INTRO

I want to set up some traffic control and don't know where to start... I'm happy to do some reading but need some pointers in the right direction to get me started... I'll explain what I'm doing below so you can make your best recommendations based on my skill level.

THE PROBLEM

I have set up a poptop pptp vpn server. I've done this so that clients behind firewalls can use netmeeting to talk to each other. (ie: Each user connects to the VPN server then connects netmeeting from point to point using the private ip that the poptop pptp vpn assigns each client)

Netmeeting will use up as much bandwidth as it can. (As I understand it)

I want to be able to restrict each vpn tunnel to xk (where xk might be 128kbits or less).

I also want to be able to stop users from using any ports on the vpn tunnel other than the ones required by netmeeting and port 80.

ABOUT ME

I'm a newbie to linux who's bitten off 100% more than I can chew but I'm getting there slowly... I just worked out how to set up poptop with lots of help. I have read all about compiling kernels but I still haven't got this sused. I don't mind doing the reading if people just point me to material that's relevant.

I've been following this mailing list for a while but I'm fairly lost as to what most of it's about - I learn best by just having a go.... so that's what I'm doing :)

Thanks in advance

Cheers DiG

-- 
Don Gould
The technology exists to give every home 10mbits per second for $10 per month!
http://sourceforge.net/donate/ - Give a little and watch the love grow!
www.skype.com - sorry it's not a linux tool but it's very kewl! Wish a linux guru would make something for nix as good as this!
news@dslprime.com - Best information about DSL technology and trends I've found yet.
http://www.linuxforum.com/forums/ - need I say more? :)
http://australianit.news.com.au/ - My fav IT news site.
http://tusker.org/gallery/GouldWedding - We got married...
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Don,

: I want to set up some traffic control and don't know where to start...

I'll copy my own comments from the LARTC FAQ (o-Matic) [0].

[ begin from FAQ ]

In addition to the lartc.org HOWTO itself, I'd suggest some introductory reading....first my own traffic control overview (and some links to other documentation):

  http://tldp.org/HOWTO/Traffic-Control-HOWTO/
  http://tldp.org/HOWTO/Traffic-Control-HOWTO/links.html

An alternative introduction is Leonardo Balliache's pages:

  http://opalsoft.net/qos/DS.htm

Werner Almesberger's still relevant implementation overview of 1999 warrants (and rewards) careful study:

  http://www.almesberger.net/cv/papers.html
  http://www.almesberger.net/cv/papers/tcio8.pdf

Once you have an understanding of the entire traffic control system, the easiest way to some practical configurations is with the tcng software:

  http://tcng.sourceforge.net/

The tcng software reads a structured configuration file, where the "tc" command line utility is documented in parts of documents all over the 'net.

[ end from FAQ ]

I'd suggest my Traffic Control HOWTO and Werner's pages for you until you have a rough idea of the entire system. Once you understand the system, head over to the LARTC site [1] to get some detailed help on what commands to use. Also never forget that Stef Coene has a large set of pages [2] which detail HTB and traffic control generally in an excellent fashion.

: (ie: Each user connects to the VPN server then connects netmeeting from
: point to point using the private ip that the poptop pptp vpn assigns
: each client)

Neat idea.

: Netmeeting will use up as much bandwidth as it can. (As I understand
: it)

So will a bulk file download. ;-)

: I want to be able to restrict each vpn tunnel to xk (where xk might be
: 128kbits or less).

You'll probably want to use an HTB tree with a child class where rate=ceil=128kbit for each of your clients...but you'll probably get some ideas of your own as you familiarize yourself with the tools.

: I also want to be able to stop users from using any ports on the vpn
: tunnel other than the ones required by netmeeting and port 80.

Use iptables. The iptables tutorial [3] will help you here.

: I have read all about compiling kernels but I still haven't got this
: sused.

This makes no sense to me. What means this verb "sused"? Is that what happens when an admin leaves, dropping a lousy old crufty SuSe box in your lap? ( "I've been Sused!" ?? )

In seriousness, though, what distribution and kernel are you using? It is likely if you have a recent installation that you have everything you need already (with the possible exception of an HTB-capable tc).

-Martin

[0] http://www.docum.org/stef.coene/qos/faq/cache/
    http://www.docum.org/stef.coene/qos/faq/cache/46.html
[1] http://lartc.org/
    http://lartc.org/howto/
[2] http://docum.org/
[3] http://iptables-tutorial.frozentux.net/

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Thanks for the help so far...

> : (ie: Each user connects to the VPN server then connects netmeeting from
> : point to point using the private ip that the poptop pptp vpn assigns
> : each client)
>
> Neat idea.

Thanks. It works quite well with VPN off a NT4 machine but I wanted to do it all on a nix machine :) Talk about make things hard though... getting RRAS working on NT took an hour.

> : I want to be able to restrict each vpn tunnel to xk (where xk might be
> : 128kbits or less).
>
> You'll probably want to use an HTB tree with a child class where
> rate=ceil=128kbit for each of your clients...but you'll probably get
> some ideas of your own as you familiarize yourself with the tools.

Before I got your message I spent a couple of hours reading chapter 9 of the howto at lartc.org. The HTB option makes sense in concept to me...

Can you provide some example syntax for me given the following...

Lan Testing...

I have set up poptop with a local IP of 192.168.1.6 and remote IP of 192.168.1.200-250

I have 2 windows machines (XP Home & Win2k server) connecting as clients. They come up as ppp0:192.168.1.200 and ppp1:192.168.1.201 when I check using ifconfig.

The machines are all connected to a 10bit hub

I would like to slow the connections to 56kbits

Internet Testing...

On Monday Telecom NZ will deliver the second of 2 128k ADSL connections. I will then put the two WIN machines on Inet1 and the linux box on Inet2.

I would like to slow the connections to 56kbits - this should mean that Inet1 and 2 both have 112kbits running across them.

Does this all make sense?

As I understand it the HTB works by limiting the 'outgoing' data and not the incoming data and the limits will be placed on the ppp sessions and not the eth0.

How do I make the limiting start when the ppp session comes up?

> : I also want to be able to stop users from using any ports on the vpn
> : tunnel other than the ones required by netmeeting and port 80.
>
> Use iptables. The iptables tutorial [3] will help you here.

I suspected you were going to say as much... iptables is next on my learning curve!

> : I have read all about compiling kernels but I still haven't got this
> : sused.
>
> This makes no sense to me. What means this verb "sused"?

I might not have spelt it right. Like the English use the word 'sorted' as in "I don't have the problem sorted out." In other words, "I understand the theory of compiling a kernel but I haven't done it in practice". :) Sorry for using slang on an international forum :)

> Is that what happens when an admin leaves, dropping a lousy old crufty SuSe box
> in your lap? ( "I've been Sused!" ?? )

heheheh :)

> In seriousness, though, what distribution and kernel are you using? It is likely if you
> have a recent installation that you have everything you need already
> (with the possible exception of an HTB-capable tc).

I'm using Rethat 9 with kernel 2.4.20-8.

Thanks again for your assistance.

Cheers DiG

-- 
Don Gould
Hello Doug,

: Before I got your message I spent a couple of hours reading chapter 9
: of the how to at lartc.org. The HTB option makes sense in concept to
: me...

Right....good...LARTC doc is quite good, though occasionally dense.

: Can you provide some example syntax for me given the following...

I'll refrain until you have a more fully-formed scenario. Since you are new to Linux traffic control, let me suggest that you consider using tcng (I'm a big fan--it's much more human-legible than raw tc syntax). See my tcng and HTB HOWTO [0].

[ snip ]

: As I understand it the HTB works by limited the 'outgoing' data and not
: the incomming data and the limits will be placed on the ppp sessions
: and not the eth0.

Premise: You can only shape what you transmit [1]. (Yes, exceptions to this rule exist.)

: How do I make the limiting start when the ppp session comes up?

Good question.....this will probably require some glue code. Shell, perl, whatever you like. Others may have better suggestions. In short, the traffic control structures inside the kernel are static--they can be manipulated (added/removed), although my impression (and my own usage) relies on creating a static traffic control configuration. Regardless, if you can hook into an "ip-up" or "if-up" script on your PPTP server, then you can write raw tc commands which create the traffic control structures (and iptables, hint...hint) for each connection.

: I'm using Rethat 9 with kernel 2.4.20-8.

Retchhat? (I never stop with the teasing, do I?)

If you choose to use tcng, you may end up needing dsmark. That's easy with RedHat boxen in the post 2.4.20 world. "modprobe dsmark" works very well. Almost everything you'll need is built as a module for your use. You will, however need a custom "tc". I have a now-outdated SRPM you can use as a template for rebuilding against the recently issued iproute errata package [2], or you can use the binary provided by Martin Devera (author of HTB) [3].

-Martin

[0] http://tldp.org/HOWTO/Traffic-Control-tcng-HTB-HOWTO/
[1] http://tldp.org/HOWTO/Traffic-Control-HOWTO/rules.html
[2] http://linux-ip.net/traffic-control/iproute-2.4.7-7.src.rpm *
[3] http://luxik.cdi.cz/~devik/qos/htb/
    http://luxik.cdi.cz/~devik/qos/htb/v3/htb3.6-020525.tgz

* You can use this as an example, but please understand that it is grossly out of date. If you don't know how to build SRPMS, just skip it and grab Martin Devera's "tc".

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
On Thu, 18 Dec 2003 17:21:46 -0600 (CST), Martin A. Brown wrote

> Hello Doug,

Hi MartiUG :)

> : Can you provide some example syntax for me given the following...
>
> I'll refrain until you have a more fully-formed scenario.

bugger... having done lots of reading yesterday the one thing I learnt about htb is that I'm going to need some help! :)

> Since you are new to Linux traffic control, let me suggest that you consider
> using tcng (I'm a big fan--it's much more human-legible than raw tc syntax).
> See my tcng and HTB HOWTO [0].

Hummm.... let's stick to one system at a time? Having read all about HTB yesterday I do actually understand most of it I think... Just not sure how I'm going to bind the bits to ppp yet...

> : How do I make the limiting start when the ppp session comes up?
>
> Good question.....this will probably require some glue code. Shell,
> perl, whatever you like. Others may have better suggestions. In
> short, the traffic control structures inside the kernel are static-
> -they can be manipulated (added/removed), although my impression
> (and my own usage) relies on creating a static traffic control
> configuration. Regardless, if you can hook into an "ip-up" or "if-
> up" script on your PPTP server, then you can write raw tc commands
> which create the traffic control structures
> (and iptables, hint...hint) for each connection.

I spent some time this morning looking at ip-up.local and its parameters. I can see I can get the pppX, local and remote ip numbers.

My current thinking is that I just add a line to the script to 'add'/bind the new ip when the connection goes live, then add a line to ip-down.local to remove the rule when the link goes down.

So how about this...?...

  # In ip-up.local
  # The root qdisc handle is just the major number "1:"; the class and
  # filter hang off it as parent "1:". <X> must be non-zero, since
  # "1:0" names the qdisc itself, not a class.
  tc qdisc add dev ppp<X> root handle 1: htb
  tc class add dev ppp<X> parent 1: classid 1:<X> htb rate 56kbit ceil 56kbit
  tc filter add dev ppp<X> parent 1: protocol ip prio 1 u32 \
      match ip dst <X-remoteIP> flowid 1:<X>

How do I remove all this when the ppp connection goes off line?

Cheers DiG

-- 
Don Gould
http://marc.theaimsgroup.com/?l=poptop-server&r=1&w=2 - For all your poptop needs.
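Not part of the thread: one way to write the ip-up.local / ip-down.local glue Martin describes, and to answer the teardown question above, as an added shell example. It assumes pppd's standard argument order (interface, tty, speed, local IP, remote IP) is what Red Hat's /etc/ppp/ip-up hands to the .local scripts; the class number 1:10 and the RATE and TC variables are my own choices, not anything from the list.

```shell
#!/bin/sh
# Added example (not from the thread): pppd ip-up.local / ip-down.local glue
# that caps each PPTP tunnel at RATE with HTB and tears the tree down on hangup.
# Assumed argument order, as pppd passes it through Red Hat's /etc/ppp/ip-up:
#   $1=interface (pppN)  $2=tty  $3=speed  $4=local IP  $5=remote IP
RATE="${RATE:-56kbit}"
TC="${TC:-tc}"   # set TC=echo to dry-run without root or an HTB-capable tc

# Build one HTB tree per ppp device: a root qdisc whose default class 1:10
# is capped at RATE (rate=ceil, so no borrowing), plus a u32 filter that
# explicitly steers traffic for the peer's IP into that class. Only what
# this box transmits into the tunnel is shaped; the peer's own uploads
# are not under our control here.
shape_up() {
    dev=$1
    remote=$5
    # Clear any leftover tree from an earlier session that reused this name.
    $TC qdisc del dev "$dev" root 2>/dev/null
    $TC qdisc add dev "$dev" root handle 1: htb default 10
    $TC class add dev "$dev" parent 1: classid 1:10 htb rate "$RATE" ceil "$RATE"
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip dst "$remote" flowid 1:10
}

# Deleting the root qdisc removes its classes and filters with it, so one
# command undoes everything shape_up created.
shape_down() {
    $TC qdisc del dev "$1" root
}

# pppd runs ip-up.local and ip-down.local with the same arguments, so one
# file can be linked under both names and pick its action by script name.
case "$(basename -- "$0")" in
    ip-up.local)   shape_up "$@" ;;
    ip-down.local) shape_down "$@" ;;
esac
```

Run it with TC=echo first to see the exact tc commands it would issue for a given ppp device; any iptables rules for the port restriction would hook in at the same two points.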