(List @ netfilter.org suggested that I post this here.)

I have 2 machines (A & B) behind a Linux Firewall (FW). I have 2 ethernet cards on the FW - eth0 talks to the internet, eth1 talks to machines A & B. Machine A has lots of inbound & outbound traffic while machine B doesn't.

It seems reasonable that I could add 2 new ethernet cards (eth2 & eth3) to the FW and by configuring iptables and/or routing tables force traffic on A to be handled by eth0/eth1 and traffic for B to be handled by eth2/eth3.

Can I do this? If possible, can someone please give explicit details.

Thank you,
Jeff Cordova

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Jeff,

[I rearranged your question a bit.]

: Can I do this? If possible, can someone please give explicit details.

Yes. In order to help you more, we'd need to know IP addresses, and also a bit more about why you think you need to add more NICs. Depending on what your answer is to that question, we can make a recommendation on whether you should simply use tc/fwmark with your existing hardware configuration to perform your traffic control or whether you really need to have more physical devices.

: I have 2 machines (A & B) behind a Linux Firewall (FW).
: I have 2 ethernet cards on the FW - eth0 talks to the internet, eth1 talks
: to machines A & B.
: Machine A has lots of inbound & outbound traffic while machine B doesn't.
: It seems reasonable that I could add 2 new ethernet cards (eth2 & eth3) to
: the FW and by configuring iptables and/or routing tables force traffic on A
: to be handled by eth0/eth1 and traffic for B to be handled by eth2/eth3.

If you are looking at reserving a certain amount of bandwidth for machine B while still allowing machine A the lion's share of the bandwidth, you are looking at a simple HTB setup on your eth0. I'd recommend reading up on HTB, queuing and so forth on the following sites for documentation:

  http://lartc.org/howto/   # -- broad docs on linux traffic control
  http://www.docum.org/     # -- more hands on docs (and intro)

HTB software: http://luxik.cdi.cz/~devik/qos/htb/

In short, you can use "tc filter" to select based on fwmark, source address, destination address, and a number of other criteria. This will allow you to place traffic from machine A or machine B into a particular class, thus reserving bandwidth for each one.

Is that what you were looking for?

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Martin,

Thanks for the pointers. I may have been too quick to suggest a "solution" before describing the problem I'm having. More specifically: machine A is an outbound emailer and machine B runs a website. When A is sending at high volume it can take up to 30 seconds to get an HTTP response from machine B. I naively assumed the solution was to install more NIC cards and build separate "channels" for A & B.

Here's my current setup:

    64.41.183.130 (eth0)   64.41.183.131 (eth2)
                     FW
              192.168.1.8 (eth1)
                     |
                    / \
                   /   \
                  /     \
                 A       B
         192.168.1.26  192.168.1.17

As for iptables, I currently include these two statements:

  -A PREROUTING -i eth0 -d 64.41.183.130 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.17:80
  -A PREROUTING -i eth2 -d 64.41.183.131 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.26:25

which presumably routes web traffic coming in on eth0 to the web server (machine B) and which routes smtp traffic coming in on eth1 to the email server (machine A). ASSUMING this is correct, I'd like to be able to turn this around and map outbound traffic from A through 64.130.183.130 and outbound traffic from B through 64.130.183.131.

Another naive assumption I have made is that eth1 could become a chokepoint and I could add eth3 with IP 192.168.1.9. So, that when everything was done, I would have these 2 channels:

  A <-> 192.168.1.8 <-> 64.131.183.131 (handles all inbound/outbound smtp traffic)
  AND
  B <-> 192.168.1.9 <-> 64.131.183.130 (handles all inbound/outbound http traffic)

I hope that provides enough details for you.

Thank you,
Jeff

-----Original Message-----
From: Martin A. Brown [mailto:mabrown-lartc@securepipe.com]
Sent: Monday, February 17, 2003 10:11 AM
To: Jeff Cordova
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] ROUTING, POSTROUTING, & Traffic Control
Jeff,

: I may have been too quick to suggest a "solution" before describing the
: problem I'm having. More specifically: machine A is an outbound emailer
: and machine B runs a website. When A is sending at high volume it can
: take up to 30 seconds to get an HTTP response from machine B. I naively
: assumed the solution was to install more NIC cards and build separate
: "channels" for A & B.

Chances are that the network interface card is not the bottleneck on your bandwidth. Chances are that it is something like a DSL line, or a T1, or maybe capped bandwidth on an upstream router. Whether you have one NIC or two facing the outside world, the problem revolves around both machines gluttonously gorging themselves on your bandwidth. Your router can divide access to bandwidth between machines A and B in a controllable manner.

<snipped diagram>

: As for iptables, I currently include these two statements:
:
: -A PREROUTING -i eth0 -d 64.41.183.130 -p tcp -m tcp --dport 80 -j
: DNAT --to-destination 192.168.1.17:80
: -A PREROUTING -i eth2 -d 64.41.183.131 -p tcp -m tcp --dport 25 -j
: DNAT --to-destination 192.168.1.26:25

Right--a little bit of DNAT never hurt anybody....

: which presumably routes web traffic coming in on eth0 to the web server
: (machine B) and which routes smtp traffic coming in on eth1 to the email
: server (machine A). ASSUMING this is correct, I'd like to be able to turn
: this around and map outbound traffic from A through 64.130.183.130 and
: outbound traffic from B through 64.130.183.131.

How's this:

  # POSTROUTING runs after the routing decision, so it can only match the
  # output interface (-o), never -i; matching on the private source is enough.
  -A POSTROUTING -s 192.168.1.17 -j SNAT --to-source 64.41.183.130
  -A POSTROUTING -s 192.168.1.26 -j SNAT --to-source 64.41.183.131

: Another naive assumption I have made is that eth1 could become a
: chokepoint and I could add eth3 with IP 192.168.1.9. So, that when
: everything was done, I would have these 2 channels:

<snipped diagram>

Jeff, I don't think this is the correct solution for your problem. I think what will be better for you is to understand how to apply HTB (or traffic control, more generally) to your problem. Here's an off-the-cuff suggestion, patterned closely after this common need (two or more bandwidth-hungry hosts competing over the available bandwidth):

  - add an HTB class with rate equal to your total outbound bandwidth, minus a bit so that you become the bottleneck (10%?, Stef?)
  - add two nested HTB classes with an SFQ qdisc (per Martin Devera's suggestion on the HTB site)
  - set the rate on each class to a fraction of your total bandwidth, and set the ceil (ceiling) on each class to the rate of the parent class
  - classify traffic from machine A into one class; classify traffic from machine B into the other class

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
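The four steps Martin lists, carried through for Jeff's addresses as an added example (not code from the thread or from either poster). It assumes eth0 is the uplink, A = 192.168.1.26 and B = 192.168.1.17; the 2048 kbit link speed, the 70/30 split and the small reserve class are constructed placeholders. It classifies by fwmark rather than by source address because Jeff's SNAT in nat/POSTROUTING has already rewritten the source to the public address by the time a packet reaches the eth0 qdisc, so a u32 match on 192.168.1.x there would never fire.

```shell
#!/bin/sh
# Added example, not from the thread: builds the HTB tree Martin describes
# for Jeff's hosts. Assumed: eth0 is the uplink, A = 192.168.1.26 (SMTP),
# B = 192.168.1.17 (HTTP). The 2048 kbit link speed, the 70/30 split and
# the 64 kbit reserve below are constructed placeholders; measure your own.
#
# htb_cmds prints the commands for review; apply_htb runs them (as root).

htb_cmds() {
    dev=$1 uplink_kbit=$2 host_a=$3 host_b=$4
    # Parent rate = uplink minus 10%: the firewall, not the upstream link,
    # must be the bottleneck, or HTB never has a queue to schedule.
    root_rate=$((uplink_kbit * 90 / 100))
    # Guaranteed shares; ceil on every leaf is the parent rate, so an idle
    # host lends its share to the busy one instead of wasting it.
    rate_other=64
    rate_a=$(( (root_rate - rate_other) * 70 / 100 ))
    rate_b=$((root_rate - rate_other - rate_a))
    cat <<EOF
# Mark in mangle/FORWARD, where the source is still the private address.
# Jeff's SNAT runs in nat/POSTROUTING, so at the eth0 qdisc the source is
# already 64.41.183.x and a u32 match on 192.168.1.x would never hit.
iptables -t mangle -A FORWARD -s $host_a -j MARK --set-mark 1
iptables -t mangle -A FORWARD -s $host_b -j MARK --set-mark 2
tc qdisc del dev $dev root 2>/dev/null || true
# Anything unmarked (the firewall's own traffic) lands in 1:30.
tc qdisc add dev $dev root handle 1: htb default 30
tc class add dev $dev parent 1: classid 1:1 htb rate ${root_rate}kbit ceil ${root_rate}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${rate_a}kbit ceil ${root_rate}kbit
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${rate_b}kbit ceil ${root_rate}kbit
tc class add dev $dev parent 1:1 classid 1:30 htb rate ${rate_other}kbit ceil ${root_rate}kbit
# SFQ under each leaf so one fat flow cannot starve its neighbours.
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $dev parent 1:30 handle 30: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
tc filter add dev $dev parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
EOF
}

# Apply once the printed commands look right; needs root and the htb module.
apply_htb() {
    htb_cmds "$@" | sh -e
}

# Usage: htb_cmds eth0 2048 192.168.1.26 192.168.1.17
```

After applying, `tc -s class show dev eth0` should show bytes accumulating in 1:10 while A is sending and in 1:20 while B is answering; if everything lands in 1:30, the marks are not being set before SNAT.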