something like this: Root -- TBF -- Prio would be nice,
 but I haven't succeeded in ever attaching anything to a TBF.. or any
 other classless qdisc.

Hrm.  I *think* that is what I have done with the help of
http://edseek.com/~jasonb/articles/traffic_shaping/scenarios.html#guarprio

qdisc tbf 1: rate 12bit burst 1199b lat 4294.9s
 Sent 26658509 bytes 511623 pkt (dropped 176, overlimits 8118 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc prio 2: parent 1:1 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 26658509 bytes 511623 pkt (dropped 0, overlimits 0 requeues 8118)
 rate 0bit 0pps backlog 0b 0p requeues 8118
qdisc sfq 10: parent 2:1 limit 128p quantum 1452b perturb 20sec
 Sent 3525247 bytes 56520 pkt (dropped 0, overlimits 0 requeues 88)
 rate 0bit 0pps backlog 0b 0p requeues 88
qdisc sfq 20: parent 2:2 limit 128p quantum 1452b perturb 20sec
 Sent 1939846 bytes 19450 pkt (dropped 0, overlimits 0 requeues 5457)
 rate 0bit 0pps backlog 0b 0p requeues 5457
qdisc sfq 30: parent 2:3 limit 128p quantum 1452b perturb 20sec
 Sent 21193416 bytes 435653 pkt (dropped 0, overlimits 0 requeues 2573)
 rate 0bit 0pps backlog 0b 0p requeues 2573

I'm using iptables/pp2p to classify bittorrent into 2:3 and it seems to
be working just fine (even classifying the outgoing ACKs from the
bittorrent download there) while I have classified ping into 2:1 and
it seems to be working there.
b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell




Re: [LARTC] tbf and prio blocking some flows entirely

2005-12-04 Thread Brian J. Murrell
On Sun, 2005-12-04 at 17:54 +0100, Andreas Klauer wrote:
 On Sunday 04 December 2005 17:36, Brian J. Murrell wrote:
  Even if they end up in 2:3, they should at least be treated fairly.
 
 2:3 will not be treated at all as long as 2:1 and 2:2 (which have higher 
 priority) are occupied.

Right.  I think I said in my last message that both 2:1 and 2:2 were
very quiet (which is what I would expect) and that there was a lot of
traffic going through 2:3.  My point there was that even if 2:3 was
processing a lot of packets, since it is an SFQ, everybody should
eventually get use of it.

  If the queues in 2:1 and 2:2 resp. never empty, 
 the packets in 2:3 will never be sent.

Understood.  But they were empty and lots of packets from 2:3 were being
sent.

 There is no fair treatment in PRIO. 

No, it's priority based.  Got that.  Exactly what I am looking for in
fact.

 That's the whole purpose of this scheduler, to give one band of packets 
 absolute priority over the other.

Yup.  My interactive/latency sensitive traffic should always get best
service.

 This is just out of personal interest, but could you try using instead of 
 your TBF qdisc, a very simple HTB Qdisc / class with the same bandwidth 
 limitation?

Hrm.  OK.  But I'm not sure how I would use HTB to replace a classless
TBF though.  for TBF I use:

tc qdisc add dev ppp0 root handle 1: tbf rate 120kbit burst 1200 limit 1

So to replace that with HTB I tried:

tc qdisc add dev ppp0 root handle 1: htb default 10
tc class add dev ppp0 parent 1 classid 1:1 htb rate 120kbit

But nothing seems to be getting put into any of the child classes which
are configured as:

tc qdisc add dev ppp0 parent 1:1 handle 2: prio bands 3
tc qdisc add dev ppp0 parent 2:1 handle 10: sfq perturb 20
tc qdisc add dev ppp0 parent 2:2 handle 20: sfq perturb 20
tc qdisc add dev ppp0 parent 2:3 handle 30: sfq perturb 20

I'm probably misunderstanding all of the class naming and handles and
such.

 If that solves the problem, then you're suffering from a 
 problem that I failed to solve when I last tried to use TBF; for some 
 reason it got stuck on me too.

Well, TBF does not seem to be getting stuck.  There is still lots of
traffic moving when these other flows seem to just stop, so TBF can't be
the problem can it?  It has to be PRIO, not dequeuing anything for these
particular stalled flows to TBF right?

 I don't understand what you mean by fair treatment, but do try putting all 
 ACKs into high priority band, then it will have to be dequeued.

I think I am doing that.  I thought that is what:

 859K   42M CLASSIFY  tcp  --  *  ppp0  0.0.0.0/0  0.0.0.0/0  tcp flags:0x16/0x10 length 0:128 CLASSIFY set 2:1

in the POSTROUTING chain should be doing.  It's the result of the
iptables rule:

iptables -t mangle -I POSTROUTING -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length :128 -j CLASSIFY --set-class 2:1

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell




Re: [LARTC] tbf and prio blocking some flows entirely

2005-12-04 Thread Brian J. Murrell
On Sun, 2005-12-04 at 19:46 +0100, Patrick McHardy wrote:
 
 Your burst is too small. It needs to be at least one MTU.

Bingo!  I guess it's obvious that I don't really understand how burst
works.  :-)  But setting it to 1600 seems to have solved the problem.

Thanx!

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
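Patrick's one-line diagnosis above ("burst too small, it needs to be at least one MTU") explains the stalled flows from the earlier message in this thread. The following is an added example, not code from the thread or from iproute2: a Python model of a token bucket with a FIFO in front of it, using constructed packet sizes and the 120kbit rate and 1200-byte burst from Brian's `tc qdisc add ... tbf` line. A full-size 1500-byte packet can never be dequeued when the bucket can hold only 1200 tokens, and because it sits at the head of the queue everything behind it is stuck too, which is why some flows stopped entirely while others kept moving.

```python
class TokenBucket:
    """Model of a tc TBF: tokens accrue at `rate_bit_s` bits/s up to `burst`
    bytes (the bucket size); a packet may be sent only when the bucket holds
    at least its full size in tokens."""

    def __init__(self, rate_bit_s, burst_bytes):
        self.rate = rate_bit_s / 8.0       # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last = 0.0

    def _refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_send(self, size, now):
        """True if a packet of `size` bytes can be sent at time `now`."""
        self._refill(now)
        if size > self.burst:
            return False      # bucket can never hold enough tokens: stuck for good
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def run_queue(rate_bit_s, burst_bytes, packet_sizes, step=0.001, max_time=2.0):
    """Push a FIFO of packet sizes through the bucket, polling every `step`
    seconds until everything is sent or `max_time` elapses. Returns
    (sent, still_queued). A packet larger than the burst blocks the head of
    the queue, so everything behind it waits forever: the 'flows blocked
    entirely' symptom is a burst problem, not a rate problem."""
    bucket = TokenBucket(rate_bit_s, burst_bytes)
    queue = list(packet_sizes)
    sent = []
    now = 0.0
    while queue and now <= max_time:
        if bucket.try_send(queue[0], now):
            sent.append(queue.pop(0))
        else:
            now += step
    return sent, queue


# Constructed traffic: a small ACK, a full 1500-byte MTU frame, another ACK.
PACKETS = [100, 1500, 100]
```

`run_queue(120_000, 1200, PACKETS)` sends only the first ACK and leaves `[1500, 100]` queued; `run_queue(120_000, 1600, PACKETS)` drains everything, with the third packet waiting a few milliseconds for tokens to accrue at 15000 bytes/s.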




Re: [LARTC] HTB - prio and rate

2005-12-03 Thread Brian J. Murrell
I really don't seem to be getting this.  ~sigh~

As I wrote before I'm not interested in dividing bandwidth up, just
prioritizing the use of the full bandwidth by all-comers.

So I figure I want a TBF in my root class to prevent the queue in my DSL
modem from filling up.  I have about 128kb/s upstream so I added:

# tc qdisc add dev ppp0 root handle 1: tbf rate 120kbit latency 50ms burst 1540

(not sure what values I want for latency and burst)

Then I figure I want a PRIO classifier with 3 bands.  I want anything
not otherwise matching a filter to go in band 2, known bulk to go in
band 3 and priority, latency sensitive interactive stuff (i.e. ssh,
not scp) to go in band 1:

# tc qdisc add dev ppp0 parent 1: handle 10: prio

And then only because some examples showed using it, I put an SFQ in
each band.  Do I really need this?  Should I not do this step?

# tc qdisc add dev ppp0 parent 10:1 handle 100: sfq
# tc qdisc add dev ppp0 parent 10:2 handle 200: sfq
# tc qdisc add dev ppp0 parent 10:3 handle 300: sfq

Now I want to use iptables to put stuff into the different bands.
Again, by example I have been trying to do some iptables rules with -j
CLASSIFY --set-class (this one to get ping to be processed in the
highest priority band to test the effectiveness of interactive
traffic):

# iptables -t mangle -I POSTROUTING -p icmp --icmp-type echo-request -j CLASSIFY --set-class 10:100

I'm not sure what the class numbers I should be using.  Would they be
10:100, 10:200 and 10:300 for the 3 bands?  or 10:1, 10:2 and 10:3?

Thanx,
b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell




Re: [LARTC] HTB - prio and rate

2005-12-02 Thread Brian J. Murrell
On Fri, 2005-12-02 at 21:25 +0100, Andreas Klauer wrote:
 Actually, a class is always able to use its rate at any time. The prio has 
 only an effect when the class is trying to borrow bandwidth from others - 
 then the high prio classes are allowed to take what they need first.

I have wondered about something like this too.  I want to simply
prioritize my upstream bandwidth use, not limit its use by anything.
Just say (for example) that if an SSH packet is somewhere in the
outbound direction when it hits the queue it gets put to the front of
the queue to minimize the latency of SSH whereas something like
bittorrent waits for SSH but otherwise gets full use of the upstream
bandwidth.  In fact if I were to saturate the upstream with SSH,
something like bittorrent should effectively get no bandwidth at all.

I think this is what Mark wants too, if I'm understanding him correctly.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell




Re: [LARTC] HTB - prio and rate

2005-12-02 Thread Brian J. Murrell
On Fri, 2005-12-02 at 21:48 +0100, Andreas Klauer wrote:
 
 That's exactly what the PRIO qdisc does. In combination with HTB and SFQ, 
 it can be quite powerful, as low priority connections will completely 
 starve as long as there are higher priority packets to be sent.

Yeah, that is what I want, but why do I need HTB?  I notice also that
the LARTC Howto says:

Because it doesn't actually shape, the same warning as for SFQ
holds: either use it only if your physical link is really full
or wrap it inside a classful qdisc that does shape. The latter
holds for almost all cable modems and DSL devices.

I guess I am missing the reasoning for partitioning up the bandwidth
with HTB rather than just letting everyone/everything have an
opportunity to use the full bandwidth as long as something/somebody more
important is not using it.

 However, PRIO does no bandwidth limiting at all (has to be done by HTB or 
 similar), and does not provide connection-based fairness

Surely it will be connection based fairness within the priority class.
IOW, two ssh sessions could starve bittorrent but would each get about
50% of the available bandwidth.  I am fine with that.  I am also fine
with assigning priorities to users and their traffic within their user
priorities.

 (has to be done 
 by SFQ or similar), if you want to avoid one SSH session taking all the 
 bandwidth from the other.

Oh?  So one ssh could starve another?  Why?  Are the outbound SSH
packets not just put to the front of the queue in FIFO order?  I.e.
appended to the end of the top of the queue (the top band I guess it
is)?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
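Brian's last question above (can one ssh session starve another if PRIO just appends packets to the top band in FIFO order?) and Andreas's answer (yes, unless SFQ replaces the band's FIFO) can be shown with a dequeue model. The following is an added example, not code from the thread or from the kernel's schedulers: flow names, packet counts and the arrival order are constructed, and the SFQ model keys on a flow id directly instead of hashing addresses and ports into a fixed number of buckets, so hash collisions and perturbation are not modelled.

```python
from collections import deque


def dequeue_fifo(arrivals, n):
    """pfifo band: serve packets strictly in arrival order.
    `arrivals` is a list of (flow_id, packet_id) in enqueue order."""
    q = deque(arrivals)
    return [q.popleft() for _ in range(min(n, len(q)))]


def dequeue_sfq(arrivals, n):
    """SFQ-style band: one sub-queue per flow, served round-robin, one packet
    per turn, so no single flow can hold the band."""
    queues = {}
    order = []
    for flow, pkt in arrivals:
        if flow not in queues:
            queues[flow] = deque()
            order.append(flow)
        queues[flow].append((flow, pkt))
    out = []
    rr = deque(order)
    while rr and len(out) < n:
        flow = rr.popleft()
        out.append(queues[flow].popleft())
        if queues[flow]:
            rr.append(flow)
    return out


def dequeue_prio(bands, n, within_band):
    """PRIO qdisc over several bands: always take from the lowest-numbered
    non-empty band, so a busy band 1 starves band 2 completely. `within_band`
    is dequeue_fifo or dequeue_sfq; with no new arrivals during the dequeue,
    the output is just each band's own sequence, lowest band first."""
    out = []
    for band in bands:
        out += within_band(band, n - len(out))
        if len(out) >= n:
            break
    return out


def first_service_position(sequence, flow):
    """1-based position at which `flow` first gets a packet sent (None if never)."""
    for i, (f, _) in enumerate(sequence, 1):
        if f == flow:
            return i
    return None


# Constructed scenario: an scp-like ssh transfer 'bulk' already has 8 packets
# in the interactive band when the interactive session 'typing' enqueues one.
ARRIVALS = [("bulk", i) for i in range(8)] + [("typing", 0)]
```

With a FIFO band the keystroke is the 9th packet out; with the SFQ model it is the 2nd. `dequeue_prio([[("ssh", 0)], ARRIVALS], 3, dequeue_sfq)` shows the other half of the thread: band 1 is drained before band 2 sees a single dequeue, and fairness only applies among flows inside one band.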




Re: [LARTC] Starting from scratch w/ multiple uplinks

2005-05-09 Thread Brian J. Murrell
On Mon, 2005-05-09 at 16:05 +0200, Rafael A Barrero wrote:
 Hi guys;
 
 I'm sure you are all bored of hearing the same story over and over...  
 but here it comes again. :) Yep, tomorrow I'm getting another ADSL  
 line installed and I wanted my linux router to handle both providers  
 (new and old). I have my linux router (fedora core 2) setup to do NAT  
 for my current line, but I know I'll need to change my configuration  
 to accommodate the second line.

I inquired about this a while ago and the final word seemed to be that
in order for you to use two uplinks, both NATting the internal
outbound-originated traffic (i.e. clients behind the gateway going to
Internet based services) and both accepting inbound-originated traffic
(i.e. running services behind the NAT for Internet users to use), one
needs to patch the kernel.

I could not seem to get the traffic leaving the gateway to go via the
uplink that was relevant for its NATted source.  All traffic wanted to
leave by only one interface even though it was NATted for the other.  Of
course the upstream dropped the packets because the source address
violated their egress filters.

b.





Re: [LARTC] Starting from scratch w/ multiple uplinks

2005-05-09 Thread Brian J. Murrell
On Mon, 2005-05-09 at 20:11 +0200, Markus Schulz wrote:
 Am Montag, 9. Mai 2005 16:05 schrieb Rafael A Barrero:
  Hi guys;
 
 [...]
  Here's what I want to know:
  1. Does an updated guide exist for multiple providers?
 
 Look at this howto: http://www.ssi.bg/~ja/nano.txt

Indeed, and herein are the patches needed for a kernel to route packets
with a given NATted source address out the right interface.  Not sure
which patch(es) exactly in there do it if not all of them are really
needed for just that functionality.

I sure wish this patch would get rolled into the main kernel.  I hate
having to maintain umpteen kernels for different tasks.

b.





Re: [LARTC] Too stupid to figure out shaping

2005-04-27 Thread Brian Carrig
John,

Personally I think you're doing too much. All the ISPs here offer a specified
amount of bandwidth to different classes of customer. However, they also list a
contention ratio. Thus they might say customer class A gets 512Kbit/s with a
contention rate of 8:1 and customer class B gets 256Kbit/s with a contention
ratio of 12:1.

This is very simple to set up. Assume we have eight class A customers and twelve
class B customers. Similar to what you did before, set up two HTB classes off
the root and use iptables to mark customer packets according to their assigned
IP address. Make sure that the HTB classes are using SFQ. Now all eight class A
customers will share the 512Kbit/s class, with traffic distributed evenly among
all active flows.

If this type of solution is not satisfactory for your customers then you will
need to set up a separate class for each individual customer and mark their
packets appropriately. This may be more hassle than it's worth, depending on the
number of customers you have.

Regards
Brian Carrig

On 27 Apr 2005 at 10:35, John Gorkos wrote:

 First I'll confess my sins, then I'll beg for help.
 
 I own a small wireless ISP, and I sell service at three levels,
 256kb/s, 384kb/s, and 512kb/s.  For about 18 months, I thought I had
 this bandwidth limiting figured out.  I had three HTB classes off the
 root, one each with the limits above.  Since each customer has a
 single IP address, I used iptables to mark packets destined for each
 subscriber with level 1,2 or 3.  It looked like it worked great: 
 Customer A got 256, B got 384, and C got his 512.  In hindsight, it
 was wishful thinking, since ALL 256kb/s customers got dumped into the
 same 256 class and had to duke it out for that 256kb/s, instead of
 each customer getting their own 256kb/s slice.  Eventually, as I added
 more customers, people started complaining that they weren't getting
 what they're paying for (rightly).
 
 So, now I'm running my ISP with no bandwidth shaping and I'm
 struggling to get my brain wrapped around how make sure everyone gets
 what they pay for, but not more.
 
 From the reading I've done, it looks like I need a separate class for
 each subscriber.  Inside that class, I'd like to have a standard set
 of queues to prioritize each customer's slice of bandwidth by port
 (typical three band stuff:  interactive, web,bulk).
   So assuming I've got three customers:
 10.0.0.10 gets 256kb/s
 10.0.0.11 gets 386 kb/s
 10.0.0.12 gets 256kb/s
 I think I'd have a tree like this:
 
          CLASS 10 (256kb/s) (inner classes prioritize)
 ROOT ----CLASS 11 (384kb/s)
          CLASS 12 (256kb/s)
 plus three filters to direct iptables-marked traffic to the
 appropriate queue and three iptables entries to mark the traffic
 appropriately.
 
 The problem is, I'm simply not smart enough to actually IMPLEMENT
 this.  I tried setting up the HTB classes, and when I added the 5th
 one (class 15 in the little diagram above), my interactivity to the
 router went to near 1000ms RTT (I was ssh'ed into it).  I started
 getting calls from my customers immediately saying something was
 'wrong with the internet'.  I'm not sure what happened, since I hadn't
 installed any filters or anything.
 
 Anyway, I'd dearly appreciate some help on this.  Surely this is a nut
 that someone has already cracked, but for the life of me all I can
 find on the internet are how-to shape your own outbound traffic to
 your ISP so your P2P traffic (the BANE of ISPs) doesn't interfere with
 your Doom3 deathmatch.
 
 Thanks in advance,
 John Gorkos


-- 
Brian Carrig
Research Assistant
Department of Computing & Networking
Institute of Technology, Carlow
Tel. No.: +353 59 9176314
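Brian's second option above (a separate HTB class per subscriber, marked by IP, with SFQ in each class) is the layout John sketched and could not get working. The following is an added example, not code from the thread: a Python generator that emits the tc and iptables commands for that layout from a subscriber list and returns them as strings, so the plan can be read and diffed before anything runs as root. The device name `eth0`, the mark numbers, the class minor ids and the 64kbit default class are assumptions; the three subscribers and their rates are the ones from John's post. One thing to know when reading the output is that tc parses class and qdisc minor ids as hex while iptables marks and the `fw` filter handle are decimal, which is why the two are kept in separate number ranges.

```python
from ipaddress import ip_address

# Constructed subscriber plan from John's post: (IP address, paid rate kbit/s).
CUSTOMERS = [("10.0.0.10", 256), ("10.0.0.11", 384), ("10.0.0.12", 256)]


def customer_shaping(dev, customers, link_kbit, unmarked_kbit=64):
    """Build the tc/iptables commands for one HTB class per subscriber, each
    capped at its own rate (ceil == rate: no borrowing, nobody gets more than
    they pay for), with an SFQ leaf so a subscriber's own flows share their
    slice fairly, and a fwmark filter steering marked packets into the class.
    Traffic for no subscriber lands in a small default class. Commands are
    returned as strings for review; nothing is executed here."""
    cmds = [
        f"tc qdisc del dev {dev} root 2>/dev/null || true",
        f"tc qdisc add dev {dev} root handle 1: htb default 2",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {link_kbit}kbit",
        f"tc class add dev {dev} parent 1:1 classid 1:2 htb rate {unmarked_kbit}kbit ceil {link_kbit}kbit",
        f"tc qdisc add dev {dev} parent 1:2 handle 2: sfq perturb 10",
    ]
    for i, (ip, kbit) in enumerate(customers):
        addr = str(ip_address(ip))   # reject junk before it gets near a shell
        minor = 0x10 + i             # hex minor id, kept clear of 1:1 and 1:2
        mark = 100 + i               # decimal fwmark, one per subscriber
        cmds += [
            f"tc class add dev {dev} parent 1:1 classid 1:{minor:x} htb rate {kbit}kbit ceil {kbit}kbit",
            f"tc qdisc add dev {dev} parent 1:{minor:x} handle {minor:x}: sfq perturb 10",
            f"tc filter add dev {dev} parent 1: protocol ip handle {mark} fw flowid 1:{minor:x}",
            f"iptables -t mangle -A POSTROUTING -o {dev} -d {addr} -j MARK --set-mark {mark}",
        ]
    return cmds


def oversubscription(customers, link_kbit):
    """Ratio of sold rate to link rate; above 1 HTB cannot honour every rate
    at once, which is the contention ratio Brian's ISPs publish up front."""
    return sum(kbit for _, kbit in customers) / link_kbit


if __name__ == "__main__":
    for line in customer_shaping("eth0", CUSTOMERS, 2048):
        print(line)
    print("oversubscription:", oversubscription(CUSTOMERS, 2048))
```

Running the module prints 17 commands for the three subscribers on a 2048kbit link; the second subscriber's class line ends in `rate 384kbit ceil 384kbit`, and a malformed address raises `ValueError` before any command is produced.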


Re: [LARTC] limiting bandwidth on iface

2005-03-23 Thread Brian Carrig



Marcus,

I'm a little confused. Downstream is 1mbit and upstream is 128kbit but the root
limit in your code is 1mbit. Surely this could be the cause of your problem?

Regards
Brian


On 23 Mar 2005 at 14:33, Marcus Fritzsch wrote:

 # shaping class of root -- not more than 1mbit bandwidth
 $tc class add dev $tun parent 1: classid 1:1 htb rate 1mbit \
     burst 0 cburst 128





Re: [LARTC] Packet Counting...

2005-03-21 Thread Brian Carrig
You could use a custom ip chain. Add a rule to forward matching packets (such as
all packets with a source port of 5001) to this chain. Then just simply add a
return line in the chain itself. Chains automatically track bytes/packets so you
could easily keep tabs that way.

On 16 Mar 2005 at 9:46, M. A. Imam wrote:

 Hi,
 
 How can i count the number of packets on an interface evry 2 or 5
 seconds. and i want to count only specific packets like only arriving
 packets from port 5001
 
 Any thoughts...
 
 Muhammad
 


-- 
Brian Carrig
Research Assistant
Department of Computing & Networking
Institute of Technology, Carlow
Mobile: +353 86 3867467
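Brian's counting chain above leaves one step to the reader: turning the chain's cumulative packet/byte counters into a rate every few seconds, which is what Muhammad asked for. The following is an added example, not code from the thread: the three rules that build the chain, a parser for `iptables -nvxL <chain>` output (`-x` prints exact counters instead of K/M-suffixed ones), and a rate calculation between two snapshots. The two snapshots are constructed sample output, the chain name `COUNTPORT` is an assumption, and the parser reads text from a string so it runs without iptables present; in practice the text would come from `subprocess.run(["iptables", "-nvxL", chain], capture_output=True, text=True).stdout`.

```python
import re

# Constructed `iptables -nvxL COUNTPORT` output, two snapshots 5 seconds apart.
SNAPSHOT_T0 = """\
Chain COUNTPORT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     156000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5001
"""
SNAPSHOT_T5 = """\
Chain COUNTPORT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     470     611000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5001
"""

# A rule line starts with the packet and byte counters, then target and proto.
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")


def setup_commands(chain, port):
    """The rules Brian describes: a dedicated chain whose only rule RETURNs,
    fed by a jump from INPUT for packets with the given TCP source port.
    Every packet entering the chain is counted on the RETURN rule."""
    return [
        f"iptables -N {chain}",
        f"iptables -A {chain} -j RETURN",
        f"iptables -I INPUT -p tcp --sport {port} -j {chain}",
    ]


def chain_counters(output, chain):
    """Parse `iptables -nvxL` text and return (pkts, bytes) summed over the
    rules of `chain`. Raises ValueError if the chain is not in the output."""
    in_chain = found = False
    pkts = byts = 0
    for line in output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            found = found or in_chain
            continue
        if not in_chain or line.lstrip().startswith("pkts"):
            continue                       # other chain, or the column header
        m = _RULE_RE.match(line)
        if m:
            pkts += int(m.group(1))
            byts += int(m.group(2))
    if not found:
        raise ValueError(f"chain {chain} not in output")
    return pkts, byts


def rate(before, after, interval_s):
    """Packets/s and bytes/s between two (pkts, bytes) snapshots. A counter
    that went down means it was zeroed (`iptables -Z`) in between, in which
    case the new value is taken as the delta."""
    dp = after[0] - before[0]
    db = after[1] - before[1]
    if dp < 0 or db < 0:
        dp, db = after
    return dp / interval_s, db / interval_s
```

With the two constructed snapshots, `chain_counters` yields (120, 156000) and (470, 611000), and `rate` over 5 seconds gives 70 packets/s and 91000 bytes/s; a loop that sleeps the chosen interval between snapshots is all that is needed to report continuously.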



Re: [LARTC] ESFQ?

2005-01-11 Thread Brian Carrig
Cheers Andy, great work.

Brian

On 11 Jan 2005 at 15:28, Andy Furniss wrote:

 Justin Schoeman wrote:
  Woohoo - that would be great!
  
  -justin
  
  Andy Furniss wrote:
  
  Justin Schoeman wrote:
 
  Ouch... Is there any other way to do host-based fair sharing
  (well, other than actually classifying each host :-( )?
 
 
 
  I don't think it will take much to get it to work - though I
  haven't tried :-) .
 
  I'll have a look at doing a 2.6.10 in the next few days.
 
 Well I gave it a go (first patches I've made) and they work for me
 though Thomas or Stephen may notice something :-) .
 
 Hopefully they won't be needed in the future if Thomas gets esfq in
 mainline.
 
 They are based on Alexander Clouter's patches at www.digriz.org.uk. I
 only used the first iproute one.
 
 I was hampered a bit because kernel.org have turned off the diff
 viewer.
 
 The remove db iproute patch is from LFS, you may not need it if you
 have Berkley DB installed ( search for db_185.h ).
 
 If you don't have it *and* you don't use arpd then use the patch, it
 just removes arpd from the build.
 
 Andy.
 
 
 


-- 
Brian Carrig
Research Assistant
Department of Computing & Networking
Institute of Technology, Carlow
Tel. No.: +353 59 9176314


Re: [LARTC] iptables tc - 3 marks

2004-12-19 Thread Brian J. Murrell
On Tue, 2004-11-30 at 00:12 -0200, [EMAIL PROTECTED] wrote:
 Hi
 
 Help me please!!!
 
 I am using Linux Redhat as the router of my network.   I am doing NAT and 
 firewalling.
 
 In my iptables script, I need to make 3 MARKs for the same packet, as follows:
 
 # It marks the packets that will go for link ADSL (I have 2 links - adsl 2Mb
 #   and 'dedicate link' 256Mb)
 # I am using 'ip rule / ip route' to make this
 iptables -t mangle -A PREROUTING -p tcp --dport 21 -j MARK --set-mark 2000
 iptables -t mangle -A PREROUTING -p tcp --dport 20 -j MARK --set-mark 2000
 
 # It marks the packets that will be shaped (upload with cbq)
 iptables -t mangle -A PREROUTING -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark 501
 
 iptables -t mangle -A PREROUTING -m mac --mac-source aa:bb:cc:dd:ee:ff -j MARK --set-mark 631
 ###.  I have 130 hosts in my network
 
 
 # It marks the packets that have priority (with 'tc prio' command)
 iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 100
 iptables -t mangle -A PREROUTING -p tcp --dport 23 -j MARK --set-mark 100
 iptables -t mangle -A PREROUTING -p udp --dport 27000:27015 -j MARK --set-mark 110
 
 
 
 But only the last mark functions

I have just this hour started looking at marking packets, so my
information could be wrong, but I believe that --set-mark n where n is
an integer from 1-255.  You cannot use values greater than 255.

b.





Re: [LARTC] simple dual Internet connection setup not sending return packetson correct interface

2004-11-26 Thread Brian J. Murrell
On Thu, 2004-11-25 at 21:40 -0800, gypsy wrote:
 
 Guessing from the lack of any mention of KeepState

KeepState?  If you are referring to:

52459 2774K ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED

rules, I have those sprinkled throughout my ruleset where necessary.
The iptables snippet I included in my previous message was just that.
Just the relevant portion that does the NATting.

 in your iptables
 setup,

Like I said, the RELATED,ESTABLISHED state rules are in there.  My full
set of iptables rules is 400.  I did not see a need to post that
fully here.

  my guess is that you ignored the advice to visit Julian
 Anastasov's web site.

No I didn't ignore it.  But what that site is promoting is some kind of
floppy disk based router distribution or something.

 
 Start with this:
 http://www.geocities.com/mctiew/ffw/dual.htm

I am not looking to replace/rebuild my whole firewall.  I simply want to
add a second link to my existing one and have the packets use the
correct interface -- to travel back out the interface from which they
came.

I don't want to do load balancing or failover or anything fancy.  I want
two interfaces where I use one for all outgoing traffic and the only
time the alternate is used is to send response packets to connections
that come _in_ that interface or for routes that are specifically
directed through that interface via a routing table entry.

 You should also google "LARTC Finally: A working case of two adsl load
 balance".  Read Ron Senykoff's post "load balance a file download across
 two connections - success!".

Interesting.  Followed a few links too.  Looks like a lot of bells and
whistles I am not really looking for (load balancing and failover, etc.)
but there is some hint of indication that there is a patch needed to
make sure NAT uses the right physical interface.  Maybe I will go bug
the netfilter guys to see if this is the case.

Thanx,
b.



signature.asc
Description: This is a digitally signed message part


Re: [LARTC] simple dual Internet connection setup not sending return packets on correct interface

2004-11-26 Thread Brian J. Murrell
To followup on my own posting, with more information...

On Thu, 2004-11-25 at 10:59 -0500, Brian J. Murrell wrote:
 I have a very simple setup exactly as described in the HOWTO section 
 4.2. Routing for multiple uplinks/providers.
 
 One is cable (eth1: dhcp) and the other is PPPoE (ppp0).

These are both on the same physical interface, eth1.  IOW, the PPPoE
packets are sent to the PPPoE modem on eth1.  eth1 is also plugged
into the cable provider's modem as such:

                        +-- Cable Modem
 +--------+             |
 |        |          +--+--+
 |   GW   | eth1 ----| HUB |
 |        |          +--+--+
 +--------+             |
                        +-- PPPoE Modem

This set up works, physically.  I can tcpdump on eth1 and see both
regular ethernet traffic going to and from my cable provider, as well as
PPPoE encapsulated traffic coming in through my PPPoE connection:

09:29:58.109041 00:08:e2:33:f8:54 > 00:a0:24:2a:1f:72, ethertype IPv4 (0x0800), length 130: IP 66.96.26.190.922 > 24.235.240.15.52814: P 49:113(64) ack 48 win 28800 <nop,nop,timestamp 59750486 1599607031>
09:29:58.109344 00:a0:24:2a:1f:72 > 00:08:e2:33:f8:54, ethertype IPv4 (0x0800), length 66: IP 24.235.240.15.52814 > 66.96.26.190.922: . ack 113 win 32740 <nop,nop,timestamp 1599607172 59750486>
09:29:58.117164 00:90:1a:40:43:d7 > 00:a0:24:2a:1f:72, ethertype PPPoE S (0x8864), length 82: PPPoE  [ses 0x1473] PPP-IP (0x0021), length 62: IP 66.96.26.190.52797 > 66.11.173.224.25: S 3517919246:3517919246(0) win 5840 <mss 1400,sackOK,timestamp 59750486 0,nop,wscale 0>
09:29:58.118789 00:a0:24:2a:1f:72 > 00:08:e2:33:f8:54, ethertype IPv4 (0x0800), length 74: IP 66.11.173.224.25 > 66.96.26.190.52797: S 3862223559:3862223559(0) ack 3517919247 win 5792 <mss 1460,sackOK,timestamp 2207063156 59750486,nop,wscale 0>

As you can see, packets 1 and 2 are an established TCP session over the
cable connection and packet 3 is an incoming PPPoE encapsulated packet
coming in on the PPPoE connection and interestingly enough, packet 4 is
an erroneously transmitted packet demonstrating exactly my problem.  It
is the response to packet 3.  As you can see it has all of the correct
IP and TCP headers, it is just sent physically via eth1 and not ppp0.  

Heh.  Indeed if my cable provider were not filtering packets from me
that don't have my assigned source address, this would all work.

Just a reminder of my iptables SNAT rules for context of my point
below...

 My iptables nat setup looks like this:
 
 Chain POSTROUTING (policy ACCEPT 364 packets, 26735 bytes)
  pkts bytes target     prot opt in     out    source           destination
   258 19801 eth1_masq  all  --  *      eth1   0.0.0.0/0        0.0.0.0/0
     0     0 ppp0_masq  all  --  *      ppp0   0.0.0.0/0        0.0.0.0/0
 
 Chain eth1_masq (1 references)
  pkts bytes target     prot opt in     out    source           destination
   252 19021 SNAT       all  --  *      *      10.75.22.0/24    0.0.0.0/0        to:24.235.240.15
     0     0 SNAT       all  --  *      *      192.168.66.0/24  0.0.0.0/0        to:24.235.240.15
 
 Chain ppp0_masq (1 references)
  pkts bytes target     prot opt in     out    source           destination
     0     0 SNAT       all  --  *      *      10.75.22.0/24    0.0.0.0/0        to:66.11.173.224
     0     0 SNAT       all  --  *      *      192.168.66.0/24  0.0.0.0/0        to:66.11.173.224

 Is this a problem in that iproute2 selects the default route before
 SNATting is done to change the source address of the packet, which does
 not happen of course until POSTROUTING?

The answer to this is of course no.  Because the source address of the
erroneously-sent-via-eth1 packet (#4 in the above trace) has been
correctly re-written (NATted) to 66.11.173.224, then according to the
SNAT rules above, the packet is being sent through the correct interface
(ppp0).

What still remains inconsistent however is that according to the rules
above and currently on my gateway, the ppp0_masq rules show 0 hits.
How can the source address be correctly re-written to 66.11.173.224 and
the rule that does the re-writing show 0 hits?

There is definitely something fishy going on here.

b.





Re: [LARTC] simple dual Internet connection setup not sending return packets on correct interface

2004-11-26 Thread Brian J. Murrell
On Fri, 2004-11-26 at 09:39 -0500, Brian J. Murrell wrote:
 To followup on my own posting, with more information...

And yet more...

 On Thu, 2004-11-25 at 10:59 -0500, Brian J. Murrell wrote:
  I have a very simple setup exactly as described in the HOWTO section 
  4.2. Routing for multiple uplinks/providers.
  
  One is cable (eth1: dhcp) and the other is PPPoE (ppp0).
 
 These are both on the same physical interface, eth1.  IOW, the PPPoE
 packets are sent to the PPPoE modem on eth1.  eth1 is also plugged
 into the cable provider's modem as such:
 
                         +-- Cable Modem
  +--------+             |
  |        |          +--+--+
  |   GW   | eth1 ----| HUB |
  |        |          +--+--+
  +--------+             |
                         +-- PPPoE Modem

Which is irrelevant.  I have just put a third NIC in the machine to put
the PPPoE and Cable connections on different NICs and still the same
problem.  Packets have PPPoE's source address, but are sent physically
on Cable connected NIC.

b.





Re: [LARTC] simple dual Internet connection setup not sending return packets on correct interface

2004-11-26 Thread Brian J. Murrell
On Fri, 2004-11-26 at 17:17 +0100, diab wrote:

 iirc, to have two working internet connections on one (nat'ing)
 computer you basically need two things (in my example its eth0 and
 eth1)
 
 1) SNAT to the right source address, like
 iptables -A POSTROUTING -j nat -t SNAT [-s from.where or -d to.where]\
  --to-source source.addr.of.eth0

Surely you mean -t nat -j SNAT?

 iptables -A POSTROUTING -j nat -t SNAT [-s from.where or -d to.where]\
  --to-source source.addr.of.eth1

Ditto on the transposition of -j and -t.

But these two iptables rules conflict with each other.  If -s
from.where is my internal lan and the same in both rules, they are
both trying to do the SNATting of the same packets.  In my two rules, I
added a -o iface (where iface is the interface matching the
source.addr.of.iface).

 
 2) two routing tables, like
  ip route add default via eth0.gateway.ip.address dev eth0 table 1

got it:
ip route add 0/0 via 66.11.190.1 dev ppp0 table 1

  ip route add default via eth1.gateway.ip.address dev eth1 table 2
got it:
ip route add 0/0 via 24.235.240.1 dev eth1 table 2


 maybe you dont even need the via xx thing, the dev xxx is enough.
 
 then you can classify packets to use the connection you want using
  ip rule add WHATEVER lookup N (whatever could be to x.x.x.x or from
  x.x.x.x, same as in the SNAT example, N could be 1 or 2)
 
 if you want the router to respond to packets correcty (ie. to answer
 ping on both interfaces) you need to
  ip rule add iif eth0 lookup 1
  ip rule add iif eth1 lookup 2

I have:
ip rule add from 66.11.173.224 lookup 1
ip rule add from 24.235.240.15 lookup 2

what is iif in your above examples?  I don't see an iif syntax when
I do ip rule help.  I get:

Usage: ip rule [ list | add | del ] SELECTOR ACTION
SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK ]
[ dev STRING ] [ pref NUMBER ]
ACTION := [ table TABLE_ID ] [ nat ADDRESS ]
  [ prohibit | reject | unreachable ]
  [ realms [SRCREALM/]DSTREALM ]
TABLE_ID := [ local | main | default | NUMBER ]

Thanx much for your input!

b.





Re: [LARTC] simple dual Internet connection setup not sending return packets on correct interface

2004-11-26 Thread Brian J. Murrell
On Fri, 2004-11-26 at 18:25 +0100, diab wrote:
 yes they are conflicting with each other.. i thought that you could
 select which connection the packets should be using either based on
 the address the packets are coming FROM (-s some.ip.on.the.lan) or
 going TO (-d wan.destination.address.).

No.  The problem is that outbound reply packets (i.e. a SYN-ACK packet)
to incoming packets (i.e. SYN) are being NATted correctly (i.e. they
have the correct source address) they are just not being put on the
right interface.  They are being put on the interface of the default
route in the main routing table.

 iif is the interface packets are coming in (there is also oif).. if
 it's not a static ip address it might be convenient not having to use
 the IP of the connection but the interface. (same goes for the via
 XX when you are doing ip route add default dev XY table N)
 
 if you do man ip it reads (ip rule add/ip rule del):

~sigh~  My man page for ip says only:

NAME
   ip - TCP/IP interface configuration and routing utility

SYNTAX
   ip

DESCRIPTION
   This utility allows you to configure your network interfaces in various
   ways.

OPTIONS
   For the complete command reference please look at the  following  docu-
   ment:
   /usr/share/doc/iproute-2.4.7/ip-cref.ps

SEE ALSO
   ifconfig(8), route(8), netstat(8), arp(8), rarp(8), ipchains(8)

AUTHORS
   Alexey Kuznetsov [EMAIL PROTECTED]

and no /usr/share/doc/iproute-2.4.7/ip-cref.ps exists.

 iif NAME
   select the incoming device to match.  If the interface is
   loopback, the rule only matches packets originating from
   this host.  This means that you may create separate routing tables for
   forwarded and local packets and, hence, completely segregate them.

OK.  But I don't know the device to use.  That is the *whole point* of
the ip rule add (from iface address lookup table) isn't it?  To
select the routing table (and therefore the outbound device) to send the
return packets on.

Maybe I am completely missing something in your explanation.

b.





[LARTC] simple dual Internet connection setup not sending return packets on correct interface

2004-11-25 Thread Brian J. Murrell
I have a very simple setup exactly as described in the HOWTO section 
4.2. Routing for multiple uplinks/providers.

One is cable (eth1: dhcp) and the other is PPPoE (ppp0).

I used the following commands to configure the routing once all of my
interfaces are up and i have configured SNATing for them:

ip route add 66.11.173.0/24 dev ppp0 src 66.11.173.224 table 11
ip route add default via 66.11.190.1 table 11
ip route add 24.235.240.0/22 dev eth1 src 24.235.240.15 table 12
ip route add default via 24.235.240.1 table 12
ip route add 66.11.173.0/24 dev ppp0 src 66.11.173.224
ip route add 24.235.240.0/22 dev eth1 src 24.235.240.15
ip rule add from 66.11.173.224 table 11
ip rule add from 24.235.240.15 table 12

My iptables nat setup looks like this:

Chain POSTROUTING (policy ACCEPT 364 packets, 26735 bytes)
 pkts bytes target     prot opt in     out    source           destination
  258 19801 eth1_masq  all  --  *      eth1   0.0.0.0/0        0.0.0.0/0
    0     0 ppp0_masq  all  --  *      ppp0   0.0.0.0/0        0.0.0.0/0

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out    source           destination
  252 19021 SNAT       all  --  *      *      10.75.22.0/24    0.0.0.0/0        to:24.235.240.15
    0     0 SNAT       all  --  *      *      192.168.66.0/24  0.0.0.0/0        to:24.235.240.15

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out    source           destination
    0     0 SNAT       all  --  *      *      10.75.22.0/24    0.0.0.0/0        to:66.11.173.224
    0     0 SNAT       all  --  *      *      192.168.66.0/24  0.0.0.0/0        to:66.11.173.224

When an IP packet enters my machine via interface ppp0 everything is
fine.  However when a responding packet (i.e. a SYN-ACK in response to a
SYN) is sent from my machine, it is sent with the correct source address
(66.11.173.224) but on the eth1 interface.  It is worth noting at this
point that eth1 is the default gateway interface.

Is this a problem in that iproute2 selects the default route before
SNATting is done to change the source address of the packet, which does
not happen of course until POSTROUTING?  Surely I am not the first
person who has this need.  How does one solve it?

Current routing tables:

# ip route list
66.11.190.1 dev ppp0  proto kernel  scope link  src 66.11.173.224
66.11.173.0/24 dev ppp0  scope link  src 66.11.173.224
10.75.22.0/24 dev eth0  proto kernel  scope link  src 10.75.22.254
24.235.240.0/22 dev eth1  proto kernel  scope link  src 24.235.240.15
default via 24.235.240.1 dev eth1

# ip route list table 11
66.11.173.0/24 dev ppp0  scope link  src 66.11.173.224
default via 66.11.190.1 dev ppp0

# ip route list table 12
24.235.240.0/22 dev eth1  scope link  src 24.235.240.15
default via 24.235.240.1 dev eth1

and current ip rules:
# ip rule list
0:  from all lookup local
32764:  from 24.235.240.15 lookup 12
32765:  from 66.11.173.224 lookup 11
32766:  from all lookup main
32767:  from all lookup default

Any ideas what I am doing wrong?

b.





Re: [LARTC] University Project: QoS with Ai

2004-08-25 Thread Brian Carrig
GoMi,

For an ongoing project on QoS we looked at something similar but were wary of
complex decisions being made at high speeds, particularly as most users questioned
would prefer to have a guaranteed equal share of the bandwidth. Currently we are
working on a GUI that allows users to mark their traffic as belonging to Gold/Silver
or Bronze classes of service. They are then charged appropriately per volume. The
results obtained by this approach thus far are quite satisfactory.

Regards
Brian

On 24 Aug 2004 at 18:47, GoMi wrote:

 Hi there guys, i am on my last year of career, and as my final Project i am
 interested in doing something about QoS.
 
 The thing is, I have a couple of QoS solutions working, and since the
 beginning I though it was great but it lacked some kind of dynamicity. 
 
 Let me explain myself.. I was thinking in creating a classful queue that
 based on some parameters (kind of users, bw, packets, etc...) could learn
 in some way the kind of traffic passing through the box, and change the
 parameters of the classes, classifying also not only the packets, but the
 users.
 
 For example there could be p2p users, HTTP users, etc.. and if the queue
 itself could create classes for those users, maybe increase productivity.
 
 
 What do you think? Am I talking bullocks or it makes some sense? All critics
 welcome :)
 
 


-- 
Brian Carrig
Department of Computing  Networking
Institute of Technology, Carlow
Tel. No.: +353 59 9176209
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] Problems routing mail to particular interface

2004-07-23 Thread Brian Carrig
You could try adding a rule to each table with a -j LOG target 
(logging to standard out). This would allow you to see how the 
packet is mangled/handled at each step and what tables it traverses 
... 

Thats what I usually do when I'm stuck.

Regards
Brian


On 22 Jul 2004 at 17:08, Jens wrote:

 On Thursday 22 July 2004 16:50, George Alexandru Dragoi wrote:
  Hehe, maybe it is this:
  iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 
 Well I wouldn't be surprised if it was something as stupid as that. I tried
 your suggestion but no luck :( . but it could easily be something along
 similar lines. I will have to think thru this a bit more.
 
 I will try and see if tcpdump can tell me what is happening but I sure wish
 there was something easier available where you can follow the packet and see
 exactly what is happening and where .
 
 Jens


-- 
Brian Carrig
Department of Computing  Networking
Institute of Technology, Carlow
Tel. No.: +353 59 9176209


[LARTC] Difficulties with filtering based on TOS byte

2004-06-24 Thread Brian Carrig
Hi all,

I want to setup link sharing with a filter that places traffic into different queues
based on values within the TOS byte. Strangely I can't get this to work. I use the
following command for the filter:

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:10

I then mark the packets on the user machine using the 'mangle' table in iptables. I 
have captured the packets on the wire, examined them and the tos field is set 
correctly. Yet it is ignored on my router and packets are sent to the default queue. 

As a test I changed the filter to place packets marked with a tos byte of 0x00 to
flowid 1:10 and despite the packets being marked as minimum delay (0x10) they were now
sent to the correct queue. No problems are presented when I place packets into
different queues based on a source address or a port number.

Has anyone else experienced problems like this or know what might be causing it?
It's very frustrating.

Thanks in advance.

Regards
-- 
Brian Carrig
Department of Computing  Networking
Institute of Technology, Carlow
Tel. No.: +353 59 9176209




[LARTC] Trouble with Multi Link Redundancy

2004-05-15 Thread Brian Thompson
I am running kernel 2.6.5, gentoo linux...julian's routes-2.6.4-10
installed

eth0 = local
eth1 = cable modem
eth2 = T1


I am having issues with the machine actually sending packets out over
each hop, it tends to default to eth2, almost never will it use eth1-

I can make a rule to send traffic through the eth1 from certain hosts,
and it will force the IP through that interface, but general traffic is
defaulted through eth2

Also I have implemented a redundancy script (which pings each interface,
as listed in the docs) and it will not flag the down interface as
dead...any ideas?

# ip route show
67.106.221.0/29 dev eth2  proto kernel  scope link  src 67.106.221.4
10.1.10.0/24 dev eth0  proto kernel  scope link  src 10.1.10.239
24.98.192.0/22 dev eth1  proto kernel  scope link  src 24.98.192.221
127.0.0.0/8 via 127.0.0.1 dev lo  scope link
default  proto static
    nexthop via 67.106.221.4  dev eth2 weight 1
    nexthop via 24.98.192.221  dev eth1 weight 5

# ip rule show
0:  from all lookup local
10: from all lookup main
100:from 10.1.10.0/16 lookup 100
32764:  from 24.98.192.221 lookup T2
32765:  from 67.106.221.4 lookup T1
32766:  from all lookup main
32767:  from all lookup default

#ip route get 66.218.71.114
66.218.71.114 dev eth2  src 67.106.221.4
cache  mtu 1500 advmss 1460

every IP I try to get goes through eth2... any ideas??





[LARTC] patching kernel and iptables for IMQ

2004-04-26 Thread Brian Nox
I have a linux box with kernel 2.4.22 and iptables 1.2.9
First, i patch linux kernel with Norbet Buckmuller's .diff
  #cd /usr/src/linux
  #patch -p1 < imq-combo-debian-2.4.22.diff
All correct
Second, i -try to- patch iptables (following www.linuximq.net/faq.html)
  #cd /usr/src/linux/net/ipv4/netfilter
I edit IMQ.pom-ng.patch and replace $KERNEL_DIR with /usr/src/linux
  #patch -p1 < IMQ.pom-ng.patch
  #cd /usr/src/linux/net/ipv4/netfilter/extensions
  #chmod +x .IMQ-test*
  #cd /usr/src/linux
  #make dep && make modules
  ...
  plonk! :-(
any idea?


[LARTC] NAT and policy routing?

2004-01-29 Thread Brian Capouch
I'm confused about what might be going on here, and hope someone will be 
able to suggest a way of the thicket for me.

I am using a rule to route a private network to the outside world:

# ip rule show
from 192.168.1.0/24 lookup bc-routes
On the router box I have this rule (public IP obfuscated):

SNAT all  --  192.168.1.0/24  0.0.0.0/0  to:111.11.11.

I can ssh out of any of the boxes on 192.168.1.0 just fine, and the 
other end sees me coming in from the public address above.  But the 
Vonage phones that are on that network somehow seem to be eluding the rule:

14:10:15.050505 192.168.1.11.5062 > 64.157.171.19.5061: udp 430 [tos 0x68]
14:10:15.284244 192.168.1.9.5063 > 12.144.47.27.5060: udp 412 [tos 0x68]
14:10:16.443637 192.168.1.6.5060 > 12.144.47.27.5060: udp 411 [tos 0x68]
I know the ssh sessions are TCP and the Vonage units are (obviously) 
using UDP.  I wonder what I'm misunderstanding?

Earlier, on another machine that was using plain old routing instead 
of the rule/table method, the Vonage units worked just fine.

Thanks in advance for any help that might be out there.

B.


Re: [LARTC] Changing default route for an entire subnet/NIC

2003-12-18 Thread Brian Weaver
Oops, made a mistake in my example,
I actually enter
ip rule add from 192.168.0.0/24 table John

As soon as I do this, that subnet loses all contact with my firewall, so it can't DHCP
an address, do DNS servers, ping, anything..

Any clues?


[EMAIL PROTECTED] [EMAIL PROTECTED] [2003-12-17 22:34:14 -0700]:
 Greetings,
 
 If you look at Section 4.1 of the howto, they give a simple example of changing the
 default route for a single IP address by doing the following
 
 # echo 200 John >> /etc/iproute2/rt_tables
 # ip rule add from 10.0.0.10 table John
 # ip route add default via 195.96.98.253 dev ppp2 table John
 # ip route flush cache
 
 I'm trying to do something very similar, except that I want to route an entire class
 C subnet out a different NIC card in my firewall..
 
 I did the exact same thing as above except used the line
 
 ip rule add from 192.168.0.1/24 table John
 ip route add default via 192.168.1.1 dev eth4 table John
 
 This doesn't work, what happens is that the entire subnet loses contact with the
 firewall, so DNS lookups fail and I basically can't go anywhere. Using just one IP
 like the example above seems to work fine..
 
 Any ideas?
 


[LARTC] Changing default route for an entire subnet/NIC

2003-12-17 Thread brian
Greetings,

If you look at Section 4.1 of the howto, they give a simple example of changing the
default route for a single IP address by doing the following

# echo 200 John >> /etc/iproute2/rt_tables
# ip rule add from 10.0.0.10 table John
# ip route add default via 195.96.98.253 dev ppp2 table John
# ip route flush cache

I'm trying to do something very similar, except that I want to route an entire class
C subnet out a different NIC card in my firewall..

I did the exact same thing as above except used the line

ip rule add from 192.168.0.1/24 table John
ip route add default via 192.168.1.1 dev eth4 table John

This doesn't work, what happens is that the entire subnet loses contact with the
firewall, so DNS lookups fail and I basically can't go anywhere. Using just one IP
like the example above seems to work fine..

Any ideas?


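A worked version of the per-uplink tables and source rules that run through the dual Internet connection thread above, Brian Thompson's cable/T1 box and the "changing default route for an entire subnet" question. This is an added example, not a script from any of the posts or from the LARTC HOWTO. It reuses the interfaces, addresses and tables 11/12 quoted in the dual-uplink thread; the assumption that the 192.168.66.0/24 LAN also sits on eth0, the DRYRUN switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the list posts): per-uplink routing tables plus
# source-address rules for a gateway with two uplinks, as LARTC HOWTO 4.2
# lays it out.  Addresses, devices and tables 11/12 come from the thread;
# the 192.168.66.0/24 LAN being on eth0 is an assumption of this example.
# DRYRUN=1 (default) prints the commands; DRYRUN=0 runs them (needs root).

DRYRUN=${DRYRUN:-1}

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# uplink_table TABLE DEV NET ADDR GATEWAY [LANNET LANDEV ...]
# A per-uplink table needs the uplink's connected route, a default via that
# uplink's gateway AND the LAN connected routes.  Without the LAN routes a
# rule such as "from 192.168.0.0/24 table John" also catches the gateway's
# own replies to the LAN (its LAN address lies inside that prefix) and sends
# DHCP, DNS and ping answers out the uplink instead of back onto the LAN.
uplink_table() {
    table=$1 dev=$2 net=$3 addr=$4 gw=$5
    shift 5
    run ip route add "$net" dev "$dev" src "$addr" table "$table"
    while [ $# -ge 2 ]; do
        run ip route add "$1" dev "$2" table "$table"
        shift 2
    done
    run ip route add default via "$gw" dev "$dev" table "$table"
    # Packets the gateway itself sends from this uplink's address (including
    # SYN-ACKs from its own daemons) already carry that source, so a
    # from-rule on the public address selects this table for them.
    run ip rule add from "$addr" table "$table"
}

# lan_via TABLE LANNET: steer a whole LAN prefix out the uplink owned by TABLE.
# Forwarded packets are routed before POSTROUTING SNAT rewrites their source,
# so this rule must match the private prefix, not the public address.
lan_via() {
    run ip rule add from "$2" table "$1"
}

# which_way DST SRC [IIF]: ask the kernel which device a packet would leave
# on.  With IIF the lookup is done as for a forwarded packet.
which_way() {
    if [ -n "${3:-}" ]; then
        run ip route get "$1" from "$2" iif "$3"
    else
        run ip route get "$1" from "$2"
    fi
}

setup() {
    uplink_table 11 ppp0 66.11.173.0/24 66.11.173.224 66.11.190.1 \
        10.75.22.0/24 eth0 192.168.66.0/24 eth0
    uplink_table 12 eth1 24.235.240.0/22 24.235.240.15 24.235.240.1 \
        10.75.22.0/24 eth0 192.168.66.0/24 eth0
    # Send the second LAN out the PPPoE link; the first keeps the main default.
    lan_via 11 192.168.66.0/24
    # Rules and tables are only consulted when the cache is refilled.
    run ip route flush cache
}

setup
# After a real run, check the reply path the thread is about:
#   which_way 66.96.26.190 66.11.173.224      (gateway's own reply: expect "dev ppp0")
#   which_way 66.96.26.190 10.75.22.5 eth0    (forwarded LAN packet: main table, eth1)
```

`ip route get ... from ... iif ...` is the check to reach for before blaming NAT: it reports the device the routing decision picks for a forwarded packet with that source, which is the pre-SNAT private address.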

[LARTC] QoS / VoIP

2003-10-31 Thread Brian M. Diehl
Hello,

Please excuse any of my errors, as I am new to this list (Just signed
last night!)
Here is my situation.  I have four remote offices, one connected by a
wireless link, one connected by a regular T1 and two connected by frame.
We have just switched PBX's and are now using VoIP phones instead of
landlines.  My problem is (obviously) with VoIP, the voice is getting
choppy whenever there is high data transfers.  

My question is, for the office with a T1, should I put a QoS box on both
ends? (One here at HQ, and one there?)  Same with the frame?  And
correct me if I'm wrong, but I will need one at both ends for the
wireless link.

I have read most of the LARTC HOW-TO, but it hasn't sunk in totally
(trying to take a drink from a fire hydrant)

Thanks in advance,

--
Brian M. Diehl
Network Admin
A-1 Limousine Inc.
609-919-2019


[LARTC] Using HTB as an ISP provisioning engine

2002-12-19 Thread Brian Capouch
I am new to shaping but not to routing; forgive me if this request is 
inappropriate for this list.

I am a very small ISP and would like to use HTB to enforce contractual 
bandwidth limits on my customers.  I am trying to think through one 
aspect of this that is vexing me.  I'm sure it's no great secret that 
many ISPs oversell their bandwidth, and in our case we have a 
combination of accounts that total approximately 2.2Mbs on our feed, 
which is 1.2Mbs. (Concentrating right now on our download stream)

How could something like this be accommodated?  The documentation says 
that the total bandwidth allocations of a set of subclasses should total 
that assigned to the class.

But my understanding is that if I bump up the bandwidth on the primary 
class to a value greater than my actual bandwidth, then I'm going to be 
filling up queues at the upstream ISP and negatively affecting my 
performance.

I'm sure there is something I'm missing, but I've discussed this with a 
couple of fellow network engineers and neither was able to posit how 
such thing might work, although they both said they were sure that it is 
a common scenario.

Thanks.

B.


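As an added example (not the poster's configuration and not from the HOWTO), here is how HTB accommodates the oversell the post describes: the root class is capped at the real 1.2 Mbit feed, each customer class gets a guaranteed `rate` whose sum stays inside the feed, and the contracted speed goes into `ceil`, which a customer can borrow up to only while other classes are idle. HTB shapes egress, so this runs on the interface facing the customers; eth0, the customer addresses (TEST-NET 192.0.2.x), the rates and the 64 kbit reserve for unclassified traffic are constructed for the example.

```shell
#!/bin/sh
# Added example (not the poster's setup): HTB provisioning for an oversold
# feed.  The 1.2 Mbit feed is from the post; eth0 as the customer-facing
# interface, the customers (TEST-NET 192.0.2.x) and the rates are constructed.
# DRYRUN=1 (default) prints the tc commands; DRYRUN=0 runs them as root.

DRYRUN=${DRYRUN:-1}
DEV=eth0
LINK_KBIT=1200      # what the upstream really delivers, downstream
DEFAULT_KBIT=64     # guarantee kept back for unclassified traffic

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One customer per line: classid, customer address, guaranteed kbit, sold kbit.
# Guarantees total 1024 kbit and fit in the feed; sold ceilings total 2304
# kbit, roughly the 2.2 Mbit of contracts the post describes.  A customer gets
# its guarantee always and borrows up to its ceiling only from idle classes.
CUSTOMERS='10 192.0.2.10 256 512
20 192.0.2.20 256 768
30 192.0.2.30 512 1024'

guaranteed_total() {
    printf '%s\n' "$CUSTOMERS" | awk '{ s += $3 } END { print s + 0 }'
}

# Refuse a tree whose guarantees exceed the feed: HTB honours rate only if
# the parent really has that much; setting the root above the real link just
# moves the queue to the upstream router, which is the effect the post fears.
provision() {
    total=$(guaranteed_total)
    if [ $((total + DEFAULT_KBIT)) -gt "$LINK_KBIT" ]; then
        echo "guarantees total ${total} kbit plus ${DEFAULT_KBIT} reserve exceed the ${LINK_KBIT} kbit feed" >&2
        return 1
    fi
    run tc qdisc add dev "$DEV" root handle 1: htb default 99
    # Root class pinned to the real feed, so the bottleneck is this box.
    run tc class add dev "$DEV" parent 1: classid 1:1 htb \
        rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    # Leaf for traffic no customer filter claims.
    run tc class add dev "$DEV" parent 1:1 classid 1:99 htb \
        rate "${DEFAULT_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    run tc qdisc add dev "$DEV" parent 1:99 handle 99: sfq perturb 10
    printf '%s\n' "$CUSTOMERS" | while read -r id addr rate ceil; do
        # A ceiling above the feed can never be reached; clamp it.
        if [ "$ceil" -gt "$LINK_KBIT" ]; then ceil=$LINK_KBIT; fi
        run tc class add dev "$DEV" parent 1:1 classid "1:$id" htb \
            rate "${rate}kbit" ceil "${ceil}kbit"
        run tc qdisc add dev "$DEV" parent "1:$id" handle "$id:" sfq perturb 10
        # Downstream traffic is matched on the customer's address.
        run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
            match ip dst "$addr" flowid "1:$id"
    done
}

provision
```

The check in `provision` is the rule the documentation states: the children's `rate` values must fit in the parent's `rate`. The `ceil` values are what can be sold beyond that, and their sum is free to exceed the link.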

[LARTC] Re: LARTC digest, Vol 1 #907 - 2 msgs

2002-12-04 Thread Brian Capouch


From: Stef Coene [EMAIL PROTECTED]


does it matter that the rate is being reported differently by each
invocation of tc?


I don't know exactly how the rate is calculated, but I don't think you should
not trust it.



The upload speed of the first runs 252, 258, 254, etc.; on the second
86, 150, 92, 78, etc.


Is this reported by tc or by iperf ??



By iperf.

One little detail, and I guess this is the explaining fact but it's 
interesting to think about why: all the machines reported on here are 
using wireless access.  The two which are working well have no jitter or 
packet loss, but the two that are acting up both have a fair amount of 
jitter, and about 6-8% packet loss because of their being marginal links.

I'm assuming that is the explanation (I hadn't thoroughly tested the 
link quality before sending that other mail) but I wonder why.  They 
show average throughput well above the rate limits I set when they are 
operating without HTB.

Thanks.

B.




[LARTC] How accurate should HTB be?

2002-12-01 Thread Brian Capouch
I have been playing with HTB for a couple of weeks on one of my testbed 
routers, and was astounded at how accurate it seemed to be (measuring 
with iperf).

So I rolled it out on two production machines, and now, Murphy's Law, 
those both seem to be throttling too much.

Same hardware, same kernel version, same iproute2 utils.  I have pored 
over the output of tc -s shows and the only thing I can see different 
between the highly accurate machine and the two that are 
overthrottled is shown in the snippets below.  I'm grasping at straws; 
does it matter that the rate is being reported differently by each 
invocation of tc?

The upload speed of the first runs 252, 258, 254, etc.; on the second 
86, 150, 92, 78, etc.

I don't know how to debug this, and hope this isn't something obvious 
and stupid.

Thanks in advance for any help that might be forthcoming.

B.

***
Good:
$ tc -s -d class show dev eth0
class htb 1:1 root rate 256Kbit ceil 256Kbit burst 1926b/8 mpu 0b cburst 
1926b/8 mpu 0b level 7
 Sent 18417658 bytes 132268 pkts (dropped 0, overlimits 0)
 rate 2bps
 lended: 0 borrowed: 0 giants: 0
 tokens: 45375 ctokens: 45375

Overthrottled:
$ tc -s -d class show dev eth1
class htb 1:1 root rate 256Kbit ceil 256Kbit burst 1926b/8 mpu 0b cburst 
1926b/8 mpu 0b level 7
 Sent 6612505 bytes 10225 pkts (dropped 0, overlimits 0)
 rate 6179bps 4pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 45375 ctokens: 45375

*



[LARTC] Redhat 7.3 / SuSE 8.0

2002-07-06 Thread Brian


  I have a question here? why in SuSE 8.0 pro I can select all the networking
options and none of them are grayed out? while under Redhat 7.3 most of them
are? I can't modify the IP:Netfilter Config under Redhat 7.3? ANY IDEA's why
I can't? I am using make xconfig...




[LARTC] RE: Redhat 7.3 / SuSE 8.0

2002-07-06 Thread Brian

You would think?, but you never know. I am loading SuSE 8.0 on the same box
as my Redhat 7.3 box having the problem...hu

-Original Message-
From: Greg Scott [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 06, 2002 8:18 PM
To: Brian; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Redhat 7.3 / SuSE 8.0


I'll bet something is messed up in your source tree.  All the distros use
the same base kernel after all (don't they?)

As I recall, the .config from Red Hat sets up the netfilter stuff as
modules.

I'll work on cleaning up my compile notes.

- Greg



-Original Message-
From: Brian [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 06, 2002 5:36 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Greg Scott
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Redhat 7.3 / SuSE 8.0



  I have a question here? why in SuSE 8.0 pro I can select all the networking
options and none of them are grayed out? while under Redhat 7.3 most of them
are? I can't modify the IP:Netfilter Config under Redhat 7.3? ANY IDEA's why
I can't? I am using make xconfig...




[LARTC] Blocking ICQ and MSN Messenger

2002-04-16 Thread Brian


 Does any one know how to block ICQ and MSN Instant messenger? I want to
block them using iptables




RE: [LARTC] Blocking ICQ and MSN Messenger

2002-04-16 Thread Brian

This one Blocks AOL IM and ICQ

iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -d login.oscar.aol.com -j REJECT


--
This one Blocks MSN Messenger  

iptables -A FORWARD -p TCP --dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT





-Original Message-
From: dhaval patel [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 16, 2002 3:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [LARTC] Blocking ICQ and MSN Messager

Brian [EMAIL PROTECTED] said:

 
  Does any one no how to block ICQ and MSN Instant messenger? I want to
 block them using iptables
run them yourself
figure out the ports
kill the ports

iming helps improve productivity :)
you shouldnt disable it.

dhaval

 



[LARTC] Firewall Question?

2002-04-14 Thread Brian


I have an iptables firewall version 1.2.5, I LOVE IPTABLES SO MUCH MORE
THINGS YOU CAN DO. I have a small network off my eth0 interface
192.168.0.X network and my ppp0 is my DSL connection, with the current
firewall how would I block someone going to the Internet from my eth0
interface. I have tried many things here and had no luck.

Both my INPUT and OUTPUT used a DROP policy by default and I am using
NAT to route my traffic to the Internet.



echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

modprobe ip_conntrack
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ipt_owner
modprobe ip_conntrack_irc
 
echo 1  /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ppp0  -j MASQUERADE
iptables -A FORWARD  -j ACCEPT


# anything from the LAN and from loopback
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# UDP from the DSL side: unprivileged ports, DHCP, and the ISP's DNS servers
iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 208.188.197.4 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 206.148.122.8 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 206.148.122.2 --sport 53 --dport 1024:65535 -j ACCEPT
# TCP from the DSL side only if it is not a new connection
iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -j DROP
iptables -P INPUT DROP



iptables  -A  OUTPUT -d 192.168.0.0/24  -j ACCEPT
iptables  -A  OUTPUT -d 255.255.255.255 -j ACCEPT
iptables  -A  OUTPUT -d 127.0.0.1 -j ACCEPT
iptables  -P  OUTPUT DROP







___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
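The post asks how a single LAN host can be kept off the Internet with the ruleset above. As an added example (not from the post): because the script appends `iptables -A FORWARD -j ACCEPT` unconditionally, any DROP appended afterwards is never reached, so the blocking rules have to sit at the top of FORWARD, ahead of both the state rule and the blanket LAN accept. Interfaces and prefix are the post's (eth0 = 192.168.0.0/24 LAN, ppp0 = DSL); the blocked host 192.168.0.50, the log prefix, the DRYRUN switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example: FORWARD policy that NATs the LAN out ppp0 but keeps named
# hosts off the Internet.  eth0/192.168.0.0/24 and ppp0 are from the post;
# 192.168.0.50 as the blocked host is made up for the example.
# DRYRUN=1 (default) prints the iptables commands; DRYRUN=0 runs them as root.

DRYRUN=${DRYRUN:-1}
LAN_IF=eth0
LAN_NET=192.168.0.0/24
WAN_IF=ppp0

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_policy BLOCKED_HOST...: rebuild FORWARD from scratch.  Order matters:
# iptables walks a chain top to bottom and stops at the first terminating
# target, so the blocks go before the state rule (which would otherwise keep
# a blocked host's already-open sessions alive) and before the LAN ACCEPT.
forward_policy() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    for host in "$@"; do
        # Rate-limited log line so a chatty host cannot flood syslog.
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" \
            -m limit --limit 3/minute -j LOG --log-prefix "lan-blocked: "
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" -j DROP
    done
    # Replies and related traffic for connections that were allowed to start.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everyone else on the LAN may open new connections to the Internet.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # Anything not matched above hits the DROP policy, including packets
    # arriving on ppp0 for the LAN without a tracked connection.
}

nat_policy() {
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

forward_policy 192.168.0.50
nat_policy
```

Blocking on the forward path leaves the host free to talk to the firewall itself (the INPUT rules above still accept everything from eth0); if that is unwanted, the same `-s` match belongs at the top of INPUT as well.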