RE: [LARTC] List fault?

2011-05-04 Thread Alex Samad
+1

-Original Message-
From: lartc-boun...@mailman.ds9a.nl [mailto:lartc-boun...@mailman.ds9a.nl] On 
Behalf Of Russell Stuart
Sent: Thursday, 5 May 2011 9:41 AM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] List fault?

On Wed, 2011-05-04 at 14:24 -0500, Grant Taylor wrote: 
 All in favor?
 
 Any one against?

In favour.


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc



Re: [LARTC] PAT HOW to - IPTABLES

2007-12-11 Thread Alex Samad
On Tue, Dec 11, 2007 at 12:19:22AM +0100, Radek 'Goblin' Pieczonka wrote:

 Suppose, I have 3  mail servers @ DMZ zone with one real ip. the situation
 as before?

 in that case, What can I do?
 
 you could use exim/postfix and route the mail to the right server, but I 
 guess you are trying to find out how to have port 25 on the real ip nat'ed 
 to one of the 3 dmz'ed ip based upon the destination mail address

 short answer you can't as far as I know, iptables only looks at src ip / 
 src port & dest ip/dest port.  You could write your own plugin module to 
 look into the tcp stream.
   

 based upon destination email address/domain could be done by postfix and 
 transports for selected mail/domain to selected server. but there is also a 
 possibility of load balancing and failover for a set of domains with all 
 servers working with all the domains for HA and flexibility of computing 
 power, then I'd say take a look at keepalived for both those features. for 
 http traffic it's actually the same, and also you can consider the apache 
 reverse proxy feature.
he only has 1 real ip

[silly idea]
of course could be really tricky and use an ipv6 to ipv4 address and name all 
the dmz servers with ipv6 (in dns as well), really relying upon clients to be 
ipv6 enabled
[/silly idea]


 -- 
 Radek aka Goblin





Re: [LARTC] PAT HOW to - IPTABLES

2007-12-10 Thread Alex Samad
On Mon, Dec 10, 2007 at 04:09:52PM +0530, Indunil Jayasooriya wrote:
 
 
 
  see cache_peer !!
 
  squid can load balance between 3 servers and cache it !!
 
  run squid on your box with real ip..
 
  Thanks for your quick answer. I know about reverse proxy. I wanted to know
  that without squid, whether iptables it self can handle this situation.
 
 
 Suppose, I have 3  mail servers @ DMZ zone with one real ip. the situation
 as before?
 
 in that case, What can I do?
you could use exim/postfix and route the mail to the right server, but I guess 
you are trying to find out how to have port 25 on the real ip nat'ed to one of 
the 3 dmz'ed ip based upon the destination mail address

short answer you can't as far as I know, iptables only looks at src ip / src 
port & dest ip/dest port.  You could write your own plugin module to look into 
the tcp stream.

 
 
 Hope to hear from you.
 
 
 -- 
 Thank you
 Indunil Jayasooriya






[LARTC] Bandwith vsatl - not static

2007-12-06 Thread Alex Segura N.
I have an existential problem.

There are some providers that offer an asymmetric bandwidth service, as a
download/upload link of for example 512/256, but most of them do not offer
this amount of transmission or reception capacity exclusively. They usually
offer the service shared with more users at a ratio of 1/10.

How can I design an appropriate diagram with htb where the amount of
bandwidth could vary?

I have an idea where I can create a pattern as:

Main Link

Parent

Child A   Child B   Child C   Child X

Where X is the amount of bandwidth that could vary? And it changes in periods
of time, as from 8:00am - 12:00pm bandwidth 200kbps and from 12:00pm-16:00pm
100 kbps. And so on. Depending on the statistics, I assume.

And reload the script several times with cron.

Does anyone know a better way?

Regards.

 

-- 
Alex Segura N.

Jefe de Proyectos Redes - VoIP

[EMAIL PROTECTED]
http://www.kernellinux.com
Peru
T: Peru-Lima  : 51-1-4529526Nextel : 400*5698
T: Personal   : 51-1-9412*3550  Nextel : 412*3550
T: Personal Movil :  51-1-98415454

***
The information in this message may be proprietary and/or confidential, 
and protected from disclosure. If the reader of this message is not the 
intended  recipient, or an employee or agent responsible for delivering 
this message to the intended recipient, you are hereby notified that any 
dissemination, distribution or copying of this communication is strictly 
prohibited. If you  have received this communication in error, please 
notify KERNELLINUX  immediately by replying to this message and deleting 
it from your computer.
*

 

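A scheduled-rate approach in Python, added here as an example and not code from the original post: instead of reloading the whole tc script from cron, compute the rate the link really delivers for the current hour and issue `tc class change` on the parent and its children, keeping the HTB requirement that the child rates add up to no more than the parent rate. The interface `eth0`, the classids `1:1`, `1:10`, `1:20` and `1:30`, the child weights and the `DEFAULT_KBPS` fallback are assumptions, not values from the post; the two time windows are the ones the post gives.

```python
import subprocess
import sys
from datetime import datetime
from typing import Dict, List, Tuple

# Assumptions (not from the original post): interface and HTB classids.
DEV = "eth0"
PARENT_CLASSID = "1:1"
# Child classes and their relative weight for sharing whatever the parent gets.
CHILDREN: Dict[str, int] = {"1:10": 2, "1:20": 1, "1:30": 1}
# Time windows from the post: (start hour inclusive, end hour exclusive, kbit/s).
SCHEDULE: List[Tuple[int, int, int]] = [(8, 12, 200), (12, 16, 100)]
DEFAULT_KBPS = 150  # assumed rate outside the listed windows


def rate_for_hour(hour: int) -> int:
    """Return the parent rate (kbit/s) that applies at the given hour of day."""
    for start, end, kbps in SCHEDULE:
        if start <= hour < end:
            return kbps
    return DEFAULT_KBPS


def split_rate(parent_kbps: int, children: Dict[str, int]) -> Dict[str, int]:
    """Divide the parent rate among the children by weight.

    Integer division rounds down, so the child rates never add up to more
    than the parent rate, which HTB needs for its guarantees to hold.
    """
    total = sum(children.values())
    rates = {cid: parent_kbps * w // total for cid, w in children.items()}
    if sum(rates.values()) > parent_kbps:
        raise ValueError("child rates exceed parent rate")
    return rates


def tc_change_commands(hour: int) -> List[str]:
    """Build the tc commands that retune an existing HTB tree for this hour.

    `tc class change` keeps the classes, their leaf qdiscs and filters in
    place; only rate/ceil are replaced, so shaping never lapses while the
    new values are applied.
    """
    parent = rate_for_hour(hour)
    cmds = [
        f"tc class change dev {DEV} parent 1: classid {PARENT_CLASSID} "
        f"htb rate {parent}kbit ceil {parent}kbit"
    ]
    for cid, kbps in split_rate(parent, CHILDREN).items():
        # Children may borrow up to the whole parent rate when siblings are idle.
        cmds.append(
            f"tc class change dev {DEV} parent {PARENT_CLASSID} classid {cid} "
            f"htb rate {kbps}kbit ceil {parent}kbit"
        )
    return cmds


def apply(cmds: List[str]) -> None:
    """Run the commands; cron calls this script hourly with --apply (needs root)."""
    for cmd in cmds:
        subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    commands = tc_change_commands(datetime.now().hour)
    if "--apply" in sys.argv:
        apply(commands)
    else:
        print("\n".join(commands))
```

Run without `--apply` to see the commands for the current hour; a cron line such as `0 * * * * python3 /usr/local/sbin/htb-sched.py --apply` (path assumed) applies them at the top of each hour. The schedule itself is only as good as the measurements behind it, so it is worth recording the actual throughput per window before trusting the numbers.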


Re: [LARTC] One machine, two net feeds, outbound route selection

2007-10-25 Thread Alex Samad
On Thu, Oct 25, 2007 at 02:00:14PM -0400, Ben Scott wrote:
 On 10/25/07, Peter Rabbitson [EMAIL PROTECTED] wrote:
  Unfortunately not easy without doing local NAT (from the local interface
  to another local interface).

Can you use marking: mark the packet in the mangle table, use iptables to select 
which packets, and then use ip rule fwmark -> routing table (sorry about 
the syntax)



 
   I thought that might be the case.  I even started to write a rule
 about how the NAT might work... but then I ran into brain pain trying
 to figure out how, because I didn't know when the packets get what
 address/interface info assigned to them, and I didn't know how SNAT
 would interact with the routing tables.  Normally, I do SNAT in the
 POSTROUTING chain, but by then the routing rules have already run,
 right?  So the packet would still be bound for the wrong interface,
 even if the source address is translated.  No?
 
   In other words, let's say $DEF_ADDR is the IP address of the
 interface that is going to be picked by the default routing table, but
 I really want the packets to go out the $ALT_ADDR interface.  So I try
 this:
 
 iptables -t nat -A POSTROUTING -s $DEF_ADDR -p tcp --dport smtp -j SNAT --to $ALT_ADDR
 
   But the whole point of changing the source address/interface is to
 influence which routing rules match, and those have already been
 applied by the time the packet traverses the POSTROUTING chain,
 right?  In any event, that didn't work.
 
   So then I thought, well, maybe I can do SNAT in the PREROUTING chain
 for this?  But in that case, the kernel won't have assigned it an
 address yet, right?  So there's nothing to SNAT.  And I can't do -s
 0/0 because that actually means match all packets, right?
 
   So then I thought, well, maybe I can mark the packet in the OUTPUT
 chain of the mangle table, and match that in the routing rules, and
 *also* match that in the POSTROUTING chain:
 
 iptables -t mangle -A OUTPUT -s $DEF_ADDR -p tcp --dport smtp -j MARK --set-mark 42
 ip rule add fwmark 42 table 42
 iptables -t nat -A POSTROUTING -m mark --mark 42 -j SNAT --to-source $ALT_ADDR
 
   I think I tried that and it didn't work either.  It was getting late
 and my maintenance window was closing and my brain hurt.
 
   If this is just one of those "you can't do that" situations, I'm
 willing to accept that answer.  But if there is a way, I'd like to
 know what it is.  :)
 
 -- Ben




Re: [LARTC] Routing public IP's through a gateway

2007-10-14 Thread Alex Samad
On Sun, Oct 14, 2007 at 11:07:10PM +1000, Tim Groeneveld wrote:
 Greeting all,
 
 I have a bit of a complicated question.
 
 I have two ethernet devices, eth1 and eth2.
 
 eth1 is where my internet comes from. It is in the form of 
 202.172.122.208/29. 
 It has another IP range, 202.172.122.72/29. What I want to be able to do is 
 route 202.172.122.72/29 to eth2, so that other machines can use those IPs, 
 any ideas on how to do this, I cannot work out how to do this.
You haven't made it too clear what exactly you are trying to do; from what I 
gather this should work on your linux box


ip route add 202.172.122.72/29 dev eth2

Does your isp route 202.172.122.72/29 to you ?

 
 eth2 has a DHCP server, which only gives out IPs 202.172.122.74 to 
 202.172.122.76.
 
 eth1 is basically just hooked into my internet router, while eth2 is hooked 
 into a switch, and will be used for other computers.
 
 If anyone could help me with this setup, I would more then appreciate it.
 
 Thank you very much,
 
  - Tim Groeneveld
 
 --
 
 Need hosting for your next Open Source project? why not try ShareSource? 
 www.sharesource.org








[LARTC] scrapting data from tc rules

2007-10-12 Thread Alex Samad
Hi

Currently I use snmp to scrape information from my router about its interfaces; 
does anyone have an easy way of scraping information from tc rules to place 
into an rrd db?

Do I need to put together a perl script to extract it from the output?

Alex


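A collector in Python, added here as an example and not code from the original post: it parses the counters out of `tc -s class show dev <dev>` and turns them into `rrdtool update` arguments, which is the job the post's hypothetical perl script would do. The sample output below is constructed to follow the format tc prints for HTB classes (it is not a capture from a real box); the RRD directory `/var/lib/rrd` and the file naming are assumptions.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `tc -s class show dev eth0` for an HTB tree; not a real capture.
SAMPLE_TC_OUTPUT = """\
class htb 1:1 root rate 1000Kbit ceil 1000Kbit burst 1600b cburst 1600b
 Sent 123456 bytes 789 pkt (dropped 0, overlimits 12 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 200000 ctokens: 200000

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 512Kbit ceil 1000Kbit burst 1600b cburst 1600b
 Sent 98765 bytes 654 pkt (dropped 3, overlimits 7 requeues 0)
 rate 12Kbit 4pps backlog 0b 0p requeues 0
 lended: 600 borrowed: 54 giants: 0
 tokens: 180000 ctokens: 190000

class htb 1:20 parent 1:1 leaf 20: prio 1 rate 256Kbit ceil 1000Kbit burst 1600b cburst 1600b
 Sent 4321 bytes 55 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 55 borrowed: 0 giants: 0
 tokens: 200000 ctokens: 200000
"""

CLASS_RE = re.compile(r"^class (\S+) (\S+)")
SENT_RE = re.compile(
    r"^\s*Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+) requeues (\d+)\)"
)


def parse_tc_class_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Map each classid to its cumulative counters from `tc -s class show` output."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(2)  # e.g. "1:10"; group(1) is the qdisc kind (htb)
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            sent_bytes, pkts, dropped, overlimits, requeues = (int(x) for x in m.groups())
            stats[current] = {
                "bytes": sent_bytes,
                "packets": pkts,
                "dropped": dropped,
                "overlimits": overlimits,
                "requeues": requeues,
            }
    return stats


def rrd_update_args(dev: str, stats: Dict[str, Dict[str, int]],
                    rrd_dir: str = "/var/lib/rrd") -> List[List[str]]:
    """One `rrdtool update` argv per class (rrd_dir and naming are assumptions).

    The counters are cumulative, so the RRD data sources should be of type
    COUNTER (or DERIVE); rrdtool then turns them into per-second rates.
    """
    argv = []
    for classid, c in sorted(stats.items()):
        rrd = f"{rrd_dir}/{dev}_{classid.replace(':', '-')}.rrd"
        argv.append(["rrdtool", "update", rrd, f"N:{c['bytes']}:{c['packets']}:{c['dropped']}"])
    return argv


def collect(dev: str) -> Dict[str, Dict[str, int]]:
    """Run tc for a real interface and parse its output."""
    out = subprocess.run(
        ["tc", "-s", "class", "show", "dev", dev], check=True, capture_output=True, text=True
    ).stdout
    return parse_tc_class_stats(out)


if __name__ == "__main__":
    for args in rrd_update_args("eth0", parse_tc_class_stats(SAMPLE_TC_OUTPUT)):
        print(" ".join(args))
```

Each RRD has to exist beforehand with three data sources in that order (bytes, packets, dropped); run `collect()` plus the update from cron at the RRD's step interval. Reading the kernel counters directly avoids any dependence on the exact column layout of `tc` beyond the `Sent ... bytes ... pkt (...)` line, which is the one line that has been stable across iproute2 versions.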


Re: [LARTC] OpenVPN routing

2007-09-10 Thread Alex Samad
On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
 Hi!

 I'm trying to create a routed VPN using OpenVPN - and having trouble with 
 the routing concepts involved.  Let me see if I can properly describe my 
 current topology:

 Server -
 LAN, with both local workstations and remote bridged workstations on the
192.168.0.0/24 network (this works without reservation).
Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few 
 others.
 Routed VPN, 172.27.0.0/16 network.  Server is located at 172.27.0.1.
Server can talk to clients, and clients can talk to server.

 My 1st goal is to allow selected server-side LAN workstations to reach the 
 routed VPN workstations.  The LAN should be invisible to the routed VPN.

 My 2nd goal is to allow selected server-side LAN workstations to reach 
 networks served by routed VPN workstations as gateways [this involves 
 OpenVPN more, I believe].  The LAN should still be invisible to the routed 
 VPN.

 My server routing table is:
 172.27.0.2 dev tun0  proto kernel  scope link  src 172.27.0.1
 192.168.20.0/24 dev vmnet8  proto kernel  scope link  src 192.168.20.1
 10.4.1.0/24 via 172.27.0.2 dev tun0
 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.71
 192.168.0.0/24 dev br1  proto kernel  scope link  src 192.168.0.72
 192.168.30.0/24 dev vmnet1  proto kernel  scope link  src 192.168.30.1
 172.27.0.0/16 via 172.27.0.2 dev tun0
 default via 192.168.0.1 dev eth0

I think you need to use a tap device (I currently have a similar setup, but I 
do not hide the LAN - in fact I use openvpn to do site to site WAN)

By hide the LAN you mean you don't want the openvpn clients to see the 192.168 
addresses? If that is the case this is more an iptables question; you will need to 
nat the lan network going out, and if you want inbound traffic you will need to 
set up natting on the way back in as well - static though.

why do you want to hide the network?

unless your server is the default gateway for the network you will have to do 1 
of 2 things: either set up routing on each client or update the default gateway 
on how to route the packet (ie via the server). 

Why do the clients (openvpn clients) not respond to pings? I would guess again 
the usual routing problem; can you run tcpdump on these machines?


 IP forwarding is enabled on all interfaces, and iptables (by way of 
 firehol) has rules to allow all forwarding between all interfaces.

 If I create a 172.27.0.0/16 route on a LAN workstation, I can ping the 
 server at 172.27.0.1.  But I cannot reach any VPN workstation.  At one 
 time, by playing with some NAT rules, I was able to - but it didn't seem 
 right.

 What am I missing?

 Daniel





Re: [LARTC] OpenVPN routing

2007-09-10 Thread Alex Samad
On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote:
 Alex Samad wrote:
 On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
   
 Hi!

 I'm trying to create a routed VPN using OpenVPN - and having trouble with 
 the routing concepts involved.  Let me see if I can properly describe my 
 current topology:

 Server -
 LAN, with both local workstations and remote bridged workstations on the
192.168.0.0/24 network (this works without reservation).
Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few 
 others.
 Routed VPN, 172.27.0.0/16 network.  Server is located at 172.27.0.1.
Server can talk to clients, and clients can talk to server.

 My 1st goal is to allow selected server-side LAN workstations to reach 
 the routed VPN workstations.  The LAN should be invisible to the routed 
 VPN.

 My 2nd goal is to allow selected server-side LAN workstations to reach 
 networks served by routed VPN workstations as gateways [this involves 
 OpenVPN more, I believe].  The LAN should still be invisible to the 
 routed VPN.

 My server routing table is:
 172.27.0.2 dev tun0  proto kernel  scope link  src 172.27.0.1
 192.168.20.0/24 dev vmnet8  proto kernel  scope link  src 192.168.20.1
 10.4.1.0/24 via 172.27.0.2 dev tun0
 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.71
 192.168.0.0/24 dev br1  proto kernel  scope link  src 192.168.0.72
 192.168.30.0/24 dev vmnet1  proto kernel  scope link  src 192.168.30.1
 172.27.0.0/16 via 172.27.0.2 dev tun0
 default via 192.168.0.1 dev eth0
 

 I think you need to use a tap device (I currently have a similar setup, 
 but I do not hide the LAN - in fact I use openvpn to do site to site WAN)

 By hide the LAN you mean you don't want the openvpn clients to see the 192.168 
 addresses? If that is the case this is more an iptables question; you will 
 need to nat the lan network going out, and if you want inbound traffic you 
 will need to set up natting on the way back in as well - static though.
   
 So do I need a source NAT directing all traffic intended for 172.27.0.0/16 
 from 192.168.0.0/24 to come from 172.27.0.1?
 why do you want to hide the network - ?
   
 The VPN is to provide me a secure static connection to customer's sites.  
 However, those customers should be able to see neither each other, nor 
 reach our internal LAN - unless the connection is initiated from our side.
Okay then you just want outbound; pretend the customer's site is the internet. 
SNAT should do it (and a firewall just to be safe). You should only need one on 
the client's openvpn side, but because that is not in your direct control 
(physically), I would probably suggest snat'ting again on your openvpn server 
or the firewall rules



So 

At your site

* Set routing: either fix up the default route or add routing to each client 
 machine (the former being the easier of the 2)
* Set up a firewall
* set up SNAT or push a route through to the client 'push route 192.168.8.0 
 255.255.252.0' - done in the openvpn server config (the latter is probably the 
better - stay away from the double natting )


on the customer site
* Set up SNAT to hide everything coming from your site behind the local lan address
* set up a firewall 


So all traffic coming from your site will end up on the customer site with a 
local lan address.

There is no routing back into your lan, because of a) routing b) firewall on 
the customer site c) firewall on the server.

a & b are easy to get around because they are at the customer site. C is where 
your protection is.

Alex




 -- 
 Daniel





Re: [LARTC] OpenVPN routing

2007-09-10 Thread Alex Samad
On Mon, Sep 10, 2007 at 03:48:13PM -0700, Daniel L. Miller wrote:
 Alex Samad wrote:
 On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote:
   
 Alex Samad wrote:
 
 On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
 
 Hi!

 I'm trying to create a routed VPN using OpenVPN - and having trouble 
 with the routing concepts involved.  Let me see if I can properly 
 describe my current topology:

 Server -
 LAN, with both local workstations and remote bridged workstations on 
 the
192.168.0.0/24 network (this works without reservation).
Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few 
 others.
 Routed VPN, 172.27.0.0/16 network.  Server is located at 172.27.0.1.
Server can talk to clients, and clients can talk to server.

 My 1st goal is to allow selected server-side LAN workstations to reach 
 the routed VPN workstations.  The LAN should be invisible to the routed 
 VPN.

 My 2nd goal is to allow selected server-side LAN workstations to reach 
 networks served by routed VPN workstations as gateways [this involves 
 OpenVPN more, I believe].  The LAN should still be invisible to the 
 routed VPN.
 
 I think you need to use a tap device (I currently have a similar setup, 
 but I do not hide the LAN - in fact I use openvpn to do site to site WAN)

 By hide the LAN you mean you don't want the openvpn clients to see the 192.168 
 addresses? If that is the case this is more an iptables question; you will 
 need to nat the lan network going out, and if you want inbound traffic you 
 will need to set up natting on the way back in as well - static though.
   
 So do I need a source NAT directing all traffic intended for 
 172.27.0.0/16 from 192.168.0.0/24 to come from 172.27.0.1?
 
 Okay then you just want outbound; pretend the customer's site is the 
 internet. SNAT should do it (and a firewall just to be safe). You should 
 only need one on the client's openvpn side, but because that is not in 
 your direct control (physically), I would probably suggest snat'ting 
 again on your openvpn server or the firewall rules
   
 I've put in a snat on the server side - seems to be working fine.
 So 
 At your site

 * Set routing: either fix up the default route or add routing to each 
 client machine (the former being the easier of the 2)
 * Set up a firewall
 * set up SNAT or push a route through to the client 'push route 
 192.168.8.0 255.255.252.0' - done in the openvpn server config (the 
 latter is probably the better - stay away from the double natting )


 on the customer site
 * Set up SNAT to hide everything coming from your site behind the local lan 
 address
 * set up a firewall 

 So all traffic coming from your site will end up on the customer site with 
 a local lan address.

 There is no routing back into your lan, because of a) routing b) firewall 
 on the customer site c) firewall on the server.

 a & b are easy to get around because they are at the customer site. C is 
 where your protection is.
   
 Customer's site not under my control - and running Windows so my linux 
 options are rather limited g.  So I need to do everything within the 
 server and OpenVPN.  I CAN push a route to the client - but I still don't 
 see why I need to share my LAN information with the clients at all - I just 
 need the OpenVPN client to be a gateway for the VPN and forward VPN traffic 
 from the remote network.
if you are using snat you shouldn't.

if you have set up an ip network for the vpn, ie if your server ip address is not 
in the network for the customer, you will need snat'ing there, else the client 
machine will not know how to get back.





 -- 
 Daniel





Re: [LARTC] 2 ISP connection sharing problem

2007-09-02 Thread Alex Samad
On Sun, Sep 02, 2007 at 03:25:11PM +0500, Arman wrote:
 Thats fine but primary problem is that only one connection is used at a time
 but I want to utilize both at the same time. Please guide
 
 
 -- Forwarded message --
 From: Jorge Evangelista [EMAIL PROTECTED]
 To: lartc@mailman.ds9a.nl
 Date: Sat, 1 Sep 2007 18:33:35 -0500
 Subject: Re: [LARTC] 2 ISP connection sharing problem
 Hi,
 
 You should change your last rule for some as it:
 
 ip route add equalize default nexthop via 192.168.1.1 dev eth0 nexthop via 201.81.219.1 dev eth2
 
 It works fine for load balancing, but when a failure occurs on one
 line, what happens? if one line is down the change is too slow, and
 the cache for the route is still there and when I want this host again
 the old route is through the down line.
 
 I have a script which runs via ping and cron; when the next hop is down,
 the linux box will change to use one line.

i have something similar, but my problem is conntrack/natting. once a stream 
is up and running, conntrack remembers which external ip and tries to route out 
that one until the connection is closed - which it will not be until it gets 
an rst/finish.  This can take a while to settle down - wait for all the timers 
to run out...

 
 
 
 
 
 
 On 9/1/07, Arman [EMAIL PROTECTED] wrote:
  Hi all,
 
  I have a similar question like many asked before, I know, but please
  help as I can't figure out where the problem is and how I should tackle it.
 
  I have 2 ISP connections. I want to share the bandwidth from both. I have
  copied the script from many places and created my own after changes. Problem
  is that only one connection is utilized at a time. Not both working. The ratio
  of consumed bandwidth between them is around 1:30.
 
  both connections are from dhcp that is dynamic. configuration from 1 ISP
  remains same and from 1 changes.
 
  EXTERNAL_IP_2=201.81.219.95
  EXTERNAL_NETWORK_2=201.81.219.0
  EXTERNAL_GATEWAY_IP_2=201.81.219.1

  echo 200 T1 >> /etc/iproute2/rt_tables
  echo 201 T2 >> /etc/iproute2/rt_tables

  ip route add 192.168.1.0 dev eth1 src 192.168.1.2 table T1
  ip route add default via 192.168.1.1 table T1
  ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2 table T2
  ip route add default via $EXTERNAL_GATEWAY_IP_2 table T2

  ip route add 192.168.3.0 dev eth0 table T1
  ip route add 192.168.1.0 dev eth1 table T1
  ip route add 127.0.0.0/8 dev lo table T1
  ip route add 192.168.3.0 dev eth0 table T2
  ip route add $EXTERNAL_NETWORK_2 dev eth2 table T2
  ip route add 127.0.0.0/8 dev lo table T2

  ip route add 192.168.1.0 dev eth1 src 192.168.1.2
  ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2

  ip route add default via $EXTERNAL_GATEWAY_IP_2

  ip rule add from 192.168.1.2 table T1
  ip rule add from $EXTERNAL_IP_2 table T2

  ip route add default scope global nexthop via 192.168.1.1 dev eth1 weight 1 nexthop via $EXTERNAL_GATEWAY_IP_2 dev eth2 weight 2
 
 
  route command output is
 
  Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
  192.168.1.0     *               255.255.255.255  UH    0      0        0 eth1
  192.168.3.0     *               255.255.255.0    U     0      0        0 eth0
  192.168.1.0     *               255.255.255.0    U     0      0        0 eth1
  201.81.219.0    *               255.255.255.0    U     0      0        0 eth2
  default         201.81.219.1    0.0.0.0          UG    0      0        0 eth2
 
  Problem is that the interface which is set gateway is used only. The other
  one remains idle.
 
  --
  Regards,
  Arman
 






Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Alex Samad
On Thu, Jun 21, 2007 at 05:35:13PM +0200, Peter Rabbitson wrote:
 Grant Taylor wrote:
 
 I need a way for the Linux kernel to try to use a default gateway and 
 switch to another one if it does not see any traffic.

should something like this work 

default  proto static  metric 5
        nexthop via 58.173.108.1  dev vlan2 weight 10
        nexthop via 10.20.20.106  dev ppp0 weight 20

and then let the dgd detect dead gateways and drop the relevant route about.

 
 I don't know about any working in-kernel solutions, but you can do it 
 trivially with netfilter and a cronjob:
 
 * In netfilter do this:
   -t mangle -N ispA
   -t mangle -A ispA -j RETURN
   -t mangle -N ispB
   -t mangle -A ispB -j RETURN
   -t mangle -A PREROUTING -i $ifA -s ! a.a.a.a/aa -j ispA
   -t mangle -A PREROUTING -i $ifB -s ! b.b.b.b/bb -j ispB
 
 where a.a.a.a and b.b.b.b are subnets describing your first 1 - 2 hops, 
 so traffic from your upstream router will not count.
 
 * Then make a cron job that run this every minute:
   iptables -t mangle -vnxZL isp[AB]
 and will look for the first number on the third line. If it is not 0 - 
 the link is alive, otherwise change the routing tables accordingly.
 
 Of course you can have up to 1 minute of downtime, but it does not look 
 so bad IMO.
 
 HTH
 
 Peter




Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Alex Samad
On Thu, Jun 21, 2007 at 04:24:19PM -0500, Grant Taylor wrote:
 On 06/21/07 16:01, Alex Samad wrote:
 should something like this work
 
 default  proto static  metric 5
  nexthop via 58.173.108.1  dev vlan2 weight 10
  nexthop via 10.20.20.106  dev ppp0 weight 20
 
 and then let the dgd detect dead gateways and drop the relevant route
 about.
 
 Doesn't this use Equal Cost Multi Path (ECMP) routing?
sorry, yep, just woken up, reading and answering whilst eating breakfast

okay then why not

default via preferred path
default via backup path metric 100


 
 If so, how does this take in to account that I do not want any of the 
 traffic to run over the backup connection unless the primary is down?
 
 It is my understanding that the weights of an ECMP route are for a 
 fraction of the traffic.  I.e. 10/30 and 20/30 of the traffic will use 
 each of the routes.
 
 (Note:  I state 10/30 and 20/30 because the man page indicates that 
 10/30 does not equal 1/3.  Namely because the kernel creates an in 
 memory route for each weight for each route.  Thus if you use a weight 
 of 10, there will be 10 routes in memory.)
 
 
 
 Grant. . . .




Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Alex Samad
On Thu, Jun 21, 2007 at 05:23:23PM -0500, Grant Taylor wrote:
 On 06/21/07 17:18, Alex Samad wrote:
 sorry yep, just woken up, reading and answering whilst eating breakfast
 
 *nod*
 
 okay then why not
 
 default via preferred path
 default via backup path metric 100
 
 I've done that with a metric of 0/1, and 1/2.  The problem that I'm 
 seeing is that the system will never try to use the second metric.  It's 
 as if the system will never go to a next higher metric if it does not 
 receive an error while trying to use a lower metric.
Strange, I am running openwrt on a linksys wrt54gs with 1 cable and 1 adsl. I 
load balance (also have Julian's patches applied - it's 2.4.30); when the routing 
notices the link is dead (so if I do an ip li), it marks the routes as dead 
and stops using them; once the interface is brought down the routes disappear.


I haven't followed the dgd threads, but I seem to remember it having some 
problem with upstream detection.

You talked about getting OSPF routing for this; is this from the ISP's inbound 
as well as outbound? Wouldn't OSPF handle link state as well? (it's been a while 
since I looked at OSPF)


 
 
 
 Grant. . . .


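A monitor in Python, added here as an example and not code from this thread: it does what the cron job quoted earlier in the thread describes, reading the per-ISP packet counters from `iptables -t mangle -vnxZL isp[AB]` and moving the default route to the link that still carries traffic. It also covers the metric discussion above: the kernel does not probe gateways, so a `default ... metric 100` route is never consulted until the lower-metric one is gone, and it is this monitor's job to replace (or withdraw) the dead route. The two gateways are the ones from the nexthop route in this thread (which one is primary is an assumption), the chain names `ispA`/`ispB` come from the quoted rules, and the two iptables listings below are constructed samples. It reads all rule lines of the chain rather than only "the first number on the third line", so it also works with several rules per chain.

```python
import subprocess
from typing import List

# Constructed samples of `iptables -t mangle -vnxL ispA` / `ispB`; not real captures.
# The real run adds -Z, so each invocation sees only the last interval's packets.
SAMPLE_ALIVE = """\
Chain ispA (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     842    613200 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SAMPLE_DEAD = """\
Chain ispB (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0         0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Gateways from the nexthop example in this thread; which one is primary is assumed.
PRIMARY = ("58.173.108.1", "vlan2")
BACKUP = ("10.20.20.106", "ppp0")


def packets_seen(listing: str) -> int:
    """Sum the pkts column over every rule line of one chain listing.

    Lines 1 and 2 are the "Chain ..." header and the column header; any
    trailing "Zeroing chain" message printed by -Z is skipped because its
    first field is not a number.
    """
    total = 0
    for line in listing.splitlines()[2:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            total += int(fields[0])
    return total


def link_alive(listing: str) -> bool:
    """A link counts as alive when it received anything in the last interval."""
    return packets_seen(listing) > 0


def failover_commands(primary_alive: bool, backup_alive: bool) -> List[str]:
    """Commands that make the default route follow the link carrying traffic."""
    if primary_alive:
        gw, dev = PRIMARY
    elif backup_alive:
        gw, dev = BACKUP
    else:
        return []  # both quiet: leave the table alone rather than flap
    return [f"ip route replace default via {gw} dev {dev}"]


def read_chain(chain: str) -> str:
    """List and zero the counters of one mangle chain (needs root)."""
    return subprocess.run(
        ["iptables", "-t", "mangle", "-vnxZL", chain],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    cmds = failover_commands(link_alive(read_chain("ispA")), link_alive(read_chain("ispB")))
    for cmd in cmds:
        subprocess.run(cmd.split(), check=True)
```

Run it from cron once a minute, as the quoted recipe does. Two limits to keep in mind: a link that is up but idle for a whole interval looks dead to a counter-only check, so a ping to a known upstream host is a sensible second signal before failing over; and replacing the default route does not touch existing NAT sessions, which conntrack keeps pinned to the old external address until they close or time out, as noted in the 2 ISP thread above.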


Re: [LARTC] Linux bridging and cascaded switches

2007-06-19 Thread Alex Samad
On Tue, Jun 19, 2007 at 05:54:46PM -0500, Greg Scott wrote:
 Hi -
  
 Still plugging away at my Linux bridge/firewall and thinking through the
 consequences.  In a normal firewall situation, the Internet is on one
 side, the internal LAN on the other. Duh!  But now, with a Linux bridge
 in the middle, the whole thing becomes one big messy LAN.  So we have a
 scenario that looks like this:
 
 Internal---User---Core-Firewall---Internet---Internet router
 Servers   switch  switch  (Bridged)switch   (and default GW for
  internal servers)
 
out of curiosity, why would you want to bridge at the firewall?  is this meant 
to be a drop-in, in-line firewall appliance?



 The scenario is a little more complex than I drew above because the
 internal side has more than one LAN segment participating in the bridge.
 I'm working on a way to simulate all this here - before going into
 production - but I have a big question;
 
 That firewall/bridge is no longer a router - it's a bridge.  Well, a
 bridge that also does a bunch of stateful IP layer 3 filtering.  So now,
 it will participate in a spanning tree setup with all those switches, on
 both sides of it - right?  I'm guessing I want to turn off STP in this
 case.  Am I on the right track?

if there is only 1 way to connect from the corporate (private LAN) to the 
public (internet) then I don't think you will need STP - it was meant to stop 
loops in ethernet segments.

If you have multiple paths you might still need it


 
 Thanks
 
 - Greg Scott




Re: [LARTC] Linux bridging and cascaded switches

2007-06-19 Thread Alex Samad
On Tue, Jun 19, 2007 at 06:35:46PM -0500, Greg Scott wrote:
  out of curiosity why would you want to bridge at the firewall.  is
 this meant to be a drop in-line firewall appliance
 
 Long story but yes, it is essentially a drop in-line system.  It's a
 mess.  
 
 So will that Internet router really see 4 switches - a switch, a
 bridge, and 2 switches - between it and the internal servers?  I don't
 remember all my LAN rules but that feels way too deep to me.  
I think that was the old 5-4-3 or was it 4-3-2 ... I think that was more in the 
days of repeaters and broadcast hubs.  Modern-day switches, I believe, allow for a 
lot more.

 
 - Greg
 




Re: [LARTC] Re: multiple routing tables for internal router programs

2007-06-13 Thread Alex Samad
On Thu, Jun 14, 2007 at 11:50:30AM +0800, Salim S I wrote:
 I solved it, though a bit ugly.
 
 Have two more rules now in ip ru
 
 32150:  from all lookup main
 32201:  from all fwmark 0x200/0x200 lookup wan1_route
 32202:  from all fwmark 0x400/0x400 lookup wan2_route
 32203:  from 10.20.0.137 lookup wan1_route
 32204:  from 10.2.3.107 lookup wan2_route
 32205:  from all lookup catch_all
 32766:  from all lookup main
 
 I did not like to include the WAN IP anywhere, because it may be dynamic, but
 well, seems like no choice.
I ran into the same problem. I capture the link information at ip-up time for 
ppp/pppoe and at dhcp time for the cable modem, then I fire off a script that pulls 
down all the ip ru & ip ro entries and rebuilds them from scratch (as well as the 
specialised iptables rules). This should only happen when I lose a 
connection, so it should be okay.


 
 And then two rules in OUTPUT chain
 iptables -t mangle -A OUTPUT -o eth2 -j LB1
 iptables -t mangle -A OUTPUT -o eth3 -j LB2
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Salim S I
 Sent: Wednesday, June 13, 2007 12:08 PM
 To: 'Peter Rabbitson'
 Cc: lartc@mailman.ds9a.nl
 Subject: RE: [LARTC] Re: multiple routing tables for internal router
 programs
 
 My configuration 
 
 [EMAIL PROTECTED]:~# ip ru
 0:  from all lookup local
 32150:  from all lookup main
 32201:  from all fwmark 0x200/0x200 lookup wan1_route
 32202:  from all fwmark 0x400/0x400 lookup wan2_route
 32203:  from all lookup catch_all
 32766:  from all lookup main
 32767:  from all lookup default
 
 [EMAIL PROTECTED]:~# ip ro li ta main
 192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.254
 10.20.0.0/24 dev eth2  proto kernel  scope link  src 10.20.0.137
 192.168.1.0/24 dev eth10  proto kernel  scope link  src 192.168.1.254
 10.2.3.0/24 dev eth3  proto kernel  scope link  src 10.2.3.107
 127.0.0.0/8 dev lo  scope link
 
 [EMAIL PROTECTED]:~# ip ro li ta wan1_route
 default via 10.20.0.1 dev eth2  proto static
 [EMAIL PROTECTED]:~# ip ro li ta wan2_route
 default via 10.2.3.254 dev eth3  proto static
 
 [EMAIL PROTECTED]:~# ip ro li ta catch_all
 default  proto static
 nexthop via 10.20.0.1  dev eth2 weight 1
 nexthop via 10.2.3.254  dev eth3 weight 1
 
 The catch_all table comes into play only for local packets. All
 forwarded packets are marked in mangle PREROUTING, with 0x200 or 0x400.
 
 If not the load-balancing ping script, there may be other apps using domain
 names instead of IP addresses; they might still fail, right?
 
 The problem happens when one of the links goes down (not the nexthop, but
 after that). Then the kernel will pick an interface and the wrong src IP for
 local packets.
 
 
 -Original Message-
 From: Peter Rabbitson [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, June 12, 2007 7:24 PM
 To: Salim S I
 Cc: lartc@mailman.ds9a.nl
 Subject: Re: [LARTC] Re: multiple routing tables for internal router
 programs
 
 Salim S I wrote:
  Thanks! I get it now.
  But why is the src address for the interface wrong? 
  In my case eth2 has a.b.c.d and eth3 has p.q.r.s.
  
  DNS queries going through eth2 have p.q.r.s as src address and those
  going through eth3 have a.b.c.d. Something wrong with routing?
 
 Possible. Post full configuration and someone might be able to help.
 
  I was wondering how the ping script (to check the link status) of
  others works if a domain name is used.
 
 Don't know about others, and I personally use ip addresses :)
 
 
 
 
 




[LARTC] julian's patches and custom routing

2007-05-05 Thread Alex Girchenko

I'm using a 2.6.20-15-ubuntu (shipped with feisty) kernel with
Julian's patches applied and it's my 3rd day with tc, ip, ifconfig and
the rest ;).
Got 2 ADSL uplinks. What I need is an ability to manually configure
uplink usage, so nothing like bonding by default. Failover is meant to
be provided via a shell script at the next step.  Here is my config:
==
# no need for default route for now
ip rule add prio 50 table main
ip route del default table main

# table and default route for gt
ip rule add prio 201 from 101.64.106.28/30 table gt
ip route add default via 101.64.105.29 dev eth2 src 101.64.105.30 proto static table gt
ip route append prohibit default table gt metric 1 proto static

# table and default route for ut
ip rule add prio 202 from 192.168.1.0/30 table ut
ip route add default via 192.168.1.1 dev eth3 src 192.168.1.2 proto static table ut
ip route append prohibit default table ut metric 1 proto static

# no interface specified
ip rule add prio 222 table 222
ip route add default table 222 proto static nexthop via 192.168.1.1 dev eth3 nexthop via 101.64.105.29 dev eth2
==

The prob is that in case I set
iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to 192.168.1.2,
client machines can access inet w/o probs, while
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 101.64.105.30
would lead to a non-functional connection.

Could anyone please give a hint on what I am doing so wrong?

TIA.


Re: [LARTC] DNAT and Load Balancing

2007-03-02 Thread Alex Samad
On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
 On 3/2/07, Tom Lobato [EMAIL PROTECTED] wrote:
 
 
 Hi all!
 
 
 After that good thread DGD patch not detecting dead gateway I was
 able to set up a Load Balancing with ping based DGD (without Julian
 Anastasov patch). But now I'm facing a new problem and tried some
 options, with only partial solutions.
 
 I made a script based on
 http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
 you Manish Kathuria), without Julian A. patch, and with routes/rules as
 described in nano.txt. It works fine, but...
 
 The problem: I do DNAT for internet-located people to access my LAN
 machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't.
 It appears that the connection from outside can enter, but when reply
 packets try to get back across the nat machine, it falls into the round
 robin default route selection to define its gateway. Well, of course,
 this reply must leave the router via the same interface the initial
 packets entered.
 
 
 vnc initial
 request packet                 reply that got
       \                        wrong route
        \                           ^
         \                         /
          V                       /
         isp1       isp2       isp3
   _______|__________|__________|_______
   |                                   |
   |               dnat                |
   |___________________________________|
                     ^
                     |
                     |
                     V
             LAN station, the
                vnc server
 
 
 
 What I need is a way to force packets to leave the router via the same
 interface their request entered on.
 I'd like to hear opinions about the problem (and also solution =).
 Remember, I can't apply the DGD patch from J.A. because it only checks
 the first hop for dead detection.
 I will appreciate any help.
 
 Thank you,
 
 
 
 Tom Lobato
 
 
 
 
 I had overlooked this. I had also faced a similar problem.  There are
 two possible solutions, one is to apply Julian's patches because even

This sounds exactly like my problem, until I applied Julian's patch; I would
suggest giving it a try.

 though you are not using the patches for DGD, they do help in making
 NAT processing with multiple gateways work properly. The other option
 is to mark the packets using CONNTRACK. There was a good discussion on
 this topic some days back. You can check the thread using the
 following links to the archives:
 
 http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
 http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
 
 -- 
 Manish Kathuria
 Tux Technologies
 http://www.tuxtechnologies.co.in/
 




Re: [LARTC] DNAT and Load Balancing

2007-03-02 Thread Alex Samad
On Fri, Mar 02, 2007 at 07:34:34PM +0100, francesco messineo wrote:
 I solved this exact problem (with incoming connections on three
 different adsl) marking packets on the PREROUTING chain. Obviously with
 three different routing tables.
 
 # incoming connections for DNAT to DMZ need to be marked here in PREROUTING
 iptables -t mangle -N mymark
 iptables -t mangle -F mymark
 # first of all RETURN for local interfaces
 iptables -t mangle -A mymark -i $E0_IF -j RETURN
 iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
 iptables -t mangle -A mymark -i $VPN_IF -j RETURN
 # then mark and save incoming connections from the external universe
 iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
 iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
 iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
 iptables -t mangle -A mymark -j CONNMARK --save-mark
 
 #restore mark before ROUTING decision
 iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
 
 # non marked incoming connections need to be marked (DNAT to DMZ only)
 iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark
 

Hi

I know there was a thread on this method earlier, but has somebody put up a
howto or a wiki page on it?

alex




Re: [LARTC] Multiple uplinks, ssh connections hang

2007-02-27 Thread Alex Samad
On Tue, Feb 27, 2007 at 08:12:17AM +0700, Denny Zulfikar wrote:
 Hello Korey,
 
 I don't think your configuration will work well, because there're
 balancing using weight connection. So, if you have
 connection-oriented-application that must sure passing their traffic
 only from one connection (such as ssh and https-please try to test
 open and login to hotmail.com), it will fail when the default routing
 switch from one gateway to another (round robin).
 
 Don't use this config for connection-oriented applications. It's a round
 robin rule that will switch from one gateway to another without
 notice/knowing about the traffic type.
 ip route add default scope global nexthop via 192.168.200.1 dev eth2
 weight 1 nexthop via x.175.244.1 dev eth1 weight 1

I have been using

default  proto static  metric 5
nexthop via 138.130.8.1  dev vlan2 weight 1
nexthop via 10.20.20.243  dev ppp0 weight 20

for over 4 years and it has worked fine for me, for ssh and other
connection-oriented applications.
The key thing is to have conntrack (or its new incarnation) loaded.

The default rule is only used when you don't have a source address or route
cache entry. When you ssh through the machine, the SYN packet uses the default
route, but it also sets up an entry in conntrack; all other packets will have a
source and dest address. These will match up with the ip rule statements.

If you followed your link on to Julian's pages (http://www.ssi.bg/~ja/nano.txt),
there is a howto on this!

 
 please refer to this documentation on how to develop a multiple internet
 connection gateway.
 http://linux-ip.net/html/adv-multi-internet.html
 
 Best Regards,
 Denny Z
 
 
 On 2/27/07, Korey O'Dell [EMAIL PROTECTED] wrote:
 Folks,
 I've got two ISP connections that I am using with:
 ---
 ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
 ip route add default via 192.168.200.1 table connection1
 
 ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
 ip route add default via x.175.244.1 table connection2
 
 ip rule add from 192.168.200.11 table connection1
 ip rule add from x.175.244.2 table connection2
 
 echo Enabling load balancing between ISP connections...
 ip route add default scope global nexthop via 192.168.200.1 dev eth2
 weight 1 nexthop via x.175.244.1 dev eth1 weight 1
 
 iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
 iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
 
 




Re: [LARTC] Split access, load balancing AND forwarding: HOW?

2007-02-23 Thread Alex Samad
On Fri, Feb 23, 2007 at 03:23:42PM +0800, Ming-Ching Tiew wrote:
 From: Luciano Ruete [EMAIL PROTECTED]
  
  This solution works in theory and in practice, so plz, get your hands dirty 
  before you post your next great idea.
  
 
 I understand your explanation fully but believe me I also have got 
 hands-on experience with using the alternative, ie
 
 1. I don't use multipath weight routing. 
 2. I use PREROUTING all the way, ie I don't use POSTROUTING.
 
 Instead, I use iptables  'recent' and 'statistics'/'random' match to achieve
 load sharing.

Hi

Sorry, I missed the previous bits of the thread; could you post the relevant info?
Interested to see how this works and why you would pick it over the multipath
method.


 
 I have used this for many years already, believe me I am not theoretical.
 It's just a matter of different ways of doing things. If you search the web
 you will come upon many others using the same method I used.
 
 Cheers
 
 
 




Re: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.

2007-02-14 Thread Alex Samad
On Wed, Feb 14, 2007 at 08:30:48AM +0100, Paul Viney wrote:
   I still seem to have much the same problem. I no longer get ICMP
   unreachable errors, but the packet just seems to disappear - I can't see
   it being forwarded on any interface, nor can I find any kind of reply -
   icmp or otherwise.
 
  sounds like a firewall issue!
 
 It does sound like a firewall issue, but the only firewall rule I have at the 
 moment is the one doing the DNAT. If I do 'iptables -t nat -L -v', then I can 
 see the number of packets increasing. Once I remove the firewall rule, I get 
 my icmp unreachable errors again. Funnily enough, if I then reinstate the 
 firewall (dnat) rule, then I still get icmp unreachable errors and the 
 packet count doesn't go up for the rule. It's almost as though the rule 
 doesn't get consulted. 'ip route flush cache' doesn't make a difference. 
 After about 5 minutes the icmp unreachable errors stop and the packet count 
 starts going up, although I still can't find my packet on the next hop. (I do 
 have forwarding switched on). The packet count on a iptables log rule on the 
 forward table does not go up, giving me the impression that routing has 
 failed. 

This could be connection tracking: once you start a ping, connection tracking
will keep it in its cache, so even though you have placed it (the rule) back in,
it doesn't count for the established link...

 I also tried ip r get <random internet address> from 192.168.12.5, which did 
 indeed give me the same RTNETLINK answers: Invalid argument error. I guess 
 that means that my understanding of the purpose of 'ip r get' is indeed 
 faulty. 

Does 192.168.12.5 exist on your box? Can you do an ip a?
Also, do you have forwarding on?

 
 Thanks for all your help so far.
 
 Paul Viney
 
 




Re: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.

2007-02-13 Thread Alex Samad
On Tue, Feb 13, 2007 at 02:50:13PM +0100, Paul Viney wrote:
 Hi all,
 
 I'm trying to set up a computer with 2 routes to the internet, much as 
 described at http://lartc.org/howto/lartc.rpdb.multiple-links.html .One of my 
 interfaces (eth5, 192.168.2.2) is only used for traffic originating inside 
 the network. The other (eth1, 192.168.1.2) is only used for a VPN, where all 
 (udp) traffic originates from outside our network. I have created a second 
 routing table for eth1, with its own default gateway, and selected it with
 ip rule from 192.168.1.2 iif lo lookup 4. All this works fine.
 My problem is that one of the udp ports is forwarded to another server using 
 iptables:
 /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport 
 4902 -j DNAT --to 192.168.12.5:4902
 
 using tcpdump on eth1, I can see that the incoming packets receive an icmp 
 rejection, and when I try something like
 
 ip route get 192.168.12.5 from 64.233.183.103 iif eth1
 I get RTNETLINK answers: Invalid argument
 
 If I try 
 ip route get 192.168.12.5 from 64.233.183.103 iif eth5
 I get
 192.168.12.5 from 64.233.183.103 dev eth3  src 192.168.2.2
 cache  mtu 1500 advmss 1460 metric 10 64 iif eth5
 
 which leads me to conclude that the difference has something to do with the 
 default route.
 I've tried things like
 ip rule add iif eth1 lookup 4   (4 being my custom routing table)
 ip rule add from 192.168.1.2 lookup 4
 
 and even
 iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
 ip rule from all fwmark 0x1 lookup 4
 ip route flush cache
 
 I'm using linux 2.6.19.2 + grsecurity patches, every option I could find 
 compiled in, on an up to date gentoo system.
 
 Can anyone see what I'm missing?
 
 Thanks,
 
 Paul Viney
 
 
 ip route show
 192.168.2.0/24 dev eth5  proto kernel  scope link  src 192.168.2.2
 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
 192.168.12.0/24 dev eth3  proto kernel  scope link  src 192.168.12.1
 127.0.0.0/8 dev lo  scope link
 default via 192.168.2.1 dev eth5
 
 ip route show table 4
 192.168.2.0/24 dev eth5  proto kernel  scope link  src 192.168.2.2
 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
 192.168.12.0/24 dev eth3  proto kernel  scope link  src 192.168.12.1
 127.0.0.0/8 dev lo  scope link
 default via 192.168.1.1 dev eth1
 
 ip rule show
 0:  from all lookup local
 :   from all fwmark 0x1 lookup 4
 1:  from 192.168.1.2 iif lo lookup 4

If the ip address on eth1 is 64.233.183.103, then you need a rule
10001:  from 64.233.183.103 lookup 4

I don't think the fwmark rule will work with ip route get.

Plus, in your routing information in table 4 you are saying that the default
is available via 192.168.1.1; that doesn't match up with
64.233.183.103.



this is my ip ru
0:  from all lookup local 
200:from 144.132.147.156 lookup cable 
201:from 60.241.248.86 lookup adsl 
32766:  from all lookup main 
32767:  from all lookup default


144.132.147.156 is one isp, 60.241.248.86 is the other one

ip r sh tab cable
192.168.8.248/29 dev tap0  scope link  src 192.168.8.249 
192.168.11.0/24 dev vlan0  scope link  src 192.168.11.1 
192.168.10.0/24 dev eth1  scope link  src 192.168.10.1 
default via 144.132.144.1 dev vlan2  proto static  src 144.132.147.156  metric 50
prohibit default  proto static  metric 100


ip r sh tab adsl 
192.168.8.248/29 dev tap0  scope link  src 192.168.8.249 
192.168.11.0/24 dev vlan0  scope link  src 192.168.11.1 
192.168.10.0/24 dev eth1  scope link  src 192.168.10.1 
default via 10.20.20.168 dev ppp0  proto static  src 60.241.248.86  metric 20 
prohibit default  proto static  metric 100

ip r sh tab default
default  proto static  metric 5 
nexthop via 144.132.144.1  dev vlan2 weight 1
nexthop via 10.20.20.168  dev ppp0 weight 20
default via 10.20.20.168 dev ppp0  src 60.241.248.86  metric 20 
default via 144.132.144.1 dev vlan2  src 144.132.147.156  metric 30


The difference for you should be in the default table; you will not need 
default  proto static  metric 5
nexthop via 144.132.144.1  dev vlan2 weight 1
nexthop via 10.20.20.168  dev ppp0 weight 20

because you want all your traffic to go out 1 link.

alex


 3:  from all lookup main
 3:  from all lookup default
 


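The rule-and-table walk that the two threads above rely on (Salim's fwmark 0x200/0x200 rules in front of a catch_all multipath table, and the question in this thread of what `prohibit default ... metric 100` actually does) can be made concrete with a small model of the RPDB lookup. The following is an added example, not kernel code and not anything posted on the list. It is loaded with Alex's cable/adsl/default tables exactly as shown above; his main table was not posted and is assumed to hold only the LAN routes, the extra fwmark rule and the destination 203.0.113.10 are constructed for the demonstration, and the multipath nexthop choice is a deterministic weighted hash of (src, dst) standing in for the kernel's own selection. The semantics modelled are the kernel's: a table with no matching route falls through to the next rule, a `prohibit` route stops the walk with EACCES, and when an interface goes down the kernel removes the routes that used it. That last point is what the prohibit entry is for: with the cable default gone, traffic sourced from the cable address hits `prohibit` instead of falling through to the default table and leaving via ppp0 with the wrong source address.

```python
"""Toy model of the Linux routing policy database (RPDB) lookup: rules are walked in
priority order, a table with no matching route falls through to the next rule, and a
matching prohibit route ends the walk with EACCES. Added example, not kernel code."""
import zlib
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def plen(prefix): return 0 if prefix == "default" else ip_network(prefix).prefixlen
def covers(prefix, addr): return prefix == "default" or ip_address(addr) in ip_network(prefix)


@dataclass
class Route:
    prefix: str                 # "default" or a CIDR
    dev: str = None             # single-nexthop output device
    via: str = None
    metric: int = 0
    kind: str = "unicast"       # unicast | prohibit
    nexthops: list = field(default_factory=list)   # multipath: [(via, dev, weight), ...]


@dataclass
class Rule:
    prio: int
    table: str
    src: str = None             # "from" selector as a CIDR; None means "from all"
    fwmark: tuple = None        # (value, mask), as in "fwmark 0x200/0x200"

    def matches(self, src, mark):
        if self.src and (src is None or not covers(self.src, src)):
            return False
        return self.fwmark is None or (mark & self.fwmark[1]) == self.fwmark[0]


class Rpdb:
    def __init__(self):
        self.rules, self.tables = [], {}

    def rule(self, prio, table, **selector):
        self.rules.append(Rule(prio, table, **selector))
        self.rules.sort(key=lambda r: r.prio)

    def route(self, table, prefix, **kw):
        self.tables.setdefault(table, []).append(Route(prefix, **kw))

    def link_down(self, dev):
        """Model NETDEV_DOWN: routes and multipath nexthops that used dev disappear."""
        for routes in self.tables.values():
            for r in routes:
                r.nexthops = [nh for nh in r.nexthops if nh[1] != dev]
            # a prohibit route has no device to lose; a multipath route dies with its last nexthop
            routes[:] = [r for r in routes if r.kind != "unicast"
                         or (r.nexthops if r.dev is None else r.dev != dev)]

    def route_get(self, dst, src=None, mark=0):
        """Model `ip route get DST [from SRC] [mark MARK]`: the chosen route, or an error."""
        for rule in self.rules:
            cands = [r for r in self.tables.get(rule.table, []) if covers(r.prefix, dst)]
            if not rule.matches(src, mark) or not cands:
                continue                        # selector miss or empty table: next rule
            r = min(cands, key=lambda r: (-plen(r.prefix), r.metric))  # longest prefix, lowest metric
            if r.kind == "prohibit":
                return {"error": "EACCES", "table": rule.table}   # ip prints "Permission denied"
            via, dev = r.via, r.dev
            if r.nexthops:                      # weighted choice keyed on the flow (stable here)
                slot = zlib.crc32(f"{src}->{dst}".encode()) % sum(w for _, _, w in r.nexthops)
                for via, dev, w in r.nexthops:
                    if slot < w:
                        break
                    slot -= w
            return {"table": rule.table, "dev": dev, "via": via, "metric": r.metric}
        return {"error": "ENETUNREACH"}


def alex_rpdb():
    """Alex's cable/adsl/default tables as posted; main was not posted and is assumed LAN-only."""
    db = Rpdb()
    db.rule(200, "cable", src="144.132.147.156/32")
    db.rule(201, "adsl", src="60.241.248.86/32")
    db.rule(32766, "main")
    db.rule(32767, "default")
    for table in ("cable", "adsl", "main"):
        for prefix, dev in (("192.168.8.248/29", "tap0"), ("192.168.11.0/24", "vlan0"),
                            ("192.168.10.0/24", "eth1")):
            db.route(table, prefix, dev=dev)
    db.route("cable", "default", via="144.132.144.1", dev="vlan2", metric=50)
    db.route("cable", "default", kind="prohibit", metric=100)
    db.route("adsl", "default", via="10.20.20.168", dev="ppp0", metric=20)
    db.route("adsl", "default", kind="prohibit", metric=100)
    db.route("default", "default", metric=5,
             nexthops=[("144.132.144.1", "vlan2", 1), ("10.20.20.168", "ppp0", 20)])
    db.route("default", "default", via="10.20.20.168", dev="ppp0", metric=20)
    db.route("default", "default", via="144.132.144.1", dev="vlan2", metric=30)
    return db


def demo(dst="203.0.113.10"):                       # constructed "random internet address"
    db = alex_rpdb()
    db.rule(100, "adsl", fwmark=(0x200, 0x200))       # assumed Salim-style selector, not Alex's
    before = db.route_get(dst, src="144.132.147.156")   # bound to the cable address
    marked = db.route_get(dst, mark=0x600)              # 0x600 & 0x200 == 0x200: the mask matches
    db.link_down("vlan2")                               # the cable link goes down
    after = db.route_get(dst, src="144.132.147.156")    # prohibit, not a fall-through to adsl
    forwarded = db.route_get(dst, src="192.168.10.5")   # LAN host: main has no default route
    return before, marked, after, forwarded
```

Calling `demo()` returns the four lookups in order: the cable-sourced packet via vlan2, the marked packet via ppp0 from table adsl, the same cable-sourced packet after the link drop answered with EACCES from table cable (the next rule is never consulted), and a LAN-sourced packet that passes straight through the rule 200/201 selectors and the empty default in main to the multipath route in table default, which by then has only its ppp0 nexthop left. Note what the model cannot show, and neither can the kernel: an upstream failure beyond the first hop leaves every route in place, which is why the ping-based dead gateway detection discussed elsewhere in this archive exists.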


Re: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.

2007-02-13 Thread Alex Samad
On Tue, Feb 13, 2007 at 10:54:51PM +0100, Paul Viney wrote:
 Thanks for the advice, Alex. I've been able to add both default routes - I 
 hadn't considered using the metric to avoid using the VPN link. 
 I guess I wasn't very clear with my use of 64.233.183.103, which was meant to 
 be a random internet address coming in over the VPN link, not the default 
 internet link.
 what exactly does the  prohibit default  proto static  metric 100  in your 
 routing table do? Haven't you already had a default route which would trigger 
 before reaching this rule?
It's been a while since I looked over this, but from memory, if the link goes
down it stops the route table being used.

 
 I still seem to have much the same problem. I no longer get ICMP unreachable 
 errors, but the packet just seems to disappear - I can't see it being 
 forwarded on any interface, nor can I find any kind of reply - icmp or 
 otherwise.

sounds like a firewall issue!

 
 ip route get <random internet address> to 192.168.12.5  gives
 192.168.12.5 dev eth3  src 192.168.12.1
 cache  mtu 1500 advmss 1460 metric 10 64
 
 ip route get <random internet address> to 192.168.12.5 iif eth1   gives
 RTNETLINK answers: Invalid argument

Try

ip r g <random internet address> from 192.168.12.5

I seem to be getting the same error as you.

 
 Am I not understanding how ip route get works? The man pages are fairly 
 succinct in their explanation.
 
 Thanks for your help,
 
 Paul Viney
 
 

Re: [LARTC] Questions about mutiple providers

2007-01-29 Thread Alex Samad
On Mon, Jan 29, 2007 at 01:17:03PM +0100, Fabio Muzzi wrote:
 
 Hi, this is my first post to the list.
 
 I have googled a lot, and still cannot find a proper solution. I hope
 someone here will be able to shed some light on my doubts.
 
 I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for
 100 clients, and uses two different ISPs, using the howto found at
 http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not*
 patched my kernel.
 
 The routing setup is taken from the howto, and it basically works, I see
 packets flowing out of both WAN interfaces, and everything seems to work
 properly for packets that are generated from the firewall itself.
 
 I have set up NAT rules in the postrouting table, this way:
 
 iptables -t nat -A POSTROUTING -o $WAN  -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
 iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 83.211.205.162
 
 Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and
 their relative IP addresses are set as shown. WAN interfaces are
 physically different and have no aliases, only the IP shown above.
 
 Now, I am experiencing two issues:
 
 - First, I see packets with from address set to 83.211.205.162 that go
 out of $WAN, and also packets with from address set to 217.221.234.74 that
 flow out of $WAN2. This address mixup should not happen, I suppose.
 Looking at the packets, it seems that only NATed traffic shows this
 behaviour.

You have to set up your ip rule rules, which will state that anything coming from
217.221.234.74 only goes out $WAN and anything coming from 83.211.205.162 only
goes out $WAN2; it should be part of the wiki/faq doco.

 
 
 -  Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that
 still  have  the LAN from address, that is 10.0.x.x, these packets somehow
 where not NATed at all.

never seen this

 
 
 Now, the questions are:
 
 How do I solve this?
 
 Do I need to patch my kernel to solve the first issue, because I need to
 look at the NAT established connections tables to make routing decisions? Is
 it impossible to have equal cost multipath and SNAT together without
 patching the kernel? If so, what patch do I need exactly?
 
 Is there something wrong with my kernel version, that has broken NAT
 support? (this could explain why I get some packets that do not get NATed
 at all)
 
 
 Thanks a lot for the time you took reading this.
 
 -- 
 
   Fabio Kurgan Muzzi
 
 


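Francesco's CONNMARK chain in the DNAT thread above and Fabio's "address mixup" here are two faces of one mechanism: conntrack fixes the NAT mapping of a connection on its first packet, while a multipath default route makes its own choice at each lookup, so nothing ties later packets, or the replies, to the interface the first packet used unless a mark carried by the connection does. The following is an added example, not code from the list or from any of the posters: a Python model of a two-uplink NAT router with constructed addresses (TEST-NET-2 for the uplinks, 10.0.0.0/16 inside, a VNC server at 10.0.0.5 published on the eth2 address), a `mymark`-style ingress marking with CONNMARK save/restore as Francesco describes, and an assumed extension (`pin_outbound`) that also marks outbound connections with the uplink their first packet was SNATed to. Multipath is modelled as a round robin per lookup; the real kernel's selection and its caching vary by version, and the example only needs it to be unpredictable.

```python
"""Toy model of connection tracking plus CONNMARK on a NAT router with two uplinks
and a multipath default route. Added example, not code from the list."""
import itertools
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/16")            # constructed private side, reached via eth0
UPLINKS = {                                 # constructed; TEST-NET-2 addresses stand in for the ISPs
    "eth1": {"ip": "198.51.100.10", "mark": 0x1},
    "eth2": {"ip": "198.51.100.74", "mark": 0x2},
}
DNAT = {("198.51.100.74", 5900): ("10.0.0.5", 5900)}     # VNC on the DMZ host, published on eth2's address
MARK_TABLE = {u["mark"]: dev for dev, u in UPLINKS.items()}  # ip rule fwmark M lookup <table whose default is dev>


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iif: str
    mark: int = 0


@dataclass
class Flow:
    """One conntrack entry: the tuple as first seen, the same tuple after NAT, and the CONNMARK."""
    orig: tuple
    nat: tuple
    mark: int = 0


class Router:
    def __init__(self, use_connmark=True, pin_outbound=False):
        self.use_connmark = use_connmark    # Francesco's mymark / CONNMARK --save-mark / --restore-mark
        self.pin_outbound = pin_outbound    # assumed extension: also mark outbound flows by egress uplink
        self.ct = {}                        # conntrack, keyed by both the original and the reply tuple
        self.multipath = itertools.cycle(UPLINKS)   # a multipath default route gives no per-flow promise

    def forward(self, p):
        """PREROUTING -> routing -> POSTROUTING for one packet; returns (egress dev, src, dst) as sent."""
        key = (p.src, p.sport, p.dst, p.dport)
        f = self.ct.get(key)
        new = f is None
        if new:
            f = Flow(orig=key, nat=key)
            if self.use_connmark and p.iif in UPLINKS:  # mymark: new connection from an uplink gets its mark
                f.mark = UPLINKS[p.iif]["mark"]
            if (p.dst, p.dport) in DNAT:                # nat PREROUTING: DNAT the published service
                f.nat = (p.src, p.sport) + DNAT[(p.dst, p.dport)]
        if self.use_connmark:
            p.mark = f.mark                             # CONNMARK --restore-mark before the routing decision
        if not new and key != f.orig:                   # reply direction: conntrack undoes the NAT
            p.src, p.sport, p.dst, p.dport = f.orig[2], f.orig[3], f.orig[0], f.orig[1]
        else:
            p.src, p.sport, p.dst, p.dport = f.nat
        # routing decision: LAN routes first, then the fwmark rule, then the multipath default
        if ip_address(p.dst) in LAN:
            dev = "eth0"
        elif p.mark in MARK_TABLE:
            dev = MARK_TABLE[p.mark]
        else:
            dev = next(self.multipath)
        if new and dev in UPLINKS and ip_address(p.src) in LAN:   # nat POSTROUTING: SNAT to the egress uplink
            p.src = UPLINKS[dev]["ip"]
            f.nat = (p.src, p.sport, p.dst, p.dport)
            if self.pin_outbound:
                f.mark = UPLINKS[dev]["mark"]
        if new:
            self.ct[f.orig] = f
            self.ct[(f.nat[2], f.nat[3], f.nat[0], f.nat[1])] = f   # index the expected reply tuple
        return dev, p.src, p.dst


def dnat_replies(use_connmark, n=4):
    """Inbound VNC connection arriving on eth2; returns the egress device of n replies from the DMZ host."""
    r = Router(use_connmark)
    r.forward(Packet("203.0.113.7", 40000, "198.51.100.74", 5900, iif="eth2"))   # constructed client
    return [r.forward(Packet("10.0.0.5", 5900, "203.0.113.7", 40000, iif="eth0"))[0] for _ in range(n)]


def outbound_flow(pin_outbound, n=4):
    """LAN client to an internet host; returns (egress dev, source address) for n packets of one connection."""
    r = Router(use_connmark=True, pin_outbound=pin_outbound)
    return [r.forward(Packet("10.0.1.20", 50000, "203.0.113.50", 443, iif="eth0"))[:2] for _ in range(n)]


if __name__ == "__main__":
    print("DNAT replies, CONNMARK on :", dnat_replies(True))
    print("DNAT replies, CONNMARK off:", dnat_replies(False))
    print("outbound, pinned   :", outbound_flow(True))
    print("outbound, unpinned :", outbound_flow(False))
```

With the marking in place every reply to the V-N-C connection leaves on eth2, the interface it arrived on; without it the replies alternate between eth1 and eth2 carrying eth2's public address, which is Tom's symptom. The outbound case reproduces Fabio's: the first packet of the LAN connection is SNATed to eth1's address and conntrack keeps that mapping, but unless the connection is also marked, later packets of the same connection can be routed out eth2 still carrying 198.51.100.10. Source-based `ip rule` entries do not help with forwarded traffic here, because the routing decision happens before POSTROUTING changes the source; the mark, restored before routing, is what makes the choice sticky.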


Re: [LARTC] ip alias + dsl modem

2007-01-24 Thread Alex Samad
On Thu, Jan 25, 2007 at 12:14:56AM +0900, GodSharp wrote:
 Hi Guys,
 
 Just wondering for some reason when I switched providers(DSL) IP aliasing
 stopped working. And, I am not sure what kind of modem this is, the previous
 one had some Ethernet ports at the back(it has a bult-in 4 port switch) the
 new doesn't have one, only a single Ethernet port and It is directly
 connected to my Linux box.
 
 My provider gave me a /24 subnet and 9 useable IP's.
 
 # ip a s eth2
 6: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
 link/ether 00:08:a1:72:c1:f5 brd ff:ff:ff:ff:ff:ff
 inet xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 scope global eth2
 inet xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 
 -- settings --
 ip link set eth2 up
 ip addr flush dev eth2
 ip addr add xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 dev eth2
 ip route add default via xxx.xxx.xxx.1
 --- end settings ---
 
 /proc/sys/net/ipv4/ip_forward is 1
 /proc/sys/net/ipv4/ip_dynaddr is 1
 
 works: ping google.com -I eth2
 works: ping google.com -I xxx.xxx.xxx.50
 not working: ping google.com -I xxx.xxx.xxx.58

Have you tried ip route get? It will tell you what the kernel is thinking on how
it's going to route the packet.

You might also need to set up some ip rule lines for each of the secondary
addresses, but first try pinging the next hop with each of the addresses!

 
 From the outside I can ping xxx.xxx.xxx.50 but cannot ping any secondary
 IP's.
 
 I tried tcpdump but didn't receive any replies from the secondary ip's I got
 replies from the primary IP though.
 
 If I remove the secondary IP's and use it on another computer the secondary
 IP works. It looks like I can only use 1 IP per computer (per mac). What
 seems to be the problem? Is it the modem? I am not sure about adsl's and
 their type of settings (bridge/router) and I would like to contact my
 provider. But I am having troubles on asking them regarding the problem.
 If there's a technical explanation regarding this or some trick it would
 help me clarify it to them or to me.
 
 There are no filters involved (iptables). With my previous provider aliasing
 worked; both are dsl's.
 
 




Re: [LARTC] LARTC Wiki

2007-01-23 Thread Alex Samad
On Tue, Jan 23, 2007 at 03:53:23PM +, Andrew Beverley wrote:
 I'm not aware of one, and I think it's an excellent idea.
 
 There's some great software available for LARTC, and some of the
 documentation is very good, but unfortunately it's all a bit disparate.
 A wiki would be a great start.
 
 I'd be happy to host one and transfer stuff into it unless someone else
 has a better idea/offer?
 
 Andy Beverley

Last time there was talk of a wiki this address was given:

http://linux-net.osdl.org/index.php/Main_Page

This link below gives the details on how to set up a multi link connection:
http://lartc.org/howto/lartc.rpdb.multiple-links.html

Alex

 
 
 On Tue, 2007-01-23 at 12:46 -0300, Marco Aurelio wrote:
  Hi all,
  
  Since the mail list receives a lot of repeated subjects (for example:
  i have two adsl lines...), maybe these specific issues should be
  treated on the LARTC Guide, or maybe if we had a wiki?
  
  Is there a LARTC Wiki?
  
  If not, what do you think about creating one?
  
  Thanks
  
  -- 
  Marco 
 
 




Re: [LARTC] LoadBalancing on many asimetric different dsl's.

2007-01-22 Thread Alex Samad
On Mon, Jan 22, 2007 at 10:03:21AM +0100, Jordi Segues wrote:
 Hello,
 
 I've done this some months ago, with a command like:
 ip route add default equalize scope global nexthop  via $EXTGW1 dev
 $EXTIF1 weight 1 nexthop via $EXTGW2 dev $EXTIF2 weight 1
 
 However, this is not the problem.
 While load balancing of simple requests worked fine, there were
 problems when you worked with connections. I mean HTTPS, or FTP
 connections for example.
 
 The problem was for me that the system tries to send packets of the same
 connection through different gateways, so with different IP source
 (each DSL connection was from a different ISP). This caused the server
 not to understand why the same connection sent packets with 2
 different source IPs ;)
 Well, I hope you understand me.
 
 If you would do real load balancing, and in a proper way, you should
 not only do it by link charge, but route packets by connection too.
 (routing all packets of the same connection through the same gateway)
 This is caused because you must flush the route cache sometimes (or
 packets to a destination will always take the same route, which is not
 a load balance).
 
 So if someone has done it and doesn't have this problem, I'm interested too 
 :)

the above is actually covered in the wiki howto.  But you need to set up SNAT on
each interface, then connection tracking takes care of sending each stream out
the right interface; you need to use SNAT and not MASQ.

Then you need to set up some ip rule tables for each of the interfaces.


my ip ru looks like this

0:  from all lookup local 
200:from 144.132.145.38 lookup cable 
201:from 60.241.248.86 lookup adsl 
32766:  from all lookup main 
32767:  from all lookup default 


my ip r sh tab default 

default  proto static  metric 5 
nexthop via 144.132.144.1  dev vlan2 weight 1
nexthop via 10.20.20.230  dev ppp0 weight 20
default via 10.20.20.230 dev ppp0  src 60.241.248.86  metric 20 
default via 144.132.144.1 dev vlan2  src 144.132.145.38  metric 30 


This works fine for me, I have tracked packets with tcpdump on both the server
and the client.

Alex



 
 Thanks!
 
 Jordi Segues
 
 On 22 Jan 2007 09:49:28 +0100, sAwAr [EMAIL PROTECTED] wrote:
 Hi,
 
 my company have just bought new network and I have question about one 
 problem.
 As in topic we must use few completely different dsl's and balance traffic 
 between them.
 2M/0,5M 4Mb/0,5M 8M/0,5M
 M=Mb/s
 I've never done such thing before so I have doubts how it will work. If 
 the links are symmetric 2/2 4/4 8/8 there is no problem because with 
 weights I can compensate  the difference between them and achieve nice 
 results. But what in my situation?
 My questions are: how to set load balancing to get all links equally 
 loaded and avoid situation when the up load will be full and download 
 almost empty? I believe this situation can happen due to fact that load 
 balancing is based on flows and for example p2p or smtp/pop3 will eat 
 whole upload.
 If my problem isn't clear I'll try to explain it better later.
 
 
 Thanks in advance.
 Pozdrawiam
 sawar
 
 --
 Wolne adresy pocztowe @interia.eu  http://link.interia.pl/f19e8
 
 
 
 
 -- 
 Jordi Segués Daina
 ---
 Andorra GSM: (+376) 35 35 68
 France GSM: (+33) (0)6 81 88 35 55
 [EMAIL PROTECTED] / MSN: [EMAIL PROTECTED]
 AIM: superjordix
 Skype: callto://superjordix
 ---
 http://www.JordiX.com
 



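The two-uplink layout from Alex's reply (a from-rule per source address, a weighted multipath default, SNAT per uplink) together with the ip route get check from his earlier reply, as an added example that is not code from the original posts. The addresses and gateways are the ones in his output; the cable prefix, the numeric table ids and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not code from the list posts): two uplinks, "cable" on vlan2
# and "adsl" on ppp0, routed the way Alex's "ip ru" / "ip r sh tab default"
# output shows. Addresses and gateways are the ones in that output; the cable
# prefix and the numeric table ids are assumptions. DRY_RUN=1 prints each
# command instead of executing it (executing needs root).

CABLE_IF=vlan2
CABLE_IP=144.132.145.38
CABLE_GW=144.132.144.1
CABLE_NET=144.132.144.0/23   # assumed: must contain both CABLE_IP and CABLE_GW
CABLE_TBL=200                # numeric; "cable" needs an /etc/iproute2/rt_tables entry

ADSL_IF=ppp0                 # point-to-point, so no subnet route is needed
ADSL_IP=60.241.248.86
ADSL_GW=10.20.20.230
ADSL_TBL=201

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_multilink() {
    # One table per uplink: the link's own subnet and a default route via
    # that uplink's gateway.
    run ip route add "$CABLE_NET" dev "$CABLE_IF" src "$CABLE_IP" table "$CABLE_TBL"
    run ip route add default via "$CABLE_GW" dev "$CABLE_IF" table "$CABLE_TBL"
    run ip route add default via "$ADSL_GW" dev "$ADSL_IF" table "$ADSL_TBL"

    # The 200:/201: rules: a packet carrying an uplink's address as source is
    # routed by that uplink's table, so replies to inbound connections leave
    # by the link they arrived on.
    run ip rule add from "$CABLE_IP" lookup "$CABLE_TBL" prio 200
    run ip rule add from "$ADSL_IP" lookup "$ADSL_TBL" prio 201

    # Weighted multipath default (his weight 1 / weight 20): new outbound
    # flows are spread over the two nexthops in that ratio.
    run ip route replace default scope global \
        nexthop via "$CABLE_GW" dev "$CABLE_IF" weight 1 \
        nexthop via "$ADSL_GW" dev "$ADSL_IF" weight 20

    # SNAT to the uplink's own address: conntrack fixes the stream's source
    # address on its first packet, and the from-rules above then keep every
    # later packet of that stream on the same uplink.
    run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j SNAT --to-source "$CABLE_IP"
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -j SNAT --to-source "$ADSL_IP"
}

# The "ip route get" check from Alex's earlier reply: which uplink the kernel
# chooses for a destination when the packet is sourced from a given address.
check_path() {   # usage: check_path DEST SRC
    run ip route get "$1" from "$2"
}

if [ "${1:-}" = "apply" ]; then
    setup_multilink
    check_path 192.0.2.1 "$ADSL_IP"    # 192.0.2.1 is a documentation address
fi
```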

Re: [LARTC] LoadBalancing on many asimetric different dsl's.

2007-01-22 Thread Alex Samad
On Mon, Jan 22, 2007 at 01:21:32PM +0100, Jordi Segues wrote:
 the above is actually covered in the wiki howto.  But you need to set up SNAT on
 each interface, then connection tracking takes care of sending each stream out
 the right interface; you need to use SNAT and not MASQ.
 
 Great news :)
 And thankyou for the details.
 But could you give the link to the wiki howto?
 I only found old doc.
Been a while since I had a look; a quick Google gave me this:

http://lartc.org/howto/lartc.rpdb.multiple-links.html

I have this bookmarked as the wiki:
http://linux-net.osdl.org/index.php/Main_Page

But I think the former is what you want.

 
 Thanks!
 
 
 Then you need to set up some ip rule tables for each of the interfaces.
 
 
 my ip ru looks like this
 
 0:  from all lookup local
 200:from 144.132.145.38 lookup cable
 201:from 60.241.248.86 lookup adsl
 32766:  from all lookup main
 32767:  from all lookup default
 
 
 my ip r sh tab default
 
 default  proto static  metric 5
 nexthop via 144.132.144.1  dev vlan2 weight 1
 nexthop via 10.20.20.230  dev ppp0 weight 20
 default via 10.20.20.230 dev ppp0  src 60.241.248.86  metric 20
 default via 144.132.144.1 dev vlan2  src 144.132.145.38  metric 30
 
 
 This works fine for me, I have tracked packets with tcpdump on both the 
 server
 and the client.
 
 Alex
 
 
 
 
  Thanks!
 
  Jordi Segues
 
  On 22 Jan 2007 09:49:28 +0100, sAwAr [EMAIL PROTECTED] wrote:
  Hi,
  
  my company have just bought new network and I have question about one
  problem.
  As in topic we must use few completely different dsl's and balance 
 traffic
  between them.
  2M/0,5M 4Mb/0,5M 8M/0,5M
  M=Mb/s
  I've never done such thing before so I have doubts how it will work. If
  the links are symmetric 2/2 4/4 8/8 there is no problem because with
  weights I can compensate  the difference between them and achieve nice
  results. But what in my situation?
  My questions are: how to set load balancing to get all links equally
  loaded and avoid situation when the up load will be full and download
  almost empty? I believe this situation can happen due to fact that load
  balancing is based on flows and for example p2p or smtp/pop3 will eat
  whole upload.
  If my problem isn't clear I'll try to explain it better later.
  
  
  Thanks in advance.
  Pozdrawiam
  sawar
  
  --
  Wolne adresy pocztowe @interia.eu  http://link.interia.pl/f19e8
  
  
 
 
  --
  Jordi Segués Daina
  ---
  Andorra GSM: (+376) 35 35 68
  France GSM: (+33) (0)6 81 88 35 55
  [EMAIL PROTECTED] / MSN: [EMAIL PROTECTED]
  AIM: superjordix
  Skype: callto://superjordix
  ---
  http://www.JordiX.com
 
 
 
 
 
 
 
 
 
 
 -- 
 Jordi Segués Daina
 ---
 Andorra GSM: (+376) 35 35 68
 France GSM: (+33) (0)6 81 88 35 55
 [EMAIL PROTECTED] / MSN: [EMAIL PROTECTED]
 AIM: superjordix
 Skype: callto://superjordix
 ---
 http://www.JordiX.com
 




Re: [LARTC] multipath device round robin not working?

2007-01-16 Thread Alex Samad
On Mon, Jan 15, 2007 at 06:44:54PM -0600, Grant Taylor wrote:
 On 01/15/07 15:20, [EMAIL PROTECTED] wrote:
 Wow, that's a complicated solution. Nicely done:) But I think that's a 
 bit too complicated for my setup thx for the input anyway.
 
 Thanks.
 
 Indeed the set up is not simple.  You may consider talking with your ISP 
 and seeing if they can assign one of your links an IP on a different subnet.
 
 I have found that ISPs that are worth their salt are willing to work 
 with you to help you resolve these types of problems.
 
 
 
 Grant. . . .

Something else to look for, because you have 2 NICs in the same broadcast
domain: (http://cactuswax.net/blog/articles/2006/09/arp_ignore.html) explains
about arp_ignore.

In its default setup you are going to find one NIC is going to ARP-respond for
both IP addresses!



 




Re: [LARTC] multipath device round robin not working?

2007-01-14 Thread Alex Samad
On Sat, Jan 13, 2007 at 12:54:24PM +0100, [EMAIL PROTECTED] wrote:
 Hi,
 
 I have a linux server running kernel 2.6.19 that is connected with 2 
 separate 100Mbit links to the same isp:
 
 
   +---------------+       +---+
   |               |       | I |
   |    eth0 ------+-------+ S |
   |               |       | P |
   |               |       |   |       +-------------+
   | linux 2.6.19  |       | S |-------| ISP GATEWAY |
   |               |       | W |       +-------------+
   |    eth1 ------+-------+ I |
   |               |       | T |
   +---------------+       | C |
                           | H |
                           +---+
 
 Both links have their own ip but have the same gateway. The problem is I 
 can't seem to get egress traffic load balanced over the 2 nics.
 
 IP config after boot (dhcp from isp)
 ip a:
 
 1: lo: LOOPBACK,UP,1 mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
 
 2: eth0: BROADCAST,MULTICAST,NOTRAILERS,UP,1 mtu 1500 qdisc 
 pfifo_fast qlen 1000
link/ether 00:00:00:00:00:0f brd ff:ff:ff:ff:ff:ff
inet 10.0.0.110/24 brd 10.0.0.255 scope global eth0
 
 3: eth1: BROADCAST,MULTICAST,NOTRAILERS,UP,1 mtu 1500 qdisc 
 pfifo_fast qlen 1000
link/ether 00:00:00:00:00:ed brd ff:ff:ff:ff:ff:ff
inet 10.0.0.120/24 brd 10.0.0.255 scope global eth1
 
 Default routing table after boot
 ip r:
 
 10.0.0.0/24 dev eth0  scope link
 10.0.0.0/24 dev eth1  scope link  metric 1
 127.0.0.0/8 dev lo  scope link
 default via 10.0.0.1 dev eth0
 default via 10.0.0.1 dev eth1  metric 1
 
 I enabled ip_forward and set arp_ignore to 1 for eth0 and eth1 to make 
 sure the correct nic answers to arp requests.
 
 I tried to get the egress load balancing to work by replacing the above 
 two default routes with:
 
 ip route add default mpath drr nexthop via 10.0.0.1 dev eth0 weight 1 
 onlink nexthop via 10.0.0.1 dev eth1 weight 1 onlink
 
 I assumed that with mpath device round robin both nics would be used 
 more or less equally, but the reality is only one of the nics actually 
 works and the second nic even stops responding to arp requests.
 
 Am I doing something totally wrong or impossible here or is the device 
 round robin code not working properly?

Curiosity, but why use such a setup; is your ISP link 2Gbp/s?  Why not bond if
you want HA.

Why it's not round-robining: I am going to guess, but this line

default via 10.0.0.1 dev eth0

costs less to use than

default via 10.0.0.1 dev eth1  metric 1

so it should never use the second.  I say guess because I don't know what the
default metric is if you do add one.

What you want it to look something like is

default  proto static  metric 5 
nexthop via 144.132.144.1  dev vlan2 weight 5
nexthop via 10.20.20.230  dev ppp0 weight 20

There is a link to a howto on the web site that steps out how to set this up

Alex


 




Re: [LARTC] ipp2p

2006-06-22 Thread Alex

When i compiled ipp2p it gave me warnings :
ntohs …/ipt-ipp2p.ko undefined
ntohl …/ipt-ipp2p.ko undefined


Any suggestion ?


Did you specify the correct source for iptables and the kernel before 
compiling? What versions do you use? How did you compile it?


And I'd suggest using the latest, although beta version (0.8.1_rc1) of 
ipp2p. But that's just me.


Alex



[LARTC] arp flood (offtopic?)

2005-10-19 Thread Alex

Hi guys,

Sorry if this is a little offtopic, but I was wondering what can one do to 
prevent/stop arp flooding ?


Thanks,

Alex


--
This message has been scanned for viruses and
dangerous content by LG-Network(http://www.lgnet.ro), and is
believed to be clean.



Re: [LARTC] arp flood (offtopic?)

2005-10-19 Thread Alex

This is what I do to avoid Neighbor table overflow:
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
I should mention that I don't get the message Neighbor table overflow, at 
least with these settings; don't know with default.


Now the thing is that the load average goes up to 30 and the gateway doesn't 
even respond to ping after a while.
The arp-requests are not only for ips that are assigned to hosts but even 
for un-allocated ips in the same subnet.


Maybe dividing into multiple vlans would be a better idea?

Regards,

Alex

- Original Message - 
From: Marek Kierdelewicz [EMAIL PROTECTED]

To: lartc@mailman.ds9a.nl
Sent: Wednesday, October 19, 2005 9:04 PM
Subject: Re: [LARTC] arp flood (offtopic?)



Hi guys,


Hi



Sorry if this is a little offtopic, but I was wondering what can one
do to  prevent/stop arp flooding ?


You can increase the arp cache table size:

echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

It'll make your box handle arp floods more easily (at least the DoS part).

You can also use static arp entries (man arp). This will ensure known
computers will always have access to (through) your router (even with
an arp flood in progress).


Two solutions mentioned above cope with Neighbour table overflow and
problems with accessibility to other legitimate users. They
don't cope however with router's cpu utilisation...

Hope that helps.

Marek Kierdelewicz
KoBa ISP








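The neighbour-table tuning from this thread as an added script that is not from any of the posts: the gc_thresh values Alex and Marek give, a check that the hard cap (gc_thresh3) covers every address on the attached subnets (a scan of a subnet creates one entry per address, which is what fills the table), and Marek's static entries for hosts that must stay reachable during a flood. The interface name, prefix lengths, sample address and MAC are constructed placeholders; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): neighbour-table thresholds, a sanity
# check against the attached subnets, and permanent entries for critical
# hosts. Interface, prefix lengths, 192.0.2.1 and the MAC are placeholders.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usable host addresses in an IPv4 prefix of the given length (/24 -> 254).
prefix_hosts() {
    echo $(( (1 << (32 - $1)) - 2 ))
}

# Sum of usable hosts over the router's attached prefixes, e.g. "24 24 24".
attached_hosts() {
    total=0
    for len in "$@"; do
        total=$(( total + $(prefix_hosts "$len") ))
    done
    echo "$total"
}

# gc_thresh1: entries below this count are never garbage-collected;
# gc_thresh2: above this, stale entries are purged more aggressively;
# gc_thresh3: hard cap on non-permanent entries, beyond it the kernel logs
#             "Neighbour table overflow" and refuses new entries.
set_neigh_thresholds() {   # usage: set_neigh_thresholds T1 T2 T3
    run sysctl -w net.ipv4.neigh.default.gc_thresh1="$1"
    run sysctl -w net.ipv4.neigh.default.gc_thresh2="$2"
    run sysctl -w net.ipv4.neigh.default.gc_thresh3="$3"
}

# Succeeds when the hard cap exceeds the number of addresses on the attached
# subnets, i.e. a full scan of them cannot by itself overflow the table.
thresholds_cover() {       # usage: thresholds_cover T3 PREFIXLEN...
    cap=$1; shift
    [ "$cap" -gt "$(attached_hosts "$@")" ]
}

# Permanent entries are not garbage-collected and are not replaced by ARP
# replies received from the wire, so the gateway and other critical hosts
# stay reachable (and unspoofed) while the rest of the table churns.
pin_neighbour() {          # usage: pin_neighbour IP MAC DEV
    run ip neigh replace "$1" lladdr "$2" nud permanent dev "$3"
}

if [ "${1:-}" = "apply" ]; then
    # Alex's values on a router with a /24 LAN and two /24 tunnel ranges.
    thresholds_cover 8192 24 24 24 || echo "warning: gc_thresh3 below attached host count" >&2
    set_neigh_thresholds 1024 4096 8192
    pin_neighbour 192.0.2.1 00:00:5e:00:53:01 eth0    # constructed sample gateway
fi
```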

[LARTC] iptables MARK behaviour out of the box

2005-07-26 Thread alex
Hi all,
Short question: what happens with the mark on a packet once it's out of the 
box? Is it usable in another computer in the network, or is the mark only valid 
in the same box you've marked the packet on?

Thank you,
Alex


[LARTC] is the lartc documentation right about filters on HTB

2005-07-10 Thread alex
Hi,
Just a short question:
in the documentation (http://lartc.org/howto/lartc.qdisc.filters.html) it appears 
that "Also, with HTB, you should attach all filters to the root!". Is this 
older information, or can you not attach filters to the inner qdiscs at all?

Thank you,
alex


[LARTC] Multiple upload links on same eth

2004-08-30 Thread Alex



Hello..

I have a big problem and it seems I can't solve it..

Scenario: Linux server, 2 eths (one for LAN (eth0), one for Internet (eth1)).
I use NAT for LAN clients..

The internet eth is linked into a switch, along with 6 sdsl modems.. (256 kbit
each link - most probably an htb on the other side)..

So, I made 6 aliases to my eth1 with ip's for the DSL connections..
( 82.xx.xx.50 - .56)

Now, how can I make some load balancing, in order to achieve a download rate
of 256 * 6 kbit ?

I tried to use sch_teql, but seems that tc cannot work with aliases...

Anybody can help me here ?

Regards
 Alex


[LARTC] Re: [ANNOUCE] iproute2 update

2004-06-08 Thread alex
 But should we break existing scripts??  One possibility would be to make
 things case dependant (K = 1024 and k = 1000) or something like that.

That does make sense for entering data, however, for display of results, 
they need to be in one format.

How about global flags, -k/-K, which would change all multipliers (for
input as well as output) to 1000 or 1024? That way, nothing existing will
be broken, and a warning should be placed in documentation that without -k
flag, results are misleading.

I'll leave the default selection for -k/-K up to you.

Alternatively, 

(tc -k command)

-alex

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


[LARTC] Re: [ANNOUCE] iproute2 update

2004-06-08 Thread alex
Stephen,

Perhaps it is time to fix iproute2 interpretation of kbit/mbit/gbit.

Currently, they are interpreted as powers of 2 (i.e. 10mbit = 
10*1024*1024), which is absolutely incorrect when dealing with networking, 
as line speeds are always interpreted in decimal.

Example: 10Mbit ethernet is 10 000 000 bits/second. Someone who may be 
trying to rate-limit outbound traffic is bound for a surprise when tc's 
10mbit does not match physical line characteristic.

Other examples: 28k modem is 28000 bit/s, 56k is 56000, OC-3 SONET 
(155Mbit) is 15500 bit/s, etc.  There isn't a technology that is 
quoted with kbits meaning 1024bit/s.

-alex

On Tue, 8 Jun 2004, Stephen Hemminger wrote:

 A new version of the iproute2 utilities is available to handle the new
 extensions for 2.6.7.
   * Based on the last known good version of iproute2 from Alexy
   * Included most of the vendor patches (except for the stupid ones).
   * Got rid of lots of the glibc workarounds,  I intend this to build
 and run on 2.6 (and 2.4) only.
   * Fixed some parsing and formatting bugs.
   * Added gigabit as a rate.
   * Added HTB and delay scheduler
   * Added support for new tcp_info extensions to ss
 
 The website is:
   http://developer.osdl.org/dev/iproute2
 and the download is in:
   http://developer.osdl.org/dev/iproute2/download
 
 This version builds with 2.6.7 as the kernel include files, so either have
 the files in /usr/include/linux up to date or modify the top level Makefile
 to point to a kernel build.  Will workout a way to build on 2.4 next.
 
 -
 To unsubscribe from this list: send the line unsubscribe linux-net in
 the body of a message to [EMAIL PROTECTED]
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 



Re: [LARTC] ALTQ - Bandwidth Manager

2004-04-29 Thread alex
a) this has nothing to do with Linux.
b) if you have to ask these questions, you will not be able to do it.

-alex

On Thu, 29 Apr 2004, Prajith wrote:

 Hi,
 
   I have to port ALTQ(Alternate Queueing) software from FreeBSD to QNX. 
 It's more like a bandwidth manager. 
 
   Since I am new to this domain, any kind of help will be useful. 
 
   I have many doubts like
 
*  What exactly is a bandwidth manager
*  Where will it sit in the OS
*  How will it be implemented.
 
 Thanks in advance
 Prajith.
   
 
  
 
 



Re: [LARTC] second routing decision--when?

2004-04-29 Thread alex
Unfortunately, not that easy.

Look at ipt_ROUTE (from netfilter) to do it.

-alex

On Thu, 29 Apr 2004, Egon Eckert wrote:

 Hi,
 
 I'd like to mark locally generated packets in the OUTPUT chain and do
 policy based routing (selecting one of two default gateways) based on
 the mark value.
 
 But when the packet hits the OUTPUT chain (in 'mangle' table), the
 routing decision seems to be already made.  AFAIK, locally generated
 packets do not pass the PREROUTING chain (so trying to mark them there
 wouldn't help me either).
 
 Any ideas?
 
 Sorry, haven't found this in the archive. :-)
 
 Thanks in advance,
 
 



Re: [LARTC] tc feature request/bounty (fwd)

2004-04-17 Thread alex
 for something like that to work, you need a lot of programming and
 testing in different situations.
 
 Sharing traffic shaping across different boxes can become very
 complicated if you want to do it right, I don't think you can find
 experts willing to program and test everything, setup test networks etc.
 for 300$.
Thanks to jamal's latest tc action patch, and some perl duct tape
(essentially polling the load per index, and modifying the capacity 
based on incoming announcements), I've been able to do what I wanted. 

:_)

-alex



Re: [LARTC] large routing table

2004-03-30 Thread alex
On Wed, 31 Mar 2004, Roy wrote:

 100kbytes of prefixes is not so good , hashing does not mean anything
 faster when checking ip you will need to test 4 bytes in any way, since
 hash is usually 32 bit too. this can help on very complex rules only. so
 if you pump 100 kbytes of prefixes this is probably 7000 addresses so on
 each packet 7000 tests will be done.
Incorrect. Linux route lookup is crappy, but not THAT crappy.
Route-cache somewhat helps too.

-alex



[LARTC] HTB VoIP

2004-03-02 Thread Alex Landau
Hi,
I have a Linux box which acts as a router (NAT) and has VoIP software.
I want the VoIP traffic to have the highest priority. So I used
a script like this:


#!/bin/sh

DEV=ppp0
TC=tc

$TC qdisc del dev $DEV root > /dev/null 2>&1

$TC qdisc add dev $DEV root handle 1: htb default 30

$TC class add dev $DEV parent 1: classid 1:1 htb rate 96kbit burst 15k

$TC class add dev $DEV parent 1:1 classid 1:10 htb rate 94kbit burst 15k \
    prio 0
$TC class add dev $DEV parent 1:1 classid 1:20 htb rate 1kbit ceil 1kbit \
    burst 1k prio 1
$TC class add dev $DEV parent 1:1 classid 1:30 htb rate 1kbit ceil 90kbit \
    burst 1k prio 7

$TC qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10

$TC filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip protocol \
    17 0xff flowid 1:10


Currently the filter puts all UDP traffic (through which the voice goes) to
1:10.
The script works partially: when uploading from the LAN and starting a call,
the upload rate decreases exactly as needed by the voice, BUT the voice has
LARGE delays - up to 2 secs.

Is there an option to put (for instance) all UDP traffic at the beginning of
the output queue?

Thanks,
Alex



Re: [LARTC] Neighbour table overflow

2004-02-24 Thread Alex
I'm doing NAT for 200 workstations and 2 gre tunnels with 4 users each. I
also have in mangle table in PREROUTING chain, DROP rules for ports commonly
used by blaster, welchia and other worms. I have never seen this problem
until now and I did not get the chance to verify it under kernel 2.4.X.

I use one class C private with private ips + another 2 class C for tunnels.

Maybe this message is because my users frequently scan the network with
WS_PING to see what users are online (this produces arp-requests for each ip
in that ip class)?

Alex Iruc


- Original Message - 
From: Damjan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Alex [EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 11:12 PM
Subject: Re: [LARTC] Neighbour table overflow


  What is the cause for such a message while running kernel 2.6.1 on RH9 ?
 
  Neighbour table overflow.
  NET: 282 messages suppressed.
  Neighbour table overflow.

 ARP table overflow,
 do you have an interface on your router with a too wide netmask?
 /16 (255.255.0.0) maybe?
 Do you have a lot of (incomplete) entries in arp -n?

 Check that interface with tcpdump -i eth? -n arp.

 Probably some virus or port sniffer tries to scan your network.

 -- 
 Damjan Georgievski
 jabberID: [EMAIL PROTECTED]






[LARTC] esfq htb

2004-02-11 Thread Alex
Hi,
I just upgraded to kernel 2.6.2 patched with IMQ-NAT patch and ESFQ from Jim
diGriz's QoS Script and now I need to patch iproute for esfq and the latest
HTB patch. I grabbed iproute2-2.4.7-now-ss010824.tar.gz and I applied the
following patches:
iproute2-2.2.4-now-ss001007-esfq.diff and htb3.6_tc.diff

I did set the correct path in Makefile pointing to
/usr/src/linux-2.6.2/include and when I do make I get this:

make[1]: Entering directory `/work/new/iproute2/lib'
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -Werror -g -I../include-glib
c -include
../include-glibc/glibc-bugs.h -I/usr/src/linux-2.6.2/include -I../include -D
RESOLVE_HOSTNAMES   -c -o ll_map.o ll_map.c
In file included from /usr/src/linux-2.6.2/include/linux/compiler.h:16,
 from /usr/src/linux-2.6.2/include/asm/byteorder.h:5,
 from /usr/src/linux-2.6.2/include/linux/in.h:241,
 from ../include-glibc/netinet/in.h:7,
 from ll_map.c:19:
/usr/src/linux-2.6.2/include/linux/compiler-gcc3.h:19:1:
__attribute_used__ redefined
In file included from /usr/include/features.h:291,
 from ../include-glibc/glibc-bugs.h:4,
 from command line:1:
/usr/include/sys/cdefs.h:192:1: this is the location of the previous
definition
In file included from /usr/src/linux-2.6.2/include/linux/compiler.h:16,
 from /usr/src/linux-2.6.2/include/asm/byteorder.h:5,
 from /usr/src/linux-2.6.2/include/linux/in.h:241,
 from ../include-glibc/netinet/in.h:7,
 from ll_map.c:19:
/usr/src/linux-2.6.2/include/linux/compiler-gcc3.h:22:1:
__attribute_pure__ redefined
In file included from /usr/include/features.h:291,
 from ../include-glibc/glibc-bugs.h:4,
 from command line:1:
/usr/include/sys/cdefs.h:183:1: this is the location of the previous
definition
make[1]: *** [ll_map.o] Error 1
make[1]: Leaving directory `/work/new/iproute2/lib'
make: *** [all] Error 2

My config is RH9 with gcc-3.2.2-5 and glibc-2.3.2-27.9

Any solutions in this case?

Another thing: I have a squid server setup with equalize load-balancing over
3 internet links and it runs on kernel 2.4.23. I know that for the 2.4.X
kernel I had to apply a patch for equalize to work at packet level and not
at connection level. For kernel 2.6.2 is it included (I don't think so...)
or do I have to get another patch. If so, from where?


Alex Iruc

Administrator Retea
LG-NET
http://www.hostingcenter.ro
Suport Tehnic: [EMAIL PROTECTED]
Marketing:   [EMAIL PROTECTED]





[LARTC] iproute esfq patch krnel 2.6.2

2004-02-08 Thread Alex
Hi,
I just upgraded to kernel 2.6.2 patched with IMQ-NAT patch and ESFQ from Jim
diGriz's QoS Script and now I need to patch iproute for esfq and the latest
HTB patch. I grabbed iproute2-2.4.7-now-ss010824.tar.gz and I applied the
following patches:
iproute2-2.2.4-now-ss001007-esfq.diff and htb3.6_tc.diff

I did set the correct path in Makefile pointing to
/usr/src/linux-2.6.2/include and when I do make I get this:

make[1]: Entering directory `/work/new/iproute2/lib'
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -Werror -g -I../include-glib
c -include
../include-glibc/glibc-bugs.h -I/usr/src/linux-2.6.2/include -I../include -D
RESOLVE_HOSTNAMES   -c -o ll_map.o ll_map.c
In file included from /usr/src/linux-2.6.2/include/linux/compiler.h:16,
 from /usr/src/linux-2.6.2/include/asm/byteorder.h:5,
 from /usr/src/linux-2.6.2/include/linux/in.h:241,
 from ../include-glibc/netinet/in.h:7,
 from ll_map.c:19:
/usr/src/linux-2.6.2/include/linux/compiler-gcc3.h:19:1:
__attribute_used__ redefined
In file included from /usr/include/features.h:291,
 from ../include-glibc/glibc-bugs.h:4,
 from command line:1:
/usr/include/sys/cdefs.h:192:1: this is the location of the previous
definition
In file included from /usr/src/linux-2.6.2/include/linux/compiler.h:16,
 from /usr/src/linux-2.6.2/include/asm/byteorder.h:5,
 from /usr/src/linux-2.6.2/include/linux/in.h:241,
 from ../include-glibc/netinet/in.h:7,
 from ll_map.c:19:
/usr/src/linux-2.6.2/include/linux/compiler-gcc3.h:22:1:
__attribute_pure__ redefined
In file included from /usr/include/features.h:291,
 from ../include-glibc/glibc-bugs.h:4,
 from command line:1:
/usr/include/sys/cdefs.h:183:1: this is the location of the previous
definition
make[1]: *** [ll_map.o] Error 1
make[1]: Leaving directory `/work/new/iproute2/lib'
make: *** [all] Error 2

My config is RH9 with gcc-3.2.2-5 and glibc-2.3.2-27.9

Any solutions in this case?

Another thing: I have a squid server set up with equalize load-balancing over
3 internet links and it runs on kernel 2.4.23. I know that for the 2.4.X
kernel I had to apply a patch for equalize to work at packet level and not
at connection level. For kernel 2.6.2 is it included (I don't think so...)
or do I have to get another patch? If so, from where?


Alex Iruc

Network Administrator
LG-NET
http://www.hostingcenter.ro
Technical Support: [EMAIL PROTECTED]
Marketing:   [EMAIL PROTECTED]





[LARTC] combining filters

2004-02-08 Thread alex
After a few hours of looking, I couldn't find a way to combine (and)
different filters.

Example: I need to police ingress traffic coming from certain source IPs
(which are best expressed with u32 filter) and going to certain routes
(which are best expressed with route filter). 

What I was trying to do (thinking that parent: would only match packets
passed by the previous filter, but I was mistaken):

tc filter add dev eth0.501 parent : prio 1 protocol ip route to 10
classid :10

tc filter add dev eth0.501 parent :10 protocol ip  prio 50 \
u32 match ip src  flowid :20  action 





RE: [LARTC] Paid project/Netfilter target to match queue backlog - Traffic Engineering

2004-02-06 Thread alex
 Isn't the same possible in /lartc.org 12.3.2. Overlimit actions / and
 reclassify option /which I didn't use yet/.
Interesting idea - Let me try if this works first.

 next, you must use IMQ to pass every traffic from eth2, /because as i'm
 thinking there isn't possible to do reclassify packet which is already
 routed to some interface, and next put the same packet over other
 interface based on some policy - PLEASE CORRECT ME!!! /
Only way to find out is to try it, I think.

 I don't know how to put all traffic which is destined for eth0, to some IMQ
 device, next police packets there by reclassify options.
 All the settings must be according to your full bandwidth of eth0, so all
 which is overlimit eth0 speed get reclassify to other TOS.
 After all packets which leaves imq, are routed again by system,
 if you have differented TOS routing, /if your IGP routing domain create
 such Traffic Engineered path/ then packets with such other TOS will get
 outside from eth1.
 
 /this is my theory, to correct or discuss /
 
 This what you are trying to do is somehow Traffic Engineering or
 Constraint Based Routing. I'm very pleased to be in contact with
 somebody who intends to do/or has already done some work with linux in this
 topic.
Correct - that's exactly what I'm trying to do.

 Now i elaborate how to control distribution of MPLS labels which must be
 according to current interface load or even interface load with each QoS
 class /in linux/.
That's slightly above the scope of what I need right now - but it is 
something I will need soon.




[LARTC] Paid project/Netfilter target to match queue backlog

2004-02-05 Thread alex
Hello,

If any of kernel hackers wants to make some money:

For 300$:

What I need is a netfilter match rule that would match on depth of a queue
on a given device. Example:

iptables -t mangle -I PREROUTING -m queue_backlog --device eth0.1
--depth-gt 10 -j chain

If you can complete this in a reasonable time (2-3 days), let me know.

This does not need to be very complicated: The only qdiscs that this needs 
to work with is HTB and pfifo. 

I envision this as adding a function query_backlog to relevant qdiscs, and 
a simple match on dev->qdisc->query_backlog

For someone who has done this before, I'm sure it should take about a day :)

This *must* be optimized (i.e. pointer to device struct must be cached,
number of packets in backlog must be cached or otherwise computed at O(1) 
time).

To those wondering why in the world would someone want to do that:

Consider a router connected to many uplinks (possibly of varying speeds).  
Due to political reasons (example, one link being paid for
completely, others being pay per use), I only want to send packets over
the other link when the first link is full. Backlog length provides the
best measure of the fullness of a given device.

Now (use of 'recent' match necessary because TCP really dislikes 
multipath within a given session):

-A PREROUTING -m recent --rdest -j MARK --seconds 60 --set-mark 1
-A PREROUTING -m queue_backlog --device eth0.1 --depth-gt 10  -j OVERFLOW
-A OVERFLOW -j MARK --set-mark 1
-A OVERFLOW -m recent --rdest --set -j ACCEPT 

...ip rule add fwmark 1 table 2

Yes, I know it's somewhat fugly (essentially, I'm doing RPDB as netfilter
rules), but it seems the simplest and most flexible to me. 









[LARTC] HTB individual classes ?

2003-12-17 Thread Alex

Hello,

I have about 180 clients that share a single line to the net. I have a
couple of them that need only 32kbit, others 64kbit and some 128kbit.
The ISP gives more bandwidth locally in the metropolitan area than I have on
the external connections (outside my area). I have set up an HTB root class
and 2 child classes in which I put packets based on iptables marking of
local addresses.
Now, I was wondering what would give better results: to have each client
with its own class under each of the two child classes, or to have classes
for each type of client, with each one of the classes containing u32
filters for each client IP?
What is the better approach?
1=root class; 2=class with metropolitan bandwidth; 3=class with the rate of
internet speed;
4,5,6,7,8,9 -- is it better for these classes to be each one of them for a single
client or for a type of clients, and to put filters for each client of speed
x in class 4, for each client of speed y in class 5, and so on..


        1
       / \
      2   3
    / | \ / | \
   4  5  6 7  8  9

Thanks!

Alex




[LARTC] tcng ingress examples

2003-11-26 Thread Alex Ongena
Hi,

I'm looking for tcng examples where ingress is used.
Please post me some (working) examples, no need for explanation.

Thank you
Alex



[LARTC] Can't use fwmark filters

2003-10-26 Thread Alex
Hello,

I'm facing an issue that I have reported on Debian's BTS as a bug against
the iproute package. Prior to this I have been looking around trying to find
out what could be wrong but had no success getting it to work.

Below is what I've reported on Debian's BTS as
http://bugs.debian.org/215629

Here goes the story, thanks for any tip on the subject.

Alex



I would like to add a fwmark filter to the original HTB based
LARTC WonderShaper script (http://lartc.org/wondershaper/).

I am using a self compiled kernel from latest sarge
kernel-source-2.4.22 and based on kernel-image-2.4.22-k7 provided config
file.

The idea is to add a single additional fwmark filter:

tc filter add dev ppp0 parent 1: protocol ip prio 10 handle 1 fw classid 1:30

When adding this line I get the following error message:

RTNETLINK answers: Invalid argument

If I modify the WonderShaper script and remove all tc filter lines but the
fwmark filter one I get no such error.
The filter seems to get declared just fine.

From here I can start uncommenting some of the tc filter lines
provided in WonderShaper without getting any error.
At some point when having enabled again 4 or 5 tc filter original
lines the reported error strikes again.

I have tried simplifying the script to something like this:

tc qdisc add dev ppp0 root handle 1: htb default 60

tc class add dev ppp0 parent 1: classid 1:1 htb rate 450kbit
tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 450kbit
tc class add dev ppp0 parent 1:1 classid 1:60 htb rate 450kbit

tc qdisc add dev ppp0 parent 1:10 handle 10: sfq
tc qdisc add dev ppp0 parent 1:60 handle 60: sfq

tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 6 fw classid 1:60

Which works fine.

Adding this single line triggers the error again:

tc filter add dev ppp0 parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:10

--- RTNETLINK answers: Invalid argument


I am stuck here... I haven't been able to find anything related to
this on the net and I hope not to be misusing 'tc'.

Thank you.


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux routeur 2.4.22-routeur3 #1 Sat Oct 11 11:40:45 CEST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages iproute depends on:
ii  libc6 2.3.2-7GNU C Library: Shared
libraries an



[LARTC] What's wrong here? HELP PLEASE!!!!

2003-10-07 Thread Alex
(this is a repost, nobody said anything about this so maybe it did not go
through the list)
I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I did patch tc with
the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb script
I get just errors. I did not patch the kernel, since I use kernel 2.4.22 and
I saw on - HTB Homepage that I need to patch it only if I run version 2.4.20
or earlier. Do I also need the kernel patch ? Or maybe is something else
wrong? (I also used the precompiled tc but the situation is the same)

Errors:
---
RTNETLINK answers: No such file or directory
Deleted old root disk on eth1
Unknown filter flowid, hence option 1:10 is unparsable
Unknown filter flowid, hence option 1:2 is unparsable
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
.etc (same error over and over...)

Part of my script (the full script is accessible on
http://retea.hostingcenter.ro/htb.txt   ..is too long to post here) :
---
/sbin/tc qdisc add dev eth1 root handle 1: htb default 10
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 10mbit

/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 5mbit
/sbin/tc filter add dev eth1 protocol ip parent 1:10 prio 5 handle 6 flowid 1:10

/sbin/tc class add dev eth1 parent 1:1 classid 1:2 htb rate 5mbit
/sbin/tc filter add dev eth1 protocol ip parent 1:10 prio 5 handle 5 flowid 1:2


/sbin/tc class add dev eth1 parent 1:10 classid 4:11 htb rate 128kbit ceil 256kbit prio 5
/sbin/tc filter add dev eth1 parent 1:10 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 4:11

/sbin/tc class add dev eth1 parent 1:10 classid 4:12 htb rate 128kbit ceil 256kbit prio 5
/sbin/tc filter add dev eth1 parent 1:10 protocol ip prio 5 u32 match ip dst 192.168.254.11 flowid 4:12

etc (full script at http://retea.hostingcenter.ro/htb.txt)

Thanks!

Alex




Re: [LARTC] htb errors, wrong patch?

2003-10-04 Thread Alex
I have everything cbq/htb and all the QoS stuff compiled directly in the
kernel, not as a module. The script is at
http://retea.hostingcenter.ro/htb.txt since it is about 46k and is too big to
post here.

Thanks.

Alex
- Original Message - 
From: Stef Coene [EMAIL PROTECTED]
To: Alex [EMAIL PROTECTED]; Lartc [EMAIL PROTECTED]
Sent: Saturday, October 04, 2003 12:41 PM
Subject: Re: [LARTC] htb errors, wrong patch?


 On Saturday 04 October 2003 02:52, Alex wrote:
  I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I did patch tc with
  the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb
  script I get just errors. I did not patch the kernel, since I use kernel
  2.4.21 and I saw on - HTB Homepage that I need to patch it only if I run
  version 2.4.20 or earlier. Do I also need the kernel patch ? Or maybe is
  something else wrong?
 
  RTNETLINK answers: No such file or directory
  Deleted old root disk on eth0
  Unknown filter flowid, hence option 1:10 is unparsable
  Unknown filter flowid, hence option 1:2 is unparsable
  RTNETLINK answers: Invalid argument
  RTNETLINK answers: Invalid argument
  RTNETLINK answers: Invalid argument
  RTNETLINK answers: Invalid argument
 Can you post us your commands and do you have the htb qdisc enabled in
your
 kernel config?

 Stef

 -- 
 [EMAIL PROTECTED]
  Using Linux as bandwidth manager
  http://www.docum.org/
  #lartc @ irc.openprojects.net






[LARTC] htb errors, wrong patch?

2003-10-03 Thread Alex
I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I did patch tc with
the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb script
I get just errors. I did not patch the kernel, since I use kernel 2.4.21 and
I saw on - HTB Homepage that I need to patch it only if I run version 2.4.20
or earlier. Do I also need the kernel patch ? Or maybe is something else
wrong?

RTNETLINK answers: No such file or directory
Deleted old root disk on eth0
Unknown filter flowid, hence option 1:10 is unparsable
Unknown filter flowid, hence option 1:2 is unparsable
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument

Thanks!

Alex




Re: [LARTC] Re: HTB and metro+int. limits

2003-10-01 Thread Alex
I'm sorry, but I'm still confused about assigning separate limits for metro
and international traffic.
After I mark metro traffic with --set-mark 6 and int. traffic
with --set-mark 5 what's the next step?
Can someone give me an example? It seems that my approach is somehow wrong
after marking of the packets.

Thanks again.

Alex
- Original Message - 
From: Stef Coene [EMAIL PROTECTED]
To: Alex [EMAIL PROTECTED]; Lartc [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 12:59 PM
Subject: Re: [LARTC] Re: HTB and metro+int. limits


 On Tuesday 30 September 2003 21:27, Alex wrote:
  Thanks for your reply, it really helps, but to take the question further,
  from what you have seen in my sample script, how should I classify packets
  with tc ? I don't know how to put them in separate classes. What I have
  in my script will only shape metro traffic, but for international how would
  the tc command be?
  Something like:
  /sbin/tc class add dev eth2 parent 1:2 classid 2:11 htb rate 50kbit ceil 100kbit prio 5
  /sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 1:11
  Would these be the correct commands?
 No.  You create a class with a wrong number.  If the parent class is 1:x, the
 class name has to be 1:y.

  Thanks again.
 
  Alex
  ---begin my script
  sbin/tc qdisc add dev eth2 root handle 1: htb default 10
  /sbin/tc class add dev eth2 parent 1: classid 1:1 htb rate 10M
  #metro
  /sbin/tc class add dev eth2 parent 1:1 classid 1:10 htb rate 10M
  /sbin/tc filter add dev eth2 protocol ip parent 1:10 prio 3 handle 6 flowid 1:10
 This filter will not do much (typo?).  You attach it to class 1:10 (the parent
 parameter).  This should be 1: so all packets leaving eth2 will be checked
 against this filter.
 And is 10M working?  Normally 10mbit is used.

 Stef

 -- 
 [EMAIL PROTECTED]
  Using Linux as bandwidth manager
  http://www.docum.org/
  #lartc @ irc.openprojects.net



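The tc mistakes Stef points at in this thread (a classid whose major differs from its parent's, a filter attached to class 1:10 instead of the root so it never sees the packets it should steer, a rate written as 10M) and the two errors from the earlier posts ("Unknown filter flowid, hence option 1:10 is unparsable" when the fw/u32 keyword is missing before flowid, and "RTNETLINK answers: Invalid argument" when a u32 filter is added at a prio that already holds fw filters on the same parent and protocol: the kernel keeps one filter kind per parent/prio/protocol chain) can all be caught by reading the script before handing it to the kernel. The checker below is an added example, not the list's or iproute2's own code. It parses the command text only; its filter-kind and rate-suffix lists are its own simplification (an assumption, not iproute2's full tables), and the two sample scripts are constructed from the commands posted in these threads with the mail wrapping undone.

```python
"""Static checks for tc(8) HTB scripts.  Added example, not the list's or
iproute2's own code: it inspects the command text only, nothing reaches the
kernel.  Filter kinds and rate suffixes are this example's own short lists."""
import re
import shlex

# A filter needs one of these before its flowid, else tc reports "Unknown filter flowid".
FILTER_KINDS = {"u32", "fw", "route", "rsvp", "tcindex", "basic", "flow"}
KEYWORDS = {"dev", "parent", "classid", "handle", "flowid", "prio",
            "protocol", "rate", "ceil", "default"}
RATE_RE = re.compile(r"^\d+(\.\d+)?(bit|kbit|mbit|gbit|bps|kbps|mbps|gbps)?$", re.I)


def parse_handle(text):
    """'1:' -> (1, 0), '1:10' -> (1, 0x10): tc handles are hexadecimal."""
    major, _, minor = text.partition(":")
    return int(major or "0", 16), int(minor or "0", 16)


def parse_tc(line):
    """Keywords of one 'tc {qdisc,class,filter} add ...' line, or None."""
    words = shlex.split(line, comments=True)
    if (len(words) < 3 or not words[0].endswith("tc")
            or words[1] not in ("qdisc", "class", "filter") or words[2] != "add"):
        return None
    cmd, rest, i = {"obj": words[1], "kind": None}, words[3:], 0
    while i < len(rest):
        if rest[i] in KEYWORDS and i + 1 < len(rest):
            cmd[rest[i]] = rest[i + 1]
            i += 2
        else:                      # 'match ip dst ...' and similar are skipped
            if rest[i] in FILTER_KINDS:
                cmd["kind"] = rest[i]
            i += 1
    return cmd


def is_descendant(dev, node, anc, parent_of):
    """True if class `node` lies below `anc`; minor 0 means the root qdisc."""
    if anc[1] == 0:
        return node[0] == anc[0]
    cur = node
    for _ in range(len(parent_of) + 1):        # bounded walk up the class tree
        if (dev,) + cur not in parent_of:
            return False
        cur = parent_of[(dev,) + cur]
        if cur == anc:
            return True
    return False


def lint(script):
    """Return [(line_no, message), ...] for every problem found in `script`."""
    problems, parent_of, chains = [], {}, {}
    for no, line in enumerate(script.splitlines(), 1):
        cmd = parse_tc(line)
        if cmd is None:
            continue
        dev = cmd.get("dev", "?")
        for key in ("rate", "ceil"):
            if key in cmd and not RATE_RE.match(cmd[key]):
                problems.append((no, f"{key} {cmd[key]!r} is not a rate tc accepts; use e.g. 10mbit"))
        if cmd["obj"] == "class":
            pmaj, pmin = parse_handle(cmd.get("parent", "0:"))
            cmaj, cmin = parse_handle(cmd.get("classid", "0:"))
            if cmaj != pmaj:
                problems.append((no, f"classid {cmd.get('classid')} under parent {cmd.get('parent')}: the major must be {pmaj:x}"))
            parent_of[(dev, cmaj, cmin)] = (pmaj, pmin)   # remember the class tree
        elif cmd["obj"] == "filter":
            if cmd["kind"] is None:
                problems.append((no, "no filter kind (fw, u32, ...) given: tc reports 'Unknown filter flowid'"))
            chain = (dev, cmd.get("parent"), cmd.get("prio"), cmd.get("protocol"))
            if chain in chains and chains[chain] != cmd["kind"]:
                problems.append((no, f"prio {chain[2]} under parent {chain[1]} already holds {chains[chain]} filters; "
                                     "mixing kinds in one prio gives 'RTNETLINK answers: Invalid argument'"))
            chains.setdefault(chain, cmd["kind"])
            target = cmd.get("flowid") or cmd.get("classid")   # classid is a synonym in filters
            if target and "parent" in cmd:
                parent = parse_handle(cmd["parent"])
                if not is_descendant(dev, parse_handle(target), parent, parent_of):
                    problems.append((no, f"flowid {target} is not below filter parent {cmd['parent']}: "
                                         f"attach the filter to the root ({parent[0]:x}:) instead"))
    return problems


# Constructed from the commands posted in these threads, one command per line.
BAD_SCRIPT = """\
/sbin/tc qdisc add dev eth2 root handle 1: htb default 10
/sbin/tc class add dev eth2 parent 1: classid 1:1 htb rate 10M
/sbin/tc class add dev eth2 parent 1:1 classid 1:10 htb rate 10mbit
/sbin/tc filter add dev eth2 protocol ip parent 1:10 prio 3 handle 6 flowid 1:10
/sbin/tc class add dev eth2 parent 1:2 classid 2:11 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
/sbin/tc filter add dev eth2 parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:10
"""
GOOD_SCRIPT = """\
/sbin/tc qdisc add dev eth2 root handle 1: htb default 10
/sbin/tc class add dev eth2 parent 1: classid 1:1 htb rate 10mbit
/sbin/tc class add dev eth2 parent 1:1 classid 1:10 htb rate 10mbit
/sbin/tc class add dev eth2 parent 1:1 classid 1:2 htb rate 10mbit
/sbin/tc class add dev eth2 parent 1:2 classid 1:11 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1: protocol ip prio 1 handle 6 fw flowid 1:10
/sbin/tc filter add dev eth2 parent 1: protocol ip prio 1 handle 5 fw flowid 1:2
/sbin/tc filter add dev eth2 parent 1:2 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 1:11
"""
```

Running `lint(BAD_SCRIPT)` reports the 10M rate, the missing filter kind and the self-referencing flowid on the 1:10 filter, the 2:11 class under a 1: parent, and the u32/fw mix at prio 1; `lint(GOOD_SCRIPT)` is empty. The "flowid below the filter's parent" rule mirrors how HTB classifies: the root's filters pick a class, and a class's own filters are consulted only for packets already steered into it, so a filter on 1:10 can only move traffic to 1:10's descendants, which is why Stef says the parent should be 1:.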


Re: [LARTC] Re: HTB and metro+int. limits part2

2003-10-01 Thread Alex
I forgot to say that I have put my script on
http://retea.hostingcenter.ro/htb.txt
Maybe someone could lead me to the correct syntax if there's something
wrong.

Alex
- Original Message - 
From: Stef Coene [EMAIL PROTECTED]
To: Alex [EMAIL PROTECTED]; Lartc [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 12:59 PM
Subject: Re: [LARTC] Re: HTB and metro+int. limits


 On Tuesday 30 September 2003 21:27, Alex wrote:
  Thanks for your reply, it really helps, but to take the question further,
  from what you have seen in my sample script, how should I classify packets
  with tc ? I don't know how to put them in separate classes. What I have
  in my script will only shape metro traffic, but for international how would
  the tc command be?
  Something like:
  /sbin/tc class add dev eth2 parent 1:2 classid 2:11 htb rate 50kbit ceil 100kbit prio 5
  /sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 1:11
  Would these be the correct commands?
 No.  You create a class with a wrong number.  If the parent class is 1:x, the
 class name has to be 1:y.

  Thanks again.
 
  Alex
  ---begin my script
  sbin/tc qdisc add dev eth2 root handle 1: htb default 10
  /sbin/tc class add dev eth2 parent 1: classid 1:1 htb rate 10M
  #metro
  /sbin/tc class add dev eth2 parent 1:1 classid 1:10 htb rate 10M
  /sbin/tc filter add dev eth2 protocol ip parent 1:10 prio 3 handle 6 flowid 1:10
 This filter will not do much (typo?).  You attach it to class 1:10 (the parent
 parameter).  This should be 1: so all packets leaving eth2 will be checked
 against this filter.
 And is 10M working?  Normally 10mbit is used.

 Stef

 -- 
 [EMAIL PROTECTED]
  Using Linux as bandwidth manager
  http://www.docum.org/
  #lartc @ irc.openprojects.net





[LARTC] HTB and metro+int. limits

2003-09-30 Thread Alex
Hello,
I need to setup HTB to limit the bandwidth, but I need to have 2 types of
limits, because my ISP gives me more bandwidth for sites located in my
country, than others located outside. I have setup the following script in
which I mark packets with mark 6 for the ip classes for the sites in my
country. What I don't know is how to continue the script with assigning
lower limits to everything else not going from ip's in --set-mark 6.
Maybe some of you can enlighten me about this.
Thanks,

Alex

#!/bin/sh
#Mark metro packets
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.154.152.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.154.119.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.154.117.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.154.118.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.154.116.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.154.126.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.157.176.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.157.117.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.157.126.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 80.97.173.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 82.137.58.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 82.137.56.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 81.196.96.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 81.196.97.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 62.231.74.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 213.157.176.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 192.226.30.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 193.231.7.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 192.129.4.0/24 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 193.231.15.0/24 -j MARK --set-mark 6
#end metro
#
#2. Anything else
/sbin/iptables -t mangle -A PREROUTING -i eth2 -d 0/0 -j MARK --set-mark 5
/sbin/tc qdisc del dev eth2 root
echo Deleted old root disk on eth2

/sbin/tc qdisc add dev eth2 root handle 1: htb default 10
/sbin/tc class add dev eth2 parent 1: classid 1:1 htb rate 10M
#metro
/sbin/tc class add dev eth2 parent 1:1 classid 1:10 htb rate 10M
/sbin/tc filter add dev eth2 protocol ip parent 1:10 prio 3 handle 6 flowid 1:10
#international
/sbin/tc class add dev eth2 parent 1:1 classid 1:2 htb rate 10M
/sbin/tc filter add dev eth2 protocol ip parent 1:10 prio 3 handle 5 flowid 1:2

/sbin/tc class add dev eth2 parent 1:1 classid 1:11 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 1:11

/sbin/tc class add dev eth2 parent 1:1 classid 1:12 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.11 flowid 1:12

/sbin/tc class add dev eth2 parent 1:1 classid 1:13 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.12 flowid 1:13

/sbin/tc class add dev eth2 parent 1:1 classid 1:14 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.13 flowid 1:14
 etc




[LARTC] Re: HTB and metro+int. limits

2003-09-30 Thread Alex
Thanks for your reply, it really helps, but to take the question further,
from what you have seen in my sample script, how should I classify packets
with tc ? I don't know how to put them in separate classes. What I have
in my script will only shape metro traffic, but for international how would
the tc command be?
Something like:
/sbin/tc class add dev eth2 parent 1:2 classid 2:11 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 1:11
Would these be the correct commands?

Thanks again.

Alex
---begin my script
sbin/tc qdisc add dev eth2 root handle 1: htb default 10
/sbin/tc class add dev eth2 parent 1: classid 1:1 htb rate 10M
#metro
/sbin/tc class add dev eth2 parent 1:1 classid 1:10 htb rate 10M
/sbin/tc filter add dev eth2 protocol ip parent 1:10 prio 3 handle 6 flowid 1:10
#international
/sbin/tc class add dev eth2 parent 1:1 classid 1:2 htb rate 10M
/sbin/tc filter add dev eth2 protocol ip parent 1:10 prio 3 handle 5 flowid 1:2

/sbin/tc class add dev eth2 parent 1:1 classid 1:11 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 1:11

/sbin/tc class add dev eth2 parent 1:1 classid 1:12 htb rate 50kbit ceil 100kbit prio 5
/sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.11 flowid 1:12
etc
--end--
- Original Message - 
From: [EMAIL PROTECTED]
To: Alex [EMAIL PROTECTED]
Sent: Tuesday, September 30, 2003 9:07 PM
Subject: Re: HTB and metro+int. limits


 Alex

 Alex writes:

  Hello,
  I need to setup HTB to limit the bandwidth, but I need to have 2 types of
  limits, because my ISP gives me more bandwidth for sites located in my
  country, than others located outside. I have setup the following script in
  which I mark packets with mark 6 for the ip classes for the sites in my
  country. What I don't know is how to continue the script with assigning
  lower limits to everything else not going from ip's in --set-mark 6.
  Maybe some of you can enlighten me about this.
  Thanks,
 
  Alex
 
 snip
 ..
  /sbin/iptables -t mangle -A PREROUTING -i eth2 -d 193.231.15.0/24 -j
  MARK --set-mark 6
  #end metro
  #
  #2. Anything else
  /sbin/iptables -t mangle -A PREROUTING -i eth2 -d 0/0 -j MARK --set-mark 5

 /snip

 This will not differentiate your traffic.  Everything -i eth2 will end up
 marked '5' because iptables will evaluate against every rule in order,
 eventually marking them '5' whether they have previously been marked '6' or
 not.

 You need to create a new table with two commands for each address range.
 ie:

 /sbin/iptables -t mangle -N MYMARKER
 /sbin/iptables -t mangle -A PREROUTING -i eth2 -j MYMARKER

 # and ...
 /sbin/iptables -t mangle -A MYMARKER -d 193.231.15.0/24 -j MARK --set-mark 6
 /sbin/iptables -t mangle -A MYMARKER -d 193.231.15.0/24 -j RETURN
 # for each metro range, and finally 
 /sbin/iptables -t mangle -A MYMARKER -j MARK --set-mark 5
 /sbin/iptables -t mangle -A MYMARKER -j RETURN

 The separate table and the 'RETURN' statements give you the short-circuit
 evaluation you require.

 BTW: You might be able to consolidate your metro class-C's into fewer
 (larger) CIDR ranges to speed evaluation. ( Your upstream provider has
 likely been allocated them in this manner )

 mulc



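mulc's point above, as an added example that is not part of the original thread: MARK is a non-terminating target, so a packet keeps walking the PREROUTING rules after being marked 6 and the final unconditional rule overwrites it with 5; a user chain whose MARK for each range is followed by a RETURN stops the walk at the first hit. The rule evaluator below is a deliberately small model of mangle-table semantics written for this example (MARK continues, RETURN leaves the current chain, a user chain that runs off its end returns to the caller as well), the metro list is a constructed subset of the ranges in Alex's script (including its duplicate and its four adjacent /24s), and the consolidation step is mulc's BTW about merging class-Cs, done with the standard library's ipaddress module.

```python
"""Flat MARK rules versus a MARK+RETURN user chain, modelled in Python.
Added example, not the list's own code.  Only the netfilter semantics the
thread relies on are modelled: MARK is non-terminating, RETURN ends the
current chain, and falling off the end of a user chain also returns."""
import ipaddress

# Constructed subset of the metro ranges from the original script.
METRO = ["213.154.152.0/24", "213.154.119.0/24", "213.154.117.0/24",
         "213.154.118.0/24", "213.154.116.0/24", "213.157.176.0/24",
         "213.157.176.0/24", "81.196.96.0/24", "81.196.97.0/24"]
METRO_MARK, OTHER_MARK = 6, 5


def flat_rules(metro):
    """Original layout: MARK 6 per metro range, then an unconditional MARK 5."""
    rules = [(net, ("MARK", METRO_MARK)) for net in metro]
    rules.append(("0.0.0.0/0", ("MARK", OTHER_MARK)))
    return {"PREROUTING": rules}


def chained_rules(metro):
    """mulc's layout: jump to MYMARKER, which marks and RETURNs per range."""
    marker = []
    for net in metro:
        marker += [(net, ("MARK", METRO_MARK)), (net, ("RETURN",))]
    marker += [(None, ("MARK", OTHER_MARK)), (None, ("RETURN",))]
    return {"PREROUTING": [(None, ("JUMP", "MYMARKER"))], "MYMARKER": marker}


def evaluate(chains, chain, dst, mark=0):
    """Walk `chain` for a packet to `dst` and return the mark it ends up with."""
    if isinstance(dst, str):
        dst = ipaddress.ip_address(dst)
    for net, target in chains[chain]:
        if net is not None and dst not in ipaddress.ip_network(net):
            continue                    # rule does not match this packet
        if target[0] == "MARK":
            mark = target[1]            # non-terminating: keep walking
        elif target[0] == "RETURN":
            return mark                 # leave this chain now
        elif target[0] == "JUMP":
            mark = evaluate(chains, target[1], dst, mark)
    return mark                         # fell off the end of the chain


def consolidate(metro):
    """Merge duplicate and adjacent ranges (mulc's BTW) so the chain stays short."""
    nets = (ipaddress.ip_network(net) for net in metro)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def as_iptables(metro, ifname="eth2"):
    """The iptables commands for the chained layout, on the consolidated ranges."""
    cmds = ["iptables -t mangle -N MYMARKER",
            f"iptables -t mangle -A PREROUTING -i {ifname} -j MYMARKER"]
    for net in consolidate(metro):
        cmds.append(f"iptables -t mangle -A MYMARKER -d {net} -j MARK --set-mark {METRO_MARK}")
        cmds.append(f"iptables -t mangle -A MYMARKER -d {net} -j RETURN")
    cmds.append(f"iptables -t mangle -A MYMARKER -j MARK --set-mark {OTHER_MARK}")
    cmds.append("iptables -t mangle -A MYMARKER -j RETURN")
    return cmds


if __name__ == "__main__":
    for dst in ("213.154.152.7", "8.8.8.8"):
        print(dst, "flat:", evaluate(flat_rules(METRO), "PREROUTING", dst),
              "chained:", evaluate(chained_rules(METRO), "PREROUTING", dst))
    print("\n".join(as_iptables(METRO)))
```

A metro destination such as 213.154.152.7 comes out of the flat layout marked 5 and out of the chained layout marked 6, while a non-metro destination is 5 in both; the nine constructed /24s collapse to four entries (81.196.96.0/23, 213.154.116.0/22, 213.154.152.0/24, 213.157.176.0/24), so the generated chain is 8 rules plus the catch-all instead of 18.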


[LARTC] multiple uplink which patch?

2003-09-09 Thread Alex
Do I need any patches for setting up load balancing between 2 uplinks? I
don't need NAT, I just have a squid proxy server and on the same linux rh9
computer I have 2 uplinks (adsl+cable modem) and all I want is squid to use
load balancing on these links.
I have kernel 2.4.21 now and I have done the setup for load balancing, even
put the equalize switch in the command to add the default route, and it works
and sometimes does not; routes stay in cache and if I try www.google.com 2
or 3 times I see that it goes out on the same interface as the first time.
If I try more addresses, eventually some will go out on the second interface
but it seems to me that the equalize flag doesn't work if it does this, right?

Or maybe I need a patch or something for squid? Or maybe I need to
enable/disable some specific config option in squid.conf ? (I didn't enable
tcp_outgoing_address in squid conf so it's free to go out on any interface)

I don't need connection based balancing (one address going through eth1
and another through eth2), but packet balancing.. first packet through eth1,
second through eth2... that's why I have the equalize flag set)

Maybe I'm missing something...

Thanks for help.

Alex

btw, on lartc.org in the howto at split access section there is a mention
about

Reader Rod Roark notes: 'If $P0_NET is the local network and $IF0 is its
interface, the following additional entries are desirable:

ip route add $P0_NET dev $IF0 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo   table T1
ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo   table T2

Do I need these entries if I don't use NAT ?




Re: [LARTC] where is equalize kernel patch?

2003-09-06 Thread Alex
Does this patch work on kernel 2.4.21 or 2.4.22? (I'm currently using 2.4.21
and planning to switch to 2.4.22 in the near future)

Thanks.

Alex

- Original Message - 
From: Martin A. Brown [EMAIL PROTECTED]
To: Jihoon Chung [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, September 05, 2003 6:07 PM
Subject: Re: [LARTC] where is equalize kernel patch?


 Jihoon,

 [ snip ]

  : Now, where can I find
  : this patch ?
  : (I'm using kernel 2.4.21)

 I believe this is one of Patrick McHardy's patches:

   http://trash.net/~kaber/

 -Martin

 -- 
 Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]






[LARTC] Equalize patch on kernel newer than 2.4.18????

2003-09-06 Thread Alex
Does this patch work on kernel 2.4.21 or 2.4.22? (I'm currently using 2.4.21
and planning to switch to 2.4.22 in the near future)

Thanks.

Alex

- Original Message - 
From: Martin A. Brown [EMAIL PROTECTED]
To: Jihoon Chung [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, September 05, 2003 6:07 PM
Subject: Re: [LARTC] where is equalize kernel patch?


 Jihoon,
 
 [ snip ]
 
  : Now, where can I find
  : this patch ?
  : (I'm using kernel 2.4.21)
 
 I believe this is one of Patrick McHardy's patches:
 
   http://trash.net/~kaber/
 
 -Martin
 
 -- 
 Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
 
 



[LARTC] split access 2 uplinks

2003-08-29 Thread Alex
I have setup split access with load balancing on a router that runs squid
but it appears that the second line is almost empty, the router sends packets
through the second line only from time to time, very rarely, and the mrtg
graphs only show something like 10-16kbit used on that line and instead the
primary line is full all the time. I have setup this only for squid, I don't
do any masquerading for the local net, just web access via squid proxy server.
What's the remedy for this situation? Why does this happen? If that's all I
can do then I have no use for such a setup, it doesn't help me at all.

Thanks,
Alex

Here is the script that I use:  (192.168.55.1 is another router which actually
has the second line connected physically and on that router I do SNAT for the
squid machine)

IF0=eth1
IF1=eth2
IF2=eth0
IP0=192.168.254.125
IP1=1.2.3.4
IP2=192.168.55.2
P1=1.2.3.1
P2=192.168.55.1
P0_NET=192.168.254.0/24
P1_NET=1.2.3.0/26
P2_NET=192.168.55.0/24
#
ip route add 1.2.3.0/26 dev eth2 src 81.196.96.11 table T1
ip route add default via 1.2.3.1 table T1
ip route add 192.168.55.0/24 dev eth0 src 192.168.55.2 table T2
ip route add default via 192.168.55.1 table T2
#
ip route add 1.2.3.0/26 dev eth2 src 1.2.3.4
ip route add 192.168.55.0/24 dev eth0 src 192.168.55.2

ip rule add from 81.196.96.11 table T1
ip rule add from 192.168.55.2 table T2

##ip route add $P0_NET dev $IF0 table T1
ip route add 192.168.55.0/24 dev eth0 table T1
##ip route add 127.0.0.0/8 dev lo   table T1
##ip route add $P0_NET dev $IF0 table T2
ip route add 1.2.3.0/26 dev eth2 table T2
##ip route add 127.0.0.0/8 dev lo   table T2
#
ip route del default
ip route flush cache
ip route add default scope global nexthop via 1.2.3.1 dev eth2 weight 1 nexthop via 192.168.55.1 dev eth0 weight 1




[LARTC] Monitoring traffic

2003-08-27 Thread Alex
Does anybody know a good ip traffic monitoring software that has multiuser
capability?
I need some type of software with an interface on which users can login with
their user/pass and see how much traffic (how many megabytes) they consumed
over a certain period of time. Speed graphs are NOT a must, just something
to show them how much traffic they did.
I'm currently using net-acct mysql but with little success because on RH9
the netacctd daemon dies unexpectedly sometimes without any error.

Thanks!

Alex




Re: [LARTC] Monitoring traffic

2003-08-27 Thread Alex
This approach is not good for me because I currently have 90 clients to count
traffic for and I expect another 50 in the next month, maybe more. I have
used this script that you say, but it would be a pain to implement that for
so many clients and it would also put a good amount of load on the machine
running this setup. So I need something else... this works, but I should
create specific mrtg.cfg files for each client (I don't think I can specify
htmldir and such... for every entry in mrtg.cfg) and this is another issue
besides the most important one, THE LOAD!

Thanks anyway. But maybe some of you know any better solutions?

Alex

- Original Message - 
From: Gabriel Lorenzo [EMAIL PROTECTED]
To: Alex [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 12:32 AM
Subject: Re: [LARTC] Monitoring traffic


 Here is my tip.

 Install MRTG (www.mrtg.org) into your Server/Gateway. If it is e.g. a Cisco
 router where the customers are attached, install a computer with Linux with
 mrtg and query the Cisco router with mrtg on each interface where you have
 customers attached; otherwise do it on your Gateway and query your interfaces.
 While Mrtg creates automatically HTML pages with the results of daily,
 weekly, monthly and yearly traffic statistics, you need also to run a script
 written by Joseph Wendel called Mrtg Totalizer, very cool!, which counts the
 packets in/out collected by Mrtg. So you have both the total packets consumed
 by your customers and the average statistics graphs.
 The next thing is to create individual html sites for each customer with
 .htaccess password restrictions, maybe using virtual domains for every
 customer to have them separated.

 I hope this helps.

 If you need some more advice send me a mail

 Regards Osgaldo.



 - Original Message -
 From: Alex [EMAIL PROTECTED]
 To: LARTC [EMAIL PROTECTED]
 Sent: Tuesday, August 26, 2003 10:55 PM
 Subject: [LARTC] Monitoring traffic


  Does anybody know a good ip traffic monitoring software that has
  multiuser capability?
  I need some type of software with an interface on which users can login
  with their user/pass and see how much traffic (how many megabytes) they
  consumed over a certain period of time. Speed graphs are NOT a must, just
  something to show them how much traffic they did.
  I'm currently using net-acct mysql but with little success because on
  RH9 the netacctd daemon dies unexpectedly sometimes without any error.
 
  Thanks!
 
  Alex
 
 


[LARTC] Routing question

2003-06-06 Thread Alex Schaft
Hi,

I was wondering if somebody could assist me with the following:

I have a lan with a mail server, a fixed outside ip address leased line 
router at 10.1.1.1, and a dynamic outside ip address adsl router at 10.1.1.5

Our linux mail server always used to have the leased line router at
10.1.1.1, but now with our adsl, I'd like traffic to go across 10.1.1.5.
I thought it would be straightforward to just change the default
gateway from 10.1.1.1 to 10.1.1.5, but this resulted in any traffic
coming in via 10.1.1.1 being ignored. I've been told it is because the
replies go out over 10.1.1.5.

I've looked over the adv routing howto, but can't see how I would 
implement it according to section 4.2.1,  as I won't always know our ip 
address for the adsl connection.

Could someone point me in the right direction?

Thanks,
Alex


[LARTC] tc usage

2003-06-03 Thread Alex Zeffertt
Dear List,

I am a tc newbie, and I've been working through the LARTC HOWTO to try
to understand how qdiscs, classes, and filters fit together.

I was confused by the example in section 9.5.5.1 (see excerpt below).  I
thought that classes could only be attached to (classful) qdiscs.  In the
example, however, classes are being attached to other classes.  Can anybody
explain to me how this works?

Sorry if this is a silly question.

Thanks,

Alex

---- snip ----

9.5.5.1. Sample configuration

Functionally almost identical to the CBQ sample configuration above:

# tc qdisc add dev eth0 root handle 1: htb default 30

# tc class add dev eth0 parent 1: classid 1:1 htb rate 6mbit burst 15k

# tc class add dev eth0 parent 1:1 classid 1:10 htb rate 5mbit burst 15k
# tc class add dev eth0 parent 1:1 classid 1:20 htb rate 3mbit ceil 6mbit burst 15k
# tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 6mbit burst 15k

   The author then recommends SFQ for beneath these classes:
# tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
# tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
# tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10

   Add the filters which direct traffic to the right classes:
# U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
# $U32 match ip dport 80 0xffff flowid 1:10
# $U32 match ip sport 25 0xffff flowid 1:20

---- /snip ----
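
The class tree in the quoted excerpt, as an added example that is neither the HOWTO's nor the poster's code: in HTB a class can itself be the parent of further classes (1:10, 1:20 and 1:30 hang under 1:1, which hangs under the root qdisc 1:), and only the leaf classes carry a qdisc such as the sfq ones. The shell function below reads `tc class show dev eth0` output and prints that nesting; the sample output is constructed to match the excerpt rather than captured from a machine.

```shell
#!/bin/sh
# Added example (not HOWTO or poster code): print the HTB class hierarchy
# from "tc class show dev <dev>" output read on stdin, one class per line,
# children indented under their parent, leaf qdisc handle noted.

htb_tree() {
    awk '
    $1 == "class" && $2 == "htb" {
        id = $3; parent[id] = ""; order[++n] = id
        for (i = 4; i <= NF; i++) {
            if ($i == "root")   parent[id] = "root"
            if ($i == "parent") parent[id] = $(i + 1)
            if ($i == "leaf")   leaf[id]   = $(i + 1)
            if ($i == "rate")   rate[id]   = $(i + 1)
            if ($i == "ceil")   ceil[id]   = $(i + 1)
        }
    }
    # Print each class whose parent is p at this depth, then its children.
    function show(p, depth,   k, i, pad, c, line) {
        pad = ""
        for (i = 0; i < depth; i++) pad = pad "  "
        for (k = 1; k <= n; k++) {
            c = order[k]
            if (parent[c] != p) continue
            line = pad c " rate " rate[c] " ceil " ceil[c]
            if (c in leaf) line = line " leaf " leaf[c]
            print line
            show(c, depth + 1)
        }
    }
    END {
        show("root", 0)
        # A class whose parent is neither the root qdisc nor a listed class
        # means the dump is incomplete or filtered: report it rather than
        # silently leaving it out of the tree.
        for (k = 1; k <= n; k++) {
            c = order[k]
            if (parent[c] != "root" && !(parent[c] in parent))
                print c " has unknown parent " parent[c]
        }
    }'
}

# Constructed sample (not captured) in the format tc prints for the
# excerpt above: 1:1 under the root qdisc, three leaf classes under 1:1.
SAMPLE='class htb 1:1 root rate 6Mbit ceil 6Mbit burst 15Kb cburst 1599b
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 5Mbit ceil 5Mbit burst 15Kb cburst 1599b
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 3Mbit ceil 6Mbit burst 15Kb cburst 1599b
class htb 1:30 parent 1:1 leaf 30: prio 0 rate 1Kbit ceil 6Mbit burst 15Kb cburst 1599b'

printf '%s\n' "$SAMPLE" | htb_tree
```

On a live box, `tc class show dev eth0 | htb_tree` shows the same nesting for whatever has actually been configured.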



[LARTC] logging traffic on port/remote host/localhost

2003-02-09 Thread Alex Polite
I maintain an iptables firewall/router for a small office (15 users).

I've just installed wondershaper and managed to tune
it... almost. When testing and tuning I get good latency even under
heavy load, but in my latency logs there are still some ugly spots. To
further tune this (maybe I need to add some ports to NOPRIOPORTSRC) I
want to add some logging so that I can go back and see exactly what
traffic I had when latency was bad. I want to see what internal hosts and
external hosts were generating the traffic, what ports they were
talking on, what protocols etc.

I know how to add logging in iptables but reading the logs is kind of
tiresome. I'd rather have something like iptraf but that can be run
after the fact.

alex

-- 

Alex Polite
http://plusseven.com/gpg



Re: [LARTC] Allowing CVS, RCP SCP

2002-07-04 Thread Alex Bennee

bert hubert said:
 On Thu, Jul 04, 2002 at 02:01:07PM +0100, Alex Bennee wrote:
 A. Peter Mee said:
  snip
  Could someone give me some pointers to achieving stable cvs and rcp
  access through a fairly restrictive firewall.
  snip

 CVS isn't a network protocol. You generally run it using remote shell
 tools, in the CVS manual it allows you to specify how with the
 CVS_RSH environment variable.

 CVS 'pserver' lives on port 2401. Use netstat -an to see which ports
 have LISTENing sockets, and open up those ports.

Quite correct of course.

There are numerous ways of accessing remote CVS repositories (see
http://www.cvshome.org/docs/manual/cvs_2.html#SEC26). CVS over ssh seems to
be the preferred method of large development communities (sourceforge and
savannah at least). Once you've got ssh working you don't need to do any
additional (network level) work to get CVS running. I would generally be
wary of just opening up ports that are listening without being aware of the
security implications of using that protocol. The CVS documentation suggests
Kerberos over pserver for security. ssh works just as well (the documentation
only refers to rsh which is insecure but replaceable by ssh).

Alex
www.bennee.com/~alex/





Re: [LARTC] TCP/UDP traffic priority.

2002-05-28 Thread Alex Bennee

Carles Xavier Munyoz Baldó said:
 Hi,
 Is it possible with Linux Traffic Control system to give priority to
 some  TCP/UDP traffic based upon the port number ?

Yes. You can either use tc's own packet classification or mark packets with
iptables/ipchains to route packets through different traffic shapers.

See Section 9 of the LARTC HOWTO for an intro to the options you have
available:

http://lartc.org/HOWTO//cvs/2.4routing/html/c427.html

Alex
www.bennee.com/~alex/





Re: [LARTC] Beginner

2002-05-23 Thread Alex Bennee

ewan said:

 #Lan--Internal Firewall--- External firewall -- Internet
 |
 |
webserver


 what purpose does the internal firewall serve? just plug everything
 into one firewall and write rules accordingly

There is nothing wrong with having multiple layers of firewalls. It means
your haxor has several layers of security to beat - security through depth.

But you can just use iptables on your internal firewall as well. No point
learning new semantics :-)

Alex
www.bennee.com/~alex/





Re: [LARTC] ipt_connbytes iptables match for shaping

2002-05-20 Thread alex

On Sun, 2002-05-19 at 23:14, Martin Devera wrote:
 Hi,
 I just finished connbytes match. You can use it to move
 long downloads into lower prio class. It is for hackers
 only just now.
 Needed files are at luxik.cdi.cz/~devik/qos/connbytes.tgz.
 IT IS NOT PATCH YET !
 
 I'm going to sleep. More later ..
 devik

Martin, have you been getting my mails? I keep getting bounces from your
address when I send direct to your cdi.cz address.

-- 
[EMAIL PROTECTED]
http://www.bennee.com/~alex/




Re: [LARTC] A tc htb/iptables rate control script for ADSL

2002-04-17 Thread Alex Bennee

Martin Devera said:
 Hi,
 I'm happy that HTB gained so much popularity ;) Only
 one hint for you - you can completely avoid all these
 tc filter add  fw ...
 You can use only one
 tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw

 and set classid directly in iptables like:
 iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
 iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020

 and so on ..
 devik


Thanks for that, it should make my script a bit less cumbersome. I have also
realised that at the moment the bandwidth is being shared out in proportion
to allocated bandwidths which is not quite what I was after. Having re-read
your manual pages I've now added prio statements to each htb class so
that if I'm downloading from inside I get all the bandwidth I need at the
expense of the uploads, rather than a 2:1 split. I got it the second time,
the first time I wasn't sure if prio 0 was the highest or lowest priority.

The other thing that is currently sub-optimal is the division of long uploads
vs short uploads. I've attempted to ensure that normal webpages are
downloaded as fast as possible with the burst parameter but if someone is
downloading a large file from my website all other web users suffer. I've
got to do some more reading but my current plan involves the iptables
connection tracking.

I'm not sure if iptables does this already but if I can match and tag a
packet based on the time of the connection I can still allow new
connections to get priority over long-lived downloads. This may involve
writing a new kernel module as a netfilter extension but it would be the
icing on the cake to my setup :-)

Alex
www.bennee.com/~alex/
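
The single-filter approach from the quoted reply, as an added example that is not part of the original script: with a fw filter that carries no classid, the kernel uses the packet mark itself as the classid when the mark's major part matches the qdisc's (1:), so the mark for class 1:10 is (major << 16) | minor with both halves read as hex, i.e. 0x10010. The chain name to-dsl, device ppp0 and the port-to-class mapping are taken from the thread; commands are printed rather than executed unless RUN=1 is set.

```shell
#!/bin/sh
# Added example (not the original script): classify into HTB classes by
# setting the iptables mark to the classid and using a single fw filter.

# Convert "major:minor" (hex, as tc reads classids) to the mark value the
# kernel takes as that classid: (major << 16) | minor. 1:10 -> 0x10010.
mark_for_classid() {
    major=$(printf '%d' "0x${1%%:*}")
    minor=$(printf '%d' "0x${1#*:}")
    printf '0x%x\n' $(( major * 65536 + minor ))
}

# Print commands by default; execute them only when RUN=1 (needs root).
run() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# One mangle rule per port. $1 is "dport" for traffic we originate and
# "sport" for replies leaving our own services; $3 is the HTB class.
mark_rule() {
    run iptables -t mangle -A to-dsl -p tcp "--$1" "$2" \
        -j MARK --set-mark "$(mark_for_classid "$3")"
}

# The one filter: any mark whose major part equals the qdisc major (1:)
# is used directly as the classid, so no "handle N fw classid 1:N0" rows.
single_fw_filter() {
    run tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw
}

setup_marks() {
    mark_rule dport 22   1:10  # outgoing interactive (ssh)
    mark_rule dport 80   1:20  # outgoing web fetches
    mark_rule sport 24   1:30  # incoming interactive (ssh on 24, as in the thread)
    mark_rule sport 443  1:40  # incoming personal use
    mark_rule sport 8890 1:40
    mark_rule sport 80   1:50  # incoming web
    mark_rule sport 25   1:60  # incoming mail
    single_fw_filter
}

setup_marks
```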





[LARTC] A tc htb/iptables rate control script for ADSL

2002-04-16 Thread alex

Hi, 

Firstly I apologise for the cross-posting but as I got help from all
over the place I thought I had better feed back the results now I have
this working.

The Problem:

I run a Speedtouch ADSL modem on my router and host a number of services
behind my link (web server mainly) so people can access my files.
Unfortunately some of the files on my web-server are quite big (> 100Mb)
and while I'm happy for people to download them it kinda kills
interactivity when I am at home surfing.

The Solution:

Line rate control! I was going through various cookbook approaches (e.g.
the wondershaper) but decided to roll my own because:

a) I've just grokked iptables and I didn't want to learn yet another
packet matching syntax
b) cbq solutions looked too hard to understand
c) it's the only way to learn

What this script does is mark upstream packets using a bunch of iptables
matches. The marks correspond to the priority I want to assign my
traffic (remember I can only do this for outgoing packets, shaping
incoming data on my LAN wouldn't achieve much).

The script then creates a bunch of htb shapers, one for each traffic type
giving a controlled rate of output. The filters are then set up to direct
packets to each traffic class based on the iptables matches done
earlier.

For more info read the script.

Caveats:

This works for me, YMMV. I've done limited testing and for me I can
surf at my normal high speeds while large downloads happen from my
server. I expect it can be tuned further with experimentation and
would welcome any feedback on the script. I have a moderate number of
services on my link, I expect most people can simplify the priorities
to traffic originated by me and incoming connections. The script is
part of a larger firewall script that can be found on my website's CVS
pages (under software) but it's not fully integrated yet.

Enjoy,

Alex.


function setup_shaping ()
{

# Setup POSTROUTING marking on dsl output
# needed for QoS type hacks
# 1 - outgoing interactive (ssh)
# 2 - outgoing file stuff (www)
# 3 - incoming interactive (ssh)
# 4 - incoming personal use (https, http-tunnel)
# 5 - incoming web
# 6 - incoming mail
# 7 - everything else

# create the to-dsl table (we can only shape outgoing traffic)
/sbin/iptables -t mangle -N to-dsl

# For outgoing packets we need to mark stuff
/sbin/iptables -t mangle -A to-dsl -p tcp --dport 22   -j MARK --set-mark 1

/sbin/iptables -t mangle -A to-dsl -p tcp --dport 80   -j MARK --set-mark 2

/sbin/iptables -t mangle -A to-dsl -p tcp --sport 24   -j MARK --set-mark 3

/sbin/iptables -t mangle -A to-dsl -p tcp --sport 443  -j MARK --set-mark 4
/sbin/iptables -t mangle -A to-dsl -p tcp --sport 8890 -j MARK --set-mark 4

/sbin/iptables -t mangle -A to-dsl -p tcp --sport 80   -j MARK --set-mark 5

/sbin/iptables -t mangle -A to-dsl -p tcp --sport 25   -j MARK --set-mark 6

# enable the marking on all outgoing packets ($EXTIF is set by the
# surrounding firewall script)
/sbin/iptables -t mangle -A POSTROUTING -o $EXTIF -j to-dsl

# and the qdisc's
# Base htb qdisc; unmarked traffic falls into class 1:60
/sbin/tc qdisc add dev ppp0 root handle 1: htb default 60

# add a rate limiting class underneath - this ensures we don't send
# packets to the dsl modem faster than it's going to send them
/sbin/tc class add dev ppp0 parent 1: classid 1:1 htb rate 250kbit burst 6k

# sub classes for each traffic type
/sbin/tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 250kbit burst 15k
/sbin/tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 250kbit burst 15k
/sbin/tc class add dev ppp0 parent 1:1 classid 1:30 htb rate 250kbit burst 15k
/sbin/tc class add dev ppp0 parent 1:1 classid 1:40 htb rate 250kbit burst 15k
/sbin/tc class add dev ppp0 parent 1:1 classid 1:50 htb rate 128kbit burst 50k
/sbin/tc class add dev ppp0 parent 1:1 classid 1:60 htb rate 100kbit burst 15k

# note to self: to show class stats
# tc -s -d class show dev ppp0 parent 1:

# don't use prio anymore
# tc qdisc add dev ppp0 parent 1:1 handle 2: prio bands 6 priomap 0 1 2 3 4 5

# create sfq's under each traffic class to share it all out
/sbin/tc qdisc add dev ppp0 parent 1:10 handle 10: sfq
/sbin/tc qdisc add dev ppp0 parent 1:20 handle 20: sfq
/sbin/tc qdisc add dev ppp0 parent 1:30 handle 30: sfq
/sbin/tc qdisc add dev ppp0 parent 1:40 handle 40: sfq
/sbin/tc qdisc add dev ppp0 parent 1:50 handle 50: sfq
/sbin/tc qdisc add dev ppp0 parent 1:60 handle 60: sfq

# note to self: delete with
# tc qdisc del dev ppp0 parent 1:0 handle 10:

# are flowid and classid interchangeable?
# create filters from the root to sort the traffic, one per mark

/sbin/tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
/sbin/tc filter add dev ppp0 parent 1: protocol ip prio 2 handle 2 fw classid 1:20
# /sbin/tc filter add dev   (the rest of the script is cut off in the archived message)
}

Re: [LARTC] Determining tbf parameters

2002-04-01 Thread Alex Leyva


On Thu, 28 Mar 2002, Kurt Wagner wrote:

 Howdi Alex,

 On Fri, 22 Mar 2002, Alex Leyva wrote:

  I've been trying with different values for burst, limit and latency,
  but we can't understand how to determine the correct values for them.
 
 Now, how to set it depends on what you want to do. Which bursts do you
 want to allow, and do you want to queue packets when the bucket is
 empty (introducing additional delay...) or simply drop them?

  We found different formulas to determine the size of the bucket, the
  latency and the limit, but they don't work for us, because we get
  incoherent values.

 If you have some rules of thumb for some sort of setup please post it,
 could be interesting for other people too. However, the general rule is
 that there is no general rule. ;-)

We couldn't find any formula to determine the setup, but we found some
rules (something like conclusions):
- limit is the size of something like a prebuffer for packets waiting for
tokens to be available.
- latency is the amount of time that a packet can sit waiting for tokens
to be available.
- For both values (limit and latency) if the limit (of size or time) is
exceeded the packets are dropped.
- There are NO formulas to determine the setup, there are only formulas to
determine the critical or maximal values for the parameters.
- If we are managing interactive traffic we must keep the overlimit
packet count down, and we must configure tbf with burst and LATENCY to
do it.
- If we are managing bulk traffic the overlimit count is not important,
but we must know if the dropped packets are important, just like the TOS
maximum reliability, and we must use burst and LIMIT to do it.

So far we have not tried with interactive traffic or anything else, just
with ttcp, with two Pentium II over an ethernet, directly connected, and
the results were really good.


  We have another question, what are the normal values for dropped and
  overlimits?
  We have:
  qdisc tbf 110: dev eth1 rate 1Mbit burst 20Kb/8 mpu 0b [0001f400]
limit
  40Kb lat 190.7ms
   Sent 17542230 bytes 11591 pkts (dropped 36, overlimits 35216)
 
  is this normal?

 Hmm, 17MByte transmitted with 11591 packets, so your packets are
 approximately 1500 bytes long in average, which makes me guess it
 was a file transfer with TCP and 1.5KB MTU? The values are ok if
 that's the case...


We are using ttcp to make the test, with the default values.

We think that if we get better results and more solid conclusions
we could contribute them to the HOWTO =-).


 bye,
 Kurt
