Re: Using BGP to multihome on links of different bandwidth
On 07/25/2006 08:46:49 PM, Alex Thurlow wrote:

> We currently have 2 links that are shared via BGP. One is an OC-12, and the other is 100Mb ethernet. Under just a normal BGP setup, our 100Mb line would be saturated as it attempted to send traffic there based on routing distance.
>
> My question is, is there a way to share these 2 lines and not saturate the smaller one?

There's probably a way to use the "probability" parameter in conjunction with "route-to", especially if you're doing policy based routing. However, that's off the top of my head. I've not tried any such thing and am a BGP noob so can't say what the interactions are there.

Seems to me you might need to abandon BGP. If so, one way to go is to partition the internet with 2 static routes, and poke at it with a stick until you get the bandwidth balance right.

Also, it's not clear to me how you're going to keep the inbound traffic from saturating the link, unless you're nat-ting or something and do the "probability" with that.

Regards,

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward."
    -- Robert A. Heinlein

Re: rdr over ip alias
> Yeah, but it doesn't work for me on OpenBSD 3.9 with 2 NICs, WAN and LAN.
>
> I have NAT on the primary IP and "rdr ... to $alias_whit_second_public_ip port 80 -> $prv_machine", but the traffic doesn't work, and without the alias the same rule works.
>
> Works:
> rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $web_server port 80
>
> Doesn't work:
> rdr pass on $ext_if proto tcp from any to $alias port 80 -> $web_server port 80

Huh. This works perfectly fine for me on FreeBSD with pf. I've got it on a couple of machines, and no problems yet:

    rdr pass on $ext_if proto tcp from any to alias.domain.org -> 192.168.17.26

Granted - I'm not using a variable for the alias address, I've got the actual hostname in there, and I'm redirecting all traffic, not just port 80, but it /should/ work the same...

Using BGP to multihome on links of different bandwidth
New to the list, and with a question I can't seem to find an answer to anywhere else.

A little preface - I have recently switched jobs, so I am in a new network situation. There are some upcoming changes, and I wish to switch from our current Linux router to OpenBSD-pf.

We currently have 2 links that are shared via BGP. One is an OC-12, and the other is 100Mb ethernet. The reason we have lines of unmatched speed is that we could get the 100Mb cheap and are wanting to test the usefulness of multihoming. Under just a normal BGP setup, our 100Mb line would be saturated as it attempted to send traffic there based on routing distance. Because of this, there are IPtables rules that count how many pps are going on the 100Mb line, and if there are over a certain amount, they mangle the packets and send them over the OC-12 instead. In this way, we are able to share these 2 lines of differing bandwidth.

My previous OpenBSD/pf experience was limited mainly to bridging firewalls, but I would like to use it for a new router. My question is, is there a way to share these 2 lines and not saturate the smaller one? I have looked around, and it doesn't seem to be a very common question, so I come here to the experts. I was not able to actually find any other way to do it besides iptables, so any other product (juniper, xorp, cisco, etc.) that might be able to do this would be interesting to me as well.

Thanks,
Alex Thurlow

Re: rdr over ip alias
On Tue, Jul 25, 2006 at 04:52:49PM -0400, mnothic wrote:
> Yeah, but it doesn't work for me on OpenBSD 3.9 with 2 NICs, WAN and LAN.
>
> I have NAT on the primary IP and "rdr ... to $alias_whit_second_public_ip port 80 -> $prv_machine", but the traffic doesn't work, and without the alias the same rule works.
>
> Works:
> rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $web_server port 80
>
> Doesn't work:
> rdr pass on $ext_if proto tcp from any to $alias port 80 -> $web_server port 80

Remember that unlike filtering rules, nat/rdr use the first match instead of the last. Does something above your "$alias port 80 ->" rule also match? Perhaps something with ($ext_if)?

--
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]          |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |

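The first-match point raised in the reply above, as an added example that is not part of the original thread: a simplified Python model of rdr evaluation that reports which rule fires for a destination and flags rules shadowed by an earlier, broader one. The addresses, the `$alias_server` macro and the rule order are constructed assumptions; the model relies on an interface name used as a destination covering the interface's alias addresses too.

```python
from ipaddress import ip_address

# Constructed addresses (documentation range); not the poster's real ones.
PRIMARY, ALIAS = ip_address("192.0.2.154"), ip_address("192.0.2.155")
# An interface name in the "to" position covers every address on the
# interface, aliases included. $alias_server is a hypothetical macro.
MACROS = {"$ext_if": {PRIMARY, ALIAS}, "$alias": {ALIAS}}


def parse_rdr(line):
    """Parse 'rdr ... to <dst> port <n> -> <target> ...' (simplified)."""
    words = line.split()
    dst = words[words.index("to") + 1]
    port = int(words[words.index("port") + 1])
    target = words[words.index("->") + 1]
    return {"dst": MACROS[dst], "port": port, "target": target, "text": line}


def first_match(rules, dst_ip, port):
    """Translation rules are first-match: return the index of the winner."""
    for index, rule in enumerate(rules):
        if dst_ip in rule["dst"] and port == rule["port"]:
            return index
    return None


def shadowed(rules):
    """Indexes of rules that never fire because earlier rules cover them."""
    dead = []
    for index, rule in enumerate(rules):
        winners = {first_match(rules, ip, rule["port"]) for ip in rule["dst"]}
        if index not in winners:
            dead.append(index)
    return dead


# Broad interface rule first, alias rule second (assumed ordering).
BROAD_FIRST = [parse_rdr(text) for text in (
    "rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $web_server port 80",
    "rdr pass on $ext_if proto tcp from any to $alias port 80 -> $alias_server port 80",
)]
ALIAS_FIRST = list(reversed(BROAD_FIRST))

if __name__ == "__main__":
    for name, rules in (("broad first", BROAD_FIRST), ("alias first", ALIAS_FIRST)):
        hit = rules[first_match(rules, ALIAS, 80)]
        print(f"{name}: alias:80 -> {hit['target']}, shadowed rules: {shadowed(rules)}")
```
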
Re: rdr over ip alias
On 7/25/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Tue, Jul 25, 2006 at 01:07:06PM -0400, mnothic wrote:
>
> > I need documentation it approaches incoming traffic in an IP ALIAS and
> > port redirected to a private IP and port
>
> Start with the pf.conf(5) man page, as on
>
>   http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf
>
> There is nothing special about redirecting connections that originally have an IP alias as the destination address, you just specify that in the "rdr ... to $alias -> $new_dest" part.
>
> Daniel

Yeah, but it doesn't work for me on OpenBSD 3.9 with 2 NICs, WAN and LAN.

I have NAT on the primary IP and "rdr ... to $alias_whit_second_public_ip port 80 -> $prv_machine", but the traffic doesn't work, and without the alias the same rule works.

Works:

    rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $web_server port 80

Doesn't work:

    rdr pass on $ext_if proto tcp from any to $alias port 80 -> $web_server port 80

cat hostname.xl0

    inet a.a.a.154 255.255.255.248 NONE
    inet alias a.a.a.155 255.255.255.255
    inet alias a.a.a.156 255.255.255.255
    inet alias a.a.a.157 255.255.255.255
    inet alias a.a.a.158 255.255.255.255

Re: rdr over ip alias
On Tue, Jul 25, 2006 at 01:07:06PM -0400, mnothic wrote:
> I need documentation it approaches incoming traffic in an IP ALIAS and
> port redirected to a private IP and port

Start with the pf.conf(5) man page, as on

  http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

There is nothing special about redirecting connections that originally have an IP alias as the destination address, you just specify that in the "rdr ... to $alias -> $new_dest" part.

Daniel

rdr over ip alias
I need documentation it approaches incoming traffic in an IP ALIAS and port redirected to a private IP and port

--
Jorge "mandatory" Medina.

Re: an issue with borrowing by subqueues
As far as I know, you need to specify a borrow word in your parent rule. So in any kind of parent rule or sub-parent rule you need a borrow rule, so it can borrow from its parent, or its subrules can borrow from the parent rule.

Something like this:

    # First internal interface QoS
    altq on $int_if1 cbq bandwidth 100Mb queue { lan_in, std_in }
    queue lan_in bandwidth 90Mb cbq
    queue std_in bandwidth 1900Kb cbq (borrow red) { ssh_im_in, dns_in, users_in }
    queue ssh_im_in bandwidth 128Kb cbq
    queue dns_in bandwidth 128Kb cbq (default)
    queue users_in bandwidth 1644Kb cbq (borrow red) \
        { user1_in, user2_in, user3_in, user4_in, user5_in }
    queue user1_in bandwidth $bwsp cbq (borrow)
    queue user2_in bandwidth $bwsp cbq (borrow)
    queue user3_in bandwidth $bwsp cbq (borrow)
    queue user4_in bandwidth $bwsp cbq (borrow)
    queue user5_in bandwidth $bwsp cbq (borrow)

On 7/21/06, Michal Soltys <[EMAIL PROTECTED]> wrote:

I noticed that, for some reason, subqueues have a hard time borrowing unless the parent queue can borrow itself.

For example, consider the following setup (only important parts):

    altq on $if_100 cbq bandwidth 100Mb queue { if100_www,if100_mail, \
        if100_misc, if100_ftp, if100_pri, if100_extbulk, if100_ack }
    queue if100_misc on $if_100 bandwidth 2.8Mb cbq(default borrow)
    queue if100_www on $if_100 bandwidth 25Mb cbq \
        {if100_www_int, if100_www_sqd}
    queue if100_www_int on $if_100 bandwidth 5Mb cbq(borrow)
    queue if100_www_sqd on $if_100 bandwidth 20Mb cbq(borrow)
    queue if100_mail on $if_100 bandwidth 15Mb cbq(borrow)
    #...remaining queues...

    #and following rule:
    pass in on $if_100 inet proto tcp from any to $srv_100 port www flags S/SAFR keep state queue (if100_www_int, if100_ack)

In this scenario (note - no borrow in parent if100_www), I got the following results:

    queue root_fxp0 bandwidth 100Mb priority 0 cbq( wrr root ) {if100_misc, if100_www, if100_mail, if100_ftp, if100_pri, if100_extbulk, if100_ack}
      [ pkts: 24451 bytes: 34995648 dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
      [ measured: 516.5 packets/s, 5.91Mb/s ]
    queue if100_www bandwidth 25Mb {if100_www_int, if100_www_sqd}
      [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]
    queue if100_www_int bandwidth 5Mb cbq( borrow )
      [ pkts: 24448 bytes: 34995380 dropped pkts: 0 bytes: 0 ]
      [ qlength: 11/ 50 borrows: 18713 suspends: 1357 ]
      [ measured: 516.5 packets/s, 5.91Mb/s ]
    queue if100_www_sqd bandwidth 20Mb cbq( borrow )
      [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]

Now, if I add (borrow) to the if100_www queue:

    queue if100_www on $if_100 bandwidth 25Mb cbq(borrow) \
        {if100_www_int, if100_www_sqd}

the results:

    queue root_fxp0 bandwidth 100Mb priority 0 cbq( wrr root ) {if100_misc, if100_www, if100_mail, if100_ftp, if100_pri, if100_extbulk, if100_ack}
      [ pkts: 86969 bytes: 124483434 dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
      [ measured: 6563.2 packets/s, 75.16Mb/s ]
    queue if100_www bandwidth 25Mb cbq( borrow ) {if100_www_int, if100_www_sqd}
      [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50 borrows: 86678 suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]
    queue if100_www_int bandwidth 5Mb cbq( borrow )
      [ pkts: 86967 bytes: 124483226 dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50 borrows: 86880 suspends: 0 ]
      [ measured: 6563.2 packets/s, 75.16Mb/s ]
    queue if100_www_sqd bandwidth 20Mb cbq( borrow )
      [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]

No suspends, almost identical borrows, and quite a difference in bandwidth.

It somehow looks like the parent queue prohibits borrowing unless it can borrow itself from the root queue. Is it intended (or maybe a bug or misconfiguration on my side)? I was under the impression (including pf faq examples) that if a subqueue has the borrow attribute, it can use extra bw from the parent queue, regardless of whether the parent can or cannot borrow itself.

--
Key fingerprint = 9864 E575 E207 FB90 44C8 26A2 0167 E57E 66ED 0F1D