[LARTC] question about traffic control
Hi,

I have the following situation:

1 gateway box with 2 WAN interfaces (eth1 and eth2).
1 LAN interface eth0
default gateway is eth2

I want to route all traffic with destination protocol tcp 22 (ssh) NOT over the default gateway eth2 but force it to find its route over eth1.
All other traffic must go the normal way over eth2.

Is this possible with tc or another tool?

--
Thanks in Advance,
Michiel

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] Proxy ARP and UDP
Woops - my fat fingers hit the send key before I could put in a subject a minute ago.

Hello - I am using kernel 2.4.27 and running into behavior I don't know how to explain.

I have 2 relevant interfaces. eth0 is external, eth1 is internal. My internal LAN is 10.10.10.0/24. My External range is 1.2.3.0/27 (dummied up). I have an H.323 videoconference device inside my internal LAN, but at IP Address 1.2.3.11/27. (IP Address dummied up.) I want to proxy ARP this device. Both eth0 and eth1 on my firewall have IP Addresses 1.2.3.2/27. eth1 also has IP Address 10.10.10.1/24 and is the default gateway for all my internal hosts. The router outside my firewall is 1.2.3.1.

So the network looks like this (apologies if email butchers my ASCII art):

    10.10.10.0/27                              1.2.3.0/27
    10.10.10.n internal hosts
          |
          +-----------+-----------+          +--------+---- to the Internet
          |                       |          |
    Proxied                   Firewall     Router
    H.323 device         eth1        eth0
    1.2.3.11        10.10.10.1     1.2.3.2    1.2.3.1
                       1.2.3.2

/proc/sys/net/ipv4/conf/eth0/proxy_arp is 1.
/proc/sys/net/ipv4/conf/eth1/proxy_arp is 1.
My firewall has a route to 1.2.3.11 dev eth1.
The host at 1.2.3.11 has a default GW of 1.2.3.1.

This is where it gets weird. The H.323 device should exchange a few TCP packets with the far end and then thousands of UDP packets. And I should see this stream on the firewall watching both interfaces. I run tcpdump in two different windows on the firewall - one for eth1, the other for eth0.

When I initiate an outbound H.323 call from the device at .11, tcpdump on the firewall shows TCP packets flying on eth1, but nothing on eth0 - almost all the time. Calls don't complete most of the time, although one call kind of completed. Watching on the firewall, I saw a TCP conversation on eth1, but nothing on eth0. Very strange!

One time a call completed all the way and UDP started flying - as it should. I saw a few UDP packets on eth0 and lots (thousands) of UDP packets on eth1. For the call that really completed, I would expect to see thousands of UDP packets on both eth0 and eth1 - but instead saw only a few on eth0.

This behavior happens even with no firewall filtering rules in place. My NATed 10.10.10.nn internal hosts work fine - in fact, my email server posting this item to the list is one of those hosts.

The obvious question - why such an old kernel? Because it's worked for everything I need so far and every 2.6.nn I try has other bugs with one module or another.

My questions:
- was proxy ARP broken in the 2.4.27 days?
- Why doesn't tcpdump show me packets on both interfaces of the firewall?
- Am I missing a setup ingredient someplace?
- Should the default GW on that H.323 device be .2 (the firewall) or .1 (the Internet router)?
- Does mixing NAT and proxy ARP create problems?
- Should I put the H.323 device in its own little DMZ?

Thanks

- Greg Scott
[LARTC] calculating burst for TBF
I'm using tc from iproute-2.6.15 with a 2.6.12 kernel.

I was testing the effects of the burst parameter in a tbf qdisc. Basically, I was testing this statement from the tc-tbf(8) manpage:

    If your buffer is too small, packets may be dropped because more tokens
    arrive per timer tick than fit in your bucket. The minimum buffer size
    can be calculated by dividing the rate by HZ.

So, for a 200kbit rate on intel, this would yield me a minimum burst of 2000bits, or 250 bytes. I then do this:

    tc qdisc add dev eth0 handle 1: root tbf latency 50ms burst 250b rate 200kbit

but all packets are dropped. I then raise burst to 300b, 400b, even 900b and it is still not working. It only starts working when I raise it to 2000b. Which, besides being the wrong unit (bits versus bytes), is the result of the rate/HZ calculation.

The tc(8) manpage says that b or a bare number = bytes, but it seems this parameter ends up being bits? If not, what is wrong then?
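An added example, not part of the post above: it turns the rate/HZ rule from tc-tbf(8) into a function and also applies the other limit tbf imposes, which is that the bucket has to hold at least one full-size packet, because tbf drops any packet larger than its burst. That is why a burst below the interface MTU passes nothing, whatever unit it is written in. HZ and MTU are assumed inputs (100 and 1500 here); DRY_RUN=1, the default, prints the tc command instead of running it.

```shell
#!/bin/sh
# Added example (not from the post): choose a tbf burst that satisfies both
# the rate/HZ rule from tc-tbf(8) and the MTU, then emit the tc command.
# Assumptions not in the post: HZ and MTU are supplied by the caller;
# DRY_RUN=1 (the default) prints commands instead of executing them.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tc rate syntax to bits per second ("200kbit", "10mbit", "2000bit"; a bare
# number is bits per second for rates). Byte units (bps, kbps) are not handled.
rate_to_bps() {
    case "$1" in
        *kbit) echo $(( ${1%kbit} * 1000 )) ;;
        *mbit) echo $(( ${1%mbit} * 1000000 )) ;;
        *bit)  echo "${1%bit}" ;;
        *)     echo "$1" ;;
    esac
}

# Minimum burst in BYTES: the larger of rate/HZ/8 (tokens that arrive per
# timer tick) and the MTU (tbf refuses packets bigger than its bucket, so a
# 250-byte bucket can never pass a 1500-byte frame).
tbf_min_burst() {   # args: rate hz mtu
    rate_bps=$(rate_to_bps "$1"); hz=$2; mtu=$3
    per_tick=$(( rate_bps / hz / 8 ))
    if [ "$per_tick" -gt "$mtu" ]; then echo "$per_tick"; else echo "$mtu"; fi
}

# Install (or print) a tbf root qdisc whose burst is safe for this link.
# "b" is the tc(8) size suffix for bytes.
tbf_setup() {   # args: dev rate [hz] [mtu]
    dev=$1; rate=$2; hz=${3:-100}; mtu=${4:-1500}
    burst=$(tbf_min_burst "$rate" "$hz" "$mtu")
    run tc qdisc add dev "$dev" handle 1: root tbf rate "$rate" burst "${burst}b" latency 50ms
}

tbf_setup eth0 200kbit 100 1500
```

After applying it for real (DRY_RUN=0), `tc -s qdisc show dev eth0` shows the dropped counter; it should stay at zero once burst is at or above the MTU.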
Re: [LARTC] question about traffic control
On Monday 20 February 2006 13:54, Michiel van Es wrote:
> Hi,
> I have the following situation:
> 1 gateway box with 2 WAN interfaces (eth1 and eth2).
> 1 LAN interface eth0
> default gateway is eth2
> I want to route all traffic with destination protocol tcp 22 (ssh) NOT over the default gateway eth2 but force it to find its route over eth1.
> All other traffic must go the normal way over eth2.
> Is this possible with tc or another tool?

Yes, with iproute and a little help from iptables for selecting which packets to route differently. Look at http://www.linuxguruz.com/iptables/howto/2.4routing-11.html

and please, don't send html mails to mailing lists.

Markus Schulz
[LARTC] dual wan, dual router, one machine behind, route from both to / from one machine
i apologize if this has been asked before, but things are too busy to preclude a full search of the list.

i have both cable and dsl from the local providers here. due to wiring issues here, i've been forced to put the cable modem in one end of the house and the dsl modem in the other. the cable modem is firewalled off by a cisco pix 501 (192.168.2.12). the dsl modem is firewalled off by a 4 year old linksys dsl / cable router (192.168.2.1). behind the whole mess i have several PCs and a linksys wrt54gs running openwrt (192.168.2.3).

if i set both 192.168.2.1 and 192.168.2.12 to forward ssh to 192.168.2.3 (the wrt54gs running openwrt) and install iproute2 on the 54gs, what can i do to make sure that ssh coming in from the cable modem gets routed out the cable modem and ssh coming in from the dsl modem gets routed out the dsl modem? i tried setting up multiple default routes and (for some reason unknown to me) that worked exactly once, but then i did a power-off test of the config and it never worked since.

assume i might be connecting over both routes from one random IP on the internet at any random time. doing that would allow me to harness the full and combined uplink capability of both lines.

i know one solution would be to buy another wrt54gs and run openwrt on it, but i've looked all over town and no one has any of the old linux-friendly hardware versions still. they all have the new versions that run only vxworks.

thanks,
michael
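The thread carries no answer to this one. As an added example (not from the post, and not something tested on OpenWrt), one way to do it with iproute2 and iptables on a box whose two upstream routers sit on the same LAN interface: there is no incoming interface to key on, so each new inbound connection is tagged in conntrack with the MAC address of the router that delivered it, and the locally generated replies get that tag back in mangle OUTPUT, which makes the kernel re-route them through a per-router table. The LAN interface name and both router MACs are placeholders, and the routers are assumed to pass the real Internet source address through; DRY_RUN=1, the default, prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the post): on a host with ONE LAN interface and two
# upstream routers on that LAN, send replies to an inbound ssh connection back
# through whichever router delivered it. Assumptions not in the post: the
# routers forward ssh without rewriting the Internet source address, and the
# placeholder interface and MAC addresses below are replaced with real ones.
# DRY_RUN=1 (the default) prints each command instead of executing it.

LAN_IF=eth0                                          # assumption: wrt54gs LAN side
CABLE_GW=192.168.2.12; CABLE_MAC=00:00:00:00:00:01   # pix 501, placeholder MAC
DSL_GW=192.168.2.1;    DSL_MAC=00:00:00:00:00:02     # linksys, placeholder MAC
CABLE_TABLE=1; DSL_TABLE=2                           # table id doubles as fwmark

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per router, holding nothing but a default route, selected
# by a fwmark equal to the table number.
add_gateway_table() {   # args: table/mark gateway
    run ip route add default via "$2" dev "$LAN_IF" table "$1"
    run ip rule add fwmark "$1" table "$1"
}

# Record which router a NEW inbound connection came from (by its source MAC)
# in the connection mark.
mark_by_source_router() {   # args: mark router-mac
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$2" \
        -m state --state NEW -j CONNMARK --set-mark "$1"
}

inbound_policy_routing() {
    # Later packets of a known connection get the saved mark back first ...
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    mark_by_source_router "$CABLE_TABLE" "$CABLE_MAC"
    mark_by_source_router "$DSL_TABLE" "$DSL_MAC"
    # ... and so do the locally generated replies, which is what steers them:
    # a mark set in mangle OUTPUT makes the kernel repeat the route lookup.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    add_gateway_table "$CABLE_TABLE" "$CABLE_GW"
    add_gateway_table "$DSL_TABLE" "$DSL_GW"
    run ip route flush cache
}

inbound_policy_routing
```

Because both routers are reached through the same interface, rp_filter does not get in the way here: the reverse path for any Internet source is that one interface whichever table is consulted. The router MACs can be read from `ip neigh show` after pinging each gateway.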
Re: [LARTC] question about traffic control
Michiel,

: I have the following situation:
: 1 gateway box with 2 WAN interfaces (eth1 and eth2).
: 1 LAN interface eth0
: default gateway is eth2
: I want to route all traffic with destination protocol tcp 22 (ssh) NOT
: over the default gateway eth2 but force it to find its route over
: eth1.
: All other traffic must go the normal way over eth2.
:
: Is this possible with tc or another tool?

You already have an answer from Markus Schulz, but I thought I might add a bit of help, too.

You are describing a problem that can be solved with policy routing. Linux has long supported policy routing. Although I have not updated my documentation in quite some time, you may find this document [0] helpful in untangling the possible configurations to support policy routing.

In short, one solution involves:

  - [optional] making an entry in the /etc/iproute2/rt_tables file

      grep -q secondary /etc/iproute2/rt_tables \
        || echo 3 secondary >> /etc/iproute2/rt_tables

  - adding a routing table with its default route pointed out eth1

      ip route add default via $ETH1_GW dev eth1 table secondary

  - marking the traffic you wish to handle differently

      iptables [ ... selectors ... ] -j MARK --set-mark 3

  - modifying the RPDB to select your secondary routing table for traffic with fwmark 3

      ip rule add fwmark 3 table secondary

That should get you most of the way there. Remember a few additional tips which often stump beginners with policy routing:

  - Think about the return packets. Are they handled according to your plan?
  - Turn off reverse path filtering (rp_filter) [1]
  - Make sure your (S)NAT rules are correct for packets leaving via eth1 (the other interface).

Good luck,

-Martin

[0] http://linux-ip.net/html/adv-multi-internet.html
[1] http://ipsysctl-tutorial.frozentux.net/chunkyhtml/theconfvariables.html#AEN634

--
Martin A. Brown --- Wonderfrog Enterprises --- [EMAIL PROTECTED]
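An added example that carries out the four steps and the three tips in the reply above as one script; it is not code from the thread. The eth1 next hop is a placeholder, the gateway is assumed to masquerade whatever it sends out eth1, and only packets addressed to port 22 are marked: replies carry 22 as the source port, so they are routed by the main table, which already knows the way back to the LAN. DRY_RUN=1, the default, prints the commands instead of running them.

```shell
#!/bin/sh
# Added example following the steps in the reply; not code from the thread.
# Assumptions not in the thread: ETH1_GW is a placeholder next hop, the gateway
# masquerades traffic leaving eth1, and DRY_RUN=1 (the default) prints commands
# instead of running them.

ETH1_GW=198.51.100.1     # placeholder: next hop on the eth1 WAN link
MARK=3
TABLE=secondary

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 (optional): let "table secondary" stand for table 3.
name_table() {
    grep -qs "^$MARK $TABLE\$" /etc/iproute2/rt_tables \
        || run sh -c "echo '$MARK $TABLE' >> /etc/iproute2/rt_tables"
}

# Step 2: a table whose only entry is a default route out eth1.
add_secondary_table() {
    run ip route add default via "$ETH1_GW" dev eth1 table "$TABLE"
}

# Step 3: mark ssh. PREROUTING (restricted to the LAN side, so ssh arriving on
# the WAN links for the gateway itself is left alone) catches forwarded
# traffic; OUTPUT catches the gateway's own ssh clients.
mark_ssh() {
    run iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 22 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark "$MARK"
}

# Step 4: the RPDB rule that sends marked packets to the secondary table.
add_rule() {
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# The tips: replies arrive on eth1 although the main table says their source is
# reachable via eth2, so rp_filter on eth1 would drop them; and whatever now
# leaves via eth1 must carry eth1's address, which MASQUERADE arranges for
# forwarded and locally generated connections alike.
fix_return_path() {
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter"
    run iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
}

route_ssh_via_eth1() {
    name_table
    add_secondary_table
    mark_ssh
    add_rule
    fix_return_path
    run ip route flush cache
}

route_ssh_via_eth1
```

To confirm the rule set is consulted, `ip route get <ssh-server> mark 3` should answer with eth1, while the same lookup without the mark answers with eth2.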
Re: [LARTC] Proxy ARP and UDP
Greg Scott wrote:
> I have 2 relevant interfaces. eth0 is external, eth1 is internal. My
> internal LAN is 10.10.10.0/24. My External range is 1.2.3.0/27 (dummied
> up). I have an H.323 videoconference device inside my internal LAN, but
> at IP Address 1.2.3.11/27. (IP Address dummied up.) I want to proxy ARP
> this device.
>
> My questions - was proxy ARP broken in the 2.4.27 days? Why doesn't
> tcpdump show me packets on both interfaces of the firewall? Am I missing
> a setup ingredient someplace? Should the default GW on that H.323 device
> be .2 (the firewall) or .1 (the Internet router)? Does mixing NAT and
> proxy ARP create problems? Should I put the H.323 device in its own
> little DMZ?
>
> Thanks
> - Greg Scott

No, not broken; proxy ARP works fine in 2.4.25 - .32.

You should have a look at Martin Brown's proxy ARP script
http://yesican.chsoft.biz/lartc/proxy-arp.sh
and its config file
http://yesican.chsoft.biz/lartc/proxy-arp.conf
but I bet the problem is rp_filter.

--
gypsy
[LARTC] HTB, strange capacity distribution
Hello,

after spending several hours reading archives, I decided to write a new post.

I successfully set up packet classification, made some basic HTB setup, made some simple graphical representation from HTB statistics data... BUT, I cannot figure out how to refine HTB to get this behaviour:

I need that class p2p should be the last one to get some link capacity. If I set both RATE and CEIL for p2p to some constant value, everything is OK. When I set CEIL for p2p e.g. to 2048 kbps (total link capacity), p2p starts to get most of the link capacity and does not want to give capacity to other classes with higher priorities!

I made a screen to help explain my problem. Please, see this picture:
http://elusion.sk/visual_inet_hory.png

Point A - p2p class (red line) has both RATE and CEIL set to a fixed value. I started a download from the web to fill the www class. You can see, www got the remaining link capacity, p2p without a change - all as expected.

Point B - I reset CEIL of the p2p class to 2048 kbit (to use the rest of the capacity unused by other classes with higher priorities, up to link capacity)

Point C - I started the same download from the web as in Point A and this is the PROBLEM. You can see that p2p lowered a bit, and the www class got some capacity. What I expect is that the www class gets most of the link capacity and the p2p class will fall to its RATE, because the http class has higher priority than p2p

Point D - CEIL of p2p reset to a fixed value

Point E - I tried the same download from the web just to be sure it works.

This is my HTB config (using latest htb-init script):

  root:          RATE=100Mbit
  ( local traffic: RATE=50Mbit  CEIL=100Mbit  PRIO=0 )
  ctrl class:    RATE=64kbit   CEIL=256kbit   PRIO=1
  other class:   RATE=128kbit  CEIL=768kbit   PRIO=2
  www class:     RATE=512kbit  CEIL=2048kbit  PRIO=3
  p2p class:     RATE=386kbit  CEIL=386kbit (or 2048, for Points B and C in the figure above)  PRIO=4

All I want to set up is: if class www with prio 3 gets fully utilized (I start 10 http downloads at the same time), I expect the p2p class with prio 4 to fall down to its RATE 386 kbit - to free capacity for the www class. In other words: I expect www to overrule p2p (p2p still getting its RATE).

Can someone help to explain this? Maybe I did not get the purpose of the PRIO setting, not sure.

Help, please

Best Regards,
B. Gereg
Re: [LARTC] HTB, strange capacity distribution
On Mon, Feb 20, 2006 at 10:59:33PM +0100, Boris Gereg wrote:
> I made a screen to help explain my problem. Please, see this picture:
> http://elusion.sk/visual_inet_hory.png

Nice graph. I assume this is on downstream, and you rely on HTB to drop packets for you. You may have read this in the archives already - it's much harder to shape downstream than upstream, because you can't really influence what the other side is sending you. So no matter what you do it's probably hard to get near-optimal results.

> This is my HTB config (using latest htb-init script):

I must admit I'm not familiar with htb-init. What are the parent-child relationships here? I'm missing the internet parent class that groups all the other traffic (except local) together. Does htb-init generate that on its own somehow?

If not, chances are your HTB tree is just exceeding your line capacity in general, as all classes are allowed to borrow without limit, rendering the prio setting ineffective, leading to random results.

Could you post the output of 'tc -d qdisc/class show dev $DEVICE'?

Regards,
Andreas Klauer
RE: [LARTC] Proxy ARP and UDP
H - I turned off rp_filter (echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter - and eth1) and ran several test calls. It all worked. But I still don't understand why I see less than 1 percent of the packets on the eth0 interface with tcpdump.

- Greg

> but I bet the problem is rp_filter.
> --
> gypsy
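An added example, not Greg's own configuration, that gathers the proxy-ARP pieces from this thread into one script: proxy_arp on both interfaces, the /32 host route toward the inside, forwarding, and the rp_filter setting gypsy suspected, together with a function that prints what /proc actually holds so the setup is verified rather than assumed. Per-interface sysctls live under /proc/sys/net/ipv4/conf/<if>/; the addresses are the dummied-up ones from the thread. DRY_RUN=1, the default, prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not Greg's configuration): proxy-ARP a public address that
# lives on the inside interface, switch off rp_filter, and report the result.
# Addresses are the dummied-up ones from the thread. DRY_RUN=1 (the default)
# prints commands instead of executing them.

EXT_IF=eth0; INT_IF=eth1
PROXIED=1.2.3.11                 # the H.323 device, on the inside
IPV4_CONF=/proc/sys/net/ipv4/conf

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Per-interface sysctls live under conf/<if>/, not directly under ipv4/.
set_if_sysctl() {   # args: interface key value
    run sh -c "echo $3 > $IPV4_CONF/$1/$2"
}

proxy_arp_setup() {
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
    for dev in "$EXT_IF" "$INT_IF"; do
        set_if_sysctl "$dev" proxy_arp 1     # answer ARP for the device on both sides
        set_if_sysctl "$dev" rp_filter 0
    done
    # Newer kernels take the larger of all/ and the per-interface value, so
    # clearing only conf/ethN/rp_filter is not enough there.
    set_if_sysctl all rp_filter 0
    # The /32 beats the 1.2.3.0/27 connected route on eth0, so traffic for the
    # device is forwarded out eth1 instead of being ARPed for on eth0.
    run ip route add "$PROXIED/32" dev "$INT_IF"
}

# Print the effective sysctl values and the route the kernel picks for the
# proxied host.
show_state() {
    for dev in all "$EXT_IF" "$INT_IF"; do
        for key in proxy_arp rp_filter; do
            f=$IPV4_CONF/$dev/$key
            if [ -r "$f" ]; then printf '%s = %s\n' "$f" "$(cat "$f")"; fi
        done
    done
    ip route get "$PROXIED" 2>/dev/null || true
}

proxy_arp_setup
show_state
```

The definitive test of the ARP half is on the outside: `tcpdump -ni eth0 arp` while the router asks "who-has 1.2.3.11" should show the firewall answering with its own eth0 MAC.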
Re: [LARTC] HTB, strange capacity distribution
On Tue, Feb 21, 2006 at 12:49:59AM +0100, Boris Gereg wrote:
> (first of all, please, how to reply to some article in LARTC via mail to post it into the right thread?)

Using 'reply all', or 'reply list' if your mail software offers it. If all else fails, just hit 'reply' and add the mailing list to CC.

> So, I am definitely shaping outgoing traffic (upstream)

Yes, outgoing traffic from router to your network, which actually contains the downstream traffic from the internet. Right?

> tc -d class show dev eth0
> class htb 1:2 root rate 10Kbit ceil 10Kbit burst 51587b/8 mpu 0b overhead 0b cburst 51587b/8 mpu 0b overhead 0b level 7
> class htb 1:2000 parent 1:2 leaf 2000: prio 0 quantum 20 rate 5Kbit ceil 10Kbit burst 26593b/8 mpu 0b overhead 0b cburst 51587b/8 mpu 0b overhead 0b level 0
> class htb 1:3010 parent 1:2 leaf 3010: prio 1 quantum 1000 rate 64000bit ceil 256000bit burst 1631b/8 mpu 0b overhead 0b cburst 1727b/8 mpu 0b overhead 0b level 0
> class htb 1:3020 parent 1:2 leaf 3020: prio 2 quantum 1600 rate 128000bit ceil 768000bit burst 1663b/8 mpu 0b overhead 0b cburst 1983b/8 mpu 0b overhead 0b level 0
> class htb 1:3030 parent 1:2 leaf 3030: prio 3 quantum 6400 rate 512000bit ceil 2048Kbit burst 1855b/8 mpu 0b overhead 0b cburst 2623b/8 mpu 0b overhead 0b level 0
> class htb 1:5040 parent 1:2 leaf 5040: prio 4 quantum 4825 rate 386000bit ceil 386000bit burst 1792b/8 mpu 0b overhead 0b cburst 1792b/8 mpu 0b overhead 0b level 0

It's as I suspected, your current HTB tree looks like this:

  1: HTB Qdisc
  |
  \--- 1:2 HTB root class (10Kbit:10kbit)
       |
       \--- 1:2000 HTB leaf class (5Kbit:10Kbit)
       \--- 1:3010 HTB leaf class (64000bit:256000bit)
       \--- 1:3020 HTB leaf class (128000bit:768000bit)
       \--- 1:3030 HTB leaf class (512000bit:2048Kbit)
       \--- 1:5040 HTB leaf class (386000bit:386000bit)

HTB classes borrow from their parent; in this setup, the parent class offers a whopping 10Kbit for that purpose.

Unless the 1:2000 class has got a very high priority and is maxing out the line all the time, there is no limit to borrowing at all, because the other classes will never reach the 10Kbit from their parent.

So the classes above are actually not limited by their rate, but by their ceil; the only class that will respect its rate in this setup is 1:5040, because it's got the same rate and ceil. Assuming that 1:5040 was your P2P class, if you set the ceil of this class to 2048Kbit, it will (try to) use 2048Kbit at all times, because the parent (thinks it) is able to offer it.

You need a class that knows of your total internet bandwidth somewhere. Assuming that it is 2048Kbit, your tree should maybe look more like this:

  1: HTB Qdisc
  |
  \--- 1:2 HTB root class (10Kbit:10kbit)
       |
       \--- 1:2000 HTB leaf class (5Kbit:10Kbit)
       |
       \--- 1:3000 HTB parent class (2048Kbit:2048Kbit)
            |
            \--- 1:3010 HTB leaf class (64000bit:256000bit)
            \--- 1:3020 HTB leaf class (128000bit:768000bit)
            \--- 1:3030 HTB leaf class (512000bit:2048Kbit)
            \--- 1:5040 HTB leaf class (386000bit:386000bit)

In this setup, the 2048Kbit class is the limiting factor for the leaf classes, except for the 1:2000 class, which should be used for local LAN traffic only.

HTH
Andreas Klauer
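An added example that builds the tree proposed above with plain tc commands rather than htb-init; it is not the poster's configuration. Within 1:3000, spare capacity is offered to the lower prio number first, so once every leaf has its guaranteed rate, www (prio 3) gets the excess before p2p (prio 4), which is the behaviour asked for; that contract only holds if the leaves' rates add up to no more than the parent's, which the script checks before installing anything. Assumptions not in the thread: the device is eth0, the root carries the LAN's 100mbit as the original post stated, classification is by fwmark (the fw handles are placeholders for existing iptables MARK rules), and DRY_RUN=1, the default, prints the commands instead of running them.

```shell
#!/bin/sh
# Added example installing the tree proposed in the reply; not the poster's
# htb-init configuration. Assumptions not in the thread: device eth0, fwmark
# classification with placeholder marks 1-4, 100mbit at the root as the
# original post stated, and DRY_RUN=1 (the default) printing the tc commands
# instead of running them.

DEV=eth0
LINK=2048kbit          # internet capacity; enforced by class 1:3000

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# HTB only honours prio among siblings if their guaranteed rates fit inside
# the parent's rate; otherwise the parent is oversubscribed and the outcome
# is whatever borrowing happens to produce.
rates_fit() {   # args: parent-rate-kbit child-rate-kbit...
    parent=$1; shift; total=0
    for r in "$@"; do total=$(( total + r )); done
    [ "$total" -le "$parent" ]
}

htb_class() {   # args: parent classid rate ceil prio
    run tc class add dev "$DEV" parent "$1" classid "$2" htb rate "$3" ceil "$4" prio "$5"
}

# A leaf gets an sfq qdisc so flows inside it share fairly, and a fw filter
# mapping the placeholder mark onto it.
htb_leaf() {    # args: parent classid rate ceil prio fwmark
    htb_class "$1" "$2" "$3" "$4" "$5"
    run tc qdisc add dev "$DEV" parent "$2" handle "${2#1:}:" sfq perturb 10
    run tc filter add dev "$DEV" parent 1: protocol ip handle "$6" fw flowid "$2"
}

build_tree() {
    run tc qdisc del dev "$DEV" root 2>/dev/null || true
    run tc qdisc add dev "$DEV" root handle 1: htb default 3020
    htb_class 1:     1:2    100mbit 100mbit 0          # LAN link speed
    htb_class 1:2    1:2000 50mbit  100mbit 0          # local traffic
    htb_class 1:2    1:3000 "$LINK" "$LINK" 0          # everything from the internet
    htb_leaf  1:3000 1:3010 64kbit  256kbit  1 1       # ctrl
    htb_leaf  1:3000 1:3020 128kbit 768kbit  2 2       # other (default class)
    htb_leaf  1:3000 1:3030 512kbit 2048kbit 3 3       # www
    htb_leaf  1:3000 1:5040 386kbit 2048kbit 4 4       # p2p: ceil raised, lowest prio
}

# Guaranteed rates of the four internet leaves must fit in the 2048kbit parent.
rates_fit 2048 64 128 512 386 && build_tree
```

After applying it, `tc -s class show dev eth0` lets you watch the "lended"/"borrowed" counters: with a large web download running, 1:5040 should settle at its 386kbit rate while 1:3030 collects the borrowed share.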