LARTC - Feb 2004 - RE: RE: LARTC digest, Vol 1 #1564 - 6 msgs

Hi Martin,

The scenario I am working on is the second one - there is one internal
network and two ISPs.
How can I do fwmark based on the outgoing interface? Remember that there
is just one physical WAN interface, with two IP addresses. Is it
possible to fwmark somehow based on the routing decision?

Thanks
Aron


-----Original Message-----
From: Martin A. Brown [mailto:mabrown-lartc@securepipe.com] 
Sent: Friday, January 30, 2004 12:00 AM
To: Aron Brand
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] RE: LARTC digest, Vol 1 #1564 - 6 msgs

Aron,

 : If I understand whay you are suggesting, there is a problem in your
 : design: It will only work if you use Hide NAT.

...and multiple public IPs.

 : The problem is that the ip_src == IP0 rule is wrong: The ip_src is
not
 : changed by the router and it is not equal to the IP of any of the
 : machine interfaces.

OK--maybe the ''ip_src == IP0'' rule is not applicable to your
situation,
but that doesn''t make it wrong.  You describe a different network
configuration than I was envisioning based on Gordan''s description.

 : Can you think of a solution that will work in the following
reasonable
 : scenario:

I can try!

 : Lets say I have two T1 internet connections connected to one ethernet
 : interface. I do not use Hide-NAT. I want to guarantee at least
512kbps
 : to HTTP traffic on each line (separately) in the ''virtual
circuit''
 : method that you mentioned.

Are you pushing different networks across each T1?  If you have
Network-A from ISP-A and Network-B from ISP-B, then you have different
addresses to use in your configuration.

See an untested configuration with some fabricated addresses and
netmasks below.

  #define NETA 216.109.118.64
  #define NETAMASK 28

  #define NETB 63.209.4.192
  #define NETBMASK 27

  dev eth0 {
      egress {
          class ( <$neta> )  if ip_src:NETAMASK == NETA/NETAMASK ;
          class ( <$netb> )  if ip_src:NETBMASK == NETB/NETBMASK ;
          htb () {
            $neta = class ( rate 512kbps, ceil 512kbps ) ;
             $netb = class ( rate 512kbps, ceil 512kbps ) ;
          }
      }
  }


I would think this should provide a skeleton configuration for limiting
outbound (transmitted) traffic originating from separate IP networks on
the same host.

 : I see no way do do this unless I can attach a qdisc to a specific
 : virtual interface.

If you are using a single IP network and you have two different
providers (you''re using BGP or similar), then you could consider
marking
the packets
(fwmark) based on outgoing interface, and perform traffic control based
on this mechanism.

These are just some thoughts based on how I interpret your description
of your network.

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Aron,

I do not understand your network.  In a prior note, I thought I understood
that you had multiple serial (T1) interfaces.  If you have multiple
interfaces, then your statement about having "one physical WAN
interface"
is misleading.  You may have only one T1 card (physical device), with
several logical interfaces (for example, wan0, wan1 ...), which is not an
uncommon configuration.

Anyway, I don''t understand your network, so cannot help.  Please give
"ip
addr" and a small ASCII netmap.

 : The scenario I am working on is the second one - there is one internal
 : network and two ISPs.

Then you have two WAN interfaces?

 : How can I do fwmark based on the outgoing interface?

  iptables -t mangle -A POSTROUTING -o wan0 -j MARK --set-mark $wan0_mark
  iptables -t mangle -A POSTROUTING -o wan1 -j MARK --set-mark $wan1_mark

 : Remember that there is just one physical WAN interface, with two IP
 : addresses. Is it possible to fwmark somehow based on the routing
 : decision?

I''m not sure.  Maybe somebody else can pick up that question. 
It''s
certainly possible to use -j ROUTE based on the fwmark, though [0].  I
don''t really think that will be required in your situation, but I
won''t
know until I understand your network better.

Best of luck,

-Martin

 [0] http://netfilter.gnumonks.org/documentation/pomlist/pom-extra.html#ROUTE

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/