Aaron A. Wolfe
2002-Dec-23 21:40 UTC
Multiple rate limited networks and transparent http proxy - tricky problem
Hello,

We have a box with good connectivity which we divide among several internal networks by having a different interface for each internal network and rate limiting outgoing traffic on each of these interfaces. We are using cbq and a u32 match on the destination to organize the packets. This works very well for us, but there may be a better way, I'm no expert at this!

We also use a squid proxy set up in transparent mode with a NAT rule to send all outgoing http requests to the proxy. This also works very well to save some of our bandwidth.

My "problem" is that of course the rate limiting applies to *all* traffic going out the internal interfaces, so even objects that are in the squid cache are given to the clients at a fairly slow speed. I am trying to figure out a way to allow cached objects to be sent at full ethernet speed while still rate limiting objects that have to be fetched from the internet.

It is puzzling to me because I cannot differentiate cached and noncached data coming from squid at the packet level. I was actually thinking about a quick hack on Squid to set some qos or other bit in the tcp headers for connections containing cached objects but this is probably beyond my limited skills. I haven't found anyone on the web doing something similar in a quick search.

The other theory I had was to limit the traffic on its way to squid rather than after. This would eliminate the need to distinguish between cache and noncache post squid. The problem here is how do I apply the different rate limits to the different internal networks, since all incoming traffic will be bound for the squid proxy not the destination clients.

I have considered creating several external interfaces, running a separate squid for each internal network and having each squid use a different outgoing interface. This allows what I want I think but gets very complicated, and I'm not sure if I can have all the instances share a cache directory. If not the usefulness of the cache is quite limited.

Any thoughts on this are much appreciated!

-Aaron
_______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Radoslaw Stachowiak
2002-Dec-23 22:16 UTC
Re: Multiple rate limited networks and transparent http proxy - tricky problem
*** Aaron A. Wolfe <aaron@aaronwolfe.com> [16:40 Mon 23.Dec]:
> My "problem" is that of course the rate limiting applies to *all*
> traffic going out the internal interfaces, so even objects that are in
> the squid cache are given to the clients at a fairly slow speed.

You can achieve results by using the iptables mark facility to mark packets which are passing by your router (from the internet) and are not for your router, and then use this mark value to distinguish if a packet is local or not (fw filter).

While solving your original problem it leaves one more: when a client tries to fetch an object which is not in the squid cache, squid will fetch it with full bandwidth and serve it to the client also with full bandwidth. Here you should make a decision:

1. This is ok behaviour (although a little unfair) because such fetched-at-full-speed objects are ready for other clients (also at full speed).
2. This is not ok, and you have to cbq (or rather IMQ) squid, which is a hard task because there is one squid for all clients. You can try to use HTB and grant squid the unused bandwidth from all clients by a proper class schema.

Additional to 1.: you can 'enhance' it by using squid delay pools to help it be a little more fair.

The perfect solution is to hack squid to mark its packets based on HIT/MISS.

.radek.
_______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Greg Scott
2002-Dec-24 05:06 UTC
RE: Multiple rate limited networks and transparent http proxy - tricky problem
Wouldn't stuff coming from Squid have a defined source port number? If so, would a fwmark on all packets from that IP address and Squid's TCP source port do the trick?

- Greg Scott

-----Original Message-----
From: Aaron A. Wolfe [mailto:aaron@aaronwolfe.com]
Sent: Monday, December 23, 2002 3:40 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Multiple rate limited networks and transparent http proxy - tricky problem
_______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
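The following script is an added example and not part of the thread or the LARTC HOWTO. It combines Radoslaw's fwmark-plus-fw-filter suggestion with Greg's source-port observation: squid's replies are marked in the mangle table by their source port and steered into an unlimited HTB class, while everything else leaving an internal interface stays in the limited class. The interface names (eth1, eth2), link speed, per-network rates, squid port 3128 and mark value 0x10 are assumptions for a constructed topology. The mark is set in mangle OUTPUT rather than matched with u32 on egress because, with REDIRECT, conntrack rewrites the reply's source port back to 80 before the egress qdisc sees the packet. It does not address Radek's MISS caveat: objects squid fetches from the internet are still served at full speed.

```shell
#!/bin/sh
# Added example, not from the thread. Exempts squid's replies from the
# per-interface rate limit by marking them in the mangle table and steering
# the mark into an unlimited HTB class; everything else on the internal
# interface stays in the limited class. Interface names, link speeds,
# rates and mark values are assumptions for a constructed topology.
#
# Why fwmark and not a u32 port match on egress: with REDIRECT, conntrack
# rewrites the reply's source port from 3128 back to 80 before the egress
# qdisc sees the packet, but mangle OUTPUT still sees port 3128.
#
# Caveat (Radek's point): squid serves cache MISSes at full speed too; this
# script does not fix that. Squid delay pools are the place for it.

SQUID_PORT=3128
MARK_PROXY=0x10   # fwmark for squid replies; unmarked traffic is limited

# iptables rule that marks squid's replies to clients (local output from
# the proxy port).
gen_mangle_proxy() {
    printf 'iptables -t mangle -A OUTPUT -p tcp --sport %s -j MARK --set-mark %s\n' \
        "$SQUID_PORT" "$MARK_PROXY"
}

# HTB tree for one internal interface: iface, limited rate, link speed.
# 1:10 is the limited class (also the default); 1:20 runs at link speed
# and only receives packets carrying MARK_PROXY. tc reads "default" and
# class minors as hex, so "default 10" is class 1:10.
gen_tc() {
    iface=$1; rate=$2; link=$3
    cat <<EOF
tc qdisc add dev $iface root handle 1: htb default 10
tc class add dev $iface parent 1: classid 1:10 htb rate $rate ceil $rate
tc class add dev $iface parent 1: classid 1:20 htb rate $link ceil $link
tc filter add dev $iface parent 1: protocol ip prio 1 handle $MARK_PROXY fw flowid 1:20
EOF
}

# Constructed topology: two internal networks behind eth1 and eth2 with
# different limits; the mark rule is shared by both.
plan() {
    gen_mangle_proxy
    gen_tc eth1 512kbit 100mbit
    gen_tc eth2 1mbit 100mbit
}

# Print the plan by default; "sh script.sh apply" (as root) executes it.
if [ "${1:-}" = "apply" ]; then
    plan | sh -e
else
    plan
fi
```

Run it without arguments first and read the generated iptables and tc commands; only then apply it. Check the result with `tc -s class show dev eth1`: bytes for cache hits should accumulate in 1:20, and `iptables -t mangle -L OUTPUT -v` should show the MARK counter climbing as clients fetch through the proxy.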