[LARTC] Reviewing my shaping strategy
Hi everybody I've been using htb to shape traffic successfully for quite a while now but I am wondering if it can be improved in some ways. We are 3 companies sharing a 192Kbit connection to our ISP. I want each company to have a rate of 64Kbit and a ceiling of 192Kbit so that they can borrow from each other. Additionally we want ssh to have very low delays and be quite responsive. I also want to ensure that incoming DNS and SYN requests don't time out when all 3 companies is using all of their available 64Kbit. After all, if these packets don't make it through then the shaping can't be fair. This is how my setup looks. I have a bridge over 2 ethernet cards so that I can effectively shape incoming and outgoing traffic. I'm only showing filters for one ethernet card here. # root class tc class add dev eth1 parent 1: classid 1:1 htb rate 192kbit ceil 192kbit # I use 2Kbit from each company for SYN, ACK and DNS request, leaving # them with 62Kbit each tc class add dev eth1 parent 1:1 classid 1:10 htb rate 6kbit ceil 192kbit prio 0 # For each company I give ssh a higher priority # Company 1 (2, 3 has the same classes) tc class add dev eth1 parent 1:1 classid 1:21 htb \ rate 62kbit ceil 192kbit prio 1 # Class for SSH tc class add dev eth1 parent 1:21 classid 1:210 htb \ rate 32kbit ceil 192kbit prio 0 # The rest tc class add dev eth1 parent 1:21 classid 1:211 htb \ rate 30kbit ceil 192kbit prio 1 # ACK bit filter tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip protocol 6 0xff \ match u8 0x05 0x0f at 0 \ match u16 0x 0xffc0 at 2 \ match u8 0x10 0xff at 33 \ flowid 1:10 # I don't know if this one is correct # SYN bit filter tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip protocol 6 0xff \ match u8 0x02 0x0f at 0 \ flowid 1:10 # DNS filter tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip dport 53 0x \ match ip protocol 17 0xff \ flowid 1:10 tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip sport 53 0x \ match ip protocol 17 0xff \ flowid 1:10 # Company1 Filters (2, 3 has the same filters) # Filter for SSH tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip dst X.Y.Z \ match ip dport 22 0x \ match ip protocol 6 0xff \ flowid 1:210 # Filter for the rest tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip dst X.Y.Z \ flowid 1:211 If you think the above can be improved in any way or see obvious gaps in my shaping strategy please let me know. One final question I have. If one uses the u32 filter does the mask get XOR'ed or AND'ed with the incoming packet. Is there any easy way to calculate the mask? -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Filtering ACK bits smaller than 64 bytes
Urghm, found my problem. tc filter add dev eth1 parent 1:0 prio 1 u32 \ should have been: tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 \ ^^^ > Hi there > > I want to add a filter for all ACK bits smaller than 64 bytes for a > specific ip destination, but I get RTNETLINK answers: invalid argument. > Any idea what is wrong with the filter below: > > tc filter add dev eth1 parent 1:0 prio 1 u32 \ > match ip dst 196.44.35.53 \ > match ip protocol 6 0xff \ > match u8 0x05 0x0f at 0 \ > match u16 0x 0xffc0 at 2 \ > match u8 0x10 0xff at 33 \ > flowid 1:20 -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[LARTC] Filtering ACK bits smaller than 64 bytes
Hi there I want to add a filter for all ACK bits smaller than 64 bytes for a specific ip destination, but I get RTNETLINK answers: invalid argument. Any idea what is wrong with the filter below: tc filter add dev eth1 parent 1:0 prio 1 u32 \ match ip dst 196.44.35.53 \ match ip protocol 6 0xff \ match u8 0x05 0x0f at 0 \ match u16 0x 0xffc0 at 2 \ match u8 0x10 0xff at 33 \ flowid 1:20 Thanks, -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Linking two networks
Ignore me previous post, my firewall was toasting me ;-) -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Linking two networks
