LARTC - Dec 2002 - QoS (HTB) without IP address

Gilles,

Yes.  You can most certainly do so.

  http://lartc.org/howto/lartc.bridging.html
  http://lartc.org/howto/lartc.bridging.shaping.html

-Martin

 : Hi all,
 :
 : After a long reading of the LARTC, I were able to set up a working HTB
 : config on my firewall.
 :
 : But my question is :
 :
 : Can I use a "ip less" box to do QoS ? With bridging software (or
even
 : without?) or thing like this and use an u32 filter to direct the traffic to
 : the right class ?
 :
 : In other words, I can''t modify the existing network config or inster
into
 : (netmask is 255.255.255.252) and I want to shape traffic before the router.
 : (And the firewall can''t do bandwitdth managment...)
 :
 : Many thanks in advance and happy new year 2003 !
 :
 : G.
 :
 : _______________________________________________
 : LARTC mailing list / LARTC@mailman.ds9a.nl
 : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
 :

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hi all,

After a long reading of the LARTC, I were able to set up a working HTB
config on my firewall.

But my question is :

Can I use a "ip less" box to do QoS ? With bridging software (or even
without?) or thing like this and use an u32 filter to direct the traffic to
the right class ?

In other words, I can''t modify the existing network config or inster
into
(netmask is 255.255.255.252) and I want to shape traffic before the router.
(And the firewall can''t do bandwitdth managment...)

Many thanks in advance and happy new year 2003 !

G.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Many Thanks Martin for your quick response !

Just another question about bridge (may be stupid)

For me it should work (I''ll test it tomorrow)

Normally, a Nunux Box with bridge-utils doesn''t require echo 1 >
/proc/sys/net/ipv4/ip_forward ? (right ?)

But if I wat to manage it remotely, AND if I have NO ip available (cause
netmask is 255.255.255.252), can I have a third interface, not put it brctl
and assign an IP of the private network (IP from RFC 1918) normally the
bridge software should ignore it and I can put a nice Apache with RRD Tool,
with MRTG, with any other nice tool to monitor bandwith and connections ?

G.

Thanks in advance ...
> -----Message d''origine-----
> De : lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]De
> la part de Martin A. Brown
> Envoye : lundi 30 decembre 2002 20:46
> A : Gilles Douillet
> Cc : lartc@mailman.ds9a.nl
> Objet : Re: [LARTC] QoS (HTB) without IP address
>
>
> Gilles,
>
> Yes.  You can most certainly do so.
>
>   http://lartc.org/howto/lartc.bridging.html
>   http://lartc.org/howto/lartc.bridging.shaping.html
>
> -Martin
>
>  : Hi all,
>  :
>  : After a long reading of the LARTC, I were able to set up a working HTB
>  : config on my firewall.
>  :
>  : But my question is :
>  :
>  : Can I use a "ip less" box to do QoS ? With bridging software
(or even
>  : without?) or thing like this and use an u32 filter to direct
> the traffic to
>  : the right class ?
>  :
>  : In other words, I can''t modify the existing network config or
> inster into
>  : (netmask is 255.255.255.252) and I want to shape traffic
> before the router.
>  : (And the firewall can''t do bandwitdth managment...)
>  :
>  : Many thanks in advance and happy new year 2003 !
>  :
>  : G.
>  :
>  : _______________________________________________
>  : LARTC mailing list / LARTC@mailman.ds9a.nl
>  : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>  :
>
> --
> Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

