similar to: QoS and IPSec...

Displaying 20 results from an estimated 9000 matches similar to: "QoS and IPSec..."

2004 Sep 17
2
interesting expert problem - shaping over VPN
Here's a challenging problem for you experts to tackle: I'm trying to shape traffic going into an IPSEC interface which then goes over a DSL PPPoE interface. I figure I need to shape the DSL interface to keep its hardware queue mostly empty, and to
2004 Sep 03
3
traffic queueing and ipsec vpn
Hi all, I've been reading the lartc howto, I'm new to traffic shaping/policing. As far as I read (chapter 9 complete) I saw that first the packet passes at the ingress qdisc, then it passes to the IP stack if the packet is directed to the box or it's forwarded (is my case), then it falls to the egress classifier/s. Now, I understand if I have an ipsec vpn at the outside interface, the egress
2002 Mar 11
2
force Samba bind to internal IP only
Hello everybody, We need to configure Samba (recent cvs) on our Linux (SuSE 7.2) box (iptables/FreeSwan) acting as firewall, router and VPN gateway. Whenever nmbd or smbclient try to connect to our Samba PDC (WINS ok, IP 192.168.0.5) packets are sent with a source address of the external interface x.y.46.70 and will of course be blocked by iptables and never be routable to subnet 192.168.0.0 . I
2007 Jan 22
2
routing in tunnel mode
Hello, Looking here http://www.ipsec-howto.org/x299.html I've set up a vpn in transport mode with two linux boxes. I'm now trying to set it up in tunnel mode. After using the example keys, trying to ping, it doesn't work because the route network isn't routable. This mention is in the howto "If you tunnel is not working, please check your routing.
2003 Jun 30
2
Samba as PDC across multiple physical sites
Does anyone have Samba set up to provide file, print, and authentication services across multiple physical sites? We're thinking of setting up a DSL-based VPN with Samba servers at each location, but we'd want to keep the user accounts and data synchronized between sites. Thanks, Chris
2006 Feb 01
5
failover routing
Hi Guys, I would just like to have advice and pointers of the best way would be, Something like BGP or OSPF? I have 2 internet connections at different locations. let's say connection A and B 1.) router A has a fast internet connection and a separate interface for clients using /lan/pppoe/ipsec etc and another ethernet interface going to router B 2.) router B has similar setup as router A and
2005 Feb 08
15
Few questions
Hi, I have a few problems with my shorewall configuration. First of all, the option maclist seems not to be recognized. I have this: ghostwheel /etc/shorewall # cat interfaces | grep -v '^#' - eth1 detect dhcp,tcpflags,routefilter loc eth0 detect tcpflags,maclist When I look at shorewall-init.log, I found out:
2004 Mar 05
4
Wondershaper breaks IPSec tunnels
Hello, been awhile since I've written. I now have a situation where I get to use traffic shaping for a client. We implemented the WonderShaper script on our own firewall and experienced no problems. I made some modifications to it to add IPSec protocol packets into the 1:10 high priority class using the u32 filter. So far on our
2006 Aug 14
1
Configure / enable xenbr1 on SLES10 base system
Hi, We have configured several xen guest OSes on a server running SLES10. The physical server is a Sun 4200 with 3 NICs installed, configured, and working. Each of the xen guest OSes have three virtual nics, configured for RAC, Interconnect, and public IPs as follows; eth0 - public (routable and registered in DNS) eth1 - private (not routable, uses a separate network subnet for
2006 Nov 21
7
VPN Solution
Greetings List Members, I'll firstly apologise if this isn't the place that I should be posting this message but here goes. What I want to do is have a VPN (PPTP/IPSEC/CIPE/etc) server, but it must support more than one simultaneous connection. I currently have a PPTP VPN server setup that has port 1723 and protocol 47 DNAT'd through to the internal IP
2006 Jun 26
4
Sanity Check
Hi all. I need a sanity check. I'm trying to setup my network to handle VoIP. I'm thinking that all I need to do is prioritize the realtime traffic above the interactive and bulk traffic. I see so much discussion about traffic shaping, but I don't THINK this is needed, right? I understand the problem with bandwidth starvation, but for my application, the voip
2006 Sep 11
1
simple question
Hello everybody, I'm trying to set up netem on a SuSE box (kernel 2.6.16), but I'm having some weird problems, considering that on my Gentoo laptop (kernel 2.6.17) it worked fine. If I write: # tc qdisc add dev eth0 root netem delay 20ms loss 20% and then try pinging another machine over eth0, I get a 24ms delay but no packet loss (while on my laptop I get 21ms and a correct
2003 Jan 13
4
DMZ hosts gateway
Hi everyone, I have a question regarding the default gateway for hosts on DMZ zone. I moved servers from parallel to the DMZ (outside the firewall, directly connected to I-net) to inside DMZ. The default gw for these servers was the DSL router(bridge) of my ISP. What should be the default gw (for the hosts inside the DMZ), when hosts are inside the DMZ now - still the DSL router (external
2004 Mar 02
3
how do you rate limit routable traffic without rate limiting LAN protocols like arps and igmp?
I'm rate limiting and prioritizing traffic upstream of a slow wan link using htb, classic wonder shaper type stuff. I'm using the following command for traffic that does not match any of my defined filters: tc qdisc add dev eth0 root handle 1: htb default 50 It appears that local, non-routable traffic like arps and igmp are being snared by this and end-up queued in the lowest
2005 Feb 05
13
Problem while trying to set up an ipsec vpn
Hi, I'm asking my question here, because I could not find any answer to my problem, but I'm afraid shorewall is not the one to blame. First of all I'm using shorewall version 2.0.15 on two linux boxes. I set up an ipsec tunnel between those 2 boxes to be able to connect 2 not routable subnetworks. Here is my network topology: 10.66.17.0/24 - 10.66.17.1 = eth0
2009 May 07
3
QoS & VPN
I've got multiple satellite office all linked back to the main office via VPN. Each office has their own asterisk server which registers back to the main office's Asterisk server. Each office also has a 1Mb downstream / 384k - 768k upstream connection. The branches are using Speex for their connections back to the main office. The issue I'm having is that there are times that
2004 Sep 08
3
Help! VLAN tagged traffic not shaping :-(
Hello, I have a linux box sitting between (and bridging/firewalling) 2 LAN segments. I'm using Bridge/Netfilter/IMQ/tc(htb) to control (shape) mail/web traffic that traverses the 2 networks. The networks also have some VLAN tagged traffic flying around. My linux box behaves OK with VLAN traffic except that the shaping doesn't seem to work. Normal http shapes alright but as soon
2007 Dec 31
16
Firewall frustration
Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables.... Maybe Shoreline with webmin.... Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the
2006 Nov 03
5
qos inside ipsec tunnel
Hello everybody. I would like to do some kind of shaping inside an ipsec tunnel implemented by Openswan and linux 2.6.18.x with xfrm (no KLIPS): for example, to limit outbound smtp traffic inside the tunnel. Question: where should I attach the qdisc to? Eth0? I'm asking this, because tcpdump only sees the ESP packet on the eth0 and not the 'clear' packet. TIA This is my
2005 Jan 22
3
DNAT, NAT or ProxyARP?
Hello Shorewall gurus, I have a dilemma with a public server. I want to migrate the current public server over to a new machine behind the current server's firewall (shorewall 1.4). I have included a diagram below to help explain the target network I am working toward. I have read the shorewall online documentation and though I have used Shorewall the past 4 years in the current