lartc@mailman.ds9a.nl

2005-01-10 Thread Sandeep A.S

I have to do load balancing and QoS on a Linux box

which has openvpn and iptables running.

System is Fedora Core 1.
Any known issues?

Or anything I have to take care of?

Thanks 
-- 
Sandeep A.S <[EMAIL PROTECTED]>
Netcontinuum Pvt Ltd 

___
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] How to balance OUTBOUND traffic by packet if..

2005-01-10 Thread gypsy
[EMAIL PROTECTED] wrote:
> 
> I am still looking for a solution to this problem...
> > [EMAIL PROTECTED] wrote:

I realize this is the opposite of what you try to accomplish, but
perhaps it will help?

Google
"LARTC load balance a file download across two connections - success"

gypsy


[LARTC] How to balance OUTBOUND traffic by packet if..

2005-01-10 Thread junk
I am still looking for a solution to this problem...
> [EMAIL PROTECTED] wrote:
>> Hi,
>> Yes i did give this a try a couple of times before with no success
>>
>>  /sbin/iptables -I OUTPUT -m nth --every 2 --packet 1 -t mangle -j MARK \
>>      --set-mark 0x2
>>  /sbin/iptables -I OUTPUT -m nth --every 2 --packet 0 -t mangle -j MARK \
>>      --set-mark 0x1
>>
>>  ip rule :
>> 0:      from all lookup local
>> 201:    from all fwmark 0x2 lookup 202
>> 201:    from all fwmark 0x1 lookup 201
>> 32766:  from all lookup main
>>  ip route show table 202
>> default via 212.199.28.244 dev ppp1  proto static  src 80.178.89.120
>>  ip route show table 201
>> default via 212.199.26.111 dev ppp0  proto static  src 84.94.148.214
>>  ip route show table main
>> 212.199.26.111 dev ppp0  proto kernel  scope link  src 84.94.148.214
>> 212.199.28.244 dev ppp1  proto kernel  scope link  src 80.178.89.120
>> default  proto static equalize
>>     nexthop via 212.199.26.111  dev ppp0 weight 1
>>     nexthop via 212.199.28.244  dev ppp1 weight 1
>
>
>
> I must admit I am more into tc than ip so I've never tried it.
>
> My guess is that you need to get rid of equalize/weights as these load
> balance per connection and the routes get cached.
>
> Andy.
>
>
how to use iproute/iptables to balance by packet OUTBOUND traffic between
2 PPP (pptp cable modem and pppoe adsl modem) links to the same ISP. Also
by using the fact that the ISP doesn't filter source IP address - meaning
I can use either PPP link's assigned IP address as the source IP in the IP
header.., it works for both devices.., what I want to achieve is: when
uploading a large file, I could use both devices to shoot data but bound
only to one source IP.

Naturally I could expect all data to go back through the device with that
corresponding IP, at least that is what happens according to Ethereal.



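As an added example (not code from the thread), a small Python checker that parses the `ip rule` and `ip route show table ...` output quoted above and reports the points Andy's reply touches on: two fwmark rules sharing one priority, per-mark default routes hinting different source addresses when a single source IP is wanted, and a multipath `equalize` default still sitting in the main table. The sample input is the thread's own output, embedded as a constant.

```python
import re

# Constructed sample: the `ip rule` and `ip route show table ...` output quoted in the thread.
IP_RULE = """\
0:      from all lookup local
201:    from all fwmark 0x2 lookup 202
201:    from all fwmark 0x1 lookup 201
32766:  from all lookup main
"""
TABLES = {
    "202": "default via 212.199.28.244 dev ppp1  proto static  src 80.178.89.120\n",
    "201": "default via 212.199.26.111 dev ppp0  proto static  src 84.94.148.214\n",
    "main": ("default  proto static equalize\n"
             "    nexthop via 212.199.26.111  dev ppp0 weight 1\n"
             "    nexthop via 212.199.28.244  dev ppp1 weight 1\n"),
}

RULE_RE = re.compile(r"^(\d+):\s+from \S+(?: fwmark (\S+))? lookup (\S+)")

def parse_rules(text):
    """Parse `ip rule` output into (priority, fwmark or None, table) tuples."""
    matches = [RULE_RE.match(line.strip()) for line in text.splitlines()]
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in matches if m]

def default_src(table_text):
    """Return the src hint on a table's default route, or None if there is none."""
    for line in table_text.splitlines():
        if line.startswith("default"):
            m = re.search(r"\bsrc (\S+)", line)
            return m.group(1) if m else None
    return None

def audit(rule_text, tables):
    """Return findings about a fwmark-based policy-routing setup (empty list = clean)."""
    findings = []
    rules = parse_rules(rule_text)
    prios = [p for p, _, _ in rules]
    for p in sorted(set(prios)):
        if prios.count(p) > 1:
            findings.append("priority %d is shared by %d rules; give each fwmark rule its own prio" % (p, prios.count(p)))
    marked = [(mark, tbl) for _, mark, tbl in rules if mark]
    for mark, tbl in marked:
        if tbl not in tables:
            findings.append("fwmark %s selects table %s, which has no routes" % (mark, tbl))
    srcs = {s for s in (default_src(tables[t]) for _, t in marked if t in tables) if s}
    if len(srcs) > 1:
        findings.append("per-mark default routes hint different src addresses: %s" % ", ".join(sorted(srcs)))
    if any("equalize" in line for line in tables.get("main", "").splitlines()):
        findings.append("main table still carries a multipath 'equalize' default alongside the fwmark tables")
    return findings
```

On a live box, feed it `ip rule show` and `ip route show table <n>` for every table the rules reference; an empty list means the three checks pass.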


Re: [LARTC] wondershaper with ssh on a non-standard port

2005-01-10 Thread Ed Wildgoose
Hi,
having read the docs and the wondershaper script itself, it occurred to 
me that the documentation promises an immediate drop in interactive app 
latency, specifically mentioning SSH as a big winner. 
however, looking through the script i can't really tell just *how* 
wondershaper figures out which port my SSH daemon is running on. 

so what i'd like to know is, if i'm running my sshd on, say, port 222, 
do i need to make any changes to the wondershaper script, or will it 
figure out the right number automagically (e.g. from /etc/services, 
where SSH is already correctly assigned to port 222) ?
(conversely, does it 'need' to figure out this port number at all?)
 

It's been a while since I looked through wondershaper, but the relevant 
lines are apparently these:

   # TOS Minimum Delay (ssh, NOT scp) in 1:10:
   tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:10
So it seems to be matching based on the "type of service" bits in the IP 
packet.  I seem to remember that SSH actually sets the IP tos bits 
correctly?

So it *should* work when ssh is on another port.  I guess you need to 
either tweak the script (if you want a quick fix then just mark anything 
to/from port 222 as high priority), or else figure out why your packets 
aren't matching the required rule.

Good luck
Ed W
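To make Ed's explanation concrete, here is an added Python example (not part of the thread or of wondershaper) that emulates how the quoted u32 filter matches: a tc `match ip tos 0x10 0xff` is a masked compare of the byte at offset 1 of the IP packet, and the port-based quick fix is the same compare at offsets 20/22. The packets, the sshd port 222 and the assumption that 1:20 is the bulk default class are constructed for the example.

```python
import struct

def build_ipv4_tcp(tos, sport, dport):
    """Constructed 40-byte IPv4+TCP header (10.0.0.1 -> 10.0.0.2, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp

# tc-u32 "ip" selectors are shorthand for compares at fixed offsets in the IP packet:
# `match ip tos V M` is `match u8 V M at 1`; sport/dport sit at 20/22 when the
# IP header carries no options (the same assumption tc itself makes).
SELECTORS = {"tos": (1, "!B"), "sport": (20, "!H"), "dport": (22, "!H")}

def u32_match(packet, selector, value, mask):
    """Emulate `match ip <selector> <value> <mask>`: (field & mask) == (value & mask)."""
    offset, fmt = SELECTORS[selector]
    field = struct.unpack(fmt, packet[offset:offset + struct.calcsize(fmt)])[0]
    return (field & mask) == (value & mask)

def classify(packet, filters, default="1:20"):
    """Walk (prio, selector, value, mask, flowid) filters in prio order; first hit wins.
    1:20 is assumed here to be the bulk/default class of the htb tree."""
    for _prio, selector, value, mask, flowid in sorted(filters):
        if u32_match(packet, selector, value, mask):
            return flowid
    return default

# The rule quoted from the script: TOS minimum-delay (0x10), whole byte must match.
WONDERSHAPER = [(10, "tos", 0x10, 0xff, "1:10")]
# Ed's quick fix: also lift anything to or from the custom sshd port (222 here) into 1:10.
PORT_FIX = WONDERSHAPER + [(11, "sport", 222, 0xffff, "1:10"),
                           (11, "dport", 222, 0xffff, "1:10")]
```

An ssh session that sets TOS 0x10 lands in 1:10 whatever port it uses; one that leaves TOS at 0 needs the port rules, which also promote bulk scp on that port, so the script's "ssh, NOT scp" distinction is lost with the quick fix.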


[LARTC] wondershaper with ssh on a non-standard port

2005-01-10 Thread simms

greetings all, 

i've searched high and low for this, but can't seem to find an answer 
anywhere.. 

having read the docs and the wondershaper script itself, it occurred to 
me that the documentation promises an immediate drop in interactive app 
latency, specifically mentioning SSH as a big winner. 
however, looking through the script i can't really tell just *how* 
wondershaper figures out which port my SSH daemon is running on. 

so what i'd like to know is, if i'm running my sshd on, say, port 222, 
do i need to make any changes to the wondershaper script, or will it 
figure out the right number automagically (e.g. from /etc/services, 
where SSH is already correctly assigned to port 222) ?
(conversely, does it 'need' to figure out this port number at all?)

i ask because while ping time latency has indeed fallen for me since 
wondershaper was installed, my custom-port SSH connections are as slow 
as ever, especially during large file uploads.. 

my setup in a nutshell:
- current Debian GNU/Linux 'testing' distribution ('sarge', updated daily)
- kernel 2.4.27 (Debian 'testing' default, not customized)
- wondershaper (v. 1.1a) (from current Debian 'testing')
- Shorewall (v. 2.0.13) also from 'testing'
- 4 Mbit ADSL link via 'modem' on eth0


thank you in advance!

-p


-- 
If economists were doctors, they would today be mired in malpractice suits.
 - John Ralston Saul





Re: [LARTC] Personal Firewalls

2005-01-10 Thread Peter Surda
Alfred Vahau wrote:
Thanks for the reply. This is the practice at present. We block off 
one IP and another pops up.
At times, quite a few of them appear. We suspect that some of these 
guys are disgruntled ex-employees
who have unauthorized access or are accessing the network with the 
help of other staff.
Aha, so you suspect malicious intent and not only accidental behaviour. 
In that case you shouldn't expect that some other internal information 
found on the problematic computers is valid either.

However, there is a possibility if you want to find the computer by IP, 
if you use manageable switches. As you know which IPs are improper, you 
can also find the corresponding MAC address passively from the router's 
ARP table (or actively by arping), and the switches will be able to tell 
you on which port this MAC is plugged. Then you can e.g. shut down the 
port or follow the cable to the physical computer location.

alfred,
Yours sincerely
Peter Surda


[LARTC] Bandwidth Management Tools - yet another tool

2005-01-10 Thread Vicky Rode
hi there,
has anyone used this tool? if so any thoughts?
http://bwm-tools.lbsd.net/
regards,
/vicky


Re: [LARTC] Personal Firewalls

2005-01-10 Thread Alfred Vahau
Thanks for the reply. This is the practice at present. We block off one 
IP and another pops up.
At times, quite a few of them appear. We suspect that some of these guys 
are disgruntled ex-employees
who have unauthorized access or are accessing the network with the help 
of other staff.

alfred,
Peter Surda wrote:
Alfred Vahau wrote:
All our IP addresses fall within
specific ranges and the existence of these addresses are against the
policies on computer usage.

In that case it's easy. Block their network access on the router and 
wait until they contact you :-)

Alfred Vahau
IT Services
Uni. PNG

Yours sincerely
Peter Surda


Re: [LARTC] Personal Firewalls

2005-01-10 Thread David Hough
On Mon, 2005-01-10 at 18:33, Alfred Vahau wrote:
> Thanks for the reply. This is the practice at present. We block off one 
> IP and another pops up.
> At times, quite a few of them appear. We suspect that some of these guys 
> are disgruntled ex-employees
> who have unauthorized access or are accessing the network with the help 
> of other staff.

It sounds as though you need a script tied in with your DHCP server so
that only recognised MAC addresses get given IP addresses and only those
addresses currently allocated get access via the firewall.
-- 
Dave
So many gadgets, so little time
http://www.llondel.org/
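
Peter's tip (take the improper IP to the router's ARP table to get a MAC, then to the switch) and David's (only recognised MACs get access) combine into one audit. The following Python is an added example, not from the thread: it parses a constructed `/proc/net/arp` snapshot, checks each neighbour against a constructed list of issued MACs and the policy address ranges, and emits the router block rules as strings for review. The ranges, MACs and interface names are placeholders.

```python
import ipaddress

# Constructed sample of /proc/net/arp on the router (header line, then one neighbour per line).
PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.10.1.20       0x1         0x2         00:11:22:33:44:55     *        eth1
10.10.1.99       0x1         0x2         00:11:22:33:44:66     *        eth1
10.10.9.7        0x1         0x2         00:11:22:33:44:77     *        eth1
10.10.1.42       0x1         0x0         00:00:00:00:00:00     *        eth1
"""
# Constructed inventory: MACs IT Services has issued (David's "recognised MAC addresses").
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:77"}
# Constructed policy ranges (Alfred: legitimate addresses fall within specific ranges).
ALLOWED_RANGES = [ipaddress.ip_network("10.10.1.0/24")]

def parse_arp(text):
    """Parse /proc/net/arp into (ip, mac, dev); incomplete entries (flags 0x0) are dropped."""
    entries = []
    for line in text.splitlines()[1:]:
        ip, _hwtype, flags, mac, _mask, dev = line.split()
        if int(flags, 16) & 0x2:          # ATF_COM: address resolution completed
            entries.append((ip, mac.lower(), dev))
    return entries

def audit_neighbours(arp_text, known_macs, allowed_ranges):
    """Map ip -> (verdict, mac, dev). Verdicts: 'ok', 'unknown-mac' (in range but MAC
    never issued) or 'out-of-range'. The MAC is what you take to the switch to find the port."""
    report = {}
    for ip, mac, dev in parse_arp(arp_text):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed_ranges):
            verdict = "out-of-range"
        elif mac not in known_macs:
            verdict = "unknown-mac"
        else:
            verdict = "ok"
        report[ip] = (verdict, mac, dev)
    return report

def block_rules(report, chain="FORWARD"):
    """Return iptables commands (strings, for review before applying) that drop traffic
    from every flagged host, i.e. 'block their network access on the router'."""
    return ["iptables -A %s -s %s -j DROP" % (chain, ip)
            for ip, (verdict, _mac, _dev) in sorted(report.items()) if verdict != "ok"]
```

Because the ARP table only reflects hosts that have recently talked to the router, run it periodically or alongside `arping` of the suspect addresses, as Peter suggests.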




Re: [LARTC] failover strategies - failing open vs. failing closed.

2005-01-10 Thread Yaman Saqqa
OK ... what about syncing connection tracking state tables between the
two routers/fw's, is the ct_sync code from netfilter stable .. has anyone
used it in a production environment .. the netfilter-failover
mailing list is pretty dead!


On Thu, 06 Jan 2005 22:16:42 +, Jose Luis Araujo
<[EMAIL PROTECTED]> wrote:
> Hi.
> 
> Sorry for the delay. Hope you are still interested in the idea.
> 
> Kelly Jeglum wrote:
> 
> >I'd like to setup a box with 2 NICs as a firewall which will also rate
> >limits outbound traffic.  What happens when/if that box hangs or is
> >rebooted?
> >
> >
> If you are doing NAT or routing, then you need to use VRRPD with two
> machines.
> 
> >I'd like a solution that when there is a failure, traffic can still go
> >through the box even though the firewall and rate limiting functions will no
> >longer be in effect.
> >
> >
> If on the other hand you want just the rate limiting, then you can try
> something. It only has a drawback, the switch that you will use must
> have Vlan and STP.
> 
> The trick is this, you choose three ports, and assign those to, say vlan
> 2, then choose another 3 ports and assign those to vlan 3.
> 
> Enable STP on both Vlan's, increase the portcost on one port on each
> Vlan, and use a crossed cable to link them.
> Connect a port from each Vlan to the bridge/rate limiter.
> Connect the remaining port to your inner router, and to your outer router.
> 
> Now, the idea is, the Vlan will divide the switch virtually, traffic
> from vlan 2 won't go to vlan 3, only if they are physically connected,
> they behave like two switches (which will also work, provided that the
> switches permit VTP). When everything is working properly, the switch
> will see two links from vlan 2 to vlan 3 and will disable the one with
> the higher cost (the cross cable), then all your traffic will flow
> through the bridge.
> If the bridge stops, hangs or is disconnected, the switch will only see one
> link (the cross cable) and will enable it, bypassing the bridge.
> 
> I have this setup in operation now, and it works great.
> 
> For those wondering, it is using a cisco 2900XL and the fallback time is
> from 30 to 50 seconds.
> 
> Hope it helps
> 
> José Araújo
> 


-- 
abulyomon

www.KiLLTHeUPLiNK.com


[LARTC] Could anyone explain the slot and bucket concept in SFQ to me?

2005-01-10 Thread Wang Feng
Dear all,

I'm reading the code in sch_sfq.c in kernel 2.4 of Linux.
I find I messed up with the concept of slot, bucket and hash tables. Could
anyone explain the data structure of the hash tables a little to me?

Thanks very much.

Best,
Franklin

BTW: I can not understand why the number of entries of dep[SFQ_DEPTH*]
should be twice:(



Re: [LARTC] Personal Firewalls

2005-01-10 Thread Peter Surda
Alfred Vahau wrote:
All our IP addresses fall within
specific ranges and the existence of these addresses are against the
policies on computer usage.
In that case it's easy. Block their network access on the router and 
wait until they contact you :-)

Alfred Vahau
IT Services
Uni. PNG
Yours sincerely
Peter Surda