[LARTC] Route-map Linux for ssh traffic
Hi guys, I have a question about route-maps with Linux. I have two Linux routers, one for Internet traffic and the other for VPN traffic; both routers have public IP addresses.

    Internet with nat                 VPN with nat
    eth0 200.244.10.1                 eth0 200.244.10.2
    eth1 10.10.1.1       gw1          eth1 10.10.1.254      gw2

I have created the following route-map:

    echo 100 gw2 >> /etc/iproute2/rt_tables
    ip route add default via 10.10.1.254 table gw2 proto static
    ip rule add from 10.10.1.5 table gw2

where 10.10.1.5 is my computer. The public IP addresses are fictitious.

With this configuration my PC goes out to the Internet via gw2, and my PC is NATed with the public IP 200.244.10.2. But I need to change it: I need my PC to go out via gw2 only for ssh traffic, so I changed my rules:

    echo 100 gw2 >> /etc/iproute2/rt_tables
    ip route add default via 10.10.1.254 table gw2 proto static
    ip rule add from all fwmark 1 table gw2
    iptables -I PREROUTING -t mangle -i eth1 -s 10.10.1.5 -p tcp --dport 22 -j MARK --set-mark 1

However, it does not work, because when I make an ssh connection to a remote host, I can see that I am NATed with the IP 200.244.10.1.

Can anyone help me with this configuration? Excuse me for my English.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
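The mark-based variant from the second attempt above, as an added example that is not code from the post: a script that registers the table in rt_tables only once (the post appends a line on every run), uses "replace" and delete-before-add so it can be re-run safely, and prints the commands instead of executing them when DRY_RUN=1. The addresses, interface and port are the post's; the function names, the DRY_RUN switch and the "apply" argument are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the post above: the mark-based policy routing
# from the second attempt, written so that it can be re-run without leaving
# duplicate entries behind. The post appends "100 gw2" to rt_tables on every
# run; ensure_rt_table adds the entry only when it is missing, and the
# "ip rule" / iptables steps delete any earlier copy before adding a new one.
# Addresses and interface names are the ones given in the post; the variable
# names, DRY_RUN switch and "apply" argument are this script's own.

LAN_IF="${LAN_IF:-eth1}"
CLIENT="${CLIENT:-10.10.1.5}"
GW2="${GW2:-10.10.1.254}"
TABLE_ID="${TABLE_ID:-100}"
TABLE_NAME="${TABLE_NAME:-gw2}"
MARK="${MARK:-1}"
PORT="${PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rt_table FILE ID NAME: register the routing table once (idempotent).
# FILE is a parameter so the function can be exercised on a scratch file.
ensure_rt_table() {
    file=$1; id=$2; name=$3
    if grep -Eq "^[[:space:]]*$id[[:space:]]+$name([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# policy_route_port: send CLIENT's TCP traffic to PORT out through GW2 by
# marking it in mangle/PREROUTING and routing marked packets via TABLE_NAME.
policy_route_port() {
    # "replace" is idempotent where "add" fails on the second run.
    run ip route replace default via "$GW2" table "$TABLE_NAME" proto static
    # "ip rule add" is not idempotent: remove an earlier copy first.
    run ip rule del fwmark "$MARK" table "$TABLE_NAME" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE_NAME"
    # Same for the mangle rule: delete a matching rule if present, then insert.
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -s "$CLIENT" \
        -p tcp --dport "$PORT" -j MARK --set-mark "$MARK" 2>/dev/null || true
    run iptables -t mangle -I PREROUTING -i "$LAN_IF" -s "$CLIENT" \
        -p tcp --dport "$PORT" -j MARK --set-mark "$MARK"
}

# Apply only when invoked explicitly: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    run ensure_rt_table /etc/iproute2/rt_tables "$TABLE_ID" "$TABLE_NAME"
    policy_route_port
fi
```

With `DRY_RUN=1 sh thisscript.sh apply` the commands are printed rather than executed. On the router itself, `ip route get DEST from 10.10.1.5 iif eth1 mark 1` shows the table and gateway a marked packet would be routed by, and `iptables -t mangle -L PREROUTING -v -n` shows whether the MARK rule's counters move during an ssh connection; together they separate a routing problem from a marking problem.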
[LARTC] htb: rate bigger then ceil
Hi, we have upgraded a gateway machine for our network and suddenly shaping doesn't work as it used to. Before the upgrade the traffic was shaped correctly: both OUTPUT and FORWARD packets shared the same class and it just worked. But now only FORWARD packets are shaped; OUTPUT uses the whole line bandwidth.

This is a piece of output from tc -s class show dev eth1:

    class htb 1:894 parent 1:257 leaf 894: prio 1 rate 32000bit ceil 32bit burst 16Kb cburst 1759b
     Sent 10360881 bytes 1470 pkt (dropped 0, overlimits 0 requeues 0)
     rate Kbit 18pps backlog 0b 11p requeues 0
     lended: 181 borrowed: 1278 giants: 1039
     tokens: -1198082 ctokens: -32358

Class 1:894 is a leaf; 1:257 has two children, both leaves (the sum of the children's rates equals 1:257's rate). By FORWARD I mean packets that are forwarded by the machine, and by OUTPUT packets that are generated by the machine.

The new configuration is a Core 2 Duo, kernel 2.6.17.13-smp and utils from Slackware. The previous one was something like a Duron with a non-smp 2.4 kernel.

So the question is: what am I missing? How is it possible that the rate is much bigger than the ceil in a leaf class?

Thanks,
David Brodsky
[LARTC] Little problem with ifb. How to catch server traffic on IFB...
I've a network with NATed hosts. I want to catch only the traffic going from my server, but I don't want to catch the NATed traffic from the LAN. I need only traffic going from/to my server (traffic from the INPUT and OUTPUT chains in iptables), like SSH, postfix, WWW or proxy.

This throws all traffic from my LAN to IFB:

    $TC qdisc add dev $iface_lan handle : ingress
    $TC qdisc add dev $iface_lan root handle 1:0 htb
    #Incoming traffic...
    $TC filter add dev $iface_lan parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.0.0/16 flowid 1:1 action mirred egress redirect dev ifb0
    #Outgoing traffic...
    $TC filter add dev $iface_lan parent : protocol ip prio 1 u32 match ip src 192.168.0.0/16 flowid 1:1 action mirred egress redirect dev ifb1

I need some rules to throw all traffic from my server to ifb. These rules throw all traffic from my router, including all the NATed LAN traffic... And there is no way to filter this traffic :/

    $TC qdisc add dev $iface_wan handle : ingress
    $TC qdisc add dev $iface_wan root handle 1:0 htb
    #Incoming traffic...
    $TC filter add dev $iface_wan parent : protocol ip prio 1 u32 match ip dst $server_external_IP flowid 1:1 action mirred egress redirect dev ifb0
    #Outgoing traffic...
    $TC filter add dev $iface_wan parent 1:0 protocol ip prio 1 u32 match ip src $server_external_IP flowid 1:1 action mirred egress redirect dev ifb1

I need some help... Is there any possibility to do this? How do I catch packets which are not from/to the LAN on the WAN interface?
[LARTC] tc statistics
Hi Gang,

I'm still experiencing some bandwidth starvation with my script (below), so I decided to look at the statistics by using:

    tc -s qdisc show dev eth0

(where eth0 is the interface on which I'm trying to rate-limit outbound packets). I get, for example:

    qdisc sfq 21: quantum 1514b perturb 10sec
     Sent 133527926 bytes 413260 pkts (dropped 0, overlimits 0)
    qdisc sfq 20: quantum 1514b perturb 10sec
     Sent 42622473 bytes 184396 pkts (dropped 0, overlimits 0)
    qdisc htb 1: r2q 10 default 21 direct_packets_stat 0
     Sent 176150399 bytes 597656 pkts (dropped 0, overlimits 137379)

On first appearance, I would think this is telling me that the overall limiting is kicking in, and I'm not limiting specifically in class 21 (which is where I want the limiting).

Here's my script:

    tc qdisc del dev eth0 root
    tc qdisc add dev eth0 root handle 1: htb default 21
    tc class add dev eth0 parent 1: classid 1:1 htb rate 370kbit
    tc class add dev eth0 parent 1:1 classid 1:20 htb prio 0 rate 100kbit
    tc class add dev eth0 parent 1:1 classid 1:21 htb prio 1 rate 200kbit ceil 370kbit
    tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
    tc qdisc add dev eth0 parent 1:21 handle 21: sfq perturb 10

    # Set high priority for a certain destination IP address:
    tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
        match ip dst 147.135.2.0/24 flowid 1:20

    # Set high priority for <64 byte packets:
    tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
        match ip protocol 6 0xff \
        match u8 0x05 0x0f at 0 \
        match u16 0x 0xffc0 at 2 \
        match u8 0x10 0xff at 33 \
        flowid 1:20

    # Set high priority for ICMP packets:
    tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
        match ip protocol 1 0xff \
        flowid 1:20

    # Set high priority for UDP packets (hopefully all VOIP!):
    tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
        match ip protocol 17 0xff \
        flowid 1:20

Am I reading this incorrectly?

Bob
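Both this question and the "rate bigger than ceil" post above end up reading raw tc -s output by eye. As an added example, not code from either post, the following checker reads that output from stdin and prints one line per condition worth a look: a configured ceil below the rate, an observed rate above the ceil, giants (packets larger than the class mtu, which the HTB rate table then misjudges), drops, and the share of packets that hit overlimits. The sample is constructed from the figures in the two posts (the missing number on the "rate ... 18pps" line is filled with a made-up 48Kbit); the function and variable names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the posts above: a small checker for "tc -s class
# show" / "tc -s qdisc show" output. It reads the statistics from stdin and
# prints one line per condition worth a look. The sample below is constructed
# from the two posts (the missing figure on the "rate ... 18pps" line is a
# made-up 48Kbit); function and variable names are this script's own.

check_htb_stats() {
    awk '
    # to_bits("32Kbit") -> 32000; tc prints bit, Kbit, Mbit, Gbit for rates.
    function to_bits(s,    n, u) {
        if (!match(s, /^[0-9.]+/)) return -1
        n = substr(s, 1, RLENGTH); u = substr(s, RLENGTH + 1)
        if (u == "bit")  return n + 0
        if (u == "Kbit") return n * 1000
        if (u == "Mbit") return n * 1000000
        if (u == "Gbit") return n * 1000000000
        return -1
    }
    # report(): print findings for the record collected so far, then reset.
    function report() {
        if (id == "") return
        if (cfg_rate > 0 && cfg_ceil > 0 && cfg_ceil < cfg_rate)
            printf "%s: configured ceil %s is below rate %s\n", id, ceil_s, rate_s
        if (obs_rate > 0 && cfg_ceil > 0 && obs_rate > cfg_ceil)
            printf "%s: observed rate %s exceeds ceil %s\n", id, obs_s, ceil_s
        if (giants > 0)
            printf "%s: %d giants (packets larger than the class mtu)\n", id, giants
        if (dropped > 0)
            printf "%s: %d of %d packets dropped\n", id, dropped, sent_pkts
        if (sent_pkts > 0 && overlimits > 0)
            printf "%s: overlimits %d (%.1f%% of packets)\n", id, overlimits, 100 * overlimits / sent_pkts
        id = ""; cfg_rate = cfg_ceil = obs_rate = giants = dropped = overlimits = sent_pkts = 0
    }
    # A "class ..." or "qdisc ..." header starts a record; pick up the
    # configured rate and ceil from it.
    /^(class|qdisc) / {
        report()
        id = $3 " (" $1 " " $2 ")"
        for (i = 4; i <= NF; i++) {
            if ($i == "rate") { rate_s = $(i + 1); cfg_rate = to_bits(rate_s) }
            if ($i == "ceil") { ceil_s = $(i + 1); cfg_ceil = to_bits(ceil_s) }
        }
        next
    }
    # " Sent N bytes M pkt (dropped D, overlimits O ...)": the trailing
    # "," and ")" are ignored by awk when it converts the field to a number.
    /^ *Sent / {
        sent_pkts = $4 + 0
        for (i = 1; i <= NF; i++) {
            if ($i == "(dropped")   dropped = $(i + 1) + 0
            if ($i == "overlimits") overlimits = $(i + 1) + 0
        }
        next
    }
    # " rate 48Kbit 18pps ...": the measured rate over the last interval.
    /^ *rate / { obs_s = $2; obs_rate = to_bits(obs_s); next }
    /giants:/  { for (i = 1; i <= NF; i++) if ($i == "giants:") giants = $(i + 1) + 0 }
    END { report() }
    '
}

# Constructed sample in the layout tc prints; the figures follow the two posts.
SAMPLE_TC_OUTPUT=$(cat <<'EOF'
class htb 1:894 parent 1:257 leaf 894: prio 1 rate 32000bit ceil 32bit burst 16Kb cburst 1759b
 Sent 10360881 bytes 1470 pkt (dropped 0, overlimits 0 requeues 0)
 rate 48Kbit 18pps backlog 0b 11p requeues 0
 lended: 181 borrowed: 1278 giants: 1039
 tokens: -1198082 ctokens: -32358
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 100Kbit ceil 370Kbit burst 1600b cburst 1600b
 Sent 5000000 bytes 4000 pkt (dropped 12, overlimits 300 requeues 0)
 rate 80Kbit 10pps backlog 0b 0p requeues 0
 lended: 3800 borrowed: 200 giants: 0
qdisc htb 1: r2q 10 default 21 direct_packets_stat 0
 Sent 176150399 bytes 597656 pkts (dropped 0, overlimits 137379)
EOF
)

# Demo on the sample:  sh thisscript.sh demo
# Live use:            tc -s class show dev eth1 | check_htb_stats
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_TC_OUTPUT" | check_htb_stats
fi
```

On the sample the checker reports, for 1:894, a ceil below the rate, an observed rate above the ceil and 1039 giants, and, for the root htb qdisc, that 23% of all packets hit overlimits while the sfq leaves show none; that is the split between "the root is limiting" and "a leaf is limiting" that the question above is trying to read off the counters. Overlimits on the root qdisc of an HTB tree count packets held back by any class, so the per-class output (tc -s class show) is the one that says which class.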
Re: [LARTC] IP rate or Ethernet rate ?
Yes, I want to know if the rate counter is calculated with the Ethernet frame or only the IP frame. When I put a ceil in Kbit/s on an HTB class, is it the Ethernet rate or the IP rate?

2007/2/12, Alexandru Dragoi <[EMAIL PROTECTED]>:
> Andrew Beverley wrote:
> > > Just a question, the rate values used to configure a class, are they an
> > > IP rate or an Ethernet rate?
> >
> > Do you mean is the rate per IP address or for the whole of the
> > interface? If so, then the rate is the total for that interface.
>
> I think he meant if rates are applied counting the whole Ethernet
> frame (ip packet + 14 bytes).
Re: [LARTC] IP rate or Ethernet rate ?
On Mon, 2007-02-12 at 14:53 +0200, Alexandru Dragoi wrote:
> Andrew Beverley wrote:
> > > Just a question, the rate values used to configure a class, are they an
> > > IP rate or an Ethernet rate?
> >
> > Do you mean is the rate per IP address or for the whole of the
> > interface? If so, then the rate is the total for that interface.
>
> I think he meant if rates are applied counting the whole Ethernet
> frame (ip packet + 14 bytes).

In which case I've got no idea, but it works for me :)
Re: [LARTC] IP rate or Ethernet rate ?
Andrew Beverley wrote:
> > Just a question, the rate values used to configure a class, are they an
> > IP rate or an Ethernet rate?
>
> Do you mean is the rate per IP address or for the whole of the
> interface? If so, then the rate is the total for that interface.

I think he meant if rates are applied counting the whole Ethernet frame (ip packet + 14 bytes).
[LARTC] Page allocation failure
Hi list,

I have a very strange problem with my network. I have 2 internet connections: A - 1 Gbit, B - 100Mbps.

Network layout:

       A, B
       |  |
      [Brd1]
      /    \
    [L1]  [L2]
      \    /
      [GW1]
       ...
     Clients

Brd1 runs bgpd and balances the traffic through L1 and L2. L1 and L2 do traffic shaping. GW1 does some packet filtering and balances the traffic through L1 and L2. Every interface is gigabit (Realtek NICs). I'm using IMQ on L1 and L2 to separate the traffic into 2 zones, international and local, with HTB for shaping.

The system works fine for some time, but when the traffic hits 200Mbps, and occasionally bursts to 250-300Mbps, L1 and L2 behave strangely (packet loss > 30%, increased latency +20ms); sometimes they even hang, leaving me with the only solution: rebooting them. I've checked the CPU usage; it stays around 80% during the highest traffic.

I've examined the logs, and here is what I've found:

    Feb 11 08:04:05 l1 kernel: cpu 0 cold: low 0, high 0, batch 1 used:0
    Feb 11 08:04:05 l1 kernel: DMA32 per-cpu: empty
    Feb 11 08:04:05 l1 kernel: Normal per-cpu:
    Feb 11 08:04:05 l1 kernel: cpu 0 hot: low 0, high 186, batch 31 used:79
    Feb 11 08:04:05 l1 kernel: cpu 0 cold: low 0, high 62, batch 15 used:52
    Feb 11 08:04:05 l1 kernel: HighMem per-cpu: empty
    Feb 11 08:04:05 l1 kernel: Free pages:3032kB (0kB HighMem)
    Feb 11 08:04:05 l1 kernel: Active:15050 inactive:8995 dirty:0 writeback:0 unstable:0 free:758 slab:102918 mapped:3203 pagetables:101
    Feb 11 08:04:05 l1 kernel: DMA free:2016kB min:88kB low:108kB high:132kB active:28kB inactive:1092kB present:16384kB pages_scanned:0 all_unreclaimable? no
    Feb 11 08:04:05 l1 kernel: lowmem_reserve[]: 0 0 495 495
    Feb 11 08:04:05 l1 kernel: DMA32 free:0kB min:0kB low:0kB high:0kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
    Feb 11 08:04:05 l1 kernel: lowmem_reserve[]: 0 0 495 495
    Feb 11 08:04:05 l1 kernel: Normal free:1016kB min:2800kB low:3500kB high:4200kB active:60172kB inactive:34888kB present:507584kB pages_scanned:0 all_unreclaimable? no
    Feb 11 08:04:05 l1 kernel: lowmem_reserve[]: 0 0 0 0
    Feb 11 08:04:05 l1 kernel: HighMem free:0kB min:128kB low:128kB high:128kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
    Feb 11 08:04:05 l1 kernel: lowmem_reserve[]: 0 0 0 0
    ...
    Feb 11 08:04:05 l1 kernel: Swap cache: add 0, delete 0, find 0/0, race 0+0
    Feb 11 08:04:05 l1 kernel: Free swap = 987956kB
    Feb 11 08:04:05 l1 kernel: Total swap = 987956kB
    Feb 11 08:04:05 l1 kernel: Free swap: 987956kB
    Feb 11 08:04:05 l1 kernel: 130992 pages of RAM
    Feb 11 08:04:05 l1 kernel: 0 pages of HIGHMEM
    Feb 11 08:04:05 l1 kernel: 2137 reserved pages
    Feb 11 08:04:05 l1 kernel: 28840 pages shared
    Feb 11 08:04:05 l1 kernel: 0 pages swap cached
    Feb 11 08:04:05 l1 kernel: 0 pages dirty
    Feb 11 08:04:05 l1 kernel: 0 pages writeback
    Feb 11 08:04:05 l1 kernel: 3203 pages mapped
    Feb 11 08:04:05 l1 kernel: 102918 pages slab
    Feb 11 08:04:05 l1 kernel: 101 pages pagetables
    Feb 11 08:04:05 l1 kernel: ksoftirqd/0: page allocation failure. order:0, mode:0x20
    Feb 11 08:04:05 l1 kernel: [] __alloc_pages+0x1e6/0x2b0
    Feb 11 08:04:05 l1 kernel: [] kmem_getpages+0x30/0x90
    Feb 11 08:04:05 l1 kernel: [] cache_grow+0x8c/0x120
    Feb 11 08:04:05 l1 kernel: [] cache_alloc_refill+0x11f/0x1d0
    Feb 11 08:04:05 l1 kernel: [] __kmalloc+0x4f/0x60
    Feb 11 08:04:05 l1 kernel: [] __alloc_skb+0x40/0x130
    Feb 11 08:04:05 l1 kernel: [] e1000_alloc_rx_buffers+0x60/0x360
    Feb 11 08:04:05 l1 kernel: [] e1000_clean_rx_irq+0x1d3/0x4a0
    Feb 11 08:04:05 l1 kernel: [] rtl8169_rx_fill+0x5b/0x70
    Feb 11 08:04:05 l1 kernel: [] e1000_clean+0x9a/0x150
    Feb 11 08:04:05 l1 kernel: [] ksoftirqd+0x0/0x80
    Feb 11 08:04:05 l1 kernel: [] net_rx_action+0x61/0xe0
    Feb 11 08:04:05 l1 kernel: [] __do_softirq+0x79/0x90
    Feb 11 08:04:05 l1 kernel: [] do_softirq+0x26/0x30
    Feb 11 08:04:05 l1 kernel: [] ksoftirqd+0x4d/0x80
    Feb 11 08:04:05 l1 kernel: [] kthread+0x9c/0xb0
    Feb 11 08:04:05 l1 kernel: [] kthread+0x0/0xb0
    Feb 11 08:04:05 l1 kernel: [] kernel_thread_helper+0x5/0x10

And it continues like this for a long, long time.

Does anybody know what's wrong, or how I can fix this?

Thanks.
Andrei SANDU.
Re: [LARTC] Equalize traffic within 1 class.
> I need to know how to equalize traffic within 1 class.
> I have so many bulk users within 1 class and I should equalize traffic to
> their nodes so they get fair traffic. Is SFQ able to handle this?

You need the ESFQ patch. Check the archives for more information, as it's just been discussed in the past day or two.
Re: [LARTC] IP rate or Ethernet rate ?
> Just a question, the rate values used to configure a class, are they an
> IP rate or an Ethernet rate?

Do you mean is the rate per IP address or for the whole of the interface? If so, then the rate is the total for that interface.
Re: [LARTC] DGD patch not detecting dead gateway
Manish Kathuria wrote:
> On 2/8/07, Tom Lobato <[EMAIL PROTECTED]> wrote:
> > Thank you for the script. I'm trying it. Well, I made a simple
> > modification and would like to hear opinions. Until now, I just added
> > one more TESTIP, so I'm pinging one IP for each link. Also I'm using
> > the IP instead of the name address, and used the DNS IP of each
> > provider for the ping. I made this because the ping to external sites
> > (yahoo, google) is too slow here, mainly when the link is under heavy
> > load. So I'm afraid it can try to ping without success and "think"
> > the link is down.
>
> I just used a popular external site because it may happen that
> connectivity from your location to the provider's DNS is there but the
> provider's link with the rest of the internet is down, so even if you
> get a successful ping reply, the link isn't working in the real sense.

Ok, I noted here my DNS server blocks pings (!) so I'm also using a site now.

> Also, I preferred using a name instead of an IP address because there
> could be multiple IP addresses associated with the site name and they
> can change too. But I don't see anything wrong in your approach.
>
> What do you mean by slow? I don't think ping reply time should be an
> issue. We are more concerned with the success. Obviously, it should
> not time out.

I agree, but here "slow == timeout" =)

I'm suspecting the adsl modem is the problem. I have two dynamic IP links, adsl/pppoe 400kbps and cable-modem/dhcp 4Mbps. Anyway, I changed my mind and will connect the links directly to Linux (no routers), with the drawback of not having fixed IP/GW/MASK/NETs, but with the advantages of needing no routers, needing no port forwarding in routers, a more self-sufficient solution. So, I'm using your script as a base (although I had made another, I liked yours), making scripts for dhcp and pppoe create files with connection info, from where it reads data to set up the LB. If anyone else wants it, tell me and I'll send a mail.

> > I know I could apply the patches and these scripts would be much
> > simpler too, but the patch does not detect the failure if it is beyond
> > the gateway.
>
> The ping reply times I get here for sites like www.yahoo.com and
> www.google.com are to the tune of 300 ms.

Here, without any internet use from the local net, I get ~150ms for both. So, really, it appears I have another problem, not ping delay. Maybe too much load on the adsl link, although I set weights 10 for the cable link and 1 for adsl.

Tom Lobato
[LARTC] IP rate or Ethernet rate ?
Hi,

Just a question: the rate values used to configure a class, are they an IP rate or an Ethernet rate?

Thanks,
Edouard.