Re: [LARTC] pptp, vpn traffic control
Hello Doug,

 : Before I got your message I spent a couple of hours reading chapter 9
 : of the how to at lartc.org. The HTB option makes sense in concept to
 : me...

Right...good...LARTC doc is quite good, though occasionally dense.

 : Can you provide some example syntax for me given the following...

I'll refrain until you have a more fully-formed scenario. Since you are new to Linux traffic control, let me suggest that you consider using tcng (I'm a big fan--it's much more human-legible than raw tc syntax). See my tcng and HTB HOWTO [0].

[ snip ]

 : As I understand it the HTB works by limiting the 'outgoing' data and not
 : the incoming data and the limits will be placed on the ppp sessions
 : and not the eth0.

Premise: You can only shape what you transmit [1]. (Yes, exceptions to this rule exist.)

 : How do I make the limiting start when the ppp session comes up?

Good question...this will probably require some glue code. Shell, perl, whatever you like. Others may have better suggestions. In short, the traffic control structures inside the kernel are static--they can be manipulated (added/removed), although my impression (and my own usage) relies on creating a static traffic control configuration. Regardless, if you can hook into an ip-up or if-up script on your PPTP server, then you can write raw tc commands which create the traffic control structures (and iptables, hint...hint) for each connection.

 : I'm using Rethat 9 with kernel 2.4.20-8.

Retchhat? (I never stop with the teasing, do I?)

If you choose to use tcng, you may end up needing dsmark. That's easy with RedHat boxen in the post 2.4.20 world. modprobe dsmark works very well. Almost everything you'll need is built as a module for your use. You will, however, need a custom tc. I have a now-outdated SRPM you can use as a template for rebuilding against the recently issued iproute errata package [2], or you can use the binary provided by Martin Devera (author of HTB) [3].

-Martin

 [0] http://tldp.org/HOWTO/Traffic-Control-tcng-HTB-HOWTO/
 [1] http://tldp.org/HOWTO/Traffic-Control-HOWTO/rules.html
 [2] http://linux-ip.net/traffic-control/iproute-2.4.7-7.src.rpm *
 [3] http://luxik.cdi.cz/~devik/qos/htb/
     http://luxik.cdi.cz/~devik/qos/htb/v3/htb3.6-020525.tgz

 * You can use this as an example, but please understand that it is grossly out of date. If you don't know how to build SRPMS, just skip it and grab Martin Devera's tc.

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] pptp, vpn traffic control
On Thu, 18 Dec 2003 17:21:46 -0600 (CST), Martin A. Brown wrote:

> Hello Doug,

Hi MartiUG :)

> : Can you provide some example syntax for me given the following...
>
> I'll refrain until you have a more fully-formed scenario.

bugger... having done lots of reading yesterday the one thing I learnt about htb is that I'm going to need some help! :)

> Since you are new to Linux traffic control, let me suggest that you consider using tcng (I'm a big fan--it's much more human-legible than raw tc syntax). See my tcng and HTB HOWTO [0].

Hummm let's stick to one system at a time? Having read all about HTB yesterday I do actually understand most of it I think... Just not sure how I'm going to bind the bits to ppp yet...

> : How do I make the limiting start when the ppp session comes up?
>
> Good question...this will probably require some glue code. Shell, perl, whatever you like. Others may have better suggestions. In short, the traffic control structures inside the kernel are static--they can be manipulated (added/removed), although my impression (and my own usage) relies on creating a static traffic control configuration. Regardless, if you can hook into an ip-up or if-up script on your PPTP server, then you can write raw tc commands which create the traffic control structures (and iptables, hint...hint) for each connection.

I spent some time this morning looking at ip-up.local and its parameters. I can see I can get the pppX, local and remote ip numbers. My current thinking is that I just add a line to the script to 'add'/bind the new ip when the connection goes live, then add a line to ip-down.local to remove the rule when the link goes down.

So how about this...?...

    # In ip-up.local
    tc qdisc add dev pppX root handle 1:X htb
    tc class add dev pppX parent 1:X classid 1:X htb rate 56kbit ceil 56kbit
    tc filter add dev pppX parent 1:X protocol ip prio 1 u32 \
        match ip dst X-remoteIP flowid 1:X

How do I remove all this when the ppp connection goes off line?

Cheers DiG

--
Don Gould
The technology exists to give every home 10mbits per second for $10 per month!
http://marc.theaimsgroup.com/?l=poptop-serverr=1w=2 - For all your poptop needs.
http://sourceforge.net/donate/ - Give a little and watch the love grow!
www.skype.com - sorry it's not a linux tool but it's very kewl! Wish a linux guru would make something for nix as good as this!
[EMAIL PROTECTED] - Best information about DSL technology and trends I've found yet.
http://www.linuxforum.com/forums/ -

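The ip-up.local / ip-down.local glue discussed in the messages above, as an added sketch that is not code from either poster: it builds a per-session HTB tree when a ppp link comes up and removes it when the link goes down. The 128kbit default rate, the class id 1:10 and the function names are assumptions for illustration; the argument order is the one pppd passes to its hook scripts.

```shell
#!/bin/sh
# Added example: per-session HTB shaping driven by pppd hook scripts.
# pppd passes: <ifname> <tty> <speed> <local-ip> <remote-ip> [ipparam]
# RATE and class id 1:10 are assumptions chosen for illustration.
RATE="${RATE:-128kbit}"

# The hooks run as root and their arguments land on a tc command line,
# so accept only pppN names and dotted-quad-shaped addresses.
valid_args() {
    case "$1" in
        ppp[0-9]|ppp[0-9][0-9]|ppp[0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    case "$2" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print (do not run) the tc commands for action "up" or "down".
shaper_cmds() {
    action="$1"; dev="$2"; remote="$3"
    valid_args "$dev" "$remote" || return 2
    case "$action" in
        up)
            echo "tc qdisc add dev $dev root handle 1: htb default 10"
            echo "tc class add dev $dev parent 1: classid 1:10 htb rate $RATE ceil $RATE"
            echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip dst $remote/32 flowid 1:10"
            ;;
        down)
            # Deleting the root qdisc also removes its classes and filters.
            echo "tc qdisc del dev $dev root"
            ;;
        *) return 2 ;;
    esac
}

# Execute the generated commands; DRY_RUN=1 prints them instead.
apply_shaper() {
    cmds=$(shaper_cmds "$@") || return 2
    printf '%s\n' "$cmds" | while read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd; fi
    done
}

# In ip-up.local:    apply_shaper up   "$1" "$5"
# In ip-down.local:  apply_shaper down "$1" "$5"
```

A qdisc on pppX shapes only what the server transmits to that client, in line with the "you can only shape what you transmit" premise quoted earlier in the thread. If the interface has already been torn down when ip-down.local runs, the delete fails harmlessly because the qdisc went away with the device.
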
Re: [LARTC] pptp, vpn traffic control
Don,

 : I want to set up some traffic control and don't know where to start...

I'll copy my own comments from the LARTC FAQ (o-Matic) [0].

[ begin from FAQ ]

In addition to the lartc.org HOWTO itself, I'd suggest some introductory reading...first my own traffic control overview (and some links to other documentation):

  http://tldp.org/HOWTO/Traffic-Control-HOWTO/
  http://tldp.org/HOWTO/Traffic-Control-HOWTO/links.html

An alternative introduction is Leonardo Balliache's pages:

  http://opalsoft.net/qos/DS.htm

Werner Almesberger's still relevant implementation overview of 1999 warrants (and rewards) careful study:

  http://www.almesberger.net/cv/papers.html
  http://www.almesberger.net/cv/papers/tcio8.pdf

Once you have an understanding of the entire traffic control system, the easiest way to some practical configurations is with the tcng software:

  http://tcng.sourceforge.net/

The tcng software reads a structured configuration file, where the tc command line utility is documented in parts of documents all over the 'net.

[ end from FAQ ]

I'd suggest my Traffic Control HOWTO and Werner's pages for you until you have a rough idea of the entire system. Once you understand the system, head over to the LARTC site [1] to get some detailed help on what commands to use. Also never forget that Stef Coene has a large set of pages [2] which detail HTB and traffic control generally in an excellent fashion.

 : (ie: Each user connects to the VPN server then connects netmeeting from
 : point to point using the private ip that the poptop pptp vpn assigns
 : each client)

Neat idea.

 : Netmeeting will use up as much bandwidth as it can. (As I understand
 : it)

So will a bulk file download. ;-)

 : I want to be able to restrict each vpn tunnel to xk (where xk might be
 : 128kbits or less).

You'll probably want to use an HTB tree with a child class where rate=ceil=128kbit for each of your clients...but you'll probably get some ideas of your own as you familiarize yourself with the tools.

 : I also want to be able to stop users from using any ports on the vpn
 : tunnel other than the ones required by netmeeting and port 80.

Use iptables. The iptables tutorial [3] will help you here.

 : I have read all about compiling kernels but I still haven't got this
 : sused.

This makes no sense to me. What means this verb sused? Is that what happens when an admin leaves, dropping a lousy old crufty SuSe box in your lap? ( I've been Sused! ?? )

In seriousness, though, what distribution and kernel are you using? It is likely if you have a recent installation that you have everything you need already (with the possible exception of an HTB-capable tc).

-Martin

 [0] http://www.docum.org/stef.coene/qos/faq/cache/
     http://www.docum.org/stef.coene/qos/faq/cache/46.html
 [1] http://lartc.org/
     http://lartc.org/howto/
 [2] http://docum.org/
 [3] http://iptables-tutorial.frozentux.net/

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]