[LARTC] Does anyone have a working proxyARP setup?
If you have a working proxyARP setup, will you please post it? I've tried to insert a Linux box between the DSL connection and the switch, but I'm getting nowhere. Everything works correctly when all the servers in this network use the switch to get to the DSL. Any box directly connected to the DSL also works correctly.

http://www.sjdjweis.com/linux/proxyarp/ makes it sound easy, but none of the machines except the new one can get out when I set this up. From any computer except the intended proxyARP box, 'traceroute -n ANYTHING' stops after the first hop (.96) succeeds; 'ping .97' fails. I don't know (or care yet) if anything gets in.

(I really have a /29 network, but for consistency I'm showing a /28):

gypsy> ifconfig eth0 x.x.x.96 broadcast x.x.x.111 netmask 255.255.255.240
gypsy> ifconfig eth1 x.x.x.96 broadcast x.x.x.111 netmask 255.255.255.240
gypsy> route add default gw x.x.x.97 metric 1

Weis> # interface definitions
Weis> BAD_IFACE=eth0
Weis>
Weis> DMZ_IFACE=eth1
Weis> DMZ_ADDR=x.x.x.96/28
Weis>
Weis> ip route del x.x.x.96/28 dev $BAD_IFACE
Weis> ip route del x.x.x.96/28 dev $DMZ_IFACE
Weis> ip route add x.x.x.97 dev $BAD_IFACE
Weis> ip route add x.x.x.96/28 dev $DMZ_IFACE
Weis>
Weis> # we need proxy arp for the dmz network
Weis> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
Weis> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
Weis>
Weis> # turn on ip forwarding
Weis> echo 1 > /proc/sys/net/ipv4/ip_forward

The kernel is 2.4.26, iproute2 is 2-2.6.8

--
Call me stumped,
gypsy

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
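A complete proxy-ARP "bump in the wire" in the style of the quoted recipe, added here as an example; it is not gypsy's setup and not the sjdjweis.com script. Addresses are TEST-NET-2 placeholders (box 198.51.100.100/28, network 198.51.100.96/28, upstream router 198.51.100.97) and the interface names are assumptions. By default it only prints the commands it would run; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the LARTC post or from sjdjweis.com).
# Topology assumed (placeholder addresses):
#   router 198.51.100.97 --- eth0 [this box 198.51.100.100/28] eth1 --- switch --- LAN hosts
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# setup_proxy_arp OUT_IF IN_IF ADDR/PLEN NET/PLEN ROUTER
setup_proxy_arp() {
    out_if=$1 in_if=$2 addr=$3 net=$4 router=$5

    # The same address sits on both interfaces, so the LAN keeps its
    # addressing and nothing behind the box is renumbered.
    run ip addr add "$addr" brd + dev "$out_if"
    run ip addr add "$addr" brd + dev "$in_if"

    # Drop the two automatic "connected" routes: with them the kernel treats
    # the whole prefix as reachable on either side and never needs to proxy.
    run ip route del "$net" dev "$out_if"
    run ip route del "$net" dev "$in_if"

    # Only the router is on the outside; the rest of the prefix is inside.
    # Proxy ARP answers on one side for addresses routed out the other side,
    # so this split is what makes the box answer correctly.
    run ip route add "$router" dev "$out_if"
    run ip route add "$net" dev "$in_if"
    run ip route add default via "$router" dev "$out_if"

    run sysctl -w "net.ipv4.conf.$out_if.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$in_if.proxy_arp=1"
    run sysctl -w net.ipv4.ip_forward=1

    # Forwarding is now on for every interface; pin it to the two directions
    # this box exists for. Per-service restrictions for the LAN servers go here.
    run iptables -A FORWARD -i "$in_if" -o "$out_if" -j ACCEPT
    run iptables -A FORWARD -i "$out_if" -o "$in_if" -j ACCEPT
}

# Stand-alone run: print the plan for the assumed interfaces and addresses.
setup_proxy_arp eth0 eth1 198.51.100.100/28 198.51.100.96/28 198.51.100.97
```

Two things to check after applying it for real: `ip route get 198.51.100.97` must point out of the outside interface and `ip route get <lan host>` out of the inside one, and rp_filter should be off on both interfaces, since the asymmetric host/prefix routes above are exactly what strict reverse-path filtering rejects.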
RE: [LARTC] Delay packets by 50ms
Hi Stephen,

Getting the latest iproute2 solved my problem. Thanks!

-----Original Message-----
From: Stephen Hemminger [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 08, 2004 3:55 PM
To: Anshuman Kanwar
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] Delay packets by 50ms

On Fri, 2004-10-08 at 15:38 -0700, Anshuman Kanwar wrote:
> Hi all,
>
> I am trying to solve a tiny problem that is trivial to solve using
> dummynet (FreeBSD).
>
> I just want to add a delay of 50ms to each outgoing packet from an
> interface. This is to simulate a large pool of multiple modem users so
> I also need to add b/w limits etc (which seems to be easy to do).
>
> From the mailing list I could find 2 qdiscs that can
> simulate latency : "delay" & "netem". Neither of them is working on my
> setup though ( Fedora core2 [2.6.5] or RHEL 3.0 update 2 or gentoo
> [2.6.8] ). Is something special needed to enable these qdiscs ?

delay was my earlier name, netem is the current one. Netem went into mainline kernel 2.6.8 (also 2.4.27)

> I tried applying the patch
> (http://www.uwsg.iu.edu/hypermail/linux/net/0403.2/0019.html)
> and recompiled the kernel but the tc command returns "RTNETLINK
> answers: Invalid argument".

You probably need to build/run newer version of tc see http://developer.osdl.org/dev/iproute2
Re: [LARTC] Excess Bandwidth
Hej Ronaldo

Remember to prioritize the excess bandwidth. If you are using HTB, read the bottom section of the manual: http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio

The "prio" parameter will help you with your problem: give the child classes a priority from 1-3, where 1 is the highest priority and 3 is the lowest.

On Fri, 2004-10-08 at 22:37, Ronaldo Z. Afonso wrote:
> Hi,
>
> I'm trying to configure QoS on my linux in the following manner:
> I have a main link with 64K, so I divided it in 3 classes of 18K, 14K
> and 9K with an excess (not used for classified traffic, just to be
> shared) of 23K. This excess should be distributed proportionally among
> the 3 classes, that is, the class that has more rate should borrow more
> bandwidth. What is happening is just the opposite, the class that has
> less rate is borrowing more bandwidth. A representation of my
> "hierarchical class layout" is as follows:
>
>                 root - 64K
>
>     A - 18K      B - 14K      C - 9K
>
> I have read some documentation that says it should work exactly in
> this way, but it is not happening in my environment. All the tests I
> did show me that the class with less rate is borrowing more bandwidth.
> Can anyone help me?
[LARTC] Sending and receiving
Hi all.

Here's the situation: a Linux box with eth0 connected to the LAN, and eth1 connected to the internet via cable modem. Connected to the LAN are some VoIP devices; I've configured HTB on eth1 to save some bandwidth for the VoIP devices.

Now I have another issue: at some hours of the day, some servers in the LAN download data from other servers on the internet and they use all the bandwidth available.

My question is the following. Is applying some classes to eth0 a good way to reserve some bandwidth for the traffic that comes from the internet to the VoIP devices? I mean, is this a good way to manage the "download" traffic?

Thanks and best regards
[LARTC] Excess Bandwidth
Hi,

I'm trying to configure QoS on my linux in the following manner:

I have a main link with 64K, so I divided it in 3 classes of 18K, 14K and 9K with an excess (not used for classified traffic, just to be shared) of 23K. This excess should be distributed proportionally among the 3 classes, that is, the class that has more rate should borrow more bandwidth. What is happening is just the opposite, the class that has less rate is borrowing more bandwidth. A representation of my "hierarchical class layout" is as follows:

                root - 64K

    A - 18K      B - 14K      C - 9K

I have read some documentation that says it should work exactly in this way, but it is not happening in my environment. All the tests I did show me that the class with less rate is borrowing more bandwidth.

Can anyone help me?

--
Ronaldo Z. Afonso
Junior Software Designer
Cyclades Brasil
[EMAIL PROTECTED]
Phone: 55 11 5033-3361
Fax: 55 11 5033-3388
www.cyclades.com.br
"Everywhere with Linux"
[LARTC] Ceiling question
Hi!

I have a setup where I want to prefer traffic on one port (for testing purposes I used port 22). My setup is:

tc qdisc add dev eth3 root handle 1: htb default 30
tc class add dev eth3 parent 1: classid 1:1 htb rate 96mbit burst 15k
tc class add dev eth3 parent 1: classid 1:7 htb rate 2mbit burst 15k
tc class add dev eth3 parent 1:1 classid 1:10 htb rate 96mbit burst 15k
tc class add dev eth3 parent 1:7 classid 1:20 htb rate 1800kbit ceil 2mbit burst 15k
tc class add dev eth3 parent 1:7 classid 1:30 htb rate 200kbit ceil 2mbit burst 15k
tc qdisc add dev eth3 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth3 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth3 parent 1:30 handle 30: sfq perturb 10

U32="tc filter add dev eth3 protocol ip parent 1:0 prio 1 u32"
$U32 match ip src 81.223.175.128/26 flowid 1:10
$U32 match ip dst 192.168.5.9 match ip sport 22 0xffff flowid 1:20
$U32 match ip dst 192.168.5.9 match ip dport 22 0xffff flowid 1:20
$U32 match ip dst 192.168.5.10 match ip sport 22 0xffff flowid 1:20
$U32 match ip dst 192.168.5.10 match ip dport 22 0xffff flowid 1:20

What I would like to achieve is that traffic on port 22 always has 1800kbit, regardless of traffic on any other port, but if there is no traffic on port 22 the rest can claim the whole bandwidth (i.e. 2.3 mbit). However, if I set the ceiling to 2mbit on both, they seem to share the bandwidth evenly. If I set the ceiling to 512k on 1:30, I get better performance on 1:20.

Do I not understand the concept correctly? I assumed that the rate would give me the guaranteed bandwidth for each class, and the ceiling is there to make it use what's "left over" from the other classes. If someone could enlighten me, I would appreciate it.

Thanks,
.peter
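Both the "Excess Bandwidth" thread above and this ceiling question come down to how HTB hands out bandwidth above each class's rate. The rules are: excess goes first to the child classes with the lowest prio number; among children of equal prio it is split in proportion to their quantum; and when no quantum is given, HTB derives one as rate-in-bytes divided by r2q (default 10) and clamps it to the range 1000..200000 bytes, printing "quantum of class X is small. Consider r2q change." when it does. With rates of 18/14/9 kbit every quantum clamps to 1000, so the excess is split three ways regardless of rate. The following is an added example, not code from either post: it computes the quantum and the resulting split, and emits a class tree that sets quantum and prio explicitly. The interface name and class ids are assumptions; DRY_RUN=1 (the default) only prints the tc commands.

```shell
#!/bin/sh
# Added example (not from the LARTC posts): HTB excess-bandwidth arithmetic
# and a tree that makes the split explicit. DRY_RUN=0 applies the commands.

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# tc's "kbit" is 1000 bit/s; HTB works in bytes/s.
kbit_to_bytes() { echo $(( $1 * 1000 / 8 )); }

# htb_quantum RATE_BYTES R2Q -> the quantum HTB derives when none is given
htb_quantum() {
    q=$(( $1 / $2 ))
    if [ "$q" -lt 1000 ]; then q=1000; fi
    if [ "$q" -gt 200000 ]; then q=200000; fi
    echo "$q"
}

# excess_shares EXCESS_KBIT R2Q RATE_KBIT... -> share of the excess, in bit/s,
# each class gets when all of them want to borrow, none hits its ceil and all
# have the same prio: excess * quantum_i / sum(quantum).
excess_shares() {
    excess=$(( $1 * 1000 )); r2q=$2; shift 2
    sum=0; qlist=""
    for rate in "$@"; do
        q=$(htb_quantum "$(kbit_to_bytes "$rate")" "$r2q")
        qlist="$qlist $q"; sum=$(( sum + q ))
    done
    out=""
    for q in $qlist; do out="$out$(( excess * q / sum )) "; done
    echo "${out% }"
}

# htb_tree DEV R2Q TOTAL_KBIT RATE_KBIT:PRIO... -> emits the tc commands.
# Each child gets an explicit quantum (its rate in bytes), so the clamp never
# applies, and ceil = TOTAL lets every child borrow up to the link. A child
# with a lower prio number is served excess before the others.
htb_tree() {
    dev=$1 r2q=$2 total=$3; shift 3
    run tc qdisc add dev "$dev" root handle 1: htb default 30 r2q "$r2q"
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${total}kbit" ceil "${total}kbit"
    id=10
    for spec in "$@"; do
        rate=${spec%%:*}; prio=${spec#*:}
        run tc class add dev "$dev" parent 1:1 classid "1:$id" htb \
            rate "${rate}kbit" ceil "${total}kbit" prio "$prio" \
            quantum "$(kbit_to_bytes "$rate")"
        run tc qdisc add dev "$dev" parent "1:$id" handle "$id:" sfq perturb 10
        id=$(( id + 10 ))
    done
}

# Stand-alone: the two splits for the thread's numbers, then the tree.
echo "excess split with r2q 10: $(excess_shares 23 10 18 14 9)"
echo "excess split with r2q 1:  $(excess_shares 23 1 18 14 9)"
htb_tree eth0 1 64 18:1 14:2 9:3
```

With r2q 10 the three shares come out equal (7666 bit/s each); with r2q 1, or with the explicit quantum the tree sets, they follow the rates (10097, 7853 and 5048 bit/s). For the ceiling question the same mechanism applies: giving 1:20 a lower prio number than 1:30 makes it receive the excess first, instead of sharing it by quantum.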
Re: [LARTC] Delay packets by 50ms
On Fri, 2004-10-08 at 15:38 -0700, Anshuman Kanwar wrote:
> Hi all,
>
> I am trying to solve a tiny problem that is trivial to
> solve using dummynet (FreeBSD).
>
> I just want to add a delay of 50ms to each outgoing
> packet from an interface. This is to simulate a large
> pool of multiple modem users so I also need to add b/w
> limits etc (which seems to be easy to do).
>
> From the mailing list I could find 2 qdiscs that can
> simulate latency : "delay" & "netem". Neither of them is
> working on my setup though ( Fedora core2 [2.6.5] or RHEL
> 3.0 update 2 or gentoo [2.6.8] ). Is something special
> needed to enable these qdiscs ?

delay was my earlier name, netem is the current one. Netem went into mainline kernel 2.6.8 (also 2.4.27)

> I tried applying the patch
> (http://www.uwsg.iu.edu/hypermail/linux/net/0403.2/0019.html)
> and recompiled the kernel but the tc command returns
> "RTNETLINK answers: Invalid argument".

You probably need to build/run newer version of tc see http://developer.osdl.org/dev/iproute2
[LARTC] Delay packets by 50ms
Hi all,

I am trying to solve a tiny problem that is trivial to solve using dummynet (FreeBSD).

I just want to add a delay of 50ms to each outgoing packet from an interface. This is to simulate a large pool of multiple modem users so I also need to add b/w limits etc (which seems to be easy to do).

From the mailing list I could find 2 qdiscs that can simulate latency : "delay" & "netem". Neither of them is working on my setup though ( Fedora core2 [2.6.5] or RHEL 3.0 update 2 or gentoo [2.6.8] ). Is something special needed to enable these qdiscs ?

I tried applying the patch (http://www.uwsg.iu.edu/hypermail/linux/net/0403.2/0019.html) and recompiled the kernel but the tc command returns "RTNETLINK answers: Invalid argument".

What am I doing wrong ?

Thanks much,
-ansh
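What the thread converges on (netem for the delay, a newer tc to talk to it, and a separate rate limiter for the bandwidth part) looks like this in practice. The script is an added example and not from any of the posts: netem is a classful qdisc with exactly one class, 1:1, so a tbf rate limiter hangs below it as a child. Interface name, delay, jitter and rate are assumptions; DRY_RUN=1 (the default) prints the commands, DRY_RUN=0 applies them and needs root, a kernel with sch_netem (2.6.8 or 2.4.27 and later) and a tc that knows the netem qdisc.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): fixed latency plus a
# modem-like rate cap on an egress interface. DRY_RUN=0 applies.

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# modem_emulation DEV DELAY_MS JITTER_MS RATE_KBIT
modem_emulation() {
    dev=$1 delay=$2 jitter=$3 rate=$4
    # start clean: remove whatever root qdisc is there (errors if none; harmless)
    run tc qdisc del dev "$dev" root
    # every packet leaving DEV is held DELAY +/- JITTER before transmission
    run tc qdisc add dev "$dev" root handle 1: netem delay "${delay}ms" "${jitter}ms"
    # token bucket under netem's single class 1:1: the rate cap is what makes
    # the link behave like a modem. buffer = bucket size in bytes,
    # limit = bytes that may queue before tail-drop sets in.
    run tc qdisc add dev "$dev" parent 1:1 handle 10: tbf rate "${rate}kbit" buffer 1600 limit 3000
}

# modem_emulation_status DEV -> shows what is installed, with counters.
# "RTNETLINK answers: Invalid argument" on the add step usually means the
# tc binary is older than the kernel's netem, not that the kernel lacks it.
modem_emulation_status() {
    run tc -s qdisc show dev "$1"
}

# Stand-alone: a 50ms +/- 5ms, 56kbit "modem" on eth0
modem_emulation eth0 50 5 56
modem_emulation_status eth0
```

The delay applies only to packets leaving the interface, so a round trip through a box set up this way grows by 50ms on the way out; to delay both directions, apply the same pair on the interface facing the other side as well.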
[LARTC] shaping outbound ftp traffic
Yes, inbound is affected even though outbound transfers are suspended. The inbound is shaped to 39K. This is what totally confuses me. I thought with my script that only traffic leaving source ports 5-51000 & 65437 should be shaped. But it is also shaping traffic entering my machine on the same ports.

> Is the inbound rate affected even if there are no outbound transfers?
> Is the speed actually being "limited" to a certain speed, or are you just noticing that the inbound/upload traffic is slower than it should be.
>
> The reason I ask is because you're tagging all outbound ftp-data traffic (ports 5:51000) and directing it to the class with 39kbps. If you have outbound/download transfers going, they may be using all the available outbound bandwidth for that class and causing outbound ACK packets (for the inbound/upload traffic) to queue and throttle the inbound speed.
>
> Please don't flame me if I'm way off base...
>
> Assumption:
> - data connection is bi-directional. ie. the data connection is made on the specified PASV (server) ports (5:51000) regardless of whether it's an upload or download.
>
> Test:
> - simply kill all downloads and see if the uploads are still affected.
> - or you can tag outbound ACK packets and filter them into the faster class.
>
> chris
>
>>> Theory is.. You can only shape outbound traffic.
>>> Inbound is via tcp windowshaping etc..
>>
>> In theory yes, but it is shaping inbound transfers to my server.
>>
>>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
>>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 5:51000 -j MARK --set-mark 20
>>>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>>>
>>> Why do you care about destination port? AFAIK, it shouldn't affect your wants since you're not filtering on incoming traffic
>>
>> I don't care about destination port. That line was commented. BUT, incoming transfers are being shaped for some reason.
>>
>>> Is this legal?? 1mbps?? Wow.. 1*1E6?
>>
>> I just did that to make sure lan traffic was not affected at all.
>>
>> entire script for reference
>>
>> I am using the following script to limit my outbound traffic. This script runs on a box behind my firewall. It limits my outbound passive ftp traffic to 39K perfectly, just like I want. However, I just noticed that it is also limiting uploads coming to my server.
>>
>> Is there something I can change to make it not limit uploads to my server?
>>
>> #!/bin/bash
>> #shaping passive ftp traffic
>>
>> # mark the outbound passive ftp packets on ports 5-51000
>> iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
>> iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
>> iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
>>
>> iptables -t mangle -N MYSHAPER-OUT
>> iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT
>>
>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 5:51000 -j MARK --set-mark 20
>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>>
>> # clear it
>> tc qdisc del dev eth0 root
>>
>> #add the root qdisc
>> tc qdisc add dev eth0 root handle 1: htb default 26
>>
>> #add main rate limit class
>> tc class add dev eth0 parent 1: classid 1:1 htb rate 1mbps
>>
>> #add leaf classes
>> tc class add dev eth0 parent 1:1 classid 1:26 htb rate 1mbps
>> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 39kbps
>>
>> #filter traffic into classes
>> tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
>> tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26
[LARTC] shaping outbound ftp traffic
> In theory yes, but it is shaping inbound transfers to my server.
> You're not doing any other sort of Ingress filters are you??

No

> I don't care about destination port. That line was commented. BUT, incoming
> transfers are being shaped for some reason.
> Could this be shaping on the ISP side?? What happens when the tc rules
> are shut off??

No, everything works fine

> Can you determine what ports are being used for inbound data transfers?
> What makes you select those ports you defined as the outbound??

Same ports, 5-51000 and 65437. I chose these ports because they are the ports that I have passive ftp traffic on and 65437 is the active ftp port. I just don't understand why the inbound traffic is being limited. The outbound shaping works fine.

Script:

I am using the following script to limit my outbound traffic. This script runs on a box behind my firewall. It limits my outbound passive ftp traffic to 39K perfectly, just like I want. However, I just noticed that it is also limiting uploads coming to my server.

Is there something I can change to make it not limit uploads to my server?

#!/bin/bash
#shaping passive ftp traffic

# mark the outbound passive ftp packets on ports 5-51000
iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null

iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT

iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 5:51000 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

# clear it
tc qdisc del dev eth0 root

#add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 26

#add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 1mbps

#add leaf classes
tc class add dev eth0 parent 1:1 classid 1:26 htb rate 1mbps
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 39kbps

#filter traffic into classes
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26
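The mechanism chris describes in the thread is that the 39k class fills with outbound ftp-data, and the ACKs that the inbound uploads depend on are stuck behind it in the same class, since they leave from the same source ports and carry the same mark. His second test, tagging outbound ACKs and filtering them into a faster class, looks like this. It is an added example, not the poster's script: the same HTB layout with one extra class for bare TCP ACKs, fed by a u32 filter that runs before the fw filters. The interface name, uplink rate and the passive port range are assumptions (50000:51000 is a placeholder; substitute your own PASV range); DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example (not the poster's script): FTP shaper with a separate,
# first-served class for pure TCP ACKs. DRY_RUN=0 applies the commands.

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# ftp_shaper DEV UPLINK_KBIT FTPDATA_KBIT PASV_PORTS ACTIVE_PORT
ftp_shaper() {
    dev=$1 up=$2 ftp=$3 pasv=$4 active=$5

    # Marks as in the original script; the chain is recreated each run
    # (the first three commands fail harmlessly on a fresh box).
    run iptables -t mangle -D POSTROUTING -o "$dev" -j MYSHAPER-OUT
    run iptables -t mangle -F MYSHAPER-OUT
    run iptables -t mangle -X MYSHAPER-OUT
    run iptables -t mangle -N MYSHAPER-OUT
    run iptables -t mangle -I POSTROUTING -o "$dev" -j MYSHAPER-OUT
    run iptables -t mangle -A MYSHAPER-OUT -p tcp --sport "$active" -j MARK --set-mark 20
    run iptables -t mangle -A MYSHAPER-OUT -p tcp --sport "$pasv" -j MARK --set-mark 20
    run iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

    run tc qdisc del dev "$dev" root
    run tc qdisc add dev "$dev" root handle 1: htb default 26
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${up}kbit" ceil "${up}kbit"
    # 1:10 ACKs: small guaranteed rate, may borrow up to the uplink, served first (prio 0)
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate 32kbit ceil "${up}kbit" prio 0
    # 1:26 everything else (child rates add up to the parent's rate)
    run tc class add dev "$dev" parent 1:1 classid 1:26 htb rate "$(( up - ftp - 32 ))kbit" ceil "${up}kbit" prio 1
    # 1:20 ftp-data, hard-capped: ceil = rate, which is also HTB's default when ceil is omitted
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "${ftp}kbit" ceil "${ftp}kbit" prio 2

    # Filters are tried in ascending prio, first match wins. This u32 filter
    # runs before the fw filters, so an ACK belonging to an ftp-data connection
    # lands in 1:10 although it carries mark 20. The match is:
    #   ip protocol 6            TCP
    #   u8 0x05 0x0f at 0        IP header length 5 words (no IP options)
    #   u16 0x0000 0xffc0 at 2   IP total length < 64 bytes, i.e. no payload
    #   u8 0x10 0xff at 33       TCP flags byte (offset 20+13) == ACK only
    run tc filter add dev "$dev" parent 1: protocol ip prio 10 u32 \
        match ip protocol 6 0xff \
        match u8 0x05 0x0f at 0 \
        match u16 0x0000 0xffc0 at 2 \
        match u8 0x10 0xff at 33 \
        flowid 1:10
    run tc filter add dev "$dev" parent 1: protocol ip prio 20 handle 20 fw flowid 1:20
    run tc filter add dev "$dev" parent 1: protocol ip prio 20 handle 26 fw flowid 1:26
}

# Stand-alone: 1000 kbit uplink, ftp-data capped at 39 kbit, placeholder PASV range
ftp_shaper eth0 1000 39 50000:51000 65437
```

Note the unit: the original script says `39kbps`, which tc reads as kilobytes per second (312 kbit); the example uses `kbit` throughout so the numbers mean what they say. If uploads recover once ACKs have their own class, chris's explanation was the right one; if they stay slow with every outbound transfer stopped, the limit is somewhere other than this box.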
Re: [LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping
Hi Peter,

I already tried to give the IP from the same network to my tunnel, but OpenVPN 2.0b11 just blocks access to the firewall via the internal IP after that. So I gave it a different IP space.

My setup is here:

Server:

ifconfig

# The OpenVPN goes via this Wireless line
eth0      Link encap:Ethernet  HWaddr 00:10:5A:A3:9B:58
          inet addr:1.2.3.4  Bcast:x.x.x.x  Mask:255.255.255.248

# Second ADSL line
eth1      Link encap:Ethernet  HWaddr 00:50:DA:3C:D9:7B
          inet addr:2.2.3.4  Bcast:x.x.x.x  Mask:255.255.255.0

# Local net
eth2      Link encap:Ethernet  HWaddr 00:04:76:23:43:36
          inet addr:10.105.105.199  Bcast:10.105.105.255  Mask:255.255.255.0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.2  Mask:255.255.255.255

Routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.2      *               255.255.255.255 UH    0      0        0 tun0
2.2.3.x         *               255.255.255.255 UH    0      0        0 eth1
1.2.3.x         *               255.255.255.248 U     0      0        0 eth0
2.2.3.x         *               255.255.255.0   U     0      0        0 eth1
10.10.10.0      10.10.10.2      255.255.255.0   UG    0      0        0 tun0
10.105.105.0    *               255.255.255.0   U     0      0        0 eth2
10.1.1.0        10.10.10.2      255.255.255.0   UG    0      0        0 tun0
loopback        *               255.0.0.0       U     0      0        0 lo
default         2.2.3.x         0.0.0.0         UG    0      0        0 eth1

Client:

ifconfig

# ADSL connection
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:42:9E:88
          inet addr:192.168.0.129  Bcast:192.168.0.255  Mask:255.255.255.0

# Local net
eth1      Link encap:Ethernet  HWaddr 00:0A:5E:48:0A:E3
          inet addr:10.1.1.199  Bcast:10.1.1.255  Mask:255.255.255.0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.6  P-t-P:10.10.10.5  Mask:255.255.255.255

Routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.5      *               255.255.255.255 UH    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
10.10.10.0      10.10.10.5      255.255.255.0   UG    0      0        0 tun0
10.105.105.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    1      0        0 eth0

Iptables rule

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o tun0 -j SNAT --to-source 10.10.10.6

So the client configuration works fine for me, but how do I make the client local net accessible from the server and the server local net?

Thanks

Remus

----- Original Message -----
From: "Peter Huetmannsberger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 08, 2004 3:28 PM
Subject: Re: [LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping

> OK. I didn't know you wanted to NAT the traffic.
>
> If you have the default gw on your client-net set to the client-gw AND you forward the traffic, i.e. set your ip_forward to 1 AND you allow that in your iptables, there is no need to NAT the traffic at all. (If you have a static route set to your server-net via the tunnel)
>
> I have a similar setup and all I do is:
>
> excerpt from `route -n`
>
> 192.168.42.1    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 192.168.42.0    192.168.42.1    255.255.255.0   UG    0      0        0 tun0
>
> Which means the fw finds 192.168.42.1 by looking through the tunnel, and the whole network by looking at the far end of the tunnel. On the other side it is exactly the same way, except of course turned around.
>
> I saved myself the trouble of having an extra net for the tunnel, I just gave the tun0 device the same ip address as the internal (i.e. the client) network. So it actually looks like this:
>
> 192.168.42.0/24 ---192.168.42.1 ---tunnel---192.168.1.101--192.168.1.0/24
>
> This setup has worked very well for me for years; if you see anything wrong with it let me know, I am willing to learn. As long as packets get forwarded on both gateways there is no need to NAT. I can ping any machine from either network, and have samba working for all those clients, so it must be reasonable.
>
> As for traffic shaping, I would do the shaping on the internal interface (the one pointing to your network behind the fw), there you have control of incoming traffic via htb (as the traffic going to the clients is outgoing).
>
> I hope all of this is correct.
>
> Good luck,
> .peter
>
> On Fri, 8 Oct 2004, Remus wrote:
>> You are correct Peter.
>> But that is not enough to have access from client local lan to server client local lan.
>> The line below helped me to fix it:
>> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.0.0.2
>>
>> So there is one more problem, how to access from the server local net client's local net?
>> Any ideas?
>>
>> And how to shape traffic going via tun0? At the moment I have htb on et
Re: [LARTC] HTB weird problem ....
On Friday 08 October 2004 10:58, Andy Furniss wrote:
> Also you may need to set Hz higher or use psched = CPU for timing.

In 2.6.9 this looks like it'll be part of the `make config` process itself. :)

--
Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff
Re: [LARTC] HTB weird problem ....
Drink Linux wrote:

> hello Andy , i think they are right for 256kbps = 2048kbit ...

ahh I see. I just tried your setup on my eth0 and it works OK. Though HTB's stats don't seem too accurate - I used wget/ftp to judge rates.

You may need to patch HTB/use a newer kernel - there was a patch posted on this list a while back which may affect you. Also you may need to set Hz higher or use psched = CPU for timing. See www.docum.org .

> i have added a leaf pfifo with a limit of 1 packet per second, coz if i have 2-10 it wont work...voila !!! the ceiling rate for each class rule is now working...
>
> my problem is that you can reach the ceiling class only if you have 4-5 files getting through FTP, ex:
>
> 256kbps Ceil
>
> 1 file ftp download = 80-90 kbps max speed
> 4-5 files ftp download = almost 256kbps
>
> how can i make it work to 256kbps speed for 1 file alone ...?

Get rid of the 1 packet pfifo :-)

Andy.
Re: [LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping
OK. I didn't know you wanted to NAT the traffic.

If you have the default gw on your client-net set to the client-gw AND you forward the traffic, i.e. set your ip_forward to 1 AND you allow that in your iptables, there is no need to NAT the traffic at all. (If you have a static route set to your server-net via the tunnel)

I have a similar setup and all I do is:

excerpt from `route -n`

192.168.42.1    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.42.0    192.168.42.1    255.255.255.0   UG    0      0        0 tun0

Which means the fw finds 192.168.42.1 by looking through the tunnel, and the whole network by looking at the far end of the tunnel. On the other side it is exactly the same way, except of course turned around.

I saved myself the trouble of having an extra net for the tunnel, I just gave the tun0 device the same ip address as the internal (i.e. the client) network. So it actually looks like this:

192.168.42.0/24 ---192.168.42.1 ---tunnel---192.168.1.101--192.168.1.0/24

This setup has worked very well for me for years; if you see anything wrong with it let me know, I am willing to learn. As long as packets get forwarded on both gateways there is no need to NAT. I can ping any machine from either network, and have samba working for all those clients, so it must be reasonable.

As for traffic shaping, I would do the shaping on the internal interface (the one pointing to your network behind the fw), there you have control of incoming traffic via htb (as the traffic going to the clients is outgoing).

I hope all of this is correct.

Good luck,
.peter

On Fri, 8 Oct 2004, Remus wrote:
> You are correct Peter.
> But that is not enough to have access from client local lan to server client
> local lan.
> The line below helped me to fix it:
> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source
> 10.0.0.2
>
> So there is one more problem, how to access from the server local net
> client's local net?
> Any ideas?
>
> And how to shape traffic going via tun0?
> At the moment I have htb on eth0 and imq0 to shape in and out traffic?
> But what about VPN traffic which goes via tun0?
>
> Thanks
>
> Remus
Re: [LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping
You are correct Peter.
But that is not enough to have access from client local lan to server client local lan.
The line below helped me to fix it:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.0.0.2

So there is one more problem, how to access from the server local net client's local net?
Any ideas?

And how to shape traffic going via tun0?
At the moment I have htb on eth0 and imq0 to shape in and out traffic?
But what about VPN traffic which goes via tun0?

Thanks

Remus

----- Original Message -----
From: "Peter Huetmannsberger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 08, 2004 1:44 PM
Subject: Re: [LARTC] Problem with VPN routing from internal network

> Hi!
>
> Correct me if I am wrong, what it looks like to me is this:
>
> 192.168.1.0/24      10.0.0.1               10.0.0.2      192.168.2.0/24
>   server net        serverfw --openvpn--   clientfw        client net
>
> On the serverfw you need a static route to the client net:
>
> route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2
>
> On the client net the other way round:
>
> route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.1
>
> Firewall must allow all traffic through tun+ and of course must allow traffic coming from the opposite network.
>
> Hope this helps,
> .peter
>
> On Fri, 8 Oct 2004, Remus wrote:
>> Hi folks,
>>
>> I have the two firewalls (Slackware current) in different cities connected via OpenVPN.
>> I can ping the network behind server firewall from client firewall server.
>> But how to route/iptable network traffic from the network behind client firewall to see the network behind server firewall?
>>
>> Thank you
>>
>> Remus
Re: [LARTC] PRIO not working?
Phill wrote:

> Hello,
>
> I am using a simple script, which is based on prio. The point is that it is not possible to use htb on wifi networks, so I thought that prio would work fine, but it does almost nothing. All I wanted was to make the important packets like icmp, games, VoIP,... go first, and to slow down things like FTP data transfer, etc. When I use $TC -s qdisc show dev ${IFACE}, I see that the packets go to the correct qdiscs. But when I start an FTP data transfer, the ping time is the same with and without this shaping. I should also mention that I am testing it on WiFi with hostap drivers, where the ping times are about 2-3ms when idle and 100-150ms during high traffic.
>
> Is the first/fastest prio class really 1:1, and the last/slowest is 1:4? Or did I miss something else?
>
> A part of the code follows:
>
> $TC qdisc add dev ${IFACE} root handle 1:0 prio bands 4 priomap 2 2 2 2 2 2 0 0 1 2 2 2 2 2 2 2 2>/dev/null
> $TC qdisc add dev ${IFACE} parent 1:1 handle 10 sfq quantum 1514b perturb 10
> $TC qdisc add dev ${IFACE} parent 1:2 handle 20 sfq quantum 1514b perturb 10
> $TC qdisc add dev ${IFACE} parent 1:3 handle 30 sfq quantum 1514b perturb 10
> $TC qdisc add dev ${IFACE} parent 1:4 handle 40 sfq quantum 1514b perturb 10
>
> $TC filter add dev ${IFACE} parent 1:0 protocol ip handle 1 fw flowid 1:1
> $TC filter add dev ${IFACE} parent 1:0 protocol ip handle 2 fw flowid 1:2
> $TC filter add dev ${IFACE} parent 1:0 protocol ip handle 3 fw flowid 1:3
> $TC filter add dev ${IFACE} parent 1:0 protocol ip handle 4 fw flowid 1:4
>
> $IPT -t mangle -A POSTROUTING -o ${IFACE} -j MARK --set-mark 1
> ...
> $IPT -t mangle -A POSTROUTING -o ${IFACE} -p tcp --dport 20 -j MARK --set-mark 2
> $IPT -t mangle -A POSTROUTING -o ${IFACE} -p tcp --sport 20 -j MARK --set-mark 2
> ...

You need to limit the rate to less than link speed by making the prio a child of an htb class.

Andy.
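Andy's answer in shape, as an added example (not Phill's script): prio only reorders packets that are waiting in its own queue, and on an unshaped interface the queue forms in the driver or on the air, where prio never sees it. Putting the prio qdisc under an HTB class whose rate is below what the link really carries moves the queue into prio, which is the whole point. The same construction, applied on the LAN-facing interface with the downlink rate, is one answer to the "Sending and receiving" question earlier on the page: traffic towards the LAN is egress there, so it can be shaped and VoIP/ICMP can be put in the first band. The interface name, rate and the VoIP port are assumptions; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): prio as a child of a
# rate-limited HTB class, with fw marks steering into the bands.
# DRY_RUN=0 applies the commands (root).

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# prio_under_htb DEV RATE_KBIT   (RATE_KBIT must be below the real link speed)
prio_under_htb() {
    dev=$1 rate=$2
    run tc qdisc del dev "$dev" root
    run tc qdisc add dev "$dev" root handle 1: htb default 1
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit" burst 6k
    # 4 bands. Band 0 is classid 2:1 and is dequeued first, band 3 is 2:4
    # and is dequeued last; so yes, X:1 is the fastest. priomap maps the
    # 16 TOS priorities onto bands for packets no filter has classified.
    run tc qdisc add dev "$dev" parent 1:1 handle 2: prio bands 4 priomap 2 2 2 2 2 2 0 0 1 2 2 2 2 2 2 2
    b=1
    while [ "$b" -le 4 ]; do
        # sfq inside each band keeps one flow from starving the others in it
        run tc qdisc add dev "$dev" parent "2:$b" handle "${b}0:" sfq perturb 10
        # fw mark N -> band N. The filters attach to the prio qdisc (parent 2:),
        # not to the HTB root, since it is prio that owns the bands.
        run tc filter add dev "$dev" parent 2: protocol ip handle "$b" fw flowid "2:$b"
        b=$(( b + 1 ))
    done
}

# mark_traffic DEV -- marks chosen to match the bands above (ports are assumptions)
mark_traffic() {
    dev=$1
    run iptables -t mangle -A POSTROUTING -o "$dev" -p icmp -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$dev" -p udp --dport 5060 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp --dport 22 -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp --dport 20 -j MARK --set-mark 4
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp --sport 20 -j MARK --set-mark 4
}

# Stand-alone: a wireless link that really carries about 6 Mbit, shaped to 5000 kbit
prio_under_htb wlan0 5000
mark_traffic wlan0
```

The number to tune is the HTB rate: too high and the queue moves back out of prio (ping under load climbs again); too low and bandwidth is wasted. Checking with `tc -s qdisc show dev wlan0` that the band queues actually hold packets under load is the quickest way to confirm the queue is where prio can act on it.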
Re: [LARTC] HTB weird problem ....
hello Andy , i think they are right for 256kbps = 2048kbit ...

i have added a leaf pfifo with a limit of 1 packet per second, coz if i have 2-10 it wont work...voila !!! the ceiling rate for each class rule is now working...

my problem is that you can reach the ceiling class only if you have 4-5 files getting through FTP, ex:

256kbps Ceil

1 file ftp download = 80-90 kbps max speed
4-5 files ftp download = almost 256kbps

how can i make it work to 256kbps speed for 1 file alone ...? :)

--- Andy Furniss <[EMAIL PROTECTED]> wrote:
> Drink Linux wrote:
> > Hello good day to all ... this is my setup
> > 1 Linux Wireless Access Point, connected are 4 wireless gateway in which i needed to apply shaping ...
> > ok here is the weird part... clients on each gateway download files from the Access Point ... a 500 mb file through ftp
> >
> > on gateway 1 which is up to 64 kbps ... the result is from 60-64 kbps speed which is fine ...
> >
> > on gateway 2 which is 128 kbps ... the result is varying from 130 - 132 kbps (why does it exceed)? but it is acceptable nevertheless
> >
> > on gateway 3 which is up to 256 kbps ... the result is the lowest rate clients can get is up to 285-286 above limit ?!?!! why did that happen...
> >
> > on gateway 4 .. which is up to 512 kbps ... the rate of the client is up to 600+ kbps ... why is that so ?!
> >
> > anyway here is my script for anyone who can help ...thanks
> >
> > one thing is when i ftp 2 files ... the speed is higher than the ceiling limit
> >
> > kernel is 2.4.22 ... with QoS enabled
> >
> > tc qdisc add dev wlan0 root handle 1:0 htb
> >
> > tc class add dev wlan0 parent 1:0 classid 1:1 htb rate 1024kbps ceil 1024kbps
> >
> > tc class add dev wlan0 parent 1:1 classid 1:10 htb rate 1kbps ceil 64kbps
> > tc class add dev wlan0 parent 1:1 classid 1:20 htb rate 1kbps ceil 128kbps
> > tc class add dev wlan0 parent 1:1 classid 1:30 htb rate 1kbps ceil 256kbps
> > tc class add dev wlan0 parent 1:1 classid 1:40 htb rate 1kbps ceil 512kbps
> >
> > tc filter add dev wlan0 parent 1:0 protocol ip u32 match ip dst 10.40.40.245 flowid 1:10
> > tc filter add dev wlan0 parent 1:0 protocol ip u32 match ip dst 10.40.40.246 flowid 1:20
> > tc filter add dev wlan0 parent 1:0 protocol ip u32 match ip dst 10.40.40.247 flowid 1:30
> > tc filter add dev wlan0 parent 1:0 protocol ip u32 match ip dst 10.40.40.248 flowid 1:40
>
> kbps = k bytes/sec maybe you mean kbit for the rates.
>
> Andy.
Re: [LARTC] Problem with VPN routing from internal network
Hi!

Correct me if I am wrong, what it looks like to me is this:

192.168.1.0/24      10.0.0.1               10.0.0.2      192.168.2.0/24
  server net        serverfw --openvpn--   clientfw        client net

On the serverfw you need a static route to the client net:

route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2

On the client net the other way round:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.1

Firewall must allow all traffic through tun+ and of course must allow traffic coming from the opposite network.

Hope this helps,
.peter

On Fri, 8 Oct 2004, Remus wrote:
> Hi folks,
>
> I have the two firewalls (Slackware current) in different cities connected via
> OpenVPN.
> I can ping the network behind server firewall from client firewall server.
> But how to route/iptable network traffic from the network behind client firewall to
> see the network behind server firewall?
>
> Thank you
>
> Remus
Re: [LARTC] HTB weird problem ....
Drink Linux wrote:

> Hello good day to all ... this is my setup
> 1 Linux Wireless Access Point, connected are 4 wireless gateway in which i needed to apply shaping ...
> ok here is the weird part... clients on each gateway download files from the Access Point ... a 500 mb file through ftp
> on gateway 1 which is up to 64 kbps ... the result is from 60-64 kbps speed which is fine ...
> on gateway 2 which is 128 kbps ... the result is varying from 130 - 132 kbps (why does it exceed)? but it is acceptable nevertheless
> on gateway 3 which is up to 256 kbps ... the result is the lowest rate clients can get is up to 285-286 above limit ?!?!! why did that happen...
> on gateway 4 .. which is up to 512 kbps ... the rate of the client is up to 600+ kbps ... why is that so ?!
> anyway here is my script for anyone who can help ...thanks
> one thing is when i ftp 2 files ... the speed is higher than the ceiling limit
> kernel is 2.4.22 ... with QoS enabled
>
> tc qdisc add dev wlan0 root handle 1:0 htb
> tc class add dev wlan0 parent 1:0 classid 1:1 htb rate 1024kbps ceil 1024kbps
> tc class add dev wlan0 parent 1:1 classid 1:10 htb rate 1kbps ceil 64kbps
> tc class add dev wlan0 parent 1:1 classid 1:20 htb rate 1kbps ceil 128kbps
> tc class add dev wlan0 parent 1:1 classid 1:30 htb rate 1kbps ceil 256kbps
> tc class add dev wlan0 parent 1:1 classid 1:40 htb rate 1kbps ceil 512kbps
>
> tc filter add dev wlan0 parent 1:0 protocol ip u32 match ip dst 10.40.40.245 flowid 1:10
> tc filter add dev wlan0 parent 1:0 protocol ip u32 match ip dst 10.40.40.246 flowid 1:20
> tc filter add dev wlan0 parent 1:0 protocol ip u32 match ip dst 10.40.40.247 flowid 1:30
> tc filter add dev wlan0 parent 1:0 protocol ip u32 match ip dst 10.40.40.248 flowid 1:40

kbps = k bytes/sec maybe you mean kbit for the rates.

Andy.
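To make Andy's unit point concrete for the script quoted in the two messages above, here is an added Python checker (not from the thread) that parses the posted HTB classes, converts every rate and ceil to bit/s under tc's suffix rules (`...bit` is bits/s, `...bps` and a bare number are bytes/s), and flags byte units and any ceil above the parent's. The 1000-versus-1024 multiplier is a parameter because iproute2 of that era used 1024 for k/m while current releases use 1000.

```python
import re

# tc(8) suffixes: "bit"-suffixed units are bits/s; "bps"-suffixed units and a
# bare number are BYTES/s. k/m factor is a parameter (old iproute2: 1024, now 1000).
def rate_to_bits(rate, k=1000):
    """Convert a tc rate string such as '64kbps' or '64kbit' to bit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", rate.lower())
    if not m:
        raise ValueError(f"bad tc rate: {rate}")
    value, suffix = float(m.group(1)), m.group(2)
    prefix = {"": 1, "k": k, "m": k * k, "g": k ** 3}
    if suffix.endswith("bit"):
        return int(value * prefix[suffix[:-3]])
    if suffix == "" or suffix.endswith("bps"):
        return int(value * 8 * prefix[suffix[:-3]])
    raise ValueError(f"unknown tc rate unit: {rate}")

CLASS_RE = re.compile(
    r"tc class add dev \S+ parent (\S+) classid (\S+) htb rate (\S+)(?: ceil (\S+))?")

def audit_htb(script, k=1000):
    """Parse 'tc class add ... htb' lines. Returns ({classid: (rate, ceil)} in
    bit/s, warnings). Warns on byte units and on a ceil above the parent's."""
    classes, parents, warnings = {}, {}, []
    for line in script.splitlines():
        m = CLASS_RE.search(line)
        if not m:
            continue
        parent, cid, rate, ceil = m.groups()
        ceil = ceil or rate                      # HTB: ceil defaults to rate
        byte_units = [r for r in (rate, ceil) if r.lower().endswith("bps")]
        if byte_units:
            warnings.append(f"{cid}: {' '.join(byte_units)} are bytes/s "
                            f"(ceil = {rate_to_bits(ceil, k)} bit/s); use kbit/mbit for bits")
        classes[cid] = (rate_to_bits(rate, k), rate_to_bits(ceil, k))
        parents[cid] = parent
    for cid, (_, ceil) in classes.items():
        if parents[cid] in classes and ceil > classes[parents[cid]][1]:
            warnings.append(f"{cid}: ceil {ceil} bit/s exceeds parent {parents[cid]}")
    return classes, warnings

# The class definitions from the thread, embedded here as the checker's input.
HTB_SCRIPT = """
tc class add dev wlan0 parent 1:0 classid 1:1 htb rate 1024kbps ceil 1024kbps
tc class add dev wlan0 parent 1:1 classid 1:10 htb rate 1kbps ceil 64kbps
tc class add dev wlan0 parent 1:1 classid 1:20 htb rate 1kbps ceil 128kbps
tc class add dev wlan0 parent 1:1 classid 1:30 htb rate 1kbps ceil 256kbps
tc class add dev wlan0 parent 1:1 classid 1:40 htb rate 1kbps ceil 512kbps
"""
```

Running `audit_htb(HTB_SCRIPT)` shows that "ceil 64kbps" is 512000 bit/s, eight times what a 64 kbit limit would be, which is the mismatch Andy is pointing at.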
[LARTC] Problem with VPN routing from internal network
Hi folks,

I have the two firewalls (Slackware current) in different cities connected via OpenVPN.
I can ping the network behind server firewall from client firewall server.
But how to route/iptable network traffic from the network behind client firewall to see the network behind server firewall?

Thank you

Remus
Re: [LARTC] shaping outbound ftp traffic on 1 nic not working properly
Is the inbound rate affected even if there are no outbound transfers? Is the speed actually being "limited" to a certain speed, or are you just noticing that the inbound/upload traffic is slower than it should be?

The reason I ask is because you're tagging all outbound ftp-data traffic (ports 5:51000) and directing it to the class with 39kbps. If you have outbound/download transfers going, they may be using all the available outbound bandwidth for that class and causing outbound ACK packets (for the inbound/upload traffic) to queue and throttle the inbound speed. Please don't flame me if I'm way off base...

Assumption:
- data connection is bi-directional. i.e. the data connection is made on the specified PASV (server) ports (5:51000) regardless of whether it's an upload or download.

Test:
- simply kill all downloads and see if the uploads are still affected.
- or you can tag outbound ACK packets and filter them into the faster class.

chris

>> Theory is.. You can only shape outbound traffic.
>> Inbound is via tcp windowshaping etc..
>
> In theory yes, but it is shaping inbound transfers to my server.
>
>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 5:51000 -j MARK --set-mark 20
>>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>
>> Why do you care about destination port?
>> AFAIK, it shouldn't affect your wants since you're not filtering on
>> incoming traffic
>
> I dont care about destination port. That line was commented. BUT,
> incoming transfers are being shaped for some reason.
>
>> Is this legal?? 1mbps?? Wow.. 1*1E6?
>
> I just did that to make sure lan traffic was not affected at all.
>
>
> entire script for reference
> I am using the following script to limit my outbound traffic. This script
> runs on a box behind my firewall. It limits my outbound passive ftp
> traffic to 39K perfectly, just like i want. However, i just noticed that
> it is also limiting uploads coming to my server.
>
> Is there something I can change to make it not limit uploads to my server?
>
> #!/bin/bash
> #shaping passive ftp traffic
>
> # mark the outbound passive ftp packets on ports 5-51000
> iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
>
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT
>
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 5:51000 -j MARK --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>
> # clear it
> tc qdisc del dev eth0 root
>
> #add the root qdisk
> tc qdisc add dev eth0 root handle 1: htb default 26
>
> #add main rate limit class
> tc class add dev eth0 parent 1: classid 1:1 htb rate 1mbps
>
> #add leaf classes
> tc class add dev eth0 parent 1:1 classid 1:26 htb rate 1mbps
> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 39kbps
>
> #filter traffic into classes
> tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
> tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26
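To show why the posted MYSHAPER-OUT chain puts the upload's ACKs into the 39kbps class and what chris's "tag outbound ACK packets" suggestion changes, here is an added Python model of the chain (not code from the thread). The packet samples are constructed, and the ACK rule's iptables form (`--tcp-flags ALL ACK -m length --length :64`) is an assumption about how one would write it; the mark numbers 20 and 26 are the ones in the posted script.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """Constructed outbound packet; only the fields the chain matches on."""
    sport: int
    flags: frozenset        # TCP flags set, e.g. frozenset({"ACK"})
    length: int             # IP total length in bytes
    mark: int = 0           # nfmark, starts at 0 like a fresh skb

# A rule is (predicate, mark). In the mangle table MARK is a non-terminating
# target: every rule in the chain is evaluated in order and a later match
# overwrites the mark set by an earlier one.
def sport_rule(lo, hi, mark):
    return (lambda p: lo <= p.sport <= hi, mark)

def mark_zero_rule(mark):
    return (lambda p: p.mark == 0, mark)

def pure_ack_rule(mark, max_len=64):
    # Assumed iptables form: -p tcp --tcp-flags ALL ACK -m length --length :64
    return (lambda p: p.flags == frozenset({"ACK"}) and p.length <= max_len, mark)

def run_chain(rules, pkt):
    for pred, mark in rules:
        if pred(pkt):
            pkt.mark = mark
    return pkt.mark

# The chain as posted: sport 65437 and 5:51000 -> mark 20 (39kbps class), rest -> 26.
POSTED_CHAIN = [sport_rule(65437, 65437, 20), sport_rule(5, 51000, 20), mark_zero_rule(26)]

# With chris's ACK rule. It has to sit AFTER the --sport rules: because MARK
# does not stop evaluation, an ACK rule placed first is overwritten by the
# 5:51000 match and the ACKs land in the slow class again.
FIXED_CHAIN = POSTED_CHAIN[:2] + [pure_ack_rule(26)] + POSTED_CHAIN[2:]
WRONG_ORDER = [pure_ack_rule(26)] + POSTED_CHAIN

def classify(chain):
    """Mark assigned to three constructed packets leaving eth0 on the server."""
    samples = {
        # outbound FTP data of a client download, from a PASV data port
        "download_data": Pkt(sport=40000, flags=frozenset({"ACK"}), length=1500),
        # bare ACK the server returns for a client upload on the same kind of port
        "upload_ack": Pkt(sport=40000, flags=frozenset({"ACK"}), length=52),
        # unrelated traffic from a port outside 5:51000
        "other": Pkt(sport=60000, flags=frozenset({"PSH", "ACK"}), length=200),
    }
    return {name: run_chain(chain, p) for name, p in samples.items()}
```

`classify(POSTED_CHAIN)` marks both the download data and the upload's ACKs 20, so the ACKs queue behind the download in the 39kbps class; `classify(FIXED_CHAIN)` moves only the ACKs to 26.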