[LARTC] Egress shaping over multiple interfaces?

[LARTC] Egress shaping over multiple interfaces?

[Martijn Klingens]

Hello,

After reading the excellent HOWTO I got traffic shaping working nicely over 
ethernet devices on a test setup. I can't put this setup live though, because 
our main firewall has three 2mbit hdlc interfaces instead of a single device.

We are using multipath routing using iproute2 nexthop at the moment, and that 
works fine for firewalling. But now I have a need for shaping and shaping 
only works over a single interface it seems and not over multiple interfaces.

According to the HOWTO I can setup a teql device to bundle the hdlc0-2 into a 
single teql0 device, but that requires an extra combined IP address at both 
sides it seems.

The question is whether I can get away with setting up the teql device over 
the three hdlc IPs with an ip on the teql device that's either fake or one of 
our class C subnet (maybe even reuse the IP of the ethernet card on the other 
end), without having our provider to change their config.

The round robin routing is not the problem, we have that working correctly for 
quite a while already, it's the fact that teql requires an extra IP which 
nexthop routing doesn't that bothers me a bit. And since this is a live 
router I am not going to take risks by messing with it without proper 
research...

Is there any advice to give me here? Or do you need more information first?

Thanks in advance for any help,
-- 
Martijn

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Egress shaping over multiple interfaces?

[Stef Coene]

On Thursday 31 October 2002 15:20, Martijn Klingens wrote:
> Hello,
>
> After reading the excellent HOWTO I got traffic shaping working nicely over
> ethernet devices on a test setup. I can't put this setup live though,
> because our main firewall has three 2mbit hdlc interfaces instead of a
> single device.
>
> We are using multipath routing using iproute2 nexthop at the moment, and
> that works fine for firewalling. But now I have a need for shaping and
> shaping only works over a single interface it seems and not over multiple
> interfaces.
Yes you can if you apply the needed patches to the kernel and iptables so you 
can use the imq device.  It's a virtual device and you can use the normal 
cbq/htb/tbf qdiscs on it.  You can redirect packets to it with iptables and 
you can do it from any interface you want and also from IN + OUT.  So you can 
create 1 imq device, redirect all packets that leaves hdlc0-2 and shape on 
that imq device.
IMQ link :
http://trash.net/~kaber/imq

> According to the HOWTO I can setup a teql device to bundle the hdlc0-2 into
> a single teql0 device, but that requires an extra combined IP address at
> both sides it seems.
The teql can only be used if you have a linux on both sides of the 2 links.

> The question is whether I can get away with setting up the teql device over
> the three hdlc IPs with an ip on the teql device that's either fake or one
> of our class C subnet (maybe even reuse the IP of the ethernet card on the
> other end), without having our provider to change their config.
>
> The round robin routing is not the problem, we have that working correctly
> for quite a while already, it's the fact that teql requires an extra IP
> which nexthop routing doesn't that bothers me a bit. And since this is a
> live router I am not going to take risks by messing with it without proper
> research...
>
> Is there any advice to give me here? Or do you need more information first?

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Egress shaping over multiple interfaces?

[Martijn Klingens]

On Thursday 31 October 2002 17:06, Stef Coene wrote:
> Yes you can if you apply the needed patches to the kernel and iptables so
> you can use the imq device.  It's a virtual device and you can use the
> normal cbq/htb/tbf qdiscs on it.  You can redirect packets to it with
> iptables and you can do it from any interface you want and also from IN +
> OUT.  So you can create 1 imq device, redirect all packets that leaves
> hdlc0-2 and shape on that imq device.
> IMQ link :
> http://trash.net/~kaber/imq

Thanks for the quick reply!

Looks like I need this, since our provider uses a Cisco router and not a linux 
box, so teql is not an option :(

Now I only hope this applies properly to our kernel... (btw, how stable is it? 
I'm always hesitant to use code that is not in the mainstream kernel on a 
production firewall).
-- 
Martijn

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Egress shaping over multiple interfaces?

[Stef Coene]

On Thursday 31 October 2002 17:33, Martijn Klingens wrote:
> On Thursday 31 October 2002 17:06, Stef Coene wrote:
> > Yes you can if you apply the needed patches to the kernel and iptables so
> > you can use the imq device.  It's a virtual device and you can use the
> > normal cbq/htb/tbf qdiscs on it.  You can redirect packets to it with
> > iptables and you can do it from any interface you want and also from IN +
> > OUT.  So you can create 1 imq device, redirect all packets that leaves
> > hdlc0-2 and shape on that imq device.
> > IMQ link :
> > http://trash.net/~kaber/imq
>
> Thanks for the quick reply!
>
> Looks like I need this, since our provider uses a Cisco router and not a
> linux box, so teql is not an option :(
>
> Now I only hope this applies properly to our kernel... (btw, how stable is
> it? I'm always hesitant to use code that is not in the mainstream kernel on
> a production firewall).
I think it's stable.  At least I never heard people complaining about it.  But 
maybe nobody is using it :)
And it's a small hack.

Maybe Patrick knows this better.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Egress shaping over multiple interfaces?

[Hasso Tepper]

Stef Coene wrote:
> On Thursday 31 October 2002 17:33, Martijn Klingens wrote:
> > Now I only hope this applies properly to our kernel... (btw, how
> > stable is it? I'm always hesitant to use code that is not in the
> > mainstream kernel on a production firewall).
>
> I think it's stable.  At least I never heard people complaining
> about it.  But maybe nobody is using it :)
> And it's a small hack.

IMQ? I'm using it in the production. 100 IMQ devices 10 - 50 of them 
in use. Number of devices in use is changing in boxes and I had to 
create just enough IMQ devices. I'm using IMQ in combination with TBF 
to get bidirectional shaping. No problems at all.

with my best wishes,

-- 
Hasso
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/