Re: [LARTC] RE: VPN Solution
Rangi Biddle wrote:
> This is an update for anyone that has been attempting to get a PPTP VPN working using PopTop with more than one simultaneous connection from an external source to a PPTP VPN behind a router that is NATing connections through. I assume that whoever is setting this up has some general knowledge of Linux and how to compile a kernel. I also make the assumption that you already have a PPTP server up and running but are requiring more than one simultaneous connection. I also offer no warranties or take on any responsibility on whether or not this breaks your system and causes damage of any kind.
> ...
> If you have any problems please mail them to the list and I will see if I can be of some assistance.

So I take it that you were able to get PPTP / PopTop working the way you wanted with multiple concurrent PPTP connections?

Grant.

___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] ipsec and ifb device
Hi everybody.

I would like to know how incoming IPsec packets (from eth0 for example) interact with the ifb device. For example: I want to redirect all incoming packets from eth0 to ifb0 for shaping. What happens to the ESP packets and the corresponding clear packets? By default both are seen on the incoming device.
Re: AW: AW: AW: [LARTC] Why did I need strange ceiling settings? (fullversion)
Philipp Leusmann wrote:
> Hi Andy,
> I made the dumpfile and will send it to you in a separate private email. I cannot see anything suspicious, but maybe I am not looking for the right thing.

Did you get my offlist reply about that?

> Same goes for netstat -s | grep retrans : The count does not rise during the transfer.
> For the modem, here is what it says:
>
>                             down       up
>   Bit-rate (fast)         : 15694      915
>   Bit-rate (relative cap.): 100 %      100 %
>   Bit-rate (max)          : 15694      915
>   FEC error (fast)        : 7116       0
>   CRC error (fast)        : 13421      0
>   HEC error (fast)        : 5051       0
>   Noise margin            : 8.3 dB     8.5 dB
>   Attenuation             : 16.0 dB    12.8 dB
>   Transmit power          : 22.3 dBm   12.3 dBm
>   First channel           : 64         33
>   Last channel            : 505        59
>   Channel gaps            : 95 110 127 188 191 243 291 348

0 upstream errors may mean your modem isn't reporting/getting them properly from the far end, but if the uptime of those stats isn't too short, the errors don't look too bad anyway.

As for what I said about showtime rate being a multiple of 32kbit, I was thinking ADSL; I guess it's different for ADSL2(+). I suppose the FEC overheads could be deducted first as well (we don't get FEC on fast in the UK).

Andy.
[LARTC] HTB GUI
Hi,

I have many examples of HTB GUIs. All are already well developed, as discussed in this link. However, can anyone teach me what software to use to build my own web-based HTB GUI software on Fedora Core (Linux based)?

Thanks
Regards
Alan
[LARTC] Calculate GRED Parameters
Hi,

Is there a way to calculate GRED parameters, given a desired delay (e.g. 100ms)?

Thanx
Ntanzi
[LARTC] Reassigning a flow to a different queue
I'd like to initially assign all http flows to an interactive priority queue. But if the cumulative amount of traffic exceeds a threshold, I'd like to reassign it to a low priority bulk queue. Say someone is doing an http download of a huge .iso.

Is this possible?

--
Drew Einhorn
[LARTC] tc actions and accounting
Hi,

I'd like to account the data going out to an interface after shaping and policing. At the moment, I'm using ipt_ACCOUNT for per-IP accounting, but it counts packets regardless if they are dropped or not. Using tc counters directly would force me to install one tc rule per IP which I'd rather avoid.

My idea was to use tc actions with ipt_ACCOUNT, but I have no idea what will be counted and how to specify an action for only some of the data *after* shaping and policing. The tc action documentation seems to suggest that the actions happen at the time of PREROUTING/POSTROUTING in netfilter, so that would not work for me.

As an alternative, I searched for a tc equivalent of ipt_ACCOUNT, but I found nothing.

My previous attempt to solve a similar problem is here: http://mailman.ds9a.nl/pipermail/lartc/2005q2/016271.html

Regards,
Carl-Daniel
Re: [LARTC] NAT/MASQ with multiple external static IPs
Покотиленко Костик wrote:
> I don't think so. You should (need to) use either -j MASQUERADE or -j SNAT. MASQUERADE is almost the same as SNAT; it is more convenient for NAT'ing on ppp interfaces where there is a different IP on each connect, that's why it doesn't have the --to-source option (it takes the address from the outgoing interface).
>
> The correct way would probably be:
>
>   iptables -A POSTROUTING -t nat -s 1.2.3.4 -o eth0 -j SNAT --to-source 1.2.3.5-1.2.3.7
>
> OR
>
>   iptables -A POSTROUTING -t nat -s 1.2.3.4 -o eth0 -j SNAT --to-source 1.2.3.5 --to-source 1.2.3.6 --to-source 1.2.3.7

I understand, so outbound packets will convert to the (--to-source) address outbound. But how will packets coming back in find their way back to the original client? For example, if I had this rule:

  iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 1.2.3.4

then sure, a packet from IP 192.168.0.50 goes out just fine. But then I would need a DNAT rule to send packets back to that internal IP address. How would that work? Am I looking at this the right way?
[LARTC] Fail-over uplink problem
Hi list,

I have a problem I thought was simple first, but now I'm stuck. In a nutshell, it's about redundant uplinks at an outside location. Crude ASCII-Art follows:

          Internet
             ||
       +------------+
       | cisco with |
       | uplinks    |
       +------------+
          |       | ATM interface
    +----------+ ...
    | alvarion |  |
    | wireless | +-------+
    | base     | | DSL   |
    +----------+ | modem |
          |      +-------+
    +------------+   |
    | wireless   |   |
    | subscriber |  /
    +------------+ /
          |       /
      +-------------+
      | small linux |
      | box         |
      +-------------+
             |
         target net

The target net is connected via a 20 MBit wireless connection which should be the normal route, and a 2 MBit DSL connection as backup. Switching to the backup line should work automatically. There are link networks between the linux box and the DSL modem and between the linux box and the base (subscriber is acting as a bridge). We control all the equipment, including the cisco.

So I thought I'd use quagga and build a small OSPF or RIP between the linux box and the cisco where the linux box announces the target net. The wireless route would have higher priority because of the higher line speed. But how do I set the default route on the box? I don't want to redistribute BGP into OSPF on the cisco, it knows 2x20,000 routes from two uplink peers and the linux box is really small (300 MHz Celeron with 128 MB RAM).

Thanks in advance for any advice.

- Torsten
[LARTC] using cpu cycle counter on smp
Hi there,

I was wondering if it's possible to use PSCHED_CPU (cpu cycle counter as clock source for QoS). Normally kernel menuconfig forbids it due to lack of synchronization of counters on different CPUs, but:

http://uwsg.iu.edu/hypermail/linux/kernel/9902.0/0053.html

and quoting the interesting part...

-
checking TSC synchronization across CPUs:
BIOS BUG: CPU#0 improperly initialized, has -25 usecs TSC skew! FIXED.
BIOS BUG: CPU#1 improperly initialized, has 25 usecs TSC skew! FIXED.
-

... we can see TSC is synchronized during boot process. So, is it or is it not possible/prudent to use PSCHED_CPU on x86/x86_64, where TSCs are used?

Regards,
Marek Kierdelewicz
[LARTC] ROUTE target broken under 2.6.18.3 kernel
I had problems with the 2.6.19 kernel, there appear to be some binary problems with iptables and kernel modules, so I moved to the 2.6.18.3 kernel to test some things.

When I put -j ROUTE into the -t mangle table and PREROUTING chain, I have no problems, but when I try -j ROUTE in the POSTROUTING chain, my system loses all network access (and it is possible it crashes, I'm not there to view the screen).

My system has:

SMP kernel (dual Xeon 3,0 GHz)
2.6.18.3 kernel + connlimit + layer7 + ROUTE patches
1.3.5 iptables (FC5 distro sources) with connlimit + layer7 + ROUTE patches (as I see, I only need to change the makefile in the distro sources to allow connlimit and ROUTE to work)

The command that breaks the network (and possibly crashes the machine) is:

  iptables -t mangle -A POSTROUTING -p tcp --dport msnp -j ROUTE --gw mygw --continue

I have 2 uplinks with 2 different gw IPs, and I detected disconnection problems with messenger clients (amsn, windows msn, msn-messenger, gaim, etc) and I only want to route all msn traffic onto only one uplink.

Any help about this? Is it really a bug with the ROUTE patch and the 2.6.8.3 kernel? Or is it a bug with the 1.3.5 iptables version (FC5 distro sources)?

Please, help me a bit to solve this problem.

Thanks
Re: [LARTC] Fwd: Traffic Shaping on a Transparent Bridge not working!
drew einhorn wrote:
> RTFM time. The htb section of http://lartc.org/howto/index.html is easier reading than the cbq section. And the howto claims htb is better anyway. Let's focus on the htb version of wondershaper.

Yes HTB/HFSC should be better for slow links, unfortunately wondershaper is flawed as noted below. This may not be your problem here, though.

> Then we start downloading a file to generate some traffic that really needs to be shaped.

Shaping from the wrong end of the bottleneck is not nice and the slower the link the harder it is. It's better than not shaping (policing in this case).

> [EMAIL PROTECTED]:~ # sh -x wshaper.htb
> + DOWNLINK=100
> + UPLINK=100
> + DEV=eth0
> + NOPRIOHOSTSRC=
> + NOPRIOHOSTDST=
> + NOPRIOPORTSRC=
> + NOPRIOPORTDST=
> + '[' '' = status ']'
> + tc qdisc del dev eth0 root
> + tc qdisc del dev eth0 ingress
> + '[' '' = stop ']'
> + tc qdisc add dev eth0 root handle 1: htb default 20

It's not a good idea to use default on eth, unless you explicitly handle arp. IIRC WS was tested on ppp so I guess that's why. Not specifying default lets unclassified through unshaped and you can, and do make a catchall ip filter later for 20 anyway.

> + tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit burst 6k
> + tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100kbit burst 6k prio 1
> + tc class add dev eth0 parent 1:1 classid 1:20 htb rate 90kbit burst 6k prio 2
> + tc class add dev eth0 parent 1:1 classid 1:30 htb rate 80kbit burst 6k prio 2

Rates can't add up to more than parent rate/ceil. I guess the test case used didn't expose this when WS was published. I would use something like -

  ... 1:10 htb rate 80kbit ceil 100kbit
  ... 1:20 htb rate 15kbit ceil 100kbit
  1:30 htb rate 5kbit ceil 100kbit

> + tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> + tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> + tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
> + tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
> + tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
> + tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
> + tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20

This filter should catch all IP so default not needed.

> + tc qdisc add dev eth0 handle : ingress
> + tc filter add dev eth0 parent : protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1

I am surprised this did nothing - at low speeds you may need to back off a bit more. If I were shaping a 128kbit link I would be tempted to mss clamp/set mtus lower as 1500byte packets have long bitrate latency - depends on your requirements and I am not sure you can mss clamp with this bridge setup.

> + tc -s qdisc ls dev eth0
> qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
>  Sent 18649 bytes 191 pkts (dropped 0, overlimits 0)
> qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
>  Sent 10582 bytes 147 pkts (dropped 0, overlimits 0)
> qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
>  Sent 8067 bytes 44 pkts (dropped 0, overlimits 0)
> qdisc sfq 30: parent 1:30 limit 128p quantum 1514b perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

Looks OK, we are testing ingress anyway. I would use limit XX on sfqs as 128 default is a very long time @ low bitrates.

> qdisc ingress :
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

0 bytes - something wrong here. Filter looks OK, but it's not seeing traffic.

I haven't got a 2.4 box, I do have a br on a 2.6 box and just tested on eth0 - works OK with those rules.

Counters on eth0 egress look OK so I assume all traffic is IP - tcpdump.

I wonder if it's something to do with bridging (I don't understand some behavior of mine), maybe ingress on eth0 has a different ethertype at that point. Try this instead -

  tc qdisc add dev eth0 handle : ingress
  tc filter add dev eth0 parent : protocol arp prio 1 u32 match u32 0 0 flowid :1
  tc filter add dev eth0 parent : protocol all prio 2 u32 match u32 0 0 police rate 100kbit burst 10k drop flowid :2

Aggh just thought of something else - tempted to delete above, but will leave in case it works.

The thing is 2.4 and 2.6 (default config) use different policers. On 2.4 it hooks after PREROUTING and on 2.6 before. Maybe old policer + bridge isn't going to work for that reason.

Andy.
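The rate point made in the reply above ("Rates can't add up to more than parent rate/ceil"), as an added example that is not part of the original thread or of wondershaper: a small checker that reads `tc class add ... htb` lines and reports any class whose children are over-committed. The function names are hypothetical, the first sample is the class section of the quoted trace, and the second sample is constructed from the rates suggested in the reply with the remaining options assumed.

```python
import re
import shlex

UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000}

def to_bits(value):
    """Convert a tc rate such as '100kbit' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]+)", value.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unsupported rate: {value!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def arg(words, key):
    """Return the word following `key`, or None if the option is absent."""
    i = words.index(key) if key in words else -1
    return words[i + 1] if 0 <= i < len(words) - 1 else None

def parse_classes(script):
    """Collect parent, rate and ceil of every 'tc class add ... htb' line."""
    classes = {}
    for line in script.splitlines():
        words = shlex.split(line.lstrip("+ "))  # tolerate 'sh -x' prefixes
        if words[:3] != ["tc", "class", "add"] or "htb" not in words:
            continue
        rate = to_bits(arg(words, "rate"))
        ceil = arg(words, "ceil")
        classes[arg(words, "classid")] = {
            "parent": arg(words, "parent"),
            "rate": rate,
            "ceil": to_bits(ceil) if ceil else rate,  # HTB: ceil defaults to rate
        }
    return classes

def check_rates(script):
    """Return one message per over-committed parent or excessive child ceil."""
    classes = parse_classes(script)
    problems = []
    for cid, parent in classes.items():
        kids = {k: c for k, c in classes.items() if c["parent"] == cid}
        total = sum(c["rate"] for c in kids.values())
        if total > parent["rate"]:
            problems.append(f"{cid}: child rates sum to {total} bit/s, "
                            f"parent rate is {parent['rate']} bit/s")
        for kid, c in kids.items():
            if c["ceil"] > parent["ceil"]:
                problems.append(f"{kid}: ceil {c['ceil']} exceeds parent ceil")
    return problems

# Class lines as they appear in the 'sh -x wshaper.htb' trace quoted above.
WSHAPER = """\
+ tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit burst 6k
+ tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100kbit burst 6k prio 1
+ tc class add dev eth0 parent 1:1 classid 1:20 htb rate 90kbit burst 6k prio 2
+ tc class add dev eth0 parent 1:1 classid 1:30 htb rate 80kbit burst 6k prio 2
"""

# Constructed: the reply's suggested rate/ceil values, other options assumed.
SUGGESTED = """\
tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit burst 6k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 80kbit ceil 100kbit burst 6k prio 1
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 15kbit ceil 100kbit burst 6k prio 2
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 5kbit ceil 100kbit burst 6k prio 2
"""

if __name__ == "__main__":
    for name, script in (("wshaper.htb", WSHAPER), ("suggested", SUGGESTED)):
        print(name, check_rates(script) or "OK")
```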
Re: [LARTC] Linux DHPC
Hello,

You will also need to install the dhcp server to be able to assign IP addresses to others.

-nik

- Original Message -
From: Seye Omotoso [EMAIL PROTECTED]
To: lartc@mailman.ds9a.nl
Sent: Thursday, November 23, 2006 7:50 PM
Subject: [LARTC] Linux DHPC

Dear sir,

I am trying to install a Linux server using DHCP. I have downloaded the DHCP file and installed it. eth0 is the LAN point giving the Linux server its connection to the Internet and I want to configure eth1 to give DHCP to the clients. With the instructions I got from the Internet, I have to copy the conf file to /etc, which I have done. I want to add code to the conf file to make it DHCP but the code is not saving into the conf file in /etc. Meanwhile, when I finished installation I couldn't find the conf file but a 'configure' file, so I renamed 'configure' to 'conf'. What do you think I can do?

Thank you.
Sincerely,
Seye
RE: [LARTC] HTB GUI
Hi Alan,

> can anyone teach me what software to use to build a own web based GUI HTB software in Fedoracore ( Linux based) ? Thanks

That really is a very open question to be asking. There are so many different programming languages that can work with a web server; two that spring to mind are PHP and Perl. What may be of more benefit for you would be to visit each of the respective websites, www.php.net (PHP) or www.perl.com (Perl), and perhaps look at some of the examples on those sites. Depending on what you plan to do, PHP may be a better choice over Perl (I'm not going to argue with anyone here) or vice versa; it really comes down to your requirements and/or future requirements.

That said, I would probably suggest Perl as it has an extensive library of user contributed classes and code that is available from CPAN (www.cpan.org) and it is most likely that you will find something there that will allow you to finish your project sooner. You will also need to look at installing the apache web server module mod_perl in order to get your perl scripts working with apache. (Again, not arguing with anyone over this.)

As for teaching you how to build a web based GUI, I'm afraid I just don't have the time, but there are plenty of resources available on the internet that you can learn from, including IRC channels and websites to name just a few.

I hope this helps

Rangi

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of alan tan
Sent: Thursday, 23 November 2006 10:18 p.m.
To: lartc@mailman.ds9a.nl; lartc@mailman.ds9a.nl
Subject: [LARTC] HTB GUI

Hi,

I have many example of HTB GUI . All is already well developed, which discussed in this link http://mailman.ds9a.nl/pipermail/lartc/2005q1/014735.html . However, can anyone teach me what software to use to build a own web based GUI HTB software in Fedoracore ( Linux based) ?

Thanks
Regards
Alan
RE: [LARTC] HTB GUI
You might want to look into MasterShaper. It's a full tc/ip bandwidth shaper. The author of it is Unki. He's done the GUI in php, and uses some perl scripts to run the actual scripts on the system. He's currently working on a newer version, and I think it's supposed to support multiple wans.

Regards,
Mark

From: [EMAIL PROTECTED] [ mailto:[EMAIL PROTECTED]] On Behalf Of alan tan
Sent: Thursday, 23 November 2006 10:18 p.m.
To: lartc@mailman.ds9a.nl; lartc@mailman.ds9a.nl
Subject: [LARTC] HTB GUI

Hi,

I have many example of HTB GUI . All is already well developed, which discussed in this link. However, can anyone teach me what software to use to build a own web based GUI HTB software in Fedoracore ( Linux based) ?

Thanks
Regards
Alan