[LARTC] traffic shaping a box with vpn tunnels.

2004-08-19 Thread Etienne Ledoux
Greetings,

I've got a server with a bunch of vpn (openvpn) tunnels terminating on it. I'm 
trying to limit the total bandwidth the tunnels can use to 3mbit. So I 
applied a rule like this:


~~~
tc qdisc add dev eth0 root handle 1: htb default 90
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 15k

# Default rule for eth0
tc class add dev eth0 parent 1:1 classid 1:90 htb rate 3mbit ceil 3mbit burst 15k
tc qdisc add dev eth0 parent 1:90 handle 90: sfq perturb 10
~~~

All traffic including tunnel traffic enters and leaves eth0. Hence I assumed 
this would work, even if there are lots of tun virtual interfaces. But I get 
the following error as soon as I apply this rule.

~~~
Aug 19 13:51:44 gw openvpn[4996]: write UDPv4 []: No buffer space available (code=105)
Aug 19 13:51:44 gw openvpn[5012]: write UDPv4 []: No buffer space available (code=105)
Aug 19 13:51:44 gw openvpn[5012]: write UDPv4 []: No buffer space available (code=105)
Aug 19 13:51:44 gw openvpn[3017]: write UDPv4 []: No buffer space available (code=105)
~~~

Searching archives I see that this usually means I have a crappy network card. 
I use an Intel onboard nic. Is this the cause of the problem? Is it a crappy 
nic to use? Or is it perhaps a problem between the buffering on the tunnel 
interfaces and the real interface? Or something? Should I ignore the error 
or is it dropping packets?

What can I do to resolve this problem?

tx

e.
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] Two Adsl connections following lartc.rpdb.multiple-links.html instructions....

2004-08-19 Thread mschonfeld
I think you don't have to add the default route via 200.138.255.254, that's why
all the packets go out via ppp0. The rest of the configuration is fine.

-
I have two adsl lines on my linux firewall box and i want to do some
load balance between them...i tried a lot of different things, but it
isn´t working...Following the instructions of
http://lartc.org/howto/lartc.rpdb.multiple-links.html i used the
configuration above. using iptraf I can see some few packets using the
ppp1 connection, but almost all the packets use ppp0 connection. I´m
doing something wrong? I´m forgetting something? Maybe my kernel
doesn´t support multipath? how can i check it?
I use Mandrake 10 (kernel 2.6)
2 adsl connections with 600 KB down and 300 KB up (ppp0 and ppp1)
Tks in advance!

ip route add 200.138.225.0/24 dev ppp0 src 200.215.125.195 table 10
ip route add default via 200.138.225.254 table 10
ip route add 201.3.196.0/24 dev ppp1 src 201.3.232.205 table 11
ip route add default via 201.3.196.254 table 11

ip route add 200.138.225.0/24 dev ppp0 src 200.215.125.195
ip route add 201.3.196.0/24 dev ppp1 src 201.3.219.25

ip route add default via 200.138.225.254

ip rule add from 200.215.125.195 table 10
ip rule add from 201.3.232.205 table 11

ip route add default scope global nexthop via 200.138.225.254 dev ppp0 weight 1 nexthop via 201.3.196.254 dev ppp1 weight 1


Re: [LARTC] tc+mrtg

2004-08-19 Thread Michael Eck
I can't seem to find tcrrd2.pl on the site.


On Fri, 23 Jul 2004 19:45:51 +0200, Stef Coene [EMAIL PROTECTED] wrote:
> On Tuesday 20 July 2004 07:43, Kristiadi Himawan wrote:
> > I already use external script that fetch iptables mangle table from
> > PREROUTING and POSTROUTING counter.
> > But the traffic isn't really accurate, i found when there's bulk UDP
> > traffic come to the shaper, my mrtg shown that
> > the traffic shown bigger than allocated bandwidth for that class. So the
> > question, it's possible to make script from tc command,
> > that count bandwidth actually passing through the shaper.
> You can patch snmp so you can get the tc counters and process them in a custom
> script or use mrtg:
> http://www.docum.org/docum.org/tc-snmp/
>
> Stef
>
> --
> [EMAIL PROTECTED]
>  Using Linux as bandwidth manager
>  http://www.docum.org/


Re: [LARTC] IP in IP tunneling [LARTC-HowTo update ?]

2004-08-19 Thread fechanti

I've tried with iproute and it works now !
commands for A:
ip tunnel add mode ipip tunl1 local IP_A remote IP_B
ip addr add dev tunl1 local virtual-IP_A remote virtual-IP_B
ip link set tunl1 up
Same on B.

And then from A i'm able to ping virtual-IP_B.

It seems one can not use tunl0 as a tunnel name, is it true?
I think it will be a good thing to add to the section 5.2 of the LARTC HowTo
the way to do a tunnel with the 'ip' commands and to specify that new_tunnel.o
is only in old kernel. But that's perhaps already in a TODO list...

Francois


[EMAIL PROTECTED] wrote:

> here is the config:
> (i cut the 192.168. part of IP addr)
>
> -A-B-C
>  3.3   5.3 5.4   4.4 4.1
>
> on A:
> ifconfig tunl0 192.168.3.3 pointopoint 192.168.5.4
> route add -net 192.168.4.0 netmask 255.255.255.0 dev tunl0
> on B:
> ifconfig tunl0 192.168.4.4 pointopoint 192.168.5.3
> route add -net 192.168.3.0 netmask 255.255.255.0 dev tunl0
>
> From A i can't ping C. Traceroute shows that packets don't even reach
> B.


Re: [LARTC] Help:how to filter PPP LCP packets?

2004-08-19 Thread Andy Furniss
swcims wrote:
> Hi all,
> I am using tc htb3.6 on Linux2.4.17, and it works well. I'd like to capture PPP
> LCP packets and put them into a high priority queue. But I don't know how to use u32,
> iptables or other methods to filter this type of packet.
> Would anyone please provide a suggestion? Thank you very much!

I would have thought that ppp would be before/after any shaping - so if 
it sends packets they won't queue.

Andy.


Re: [LARTC] Gamest and QoS

2004-08-19 Thread Andy Furniss
Marcin Sura wrote:
> Hi
> I share my bandwidth (adsl 512/128) between 12 users. I set up a simple qos script for
> incoming (IMQ) and outgoing traffic using htb in root, 4 classes and esfq qdisc at
> leafs.

If you are NATing then you need to patch/select options for IMQ, so that 
esfq will work properly with local addresses.

> Interactive traffic goes to class1, http, mail etc. to class2, p2p,
> ftp to class3, and rest to class4. Classes divide link in
> proportion 20% (prio 1), 40% (prio 2), 20% (prio 3), 20% (prio 4)

If you really want latency to come first using HTB you need to give 
class one almost all of the rate and make the rest borrow.

> This works very well when users are surfing the internet (www, mail, ssh), but is
> insufficient when i really need low, stable latency for example for games.
> Games traffic is in class1.
> Without QoS, while uploading some files via ftp i have pings (in my favourite
> game) 1000+. With my qos script my ping lowers to 150 - 300, but is
> very unstable.

On just upload you should be able to get between your baseline ping and 
about 90ms with 128k and MTU 1500.

There is a tweak to HTB you can use to help accuracy -
Set HTB_HYSTERESIS 0 in net/sched/sch_htb.c
If I had 128k up I would mss clamp to say 576 any traffic classes that 
send a lot of data. I would do this for bittorrent anyway as it is hard 
to shape (ingress) and reducing the packet size helps.

> Is there any way to configure htb, to have good, __STABLE__ pings (40 - 100)
> while other people are exploring the internet.

This can be tricky, shaping traffic from the wrong end of the bottleneck 
is not as easy as upstream.

I have 512 down and can stop browsing hurting latency by having a class 
with ceil half my rate (about 80% of link speed). Using connbytes the 
first 80KB of new connections go here and it has a short (16 packet) 
queue - so that packets get dropped and get the new connections out of 
slowstart before they get too fast.

The trouble is that it only works well if there is no other traffic 
using the bandwidth. If you share and let bulk traffic have any spare 
then there will be a brief latency rise when people browse big pages.

P2P and bittorrent are harder to shape on ingress than real servers 
and need lower % of bandwidth and clamping to keep the packets small.

> I use default htb parameters, maybe i must change some of them? Any
> suggestions?

Set burst on bulk classes low and quantums to MTU / what you clamp to.
Unless you are going to try Ed Wildgooses' DSL patch, set ingress and 
egress to 80% of advertised bandwidth.

Andy.
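
The egress side of the advice in this reply, as an added example that is not part of the original message or either poster's script: a generator that prints the tc commands for a four-class HTB tree shaped to 80% of the advertised uplink, with class 1 holding most of the rate and the bulk classes borrowing. The device name, the 70% share for class 1, the class ids and the use of fwmarks 1 to 3 for classification are assumptions.

```shell
#!/bin/sh
# Added example: prints tc commands only; review them, then pipe to sh as root.
# Assumptions (not from the thread): fwmarks 1-3 are set elsewhere in iptables
# mangle, unmarked traffic falls into 1:40, class 1 gets 70% of the shaped rate.

# pct VALUE PERCENT -> integer percentage of VALUE
pct() { echo $(( $1 * $2 / 100 )); }

# htb_egress DEV ADVERTISED_KBIT PKT_BYTES
#   PKT_BYTES is the MTU, or the size bulk traffic is clamped to.
htb_egress() {
    dev=$1; adv=$2; pkt=$3
    ceil=$(pct "$adv" 80)        # shape to 80% of advertised bandwidth
    hi=$(pct "$ceil" 70)         # class 1 holds almost all of the rate
    lo=$(( (ceil - hi) / 3 ))    # the rest get a small rate and borrow up to ceil
    echo "tc qdisc add dev $dev root handle 1: htb default 40"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${ceil}kbit ceil ${ceil}kbit"
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${hi}kbit ceil ${ceil}kbit prio 0"
    for n in 2 3 4; do
        # bulk classes: low burst, quantum equal to the (clamped) packet size
        echo "tc class add dev $dev parent 1:1 classid 1:${n}0 htb rate ${lo}kbit ceil ${ceil}kbit prio $n burst $pkt quantum $pkt"
    done
    for n in 1 2 3; do
        # classify on fwmark; anything unmarked uses the htb default class
        echo "tc filter add dev $dev parent 1: protocol ip prio $n handle $n fw flowid 1:${n}0"
    done
}

# tx_delay_ms BYTES KBIT -> time in ms to serialize one packet onto the link.
# A queued interactive packet waits at least this long behind a bulk packet
# that is already being sent, which is why smaller bulk packets help.
tx_delay_ms() { echo $(( $1 * 8 / $2 )); }
```

For a 128 kbit uplink, `htb_egress ppp0 128 576` prints nine commands, and `tx_delay_ms` gives 93 ms for a 1500-byte packet against 36 ms for a 576-byte one.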


[LARTC] Load Balance adsl connections: a complete explanation of my case...

2004-08-19 Thread favero
I have a linux server running Mandrake 10, with the kernel 
configured with CONFIG_IP_ADVANCED_ROUTER=y 
CONFIG_IP_MULTIPLE_TABLES=y 
CONFIG_IP_ROUTE_MULTIPATH=y options, with 4 ethernet 
cards:
- 2 ethernet used to connect to my lan (eth0=192.168.1.x and 
eth1=192.168.2.x)
- 2 ethernet used to internet connection (2 adsl lines, both 
with 600/300 kbits)
The two lan are used to share the internet connection with my 
friends. We run p2p services on the linux server, so all the 
heavy traffic is generated directly by the linux server. 
The main objective here is to load balance the traffic 
generated by the p2p services running on the server and the 
lan through the 2 adsl lines, and make the 2 adsl 600/300 
kb/sec looks like a 1200/600 kb/sec connection...


Here is a diagram of the network (i don´t know if it helps.. 
but.. here it is):
          ____________________
eth0     |                    |  ppp0
_________|    Linux Server    |__________
         | (Firewall + P2p    |
_________| +Traffic control   |__________
eth1     | +Load Balance)     |  ppp1
         |____________________|

To make the traffic control i mark all packets using iptables, 
then i put identical cbq rules on each ppp connection. My idea 
is that the packets go to the cbq qdiscs only after they were 
routed to that ppp connection... is that right? If it is, this 
might work...
The load balance is a problem.. i tried to load balance using 
the commands below:

ip rule add from 200.193.25.93 lookup 1
ip route add 192.168.1.0/24 via 192.168.1.1 table 1
ip route add 192.168.2.0/24 via 192.168.2.1 table 1
ip route add 0/0 via 200.138.225.254 table 1

ip rule add from 201.3.232.150 lookup 2
ip route add 192.168.1.0/24 via 192.168.1.1 table 2
ip route add 192.168.2.0/24 via 192.168.2.1 table 2
ip route add 0/0 via 201.3.196.254 table 2

ip route add default equalize nexthop via 200.138.225.254 dev ppp0 nexthop via 201.3.196.254 dev ppp1

But... when i use the above commands the lan can´t 
communicate with the internet, just the linux server can see 
the internet... so i need to put one of the ppp connection as 
a default gateway to make the lan see the internet, using 
the command:

route add default gw 200.138.225.254

then, i get this route table:

200.138.225.254 *               255.255.255.255 UH    0      0        0 ppp0
201.3.196.254   *               255.255.255.255 UH    0      0        0 ppp1
192.168.4.0     *               255.255.255.0   U     0      0        0 eth3
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         201.3.196.254   0.0.0.0         UG    0      0        0 ppp1
default         200.138.225.254 0.0.0.0         UG    0      0        0 ppp0

But, in this case, the traffic coming from the lan doesn´t get 
load balanced... it just goes through the ppp0 (200.138.225.254), 
and it looks very strange to me to have two default gateways. 
Even if i keep the first configuration option, without using 
the route add default gw 200.138.224.254 command, and 
keeping the lan disconnected (for test purposes) i can see 
that the traffic generated by the linux server uses the 2 adsl 
lines, but it doesn´t make a load balance...if i make 
a traceroute it ALWAYS goes through the first NEXTHOP ip 
configured on the ip route add default equalize nexthop 
command...
Even if i give a ip route list cache and catch a ip that on the 
cache route list goes through the second nexthop ip, the 
traceroute goes through the first nexthop ip... So i don´t 
understand: why doesn´t the traceroute use the cached route? I 
can only imagine that something is wrong in my 
configuration...
And worse: keeping the server running with two default 
gateways for a long time i can see that the traffic NEVER gets 
more than 80 Kbytes/sec (640 Kbytes)...In a healthy system 
with correct configuration, running p2p services, with hundreds 
of simultaneous connections, the speeds should go near the 
1000 kbits (125 Kbytes/sec) even if i consider the adsl 
overhead...
Does someone have some idea of where the problem is? Why do i get 
a poor load balance that never gets more than 60% of the 
bandwidth of each adsl?
The internet has just a few load balance information... i read 
almost all the pages google could find and i still can´t figure 
out what´s the problem.. I´ll appreciate all help u can give 
me!
Tks in advance!
Fernando Favero
