Hello,

After reading the excellent HOWTO I got traffic shaping working nicely over ethernet devices on a test setup. I can't put this setup live though, because our main firewall has three 2mbit hdlc interfaces instead of a single device.

We are using multipath routing using iproute2 nexthop at the moment, and that works fine for firewalling. But now I have a need for shaping, and shaping only works over a single interface it seems and not over multiple interfaces.

According to the HOWTO I can set up a teql device to bundle hdlc0-2 into a single teql0 device, but that requires an extra combined IP address at both sides it seems.

The question is whether I can get away with setting up the teql device over the three hdlc IPs with an IP on the teql device that's either fake or one of our class C subnet (maybe even reuse the IP of the ethernet card on the other end), without having our provider change their config.

The round robin routing is not the problem, we have had that working correctly for quite a while already; it's the fact that teql requires an extra IP which nexthop routing doesn't that bothers me a bit. And since this is a live router I am not going to take risks by messing with it without proper research...

Is there any advice to give me here? Or do you need more information first?

Thanks in advance for any help,

-- 
Martijn

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
On Thursday 31 October 2002 15:20, Martijn Klingens wrote:
> Hello,
>
> After reading the excellent HOWTO I got traffic shaping working nicely over
> ethernet devices on a test setup. I can't put this setup live though,
> because our main firewall has three 2mbit hdlc interfaces instead of a
> single device.
>
> We are using multipath routing using iproute2 nexthop at the moment, and
> that works fine for firewalling. But now I have a need for shaping and
> shaping only works over a single interface it seems and not over multiple
> interfaces.

Yes, you can, if you apply the needed patches to the kernel and iptables so you can use the imq device. It's a virtual device and you can use the normal cbq/htb/tbf qdiscs on it. You can redirect packets to it with iptables, and you can do it from any interface you want and also from IN + OUT. So you can create 1 imq device, redirect all packets that leave hdlc0-2 and shape on that imq device.

IMQ link: http://trash.net/~kaber/imq

> According to the HOWTO I can set up a teql device to bundle hdlc0-2 into
> a single teql0 device, but that requires an extra combined IP address at
> both sides it seems.

The teql can only be used if you have Linux on both sides of the 2 links.

> The question is whether I can get away with setting up the teql device over
> the three hdlc IPs with an IP on the teql device that's either fake or one
> of our class C subnet (maybe even reuse the IP of the ethernet card on the
> other end), without having our provider change their config.
>
> The round robin routing is not the problem, we have had that working correctly
> for quite a while already; it's the fact that teql requires an extra IP
> which nexthop routing doesn't that bothers me a bit. And since this is a
> live router I am not going to take risks by messing with it without proper
> research...
>
> Is there any advice to give me here? Or do you need more information first?

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
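Added example (not from the thread, and not a script from the IMQ project): the setup Stef describes, written as a dry-run shell script that prints the commands unless IMQ_APPLY=1 is set. It assumes the IMQ kernel and iptables patches are installed; the modprobe parameter, the `-j IMQ --todev` target options, the 6mbit aggregate and the ssh filter are assumptions.

```shell
#!/bin/sh
# Egress shaping for three hdlc links through one IMQ device (assumed
# option names follow the IMQ patch: modprobe imq numdevs=, -j IMQ --todev N).
# Dry-run by default: commands are printed. IMQ_APPLY=1 executes them.

IMQ_DEV=imq0
LINKS="hdlc0 hdlc1 hdlc2"
LINK_RATE=2mbit        # each hdlc link, as stated in the thread
TOTAL_RATE=6mbit       # assumed aggregate of the three links

run() {
    if [ "${IMQ_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

imq_setup() {
    run modprobe imq numdevs=1
    run ip link set "$IMQ_DEV" up

    # In POSTROUTING the nexthop multipath decision has already been made,
    # so packets destined for any of the three links are queued on imq0
    # and then leave via the link the routing picked.
    for dev in $LINKS; do
        run iptables -t mangle -A POSTROUTING -o "$dev" -j IMQ --todev 0
    done

    # One HTB tree on imq0 caps the aggregate; the children borrow up to it.
    run tc qdisc add dev "$IMQ_DEV" root handle 1: htb default 20
    run tc class add dev "$IMQ_DEV" parent 1: classid 1:1 htb rate "$TOTAL_RATE" ceil "$TOTAL_RATE"
    run tc class add dev "$IMQ_DEV" parent 1:1 classid 1:10 htb rate "$LINK_RATE" ceil "$TOTAL_RATE" prio 1
    run tc class add dev "$IMQ_DEV" parent 1:1 classid 1:20 htb rate 4mbit ceil "$TOTAL_RATE" prio 2
    # Interactive traffic (ssh, an assumed choice) gets the high-priority class.
    run tc filter add dev "$IMQ_DEV" parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:10
}

# Number of links that would be redirected into imq0 (dry-run output).
imq_redirect_count() {
    imq_setup | grep -c -- '-j IMQ --todev 0'
}

imq_setup
```

Caveat: the HTB tree caps the sum, not each link; with per-destination multipath one hdlc link can still be driven past 2mbit while the aggregate stays under the ceiling, so check per-link counters after enabling it.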
On Thursday 31 October 2002 17:06, Stef Coene wrote:
> Yes, you can, if you apply the needed patches to the kernel and iptables so
> you can use the imq device. It's a virtual device and you can use the
> normal cbq/htb/tbf qdiscs on it. You can redirect packets to it with
> iptables, and you can do it from any interface you want and also from IN +
> OUT. So you can create 1 imq device, redirect all packets that leave
> hdlc0-2 and shape on that imq device.
> IMQ link:
> http://trash.net/~kaber/imq

Thanks for the quick reply!

Looks like I need this, since our provider uses a Cisco router and not a Linux box, so teql is not an option :(

Now I only hope this applies properly to our kernel... (btw, how stable is it? I'm always hesitant to use code that is not in the mainstream kernel on a production firewall).

-- 
Martijn
On Thursday 31 October 2002 17:33, Martijn Klingens wrote:
> On Thursday 31 October 2002 17:06, Stef Coene wrote:
> > Yes, you can, if you apply the needed patches to the kernel and iptables so
> > you can use the imq device. It's a virtual device and you can use the
> > normal cbq/htb/tbf qdiscs on it. You can redirect packets to it with
> > iptables, and you can do it from any interface you want and also from IN +
> > OUT. So you can create 1 imq device, redirect all packets that leave
> > hdlc0-2 and shape on that imq device.
> > IMQ link:
> > http://trash.net/~kaber/imq
>
> Thanks for the quick reply!
>
> Looks like I need this, since our provider uses a Cisco router and not a
> Linux box, so teql is not an option :(
>
> Now I only hope this applies properly to our kernel... (btw, how stable is
> it? I'm always hesitant to use code that is not in the mainstream kernel on
> a production firewall).

I think it's stable. At least I never heard people complaining about it. But maybe nobody is using it :)
And it's a small hack. Maybe Patrick knows this better.

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
Stef Coene wrote:
> On Thursday 31 October 2002 17:33, Martijn Klingens wrote:
> > Now I only hope this applies properly to our kernel... (btw, how
> > stable is it? I'm always hesitant to use code that is not in the
> > mainstream kernel on a production firewall).
>
> I think it's stable. At least I never heard people complaining
> about it. But maybe nobody is using it :)
> And it's a small hack.

IMQ? I'm using it in production. 100 IMQ devices, 10 - 50 of them in use. The number of devices in use changes between boxes, and I had to create just enough IMQ devices. I'm using IMQ in combination with TBF to get bidirectional shaping. No problems at all.

With my best wishes,

-- 
Hasso