Re: [LARTC] double gateway - new thread
Paul,

On Thu, 2003-01-30 at 16:59, Paul Evans wrote:
> Yes, the usual learning cycle of break/repair, break/repair cycle takes a
> looong time.

I sure spent my time in the trenches.

> Thanks very much. I suppose it's back to my old script then. I was stuck with
> a 'file exists error', because of the existing default route. Of course, if I
> were to delete it, I'd suddenly not be 'there' anymore to apply the script.
> Maybe I can do both via cron instead.

In that case you will want to use two different scripts, the existing one and the new one. Have cron simply restart the network every so often, probably like you are. Also, in part of your script it sounds like you need to flush out everything the default network script adds that you do not want.

> Thanks yet again, I skipped Julian's page, because I thought it was just for
> the patch. I will go and read it. When I finally get my head around this
> part, I will probably have to consider recompiling the kernel and applying
> the patch (I think we're talking about the one to eliminate the route
> caching).

Yes, I tried to play with the cache settings directly, but no combo made things work like the patches. You must also adhere to the nano-how-to rules on routes and such.

> I'm familiar with bash functions and I will follow your advice, for me I am
> still trying to untangle all the nested calling of the many and varied
> scripts that come into play when bringing up all the interfaces. Which do you
> recommend my redoing exactly. I mean the existing one for network, ifxxup,
> adsl-start are all doing fine the way they are (except for the bit where I
> don't know how to prevent a default route being set by adsl-start that is). I
> had hoped I could end up with a single script from, say rc.local or
> something. Not to be huh? ( I still haven't read the nano you ref'ed
> earlier).

You can still use your existing network script, just make another one that removes the default ADSL route and anything else that is getting in your way, and then run your commands to get things working your way. Once you are done with your script put it in /etc/rc.d/init.d and add a symbolic link in the proper run level(s) with the necessary startup number, probably just after the standard network script is run. If you want a single one, add everything you need to your new script and use it instead of the default. Although depending on the type of ADSL, PPPoE type, you may want to keep and use the default startup script. There is nothing wrong with two, but it is Linux so do what you like and put things where you want them. Make sure to read the nano-how-to or at least make sure all your rules are exactly the same within reason. I tried some deviations, but all failed. Obviously you do need to use the exact IPs as in the example, but use the same rules and commands using your IP info.

> > The way it works for me, and to my knowledge the only way it works is by
> > masquerading. That's where the patches make things work.
> Ok good. That part really confused me after all the reading I've done on stef's
> site etc.

That part still somewhat confuses me. What is clear is I had a goal and was able to reach it. Masquerading was not a requirement for me, but I did not mind doing it as well. I simply ended up with two rounds of NAT/PAT or two back to back firewalls on either link. More on my config can be found in the archives, but feel free to contact me directly for any questions and specific configuration examples.

-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] controlling the tc system
Jody, any info you have would be nice to know... I'm a programmer myself and while I don't post much I read this group a lot (I've been quietly learning the concepts in preparation for putting a whole suburb online in my local community in New Zealand).

Cheers
DiG

----- Original Message -----
From: "Jody Belka" <[EMAIL PROTECTED]>
To: "LARTC list " <[EMAIL PROTECTED]>
Sent: Thursday, January 30, 2003 4:26 PM
Subject: [LARTC] controlling the tc system

> hi,
>
> i've been trying to find some information on this but haven't had any
> luck. what i'm interested in is any way to control the tc system
> programmatically without having to shell out to the tc program. i've already
> found some stuff for controlling iptables programmatically, but have been out
> of luck so far with traffic control. does anyone have any ideas?
>
> Jody
[LARTC] ip route + equalize and related problems ....
root ~ # ip route ls
default 10.0.9.200 dev eth1  scope link
10.0.1.200 dev eth2  scope link
10.0.3.200 dev eth4  scope link
10.0.2.200 dev eth3  scope link
default dev eth3  scope link
root ~ # ip route ls table http
default  equalize
        nexthop dev eth1 weight 1
        nexthop dev eth2 weight 1
root ~ # ip route ls table ssh
default  equalize
        nexthop dev eth1 weight 1
        nexthop dev eth2 weight 1
root ~ # ip rule ls
0:      from all lookup local
32762:  from all fwmark 80 lookup http
32763:  from all fwmark 22 lookup ssh
32764:  from all lookup main
32765:  from all lookup default

This is after having used fwmark + ip rule add and specifically:

ip route add default table http equalize nexthop dev eth1 nexthop dev eth2
ip route add default table ssh equalize nexthop dev eth1 nexthop dev eth2
ip route add default dev eth3

But all packets are forwarded to the default host, and without a default host the other routing rulesets appear to be ignored... How could I give a priority to the http and ssh tables? And how exactly does the "equalize" keyword in ip route work? I've not found an example on the internet...

TIA,
v.
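The mark-then-lookup arrangement the post is built on, as an added example (not v.'s configuration): marks are set in mangle PREROUTING, before the route lookup, and the fwmark rules are given explicit priorities below main. It also carries a small check over `ip rule ls` output that confirms every fwmark rule is consulted before `main`, run here over a sample reconstructed from the post's output and over a deliberately wrong ordering. Interface names, table numbers and marks are assumed placeholders; `EQUALIZE` is empty by default because the keyword only does something on a kernel carrying the multipath patch discussed elsewhere in this digest.

```shell
#!/bin/sh
# Added example, not the poster's setup. All names and numbers are placeholders.
LAN_IF=eth0
HTTP_TABLE=80; SSH_TABLE=22   # table numbers; the post used the names http/ssh
EQUALIZE=""                   # set to "equalize" only on a kernel with Julian's patch

# DRY_RUN=1 prints the commands instead of executing them.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_marked_routing() {
    # Marks that are meant to steer routing must be set in mangle PREROUTING;
    # a mark set in FORWARD or POSTROUTING comes after the route lookup.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark 80
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 22 -j MARK --set-mark 22
    # Explicit priorities keep the fwmark rules ahead of "main" regardless of
    # the order in which they were added.
    run ip rule add fwmark 80 table "$HTTP_TABLE" prio 100
    run ip rule add fwmark 22 table "$SSH_TABLE" prio 101
    # Multipath default in each service table; everything else keeps main's default.
    run ip route add default table "$HTTP_TABLE" $EQUALIZE nexthop dev eth1 weight 1 nexthop dev eth2 weight 1
    run ip route add default table "$SSH_TABLE" $EQUALIZE nexthop dev eth1 weight 1 nexthop dev eth2 weight 1
    run ip route add default dev eth3
    run ip route flush cache
}

# Reads "ip rule ls" output on stdin; returns 0 when every fwmark rule has a
# lower priority number (is consulted earlier) than the "lookup main" rule.
rule_order_ok() {
    awk 'BEGIN { maxmark = -1; mainp = -1 }
         { sub(":", "", $1); p = $1 + 0 }
         /fwmark/      { if (p > maxmark) maxmark = p }
         /lookup main/ { mainp = p }
         END { if (mainp >= 0 && maxmark >= 0 && maxmark < mainp) exit 0; exit 1 }'
}

# Constructed sample, reproduced from the output quoted in the post.
SAMPLE_RULES='0:      from all lookup local
32762:  from all fwmark 80 lookup http
32763:  from all fwmark 22 lookup ssh
32764:  from all lookup main
32765:  from all lookup default'

# Constructed counter-example: the fwmark rule sits behind main and never fires.
BAD_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from all fwmark 80 lookup http'

# Live use on a router: ip rule ls | rule_order_ok && echo "fwmark rules precede main"
```

`rule_order_ok` only checks ordering; a table that is selected but empty still falls through to the next rule, so `ip route ls table <n>` is the companion check.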
Re: [LARTC] double gateway - new thread
At 05:58 PM 1/30/2003, Paul Evans wrote:
<< Snip >>
> I am doing it from the *outside* via ssh, which makes it a little more
> difficult, since when I mess up I lose access until I can get someone to
> restart the network without my changes...

Might I suggest mgetty and a POTS line so you can "phone home" and undo the damage yourself. ;-)

John <*>
Re: [LARTC] double gateway - new thread
Paul,

On Thu, 2003-01-30 at 15:58, Paul Evans wrote:
> I've been subbing this list for a couple of months now, knowing this day would
> come :-)

My gut says I was not alone, you are not alone, and others will eventually be going down this path as well.

> I too am trying to do an equalize/next hop for 2 adsl lines. At the moment
> though I am testing with 1 2MB adsl modem and an ether connection to a switch
> from a second 2MB line.
>
> I am doing it from the *outside* via ssh, which makes it a little more
> difficult, since when I mess up I lose access until I can get someone to
> restart the network without my changes...

Ouch, that will slow things down during testing.

> I began by using the example from lartc.org, combined with a cron to undo my
> changes every half hour, but moved to following this page from sysadmin
> magazine:
> http://www.samag.com/documents/sam0201h/

Good article, I came across it as well. However it really only is accurate on the DNS point of view from the outside world. For things to work the other way around, from the inside going out, you will need the nano-how-to and possibly Julian's patches applied to a custom compiled kernel.

http://www.linuxvirtualserver.org/~julian/#routes

> For some reason I got a better sense of what I was trying to do from it, plus
> it included a section on just where to place the new rules into the system
> scripts. It did not say just where to place the section for ifup-routes
> though.

When doing something of this nature I recommend not using any provided networking scripts and making your own. It's fairly straightforward and easy to do. Just put all your commands into a function that can be called from outside of the script. Like ./mynetwork.sh start will call the start function.

> I think I've got it pretty close, but since I just locked myself out again...

That sucks. :)

> It's a mandrake 9.0 box and I didn't see where to prevent a default route from
> being set when it brings up ppp0 on the adsl line. I sort of hoped that my
> default routes would get set first and force the other to fail with the
> Exists error. Since I couldn't find it, I don't know in what order it gets
> run. I think that's where I messed up, but I can't get back in to read the
> logs right now.

Like I said, make your own scripts and do not use the originals for now, if possible. I think that your doing this from the outside may require you to use the default ones until you get things working. Then make your own and forget about the default ones.

> Also, the above article uses ip to route to the lan, and I had
> intended/understood that I would masquerade to it later. Which is the correct
> approach then? I will want to move on to tc when I finally get this part
> working.

The way it works for me, and to my knowledge the only way it works, is by masquerading. That's where the patches make things work. However I thought I saw a comment from Julian that masquerading was not necessary? I thought it was? I would imagine Julian will set me straight one way or the other. ;)

> from the article:
>
> advanced eth0 10.0.0.0/24 via 10.0.0.1 table 1
> advanced eth0 10.0.0.0/24 via 10.0.0.1 table 2
> advanced eth1 0/0 via 63.89.102.1 table 1
> advanced eth2 0/0 via 65.3.17.1 table 2
>
> Where eth0 is their lan and eth1/2 are isp. They have a new section in
> ifup-routes grepping a file named static-routes for '^advanced'.

Forget this stuff from the sys-admin article and stick to the routing rules on the nano-how-to. The only part of the sys-admin article that I used and recommend others to use is the DNS aspect for redundancy/load balancing from the outside world. Although most of the same info with other examples can be found in the BIND manual.

-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com
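The script shape William recommends in both of his replies (one function per action, called as `./mynetwork.sh start`, with the ADSL default route removed and the nano-howto style per-link tables and masquerading set up by hand), written out as an added example. It is not William's script, the nano-howto's, or any Mandrake script; every interface, address and table number is an assumed placeholder. `DRY_RUN=1` prints the commands instead of running them, and the `guard` action addresses the lock-out problem from the thread: it applies the change and reverts it automatically unless `confirm` is run from a session that survived.

```shell
#!/bin/sh
# Added example, not the list's or a distribution's script. All interfaces,
# addresses and table numbers are constructed placeholders.
LAN_IF=eth0;  LAN_NET=192.168.1.0/24
ISP1_IF=ppp0; ISP1_IP=203.0.113.10                        # ADSL link brought up by adsl-start
ISP2_IF=eth1; ISP2_IP=198.51.100.10; ISP2_GW=198.51.100.1 # second line behind a switch
T1=101; T2=102                     # table numbers (names would need /etc/iproute2/rt_tables)
CONFIRM=/var/run/mynetwork.confirmed

# DRY_RUN=1 prints the commands instead of executing them, so the script can be
# reviewed or tested without root and without touching a live box.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

start() {
    # 1. Drop the default routes adsl-start/pppd and the stock scripts put in the
    #    main table, so our own default does not fail with "File exists".
    run ip route del default dev "$ISP1_IF" 2>/dev/null
    run ip route del default via "$ISP2_GW" 2>/dev/null

    # 2. One table per uplink: the LAN plus a default through that uplink only.
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$T1"
    run ip route add default dev "$ISP1_IF" src "$ISP1_IP" table "$T1"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$T2"
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" src "$ISP2_IP" table "$T2"

    # 3. Replies leave through the link whose address they carry, so a connection
    #    that arrived on link 2 is not answered out of link 1.
    run ip rule add from "$ISP1_IP" table "$T1" prio 100
    run ip rule add from "$ISP2_IP" table "$T2" prio 101

    # 4. Outbound LAN traffic: a multipath default in the main table. Without the
    #    route-cache patch discussed in the thread this balances per destination.
    run ip route add default scope global \
        nexthop dev "$ISP1_IF" weight 1 \
        nexthop via "$ISP2_GW" dev "$ISP2_IF" weight 1
    run ip route flush cache

    # 5. Masquerade on both uplinks, as the reply's own setup does.
    run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j MASQUERADE
}

stop() {
    run iptables -t nat -D POSTROUTING -o "$ISP2_IF" -j MASQUERADE
    run iptables -t nat -D POSTROUTING -o "$ISP1_IF" -j MASQUERADE
    run ip rule del from "$ISP2_IP" table "$T2" prio 101
    run ip rule del from "$ISP1_IP" table "$T1" prio 100
    run ip route flush table "$T2"
    run ip route flush table "$T1"
    run ip route del default 2>/dev/null
    run ip route flush cache
}

# Lock-out guard for remote work: apply the change, then revert after $1 seconds
# (default 300) unless "confirm" has been run in the meantime.
guard() {
    rm -f "$CONFIRM"
    start
    ( sleep "${1:-300}"; [ -f "$CONFIRM" ] || stop ) &
}
confirm() { : > "$CONFIRM"; }

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    guard)   guard "$2" ;;
    confirm) confirm ;;
    "")      ;;    # sourced or run without arguments: do nothing
    *)       echo "usage: $0 {start|stop|guard [seconds]|confirm}" >&2 ;;
esac
```

Installed as /etc/rc.d/init.d/mynetwork with a symlink numbered just after the stock network script, `start` runs at boot; over ssh, `./mynetwork.sh guard 300` followed by `./mynetwork.sh confirm` from a fresh session replaces the half-hourly cron rollback mentioned in the thread.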
[LARTC] double gateway - new thread
I've been subbing this list for a couple of months now, knowing this day would come :-)

I too am trying to do an equalize/next hop for 2 adsl lines. At the moment though I am testing with 1 2MB adsl modem and an ether connection to a switch from a second 2MB line.

I am doing it from the *outside* via ssh, which makes it a little more difficult, since when I mess up I lose access until I can get someone to restart the network without my changes...

I began by using the example from lartc.org, combined with a cron to undo my changes every half hour, but moved to following this page from sysadmin magazine:
http://www.samag.com/documents/sam0201h/

For some reason I got a better sense of what I was trying to do from it, plus it included a section on just where to place the new rules into the system scripts. It did not say just where to place the section for ifup-routes though.

I think I've got it pretty close, but since I just locked myself out again...

It's a mandrake 9.0 box and I didn't see where to prevent a default route from being set when it brings up ppp0 on the adsl line. I sort of hoped that my default routes would get set first and force the other to fail with the Exists error. Since I couldn't find it, I don't know in what order it gets run. I think that's where I messed up, but I can't get back in to read the logs right now.

Also, the above article uses ip to route to the lan, and I had intended/understood that I would masquerade to it later. Which is the correct approach then? I will want to move on to tc when I finally get this part working.

from the article:

advanced eth0 10.0.0.0/24 via 10.0.0.1 table 1
advanced eth0 10.0.0.0/24 via 10.0.0.1 table 2
advanced eth1 0/0 via 63.89.102.1 table 1
advanced eth2 0/0 via 65.3.17.1 table 2

Where eth0 is their lan and eth1/2 are isp. They have a new section in ifup-routes grepping a file named static-routes for '^advanced'.

-- 
Regards,
Paul Evans
Re: [LARTC] Mark packets based on nexthop?
On Wednesday, 29 January 2003, at 14:35:41 +0200, Anton Yurchenko wrote:
> is there a patch or a way to mark packets with IPtables marking based on
> the nexthop for the packet?
>

You can mark packets on the FORWARD chain (mangle table), based on the outgoing interface (there should be a one-to-one association of outgoing interface to nexthop IP).

iptables -t mangle -A FORWARD --out-interface eth0 --jump MARK --set-mark 1

Hope it helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.4.20-xfsip)
RE: [LARTC] building a multicast router: RESOLUTION
Well, once I figured out what to do it was easy.

1) install FreeBSD over Linux.
2) recompile kernel with: option MROUTING
3) start mrouted
4) go get yourself a cold beer. you deserve it!

thanks!
-bob

-----Original Message-----
From: Bob Yeaw [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 9:42 AM
To: '[EMAIL PROTECTED]'
Subject: [LARTC] building a multicast router

Hi,

I have been reading: http://lartc.org/howto/lartc.multicast.html in an effort to understand how to route multicast traffic and just joined the group.

History:

I am trying to multicast mpeg (using the videolan server) on a private network. The server side of the network is copper gigabit, which connects to one of those cheap fast Ethernet switches with a single gigabit uplink. The problem I'm having is the ports are getting flooded on the client side switch (i.e., all multicast traffic sent to all ports on the switch). After doing some research it sounds like installing a multicast router between the client and server side is the best solution. So that's what I'm trying to do now. I have Red Hat Linux 7.3 installed.

I've gone through the steps described on the how-to (link above):

$ dmesg | grep IGMP
IP Protocols: ICMP, UDP, TCP, IGMP

$ cat /proc/sys/net/ipv4/ip_forward
1

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
10.100.100.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
224.0.0.0       0.0.0.0         240.0.0.0       U        40 0          0 eth1
0.0.0.0         10.100.100.254  0.0.0.0         UG       40 0          0 eth0

# NOTE: eth1 is the client side, eth0 is the server side.

Problem:

The problem is that no multicast is getting through the router (unicast traffic works fine). When I run:

$ tcpdump -n -i eth0

I see all of the multicast traffic being sent. Unfortunately:

$ tcpdump -n -i eth1

shows none of that multicast traffic (whether the client has requested it or not). Interestingly, when I run iptraf and select eth0 it reports little to no activity, which indicates to me that the traffic is getting dropped at a low level.

Question:

My question at this point is problem identification. Is the router configured correctly and acting as expected but the client just isn't sending the IGMP join requests? Do I need to install additional software packages like Zebra or mrouted to make this work? Am I completely missing something?

Any help or suggestions are greatly appreciated!

regards,
-bob
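The three Linux-side checks behind the question above (forwarding on, a 224.0.0.0/4 route, and, the point the resolution makes, a multicast routing daemon actually attached to the kernel), as an added example that is neither Bob's nor the HOWTO's code. On Linux the kernel forwards multicast only after a daemon such as mrouted or pimd has registered virtual interfaces, which show up in /proc/net/ip_mr_vif (present when the kernel was built with multicast routing support); the unicast 224.0.0.0/4 route only decides where locally generated multicast leaves. The routing-table sample is reconstructed from the post; the two VIF-table samples are constructed.

```shell
#!/bin/sh
# Added example, not the poster's or the HOWTO's code. Sample inputs are constructed.

# 1. Forwarding enabled?  ($1 = contents of /proc/sys/net/ipv4/ip_forward)
ip_forward_enabled() { [ "$1" = 1 ]; }

# 2. Which interface carries the 224.0.0.0/4 route?  (stdin = "netstat -rn" output)
mcast_route_iface() {
    awk '$1 == "224.0.0.0" && $3 == "240.0.0.0" { print $NF; found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# 3. Number of multicast VIFs registered by a routing daemon.
#    (stdin = /proc/net/ip_mr_vif; the first line is a header)
mroute_vif_count() { awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'; }

# Constructed sample: the routing table quoted in the post.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
10.100.100.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
224.0.0.0       0.0.0.0         240.0.0.0       U        40 0          0 eth1
0.0.0.0         10.100.100.254  0.0.0.0         UG       40 0          0 eth0'

# Constructed VIF tables: no daemon attached, and mrouted running on both sides.
SAMPLE_VIF_EMPTY='Interface      BytesIn  PktsIn  BytesOut PktsOut Flags Local    Remote'
SAMPLE_VIF_ACTIVE='Interface      BytesIn  PktsIn  BytesOut PktsOut Flags Local    Remote
 0 eth0               0       0         0       0 00000 0A646401 00000000
 1 eth1               0       0         0       0 00000 C0A80301 00000000'

# $1 = ip_forward value, $2 = routing table text, $3 = ip_mr_vif text
# Returns 0 when multicast forwarding can work, 1 or 2 with a one-line reason.
diagnose() {
    ip_forward_enabled "$1" || { echo "ip_forward is off"; return 1; }
    iface=$(printf '%s\n' "$2" | mcast_route_iface) || { echo "no 224.0.0.0/4 route"; return 1; }
    vifs=$(printf '%s\n' "$3" | mroute_vif_count)
    if [ "$vifs" -eq 0 ]; then
        echo "multicast route on $iface but no VIFs: no multicast routing daemon is attached"
        return 2
    fi
    echo "multicast route on $iface, $vifs VIFs registered"
}

# Live use on a Linux router:
#   diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(netstat -rn)" "$(cat /proc/net/ip_mr_vif)"
```

Run against the post's own table and an empty VIF file, `diagnose` stops at the third check, which is the situation the resolution fixed by starting mrouted (on FreeBSD, in Bob's case).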
[LARTC] Two Links, Two Interfaces and a Server
Hi all. I wrote to the list on Monday, but did not explain the problem well.

I have a transparent proxy server working with WCCP; I have a router that sends the port 80 requests to the server and this gives back the results. The company acquired a new connection, and this specific connection is for 2 networks; now what I want is that those two networks leave by the new connection. I have to do this from the server; the server has two interfaces, each one connected to a connection. All the input requests come in by one interface (ETH0); the other interface (ETH1) is used only when the server detects that the address used the other interface.

My scheme is:

              router                                 switch
                |                                       |
         200.9.189.201                           165.98.111.233
     (INPUT-OUTPUT) -->                         <-- (OUTPUT)
                |                                       |
             If-eth0                                 If-eth1
                |                                       |
                +---------------- server proxy ---------+

Can somebody help me?

Thanks in advance,
Regards,
[LARTC] Shaping and PPPoE
It seems like this scenario isn't covered in any FAQ: I have a PPPoE server running on eth1, and want to control outgoing traffic to users connecting through PPPoE.

Internet --- eth0 - eth1 --- users over PPPoE
                              ppp0 ppp1 ppp..

Each user is assigned a static address (i.e., user1 is always 10.1.1.1). However, the pppx devices are assigned dynamically based on the order they connect (if user3 connects first, he gets ppp0).

Should I configure shaping rules (based on IP addresses) on eth1, or do I have to write a script that is watching the PPPoE logs, figure out which user is which pppx and add rules to each pppx accordingly? That is, can I shape on IP on eth1 when I am using PPPoE, or do I have to shape on each virtual ppp device?

-- 
LarsG
Re: [LARTC] controlling the tc system
On Thursday 30 January 2003 04:26, Jody Belka wrote:
> hi,
>
> i've been trying to find some information on this but haven't had any
> luck. what i'm interested in is any way to control the tc system
> programmatically without having to shell out to the tc program. i've already
> found some stuff for controlling iptables programmatically, but have been out
> of luck so far with traffic control. does anyone have any ideas?

http://tcng.sourceforge.net/

Stef

-- 
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] problem with prio qdisc and TOS
Hi Andreas,

I hope I have this right, based on my limited understanding of Linux QoS. If I'm wrong then I hope someone will correct me =)

> If I just attach a PRIO qdisc on eth1(outgoing) will I be able to
> prioritise packets based on the TOS value.

You don't even need to do that, the default qdisc is pfifo_fast which also prioritises by TOS flags.

> The TOS value is set by a test application.

It can also be overridden by a Netfilter rule, if you want to force or change priority for certain types of packets.

> At very high data rates will the data stream with lower
> priority TOS value be starved because it cannot send out of packets from
> its band on eth1 interface?.

Yes, if there is not enough capacity to send on eth1 then lower-priority packets will be starved, will queue up until the queue is full and then get dropped.

> Does something be set in linux kernel so that kernel sets priority for
> packets according to TOS value.I guess this priorty will be used by PRIO
> qdisc(by default) to decide which band the packet belongs.

Yes, it happens by default, with the pfifo_fast qdisc.

Cheers, Chris.

-- 
 ___  __  _
/ __// / ,__(_)_   | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
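How the TOS byte of a packet ends up in a pfifo_fast or PRIO band, as an added example (not Chris's code or the LARTC HOWTO's): the two lookup tables are the kernel's TOS-to-priority map and the default priomap as the HOWTO documents them for pfifo_fast, and `setup_prio` emits the commands the reply describes, attaching a PRIO qdisc and overriding TOS with a netfilter rule. The interface and port numbers are placeholders. One caveat worth knowing for Andreas's forwarding box: the TOS rewrite has to happen in mangle PREROUTING, because the forwarding code derives the packet's priority from the TOS byte before the FORWARD hook runs.

```shell
#!/bin/sh
# Added example, not the reply's or the HOWTO's code. Interface and ports are placeholders.

# Kernel TOS-to-priority table as documented in the LARTC HOWTO, indexed by the
# four TOS bits ((tos & 0x1e) >> 1). Linux priority: 0 = best effort, 1 = filler,
# 2 = bulk, 4 = interactive bulk, 6 = interactive.
TOS2PRIO="0100222266664444"
# Default priomap of pfifo_fast and of an unconfigured PRIO qdisc: priority -> band.
# Band 0 is served first; band 2 only when bands 0 and 1 are empty.
PRIOMAP="1222120011111111"

tos_to_prio()  { printf '%s' "$TOS2PRIO" | cut -c "$(( ( ($1 & 30) >> 1 ) + 1 ))"; }
prio_to_band() { printf '%s' "$PRIOMAP"  | cut -c "$(( $1 + 1 ))"; }
tos_to_band()  { prio_to_band "$(tos_to_prio "$1")"; }

# DRY_RUN=1 prints the commands instead of executing them.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_prio() {   # $1 = outgoing interface
    # Three bands with the same default priomap as pfifo_fast.
    run tc qdisc add dev "$1" root handle 1: prio
    # Override TOS for forwarded traffic in PREROUTING: ip_forward() sets the
    # packet priority from the TOS byte before the FORWARD chain is reached.
    run iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
    run iptables -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
}

# Prints what the default map does with a few TOS values (decimal arguments).
show_map() {
    for tos in 0 2 8 16 24; do
        printf 'tos 0x%02x -> priority %s -> band %s\n' \
            "$tos" "$(tos_to_prio "$tos")" "$(tos_to_band "$tos")"
    done
}
```

With the default map, Minimize-Delay (0x10) lands in band 0, plain traffic in band 1 and Maximize-Throughput (0x08) in band 2; under sustained overload on eth1 band 2 is exactly the stream that starves, which is the behaviour Chris describes.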
[LARTC] problem with prio qdisc and TOS
Hello,

I have presented my problem before also. I have a Linux box with 2 interfaces, eth0 (incoming) and eth1 (outgoing). If I just attach a PRIO qdisc on eth1 (outgoing) will I be able to prioritise packets based on the TOS value? The TOS value is set by a test application. At very high data rates will the data stream with lower priority TOS value be starved because it cannot send out packets from its band on the eth1 interface?

Does something need to be set in the Linux kernel so that the kernel sets priority for packets according to the TOS value? I guess this priority will be used by the PRIO qdisc (by default) to decide which band the packet belongs to.

Please clarify this by giving your inputs.

Regards,
Andreas.