Re: [LARTC] most out of qos

2003-02-06 Thread Tomas Bonnedahl
yes, thanks for the idea. the reason i did not think of implementing this is that i
cannot see how it would help: the data has already passed the bottleneck with no
particular qos with regard to interactive sessions, which should mean, if i did
egress on the fw's internal interface, that the ssh/telnet data would come in
bursts from the fw to the host.

what i mean is this, i will try to illustrate it (this is if the egress on the fw
were implemented):

data (mostly bulk traffic, some interactive session traffic too) from the isp - fw
(buffers the bulk traffic, prioritizes the session traffic) - router and lan

this in turn would mean that after sending the session traffic the fw would send the
bulk traffic in its buffer. meanwhile the fw has received additional session and bulk
traffic, and so on.


maybe i'm missing something here?


thanks,

tomas

On Thu, Feb 06, 2003 at 09:55:37AM +0100, Rob Rankin wrote:
 Stick an egress filter on the LAN side of the firewall, and use it to
 control the *inbound* data from your ISP (downloads pass through the
 firewall and become *outbound* traffic on the LAN side / interface).
 
 Old style Ingress filtering in Linux is horrible.  It's a blanket rule
 stating if the bw gets above X, drop packets with no real filtering
 capability.
 
 Using an egress filter on the opposite side of the firewall from the
 traffic flow does actually work, although I'm not entirely sure it's a
 supported configuration.  For what it's worth, I have it set up exactly
 as I am suggesting on my firewalls, and it does actually work.  Peak
 downloads are slowed down, interactive sessions do get higher priority,
 etc.
 
 The other alternative would be to use the IMQ logical network device,
 which allows the use of HTB for both ingress and egress filtering.  I
 plan on moving to this type of setup as soon as I have a maintenance
 window long enough to drop the firewalls and bring them up to date with
 the new tools / patches necessary.
 
 Cheers, hope this was of some help.
 
 On Wed, 2003-02-05 at 22:28, Tomas Bonnedahl wrote:
  well, that tcp throttles down at the point where packets are dropped is of
  course good, but still, when a download is peaking at the maximum speed
  minus a couple kbits, the delay is terrible, that's what i want to change.
  any idea?
  
  regards,
  
  tomas bonnedahl
  
  On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
   On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
to get most out of qos in general, would the best thing be to set up qos on
both ends of a bottleneck with both ingress and egress filtering? the
reason for asking is because we have a 2mbit connection with egress
filtering qos, the problem is that we experience most downloads compared to
uploads and therefore the egress filtering doesn't provide much help.
   
what we could do is to get ingress filtering on our side here, but i don't
know how much that would help really, the data has already passed the
bottleneck in the path. so, my question, would i experience any different
delay if adding ingress filtering?
   Yes.  A tcp connection will throttle down  if you drop packets.  But this is 
   not the same as egress shaping.
   
it is a 2mbit fiber stub network which looks pretty much like this:
   
lan - router - fw - isp - internet
   
the egress qos is at the moment at the router which pretty much says
prioritize interactive sessions.
   
   
since the filtering for qos is rather simple, just telnet/ssh to a certain
host, should i contact my isp and ask them to set some egress qos going to
our network on the cisco router that is at their place? btw, anyone know
how good the qos is on cisco 2600?
   I have no idea how the qos works on cisco router.
   Just give it a try and see what happens.
   
   Stef
   
   -- 
   
   [EMAIL PROTECTED]
Using Linux as bandwidth manager
http://www.docum.org/
#lartc @ irc.oftc.net
   
   
 -- 
 Rob Rankin
 [EMAIL PROTECTED]
 http://undertow.ca
 
 
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



Re: [LARTC] most out of qos

2003-02-06 Thread Stef Coene
On Wednesday 05 February 2003 22:28, Tomas Bonnedahl wrote:
 well, that tcp throttles down at the point where packets are dropped is of
 course good, but still, when a download is peaking at the maximum speed
 minus a couple kbits, the delay is terrible, that's what i want to change.
 any idea?
You can give the download 98% of the link so there is always 2% available for 
something else.  It also helps to throttle down _all_ incoming bandwidth to 
99% of your link so _you_ are shaping and not your router.  

Stef


 regards,

 tomas bonnedahl

 On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
  On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
   to get most out of qos in general, would the best thing be to set up
   qos on both ends of a bottleneck with both ingress and egress
   filtering? the reason for asking is because we have a 2mbit connection
   with egress filtering qos, the problem is that we experience most
   downloads compared to uploads and therefore the egress filtering doesn't
   provide much help.
  
   what we could do is to get ingress filtering on our side here, but i
   don't know how much that would help really, the data has already passed
   the bottleneck in the path. so, my question, would i experience any
   different delay if adding ingress filtering?
 
  Yes.  A tcp connection will throttle down  if you drop packets.  But this
  is not the same as egress shaping.
 
   it is a 2mbit fiber stub network which looks pretty much like this:
  
   lan - router - fw - isp - internet
  
   the egress qos is at the moment at the router which pretty much says
   prioritize interactive sessions.
  
  
   since the filtering for qos is rather simple, just telnet/ssh to a
   certain host, should i contact my isp and ask them to set some egress
   qos going to our network on the cisco router that is at their place?
   btw, anyone know how good the qos is on cisco 2600?
 
  I have no idea how the qos works on cisco router.
  Just give it a try and see what happens.
 
  Stef
 



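The setup Rob suggests in the first message (egress shaping on the LAN-facing interface so that downloads are queued on the firewall) combined with Stef's 99%/98% rule above, written out as a tc script. This is an added example, not code from anyone in the thread; the interface name eth1, the 2000 kbit link, the ssh/telnet host address and the split of guaranteed rates between the two classes are assumptions, while the HTB and u32 syntax is the real tc syntax.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: HTB egress shaping on the LAN side
# of a Linux firewall so that downloads (outbound on the LAN interface) are
# queued here, not at the ISP router.  Root class = 99% of the link (Stef's
# "_you_ are shaping and not your router"); bulk class ceil = 98% so that
# interactive sessions always have headroom; ssh/telnet replies from one host
# go to the high-priority class (Tomas's "telnet/ssh to a certain host").
# Decrypted IPsec traffic leaves through the same LAN interface, so one tree
# covers both the physical and the virtual ingress path.
# Assumptions (not in the thread): interface eth1, 2000 kbit link, ssh/telnet
# host 192.0.2.10 (a constructed documentation address).
# Runs as a dry run (prints the commands); set TC=tc and run as root to apply.

LAN_IF="${LAN_IF:-eth1}"
LINK_KBIT="${LINK_KBIT:-2000}"
SSH_HOST="${SSH_HOST:-192.0.2.10}"
TC="${TC:-echo}"

# pct <kbit> <percent>: integer percentage of a rate, e.g. pct 2000 99 -> 1980
pct() { echo $(( $1 * $2 / 100 )); }

# lan_shaper <dev> <link_kbit> <host>: emit (or apply) the whole egress tree.
lan_shaper() {
    dev="$1"; link="$2"; host="$3"
    root=$(pct "$link" 99)           # 99%: the queue forms on this box
    bulk_ceil=$(pct "$link" 98)      # 98%: downloads can never fill the link
    inter=$(pct "$link" 10)          # guaranteed share for interactive traffic
    bulk=$(( root - inter ))         # child rates add up to the root rate

    $TC qdisc del dev "$dev" root 2>/dev/null
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${root}kbit" ceil "${root}kbit"
    # 1:10 interactive: lowest prio number is served first, may borrow up to root
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${inter}kbit" ceil "${root}kbit" prio 0
    # 1:20 bulk (the default class): capped at 98% of the link
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${bulk_ceil}kbit" prio 1
    $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    # Inbound ssh/telnet data comes *from* the server, so match source host + sport
    for port in 22 23; do
        $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip src "$host"/32 match ip protocol 6 0xff \
            match ip sport "$port" 0xffff flowid 1:10
    done
}

lan_shaper "$LAN_IF" "$LINK_KBIT" "$SSH_HOST"
```

The upload direction still needs its own tree on the ISP-facing interface; this script only covers what Rob and Stef discuss, the download direction.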



Re: [LARTC] most out of qos

2003-02-06 Thread Tomas Bonnedahl
ok, thanks, one question though, you mean that i should use regular ingress qos?

this could raise some problems since i want to shape both traffic entering at a
physical interface and traffic entering at a virtual ipsec interface. do you have
any experience from this particular situation?


thanks,
tomas

On Thu, Feb 06, 2003 at 05:23:27PM +0100, Stef Coene wrote:
 On Wednesday 05 February 2003 22:28, Tomas Bonnedahl wrote:
  well, that tcp throttles down at the point where packets are dropped is of
  course good, but still, when a download is peaking at the maximum speed
  minus a couple kbits, the delay is terrible, that's what i want to change.
  any idea?
 You can give the download 98% of the link so there is always 2% available for 
 something else.  It also helps to throttle down _all_ incoming bandwidth to 
 99% of your link so _you_ are shaping and not your router.  
 
 Stef
 
 
  regards,
 
  tomas bonnedahl
 
  On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
   On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
to get most out of qos in general, would the best thing be to set up
qos on both ends of a bottleneck with both ingress and egress
filtering? the reason for asking is because we have a 2mbit connection
with egress filtering qos, the problem is that we experience most
downloads compared to uploads and therefore the egress filtering doesn't
provide much help.
   
what we could do is to get ingress filtering on our side here, but i
don't know how much that would help really, the data has already passed
the bottleneck in the path. so, my question, would i experience any
different delay if adding ingress filtering?
  
   Yes.  A tcp connection will throttle down  if you drop packets.  But this
   is not the same as egress shaping.
  
it is a 2mbit fiber stub network which looks pretty much like this:
   
lan - router - fw - isp - internet
   
the egress qos is at the moment at the router which pretty much says
prioritize interactive sessions.
   
   
since the filtering for qos is rather simple, just telnet/ssh to a
certain host, should i contact my isp and ask them to set some egress
qos going to our network on the cisco router that is at their place?
btw, anyone know how good the qos is on cisco 2600?
  
   I have no idea how the qos works on cisco router.
   Just give it a try and see what happens.
  
   Stef
  
 
 
 
 



Re: [LARTC] most out of qos

2003-02-06 Thread Stef Coene
On Thursday 06 February 2003 17:29, Tomas Bonnedahl wrote:
 ok, thanks, one question though, you mean that i should use regular
 ingress qos?

 this could raise some problems since i want to shape both traffic entering
 at a physical interface and traffic entering at a virtual ipsec interface.
 do you have any experience from this particular situation?
No

Stef





Re: [LARTC] most out of qos

2003-02-06 Thread Martin A. Brown
Stef,

Am I overlooking something obvious?

I'd suggest that Tomas throttles his bandwidth on transmit to the internal
network.  It is a router, so very little traffic will be initiated from
the router itself.

Why not perform traffic control on packets transmitted to the Internet on
the outward facing NIC?

Then perform traffic control on packets received from the Internet on the
inward facing NIC.

What's wrong with this?

-Martin

 :  well, that tcp throttles down at the point where packets are dropped is of
 :  course good, but still, when a download is peaking at the maximum speed
 :  minus a couple kbits, the delay is terrible, that's what i want to change.
 :  any idea?
 : You can give the download 98% of the link so there is always 2% available for
 : something else.  It also helps to throttle down _all_ incoming bandwidth to
 : 99% of your link so _you_ are shaping and not your router.
 :
 : Stef
 :
 :it is a 2mbit fiber stub network which looks pretty much like this:
 :   
 :lan - router - fw - isp - internet
 :   
 :the egress qos is at the moment at the router which pretty much says
 :prioritize interactive sessions.

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]




Re: [LARTC] most out of qos

2003-02-06 Thread Stef Coene
On Thursday 06 February 2003 17:49, Martin A. Brown wrote:
 Stef,

 Am I overlooking something obvious?

 I'd suggest that Tomas throttles his bandwidth on transmit to the internal
 network.  It is a router, so very little traffic will be initiated from
 the router itself.

 Why not perform traffic control on packets transmitted to the Internet on
 the outward facing NIC?

 Then perform traffic control on packets received from the Internet on the
 inward facing NIC.

 What's wrong with this?
Euh nothing :)
But you have the same problem.  You are controlling already received data.  So 
you can only hope that the other end of the link stops sending data if you 
drop packets.

Stef


 -Martin

  :  well, that tcp throttles down at the point where packets are dropped is
  :  of course good, but still, when a download is peaking at the maximum
  :  speed minus a couple kbits, the delay is terrible, that's what i want
  :  to change. any idea?
  :
  : You can give the download 98% of the link so there is always 2%
  : available for something else.  It also helps to throttle down _all_
  : incoming bandwidth to 99% of your link so _you_ are shaping and not your
  : router.
  :
  : Stef
  :
  :it is a 2mbit fiber stub network which looks pretty much like
  :this:
  :   
  :lan - router - fw - isp - internet
  :   
  :the egress qos is at the moment at the router which pretty much
  :says prioritize interactive sessions.





Re: [LARTC] most out of qos

2003-02-06 Thread Martin A. Brown
 :  I'd suggest that Tomas throttles his bandwidth on transmit to the internal
 :  network.  It is a router, so very little traffic will be initiated from
 :  the router itself.
 :  Why not perform traffic control on packets transmitted to the Internet on
 :  the outward facing NIC?
 :  Then perform traffic control on packets received from the Internet on the
 :  inward facing NIC.
 :  What's wrong with this?
 : Euh nothing :)
 : But you have the same problem.  You are controlling already received data.  So
 : you can only hope that the other end of the link stops sending data if you
 : drop packets.

Well, slap me with a wet fish!  That's pretty obvious.

(Martin, neophyte with traffic control, returns to routing.)

Thanks, Stef,

-Martin





Re: [LARTC] most out of qos

2003-02-06 Thread Tomas Bonnedahl
hm, the only way i see how to really get a hold on downloads is egress filtering on
the isp side.

ingress filtering here is just a waste of time? partly because, as stef also said,
the data is already received, so i can get the same effect with egress filtering on
the internal interface of the fw, and partly because ingress filtering in linux is
not well functioning?


thanks,
tomas

On Thu, Feb 06, 2003 at 11:01:08AM -0600, Martin A. Brown wrote:
  :  I'd suggest that Tomas throttles his bandwidth on transmit to the internal
  :  network.  It is a router, so very little traffic will be initiated from
  :  the router itself.
  :  Why not perform traffic control on packets transmitted to the Internet on
  :  the outward facing NIC?
  :  Then perform traffic control on packets received from the Internet on the
  :  inward facing NIC.
  :  What's wrong with this?
  : Euh nothing :)
  : But you have the same problem.  You are controlling already received data.  So
  : you can only hope that the other end of the link stops sending data if you
  : drop packets.
 
 Well, slap me with a wet fish!  That's pretty obvious.
 
 (Martin, neophyte with traffic control, returns to routing.)
 
 Thanks, Stef,
 
 -Martin
 
 
 



Re: [LARTC] most out of qos

2003-02-06 Thread Stef Coene
On Thursday 06 February 2003 18:11, Tomas Bonnedahl wrote:
 hm, the only way i see how to really get a hold on downloads is egress
 filtering on the isp side.
Even that's too late.  The isp has no control on the data that people are 
sending to you.

 ingress filtering here is just a waste of time? partly because, as stef
 also said, the data is already received, so i can get the same effect with
 egress filtering on the internal interface of the fw, and partly because
 ingress filtering in linux is not well functioning?
You can get the same effect.  And ingress shaping works, but it's not so 
powerful.

Stef





Re: [LARTC] most out of qos

2003-02-06 Thread Tomas Bonnedahl
i don't really see your reasoning here. of course my isp has no control of the data
that other people are sending me, but if the sending party could do egress filtering
on their nearest router on the path to reach me, my isp should be able to do the
same? the difference between my isp doing egress filtering and if i were to do
egress filtering is that if the isp would do it, the data is yet to enter the
bottleneck in the path and could be buffered there. was this what you meant?

thanks,
tomas

On Thu, Feb 06, 2003 at 06:22:04PM +0100, Stef Coene wrote:
 On Thursday 06 February 2003 18:11, Tomas Bonnedahl wrote:
  hm, the only way i see how to really get a hold on downloads is egress
  filtering on the isp side.
 Even that's too late.  The isp has no control on the data that people are 
 sending to you.
 
  ingress filtering here is just a waste of time? partly because, as stef
  also said, the data is already received, so i can get the same effect with
  egress filtering on the internal interface of the fw, and partly because
  ingress filtering in linux is not well functioning?
 You can get the same effect.  And ingress shaping works, but it's not so 
 powerful.
 
 Stef
 
 
 



Re: [LARTC] most out of qos

2003-02-05 Thread Stef Coene
On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
 to get most out of qos in general, would the best thing be to set up qos on
 both ends of a bottleneck with both ingress and egress filtering? the
 reason for asking is because we have a 2mbit connection with egress
 filtering qos, the problem is that we experience most downloads compared to
 uploads and therefore the egress filtering doesn't provide much help.

 what we could do is to get ingress filtering on our side here, but i don't
 know how much that would help really, the data has already passed the
 bottleneck in the path. so, my question, would i experience any different
 delay if adding ingress filtering?
Yes.  A tcp connection will throttle down  if you drop packets.  But this is 
not the same as egress shaping.

 it is a 2mbit fiber stub network which looks pretty much like this:

 lan - router - fw - isp - internet

 the egress qos is at the moment at the router which pretty much says
 prioritize interactive sessions.


 since the filtering for qos is rather simple, just telnet/ssh to a certain
 host, should i contact my isp and ask them to set some egress qos going to
 our network on the cisco router that is at their place? btw, anyone know
 how good the qos is on cisco 2600?
I have no idea how the qos works on cisco router.
Just give it a try and see what happens.

Stef





Re: [LARTC] most out of qos

2003-02-05 Thread Tomas Bonnedahl
well, that tcp throttles down at the point where packets are dropped is of course
good, but still, when a download is peaking at the maximum speed minus a couple
kbits, the delay is terrible, that's what i want to change. any idea?

regards,

tomas bonnedahl

On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
 On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
  to get most out of qos in general, would the best thing be to set up qos on
  both ends of a bottleneck with both ingress and egress filtering? the
  reason for asking is because we have a 2mbit connection with egress
  filtering qos, the problem is that we experience most downloads compared to
  uploads and therefore the egress filtering doesn't provide much help.
 
  what we could do is to get ingress filtering on our side here, but i don't
  know how much that would help really, the data has already passed the
  bottleneck in the path. so, my question, would i experience any different
  delay if adding ingress filtering?
 Yes.  A tcp connection will throttle down  if you drop packets.  But this is 
 not the same as egress shaping.
 
  it is a 2mbit fiber stub network which looks pretty much like this:
 
  lan - router - fw - isp - internet
 
  the egress qos is at the moment at the router which pretty much says
  prioritize interactive sessions.
 
 
  since the filtering for qos is rather simple, just telnet/ssh to a certain
  host, should i contact my isp and ask them to set some egress qos going to
  our network on the cisco router that is at their place? btw, anyone know
  how good the qos is on cisco 2600?
 I have no idea how the qos works on cisco router.
 Just give it a try and see what happens.
 
 Stef
 
 
 