Re: [LARTC] Spill over

2005-04-25 Thread Chris Bennett



A little googling tells me 250 ZAR ~ 42 USD. Is this correct? If so,
ouch.. that's pricey.

3GB (assuming B in this case is BYTE) comes out to about 9kbit / second
over a month, if I did my math correctly. Ouch again.

Does the 3GB apply to the total of up and 
down traffic, or just down? Because you can't control traffic coming to 
you very well. You can try to control TCP traffic with policing, but UDP 
traffic does its own thing. Not to mention jokers who decide to flood the 
link for the hell of it.

Given this new info, it sounds more like you shouldn't try to use the
512kbit link at all unless the 64kbit link goes down. If you do try to
push "excess" traffic onto it, all that does is encourage the use of
applications that will consume the entire bandwidth available. If that is
really beyond your budget, it doesn't seem like something you'd want to
do. Better to set the expectations at 64kbit so the users don't get the
idea of tuning into Internet radio or something. In fact, if the 64kbit
link does go down, it could be a good idea to police the 512kbit link
down to 64kbit, just so the users don't jump for joy when the 64kbit link
goes down... (keeping in mind that policing is no guarantee that you'll
actually stay below 64kbit usage, especially if a lot of the traffic is
UDP).

  - Original Message - 
  From: 
  Kenneth Kalmer 
  To: Chris Bennett ; Taylor 
  Grant 
  Cc: lartc 
  Sent: Monday, April 25, 2005 2:48 
AM
  Subject: Re: [LARTC] Spill over
  Taylor, Chris (and the list)

  The arguments behind my choice here are cost driven: the 64kbps line is
  a fixed monthly rate for unlimited use, the 512kbps line costs us
  roughly ZAR250 per 3GB of usage. This can get quite expensive as the
  lines in question are for a college and we all know what students do to
  bandwidth :)

  Taking the amount we pay every month for the 64kbps line, it's more
  economical to over-utilize the link as a primary connection than to
  have it lying around as a backup. South Africa and data connections
  don't go well in the same sentence...

  As Chris suggested, I need something that can detect when Link A is
  saturated and then redirect the traffic over Link B until there is
  available bandwidth on Link A again. The rate limit trick of Taylor
  might work once I get to understand the usage patterns of these
  students. But for at least the first 3 months I won't have proper data
  at my disposal.

  Thanks for your replies!
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] Spill over

2005-04-23 Thread Chris Bennett



You can't split a particular IP connection between two links, but can
instead only determine which link a particular connection will occur on.
Given this, it sounds like you want to have some way to detect that Link A
is already saturated and then send all further connections to Link B until
Link A is no longer saturated.

Maybe someone can tell you how to do that if that's really what you want
to do (others here know far more about this than me), but my guess is you
really don't want to do that. With the huge bandwidth disparity between
the two links, route caching, and the inability to know how much bandwidth
any particular connection will consume, I think you'd end up with a giant
mess... those people with connections unlucky enough to end up on Link A
would probably be very unhappy people indeed.

Generally speaking I think it would make 
more sense to put all traffic over Link B, and then use Link A only for 
emergencies. Maybe route the most critical traffic over Link A if you 
really want to feel like its being utilized as something other than a pure 
backup, but personally I wouldn't even do that.

Just because Link A is more reliable and more expensive doesn't mean it
makes sense to use it as your primary conduit. With Link B having eight
times the bandwidth, it seems the obvious choice as the primary. Use it,
and keep the users happy most of the time (instead of making them
miserable most of the time). On the rare occasions it goes down, use
bandwidth shaping to make sure the highest priority traffic gets access to
Link A first.

In all the time I've used DSL, I've had severe outages twice for reasons
other than standard maintenance. In both cases (in two separate
locations), the cause was the ILEC phone company mistakenly dropping the
wire pair while doing other work (freakin took over a week in each case to
get my connectivity back!!). This sort of thing could just as easily
happen with a leased line though, so I'm not really sure I buy that the
leased line is really more reliable than a DSL line from a high quality
ISP. Although maybe a particular SLA makes it so in some legal sense since
you can then sue someone. Personally, if your leased line really costs
more than the DSL, I'd get rid of it and get a 2nd DSL line from another
provider and use that as your backup instead.

Anyway, I guess my main point is that the high cost of your leased line
might be clouding your thinking on this. I wouldn't let the comparative
cost be your guiding light here. Go with what makes sense from a
technology perspective, and don't guilt yourself into trying to get full
utilization out of the slow link just because it costs more.


  - Original Message - 
  From: 
  Kenneth Kalmer 
  To: lartc 
  Sent: Saturday, April 23, 2005 4:34 
  PM
  Subject: [LARTC] Spill over
  List,

  I need some help, advice or just a starting point on the following
  situation:

  Link A - 64kbps leased line
  Link B - 512kbps ADSL line

  Is it possible to have Link A saturated constantly and have the excess
  traffic "spill over" onto Link B? I know it's possible to have packets
  sent down links in a round-robin fashion and I've read in the howto on
  load sharing over multiple interfaces
  (http://lartc.org/howto/lartc.loadshare.html), but I do not have
  control over the termination of the link at the ISP's (two different
  ones as well). Also note that splitting different protocols over each
  of these links is not possible in our case.

  Reason being, Link A is a more reliable and more expensive link, so I
  need to over-use its capacity if it were, and use the cheaper ADSL
  (link B) offering to keep all services running when the leased line (A)
  is saturated.

  Any tips, suggestions and comments would be welcomed.

  Regards
  --
  Kenneth Kalmer
  [EMAIL PROTECTED]
  http://opensourcery.blogspot.com
  
  



Re: [LARTC] HTB ATM MPU OVERHEAD (without any patching)

2005-04-12 Thread Chris Bennett
Thanks!  Very prescient of you, since my latest test results prove exactly 
what you said about needing a higher overhead value!  :)

- Original Message - 
From: Andy Furniss [EMAIL PROTECTED]
To: Chris Bennett [EMAIL PROTECTED]
Cc: lartc@mailman.ds9a.nl
Sent: Tuesday, April 12, 2005 12:29 PM
Subject: Re: [LARTC] HTB ATM MPU OVERHEAD (without any patching)

To be safe you need overhead a lot bigger than 24.


Re: [LARTC] HTB ATM MPU OVERHEAD (without any patching)

2005-04-12 Thread Chris Bennett
Good recommendation.  I read Jesper's thesis (well, okay, not ALL of it... 
but the juicy bits) and it looks like the difference between the overhead 
value that I expected to work (24) and the overhead value that actually 
worked (50) can be explained by the fact that I neglected to include the 
overhead incurred by bridged mode over ATM (RFC 2684/1483).

I would say now I can sleep peacefully, but I just woke up a couple of 
hours ago... so I'll go for a run instead ;)

- Original Message - 
From: Andy Furniss [EMAIL PROTECTED]
To: Chris Bennett [EMAIL PROTECTED]
Cc: lartc@mailman.ds9a.nl
Sent: Tuesday, April 12, 2005 12:29 PM
Subject: Re: [LARTC] HTB ATM MPU OVERHEAD (without any patching)

HTB uses IP packet length, to which you then need to add your fixed 
overhead - for pppoe that may include eth header + other have a look at 
jesper's table in his thesis.

http://www.adsl-optimizer.dk/
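Why a linear overhead can only approximate a cell-based link, as an added example that is not code from this thread: HTB without the ATM patch charges each packet max(ip_len + overhead, mpu) bytes, while ADSL carries it in 53-byte ATM cells with 48 bytes of payload each, padded out to a whole cell. The Python below, written for this page, searches for the smallest overhead that never under-charges a set of packet sizes. The 32-byte encapsulation and the packet sizes are constructed assumptions, not numbers from Jesper's table, and the 48/53 rate scaling is a workaround assumed here rather than something either poster describes.

```python
# Added example: wire cost on an ATM-cell DSL link versus what an unpatched
# HTB charges.  Encapsulation size and packet sizes are constructed
# assumptions, not measured values.

ATM_CELL = 53       # bytes on the wire per ATM cell
ATM_PAYLOAD = 48    # payload bytes per cell; the other 5 are the cell header


def atm_wire_bytes(ip_len: int, encap: int) -> int:
    """Bytes the DSL link really transmits for one IP packet.

    encap is the fixed per-packet encapsulation above the IP header (for
    bridged RFC 2684 that is LLC/SNAP + Ethernet header + AAL5 trailer).
    The AAL5 frame is padded to a whole number of 48-byte cell payloads.
    """
    cells = -(-(ip_len + encap) // ATM_PAYLOAD)   # integer ceiling
    return cells * ATM_CELL


def htb_charged_bytes(ip_len: int, overhead: int, mpu: int = 0) -> int:
    """What HTB without the ATM patch charges: linear overhead, floored at mpu."""
    return max(ip_len + overhead, mpu)


def min_safe_overhead(encap, sizes, mpu=0, scale=(1, 1), limit=256):
    """Smallest overhead for which HTB never under-charges any size in `sizes`.

    scale=(num, den) models a configured rate lowered to den/num of line
    rate, e.g. (53, 48) when the rate is set to 48/53 of the sync rate;
    a charged byte then 'costs' num/den wire bytes.  Returns None if no
    overhead below `limit` is safe.
    """
    num, den = scale
    for overhead in range(limit):
        if all(htb_charged_bytes(n, overhead, mpu) * num >= atm_wire_bytes(n, encap) * den
               for n in sizes):
            return overhead
    return None


# Constructed inputs: an assumed 32-byte encapsulation and sizes from a bare
# TCP ACK up to a full Ethernet payload.
ENCAP = 32
SIZES = [40, 64, 576, 1500]

if __name__ == "__main__":
    for n in SIZES:
        print(f"{n:5d} bytes IP -> {atm_wire_bytes(n, ENCAP)} on the wire,"
              f" HTB(overhead 24) charges {htb_charged_bytes(n, 24)}")
    print("overhead alone                :", min_safe_overhead(ENCAP, SIZES))
    print("overhead, rate * 48/53        :", min_safe_overhead(ENCAP, SIZES, scale=(53, 48)))
    print("overhead, rate * 48/53, mpu 96:", min_safe_overhead(ENCAP, SIZES, mpu=96, scale=(53, 48)))
```

With these constructed numbers a purely linear overhead would have to be 196 to stay safe on full-size packets; lowering the rate to 48/53 brings it to 56, and adding an mpu of 96 (two cells) to 48. Either way the safe value is well above the bare encapsulation, which is the direction Andy's advice points in.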


Re: [LARTC] 2 internet connections for 2 different purposes

2004-12-29 Thread Chris Bennett
When you say you are so close but can't get your head around the final 
part... what do you mean?  Exactly what is working and what is not?  How far 
have you gotten?

- Original Message - 
From: brooke [EMAIL PROTECTED]
To: lartc@mailman.ds9a.nl
Sent: Wednesday, December 29, 2004 4:56 PM
Subject: [LARTC] 2 internet connections for 2 different purposes


I've got a linux machine (fedora core 3) with 4 network cards.
I looked at the howto and the only example that is close to what I need to 
do is section 4.2 on multiple uplink providers. I feel like I'm so close 
but just can't get my head around the final part.

Here is what I have
eth2 and eth4 connect to 2 different isps.
I want all connections the come from my dmz on eth3 to go out of my 
connection on eth4
I want all connections from my local network on eth0 to go out of my 
connection on eth2

can anyone help me out with this?
thanks in advance
Brooke


Re: [LARTC] QoS with Artifficial Intelligence

2004-12-22 Thread Chris Bennett
You're really serious?  Hmm... okay.
As far as giving any specific help, the last time I worked with neural net 
software was in college which was... um.. over 12 years ago.  So I really 
have no idea what the latest available software for doing something like 
this is.  Sorry.

From a theoretical perspective I'll say this:  as a research project I think 
you could get interesting results by trying out something along the lines of 
having the neural net vary parameters and receive positive or negative 
feedback based on the latency, throughput or something like that.  By 
interesting I mean exactly that... interesting but not necessarly useful. 
I'd hate to be the one who has to suffer through using a network that is in 
training mode.  And while there may be patterns that a neural net could 
learn, I'm not sure how well the neural net would move from reacting to 
conditions to actually anticipating conditions.  And to the extent that it 
ever did correctly anticipate certain conditions, what would be the cost of 
incorrect guesses..?  I suppose it all depends on how predictable the 
activity on a particular network is.

My one practical thought is this: I'd try to shorten the feedback loop 
considerably.  Every minute or so is, I'd guess, way too long.  I'd go for 
every 10 seconds or so if possible.

Anyway, guess I'm saying it's a neat idea but I'm not personally interested 
in pursuing it.  Good luck.  Try it out.. write a paper, become famous.

- Original Message - 
From: Gomi [EMAIL PROTECTED]
To: Chris Bennett [EMAIL PROTECTED]; 
lartc@mailman.ds9a.nl@alpha.symbio.com
Sent: Tuesday, December 21, 2004 8:04 AM
Subject: Re: [LARTC] QoS with Artifficial Intelligence


I was actually thinking in every minute or so, read statistics from queues,
and SNMP from dsl routers for example, and vary the queues bandwith, their
limit, their queuelenght or even the burst and cburst.
I was actually thinking in implementing a neuronal network to do so, what 
do
you think?

- Original Message -
From: Chris Bennett [EMAIL PROTECTED]
To: lartc@mailman.ds9a.nl lartc@mailman.ds9a.nl
Subject: Re: [LARTC] QoS with Artifficial Intelligence
Date: 20/12/04 23:44
I'm not sure what you mean by AI.  I suppose you could mean that you're
going to feed various QoS parameters into a neural net and "teach" the
neural net to vary the parameters according to conditions... but somehow I
think it unlikely that this is what you mean.


Re: [LARTC] QoS with Artifficial Intelligence

2004-12-20 Thread Chris Bennett
I'm not sure what you mean by AI.  I suppose you could mean that you're 
going to feed various QoS parameters into a neural net and teach the 
neural net to vary the parameters according to conditions... but somehow I 
think it unlikely that this is what you mean.

What is the specific situation you're trying to deal with, and what exactly 
are you referring to when you say maximum performance?

Another person recently asked about how to implement QoS in a heavily 
oversubscribed environment, for example.  If, even during the times when the 
network is overburdened, there is always at least enough bandwidth to handle 
the high priority latency sensitive data (possibly a big assumption), I 
suggested the possibility of monitoring a steady ping to see when the 
buffers fill and the ping value skyrockets.  At that time, a QoS script 
could be run that would assume a lesser bandwidth rate, and hopefully slow 
up lower priority traffic and cause the buffer to empty in short order.  In 
this way one might be able to maintain at least a somewhat reliable level of 
low latency, while still trying to maximize the use of the dynamic 
bandwidth: a sort of artificial intelligence.

You could be talking about something completely different, so perhaps you 
could provide more information about what specific situation you are dealing 
with?

- Original Message - 
From: Gomi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 8:50 AM
Subject: [LARTC] QoS with Artifficial Intelligence


Hello everyone, it is not the first time i discuss this topic here, but 
now
it has come the time to actually do it.

My idea is to set up a daemon to run QoS on linux, with a particularity, 
add
some A.I. capabilities to our system and hence, be able to change QoS
topology every certain time to obtain the maximum performance.

I first want to teach the system which parameters should i vary, and hence 
i
would like all of you to tell me, which do you think i should change.

Any ideas? Anybody is welcome to join!! :)

Message sent using UebiMiau 2.7.2
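The ping-driven feedback loop Chris sketches in that reply, as an added example rather than anything posted to the thread: a small Python governor that watches RTT samples and decides when the shaping script should drop to a lower assumed rate and when it may return to the full one. Two thresholds and two streak lengths give it hysteresis, so a single slow or lost echo does not flap the configuration. The thresholds, sample counts and the RTT trace are constructed for illustration; what to run on each event (for instance a `tc class change` with a different rate) is left to the caller.

```python
# Added example: hysteresis-based latency governor for a ping-driven shaper.
# Thresholds and the RTT trace below are constructed, not measured.


class LatencyGovernor:
    """Watch a steady ping and decide when to back the shaper off and when
    to restore it.  Separate thresholds and streak lengths for each direction
    give hysteresis so one delayed echo does not flap the configuration."""

    def __init__(self, high_ms, low_ms, up_samples=3, down_samples=10):
        if low_ms >= high_ms:
            raise ValueError("low_ms must be below high_ms for hysteresis")
        self.high_ms, self.low_ms = high_ms, low_ms
        self.up_samples, self.down_samples = up_samples, down_samples
        self.backed_off = False
        self._streak = 0

    def observe(self, rtt_ms):
        """Feed one RTT sample (None = lost echo, treated as 'over').

        Returns 'back_off' when the queue has been full for up_samples
        echoes in a row, 'restore' after down_samples quiet echoes in a
        row while backed off, otherwise None."""
        if not self.backed_off:
            over = rtt_ms is None or rtt_ms > self.high_ms
            self._streak = self._streak + 1 if over else 0
            if self._streak >= self.up_samples:
                self.backed_off, self._streak = True, 0
                return "back_off"
        else:
            under = rtt_ms is not None and rtt_ms < self.low_ms
            self._streak = self._streak + 1 if under else 0
            if self._streak >= self.down_samples:
                self.backed_off, self._streak = False, 0
                return "restore"
        return None


def replay(samples, **kwargs):
    """Run a trace through a fresh governor; returns [(index, event), ...]."""
    gov = LatencyGovernor(**kwargs)
    events = []
    for i, rtt in enumerate(samples):
        event = gov.observe(rtt)
        if event:
            events.append((i, event))
    return events


# Constructed trace: ~30 ms idle RTT, queueing delay as the buffers fill,
# then recovery once the shaper has backed off.
TRACE = [30, 32, 31, 250, 300, 400, 200, 80, 40, 35, 33, 31, 30, 30, 30, 30, 30, 30, 30]

if __name__ == "__main__":
    print(replay(TRACE, high_ms=150, low_ms=60))
```

In a real deployment the sample period matters as much as the thresholds: with echoes every few seconds, three consecutive slow replies is a reaction time of under half a minute, which is in the range Chris suggests in the later message.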


Re: [LARTC] Route based on port / protocol

2004-11-26 Thread Chris Bennett



My solution to this exact problem isn't exactly what you asked for, but
I'll tell you anyway because it turned out to be so easy and works so
well.

On my LAN I created a /23 subnet. For 
example, lets say it is 192.168.2.0/23, giving us 192.168.2.0 - 
192.168.3.255. I then made all IPs in the lower half of the subnet 
(192.168.2.0/24) access the internet through ISP-1, and all the IPs in the upper 
half of the subnet (192.168.3.0/24) access the internet through 
ISP-2.

Then I multi-homed my servers, so one server might have, for example, the
IPs 192.168.2.2 and 192.168.3.2. After that, directing traffic for a
particular service is as simple as specifying which IP to use for the
service (instead of allowing the service to use ALL IPs). I haven't yet
run into a service that wouldn't allow me to do this.

That's about it.

Btw, when setting up filters and such for a 
particular machine, I can use a netmask of the form 255.255.254.255 so that both 
of the IPs are handled in one rule...

There may be a better way to do this that 
more closely matches what you are trying to do with specific ports and such.. 
but this multi-homing approach is working great for me.

Chris

  - Original Message - 
  From: 
  Antonio Luiz 
  To: [EMAIL PROTECTED] 
  Sent: Thursday, November 25, 2004 2:08 
  PM
  Subject: [LARTC] Route based on port / 
  protocol
  
  
  I have a Linux Box with 3 NIC's connected to 2 different ISP's running a
  Proxy (Squid) and E-mail server (QMail).

                           --------
                           |      |-- x.x.x.1 -- x.x.x.2 (ISP-1 gateway)
                           |Squid |
  LAN --- 10.85.1.85 ------|      |
                           |Qmail |
                           |      |-- y.y.y.1 -- y.y.y.2 (ISP-2 gateway)
                           --------
  
  All is running OK. 
  But now, I want do redirect all traffic from Squid (http) to 
  ISP-1 and all traffic from QMail (smtp) to ISP-2.
  Anyone can help me 
  ?
  
  
  I've already tried this, but no success:

  # Create two tables (21 and 31) to use with each connection

  # Copy main route to table 31
  ip route show table main | grep -Ev "^default" | \
    while read ROUTE ; do \
      ip route add table 31 $ROUTE; \
    done
  # use ISP-1 as default gateway for table 31
  ip route replace default via x.x.x.2 table 31

  # Copy main route to table 21
  ip route show table main | grep -Ev "^default" | \
    while read ROUTE ; do \
      ip route add table 21 $ROUTE; \
    done
  # use ISP-2 as default gateway for table 21
  ip route replace default via y.y.y.2 table 21

  # Mark packets (1 for ISP-1 and 2 for ISP-2)
  # here, I've tried to change OUTPUT for POSTROUTING and PREROUTING
  # without success
  iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 1
  iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 2

  # Define rules to use the correct connection
  ip rule add from x.x.x.1 table 31
  ip rule add fwmark 1 table 31

  ip rule add from y.y.y.1 table 21
  ip rule add fwmark 2 table 21

  
  
   
  Antonio Luiz 
  


Re: [LARTC] dynamin rules?

2004-11-25 Thread Chris Bennett
I don't personally know a way to do that (maybe someone else does), but I 
can say that I've tweaked my shaping script with over 50 users playing 
online games on my servers, and the script runs so quickly that even though 
it drops and rebuilds the qdiscs, no one even notices the blip.

- Original Message - 
From: Alaios [EMAIL PROTECTED]
To: LARTC-Mailinglist [EMAIL PROTECTED]
Sent: Thursday, November 25, 2004 7:57 AM
Subject: [LARTC] dynamin rules?


Hi.. Do u know if i can change dynamically the
parameters of the qdiscs... I need to reallocate them
if the traffic  needs that Is it necessary to
delete them and create them from scratch?
Thx

__
Do you Yahoo!?
Meet the all-new My Yahoo! - Try it today!
http://my.yahoo.com


Re: [LARTC] how to remove rules

2004-11-23 Thread Chris Bennett
I've had the same problem.  I sorta wish there was an ip rule flush 
command that would leave only the default rules.

Anyway, what I do to prevent my rules from getting out of hand is every time 
I add a rule, I first delete the very same rule.  This prevents the 
duplicates, at least.

So every place in my script that I might have:
    ip rule add <some rule>
I place before it:
    ip rule del <some rule>
Works for me.
- Original Message - 
From: Askar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 4:57 AM
Subject: [LARTC] how to remove rules


hi
I have been trying to remove the extra rules from my routing tables,
however with no luck.
Also I want to know whether these duplicate entries have an effect on
packets being routed?
I have this overwhelming rules list from my predecessor who added the
ip rule add fwmark entries in the firewall script, and on each run of the
firewall script it creates an extra entry in the routing table.
Now what I want is to get rid of the extras from all the "fwmark 0x2 lookup
squid.out" rules, leaving only the one that I need.
here is the output of ip rule ls
0:  from all lookup local
32742:  from all fwmark 0x2 lookup squid.out
32743:  from all fwmark 0x2 lookup squid.out
32744:  from all fwmark 0x2 lookup squid.out
32745:  from all fwmark 0x2 lookup squid.out
32746:  from all fwmark 0x2 lookup squid.out
32747:  from all fwmark 0x2 lookup squid.out
32748:  from all fwmark 0x2 lookup squid.out
32749:  from all fwmark 0x2 lookup squid.out
32750:  from all fwmark 0x2 lookup squid.out
32751:  from all fwmark 0x2 lookup squid.out
32752:  from all fwmark 0x2 lookup squid.out
32753:  from all fwmark 0x2 lookup squid.out
32754:  from all fwmark 0x2 lookup squid.out
32755:  from all fwmark 0x2 lookup squid.out
32756:  from all fwmark 0x2 lookup squid.out
32757:  from all fwmark 0x2 lookup squid.out
32758:  from all fwmark 0x2 lookup squid.out
32759:  from all fwmark 0x2 lookup squid.out
32760:  from all fwmark 0x2 lookup squid.out
32761:  from all fwmark 0x2 lookup squid.out
32762:  from all fwmark 0x2 lookup squid.out
32763:  from all fwmark 0x2 lookup squid.out
32764:  from all fwmark 0x2 lookup squid.out
32765:  from all fwmark 0x2 lookup squid.out
32766:  from all lookup main
32767:  from all lookup 253
regards
--
(after bouncing head on desk for days trying to get mine working, I'll 
make
your life a little easier)


Re: [LARTC] how to remove rules

2004-11-23 Thread Chris Bennett
Cool, thanks.  I've never been too good at complex scripting myself (I 
have a mental block of seeing all complex scripting as inelegant and 
sub-optimal by nature, so I understand your comment about inelegance), but 
I see exactly what you're doing, and it seems about as elegant as possible 
with a script.  Very nice.  That goes right into my routing script.

Chris
- Original Message - 
From: Martin A. Brown [EMAIL PROTECTED]
To: Chris Bennett [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 1:30 PM
Subject: Re: [LARTC] how to remove rules


Hello all!
: I've had the same problem.  I sorta wish there was an ip rule flush
: command that would leave only the default rules.
I have a function called flush which flushes all tables and all rules
other than the main routing table.  Here's the rule flush portion.  It
won't win any points for elegance, but it should get the job done:
    ip rule show | grep -Ev '^(0|32766|32767):' \
      | while read PRIO RULE; do
          ip rule del prio ${PRIO%%:*} $( echo $RULE | sed 's|all|0/0|' )
        done
-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
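Both the duplicate-rule problem Askar describes and the flush Martin posts are text processing over `ip rule show` output, so here is an added Python example (not from the thread) that builds the `ip rule del` commands: either just the surplus copies of each rule, keeping one, or every rule that is not one of the three system rules. It also shows the idempotent alternative to Chris's delete-then-add pattern, emitting `ip rule add` only when the rule is absent. The listing it runs on is a constructed subset of Askar's output; commands are returned rather than executed so they can be reviewed before being run as root.

```python
# Added example: build `ip rule del` / `ip rule add` commands from
# `ip rule show` output.  SAMPLE is a constructed subset of Askar's listing.
import re

SYSTEM_PRIOS = {0, 32766, 32767}   # local, main, default: never delete these
_RULE = re.compile(r"^\s*(\d+):\s+(.*?)\s*$")


def parse_rules(text):
    """Turn `ip rule show` output into [(prio, rule_text), ...]."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def as_selector(rule_text):
    """ip prints 'from all' but wants '0/0' back on the command line."""
    return re.sub(r"^from all\b", "from 0/0", rule_text)


def delete_commands(text, dedupe_only=True):
    """Commands that remove duplicate user rules (keeping the first copy of
    each) or, with dedupe_only=False, every non-system rule: a flush."""
    seen = set()
    cmds = []
    for prio, rule in parse_rules(text):
        if prio in SYSTEM_PRIOS:
            continue
        duplicate = rule in seen
        seen.add(rule)
        if dedupe_only and not duplicate:
            continue
        cmds.append(f"ip rule del prio {prio} {as_selector(rule)}")
    return cmds


def add_if_missing(text, rule_text):
    """Idempotent add: the `ip rule add` command, or None if already present.
    rule_text is written the way `ip rule show` prints it."""
    present = {rule for _, rule in parse_rules(text)}
    if rule_text in present:
        return None
    return f"ip rule add {as_selector(rule_text)}"


SAMPLE = """\
0:      from all lookup local
32742:  from all fwmark 0x2 lookup squid.out
32743:  from all fwmark 0x2 lookup squid.out
32744:  from all fwmark 0x2 lookup squid.out
32766:  from all lookup main
32767:  from all lookup 253
"""

if __name__ == "__main__":
    # Live use: subprocess.run(["ip", "rule", "show"], capture_output=True,
    # text=True).stdout in place of SAMPLE.
    print("\n".join(delete_commands(SAMPLE)))
    print(add_if_missing(SAMPLE, "from all fwmark 0x2 lookup squid.out"))
    print(add_if_missing(SAMPLE, "from all fwmark 0x3 lookup 100"))
```

Deleting by priority plus the full selector, as Martin's script also does, is deliberate: a bare `ip rule del` with only the selector removes the first matching rule, which is fine for duplicates but makes it easy to remove the wrong one once the rules differ.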


Re: [LARTC] clone MAC address

2004-11-17 Thread Chris Bennett
Hi Frank,
I forgot to copy the list earlier so this will be a dup for you (sorry)...
Anyway, in your message you say contradicting to Chris... in reference to 
me saying that only the IP and MAC of the NAT router would be visible to the 
ISP.

I'd like to fill in my knowledge gap here.. can you please send a link (or 
explain) how the ISP could get the MAC of a device behind the NAT router?

I know that an ISP could theoretically detect that the router is a NAT via 
OS finger printing and such, but I was not aware that the MACs of the 
machines behind the NAT router could be determined in any way.  Please 
explain.

Thanks,
Chris
- Original Message - 
From: Frank Gruellich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 5:00 PM
Subject: Re: [LARTC] clone MAC address


Hello,
* Nicolas Patik [EMAIL PROTECTED] 16. Nov 04:
No, I'm not talking about natting ... I'm talking about hiding my
computers from my ISP.
Tell me, what's the difference.  Can you give some technical description
for this 'hiding' you are talking about?
.. or  are you telling me that the problem with my linux box is
about bad firewall rules?
No.  'Firewall rules' are a matter of layer 3, MACs and their so called
cloning belong to layer 2.
Right now with my linux box doing NAT they can find that I have others
computers connected.
Contradicting to Chris they can.  But trust me, they won't.  Finding
hosts behind a NAT router is very difficult and involves the collection
of huge amounts of traffic.[1]  After all, it will not work for any OSs.
What exactly is your problem?  For this clone-MAC-feature search the
manpage of ifconfig for 'hardware address'.  It's not supported by all
NIC drivers, but for most.  Do you change your routers from time to
time?  DHCP servers cache MACs and may not offer a second IP number if
had another interface connected some time ago.  They should flush the
cache after some days.  If they don't call them and feign a story about
a new NIC you bought recently.
HTH,
regards, Frank.
===footnotes===
[1] Ascending TCP sequence numbers, not changed by NAT, you know?
--
Sigmentation fault
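The host-counting idea behind Frank's footnote, as an added example and not code from the thread. The published form of this technique (Bellovin, 2002) tracks the IPv4 identification field, which a NAT box does not rewrite and which many older stacks increment once per packet sent, so the IDs seen from one public address fall into per-host ascending chains; the Python below groups IDs that way and reports how many chains it finds. The packet traces are constructed and the window size is an assumption. Stacks that randomise the ID, or send it as zero, defeat the method, which is the caveat Frank adds about it not working for every OS.

```python
# Added example: estimate hosts behind a NAT from the IPv4 ID sequence.
# Traces are constructed; the window size is an assumption.


def count_hosts(ip_ids, window=64):
    """Group a stream of IPv4 ID values into chains that each advance by a
    small step, one chain per inferred host.

    Returns (host_count, chains).  Each ID joins the chain whose last ID it
    most closely follows within `window` (16-bit wrap-around handled);
    otherwise it starts a new chain.  Randomised IDs therefore inflate
    the count rather than hide hosts, so treat the result as an estimate."""
    chains = []
    for ident in ip_ids:
        best, best_delta = None, None
        for idx, chain in enumerate(chains):
            delta = (ident - chain[-1]) & 0xFFFF
            if 0 < delta <= window and (best is None or delta < best_delta):
                best, best_delta = idx, delta
        if best is None:
            chains.append([ident])
        else:
            chains[best].append(ident)
    return len(chains), chains


# Constructed trace: two hosts with incrementing IDs, interleaved as a NAT
# box would forward them.
TWO_HOSTS = [1000, 40000, 1001, 1002, 40001, 1003, 40002, 40003]
# Constructed trace: one host whose IDs are randomised per packet.
RANDOMISED = [5, 30000, 12, 60000]

if __name__ == "__main__":
    print(count_hosts(TWO_HOSTS))
    print(count_hosts(RANDOMISED))
```

An ISP doing this would need to capture and correlate a large share of the subscriber's traffic, which is Frank's practical point; the method also breaks down when hosts send bursts faster than the window allows.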


Re: [LARTC] clone MAC address

2004-11-16 Thread Chris Bennett
Cloning a MAC address really has nothing to do with the particular act of 
hiding multiple computers behind a firewall.

Sometimes an ISP will register the MAC address of a particular device to 
make sure you don't use any other device.  Cloning the MAC address is a way 
of getting around this so you can use some other device (such as replacing a 
single computer with a NAT router/firewall).  If your ISP has registered the 
MAC of the single computer that you currently use, then yes, you will need 
to clone that MAC to your linux box (offhand I don't know how that is done 
either).  But this is just a matter of switching one device for another... 
not with adding multiple computers.

Assuming you can first get the linux box to work with your ISP as your 
single device, then NAT is what hides your computers that you route through 
the linux box.  The IP of the linux box (and the MAC of the linux box) is 
the only thing that the outside world will see, if NAT is configured 
properly.

- Original Message - 
From: Nicolas Patik [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 1:29 PM
Subject: Re: [LARTC] clone MAC address


No, I'm not talking about natting ... I'm talking about hiding my
computers from my ISP.
.. or  are you telling me that the problem with my linux box is
about bad firewall rules?
Right now with my linux box doing NAT they can find that I have others
computers connected. Instead with the minirouter doing clone MAC
address (I don't know what else this minirouter is doing) ... they
can't.
Could my ISP be running any tool that can detect more than one
computer? I guess something ARP related?
Thanks,
Nicolas
On Tue, 16 Nov 2004 19:15:59 +0100, Stef Coene [EMAIL PROTECTED] 
wrote:
On Tuesday 16 November 2004 03:00, Nicolas Patik wrote:
 Hi,

 I have a mini router that have this feature, clone MAC address

 My ISP doesn't allow me to connect more than one computer.
 But, with the clone MAC address of the mini router, I can connect up
 to 5 computers, and my ISP can't notice that.

 What do I need to do this cloning with my linux box?

It's called natting.  Google is your friend.
Stef
--
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/


Re: [LARTC] Bandwidth and download control

2004-11-15 Thread Chris Bennett
Jake,
I think that if you just want very basic policing without any priorities, 
you can add an ingress qdisc like this:

# tc qdisc add dev eth0 handle ffff: ingress

and filter on destination IP sort of like this:

# tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 \
    match ip dst 1.2.3.4 police rate 100kbit burst 10k drop flowid :1
# tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 \
    match ip dst 1.2.3.5 police rate 100kbit burst 10k drop flowid :1
etc...

Hope this is right.. I'm kinda busy trying to debug why after installing 
Fedora Core 3 postfix is keeping everything deferred when I send through 
procmail for spamassassin...

Chris
- Original Message - 
From: Jake [EMAIL PROTECTED]
To: 'Chris Bennett' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, November 15, 2004 11:56 PM
Subject: RE: [LARTC] Bandwidth and download control


Why can't the server keep track of how many packets are being sent
to a particular ip address, and if over the download limit drop all packets
from & to that ip. Of course the ip has to be static or the user has
to login before using the internet.
Is this concept right? If yes, what resources can help me to implement
it.
Internet--Cable Modem - Server - router - various clients
 |
(control clients download and bandwidth)
Jake He
-Original Message-
From: Chris Bennett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 16 November 2004 4:20 AM
To: Jake
Subject: Re: [LARTC] Bandwidth and download control
Trying to control the incoming traffic at Server (to use your topology)
is very difficult.  It can be done with IMQ, but setting that up requires
patching, and it's not completely reliable.
The easiest way to control incoming traffic is to shape the traffic
flowing *out* of Server to router.  This, in essence, means that the
traffic coming *in* to router will be effectively controlled.
Of course, this is said with the caveat that of course you can't ever
really control download traffic.  If someone decides to start pummelling
you with a ton of UDP traffic, requested or otherwise, you can drop the
packets when they get to you but they've already consumed your bandwidth
so it really doesn't matter.  But it's at least worth *trying* to control
the incoming data since TCP, for its part, will (if behaving properly)
slow down if you drop packets.
- Original Message - 
From: Jake [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 15, 2004 6:06 AM
Subject: [LARTC] Bandwidth and download control



Can someone suggest me some resources where I learn how to have
control
over download and bandwidth over a small network.
My network setup is very simple star topology.
Network
|
|
Cable Modem - Server - router - various clients
 |
(control clients download and bandwidth)

Jake He


Re: [LARTC] Howto route through

2004-10-31 Thread Chris Bennett
What I do is have the linux box claim all of the public IPs as its own, and 
then use IPTABLES to DNAT/SNAT to/from private IPs as needed.  You can 
dedicate a public IP to a specific private IP, so the computer on your 
network with that private IP appears to all of the world as if it actually 
has the public IP.  This has the added advantage that if your public IPs 
change for some reason, you just need to update IPTABLEs and the computers 
on your network will only need slight (if any) tweaking.

In this setup, all of your public IPs are on one ethernet port, and all of 
your private IPs are on the other.  If you desire, you can give one of the 
public IPs to the linux box itself (though for security reasons, I 
personally do not do this... in fact, the only traffic I let the linux box 
pass to the internet is forwarded packets... nothing originating from 
itself).

This may be what you had in mind when you considered the option of a 
transparent bridge...

- Original Message - 
From: Rene Gallati [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 9:55 AM
Subject: [LARTC] Howto route through


Hello list,
I'm having a little trouble imagining a setup I'll soon have.
I am in the process of getting a routed /28 to my homeLAN. What I want to 
do is to put a linux box in front of the lan to filter some of the 
unneeded and potentially dangerous ports. Now the box has 2 nics, one for 
the inside one for the outside.

How should I go on to setup those NICs when
a) the PCs in the net should have their official IP address from the /28 
net
and
b) the filtering linux box should at the same time have one IP address 
from the same range for some services it provides

The dilemma I see (maybe it is none but I just don't know)
if I put it this way that I have the IP of the /28er range on one nic and 
nothing to put on the other ?

Example: Range is 1.2.3.0/28 (1.2.3.0 - 1.2.3.15)
  eth0:  1.2.3.1   eth1: ???
 Internet --- FW Box -- LAN (1.2.3.0/28)
The FW box should be reachable by both the hosts in the LAN as well as 
from the internet using the assigned IP. Don't I run into troubles having 
an IP on one NIC which does belong to a net that is located on the side of 
another NIC ?

I know that the most specific entry (full IP) overrides or wins over the 
less specific ones (the net) but does this setup work so that the LAN 
clients can access the FW box just like every other host on the internet? 
How do I configure eth1 ? Just bring it up without any IP at all?

Or should I better make the FW box a transparent bridge for the filtering 
with one IP where it reacts itself ?

Thanks for all hints
CU
René


[LARTC] Multiple uplinks through single ethernet

2004-10-28 Thread Chris Bennett
Next week I'm replacing my single SDSL connection with two ADSL connections. 
I've got a plan for dealing with this, but I'd like any thoughts on 
potential problems I might run into.

My goal is not to load balance the bandwidth (yet), but I do want to run all 
traffic through a single router.  At the moment this router only has one 
ethernet port for both of the ADSL connections (and another ethernet port 
for the local network) so this is my biggest concern.  The example in the 
HOWTO assumes a separate ethernet port for each uplink.

Here's the intended setup:
ADSL 1 = 6mbps/768kbps, several static IPs on 66.92.128.0/24 (gw = .1)
ADSL 2 = 6mbps/768kbps, several static IPs on 69.17.22.0/24 (gw = .1)

LOCAL NET              ROUTER               INTERNET
                   -----------------
192.168.A.0/24 ----| -NAT-         |---- ADSL 1
                   |ETH0       ETH1|
192.168.B.0/24 ----| -NAT-         |---- ADSL 2
                   -----------------

For example (to make up some numbers):
subnet A:
192.168.1.2 -> 66.92.128.2
192.168.1.3 -> 66.92.128.3
subnet B:
192.168.2.2 -> 69.17.22.2
192.168.2.3 -> 69.17.22.3

The default route to the Internet will be 66.92.128.1 via ADSL 1, but all 
traffic for internal subnet B (SNATs to 69.17.22.xx) should instead route to 
69.17.22.1 via ADSL 2.

I think (but correct me if I'm wrong) the command for this is:
ip route add 69.17.22.0/24 dev eth1 src 69.17.22.2
So are there any problems with this setup?  Is there any need for separate 
routing tables if both ADSL connections are on the same ethernet port?  My 
router is a mini-itx so I'm not sure I can easily fit another ethernet port 
in it, but I could look into that if it would really make things work better.

Thanks!
Chris 
