Indunil Jayasooriya
2007-Aug-02  09:18 UTC
[CentOS] Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
Hi,

We have a 256 kbit/s (kilobits per second) link to the internet. It is a router running Linux that belongs to our ISP. They have given us 8 internet IPs (i.e. the subnet is 255.255.255.248). One has been given to this router. I have given another internet IP to the firewall running CentOS 4.5. iptables is running on it. And also, I have installed the iproute2 pkg as well. Please see below for the installed pkgs.

[root@firebox ~]# rpm -qa |grep iptables
iptables-1.2.11-3.1.RHEL4
[root@firebox ~]# rpm -qa |grep iproute
iproute-2.6.9-3.EL4.3.centos4

This firewall has 3 ethernet cards at the moment. One is connected to the router, one is connected to our DMZ zone, and one is connected to LAN1.

These are the IPs of the firewall:

eth0 (internet) - 1.2.3.4/255.255.255.248 (please assume it; for security reasons, I will not give you the actual IP)
eth1 (DMZ Zone) - 192.168.100.254/255.255.255.0
eth2 (LAN1) - 192.168.101.254/255.255.255.0

Now, everyone in LAN1 has access to the internet (due to an SNAT rule).

Now, I want to install another ethernet card in this firewall. Then it would be eth3. eth3 will be as follows:

eth3 (LAN2) - 192.168.102.254/255.255.255.0

Now, I want to put about 5 people (5 PCs) behind this LAN2 and give internet access to them. But I do not want them to use my whole bandwidth (i.e. 256 kbit/s). Instead, I want to allocate 64 kbit/s (kilobits per second) to the people behind this LAN2 for their internet access.

Is it possible to achieve this task on a firewall running iptables and iproute2 (CentOS 4.5)?

If so, how can I do such a thing?

If I do such a thing, what will happen to the people behind LAN1? Will they get the whole 256 kbit/s as before, or will they get 256 kbit/s - 64 kbit/s for their internet access?

Hope to hear from you.

--
Thank you
Indunil Jayasooriya
Feizhou
2007-Aug-02  09:42 UTC
[CentOS] Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
> Is it possible to achieve this task on a firewall running iptables and
> iproute2 (CentOS 4.5)?
>
> If so, how can I do such a thing?
>
> If I do such a thing, what will happen to the people behind LAN1? Will
> they get the whole 256 kbit/s as before or will they get 256 kbit/s - 64
> kbit/s for their internet access?

Yes. Use firewall marks and tc. http://lartc.org/
John R Pierce
2007-Aug-02  15:45 UTC
[CentOS] Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
Indunil Jayasooriya wrote:
> Now, I want to put about 5 people (5 PCs) behind this LAN2 and give
> internet access to them. But I do not want them to use my whole bandwidth
> (i.e. 256 kbit/s). Instead, I want to allocate 64 kbit/s (kilobits per
> second) to the people behind this LAN2 for their internet access.

What if no one on LAN1 is using the net at the moment? Do you still want to restrict LAN2 to 64k? Why waste the bandwidth?

> Is it possible to achieve this task on a firewall running iptables and
> iproute2 (CentOS 4.5)?
>
> If so, how can I do such a thing?

The clues are in the LARTC HOWTO (Linux Advanced Routing and Traffic Control). What you want to do is generally known as 'traffic shaping'.

> If I do such a thing, what will happen to the people behind LAN1? Will
> they get the whole 256 kbit/s as before or will they get 256 kbit/s - 64
> kbit/s for their internet access?

You can't get 5 lbs of stuff in a 4 lb sack. :)

If you've allowed max 64k for one class of users, and they are actively using it, and your traffic shaping guarantees them that 64k, then there's only 192k left for anyone else.
Indunil Jayasooriya
2007-Aug-06  07:05 UTC
Re: Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
Hi,

Thanks for your script. I am still a newbie to this traffic control. I have only done policy routing with iproute2. I was thinking about how to write this script. You have already given a start.

I have been reading the below URLs.

http://lartc.org/howto/lartc.qdisc.classful.html
http://edseek.com/~jasonb/articles/traffic_shaping/linuxtc.html
http://tldp.org/HOWTO/Traffic-Control-HOWTO/index.html
http://edseek.com/~jasonb/articles/traffic_shaping/classes.html#qdiscex

But I still find it difficult to understand fully. Hey, shall we discuss the script you wrote below? I understand the below 4 rules. The last rule marks 192.168.102.0/24 traffic as 5.

> INTERFAZ_INT=eth0
> BAND=256
> BAND_CLIENTS=64
> iptables -t mangle -A PREROUTING -s 192.168.102.0/24 -j MARK --set-mark 0x5

But I do not understand the below rules. Shall we discuss them one by one?

> tc qdisc add dev $INTERFAZ_INT root handle 1 htb r2q 4

The above rule adds a qdisc to the internet interface. What are "r2q" and "4" there? I do not understand those two.

> tc class add dev $INTERFAZ_INT parent 1: classid 1:2 htb rate "$BAND"Kbit

FULL bandwidth with the above rule.

> tc class add dev $INTERFAZ_INT parent 1: classid 1:5 htb rate "$BAND_CLIENTS"Kbit

and 64 kbit with the above rule.

> tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10

What is this above rule? I do not understand it at all.

> tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 10 fw classid 1:5

I do not understand the above rule either. Hope to hear from you.

> Feel free to ask me what you wish.

THANKS for the above comment.

> Regards
> Paolo Malfatti

--
Thank you
Indunil Jayasooriya
Indunil Jayasooriya
2007-Aug-08  07:00 UTC
Re: Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
Hi Paolo Malfatti,

Thanks for your script. I tried it.

But I still cannot allocate 64 kbit for the LAN. We have a 256 kbit link. We usually download at around 30-33 kbytes per second. That means, when it comes to kbits, I will have to multiply it by 8, as 1 kbps = 8 kbit.

Please see below for the usual download rate, before applying your rules.
[root@worldnet wget]# wget http://mirrors.kernel.org/centos/5.0/isos/i386/CentOS-5.0-i386-bin-6of6.iso
--12:16:27--  http://mirrors.kernel.org/centos/5.0/isos/i386/CentOS-5.0-i386-bin-6of6.iso
           => `CentOS-5.0-i386-bin-6of6.iso.1'
Resolving mirrors.kernel.org... 204.152.191.7, 204.152.191.39
Connecting to mirrors.kernel.org|204.152.191.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 407,005,184 (388M) [application/x-iso9660-image]
 0% [                    ] 2,749,752     30.10K/s  ETA 4:43:0
Then, I applied your rules. Please see below.

INTERFAZ_INT=eth0
FULLBANDWIDTH=256
BANDWIDTH4LAN=64
iptables -t mangle -A PREROUTING -s 192.168.101.0/24 -j MARK --set-mark 0x5
tc qdisc add dev $INTERFAZ_INT root handle 1 htb r2q 4
tc class add dev $INTERFAZ_INT parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_INT parent 1: classid 1:5 htb rate "$BANDWIDTH4LAN"Kbit
tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10
tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 5 fw classid 1:5
Still no luck. After applying the rules, I downloaded a CentOS ISO image. But I can still download at the usual rate (i.e. 30-33 kbytes per second).

If your rules work, I will be able to download at about 8 kbytes per second (i.e. 8*8 kbit = 64 kbit). That is what I expect, isn't it?

Where have I gone wrong?
On 8/7/07, Pio Mendez <pio_mendez@hotmail.com> wrote:
>
> > What are r2q and 4 there? I do not understand those two.
>
> I recommend you to read this:
> http://luxik.cdi.cz/~devik/qos/htb/
>
> The r2q is a divisor used to calculate the quantum of htb (the amount of
> bytes that will be transmitted before serving another class: quantum = rate
> / r2q).
>
> > tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10
> > What is this above rule? I do not understand it at all.
>
> A must: http://lartc.org/howto/lartc.qdisc.html
>
> The classes do the shaping of traffic, but you need a queue manager to
> transmit it (qdisc rule). Here you will find an example of an HTB script:
> http://lartc.org/howto/lartc.qdisc.classful.html#AEN1072
>
> > tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 10 fw classid 1:5
> > I do not understand the above rule either.
>
> There is an error: the right filter rule is:
> tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 5 fw classid 1:5
>
> The filter rule filters the traffic and sends the matching packets to the
> right class.
> The iptables MARK rule marks the traffic before the SNAT. Later, after all
> iptables processing, the packets are filtered by this rule; if some packet
> matches the "handle 5" filter (packets marked with 5 by the iptables rule
> will match) then it will be shaped by the htb class to 64kbps.
>
> Hope this will help
> Regards
> Paolo Malfatti
-- 
Thank you
Indunil Jayasooriya
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
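Added example, written for this page; it is neither Paolo Malfatti's script nor the poster's configuration. It assumes eth0 is the ISP-facing interface and eth3 the LAN2 interface (192.168.102.0/24), that iptables and the iproute2 tc binary are installed, and that the "everyone else" class may borrow the whole 256 kbit/s link while LAN2 is idle but is guaranteed 192 kbit/s when LAN2 is busy; LAN2 gets rate == ceil == 64 kbit/s, so it can never borrow. It also covers the "where have I gone wrong" point above: a root qdisc on eth0 only queues packets leaving towards the ISP, i.e. LAN2's uploads. The ISO download enters on eth0 and leaves the firewall on the LAN interface, so the same HTB tree has to be installed there, and the mark has to be set in the mangle FORWARD chain for both directions. The htb_quantum helper shows the quantum = rate / r2q arithmetic Paolo describes and why r2q 4 was chosen: with the default r2q of 10 a 64 kbit class gets a quantum of 800 bytes, below the 1000-byte floor at which the kernel logs "quantum of class ... is small".

```shell
#!/bin/sh
# Added example (not the thread's script).  Assumed interface names:
# eth0 = ISP uplink, eth3 = LAN2.  Prints the commands by default;
# run as root with DRYRUN=0 to apply them.
set -eu

WAN=eth0            # uplink: an HTB tree here shapes LAN2's *uploads*
LAN2=eth3           # LAN2 side: an HTB tree here shapes LAN2's *downloads*
LINK_KBIT=256       # ISP link speed
LAN2_KBIT=64        # hard cap for LAN2 in each direction
OTHER_KBIT=$((LINK_KBIT - LAN2_KBIT))   # guaranteed to everyone else (192)
MARK=5              # fwmark that selects the LAN2 class
R2Q=4
DRYRUN=${DRYRUN:-1}

# In dry-run mode print each command instead of executing it.
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# HTB quantum in bytes = rate in bytes/s divided by r2q.  The kernel
# warns and clamps when the result is below 1000 or above 200000 bytes,
# which is why r2q is lowered from the default 10 to 4 for a 64 kbit class.
htb_quantum() {
    echo $(( $1 * 1000 / 8 / $2 ))
}

# Build one HTB tree on IFACE:
#   1:   root qdisc; unmatched traffic goes to class 1:2
#   1:1  the whole link, so the children share LINK_KBIT and never exceed it
#   1:2  everyone else: guaranteed OTHER_KBIT, may borrow up to the link
#   1:5  LAN2: rate == ceil == LAN2_KBIT, so it can never borrow
shape_egress() {
    IFACE=$1
    run tc qdisc del dev "$IFACE" root 2>/dev/null || true
    run tc qdisc add dev "$IFACE" root handle 1: htb default 2 r2q "$R2Q"
    run tc class add dev "$IFACE" parent 1: classid 1:1 htb \
        rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    run tc class add dev "$IFACE" parent 1:1 classid 1:2 htb \
        rate "${OTHER_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    run tc class add dev "$IFACE" parent 1:1 classid 1:5 htb \
        rate "${LAN2_KBIT}kbit" ceil "${LAN2_KBIT}kbit"
    # Fair queueing inside each class so one flow cannot starve the others.
    run tc qdisc add dev "$IFACE" parent 1:2 handle 2: sfq perturb 10
    run tc qdisc add dev "$IFACE" parent 1:5 handle 5: sfq perturb 10
    # 'handle N fw' matches packets whose nfmark equals N.
    run tc filter add dev "$IFACE" protocol ip parent 1: prio 1 \
        handle "$MARK" fw classid 1:5
}

# Mark both directions in the mangle FORWARD chain, which runs before the
# egress qdisc of either interface and after conntrack has un-NATed replies.
mark_lan2() {
    run iptables -t mangle -A FORWARD -i "$LAN2" -o "$WAN" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A FORWARD -i "$WAN" -o "$LAN2" -j MARK --set-mark "$MARK"
}

mark_lan2
shape_egress "$WAN"
shape_egress "$LAN2"
```

After applying with DRYRUN=0, `tc -s class show dev eth3` should show the byte counters of class 1:5 growing during a download from a LAN2 host while class 1:2 stays idle; if 1:5 stays at zero, the mark is not reaching the packets. Shaping the download on eth3 is indirect: the bytes have already crossed the ISP link, and the cap only holds because dropped or delayed packets make the remote TCP sender slow down, so expect the measured rate to settle a little under 8 kbyte/s rather than exactly at it.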