Re: [LARTC] Problem with multiple ADSL lines

2007-10-12 Thread Kostas Flokos
Hi Mohan,

Thanks a lot for your reply. I haven't tried it yet, but I have no doubts it
will work.

However, if you have time, could you please explain to me why a request
received from IP1 by host H1, having IP2 as its default route, cannot be routed
through IP1? I have a routing table saying that the route to IP1 is through
the proper eth card.
I have used tcpdump to check the packets coming in/out of the systems and
it seems that there is a packet going from ADSL1 to H1, but nothing the
other way... it seems like H1 doesn't know what to do with it.

Could you please explain (or point me to URLs explaining) why it will
change if I set the modems to bridge mode? I still want to do NAT; will it
change if I do it from the Linux router now?

I also do not understand what you imply with
3. Source NAT rules use ISP1_IP and routing rule redirects it to link
connected to ISP2. Flip similarly for ISP1.
Could you be a bit more descriptive?

Forgive me for being a bit ignorant of all that; possibly I'm trying to
understand too much without basic technical background on routing, etc.
One more time, thanks a lot for your help.
Regards,
Kostas

On 10/12/07, Mohan Sundaram [EMAIL PROTECTED] wrote:

 Kostas Flokos wrote:
  Hi all,
  I have managed to set up a Fedora 7 box with 3 ethernet cards and two
  ADSL modem/routers from different suppliers as LARTC recommends. I am
  able to direct traffic for specific internal IPs either to one or the
  other ADSL line. However, I am faced with two problems I am struggling
  to solve:
 
  1. I have opened a few ports on the ADSL router/firewalls to talk to
  internal hosts; say when someone hits http://myADSL1_IP I would redirect
  him to 192.168.0.10, while if someone hits http://myADSL2_IP I would
  redirect him to 192.168.0.20.
 This is your ADSL router(s) config.
  If I have rules such as the following all works well:
  ip rule add from 192.168.0.10 table ADSL1_rules
  ip rule add from 192.168.0.20 table ADSL2_rules
 These are rules on your linux machine to send traffic back on the same
 link they came from.
  Unfortunately, if I want to do the reverse it does not work. I can't
  have a host prefer one ADSL line, but still receive traffic from the
  other ADSL line.
 This can be done by switching the rule table above. Obviously NAT is
 being used. However, this will break. You cannot initiate a connection
 to one IP and match the reply or ack for that connection from another
 IP. TCP/IP basics. Asymmetric routing works when no address translations
 take place.
  It may sound weird, but I only want to have one host
  reply to any of the two IPs, either from ISP1 or ISP2. With the current
  configuration I can't. It works OK for the default ISP of the host, but
  I can't make it work for the other.
 One way of doing this would be:
 1. Set the routers to bridge mode.
 2. Assign the ISP IPs to the NICs.
 3. Source NAT rules use ISP1_IP and routing rule redirects it to link
 connected to ISP2. Flip similarly for ISP1.

 Let us hope your ISP2 does not filter out traffic having source outside
 his subnet when it arrives from within.

 Mohan
 ___
 LARTC mailing list
 LARTC@mailman.ds9a.nl
 http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc







[LARTC] Packet Interception

2007-10-12 Thread Jayesh Agrawal
Hello!

In the earlier mail I think I was not clear... Actually the following are my
requirements:


1) our requirement is to capture all packets originating/destined to a
particular machine. This also includes ping packets to the same
machine/localhost, i.e. at machine A we want to also capture packets
originating from, say, machine A and destined to machine A (these probably do
not go to the data link layer).

2) we want to experiment with the behavior by adding delays to those packets,
and that is why we want the actual packet; a copy of the packet won't serve the
purpose.

3) we are open to listening at whatever layer (datalink/network), so how
can we achieve this functionality?


Re: [LARTC] Problem with multiple ADSL lines

2007-10-12 Thread Mohan Sundaram

Kostas Flokos wrote:

 Hi Mohan,

 Thanks a lot for your reply. I haven't tried it yet, but I have no
 doubts it will work.

 However, if you have time, could you please explain to me why a request
 received from IP1 by host H1, having IP2 as its default route, cannot be
 routed through IP1? I have a routing table saying that the route to IP1
 is through the proper eth card.
 I have used tcpdump to check the packets coming in/out of the systems
 and it seems that there is a packet going from ADSL1 to H1, but nothing
 the other way... it seems like H1 doesn't know what to do with it.


Does the packet from H1 reach the Linux box? Come to think of it, you 
must have a route on each of the ADSL routers that shows 192.168.0.0/24 
as reachable thro' the Linux box. I think this is OK, else the packet would not 
reach H1. Similarly, host H1 must have the Linux box as default gateway.
 Could you please explain (or point me to URLs explaining) why it
 will change if I set the modems to bridge mode?

Not all ADSL modems support bridging. Please check that out first.
 I still want to do NAT; will it change if I do it from the Linux router now?


Most routers NAT with their external IP and the user normally has no 
control. Thus if you receive a request on ADSL1_IP which goes to H1 and 
the reply goes out thro' ISP2, the src of the reply will be ADSL2_IP due 
to NATting. The initiator will only accept a reply with src ADSL1_IP.


If you set the modems to bridge mode, you can do the NATting on the 
Linux box where you can NAT with ADSL1_IP and still send the packet out 
thro' ISP2. Linux has a great deal of flexibility here.

 I also do not understand what you imply with
  3. Source NAT rules use ISP1_IP and routing rule redirects it to link
  connected to ISP2. Flip similarly for ISP1.
 Could you be a bit more descriptive?

Linux Router config:
Dst NAT http on ADSL1_IP goes to H1
Dst NAT http on ADSL2_IP goes to H2

Source NAT src H1 to ADSL1_IP
Source NAT src H2 to ADSL2_IP

ip rule add from ADSL1_IP table ADSL2_rules
ip rule add from ADSL2_IP table ADSL1_rules

ADSL1_rules default gw is ISP1. ADSL2_rules default gw is ISP2

H1 receives all requests that come on ADSL1_IP. The reply from H1 for 
request arriving on ADSL1 goes out thro' ISP2 as desired but with the 
right source IP i.e. ADSL1_IP.


From your mail, it seemed like you were wanting to do this. Your 
original config was sending replies out thro' the same i/f it arrived on.


 Forgive me for being a bit ignorant of all that; possibly I'm trying to
 understand too much without basic technical background on routing, etc.


We were all there at a point of time. No need to apologize. It may also 
not be true that you do not know. We may be failing in communication too.

 One more time, thanks a lot for your help.

You are welcome.

 Regards,
 Kostas

 On 10/12/07, Mohan Sundaram [EMAIL PROTECTED] wrote:

  Kostas Flokos wrote:
   Hi all,
   I have managed to set up a Fedora 7 box with 3 ethernet cards and two
   ADSL modem/routers from different suppliers as LARTC recommends. I am
   able to direct traffic for specific internal IPs either to one or the
   other ADSL line. However, I am faced with two problems I am struggling
   to solve:

   1. I have opened a few ports on the ADSL router/firewalls to talk to
   internal hosts; say when someone hits http://myADSL1_IP I would
   redirect him to 192.168.0.10, while if someone hits http://myADSL2_IP
   I would redirect him to 192.168.0.20.
  This is your ADSL router(s) config.
   If I have rules such as the following all works well:
   ip rule add from 192.168.0.10 table ADSL1_rules
   ip rule add from 192.168.0.20 table ADSL2_rules
  These are rules on your linux machine to send traffic back on the same
  link they came from.
   Unfortunately, if I want to do the reverse it does not work. I can't
   have a host prefer one ADSL line, but still receive traffic from the
   other ADSL line.
  This can be done by switching the rule table above. Obviously NAT is
  being used. However, this will break. You cannot initiate a connection
  to one IP and match the reply or ack for that connection from another
  IP. TCP/IP basics. Asymmetric routing works when no address translations
  take place.
   It may sound weird, but I only want to have one host
   reply to any of the two IPs, either from ISP1 or ISP2. With the
   current configuration I can't. It works OK for the default ISP of the
   host, but I can't make it work for the other.
  One way of doing this would be:
  1. Set the routers to bridge mode.
  2. Assign the ISP IPs to the NICs.
  3. Source NAT rules 
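The setup Kostas describes, one internal host answering requests that arrive on either public address, as an added example that is not from the thread: it assumes the modems are bridged and the Linux box does the NAT (Mohan's steps 1 and 2) and, instead of his step 3, records the ingress link in the connection's mark so each reply is routed back out the link it arrived on and leaves with that link's address, which also sidesteps the ISP source filtering he warns about. Interface names, addresses (documentation prefixes) and table numbers are assumptions.

```shell
# Added example, not from the thread. Two bridged ADSL links on one Linux
# router; host H1 is reachable on both public addresses and every reply
# leaves on the link its request arrived on. Interfaces, addresses and
# table numbers are assumed. Prints the commands unless DRY_RUN=0 (then
# they are executed and need root).
DRY_RUN="${DRY_RUN:-1}"
LAN_IF=eth0;  H1=192.168.0.10
ISP1_IF=eth1; ISP1_IP=203.0.113.10;  ISP1_GW=203.0.113.1
ISP2_IF=eth2; ISP2_IP=198.51.100.10; ISP2_GW=198.51.100.1
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Strict reverse-path filtering drops packets whose return route differs
# from the main table; loose mode (2) accepts them. Kernels older than
# 2.6.31 only know 0/1, so use 0 there.
setup_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    for i in "$ISP1_IF" "$ISP2_IF"; do run sysctl -w "net.ipv4.conf.$i.rp_filter=2"; done
}

# Table N holds only "default via ISP N"; fwmark N selects it. The "from"
# rules do the same for traffic the router itself sends from either address.
setup_tables() {
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table 1
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table 2
    run ip rule add fwmark 1 table 1
    run ip rule add fwmark 2 table 2
    run ip rule add from "$ISP1_IP" table 1
    run ip rule add from "$ISP2_IP" table 2
}

# Remember the ingress link in the connection's mark when it is created,
# and copy that mark onto H1's replies before they are routed.
setup_marks() {
    run iptables -t mangle -A PREROUTING -i "$ISP1_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$ISP2_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
}

# Port 80 on either public address is forwarded to H1; conntrack reverses
# the DNAT on the reply, so it leaves with the address the client used.
setup_nat() {
    run iptables -t nat -A PREROUTING -i "$ISP1_IF" -d "$ISP1_IP" -p tcp --dport 80 -j DNAT --to-destination "$H1"
    run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$ISP2_IP" -p tcp --dport 80 -j DNAT --to-destination "$H1"
    run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -j SNAT --to-source "$ISP1_IP"
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j SNAT --to-source "$ISP2_IP"
}

setup_all() { setup_sysctl; setup_tables; setup_marks; setup_nat; }
setup_all
```

The main table still needs its own default route for connections the LAN opens itself; whichever link it picks, the matching SNAT rule gives them that link's address.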

Re: [LARTC] Packet Interception

2007-10-12 Thread John Default

Hi.

Jayesh Agrawal wrote:

 Hello!

 In the earlier mail I think I was not clear... Actually the following
 are my requirements:


 1) our requirement is to capture all packets originating/destined to a
 particular machine. This also includes ping packets to the same
 machine/localhost, i.e. at machine A we want to also capture packets
 originating from, say, machine A and destined to machine A (these
 probably do not go to the data link layer).
Did you consider using iptables -j QUEUE? Maybe it would be possible 
with that (even if you want to delay loopback packets).

http://www.crhc.uiuc.edu/~grier/projects/libipq.html
 2) we want to experiment with the behavior by adding delays to those
 packets, and that is why we want the actual packet; a copy of the
 packet won't serve the purpose.
But I saw a warning that when you delay for too long, the queue may fill up 
and you start to lose packets.
 3) we are open to listening at whatever layer (datalink/network), so
 how can we achieve this functionality?


You were right, loopback packets aren't seen in pcap, only things going 
through some interface.

--

___
Best regards

John Default





[LARTC] load balance switching latency

2007-10-12 Thread Alec Joseph Rivera
Hello there.

I am setting up a router using openwrt. Part of the project is load
balancing among 2 broadband lines. I made use of the line:

ip route add default scope global \
nexthop {GW1} dev {IF1} weight 1 \
nexthop {GW2} dev {IF2} weight 1

somewhere on the configs.

On the test phase, automatically switching (routing) to line GW2 when
line GW1 is suddenly disconnected takes a long time. I'm thinking that
the routing still tries to send to GW1 even though it's dead.

a. Is there a way around this?
b. Does routing react differently to carrier loss (unplugging the cable)
than to a fully loaded line?

Any thoughts? Thanks...

-- 
Alec Joseph Rivera
F S 3 Consulting Inc.
http://www.fs3.ph




[LARTC] IPSec Null Encryption

2007-10-12 Thread Nyamul Hassan
Hi,

Is it possible to use null encryption in the IPSec protocol?

Regards
HASSAN


[LARTC] Why not qos for downloading stream??

2007-10-12 Thread Beat Meier

HI there

Simple question :-)
Why are there always only QoS examples for the upload and not the download 
stream of ADSL?
I have a Linux router which shares one ADSL link (512kbps download, 128kbps 
upload) among 5 wireless customers, my neighbours and me ...
Now does it make sense to do QoS on the Linux router for download for us?
Say if someone is using ssh from outside ...
So I tried to apply example 15.10 of the Cookbook of the LARTC HOWTO on 
the Linux router ...
I have for every neighbour a class which limits its traffic to 128kbps 
and below that I added the whole tree of example 15.10 on the router ...
Or does it make more sense to do this on the AP with ingress? I have a 
full Linux AP router for each neighbour.

Now comes the filtering, and I was wondering:
1. does it make sense, i.e. does it help us, if the download speed is at the 
limit, to prioritize ssh, voip etc.?
2. what will the CPU load be if you have not only 5 connected clients but, 
say, 30, and a lot of filter rules, i.e. each customer needs his full filter 
set ...

Does anybody have such a thing in production, or is it useless?

Greetings

Beat


[LARTC] scraping data from tc rules

2007-10-12 Thread Alex Samad
Hi

Currently I use snmp to scrape information from my router about its interfaces; 
does anyone have an easy way of scraping information from tc rules to place 
into an rrd db?

Do I need to put together a perl script to extract it from the output?

Alex




[LARTC] Weird problem with maximum upload speed on Windows

2007-10-12 Thread sAwAr


Hello,

I have had a very big problem since last Friday. I noticed that clients with Windows 
can't upload faster than ~140kB/s on one connection (ftp, http). It's quite 
weird because when I do exactly the same test (the same server, time, computer, 
client IP address, even switch and port) but on Linux the upload speed is much 
higher. Very interesting is that it is always about 140KB/s. 

Does somebody have any suggestions or possible solutions for this ?

Thanks in advance
Regards,
Szymon Turkieiwcz



Re: [LARTC] Why not qos for downloading stream??

2007-10-12 Thread Andreas Mueller
Hi,

Beat Meier wrote:
 HI there

 Simple question :-)
 Why are there always only QoS examples for the upload and not the download 
 stream of ADSL?
The packets are already on your router, so why slow down the
routing? You cannot prevent anyone from sending you data, but you can control
the requests for more incoming traffic. (The case here is a slow
internet connection.)

[...]

 Now comes the filtering, and I was wondering:
 1. does it make sense, i.e. does it help us, if the download speed is at the 
 limit, to prioritize ssh, voip etc.?
 2. what will the CPU load be if you have not only 5 connected clients but, 
 say, 30, and a lot of filter rules, i.e. each customer needs his full filter 
 set ...
[...]
That's how I would argue the other questions, with a no.
(Btw., AFAIK the traffic of 5 or 30 people would not fully load a 200MHz
mipsel router on this line, but effectively shaping for low latency
(VoIP) could be hard to deal with on that line.)

Bye, Andreas.


Re: [LARTC] Why not qos for downloading stream??

2007-10-12 Thread Mohan Sundaram

Beat Meier wrote:

 HI there

 Simple question :-)
 Why are there always only QoS examples for the upload and not the download
 stream of ADSL?
QoS works on packet queuing at the interface level. We can only queue 
what we send out, or police/rate limit what we receive. On edge 
devices, normally, an incoming stream on one interface translates to one 
or more outgoing streams on other interfaces. Thus applying QoS on an 
egress interface is equivalent to doing QoS on the ingress interface. 
TCP/IP slows down automatically when congestion occurs. The above 
does not hold true for UDP/ICMP and that is why these are commonly rate 
limited at ingress.
 I have a Linux router which shares one ADSL link (512kbps download, 128kbps
 upload) among 5 wireless customers, my neighbours and me ...
 Now does it make sense to do QoS on the Linux router for download for us?
 Say if someone is using ssh from outside ...
 So I tried to apply example 15.10 of the Cookbook of the LARTC HOWTO on
 the Linux router ...
 I have for every neighbour a class which limits its traffic to 128kbps
 and below that I added the whole tree of example 15.10 on the router ...
 Or does it make more sense to do this on the AP with ingress? I have a
 full Linux AP router for each neighbour.


Shape outgoing traffic on the interface that faces each customer.

Mohan
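Mohan's advice to shape outgoing traffic on the interface facing the customers, as an added example that is not from the thread: one HTB class per neighbour capped at 128kbps, each with an interactive child (ssh and UDP, i.e. VoIP) served ahead of a bulk child for ordinary downloads. Interface name, customer addresses and rates are assumptions.

```shell
# Added example, not from the thread: downstream shaping done on the
# LAN-facing interface of the Linux router, one HTB class per neighbour.
# Interface, addresses and rates are assumed. Prints the commands unless
# DRY_RUN=0 (then they are executed and need root). Up to 9 customers,
# since the customer index becomes one classid digit.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF=eth0
LINE_KBIT=480      # just under the 512 kbit/s downstream, so the queue
                   # builds here on the router and not at the ISP
CUSTOMERS="192.168.1.10 192.168.1.11 192.168.1.12"   # constructed addresses
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# $1 = customer index 1..9, $2 = customer IP
shape_customer() {
    idx=$1; ip=$2
    # guaranteed 64 kbit/s, may borrow up to 128 kbit/s from the line class
    run tc class add dev "$LAN_IF" parent 1:1 classid "1:${idx}0" htb rate 64kbit ceil 128kbit
    # prio 0 is served before prio 1 whenever both have something queued
    run tc class add dev "$LAN_IF" parent "1:${idx}0" classid "1:${idx}1" htb rate 32kbit ceil 128kbit prio 0
    run tc class add dev "$LAN_IF" parent "1:${idx}0" classid "1:${idx}2" htb rate 32kbit ceil 128kbit prio 1
    run tc qdisc add dev "$LAN_IF" parent "1:${idx}2" handle "${idx}2:" sfq perturb 10
    # ssh on either end (port 22) and all UDP (VoIP) go interactive; the
    # rest of this customer's downstream traffic goes bulk
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip dst "$ip/32" match ip dport 22 0xffff flowid "1:${idx}1"
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip dst "$ip/32" match ip sport 22 0xffff flowid "1:${idx}1"
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip dst "$ip/32" match ip protocol 17 0xff flowid "1:${idx}1"
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 2 u32 match ip dst "$ip/32" flowid "1:${idx}2"
}

setup_shaping() {
    # default 0: traffic matching no customer (e.g. to the router itself)
    # bypasses shaping instead of landing in someone's class
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 0
    run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "${LINE_KBIT}kbit"
    i=1
    for c in $CUSTOMERS; do shape_customer "$i" "$c"; i=$((i + 1)); done
}
setup_shaping
```

This only works because TCP senders slow down when the router holds their packets back, which is the point Mohan makes; UDP streams are not slowed, they are merely queued ahead of bulk traffic.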