Gilles,

Yes. You can most certainly do so.

http://lartc.org/howto/lartc.bridging.html
http://lartc.org/howto/lartc.bridging.shaping.html

-Martin

: Hi all,
:
: After a long reading of the LARTC, I was able to set up a working HTB
: config on my firewall.
:
: But my question is:
:
: Can I use an "IP-less" box to do QoS? With bridging software (or even
: without?) or things like this, and use a u32 filter to direct the traffic to
: the right class?
:
: In other words, I can't modify the existing network config or insert into
: (netmask is 255.255.255.252) and I want to shape traffic before the router.
: (And the firewall can't do bandwidth management...)
:
: Many thanks in advance and happy new year 2003!
:
: G.

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hi all,

After a long reading of the LARTC, I was able to set up a working HTB
config on my firewall.

But my question is:

Can I use an "IP-less" box to do QoS? With bridging software (or even
without?) or things like this, and use a u32 filter to direct the traffic to
the right class?

In other words, I can't modify the existing network config or insert into
(netmask is 255.255.255.252) and I want to shape traffic before the router.
(And the firewall can't do bandwidth management...)

Many thanks in advance and happy new year 2003!

G.
Many thanks Martin for your quick response!

Just another question about bridges (may be stupid).

For me it should work (I'll test it tomorrow).

Normally, a Nunux box with bridge-utils doesn't require
echo 1 > /proc/sys/net/ipv4/ip_forward ? (right?)

But if I want to manage it remotely, AND if I have NO IP available (because the
netmask is 255.255.255.252), can I have a third interface, not put it in brctl,
and assign it an IP of the private network (IP from RFC 1918)? Normally the
bridge software should ignore it, and I can put a nice Apache with RRDtool,
with MRTG, with any other nice tool to monitor bandwidth and connections?

G.

Thanks in advance...

> -----Original message-----
> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On behalf of Martin A. Brown
> Sent: Monday 30 December 2002 20:46
> To: Gilles Douillet
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] QoS (HTB) without IP address
>
> [...]
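A worked version of the IP-less bridge Gilles is asking about, added here as an example (it is not from the thread or from the LARTC HOWTO): two bridge ports without addresses, HTB with a u32 filter on each port's egress, and a third management interface kept out of the bridge. The interface names eth0/eth1/eth2, the 192.168.250.1/24 management address, the 198.51.100.2 firewall address and the rates are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an IP-less Linux bridge that shapes with HTB
# and a u32 filter, plus a third, non-bridged management interface on an RFC 1918
# address. Interface names, addresses and rates are constructed placeholders.
set -e
WAN_IF=${WAN_IF:-eth0}                     # bridge port towards the router
LAN_IF=${LAN_IF:-eth1}                     # bridge port towards the firewall
MGMT_IF=${MGMT_IF:-eth2}                   # management port, NOT added to the bridge
MGMT_ADDR=${MGMT_ADDR:-192.168.250.1/24}   # RFC 1918 address for remote management
SHAPED_HOST=${SHAPED_HOST:-198.51.100.2}   # the firewall's address on the /30
LINK_RATE=${LINK_RATE:-2mbit}
PRIO_RATE=${PRIO_RATE:-512kbit}

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

bridge_setup() {
    run brctl addbr br0
    run brctl addif br0 "$WAN_IF"
    run brctl addif br0 "$LAN_IF"
    # bridge ports carry no address; ip_forward is not needed for bridged frames
    for i in "$WAN_IF" "$LAN_IF" br0; do run ip link set "$i" up; done
    # the management interface stays outside the bridge and gets the private address
    run ip addr add "$MGMT_ADDR" dev "$MGMT_IF"
    run ip link set "$MGMT_IF" up
}

# HTB is attached to the egress of a physical port, not to br0. $2 selects the
# u32 field that identifies the firewall's traffic on that port: packets leaving
# towards the firewall match on "dst", packets leaving towards the router on "src".
htb_setup() {
    dev=$1; field=$2
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE" ceil "$LINK_RATE"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$PRIO_RATE" ceil "$LINK_RATE" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$PRIO_RATE" ceil "$LINK_RATE" prio 1
    # u32 inspects the IP header directly, so the box needs no address of its own
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip "$field" "$SHAPED_HOST" flowid 1:10
}

main() { bridge_setup; htb_setup "$LAN_IF" dst; htb_setup "$WAN_IF" src; }
# usage: DRY_RUN=1 sh bridge_shaper.sh apply (preview), then sh bridge_shaper.sh apply
case "${1:-}" in apply) main ;; esac
```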
On Monday 30 December 2002 21:36, Gilles Douillet wrote:
> Many thanks Martin for your quick response!
>
> Just another question about bridges (may be stupid).
>
> For me it should work (I'll test it tomorrow).
>
> Normally, a Nunux box with bridge-utils doesn't require echo 1 >
> /proc/sys/net/ipv4/ip_forward ? (right?)
>
> But if I want to manage it remotely, AND if I have NO IP available (because the
> netmask is 255.255.255.252), can I have a third interface, not put it in brctl,
> and assign it an IP of the private network (IP from RFC 1918)? Normally the
> bridge software should ignore it, and I can put a nice Apache with RRDtool,
> with MRTG, with any other nice tool to monitor bandwidth and connections?
Or if you know the MAC address, you can insert a static ARP entry in a host
that's connected to the bridge so you can reach that bridge on that IP address.
Or give the bridge an IP address in the private range (10.x.x.x or so), and give
a box connected to the bridge an IP address in the same range so you can reach
the bridge on that private IP address.

I'm not sure it's possible, but maybe it will give you some new ideas.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
On Mon, 2002-12-30 at 21:36, Gilles Douillet wrote:
> But if I want to manage it remotely, AND if I have NO IP available (because the
> netmask is 255.255.255.252), can I have a third interface, not put it in brctl,
> and assign it an IP of the private network (IP from RFC 1918)? Normally the
> bridge software should ignore it, and I can put a nice Apache with RRDtool,
> with MRTG, with any other nice tool to monitor bandwidth and connections?
Forget the bridging junk. Pick an IP address, assign it to both interfaces and
make sure you configure iptables to FORWARD traffic coming from either side to
the other. Additionally you can set up whatever sort of traffic shaping you
desire and/or implement a transparent proxy.

--
Daniel Egger <egger@spotnic.de>
Hi there,

It's a good thought, Daniel, but he is restricted by his /30 network.
This means he only has two IPs, hence his need for a bridging device.

[ Gilles, you should be able to enter a static route from each of these
hosts to an RFC1918 address on the bridge itself (as Stef Coene had
suggested), and per http://bridge.sourceforge.net/docs/bridge.html
the ARP will work just fine--no need for static entries in ARP tables. ]

Setting the problem of the tiny network aside, I'm interested in your
suggestion, Daniel, that he use the same IP on both interfaces of the
box--I've not tried that before.

Do you have an example config?
Have you seen any problems with this configuration?

I'm going to have to try that out! Thanks for the idea.

-Martin

: > But if I want to manage it remotely, AND if I have NO IP available (because the
: > netmask is 255.255.255.252), can I have a third interface, not put it in brctl,
: > and assign it an IP of the private network (IP from RFC 1918)? Normally the
: > bridge software should ignore it, and I can put a nice Apache with RRDtool,
: > with MRTG, with any other nice tool to monitor bandwidth and connections?
:
: Forget the bridging junk. Pick an IP address, assign it to both
: interfaces and make sure you configure iptables to FORWARD traffic
: coming from either side to the other. Additionally you can set up
: whatever sort of traffic shaping you desire and/or implement a
: transparent proxy.
:
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
On Tuesday 31 December 2002 00:14, Martin A. Brown wrote:
> Hi there,
>
> It's a good thought, Daniel, but he is restricted by his /30 network.
> This means he only has two IPs, hence his need for a bridging device.
>
> [ Gilles, you should be able to enter a static route from each of these
> hosts to an RFC1918 address on the bridge itself (as Stef Coene had
> suggested), and per http://bridge.sourceforge.net/docs/bridge.html
> the ARP will work just fine--no need for static entries in ARP tables. ]
>
> Setting the problem of the tiny network aside, I'm interested in your
> suggestion, Daniel, that he use the same IP on both interfaces of the
> box--I've not tried that before.
>
> Do you have an example config?
> Have you seen any problems with this configuration?
I tried it once on a firewall with 3 interfaces with the same IP address and it
worked very well. You just have to be sure you configure the right routing.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
I'm doing this on a LEAF box using bridge-cf-0.03 code from
bridge.sourceforge.net and HTB on a Bering version of LEAF. Works well.

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Martin A. Brown
Sent: 31 December 2002 01:16
To: Gilles Douillet
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] QoS (HTB) without IP address

[...]
I think bridging is the best and simplest method. Bridging allows for multiple
interfaces in the same subnet, while all other solutions assume a 2-interface
scenario only.

Proxy ARP is better if you want to implement firewalling. Either you can set
this up by hand or implement it using parprouted (google to find the location),
which is normally used to implement bridging in a wireless network where MAC
addresses cannot be propagated.

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Daniel Egger
Sent: 31 December 2002 04:34
To: Gilles Douillet
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] QoS (HTB) without IP address

[...]
On Tue, 2002-12-31 at 00:14, Martin A. Brown wrote:
> Setting the problem of the tiny network aside, I'm interested in your
> suggestion, Daniel, that he use the same IP on both interfaces of the
> box--I've not tried that before.
The IP (and thus the size of the network) is irrelevant; actually it shouldn't
even matter if one has the same IP on all interfaces IIRC. My vision on the
solution is unfortunately not really clear, as we're doing a lot more perverted
things as part of a business solution which could simplify the simple setup a
lot (upside down, eh? :) )

> Do you have an example config?
What I've been doing at some point was to simply route traffic from one
interface to another and vice versa, using the incoming interface as selector
for the iptables rules. Another (and probably more flexible) approach would be
to mark incoming traffic from one interface with some mark, handle it as if it
was "normal" traffic inside the packet filters and then route to the other
interface based on the firewall mark.

> Have you seen any problems with this configuration?
Yes, the first approach (we had taken originally) had the problem that it was
quite hard to intercept packets and handle them differently, like pushing them
through a transparent proxy. Also (and this is nasty for us) it's almost
impossible to run services on the "bridge" and correctly let them answer back
to the client.

We're doing it sort of differently now: we still have the same IP on both
interfaces and the machine is almost transparent, but we only have one default
route pointing to the net and several host routes into the client net which are
set up on demand. That way we have a mixture of a router and a bridge but can
still provide services on the machine. We also have lots of special services on
the machine automatically creating routes on demand and doing ARP faking, so it
might not work that well without...

--
Daniel Egger <egger@spotnic.de>
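For the bridge-less approach Daniel describes (one address on both interfaces, FORWARD rules keyed on the ingress interface, fwmark routing out of the other side, one default route plus host routes), with Mohan's proxy ARP standing in for Daniel's on-demand route creation, here is an added example; it is not Daniel's, Mohan's or any LARTC configuration. It assumes eth0 faces the router, eth1 faces the firewall, the /30 hosts are 198.51.100.1 and 198.51.100.2, and the box's own 10.255.255.1 address exists only so it can forward, so running services on the box (the problem Daniel notes) is not covered.

```shell
#!/bin/sh
# Added example, not Daniel Egger's or Mohan's own configuration: the bridge-less
# variant they describe, with one address on both interfaces, proxy ARP and a host
# route towards each side, FORWARD rules keyed on the interface pair, and fwmark
# policy routing so packets entering on one interface leave by the other.
# Interface names, addresses, mark values and table numbers are constructed.
set -e
NET_IF=${NET_IF:-eth0}                  # towards the router
CLI_IF=${CLI_IF:-eth1}                  # towards the firewall / client net
BOX_ADDR=${BOX_ADDR:-10.255.255.1/32}   # one address, assigned to both interfaces
ROUTER=${ROUTER:-198.51.100.1}          # host on the net side of the /30
CLIENT=${CLIENT:-198.51.100.2}          # host on the client side of the /30

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

addr_and_routes() {
    run sysctl -w net.ipv4.ip_forward=1
    for i in "$NET_IF" "$CLI_IF"; do
        run ip addr add "$BOX_ADDR" dev "$i"
        run ip link set "$i" up
        # answer ARP on each side for hosts that are routed out of the other side
        run sysctl -w "net.ipv4.conf.$i.proxy_arp=1"
    done
    # host routes tell the kernel (and proxy ARP) which side each /30 host is on
    run ip route add "$ROUTER/32" dev "$NET_IF"
    run ip route add "$CLIENT/32" dev "$CLI_IF"
    run ip route add default via "$ROUTER" dev "$NET_IF"
}

# Mark by ingress interface, then route each mark out of the opposite interface,
# and allow forwarding only between the two sides.
fwmark_routing() {
    run iptables -t mangle -A PREROUTING -i "$NET_IF" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$CLI_IF" -j MARK --set-mark 2
    run ip rule add fwmark 1 table 101
    run ip rule add fwmark 2 table 102
    run ip route add default dev "$CLI_IF" table 101
    run ip route add default via "$ROUTER" dev "$NET_IF" table 102
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$NET_IF" -o "$CLI_IF" -j ACCEPT
    run iptables -A FORWARD -i "$CLI_IF" -o "$NET_IF" -j ACCEPT
}

main() { addr_and_routes; fwmark_routing; }
# usage: DRY_RUN=1 sh transparent_router.sh apply (preview), then without DRY_RUN
case "${1:-}" in apply) main ;; esac
```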