On Monday 30 December 2002 21:36, Gilles Douillet wrote:
> Many Thanks Martin for your quick response !
>
> Just another question about bridge (may be stupid)
>
> For me it should work (I''ll test it tomorrow)
>
> Normally, a Nunux Box with bridge-utils doesn''t require echo 1
>
> /proc/sys/net/ipv4/ip_forward ? (right ?)
>
> But if I wat to manage it remotely, AND if I have NO ip available (cause
> netmask is 255.255.255.252), can I have a third interface, not put it brctl
> and assign an IP of the private network (IP from RFC 1918) normally the
> bridge software should ignore it and I can put a nice Apache with RRD Tool,
> with MRTG, with any other nice tool to monitor bandwith and connections ?
Or if you know the mac address, you can insert a static arp entry in a host 
that''s connected to the bridge so you can reach that bridge on that 
ip-address.
Or give the bridge a ip-address in the private range (10.x.x.x or so).  And 
give a box connected to the bridge an ipaddress in the same rage so you can 
reach the bridge on that private ip-address.

I''m not sure it''s possible, but maybe it will give you some
new ideas.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Am Mon, 2002-12-30 um 21.36 schrieb Gilles Douillet:
> But if I wat to manage it remotely, AND if I have NO ip available (cause
> netmask is 255.255.255.252), can I have a third interface, not put it brctl
> and assign an IP of the private network (IP from RFC 1918) normally the
> bridge software should ignore it and I can put a nice Apache with RRD Tool,
> with MRTG, with any other nice tool to monitor bandwith and connections ?
Forget the bridging junk. Pick an ipaddress, assign it to both
interfaces and make sure you configure iptables to FORWARD traffic
comming from either side to the other. Additionally you can setup
whatever sort of traffic shaping you desire and/or implement a
transparent proxy.

-- 
Daniel Egger <egger@spotnic.de>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hi there,

It''s a good thought, Daniel, but he is restricted by his /30 network.
This means he only has two IPs, hence his need for a bridging device.

[ Gilles, you should be able to enter a static route from each of these
  hosts to an RFC1918 address on the bridge itself (as Stef Coene had
  suggested), and per http://bridge.sourceforge.net/docs/bridge.html.
  the ARP will work just fine--no need for static entries in ARP tables. ]

Setting the problem of the tiny network aside, I''m interested in your
suggestion, Daniel, that he use the same IP on both interfaces of the
box--I''ve not tried that before.

Do you have an example config?
Have you seen any problems with this configuration?

I''m going to have to try that out!  Thanks for the idea.

-Martin

 : > But if I wat to manage it remotely, AND if I have NO ip available (cause
 : > netmask is 255.255.255.252), can I have a third interface, not put it
brctl
 : > and assign an IP of the private network (IP from RFC 1918) normally the
 : > bridge software should ignore it and I can put a nice Apache with RRD
Tool,
 : > with MRTG, with any other nice tool to monitor bandwith and connections
?
 :
 : Forget the bridging junk. Pick an ipaddress, assign it to both
 : interfaces and make sure you configure iptables to FORWARD traffic
 : comming from either side to the other. Additionally you can setup
 : whatever sort of traffic shaping you desire and/or implement a
 : transparent proxy.
 :
 :

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

On Tuesday 31 December 2002 00:14, Martin A. Brown
wrote:
> Hi there,
>
> It''s a good thought, Daniel, but he is restricted by his /30
network.
> This means he only has two IPs, hence his need for a bridging device.
>
> [ Gilles, you should be able to enter a static route from each of these
>   hosts to an RFC1918 address on the bridge itself (as Stef Coene had
>   suggested), and per http://bridge.sourceforge.net/docs/bridge.html.
>   the ARP will work just fine--no need for static entries in ARP tables. ]
>
> Setting the problem of the tiny network aside, I''m interested in
your
> suggestion, Daniel, that he use the same IP on both interfaces of the
> box--I''ve not tried that before.
>
> Do you have an example config?
> Have you seen any problems with this configuration?
I tried it once on a firewall with 3 interfaces with the same ip-address and 
it worked very well.  You just have to be sure you configure the right 
routing.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

I''m doing this on a  LEAF box using bridge-cf-0.03 code from
bridge.sourceforge.net and htb on a Bering version of LEAF. Works well.