Hi Abraham > Ok, so this (otoh so don't blame me if it doesn't work *g*) in your inittab > should do the job: > > < snip <--< snip <--< snip < > # At office > S0:23:respawn:/usr/sbin/pppd /dev/ttyS0 115200 modem noauth crtscts persist \ > 192.168.1.10:192.168.2.10 nodetach >>/var/log/leased.log Instead of re-assigning 192.168.1.10 to eth1 at the office I just set loc_ip:rem_ip in my ppp options to 192.168.1.1:192.168.2.1 because to many hosts already point to 192.168.1.1 as their gateway. I think this boils down to the same thing. This works partially. I have one host behind 192.168.2.1 (gateway at home) with the ip 192.168.2.2. I had to add a route to 192.168.1.1 (gateway at the office) before 192.168.2.2 could see 192.168.1.1: route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1 So now 192.168.2.2 can see 192.168.1.1 as gateway, but the hosts on the 192.168.1.0 network at the office can't reach the 192.168.2.0 network at home. I tried to ping 192.168.2.1 from 192.168.1.2 (a host behind the 192.168.1.1 gateway) and got no response so I investigated with tcpdump. On 192.168.1.1 the output of tcpdump -i eth1 is: 10:20:43.432529 < 192.168.1.2 > 192.168.2.1: icmp: echo request (DF) 10:20:44.432621 < 192.168.1.2 > 192.168.2.1: icmp: echo request (DF) 10:20:45.432556 < 192.168.1.2 > 192.168.2.1: icmp: echo request (DF) 10:20:46.432560 < 192.168.1.2 > 192.168.2.1: icmp: echo request (DF) So no "echo reply", then I did a tcpdump -i ppp0 to see if these packets actually reach the ppp device and they don't. This is how the routing table at the office looks like now: Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.1 0.0.0.0 255.255.255.255 UH0 0 0 eth1 192.168.2.1 0.0.0.0 255.255.255.255 UH0 0 0 ppp0 196.x.y.51 0.0.0.0 255.255.255.255 UH0 0 0 eth0 196.x.y.48 0.0.0.0 255.255.255.240 U 0 0 0 eth0 192.168.2.0 192.168.1.1 255.255.255.0 UG0 0 0 ppp0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 196.44.35.49 0.0.0.0 UG0 0 0 eth0 -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Linking two networks
Thanks for your help. I will try this later this afternoon and let you know. I think I understand a bit more about routing and networks now. On Sat, 30 Nov 2002 14:37:09 +0200 Abraham van der Merwe <[EMAIL PROTECTED]> wrote: > Hi Roch?! > > > > On your home gateway's eth0 assign 192.168.2.10 and on your office's > > > side, assign 192.168.1.10 to eth1. Then use unnumbered ppp on both > > > sides and make sure that ip forwarding is enabled on the office gw. > > > > I don't quite follow how to set up unnumbered ppp. Should I just omit > > the local_ip:remote_ip in my ppp options file at home? > > That is correct. See, ppp is a point-to-point protocol, so traffic can only > go in two directions anyway, so you can tell ppp not to use any kind of > layer 3 routing and just send packets to the other side automatically. > > In Linux you do that by just specifying local_ip:remote_ip on the server > side and : on the client side. > > > > Of course, you probably have /etc/ppp/* with the pon/poff scripts in > > > which case you need to add above to your /etc/ppp/peers/* scripts > > > > At the moment I have no scripts in place - I'm doing it manually to see > > what works and what I should eventually put in the scripts. I only have > > /etc/ppp/options on both sides. > > Ok, so this (otoh so don't blame me if it doesn't work *g*) in your inittab > should do the job: > > < snip <--< snip <--< snip < > # At office > S0:23:respawn:/usr/sbin/pppd /dev/ttyS0 115200 modem noauth crtscts persist \ > 192.168.1.10:192.168.2.10 nodetach >>/var/log/leased.log > > # At home > S0:23:respawn:/usr/sbin/pppd /dev/ttyS0 115200 noauth lock debug crtscts > defaultroute persist nodetach >>/var/log/leased.log > < snip <--< snip <--< snip < > > -- > > Regards > Abraham > > A morsel of genuine history is a thing so rare as to be always valuable. > -- Thomas Jefferson > > ___ > Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks > P.O. Box 3472, Matieland, Stellenbosch, 7602 > Cell: +27 82 565 4451 Http: http://www.frogfoot.net > Email: [EMAIL PROTECTED] > > -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Linking two networks
