Re: [LARTC] Route policy preference value
> You may well be right--I sometimes have a tendency to be verbose. I'll
> see what I can do to imagine an accurate and intuitive diagram.
>
> Thanks for the feedback,
>

It's OK, I think I have figured out the answer. The system will pick the
smaller number, meaning the smaller the number, the higher the preference.

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Route policy preference value
Ming-Ching,

 : > http://linux-ip.net/html/routing-selection.html#routing-selection-adv
 :
 : Gee, a simple illustration will explain it much better than
 : such a train of words.

Well...in that case...how do you feel about my pseudo-code locomotive?

You may well be right--I sometimes have a tendency to be verbose. I'll
see what I can do to imagine an accurate and intuitive diagram.

Thanks for the feedback,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
Re: [LARTC] Route policy preference value
> See also this description:
>
>   http://linux-ip.net/html/routing-selection.html#routing-selection-adv
>

Gee, a simple illustration will explain it much better than such a train of words.
Re: [LARTC] tcng + NAT
Hello,

you can try:

. . .
// ip header type of service
class ( <$adsl_high> ) if ip_tos == 0x80;

// metadata packet mark (set with iptables MARK)
class ( <$adsl_medium> ) if meta_nfmark == 0x30;
. . .

Cheers
Charles

On Mon, 2004-08-02 at 18:02, [EMAIL PROTECTED] wrote:
>
> Does anybody know how do you use tcng with packet marking? I'm
> masquerading my connection, so to shape outbound traffic I need to mark
> packets with iptables. But how do you make tcng recognize marked
> packets?
>
> Thanks for your help.
[LARTC] tcng + NAT
Does anybody know how do you use tcng with packet marking? I'm
masquerading my connection, so to shape outbound traffic I need to mark
packets with iptables. But how do you make tcng recognize marked
packets?

Thanks for your help.
Re: [LARTC] Split Access Routing and SNAT
One thing you might do if you use DNS is to create views, so hosts on the
LAN have a VIEW for them and resolve the internal IP.

Looks like you should specify with your NATting which interface the traffic
is outbound on, with -o eth1 or eth0, so that when it leaves eth2 it won't
source NAT.

Alexander W. Janssen ([EMAIL PROTECTED]) wrote:
>
>Hi all,
>
>I got the following configuration:
>* NET1: DSL Line with /28 network, let's call it 10.1.0.0/28
>* NET2: DSL Line with /28 network, let's call it 10.2.0.0/28
>* INTNET: Internal Network with productive servers and workstations,
>192.168.1.0/24
>Obviously the 10er networks are official networks but censored to
>protect my customer.
>The routerbox assigns on eth0 all IP-addresses from NET1, same for eth1
>and NET2. The internal net is on eth2.
>I've set up split-access routing like in the documentation, part "4.2.1.
>Split access". Every productive server gets its own routing table and its
>own SNAT/DNAT rule. Example is given for one server.
>
># Server 1, external 10.1.0.3, internal 192.168.1.2, table server1,
># default-gateway is 10.1.0.1 (DSL router)
>ip route add $NET1 dev eth0 src 10.1.0.1 table server1
>ip route add $INTNET dev eth2 table server1
>ip route add default via 10.1.0.1 table server1
>ip rule add from 192.168.1.2 table server1
># Now NAT
>iptables -t nat -A PREROUTING -d 10.1.0.3 -j DNAT --to-destination 192.168.1.2
>iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 10.1.0.3
>
>I do this for all servers on alternating IP addresses and lines.
>
>Eventually at the very end of the POSTROUTING-chain I got a catch-all SNAT
>for all workstations in INTNET to get SNATed access to the internet (only
>routed via one line):
>iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.0.1
>(where 10.1.0.1 is a designated IP address only used for the workstations
>- the servers all got their own IP-address.)
>Works so far.
>
>Now my problem: If a workstation from the internal network, let's say,
>wants to connect to the official IP-address of one of the servers, it
>doesn't work.
>Let's say 192.168.1.212 wants to connect to 10.1.0.3. It goes through its
>default gateway 192.168.1.1, which is the only IP address assigned on
>eth2, the internal interface. It hits the PREROUTING chain and gets DNATed
>to 192.168.1.2. It hits routing code and is matched against "$INTNET dev
>eth2" in table server1. It hits POSTROUTING and gets SNATed with 10.1.0.1,
>the external, designated IP-address of the router for the clients. It
>should be pushed out on the internal interface.
>The server receives the packet, processes it and sends back the answer to
>the router. The packet hits PREROUTING (from 192.168.1.2 to 10.1.0.1, no
>rule matches), hits routing-code and there is the problem I think.
>Destined for local interface, don't route. BANG.
>Is my observation at that point right? If yes, does somebody know how to
>achieve my goal, that internal IPs can connect to the external IPs? The
>term "CONNMARK" somehow popped up in my mind, but I haven't seen any
>useful examples yet how to use it properly.
>I hope I provided all necessary information; I know that "ip rule show" is
>missing to check the precedences of rules, but I don't have access to the
>system right now.
>Any hint is appreciated,
>thanks,
>Alex.
>

--
When dealing with a slow pipe, never underestimate the throughput of the
postal system.
Re: [LARTC] help on ADSL shaping
On Monday 02 August 2004 00:27 [EMAIL PROTECTED] wrote:
> In the village where I live we have created a wireless local network
> consisting of 10 houses. One of these houses has an ADSL connection and
> services this connection to the other houses.

Well, you could have a look at the existing shaper scripts, for example my
own ;-) which deals with this kind of problem; however, I never tested it
with WLAN, only in a cable-based LAN, where all clients are in the same
subnet and all IPs are known.

It's located here: http://www.metamorpher.de/fairnat/

I'm still working on some new features like load balancing (multiple
links), dynamic IP (DHCP) support with multiple subnets, and firewall
support, but those are still far away from being completed.

My page also describes exactly the kind of setup I use, so even if the
script is not useful to you, you might at least get some ideas on how to
do shaping in your own situation.

Andreas
[LARTC] Split Access Routing and SNAT
Hi all,

I got the following configuration:
* NET1: DSL Line with /28 network, let's call it 10.1.0.0/28
* NET2: DSL Line with /28 network, let's call it 10.2.0.0/28
* INTNET: Internal Network with productive servers and workstations,
  192.168.1.0/24
Obviously the 10er networks are official networks but censored to
protect my customer.

The routerbox assigns on eth0 all IP-addresses from NET1, same for eth1
and NET2. The internal net is on eth2.

I've set up split-access routing like in the documentation, part "4.2.1.
Split access". Every productive server gets its own routing table and its
own SNAT/DNAT rule. Example is given for one server.

# Server 1, external 10.1.0.3, internal 192.168.1.2, table server1,
# default-gateway is 10.1.0.1 (DSL router)
ip route add $NET1 dev eth0 src 10.1.0.1 table server1
ip route add $INTNET dev eth2 table server1
ip route add default via 10.1.0.1 table server1
ip rule add from 192.168.1.2 table server1
# Now NAT
iptables -t nat -A PREROUTING -d 10.1.0.3 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 10.1.0.3

I do this for all servers on alternating IP addresses and lines.

Eventually at the very end of the POSTROUTING-chain I got a catch-all SNAT
for all workstations in INTNET to get SNATed access to the internet (only
routed via one line):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.0.1
(where 10.1.0.1 is a designated IP address only used for the workstations
- the servers all got their own IP-address.)
Works so far.

Now my problem: If a workstation from the internal network, let's say,
wants to connect to the official IP-address of one of the servers, it
doesn't work.

Let's say 192.168.1.212 wants to connect to 10.1.0.3. It goes through its
default gateway 192.168.1.1, which is the only IP address assigned on
eth2, the internal interface. It hits the PREROUTING chain and gets DNATed
to 192.168.1.2. It hits routing code and is matched against "$INTNET dev
eth2" in table server1. It hits POSTROUTING and gets SNATed with 10.1.0.1,
the external, designated IP-address of the router for the clients. It
should be pushed out on the internal interface.

The server receives the packet, processes it and sends back the answer to
the router. The packet hits PREROUTING (from 192.168.1.2 to 10.1.0.1, no
rule matches), hits routing-code and there is the problem I think.
Destined for local interface, don't route. BANG.

Is my observation at that point right? If yes, does somebody know how to
achieve my goal, that internal IPs can connect to the external IPs? The
term "CONNMARK" somehow popped up in my mind, but I haven't seen any
useful examples yet how to use it properly.

I hope I provided all necessary information; I know that "ip rule show" is
missing to check the precedences of rules, but I don't have access to the
system right now.

Any hint is appreciated,
thanks,
Alex.
Re: [LARTC] help on ADSL shaping
[EMAIL PROTECTED] wrote:
>> [EMAIL PROTECTED] wrote:
>>> Hi
>>> I have read the howto on qdiscs a few times but I can't figure out how
>>> to use the shaping capabilities to serve my needs. In the village where
>>> I live we have created a wireless local network consisting of 10 houses.
>>> One of these houses has an ADSL connection and services this connection
>>> to the other houses. To gain access to the network a member must have an
>>> accesspoint in client mode; the idea is that if each house has to use a
>>> certain accesspoint (with a specific known ip address) to access the
>>> router then it must be possible to shape the traffic so no single house
>>> can dominate the out (and thus the incoming) traffic.
>>>
>>> The configuration:
>>>
>>> House with ADSL:                      A client house:
>>>      ((o))                                ((0))
>>>        |                                    |(Known ip)
>>>  eth0  |                                    |
>>> |Linux router|---| AP |            | AP |---| router |
>>> | SuSE 8.2   |                                  |
>>>       |                                    |         |
>>>       |                                  ------   ------
>>>  eth1 |                                 | PC 1 | | PC 2 |
>>>       |                                  ------   ------
>>>  __--__--__
>>> | Internet |
>>>  ----------
>>>
>>> One house might need to connect 1 PC another house 3, but I need to be
>>> sure that one house doesn't swallow the whole bandwidth. Is this
>>> possible?
>>>
>>> Best Regards
>>> Jakob Simon-Gaarde
>>>
>> Hi,
>>
>> You can use the tc program, and htb qdiscs to ensure that people are
>> guaranteed some bandwidth, so that one host cannot dominate the
>> network. As it is the Internet link that is the weak point, you need to
>> shape at the gateway.
>>
>> I am currently working on a script that deals out the bandwidth evenly
>> amongst hosts, so that when only one host uses the link, it gets full
>> speed, but if two are on it is 50/50, and so on. I hope to have it
>> finished in a month or so. Maybe you can use that.
>>
>> Also, if it is p2p traffic you are worried about, you could try the
>> p2pshaper. I posted a link in an earlier post.
>>
> That sounds very cool (and fair :) ) how do you plan to detect how many
> hosts are using the gateway? idle traffic or ping-like check?
> Some clients may have a hardware router on the other end so it is always
> on-line though maybe being idle for hours.

At first I was thinking of making a patch to the linux kernel. That would
be the "right" way of doing it. But it also requires people to patch
kernels, and I'm not that much into kernel hacking at the moment.

So actually, I just create a huge HTB tree and make rules for each host
(hosts should be in the 192.168.0.1 - 192.168.0.255 range) that put them
into priorities according to how fast they are downloading. The fastest
downloaders get the least priority. If I am not mistaken, this will make
the bandwidth split very fair, because each host will be ensured at least
their fraction of the bandwidth, while the others can borrow if you don't
use your share.

It might seem a bit cruel to make about 8 rules for each of the 255 hosts,
but if it just works, it might not be so big a problem. AFAIK, most
routers are doing nothing anyway, and can spare the extra cpu-cycles. And
maybe it can be made smarter by using massive filtering.

I will include some more documentation when I have completed the script.

cheers,
Nikolaj Fogh
Re: [LARTC] Route policy preference value
Ming-Ching,

 : Assuming I have rules matching the same packet, is the one chosen
 : the lower preference value or the higher?
 :
 : For example
 :
 : # ip rule list
 :
 : 100 from 192.168.1.0/24 lookup main
 : 200 from all fwmark 5 lookup first
 : .
 :
 : The packet is matching both rules; is the one with priority/preference
 : 100 or 200 selected?

The first matched rule in the routing policy database (RPDB) is the one
chosen. Rules are traversed from 0 to 32767. If a route match is found
for a given packet in a specified table, that route is used. If no match
is found in a given table, the (sequential) traversal of the RPDB
continues.

See also this description:

  http://linux-ip.net/html/routing-selection.html#routing-selection-adv

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
Re: [LARTC] Route policy preference value
On Mon, Aug 02, 2004 at 05:00:30PM +0800, Ming-Ching Tiew wrote:
>
> Assuming I have rules matching the same packet,
> is the one chosen the lower preference value or
> the higher?
>
> For example
>
> # ip rule list
>
> 100 from 192.168.1.0/24 lookup main
> 200 from all fwmark 5 lookup first
> .
>

From what I have understood it is the lower; beware, as pointed out to me
by Martin Brown, that failing a matching *route* from rule 100 it will
look for the route in the next matching *rule*. In my case I didn't define
a default route, but packets passed, since they arrived to get the one
defined in the main table.

sandro
*:-)

--
Sandro Dentella  *:-)
e-mail: [EMAIL PROTECTED]
http://www.tksql.org    TkSQL Home page - My GPL work
Re: [LARTC] tables and default
> First thing--I don't know why you are seeing this error from 'ip
> route get'. This should return the real route chosen. You could
> always try the ping and then check the route cache. This should
> help you identify the actual route chosen.
>
> Here's what's happening.
>
> - kernel gets packet and needs to select a route
> - according to rule 0, we look up in table local
> - perform route lookup in table local--no match!
> - according to rule 50, we look up in table bluff
> - perform route lookup in table local--no match!
> - according to rule 32767, we look up in table main
> - perform route lookup in table main-- MATCH!
> - route packet out default gateway
>
> If you add a route to table bluff as follows, you should effectively
> prevent 192.168.5.0/24 from reaching any network other than
> 192.168.5.0/24.
>
> ip route add blackhole default table bluff

thanks a lot for the explanation. This definitely solved my doubts. The
only remaining problem is the 'ip route get' error. I'm sure that in some
moments yesterday I could get an answer, now it always gives errors,
independent from the rule set...

sandro
*:-)

--
Sandro Dentella  *:-)
e-mail: [EMAIL PROTECTED]
http://www.tksql.org    TkSQL Home page - My GPL work
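The rule walk Martin describes above, and the 100-versus-200 question in the "Route policy preference value" thread on this page, as a small Python model added to this archive (it is not code from the list and not how the kernel implements the RPDB). Tables main, first and bluff, rule preferences 50/100/200 and every address are constructed to mirror the two threads.

```python
import ipaddress

# Constructed routing tables, (prefix, action) pairs: "main" and "first" carry
# a default route, "local" is left empty and "bluff" knows only its own subnet
# (so the blackhole added later still leaves 192.168.5.0/24 reachable).
TABLES = {
    "local": [],
    "main":  [("192.168.5.0/24", "dev eth1"), ("0.0.0.0/0", "via 10.0.0.1")],
    "first": [("0.0.0.0/0", "via 10.2.0.1")],
    "bluff": [("192.168.5.0/24", "dev eth1")],
}

# Constructed rules: (preference, selector, table); 0 and 32767 are the
# kernel's built-in local and main rules, the others mirror the threads.
RULES = [
    (0, {}, "local"),
    (50, {"from": "192.168.5.0/24"}, "bluff"),
    (100, {"from": "192.168.1.0/24"}, "main"),
    (200, {"fwmark": 5}, "first"),
    (32767, {}, "main"),
]

def add_route(table, prefix, action):
    """Model of 'ip route add <prefix> <action> table <table>'."""
    TABLES.setdefault(table, []).append((prefix, action))

def rule_matches(selector, src, fwmark):
    """A rule matches when every selector it carries agrees with the packet."""
    if "from" in selector and \
            ipaddress.ip_address(src) not in ipaddress.ip_network(selector["from"]):
        return False
    if "fwmark" in selector and selector["fwmark"] != fwmark:
        return False
    return True

def table_lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    best = None
    for prefix, action in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and \
                (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return None if best is None else best[1]

def rpdb_lookup(src, dst, fwmark=0):
    """Walk the rules in ascending preference; the first matching rule whose
    table yields a route decides.  A matching rule whose table has no route
    for dst falls through to the next rule, so an empty table blocks nothing."""
    for pref, selector, table in sorted(RULES, key=lambda r: r[0]):
        if rule_matches(selector, src, fwmark):
            action = table_lookup(table, dst)
            if action is not None:
                return pref, table, action
    return None  # no rule produced a route: the kernel would report unreachable

if __name__ == "__main__":
    print(rpdb_lookup("192.168.1.7", "8.8.8.8", fwmark=5))  # rule 100 beats 200
    add_route("bluff", "0.0.0.0/0", "blackhole")  # ip route add blackhole default table bluff
    print(rpdb_lookup("192.168.5.9", "8.8.8.8"))  # now caught by rule 50
```

Before the blackhole is added, a 192.168.5.9 packet matches rule 50 but table bluff has no route for an Internet destination, so the walk continues to 32767/main; afterwards the longest-prefix rule inside bluff still lets 192.168.5.0/24 reach itself.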
Re: [LARTC] help on ADSL shaping
> [EMAIL PROTECTED] wrote:
>> Hi
>> I have read the howto on qdiscs a few times but I can't figure out how to
>> use the shaping capabilities to serve my needs. In the village where I
>> live we have created a wireless local network consisting of 10 houses. One
>> of these houses has an ADSL connection and services this connection to the
>> other houses. To gain access to the network a member must have an
>> accesspoint in client mode; the idea is that if each house has to use a
>> certain accesspoint (with a specific known ip address) to access the
>> router then it must be possible to shape the traffic so no single house
>> can dominate the out (and thus the incoming) traffic.
>>
>> The configuration:
>>
>> House with ADSL:                      A client house:
>>      ((o))                                ((0))
>>        |                                    |(Known ip)
>>  eth0  |                                    |
>> |Linux router|---| AP |            | AP |---| router |
>> | SuSE 8.2   |                                  |
>>       |                                    |         |
>>       |                                  ------   ------
>>  eth1 |                                 | PC 1 | | PC 2 |
>>       |                                  ------   ------
>>  __--__--__
>> | Internet |
>>  ----------
>>
>> One house might need to connect 1 PC another house 3, but I need to be
>> sure that one house doesn't swallow the whole bandwidth. Is this
>> possible?
>>
>> Best Regards
>> Jakob Simon-Gaarde
>>
> Hi,
>
> You can use the tc program, and htb qdiscs to ensure that people are
> guaranteed some bandwidth, so that one host cannot dominate the
> network. As it is the Internet link that is the weak point, you need to
> shape at the gateway.
>
> I am currently working on a script that deals out the bandwidth evenly
> amongst hosts, so that when only one host uses the link, it gets full
> speed, but if two are on it is 50/50, and so on. I hope to have it
> finished in a month or so. Maybe you can use that.
>
> Also, if it is p2p traffic you are worried about, you could try the
> p2pshaper. I posted a link in an earlier post.
>

That sounds very cool (and fair :) ) how do you plan to detect how many
hosts are using the gateway? idle traffic or ping-like check?

Some clients may have a hardware router on the other end so it is always
on-line though maybe being idle for hours.
[LARTC] Route policy preference value
Assuming I have rules matching the same packet, is the one chosen the
lower preference value or the higher?

For example

# ip rule list

100 from 192.168.1.0/24 lookup main
200 from all fwmark 5 lookup first
.

The packet is matching both rules; is the one with priority/preference
100 or 200 selected?