[LARTC] Squid + shaping question
Hi folks,

So, I have a pretty simple setup: a Linux router machine running as a firewall/router for a small neighborhood LAN (approx. 20 machines). I also have squid running on the box in non-transparent mode, and I have set up NAT for TCP/UDP ports above 1024 for all clients and SSH/POP/SMTP/CVS NAT'd for selected ones based on MAC filtering. No hosts whatsoever can access ports 80 and 443 without going through squid. The uplink to the internet is a 512kbit/s downstream and 64kbit/s upstream cable modem connected on eth1 (LAN on eth0, no DMZ).

When the LAN started to grow from a few well-known friends of mine to more people I didn't know so well, 'social shaping' stopped working for us: bulk downloaders started to saturate the link so badly that I couldn't even use ssh acceptably from outside. So, the usual solution: www.lartc.org. I did a lot of reading on the topic (this really got me interested in it) and finally ended up installing a self-modified version of wondershaper on the external interface. This did solve the problem of me having usable ssh from my office to the router machine, and the ingress qdisc partially solved the problem of the downlink being fairly distributed between all incoming connections, but as most of you know this is a half-baked bread.

What I think should be done is shaping the internal interface, BUT the squid in between causes trouble. So the question is: how to differentiate between traffic served from squid's cache and traffic squid got directly from the internet? Shaping/policing all web traffic pretty much negates the benefits of having a caching proxy. After lots of googling and reading (at one point I was ready to completely forget squid) I came up with the following alternatives, both found in the FAQ section of www.docum.org: the 'SQUID zero penalty for HIT traffic patch' by a fellow Bulgarian, Marin Stavrev, and a patch giving you the ability to 'use ACL lists to put packets in classes' by a guy named Patrick.
I'd like to ask you for your experiences with those, which one is better, any other alternatives you know of, and of course general recipes/recommendations for solving my problem. Well, that's it, put shortly in an over-sized mail. Thanks in advance for your advice. Regards, Teddy ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
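Teddy's question (how to keep cache HITs out of the shaping budget) is exactly what Marin Stavrev's ZPH patch addressed, and the same idea later went into mainline Squid 3.1+ as the qos_flows directive: Squid sets the TOS byte on responses it serves from cache, and tc on the LAN interface classifies on that byte. The following is an added example, not code from this thread, from Squid or from the LARTC HOWTO. It assumes Squid has been told `qos_flows local-hit=0x30` in squid.conf, that eth0 is the LAN side with the router at 192.168.2.1, and that a 100mbit LAN sits behind a 512kbit/s modem; the interface names, addresses, rates, the TOS value, and the `run_tc`/`TC_DRY_RUN` wrapper are all my own assumptions so the rule set can be inspected without root or a real interface.

```shell
#!/bin/sh
# Added example (not from the thread): HTB on the LAN interface that gives
# Squid cache HITs a free ride and bounds everything else to the uplink.
#
# Squid side (squid.conf, Squid 3.1+; assumed to be configured):
#   qos_flows local-hit=0x30
# HITs then leave Squid with TOS 0x30; MISSes keep TOS 0x00.

TC=${TC:-tc}

# With TC_DRY_RUN set, print the tc commands instead of running them.
run_tc() {
    if [ -n "${TC_DRY_RUN:-}" ]; then
        echo "$TC $*"
    else
        "$TC" "$@"
    fi
}

# shape_lan DEV ROUTER_IP LAN_RATE WAN_DOWN
#   DEV       internal interface (router -> LAN direction)
#   ROUTER_IP the router's own address on DEV, i.e. Squid's source address
#   LAN_RATE  physical LAN speed, what HITs may use
#   WAN_DOWN  budget for traffic that really came over the modem
shape_lan() {
    dev=$1; router_ip=$2; lan_rate=$3; wan_down=$4

    run_tc qdisc del dev "$dev" root 2>/dev/null || true
    # default 20: anything not classified is treated as uplink traffic
    run_tc qdisc add dev "$dev" root handle 1: htb default 20

    run_tc class add dev "$dev" parent 1: classid 1:1 htb rate "$lan_rate"
    # 1:10 cache HITs: no penalty, may use the whole LAN speed
    run_tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$lan_rate" ceil "$lan_rate"
    # 1:20 MISSes and directly NAT'd traffic: bounded to what the modem
    # delivers, so the queue builds here under HTB, not inside the modem
    run_tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$wan_down" ceil "$wan_down"

    run_tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run_tc qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10

    # Only trust TOS 0x30 on packets the router itself emits (Squid). A
    # forwarded packet keeps the TOS the remote server chose, so matching
    # on TOS alone would let any internet host put itself into 1:10.
    run_tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip src "$router_ip/32" \
        match ip tos 0x30 0xff flowid 1:10
}

# Unprivileged self-check: which class does the rule set send TOS 0x30 to?
hit_class_for_tos30() {
    (export TC_DRY_RUN=1; shape_lan "$1" "$2" 100mbit 480kbit) |
        sed -n 's/.*match ip tos 0x30 0xff flowid \(1:[0-9]*\).*/\1/p'
}
```

Run as root with `shape_lan eth0 192.168.2.1 100mbit 480kbit`. The ceil for 1:20 is deliberately a little under the 512kbit/s the modem delivers so that HTB, not the modem's buffer, is where downloads queue. Squid MISSes and the directly NAT'd SSH/POP/SMTP/CVS traffic share the 1:20 budget; only packets sourced from the router's own LAN address with TOS 0x30 reach 1:10, which is the check that stops a remote server from marking its way past the shaper.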
Re: [LARTC] Selectively filtering traffic in/out to common threshold
First, write in plain text. Now your problem: this can be done easily with my imq version, http://pupa.da.ru/imq . It seems there is no other way; I was trying to use policers but this worked really badly.

--- Question: I have a number of users who need to be shaped at different rates. My question is this: is there a way that I can shape both *inbound* and *outbound* traffic to not exceed a single threshold, i.e. they can get x kbps traffic in or x kbps out, but no more than x kbps in/out combined? Best Regards, -AL.
Re: [LARTC] cant get FAIL-OVER to work...
I don't know any complete failover script suitable for all situations. I was making one, but since my setup became too complex it is not possible to reconfigure everything so easily. If you need only what you said, then it should be possible to use this script for you.

- Original Message -
From: Cristiano Soares
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 6:38 AM
Subject: [LARTC] cant get FAIL-OVER to work...

Hi all. I'm having a problem that is driving me crazy. I can't get link fail-over to work in my RedHat9 Linux. I have two ADSL lines of exactly the same speed, and I'm doing NAT with the Linux box. Whenever the first line (eth2 in my case) goes down, I run a bash script that I made to change the default route to the backup line (eth0). eth1 is my internal network. I want to be able to make the Linux box do that for me. I already tried many load balancing sites, but still can't figure it out. I just gave up today, and I want to know if any good soul would help me to make it work by getting into my Redhat box using SSH. Thanks a lot everyone. My ICQ is: 3794264 My MSN is: [EMAIL PROTECTED] Cristiano Soares
Re: [LARTC] (no subject)
UDP forwarding mostly cannot be controlled. You can drop UDP packets, but the server will not stop sending them to you anyway (of course this depends on the server software). TCP can be controlled, so it does not have this problem.

- Original Message -
From: "Ibrahim Cherri" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 07, 2004 5:12 PM
Subject: [LARTC] (no subject)

> Hello
>
> I was testing HTB using IPerf TCP traffic and the results were very good.
> Until I tried to add some UDP traffic the results were a little strange.
> This is my setup:
>
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 handle 1:0 root htb default 2
>
> tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1mbit
> tc class add dev eth1 parent 1:1 classid 1:2 htb rate 500kbit ceil 1mbit
> tc class add dev eth1 parent 1:1 classid 1:3 htb rate 500kbit ceil 1mbit
>
> tc filter add dev eth1 protocol ip parent 1:0 prio 2 u32 match ip protocol 17 0xff flowid 1:3
>
> tc qdisc add dev eth1 parent 1:2 handle 20 pfifo limit 10
> tc qdisc add dev eth1 parent 1:3 handle 30 pfifo limit 10
>
> This simple setup should split the 1mbit bandwidth between TCP and UDP.
> I run 2 IPerf clients simultaneously.
> Server:
> iperf -s -p 200
> iperf -s -p 400 -u
> Client:
> iperf -c $ServerIP -p 200
> iperf -c $ServerIP -p 400 -u
>
> Then UDP traffic takes about 750kbit and TCP traffic takes about 250kbit.
> Can anyone tell me why that is?
>
> thanks,
> Ibrahim
[LARTC] tc command failed on 2.4.21 kernel
Hi, Will tc work on a 2.4.21 kernel without any patches? If it does, why did the tc command fail? For example:

# tc qdisc show dev eth0
RTNETLINK answers: Invalid argument
Dump terminated

Thank you for your help! Reed
Re: [LARTC] medir trafico
On Tuesday, 06 April 2004, at 15:59:55 -0300, ThE LinuX_KiD wrote:
> hello list members!

I don't know if you have been following the list for long, but it "seems" this list is "written" in English, so you should use English too. Please take into account that it is better to address the widest possible audience in the hope someone will help you. Maybe there is no Spanish-language Linux routing and traffic control list available, but I am sure you could contact any Spanish-language newsgroup to ask for some help, if you can't or don't want to write in English. Greetings.

(Same message in Spanish, translated:) I don't know if you have been following the list for long, but it "seems" the list is written in English, so you should use English too. Please bear in mind that it is better to address the widest possible audience in the hope that someone will help you. Perhaps there is no Spanish-language list specifically for routing and bandwidth control on Linux, but I am sure you can contact any Spanish-language newsgroup to ask for help, if you cannot or do not want to write in English. Regards.

-- Jose Luis Domingo Lopez Linux Registered User #189436 Debian Linux Sid (Linux 2.6.5)
[LARTC] setup fail-over with redhat9...
Hi. I'm now describing my problem very clearly to see if anyone can help me. I have 3 (three) NICs in my system. 1 is for my internal network (eth1). 2 are for my 2 ADSL lines that I use to connect to the internet (eth2 is my "master" ADSL line and eth0 is my "slave" ADSL line). I know that to make redundancy work I'll have to set up the ip route and ip rule in my system. To do that, I found a bash script called "NETSANE - http://muse.linuxmafia.org/netsane/". I had to change some things like the interface of the first and second lines in netsane.conf. So, I did all the changes needed. Looking good so far: I can ping outside sites through both eth2 and eth0 doing "ping -I eth# www.kernel.org", I don't have a "default route", etc.

Ok, now comes the worse part. I can't MASQUERADE the connection to my internal network, and even if I could, will redundancy work if the first interface fails? I don't think so. Because I tried a normal ping (ping www.kernel.org) and it always goes through eth2, even when I unplug the ADSL line from the router/modem to simulate a down link. I believe there should be an IPTABLES configuration to make NAT work with redundancy, not the usual below:

#!/bin/sh
IPTABLES=/sbin/iptables
# All the lines below are NAT routing
# flush any old rules
$IPTABLES -F -t nat
# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward

I'm using the rc.firewall-2.4 right now, and it clearly doesn't work with redundancy. Here is my network:

   ( Router 1 )                      ( Router 2 )
   GTW 192.168.1.1                   GTW 192.168.0.254
        |                                  |
   eth2 192.168.1.200               eth0 192.168.0.200
        +------------ Linux box ------------+
                         |
                   eth1 192.168.2.1
                         |
                        LAN
           e.g. 192.168.2.20, 192.168.2.21, ...

Sites I tried:
http://lartc.org/howto/lartc.rpdb.multiple-links.html
http://www.ssi.bg/~ja/nano.txt

THANKS A LOT
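Cristiano asks twice (here and in the "cant get FAIL-OVER to work" thread above) for the box to switch lines by itself. The following is an added example and not a script from the thread, from NETSANE or from rc.firewall-2.4: a POSIX sh fail-over check that probes each ADSL line through its own interface (the same `ping -I` trick he already uses), replaces the default route atomically, and masquerades on both uplinks, since the posted rc.firewall only has `-o eth0` and anything leaving through eth2 would go out with its private source address. The interface names and gateways are the ones he described; the probe host (his own www.kernel.org, which in practice should be a fixed IP because DNS may depend on the link being tested), the `DRY_RUN` switch, the `run_cmd` wrapper and the optional `conntrack -F` are my own assumptions.

```shell
#!/bin/sh
# Added example for the fail-over question; not a script from the thread
# or from NETSANE. Interfaces and gateways follow Cristiano's description;
# the probe target, the DRY_RUN switch and run_cmd are my own.

PRIMARY_IF=eth2;  PRIMARY_GW=192.168.1.1      # "master" ADSL line
BACKUP_IF=eth0;   BACKUP_GW=192.168.0.254     # "slave" ADSL line
# His own test target; a fixed IP is preferable in practice because name
# resolution may itself depend on the link you are testing.
PROBE_HOST=${PROBE_HOST:-www.kernel.org}

# With DRY_RUN set, print commands instead of executing them, so the
# logic can be checked without root or two ADSL lines.
run_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Masquerade on BOTH uplinks. The posted rc.firewall only has -o eth0,
# so anything leaving via eth2 is forwarded with its private source
# address and replies never come back.
setup_nat() {
    run_cmd iptables -t nat -F
    run_cmd iptables -t nat -A POSTROUTING -o "$PRIMARY_IF" -j MASQUERADE
    run_cmd iptables -t nat -A POSTROUTING -o "$BACKUP_IF" -j MASQUERADE
    run_cmd sysctl -w net.ipv4.ip_forward=1
}

# link_up IF: probe through a specific interface, independent of the
# current default route (same idea as his "ping -I eth# ...").
link_up() {
    ping -I "$1" -c 2 -W 2 "$PROBE_HOST" >/dev/null 2>&1
}

# choose_gateway PRIMARY_OK BACKUP_OK: prints "IF GW" for the line to
# use (primary preferred), or nothing when both are down.
choose_gateway() {
    if [ "$1" = 1 ]; then
        echo "$PRIMARY_IF $PRIMARY_GW"
    elif [ "$2" = 1 ]; then
        echo "$BACKUP_IF $BACKUP_GW"
    fi
}

# set_default IF GW: replace the default route in one step (no moment
# without a route) and, if conntrack-tools is installed, drop NAT state:
# flows bound to the dead line's address cannot survive the switch anyway.
set_default() {
    run_cmd ip route replace default via "$2" dev "$1"
    if command -v conntrack >/dev/null 2>&1; then
        run_cmd conntrack -F
    fi
}

# One pass of the check; run it from cron or a sleep loop.
failover_once() {
    p=0; b=0
    link_up "$PRIMARY_IF" && p=1
    link_up "$BACKUP_IF" && b=1
    set -- $(choose_gateway "$p" "$b")
    if [ -n "$1" ]; then
        set_default "$1" "$2"
    fi
}
```

Run `setup_nat` once at boot and `failover_once` every few seconds. Because the primary is preferred whenever it answers, the script also fails back to eth2 on its own when the master line returns; if you would rather avoid flapping, add a hysteresis count around `link_up` before switching.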
[LARTC] (no subject)
Hello

I was testing HTB using IPerf TCP traffic and the results were very good. Until I tried to add some UDP traffic the results were a little strange. This is my setup:

tc qdisc del dev eth1 root
tc qdisc add dev eth1 handle 1:0 root htb default 2

tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1mbit
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 500kbit ceil 1mbit
tc class add dev eth1 parent 1:1 classid 1:3 htb rate 500kbit ceil 1mbit

tc filter add dev eth1 protocol ip parent 1:0 prio 2 u32 match ip protocol 17 0xff flowid 1:3

tc qdisc add dev eth1 parent 1:2 handle 20 pfifo limit 10
tc qdisc add dev eth1 parent 1:3 handle 30 pfifo limit 10

This simple setup should split the 1mbit bandwidth between TCP and UDP. I run 2 IPerf clients simultaneously.
Server:
iperf -s -p 200
iperf -s -p 400 -u
Client:
iperf -c $ServerIP -p 200
iperf -c $ServerIP -p 400 -u

Then UDP traffic takes about 750kbit and TCP traffic takes about 250kbit. Can anyone tell me why that is?

thanks,
Ibrahim
[LARTC] Selectively filtering traffic in/out to common threshold
Hello again all, Question: I have a number of users who need to be shaped at different rates. My question is this: is there a way that I can shape both *inbound* and *outbound* traffic to not exceed a single threshold, i.e. they can get x kbps traffic in or x kbps out, but no more than x kbps in/out combined? Best Regards, -AL.
Re: [LARTC] htb2 -> htb3 problems
Martin Devera ([EMAIL PROTECTED]) wrote:
> > > remove cburst 1
> >
> > thanks!
> >
> > class htb 1:5500 parent 1:2 leaf 5500: prio 0 quantum 65536 rate 5Mbit
> > ceil 5Mbit burst 20Kb/8 mpu 0b cburst 8151b/8 mpu 0b level 0
> > Sent 45107618 bytes 42138 pkts (dropped 0, overlimits 0)
> > rate 608617bps 548pps backlog 40p
> > lended: 42098 borrowed: 0 giants: 0
> > tokens: 3908 ctokens: -11502
> >
> > but I see only 330Kbytes/sec flow (half of 5Mbit rate)
>
> From the above I see rate 608617bps = 4.7MBit. Probably it will settle down
> after some while. I suspect there is a problem in your way of measuring the
> rate. Also you can deliberately increase (c)burst to more than the default,
> say to 20kB; the larger the burst is, the more insensitive to CPU load
> it is ...

OK, I removed all manual settings of burst/cburst, and it works just fine. htb3 rocks! 30%/90% CPU usage on an 80Mbit stream with >500 classes on htb3/htb2 (P4 2GHz, 2.4.25 kernel with APIC, e1000 NIC).
-- Michael Vasilenko
Re: [LARTC] htb2 -> htb3 problems
> > remove cburst 1
>
> thanks!
>
> class htb 1:5500 parent 1:2 leaf 5500: prio 0 quantum 65536 rate 5Mbit
> ceil 5Mbit burst 20Kb/8 mpu 0b cburst 8151b/8 mpu 0b level 0
> Sent 45107618 bytes 42138 pkts (dropped 0, overlimits 0)
> rate 608617bps 548pps backlog 40p
> lended: 42098 borrowed: 0 giants: 0
> tokens: 3908 ctokens: -11502
>
> but I see only 330Kbytes/sec flow (half of 5Mbit rate)

From the above I see rate 608617bps = 4.7MBit. Probably it will settle down after some while. I suspect there is a problem in your way of measuring the rate. Also you can deliberately increase (c)burst to more than the default, say to 20kB; the larger the burst is, the more insensitive to CPU load it is ...

devik