On Sat, 30 Nov 2002 13:53:57 +0200 Abraham van der Merwe <[EMAIL PROTECTED]> wrote: Thanks for the advice :-) > You don't need to add a route to get to 192.168.1.0/24 since you your > default gw will route packets to that network anyway. You are also use > 192.168.1.10 as a gateway to get onto the 1/24 network which won't > work (you can't use a machine on the network which you want to reach > as a gateway). You want to be using 192.168.2.10 as a gateway to get > onto the 1/24 network. Mmm, thought I had something upside down. > > Also, you can use unnumbered ppp. Just do this: > > On your home gateway's eth0 assign 192.168.2.10 and on your office's > side, assign 192.168.1.10 to eth1. Then use unnumbered ppp on both > sides and make sure that ip forwarding is enabled on the office gw. I don't quite follow how to set up unnumbered ppp. Should I just omit the local_ip:remote_ip in my ppp options file at home? > > On your office side, you'll have > > pppd ... 192.168.1.10:192.168.2.10 > > and on your home side, you'll have > > pppd ... defaultroute : > > Of course, you probably have /etc/ppp/* with the pon/poff scripts in > which case you need to add above to your /etc/ppp/peers/* scripts At the moment I have no scripts in place - I'm doing it manually to see what works and what I should eventually put in the scripts. I only have /etc/ppp/options on both sides. -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[LARTC] Linking two networks
Hi there I just had a data line installed between my home and the office. I've managed to connect the two sides successfully with ppp and the gateways on both sides can see each other. I want the hosts behind the gateways to see each other as well and although this is discussed in some howtos I couldn't get this right and need some help with the routing. Here's my setup: At home I have a 192.168.2.0 network and at the office I have a 192.168.1.0 network. The gateway at home is 192.168.2.10 and at the office it is 192.168.1.10. My routing table at home looks like this: Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.10 0.0.0.0 255.255.255.255 UH0 0 0 ppp0 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.1.0 192.168.1.10 255.255.255.0 UG0 0 0 ppp0 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0 My routing table at work looks like this: Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.1 0.0.0.0 255.255.255.255 UH0 0 0 eth1 192.168.2.10 0.0.0.0 255.255.255.255 UH0 0 0 ppp0 196.x.y.51 0.0.0.0 255.255.255.255 UH0 0 0 eth0 196.x.y.48 0.0.0.0 255.255.255.240 U 0 0 0 eth0 192.168.2.0 192.168.2.10 255.255.255.0 UG0 0 0 ppp0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 127.0.0.00.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 196.44.35.49 0.0.0.0 UG0 0 0 eth0 Here eth0 is connected to my ISP and eth1 is connect to the local lan. Now if I am logged in at 192.168.1.10 (the gateway at the office) and try to ping a host behind the gateway at home (eg. 192.168.2.2) then it looks like the packets make it to that host but 192.168.2.2 cannot locate host 192.168.1.10 and can therefor not send the echo reply. 192.168.2.2 has 192.168.2.1 as gateway. Any ideas what might be wrong? -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Bridge with Traffic shaping
Hi Stef I think I caused unnecessary alarm. There was actually a network cable connecting my router and hub behind the linux box that does the shaping, duh :-) I forgot to pull it out once I move some servers around causing very little traffic to go through the box doing the shaping. On Mon, 2002-07-29 at 14:54, Stef Coene wrote: > > If I understand correctly I can shape incoming traffic by setting > > up a qdisc on eth0 and filters that match any of the ip addresses > > in my public subnet sitting behind the linux box that currently does > > the traffic shaping. > But all traffic coming on eth0 is leaving eht1 and vice versa. So shaping > incoming traffic on eth0 is the same as shaping outgoing traffic on eth1. This seems to be working now. Are there tools that I can test this with. Traffic seems to go through all classes now and there is good amount of borrowed and lended packets on all classes. -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