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
Behalf Of Martin A. Brown
Sent: 31 December 2002 01:16
To: Gilles Douillet
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] QoS (HTB) without IP address


Gilles,

Yes.  You can most certainly do so.

  http://lartc.org/howto/lartc.bridging.html
  http://lartc.org/howto/lartc.bridging.shaping.html

-Martin

 : Hi all,
 :
 : After a long reading of the LARTC, I were able to set up a working HTB
 : config on my firewall.
 :
 : But my question is :
 :
 : Can I use a "ip less" box to do QoS ? With bridging software (or
even
 : without?) or thing like this and use an u32 filter to direct the traffic
to
 : the right class ?
 :
 : In other words, I can''t modify the existing network config or inster
into
 : (netmask is 255.255.255.252) and I want to shape traffic before the
router.
 : (And the firewall can''t do bandwitdth managment...)
 :
 : Many thanks in advance and happy new year 2003 !
 :
 : G.
 :
 : _______________________________________________
 : LARTC mailing list / LARTC@mailman.ds9a.nl
 : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
 :

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

I think bridging is the best and simplest method. Bridging allows for
multiple interfaces in the same subnet while all other solutions assume a 2
interface scenario only.

Proxy ARP is a better if you want to implement firewalling. Either you can
set this up by hand or implement using parprouted (google to find location)
which is normally used to implement bridging in a wireless network where MAC
addresses cannot be propogated.

Mohan
-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
Behalf Of Daniel Egger
Sent: 31 December 2002 04:34
To: Gilles Douillet
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] QoS (HTB) without IP address


Am Mon, 2002-12-30 um 21.36 schrieb Gilles Douillet:
> But if I wat to manage it remotely, AND if I have NO ip available (cause
> netmask is 255.255.255.252), can I have a third interface, not put it
brctl
> and assign an IP of the private network (IP from RFC 1918) normally the
> bridge software should ignore it and I can put a nice Apache with RRD
Tool,
> with MRTG, with any other nice tool to monitor bandwith and connections ?
Forget the bridging junk. Pick an ipaddress, assign it to both
interfaces and make sure you configure iptables to FORWARD traffic
comming from either side to the other. Additionally you can setup
whatever sort of traffic shaping you desire and/or implement a
transparent proxy.

--
Daniel Egger <egger@spotnic.de>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Am Die, 2002-12-31 um 00.14 schrieb Martin A. Brown:
> Setting the problem of the tiny network aside, I''m interested in
your
> suggestion, Daniel, that he use the same IP on both interfaces of the
> box--I''ve not tried that before.
The ip (and thus the size of the network) is irrelevant; actually it
shouldn''t even matter if one has the same IP on all or interfaces IIRC.

My vision on the solution is unfortunately not really clear as we''re
doing a lot more perverted things as part of a bussiness solution
which could simplify the simple setup a lot (upside down, eh? :) ) 
> Do you have an example config?
What I''ve been doing at some point was to simply route traffic from
one interface to another and vice versa using the incomming interface
as selector for the iptable rules.

Another (and probably more flexible aproach) would be to mark incomming
from one interface with some mark, handle as if it was "normal"
traffic
inside the packet filters and then route the other interface based on
the firewall mark.
> Have you seen any problems with this configuration?
Yes, the first approach (we had taken originally) had the problem that
it was quite hard to intercept packets and handle them differently
like push them through an transparent proxy. Also (and this is nasty for
us) it''s almost impossible to run services on the "bridge"
and correctly
let them answer back to the client.

We''re doing it sort of differently now: We still have the same IP
on both interfaces and the machine is almost transparent, but we
only have one default route pointing to the net and several host routes
into the client net which are set up on demand. That way we have
a mixture of a router and a bridge but can still provide services on
the machine. We also have lots of special services on the machine 
automatically creating routes on demand and doing arp faking so
it might not work that well without...

-- 
Daniel Egger <egger@spotnic.de>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/