[LARTC] public root server with /64 IPv6 & my local home inet

2011-05-03 Thread Christian Parpart
Hey all,

I am having a publicly reachable root server with its own /64 IPv6 block ready, 
and at home still IPv4, but with a WRT54GL with a fresh OpenWRT (IPv6-capable) 
installed.

Now I want to bridge the IPv6 network from my root server to use this 64-bit 
block *locally*, leaving the primary address at the public root server, and 
distribute the remaining ones to my home's computers.

I hope I described my goal just right, but currently I'm a little 
overwhelmed by questions about what the right way to go would be.

AFAIK, I am in no need of a tunnel broker because I already have an IPv6 
block, but I need to set up a virtual network that connects my root server with 
my wrt54gl router, which then forwards all IPv6 traffic between the hosts behind 
it and the root server.

From my point of view, radvd should *ideally* be installed on the root server, 
but this is where it ends for me - I just hope I do not need too many layering 
tools like OpenVPN to achieve this goal.

What can I do?

Regards,
Christian Parpart.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] custom routing (two gateways)

2007-07-10 Thread Christian Parpart
On Monday 09 July 2007 21:01:26 Grant Taylor wrote:
> On 07/09/07 13:07, Christian Parpart wrote:
> > I tried here several approaches, like adding custom routing tables,
> > and modifying the tables (including main) either I got no answers
> > routed to the FW or no traffic got routed to the LB.
>
> I think you were on the right path.
>
> I would set up a custom routing table for traffic associated with the
> load balancer to use.  This load balancer routing table would use the
> load balancer as the default gateway.
>
> You would then use ip rule(s) to determine which traffic would deviate
> from the normal default routing tables and use the load balancer routing
> table.  This could probably be done based on source port on the web
> server, or based on connection / packet marks in IPTables.  However you
> do it, you will probably need an additional routing table.
>
> Keep going the direction you were, or perhaps post some of what you did
> try and let us take a look at it to see if you were close.

I finally found a way, and your hint (select by server port number) finally 
helped me to get rid of it :)

The following is the script to be executed at bootup to setup the additional 
routing table.

#! /bin/bash
# sets up additional routing table for load balancer traffic on a node

# ----------------------------------------------------------------------
LB_IP=10.10.10.4                # load balancer IP
LB_IF=eth0                      # ethernet interface the load balancer is talking from/to

rt_table_name=loadbalancer      # LB routing table name
rt_table_num=200                # LB routing table ID

fwmark=1                        # FW mark to use for LB traffic

service_port=8000               # HTTP port for lighttpd on local machine that
                                # serves for the load balancer
# ----------------------------------------------------------------------

# just ensure that we have a routing table called loadbalancer
if ! grep -qw "${rt_table_name}" /etc/iproute2/rt_tables; then
    echo "${rt_table_num} ${rt_table_name}" >> /etc/iproute2/rt_tables
fi

# add a default route for communication from LB<->this_host
ip route flush table ${rt_table_name}
ip route add default via ${LB_IP} dev ${LB_IF} table ${rt_table_name}

# add a selector rule for which packets we want to use the LB routing table
# (ip rule add is not idempotent: drop an old copy first so reruns don't stack rules)
ip rule del fwmark ${fwmark} table ${rt_table_name} 2>/dev/null
ip rule add fwmark ${fwmark} table ${rt_table_name}

# finally lets mark all packets that shall be sent out to the LB
iptables -t mangle -A OUTPUT -p tcp --sport ${service_port} -j MARK --set-mark ${fwmark}
# --(doesn't work? why?)-- iptables -t mangle -A INPUT -p tcp --dport ${service_port} -j CONNMARK --set-mark ${fwmark}


However, as you might see, I first tried to fwmark all packets by connection 
matching, using CONNMARK, so that I only need to select all incoming traffic 
that came from the load balancer as the previous hop and with our service port 
8000, and let iptables itself mark all further connection-related packets 
automatically. But this didn't work out, unfortunately, and I am using the 
OUTPUT chain to match the packets.
What is the better approach anyway?

Thanks for your help,
Christian Parpart.




[LARTC] custom routing (two gateways)

2007-07-09 Thread Christian Parpart
Hi all,

I'm having a somewhat stupid problem I can't get rid of.

We've a server that accepts incoming world connections 
from a load balancer (10.10.10.4) to port 80,
and we still want to serve incoming ssh/http from the firewall (10.10.10.1) 
routed to this host (10.10.10.90), and their reply packets of course shall be 
sent out through the firewall.
Unfortunately, both hosts (the load balancer (LB) and the firewall (FW)) are on 
the same subnet (10.10.10.0/24) and thus on the same interface (eth0), but 
I need to find a solution.

So, packets sent from the LB shall get their answer through the LB as nexthop, 
of course, and likewise incoming packets from the FW shall have their response 
packets sent out to the FW as nexthop, too.

But how to realise this?

server:   10.10.10.90 (this is the problem host)
firewall(FW): 10.10.10.1 (we receive (mostly) ssh/https conns from it)
loadbalancer(LB): 10.10.10.4 (we receive http conns from it)

FW and LB are accepting/forwarding and routing connections from the world to 
our server.

server ~ # ip route list
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.90
10.10.10.0/24 dev eth0  proto kernel  scope link  src 10.10.10.90
127.0.0.0/8 dev lo  scope link
default via 10.10.10.1 dev eth0

You see, default traffic is routed through the firewall as the default 
gateway... but now, we want to have outgoing traffic caused from incoming 
packets from the load balancer to be routed back through the loadbalancer 
itself.

I tried several approaches here, like adding custom routing tables and 
modifying the tables (including main); either I got no answers routed to the 
FW or no traffic got routed to the LB.

Can you please give me a hint on how to find the right way?

Thanks in advance,
Christian Parpart.


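Added example (editor's, not from the thread or its posters): the CONNMARK variant that the follow-up script above leaves commented out, done so that it works. The `ip rule ... fwmark` selector tests the packet mark, and `CONNMARK --set-mark` only writes the mark into the conntrack entry, so the locally generated replies still carry mark 0 unless `CONNMARK --restore-mark` copies it back onto them in the OUTPUT chain. Values taken from the posts: LB 10.10.10.4 on eth0, service port 8000, table 200 and mark 1 from the script. By default the commands are only printed; run it as root with APPLY=1 to apply them.

```sh
#!/bin/sh
# Added example (not from the thread): send replies of connections that came
# in via the load balancer back out via the load balancer, using CONNMARK so
# that every packet of such a connection inherits the mark.
#
# `ip rule ... fwmark` matches the packet mark (skb->mark). `CONNMARK
# --set-mark` only stores a mark in the conntrack entry; without
# `CONNMARK --restore-mark` on the locally generated replies, the packet
# mark stays 0 and the main table (default via the firewall) is used.
#
# Assumed values (from the posts): LB 10.10.10.4 on eth0, service port 8000.
# Commands are printed by default; run as root with APPLY=1 to execute.

LB_IP=${LB_IP:-10.10.10.4}
LB_IF=${LB_IF:-eth0}
SERVICE_PORT=${SERVICE_PORT:-8000}
TABLE=200        # numeric table id; no entry in /etc/iproute2/rt_tables needed
FWMARK=1

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Routing: default via the LB in its own table. `ip route replace` is
# idempotent; `ip rule add` is not, so drop a stale selector first.
setup_lb_table() {
    run ip route replace default via "$LB_IP" dev "$LB_IF" table "$TABLE"
    run ip rule del fwmark "$FWMARK" table "$TABLE" 2>/dev/null
    run ip rule add fwmark "$FWMARK" table "$TABLE"
}

# Marking: the first packet of a connection to the service port sets the
# conntrack mark; OUTPUT copies that mark onto every reply packet, which
# makes the kernel re-run the route lookup with the mark set.
setup_lb_marks() {
    run iptables -t mangle -A PREROUTING -i "$LB_IF" -p tcp --dport "$SERVICE_PORT" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$FWMARK"
    run iptables -t mangle -A OUTPUT -m connmark --mark "$FWMARK" \
        -j CONNMARK --restore-mark
}

setup_lb_table
setup_lb_marks
```

Selecting the connection on its first packet by destination port keeps the poster's assumption that only the load balancer talks to port 8000. If the firewall could reach that port too and the load balancer forwards rather than proxies, match the load balancer's source MAC (`-m mac --mac-source`) in PREROUTING instead, since forwarded packets carry the client's address, not the LB's.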


Re: [LARTC] newbie: TC[NG] with (256kbit/s down and 768kbit/s up) on a router

2004-04-28 Thread Christian Parpart

On Monday 26 April 2004 10:01, Andy Furniss wrote:
> > On Sunday 25 April 2004 09:06, Andy Furniss wrote:
> >>Jason Boxman wrote:
> >>>Egress is easy.  Ingress seems to be a topic that is discussed often on
> >>>LARTC, and I believe your options are to either use an ingress policer
> >>> or the IMQ target.  The former you can do directly with tcng, the
> >>> latter I believe you cannot.
> >>
> >>I know nothing about TCNG so can't help there.
> >>
> >>You can shape ingress without using IMQ as long as you have just one LAN
> >>interface and don't care about traffic headed for the shaping PC. You
> >>just shape on the LAN interface.
> >
> > But *how* does such a setup look like now, either in tcng or in tc
> > syntax?
> >
> > This is what I actually do:
[...zap...]
> >
> > This is my script. And I do not really know *where* to differ
> > here to once shape the down-stream, and once to shape the up-stream.
> >
> > I'd be really really very happy, if someone would point
> > me in this *wrong* script to the right direction.
>
> You have to set you rates lower than your real rates - for ingress about
> 80% so you actually get queues growing that you can control. For egress
> about 85% with dsl as there are extra overheads and TC counts IP size.

thx.

> You should be shaping on eth0 if that's your LAN facing interface - you
> shape egress from the shaping box to the LAN to do ingress (on simple
> setups). The src IP match needs to change to dst.
>
> As it is the script may have too big queues - but should work as a test,
> you may also endup wanting to split interactive traffic from bulk to
> make things nicer for users - but that sort of thing is policy to be
> thought about/agreed by users.

This is all nice, but I'd be happy to see some *working* example code. That's 
why I posted my *wrong* setup, so that it is possible to point me in the right 
direction by showing me *what* I did wrong.

Could someone show me some simple example code for ingress+egress shaping for 
ppp0 (for a router with clients at eth0)?

thanks in advance,
Christian Parpart.

> Andy.
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] newbie: TC[NG] with (256kbit/s down and 768kbit/s up) on a router

2004-04-25 Thread Christian Parpart

On Sunday 25 April 2004 09:06, Andy Furniss wrote:
> Jason Boxman wrote:
> > Egress is easy.  Ingress seems to be a topic that is discussed often on
> > LARTC, and I believe your options are to either use an ingress policer or
> > the IMQ target.  The former you can do directly with tcng, the latter I
> > believe you cannot.
>
> I know nothing about TCNG so can't help there.
>
> You can shape ingress without using IMQ as long as you have just one LAN
> interface and don't care about traffic headed for the shaping PC. You
> just shape on the LAN interface.

But *how* does such a setup look like now, either in tcng or in tc syntax?

This is what I actually do:
--
#! /bin/sh

DEV=ppp0
UP=256
DOWN=768
CLIENTS="192.168.2.1 192.168.2.2 192.168.2.3 192.168.2.5 192.168.2.6 192.168.2.7 192.168.2.8"
TC=$(which tc)

# number of clients, for the per-client share
set -- $CLIENTS
NumClients=$#

# reset
$TC qdisc del dev ${DEV} root >/dev/null 2>&1
$TC qdisc del dev ${DEV} ingress >/dev/null 2>&1

# attach HTB queue discipline to device $DEV
$TC qdisc add dev $DEV root handle 1: htb default 12

# root class that the client classes hang off (and borrow from)
$TC class add dev $DEV parent 1: classid 1:1 htb rate ${DOWN}kbit ceil ${DOWN}kbit

# create client classes for shaping DOWN-stream
crate=$((DOWN / NumClients))
i=0
for host in $CLIENTS; do
  $TC class add dev $DEV parent 1:1 classid 1:1$i htb rate ${crate}kbit ceil ${DOWN}kbit
  $TC filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src $host flowid 1:1$i
  i=$((i + 1))
done

# TODO shaping UP stream
--

This is my script. And I do not really know *where* to differ
here to once shape the down-stream, and once to shape the up-stream.

I'd be really very happy if someone would point
me in the right direction with this *wrong* script.

Many thanks,
Christian Parpart.
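Added example (editor's, not from the thread or its posters): a script for what Andy Furniss describes in the reply above and what the two posts ask for, ingress plus egress shaping on a router with the DSL link on ppp0 and the clients on eth0. Downstream is shaped as egress on eth0 (matching the destination address), upstream as egress on ppp0 (matching the source address), and the HTB rates are set to 80% and 85% of the link rates as suggested. The link rates (256 kbit/s down, 768 kbit/s up, from the subject line), the client addresses and the 8 kbit/s kept for unmatched traffic are assumptions; the commands are only printed unless APPLY=1 is set and the script runs as root.

```sh
#!/bin/sh
# Added example (not from the thread): HTB shaping in both directions on a
# router with the DSL link on ppp0 and the LAN on eth0, along the lines of
# Andy Furniss's advice. Downstream is shaped as egress on eth0 (the
# packets leave towards the clients, so match on the destination address);
# upstream is egress on ppp0, matched on the source address. Rates are set
# below the link rate (80% down, 85% up) so the queue builds here and not
# in the modem or at the ISP.
#
# Assumed: 256 kbit/s down, 768 kbit/s up (subject line), three clients.
# Commands are printed by default; run as root with APPLY=1 to execute.

WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
DOWN=${DOWN:-256}          # kbit/s, link rates as sold
UP=${UP:-768}
CLIENTS=${CLIENTS:-"192.168.2.1 192.168.2.2 192.168.2.3"}
MISC=8                     # kbit/s kept for unmatched traffic (the router itself)

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Start below the nominal rate; tc counts IP bytes, the line carries more.
down_rate() { echo $(( $1 * 80 / 100 )); }
up_rate()   { echo $(( $1 * 85 / 100 )); }

# shape_dev DEV CEIL_KBIT dst|src CLIENT...
# One HTB tree per interface: root class 1:1 holds the usable rate, each
# client gets an equal guaranteed share and may borrow up to the ceiling,
# class 1:99 catches whatever no filter matched.
shape_dev() {
    dev=$1; ceil=$2; dir=$3; shift 3
    per=$(( (ceil - MISC) / $# ))
    run tc qdisc del dev "$dev" root 2>/dev/null
    run tc qdisc add dev "$dev" root handle 1: htb default 99
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${ceil}kbit" ceil "${ceil}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:99 htb rate "${MISC}kbit" ceil "${ceil}kbit"
    i=10
    for host in "$@"; do
        run tc class add dev "$dev" parent 1:1 classid "1:$i" htb rate "${per}kbit" ceil "${ceil}kbit"
        run tc qdisc add dev "$dev" parent "1:$i" handle "$i:" sfq perturb 10
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip "$dir" "$host" flowid "1:$i"
        i=$((i + 1))
    done
}

shape_all() {
    shape_dev "$LAN" "$(down_rate "$DOWN")" dst $CLIENTS   # downstream, towards the clients
    shape_dev "$WAN" "$(up_rate "$UP")" src $CLIENTS       # upstream, out to the ISP
}

shape_all
```

This only covers traffic forwarded for the clients: packets to or from the router itself never pass eth0 on the way in, which is the limitation Andy mentions, and a second LAN interface would need its own tree.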


[LARTC] htb/iptables: incoming vs. outgoing shaping?

2002-09-06 Thread Christian Parpart


Hi all,

there's something I really don't understand. What I want 
to do is to shape my incoming _and_ my outgoing traffic in separate 
queues. I have a 256kbit up and 256kbit down link on eth1.
I want to use iptables to set the marks.

wan=eth1
lowin=1   # ; highin=2
lowout=5  # ; highout=6

# mark incoming traffic
iptables -t mangle -A PREROUTING -i $wan -p tcp --sport 80  \
   -j MARK --set-mark $lowin
# mark outgoing traffic
iptables -t mangle -A OUTPUT -o $wan -p tcp --dport 80 \
   -j MARK --set-mark $lowout

tc qdisc add dev $wan root handle 1: htb
tc class add dev $wan parent 1: classid 1:1 htb rate 256kbit # input shaping
tc class add dev $wan parent 1: classid 1:2 htb rate 256kbit # output shaping
tc class add dev $wan parent 1:1 classid 1:11 htb rate 64kbit # low in
tc class add dev $wan parent 1:1 classid 1:12 htb rate 192kbit # high in
tc class add dev $wan parent 1:2 classid 1:21 htb rate 64kbit # low out
tc class add dev $wan parent 1:2 classid 1:22 htb rate 192kbit # high out

# filters hang off the qdisc (1:), and the fw classifier takes the mark
# as its handle, given before the word "fw"
tc filter add dev $wan parent 1: protocol ip prio 1 \
handle $lowin fw flowid 1:11
tc filter add dev $wan parent 1: protocol ip prio 1 \
handle $lowout fw flowid 1:21

What I think I have done is that I've created two main queues (1:1 and 1:2), 
each one rated up to 256kbit. Each main queue got divided into a queue for 
low traffic (non-prioritized) and one for high traffic (prioritized).
Then I attached the filter that anchors the iptables-marked IP packets to 
their corresponding queue.

But does this really work? I also noticed somewhere that you can just shape 
input traffic, and for output you need a special IMQ target for iptables; 
why? And why doesn't it work in that way? 

Furthermore, is this right how I mark the outgoing traffic? Should this be 
done in POSTROUTING, or even somewhere else? It's that we've got 
PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING in table mangle.

Please, would you help me solving my problem?

Thanks in advance,
Christian Parpart.



[LARTC] HTB doesn't work?

2002-04-15 Thread Christian Parpart

Hi all,

I recently subscribed to this list and read about htb and its features.
So I tried it too, but without good results. My script seems to ignore 
the limit for class 1:20 (I've only tested it at 1:20).

I derived my example from the lartc howto.

            Main
           /  \  \
          /    \  \__ Pseudo (1kbit, default)
         /      \
    Gaming    Web-things
   [512Kbit]  [256Kbit]

Web-things are http, ftp, smtp, pop3, etc.

Downloading via http still gets ~80 Kbyte a second.
This is not good, since htb should limit it down to 256.

I'd be really very happy if anyone finds the bug in
my tc.sh test script.

Thanks in advance,
Christian Parpart.


tc.sh
Description: This is my script


Re: [LARTC] iptables marked packets want's to be queued.

2002-04-15 Thread Christian Parpart

Stef Coene inspired the electrons to say:

> On Monday 15 April 2002 11:02, Stef Coene wrote:
>
> > tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw classid
> > 10:11 Will put all packets marked with 21 in the class 10:11
>
> Oops :)  (still party time in my head)
>
> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 21 fw classid
> 10:11
>
> Will put all packets marked with 21 in the class 10:11
>
> Stef

Ah. So the handle parameter gets the marked value. 

Have many thanks,
Christian.




[LARTC] iptables marked packets want's to be queued.

2002-04-15 Thread Christian Parpart

Hi all,

that is yet another problem I can't solve.
I want to use iptables to match the packets to be queued but do not know 
how to tell my tc queues which marked packets to use.

EXAMPLE: 

ppp0 with 768Kbit downstream and 128Kbit upstream;
the privileged local port 27005 should get 512/96.

IPTABLES=$(which iptables)
TC=$(which tc)

# the marked packets below shall be privileged.
# (packets coming in on ppp0 are seen in PREROUTING, which takes -i, not -o)
$IPTABLES -t mangle -A PREROUTING -i ppp0 -p udp --sport 27005 \
  -j MARK --set-mark 21
# (packets going out on ppp0 are seen in POSTROUTING, which takes -o, not -i)
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -p udp --dport 27005 \
  -j MARK --set-mark 22
# the other packets may get the remaining bandwidth

# attach cbq to device ppp0 with handle 1: (the same as 1:0)
$TC qdisc add dev ppp0 root handle 1: cbq bandwidth 768Kbit avpkt 1000 mpu 64

# create the root class (1:1)
$TC class add dev ppp0 parent 1:0 classid 1:1 est 1sec 4sec cbq \
  bandwidth 768Kbit rate 768Kbit allot 1514 maxburst 50 avpkt 1000

# create class A (privileged 1:10)
$TC class add dev ppp0 parent 1:1 classid 1:10 est 1sec 4sec cbq \
  bandwidth 768Kbit rate 512Kbit allot 1514 maxburst 50 avpkt 1000

$TC qdisc add dev ppp0 parent 1:10 sfq quantum 1514b perturb 15

# create class B (the remaining 1:20)
$TC class add dev ppp0 parent 1:1 classid 1:20 est 1sec 4sec cbq \
  bandwidth 768Kbit rate 256Kbit allot 1514 maxburst 50 avpkt 1000

$TC qdisc add dev ppp0 parent 1:20 sfq quantum 1514b perturb 15

END EXAMPLE.

So. But how do I tell TC to queue the iptables-marked packets?

Many many thanks,
Christian.



[LARTC] How to handle TC on asyncron interfaces?

2002-04-15 Thread Christian Parpart

Hi all,

is this possible?

I have an asynchronous DSL connection (768Kbit/128Kbit). Or don't I really 
need to care about that?

My goal is to handle some destination ports with a guaranteed bandwidth and 
have all the other services in the background.

Privileged should get 512/96Kbit and the others may get the remaining 
bandwidth.

Does anyone have an idea?

Many thanks,
Christian Parpart.
http://www.surakware.net
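Added example (editor's, not from any of the 2002 posts): marking with iptables and classifying with the fw filter on the asymmetric 768/128 kbit/s ppp0 link of the last three posts, with 512/96 kbit/s reserved for UDP port 27005. It puts Stef Coene's answer into practice (the mark is the filter handle and comes before `fw`) and covers the ingress question of the "incoming vs. outgoing shaping" post: a qdisc shapes only what leaves an interface, so incoming traffic is policed on the ingress qdisc rather than queued. Which end owns port 27005 is an assumption (taken as the local port: source port when sending, destination port when receiving), as are the burst sizes; the commands are only printed unless APPLY=1 is set and the script runs as root.

```sh
#!/bin/sh
# Added example (not from the posts): iptables marks classified by the fw
# filter on an asymmetric DSL link. Assumed from the questions: ppp0 with
# 768 kbit/s down and 128 kbit/s up, local UDP port 27005 privileged with
# 512/96 kbit/s; the port is taken to be local (source port when sending,
# destination port when receiving).
#
# A qdisc shapes only what leaves an interface, so the egress HTB on ppp0
# sees the marks set in POSTROUTING. Packets arriving on ppp0 have already
# crossed the link: without IMQ they can only be policed (dropped above a
# rate) by the ingress qdisc, which is what police_downstream() does.
# Commands are printed by default; run as root with APPLY=1 to execute.

WAN=${WAN:-ppp0}
UP=128;   UP_PRIV=96       # kbit/s
DOWN=768; DOWN_PRIV=512
PORT=27005
MARK_PRIV=21

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Locally generated and forwarded packets both pass mangle POSTROUTING, so
# one rule marks everything the privileged local port sends out.
mark_privileged() {
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p udp --sport "$PORT" \
        -j MARK --set-mark "$MARK_PRIV"
}

# Upstream: HTB with a guaranteed class for the mark and a default class
# for the rest; both may borrow up to the full link rate.
shape_upstream() {
    other=$((UP - UP_PRIV))
    run tc qdisc del dev "$WAN" root 2>/dev/null
    run tc qdisc add dev "$WAN" root handle 1: htb default 20
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "${UP}kbit"
    run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate "${UP_PRIV}kbit" ceil "${UP}kbit" prio 0
    run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate "${other}kbit" ceil "${UP}kbit" prio 1
    run tc qdisc add dev "$WAN" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$WAN" parent 1:20 handle 20: sfq perturb 10
    # mark -> class: the mark is the filter handle and comes before "fw"
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$MARK_PRIV" fw flowid 1:10
}

# Downstream: no queue to put packets in, so police instead. UDP to the
# privileged port may use up to 512 kbit/s, everything else up to the
# remainder; TCP senders back off when their excess is dropped.
police_downstream() {
    other=$((DOWN - DOWN_PRIV))
    run tc qdisc del dev "$WAN" ingress 2>/dev/null
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip dport "$PORT" 0xffff \
        police rate "${DOWN_PRIV}kbit" burst 10k drop flowid :1
    run tc filter add dev "$WAN" parent ffff: protocol ip prio 2 u32 match u32 0 0 \
        police rate "${other}kbit" burst 10k drop flowid :1
}

mark_privileged
shape_upstream
police_downstream
```

Policing is a blunt tool compared with the egress queue: it cannot reorder, only drop, so the downstream guarantee holds for TCP flows that react to loss and is weaker for unresponsive UDP senders. Once more than one LAN host is behind the router, shaping downstream as egress on the LAN interface (as in the 2004 thread) gives real queues again.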