I have a 64 Kbps leased line IDSL connection (with static IP address). My modem is connected to the server via a 10 Mbps Ethernet connection. The server currently runs Win2000 Pro with Internet Connection Sharing to provide Internet access to my private network (10 workstations). I also use an Apache Web server to host my company's web page on this server. This configuration provided good service until the number of workstations increased from 5 to 10 and Kazaa appeared. If a user starts a longer download, others can't access the Internet. So I'm considering switching from Win2000 to Linux and using some sort of traffic shaping. Furthermore, the internal network will have to be split into 2 subnets for privacy purposes.

What I want to achieve looks something like this:

1) Incoming traffic (outside surfers visiting the company web page) must have the highest priority, and probably, for some time, the web server will still have to run on Win2000, until some CGI web apps are ported to linux
2) The two internal subnets should have the same download priority, lower than incoming traffic
3) The available bandwidth should be equally split between any active internal users (if only 1 user is active, it should get all available bandwidth).

Can anyone tell me if I can achieve all that with a linux box and 3 NIC's?

I have no previous linux experience, but after googling for a day or two, I know this:
1) I will have to use IP Masquerading
2) It looks like I should use the Stochastic Fairness Queueing (SFQ) to shape outgoing traffic
3) I have no idea how to achieve requirement no. 1 (regarding incoming traffic to my web site before any other traffic)

Thanks in advance. Any suggestions are welcome, I don't expect anyone to solve the problem for me, maybe just some hints as to where I should look next...

______________________________________________________________________
Do you want a free e-mail for life?
Get it at http://www.personal.ro/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
On Wednesday 30 July 2003 19:04, Daniel Ardelian wrote:

This can be fun :) A windows guy playing with traffic shaping :)

> I have a 64 Kbps leased line IDSL connection (with static IP address). My
> modem is connected to the server via a 10 Mbps Ethernet connection. The
> server currently runs Win2000 Pro with Internet Connection Sharing to
> provide Internet access to my private network (10 workstations). I also use
> an Apache Web server to host my company's web page on this server. This
> configuration provided good service until the number of workstations
> increased from 5 to 10 and Kazaa appeared. If a user starts a longer
> download, others can't access the Internet. So I'm considering switching
> from Win2000 to Linux and using some sort of traffic shaping. Furthermore,
> the internal network will have to be split into 2 subnets for privacy
> purposes.
>
> What I want to achieve looks something like this:
>
> 1) Incoming traffic (outside surfers visiting the company web page) must
> have the highest priority, and probably, for some time, the web server will
> still have to run on Win2000, until some CGI web apps are ported to linux

You can put your web-server in your LAN and do port forwarding:

# Redirecting incoming traffic on port 80 to your web-server
# (eth1 is your internet NIC and 192.168.1.253 is your web-server ip address)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.253:80

> 2) The two internal subnets should have the same download priority, lower
> than incoming traffic

No problem.

> 3) The available bandwidth should be equally split between any active
> internal users (if only 1 user is active, it should get all available
> bandwidth).

No problem.

> Can anyone tell me if I can achieve all that with a linux box and 3 NIC's?
>
> I have no previous linux experience, but after googling for a day or two,
> I know this:
> 1) I will have to use IP Masquerading
> 2) It looks like I should use the Stochastic Fairness Queueing (SFQ) to
> shape outgoing traffic

Not really.

> 3) I have no idea how to achieve requirement no. 1 (regarding incoming
> traffic to my web site before any other traffic)
>
> Thanks in advance. Any suggestions are welcome, I don't expect anyone to
> solve the problem for me, maybe just some hints as to where I should look
> next...

Ok, first of all, you can only shape outgoing traffic. If you have 3 nic's and want to shape traffic from the internet to you, this can be a problem. But you can patch the kernel so you can create a virtual imq device. And with simple iptables commands, you can redirect all incoming packets from the internet to this imq device. The good news is you can shape on that imq device.

For the shaping part (once you have all the traffic entering the imq device), you have to create 3 classes: one for the web-server, one for subnet 1 and one for subnet 2. The only problem you will have is splitting the traffic. Incoming traffic has the src address of the firewall so you can not use the src address to filter.

The classes can be htb or cbq class. But I suggest you go for htb. To create the htb classes, see lartc.org and docum.org

Good luck :)

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
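The layout Stef sketches above (DNAT to the LAN web server, all inbound packets redirected to an IMQ device, three HTB classes with SFQ under the subnet classes), written out as an added example that is not code from the thread. eth1 as internet NIC and the web server 192.168.1.253 come from the reply; imq0, the two subnets 192.168.1.0/24 and 192.168.2.0/24, the rate split, and the placement of the IMQ hook after NAT on the ingress path (older IMQ patches hook before NAT, which is the splitting problem Stef mentions) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. eth1 (internet NIC) and the web
# server 192.168.1.253 are taken from the reply above; imq0, the subnets
# 192.168.1.0/24 and 192.168.2.0/24, and the rate split are assumptions.
# Also assumed: the IMQ hook sits after NAT on the ingress path, so the tc
# filters see private destination addresses (older IMQ patches hook before
# NAT, and then the per-subnet split needs a different classifier).
LINK_KBIT=${LINK_KBIT:-64}                 # the 64 Kbps IDSL line
WAN=eth1; IMQ=imq0; WEB=192.168.1.253
SUB_A=192.168.1.0/24; SUB_B=192.168.2.0/24

# DRY_RUN=1 prints the commands instead of executing them (no root needed)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Guaranteed rates: web class gets half the line, each subnet a quarter; the
# ceil on every class lets a lone active class borrow the whole line.
web_rate()    { echo $((LINK_KBIT / 2)); }
subnet_rate() { echo $((LINK_KBIT / 4)); }
forward_web() {
  # Outside visitors on port 80 are handed to the LAN web server (as in the reply).
  run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to "$WEB:80"
}

shape_ingress() {
  # Every packet arriving from the internet is queued on imq0, where it can be
  # shaped like egress traffic; unclassified packets land in class 1:30.
  run iptables -t mangle -A PREROUTING -i "$WAN" -j IMQ --todev 0
  run ip link set "$IMQ" up
  run tc qdisc add dev "$IMQ" root handle 1: htb default 30
  run tc class add dev "$IMQ" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit"
  # 1:10 web server, highest priority; 1:20 and 1:30 the two subnets, equal priority
  run tc class add dev "$IMQ" parent 1:1 classid 1:10 htb \
      rate "$(web_rate)kbit" ceil "${LINK_KBIT}kbit" prio 0
  for id in 20 30; do
    run tc class add dev "$IMQ" parent 1:1 classid 1:$id htb \
        rate "$(subnet_rate)kbit" ceil "${LINK_KBIT}kbit" prio 1
    # SFQ inside each subnet class shares that class fairly between active hosts
    run tc qdisc add dev "$IMQ" parent 1:$id handle $id: sfq perturb 10
  done
  run tc filter add dev "$IMQ" parent 1: protocol ip prio 1 u32 \
      match ip dst "$WEB" match ip dport 80 0xffff flowid 1:10
  run tc filter add dev "$IMQ" parent 1: protocol ip prio 2 u32 match ip dst "$SUB_A" flowid 1:20
  run tc filter add dev "$IMQ" parent 1: protocol ip prio 2 u32 match ip dst "$SUB_B" flowid 1:30
}

case "${1:-}" in
  show)  DRY_RUN=1; forward_web; shape_ingress ;;   # print the plan
  apply) forward_web; shape_ingress ;;              # needs root and the IMQ patch
esac
```

`sh script.sh show` prints the full command list without touching the kernel; `apply` needs root, iproute2 and an IMQ-patched kernel.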
Stef Coene wrote:
> Ok, first of all, you can only shape outgoing traffic. If you have 3 nic's
> and want to shape traffic from the internet to you, this can be a problem. But
> you can patch the kernel so you can create a virtual imq device. And with
> simple iptables commands, you can redirect all incoming packets from the
> internet to this imq device. The good news is you can shape on that imq
> device.

I've noticed as of late, everyone saying 'you can't shape incoming traffic' but the best solution is to use the imq device.

what happened to ingress/policer usage? is this not recommended anymore?

I know it doesn't do as efficient a job as the normal egress methods, but is imq a lot better? when does imq become necessary instead of cbq/htb and ingress?

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer          email: damion@snapgear.com
SnapGear                                    ph:    +61 7 3435 2809
Custom Embedded Solutions                   fax:   +61 7 3891 3630
and Security Appliances                     web:   http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Good questions Damion,

 : I've noticed as of late, everyone saying 'you can't shape incoming
 : traffic' but the best solution is to use the imq device.

Well....(you'll love this) the reason everyone is saying "you can't shape incoming traffic" is because you can't shape incoming traffic (without IMQ).

Well, in short, what we're really saying is that you can't control what you receive (without IMQ). As the recipient of frames/packets, you have no control over how fast they arrive in your device's input queue.

 : what happened to ingress /policer usage? is this not recommended
 : anymore?

There's nothing at all wrong with using an ingress policer. I don't believe it's possible to attach any classes to the ingress qdisc*. That is, the ingress qdisc only exists to allow the user to police inbound traffic.

So, using the ingress qdisc as a dummy qdisc against which to attach a policing filter (which drops traffic over a given rate) is the only use of the ingress qdisc.

 : I know it doesn't do as efficient job as the normal egress
 : methods, but is imq a lot better ?

IMQ allows the full expressiveness of the entire set of linux traffic control tools (from egress filtering) to be applied to

  - ingress traffic redirected through the IMQ device and
  - traffic split across any number of interfaces regardless of flow direction

 : when does imq become necessary instead of cbq/htb and ingress?

IMQ becomes necessary when

  - needing to shape or prioritize traffic on multiple interfaces as a single unit
  - desiring to shape or prioritize ingress traffic beyond policing a rate
  - needing to shape or prioritize traffic regardless of flow direction

-Martin

* Maybe somebody will step in and contradict me here?

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
On Thursday 31 July 2003 10:00, Martin A. Brown wrote:
> Well....(you'll love this) the reason everyone is saying "you can't shape
> incoming traffic" is because you can't shape incoming traffic (without
> IMQ).

Well, I shape incoming traffic without IMQ (:
I put my bandwidth.manager on top of every router in my organization, so all traffic coming or leaving my organization must be processed by my bandwidth.manager first..

> Well, in short, what we're really saying is that you can't control what
> you receive (without IMQ). As the recipient of frames/packets, you have
> no control over how fast they arrive in your device's input queue.

In my bandwidth.manager eth0 would be for the upgoing packets that need to be managed, while eth1 would be for the incoming packets to my LAN network.

Regards,
Rio Martin.
-- 
Game of love, we play, we win only to lose.
On Thursday 31 July 2003 05:00, Martin A. Brown wrote:
> Good questions Damion,
>
> : I've noticed as of late, everyone saying 'you can't shape incoming
> : traffic' but the best solution is to use the imq device.
>
> Well....(you'll love this) the reason everyone is saying "you can't shape
> incoming traffic" is because you can't shape incoming traffic (without
> IMQ).
>
> Well, in short, what we're really saying is that you can't control what
> you receive (without IMQ). As the recipient of frames/packets, you have
> no control over how fast they arrive in your device's input queue.

You can shape outgoing packets because they are queued in a buffer before they are sent out. You can shape because you can reorder packets in that buffer. Incoming packets are not buffered, so you can't change the order.

> : what happened to ingress /policer usage? is this not recommended
> : anymore?
>
> There's nothing at all wrong with using an ingress policer. I don't
> believe it's possible to attach any classes to the ingress qdisc*. That
> is, the ingress qdisc only exists to allow the user to police inbound
> traffic.
>
> So, using the ingress qdisc as a dummy qdisc against which to attach a
> policing filter (which drops traffic over a given rate) is the only use of
> the ingress qdisc.

Indeed. And policing is not shaping. Policing is rate limiting while shaping can do more. For example, shaping can borrow unused bandwidth in a controlled way between different flows.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
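The ingress-qdisc policer that Martin and Stef describe in the two messages above, as an added example that is not code from the thread: a classless ingress qdisc with one policing filter that drops everything over a rate, which is all it can do. eth1 as internet NIC and the 10% headroom under the 64 kbit line rate are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the ingress-qdisc policer that
# Martin and Stef describe, for contrast with IMQ shaping. eth1 as internet
# NIC and the 10% headroom below the 64 kbit line rate are assumptions.
LINK_KBIT=${LINK_KBIT:-64}
WAN=eth1
# DRY_RUN=1 prints the commands instead of executing them (no root needed)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Police a little below the line rate so that this policer, which drops
# early, is the bottleneck rather than the queue on the provider's side.
police_rate() { echo $((LINK_KBIT * 9 / 10)); }          # 64 -> 57 kbit/s
# Burst of roughly one second of data at line rate, in whole kilobytes.
burst_kb()    { echo $(( (LINK_KBIT + 7) / 8 )); }       # 64 -> 8 kB

police_ingress() {
  # The ingress qdisc has no classes and queues nothing; it only exists to
  # hang policing filters on, so each packet is either passed or dropped.
  run tc qdisc add dev "$WAN" handle ffff: ingress
  run tc filter add dev "$WAN" parent ffff: protocol ip prio 50 u32 \
      match ip src 0.0.0.0/0 police rate "$(police_rate)kbit" burst "$(burst_kb)k" drop flowid :1
}

# Remove the policer again (e.g. before switching over to IMQ shaping)
unpolice_ingress() { run tc qdisc del dev "$WAN" handle ffff: ingress; }

case "${1:-}" in
  show)  DRY_RUN=1; police_ingress ;;   # print the commands only
  apply) police_ingress ;;              # needs root and iproute2
  off)   unpolice_ingress ;;
esac
```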
On Thursday 31 July 2003 05:55, Rio Martin. wrote:
> On Thursday 31 July 2003 10:00, Martin A. Brown wrote:
> > Well....(you'll love this) the reason everyone is saying "you can't shape
> > incoming traffic" is because you can't shape incoming traffic (without
> > IMQ).
>
> Well, I shape incoming traffic without IMQ (:
> I put my bandwidth.manager on top of every router in my organization,
> so all traffic coming or leaving my organization must be processed by my
> bandwidth.manager first..

If I understand correctly, you have 1 router with 2 nics. So you shape incoming traffic on nic1 by shaping outgoing traffic on nic2. This is fine for your setup, but if you have 3 nic's and you are running some services on the router, you will have a problem.

> > Well, in short, what we're really saying is that you can't control what
> > you receive (without IMQ). As the recipient of frames/packets, you have
> > no control over how fast they arrive in your device's input queue.
>
> In my bandwidth.manager eth0 would be for the upgoing packets that need to be
> managed, while eth1 would be for the incoming packets to my LAN network.

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
On Thursday 31 July 2003 16:46, you wrote:
> If I understand correctly, you have 1 router with 2 nics. So you shape
> incoming traffic on nic1 by shaping outgoing traffic on nic2. This is fine
> for your setup, but if you have 3 nic's and you are running some services on the
> router, you will have a problem.

If I want to add more services, I will ask my boss to prepare another PC for those services, simple isn't it? (:
It would be better and won't interfere with the performance of the bandwidth manager ..

Regards,
Rio Martin.
-- 
Game of love, we play, we win only to lose.
On Thursday 31 July 2003 12:00, Rio Martin. wrote:
> On Thursday 31 July 2003 16:46, you wrote:
> > If I understand correctly, you have 1 router with 2 nics. So you shape
> > incoming traffic on nic1 by shaping outgoing traffic on nic2. This is
> > fine for your setup, but if you have 3 nic's and you are running some services
> > on the router, you will have a problem.
>
> If I want to add more services, I will ask my boss to prepare another PC for
> those services, simple isn't it? (:
> It would be better and won't interfere with the performance of the bandwidth manager
> ..

It's best if you have a dedicated shaper in bridge mode behind your firewall. So all traffic passes thru the shaper and the shaper sees the real ip addresses. If the shaper is in bridge mode, you don't have to change your network topology. And you can even remove the shaper for tests/repairs without interrupting your network.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net