RE: [LARTC] Bridge with Traffic shaping
> what kinda bridge are you using? > bridge-nf? if you are it says it only supports iptables, you would have to > mark the packets then use filter to put the marked packets into > teh correct > queue for managing Yes I'm using bridge-nf, but as far as I understand bridge-nf doesn't require iptables for shaping - you only need to patch your kernel if you _want_ to use iptables. I am in any case not using "fw" but using "u32" which should match anything in a packet header. -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
RE: [LARTC] Bridge with Traffic shaping
> On Saturday 27 July 2002 19:56, Roché Compaan wrote: > > Hi, > > > > I am fairly new to routing and traffic control but I with the > > help of the lartc howto I managed to setup a bridge with htb > > traffic control. The traffic shapping does not seem to work > > as I expected and I would really appreciate if somebody > > can tell my why this is the case. > > > > My setup: > > I have a DSL router connecting a /28 network to the internet. > > I put a linux box with 2 ethernet cards between my router and > > the rest of the subnet. I set up the linux box as an ethernet > > bridge where the 2 ethernet cards has no ip address and the > > bridge has an ip address. I patched the kernel with the IMQ > > patch so that I can shape incoming traffic. eth0 is connected > > to the router and eth1 is connect to the rest of the public > > subnet. I have an iptables rule that routes all traffic on eth1 > > to the imq device. > If you put all incoming traffic on eth1 in the imq device, why > don't you use > the outgoing traffic on eth0 do the same shaping? All traffic > entering the > box on eth1 leaves the box on eth0. That way you don't need the > imq device. If I understand correctly I can shape incoming traffic by setting up a qdisc on eth0 and filters that match any of the ip addresses in my public subnet sitting behind the linux box that currently does the traffic shaping. Ok, I tried this but all traffic still seems to match only the default htb class. Here's my tc script: #!/bin/bash tc qdisc del dev eth0 root tc qdisc add dev eth0 root handle 1: htb default 12 tc class add dev eth0 parent 1: classid 1:1 htb rate 128kbit ceil 128kbit tc class add dev eth0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit tc class add dev eth0 parent 1:1 classid 1:11 htb rate 32kbit ceil 128kbit tc class add dev eth0 parent 1:1 classid 1:12 htb rate 32kbit ceil 128kbit tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \ match ip dst 196.xx.yy.53 flowid 1:10 tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \ match ip dst 196.xx.yy.54 flowid 1:10 tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \ match ip dst 196.xx.yy.55 flowid 1:10 tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \ match ip dst 196.xx.yy.51 flowid 1:11 tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \ match ip dst 196.xx.yy.52 flowid 1:11 And this is the ouput of "tc -s -d class show dev eth0": class htb 1:1 root prio 0 rate 128Kbit ceil 128Kbit burst 1753b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 1638 level 3 Sent 83954 bytes 576 pkts (dropped 0, overlimits 0) rate 30bps lended: 114 borrowed: 0 giants: 0 injects: 0 tokens: 101 ctokens: 101 class htb 1:10 parent 1:1 prio 0 rate 64Kbit ceil 128Kbit burst 1679b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 819 level 0 Sent 0 bytes 0 pkts (dropped 0, overlimits 0) lended: 0 borrowed: 0 giants: 0 