Hello everybody,

Yesterday I faced a problem with the shaper I use. Here's my topology, and I'll describe the problem after the topology.

  10.0.1.0/24        10.0.1.100 eth0  eth1      eth0  10.0.1.1  eth1
+-------------+      +-------------+     +------------------+       +--------------+
|  Internal   |      |             |     |  Traffic shaper  |       |              |
|  Network    |----->| Squid proxy |---->|      Bridge      |------>|   Firewall   |
|             |      |             |     |                  |       |              |
+-------------+      +-------------+     +------------------+       +--------------+

Well, this is the http and ftp traffic flow on my network. Some of my users used to download huge files from the web.
Is there any way to slow down specific IP addresses even if they connect through the proxy?
For example, I want to slow down the requests made from 10.0.1.51, but only that host. If I apply a filter for that IP it does not make any sense, because in fact the proxy is making the connection for that host.
Has anybody else faced this problem?
Any ideas or suggestions?

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

If you're using Squid for the proxy service, check out the docs; it has the ability to limit bandwidth for specific IPs, classes, etc.

Regards,
Radu

Σταμάτης Κεκές wrote:
> Is there any way to slow down specific IP addresses even if they connect
> through the proxy?
> For example, I want to slow down the requests made from 10.0.1.51, but
> only that host.

-----
Radu-Mihail Obada

Hello Radu,

Well, I found the delay pools in the Squid configuration. I need to know if there's any alternative way to slow down the traffic for a specific IP address without modifying anything in the proxy server.

Radu-Mihail Obada wrote:
> If you're using Squid for the proxy service, check out the docs; it has
> the ability to limit bandwidth for specific IPs, classes, etc.
> Regards,
> Radu

Yes, I am having the same problem. If I get it fixed in time, I'll post my script. Unfortunately, delay pools in Squid weren't as effective as the HTB; I am trying to use steff's IMQ with iptables, which should solve the problem. You could search the LARTC archives, though I am yet to find someone that had the problem and posted a solution to it.

CJ

> If you're using Squid for the proxy service, check out the docs; it has
> the ability to limit bandwidth for specific IPs, classes, etc.
> Regards,
> Radu

Why not change your topology so that you have

Firewall----------------->Shaper-------------->Proxy------------->Internet

This way you have more control over the traffic. Admittedly, you are not truly shaping the total bandwidth available to you (some of the traffic will be returning to your clients from the proxy without ever going out to the internet) but maybe with some tweaking of the traffic shaping you can allow for this?

Leigh

Heloooo :-)

Well, this is a good opinion, but what happens when somebody makes a big request? The proxy will be unshaped, thus it will allocate the whole line.
A good option is to place another shaper between the proxy and the internet.
To make it simpler, place the proxy in our DMZ, and place another shaper for the DMZ.
Thanks for the advice, my friend.

Best regards
Stamatis

Leigh Waldie wrote:
> Why not change your topology so that you have
>
> Firewall----------------->Shaper-------------->Proxy------------->Internet
>
> This way you have more control over the traffic. Admittedly, you are not truly shaping
> the total bandwidth available to you (some of the traffic will be returning to your
> clients from the proxy without ever going out to the internet) but maybe with some
> tweaking of the traffic shaping you can allow for this?
>
> Leigh

> Heloooo :-)
> Well, this is a good opinion, but what happens when somebody makes
> a big request? The proxy will be unshaped, thus it will allocate the whole
> line.

Perhaps you need to put the shaping on the same machine as the proxy; this should allow you to mark the packets (I think Squid can do this) and shape them accordingly?

> A good option is to place another shaper between the proxy and the
> internet.
> To make it simpler, place the proxy in our DMZ, and place another
> shaper for the DMZ.
> Thanks for the advice, my friend.
> Best regards
> Stamatis

Leigh Waldie wrote:
>> Heloooo :-)
>> Well, this is a good opinion, but what happens when somebody makes
>> a big request? The proxy will be unshaped, thus it will allocate the whole
>> the line.
>
> Perhaps you need to put the shaping on the same machine as the proxy; this should allow
> you to mark the packets (I think Squid can do this) and shape them accordingly?

Well, I want them separate. Anyway, I'll add 2 more interfaces on the current shaper and build another bridge which will shape my DMZ, and then tighten the shaping policy.
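
Added example, not part of the original thread: on the leg between the clients and Squid, download data still carries the client's own address as its destination, so an HTB class with a u32 destination filter can single out 10.0.1.51 there, whereas a shaper on the Internet side of Squid only ever sees 10.0.1.100. The sketch applies to the client-facing interface of a shaper placed between clients and proxy, or of the proxy machine itself, as Leigh suggests. The interface name, rates and class ids are assumptions, and the script only prints the tc commands unless TC=tc is set.

```sh
#!/bin/sh
# Added example: per-client HTB shaping on the interface that faces the clients.
# Constructed values: interface name, rates and class ids are assumptions.
TC="${TC:-echo tc}"      # dry run by default (prints commands); TC=tc applies them as root
DEV="${DEV:-eth0}"       # assumed name of the client-facing interface
LINK="${LINK:-100mbit}"  # assumed capacity of that interface

# Root qdisc, parent class, and a default class (1:10) for every host
# that has no limit of its own.
shaper_base() {
    $TC qdisc add dev "$DEV" root handle 1: htb default 10
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK"
    $TC class add dev "$DEV" parent 1:1 classid 1:10 htb rate 1mbit ceil "$LINK"
}

# limit_host IP RATE MINOR
# Caps traffic travelling *towards* IP (its downloads) at RATE, in class 1:MINOR.
limit_host() {
    ip="$1"; rate="$2"; minor="$3"
    # Refuse anything that is not digits and dots before it reaches tc.
    case "$ip" in
        ""|*[!0-9.]*) echo "limit_host: not an IPv4 address: $ip" >&2; return 1 ;;
    esac
    # rate == ceil: the class may not borrow spare bandwidth from its parent.
    $TC class add dev "$DEV" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$rate"
    # SFQ shares the capped rate fairly between the host's own connections.
    $TC qdisc add dev "$DEV" parent "1:$minor" handle "$minor:" sfq perturb 10
    # Match on destination address: the proxy is the source on this leg.
    $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip dst "$ip/32" flowid "1:$minor"
}

shaper_base
limit_host 10.0.1.51 256kbit 20
```

Because the filter matches the destination address, it limits what is delivered to the client, including objects served from the proxy's cache.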