injects: 0 tokens: 205 ctokens: 107 class htb 1:12 parent 1:1 prio 0 rate 32Kbit ceil 128Kbit burst 1638b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 409 level 0 Sent 12864 bytes 215 pkts (dropped 0, overlimits 0) rate 30bps lended: 215 borrowed: 0 giants: 0 injects: 0 tokens: 387 ctokens: 104 class htb 1:11 parent 1:1 prio 0 rate 32Kbit ceil 128Kbit burst 1638b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 409 level 0 Sent 71090 bytes 361 pkts (dropped 0, overlimits 97) lended: 247 borrowed: 114 giants: 0 injects: 0 tokens: 373 ctokens: 101 No packets seem to match any of the other classes although tcpdump confirms that there are definitely traffic destined for the ip addresses mentioned in my filters. -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[LARTC] Bridge with Traffic shaping
Hi, I am fairly new to routing and traffic control but I with the help of the lartc howto I managed to setup a bridge with htb traffic control. The traffic shapping does not seem to work as I expected and I would really appreciate if somebody can tell my why this is the case. My setup: I have a DSL router connecting a /28 network to the internet. I put a linux box with 2 ethernet cards between my router and the rest of the subnet. I set up the linux box as an ethernet bridge where the 2 ethernet cards has no ip address and the bridge has an ip address. I patched the kernel with the IMQ patch so that I can shape incoming traffic. eth0 is connected to the router and eth1 is connect to the rest of the public subnet. I have an iptables rule that routes all traffic on eth1 to the imq device. I started with a very simple htb setup to make testing easier: #!/bin/bash tc qdisc del dev imq0 root ip link set imq0 down tc qdisc add dev imq0 root handle 1: htb default 12 tc class add dev imq0 parent 1: classid 1:1 htb rate 128kbit ceil 128kbit tc class add dev imq0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit tc class add dev imq0 parent 1:1 classid 1:11 htb rate 32kbit ceil 128kbit tc class add dev imq0 parent 1:1 classid 1:12 htb rate 32kbit ceil 128kbit tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 \ match ip dst 196.44.35.53 flowid 1:10 tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 \ match ip dst 196.44.35.54 flowid 1:10 tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 \ match ip dst 196.44.35.55 flowid 1:10 tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 \ match ip dst 196.44.35.51 flowid 1:11 tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 \ match ip dst 196.44.35.52 flowid 1:11 iptables -F iptables -X iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0 ip link set imq0 up My problem is that all traffic seems to go through the default htb class although there are lots of traffic matching the other 2 classes. root@griet root # tc -d -s class show dev imq0 class htb 1:1 root prio 0 rate 128Kbit ceil 128Kbit burst 1753b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 1638 level 3 Sent 13194 bytes 147 pkts (dropped 0, overlimits 0) rate 7bps lended: 0 borrowed: 0 giants: 0 injects: 0 tokens: 101 ctokens: 101 class htb 1:10 parent 1:1 prio 0 rate 64Kbit ceil 128Kbit burst 1679b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 819 level 0 Sent 0 bytes 0 pkts (dropped 0, overlimits 0) lended: 0 borrowed: 0 giants: 0 injects: 0 tokens: 205 ctokens: 107 class htb 1:11 parent 1:1 prio 0 rate 32Kbit ceil 128Kbit burst 1638b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 409 level 0 Sent 0 bytes 0 pkts (dropped 0, overlimits 0) lended: 0 borrowed: 0 giants: 0 injects: 0 tokens: 400 ctokens: 107 class htb 1:12 parent 1:1 prio 0 rate 32Kbit ceil 128Kbit burst 1638b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 409 level 0 Sent 13194 bytes 147 pkts (dropped 0, overlimits 0) rate 7bps lended: 147 borrowed: 0 giants: 0 injects: 0 tokens: 373 ctokens: 101 Any help would be greatly appreciated. -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/