* [LARTC] Capping bandwidth based on src/dst ip
@ 2003-11-27 22:59 Daniel Egger
2003-11-28 4:06 ` rio
2003-11-28 7:54 ` Eric Leblond
0 siblings, 2 replies; 3+ messages in thread
From: Daniel Egger @ 2003-11-27 22:59 UTC (permalink / raw)
To: lartc
Hija,
sorry for sounding a little lost here but that's probably because I am.
Let me explain what I'm trying to do:
I've a gateway with one uplink and several disjoint networks beneath it
like:
                 | T1
             ---------
             |  GW   |
             ---------
            /         \
 -------------       -------------
 |10.0.0.0/24|  ...  |10.0.5.0/24|
 -------------       -------------
Now what I need is to simply classify users in the network segments into
speed classes (gold/silver/bronze) and cap their traffic at fixed levels
inbound and outbound. My idea was to simply add one class and one filter
per used ip which should be no problem, however I have no idea how to
get rid of this class and filter once the user vanished or replace it by
another value when a different user shows up taking the same address.
The problems are: How do I figure out the tree id from the ip? Or how
can I reconfigure the limit without knowing the id?
A different idea would be to add (say) 500 classes for each speed level
and remember the used/unused ones in the application and serve the next
free class to a user by creating a filter on logon and removing that
later on.
If you now say: Hey, that's pretty easy; please hold on. :) Additionally I
don't know the addresses in advance because they're either served using
DHCP or set up in a fixed manner and routed thanks to arpspoofing so
this doesn't seem to make a good case for hashing. Also I somehow need
to also take care of the traffic which goes through transparent DNS and
http proxies.
Any help and ideas would be greatly appreciated.
--
Servus,
Daniel
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Capping bandwidth based on src/dst ip
From: rio @ 2003-11-28 4:06 UTC (permalink / raw)
To: lartc
"Daniel Egger" <egger@..> wrote:
> Hija,
> sorry for sounding a little lost here but that's probably because I am.
> Let me explain what I'm trying to do:
> I've a gateway with one uplink and several disjoint networks beneath it
> like:
>                  | T1
>              ---------
>              |  GW   |
>              ---------
>             /         \
>  -------------       -------------
>  |10.0.0.0/24|  ...  |10.0.5.0/24|
>  -------------       -------------
>
> Now what I need is to simply classify users in the network segments into
> speed classes (gold/silver/bronze) and cap their traffic at fixed levels
You probably should put your users into different segments for different
speed classes. That would be wise if it could be done.
If not, try to make your users in the high class get static IP addresses. Even
DHCP could be set static for the range of IP addresses (exception).
> inbound and outbound. My idea was to simply add one class and one filter
> per used ip which should be no problem, however I have no idea how to
> get rid of this class and filter once the user vanished or replace it by
> another value when a different user shows up taking the same address.
> The problems are: How do I figure out the tree id from the ip? Or how
> can I reconfigure the limit without knowing the id?
> A different idea would be to add (say) 500 classes for each speed level
> and remember the used/unused ones in the application and serve the next
> free class to a user by creating a filter on logon and removing that
> later on.
> If you now say: Hey, that's pretty easy; please hold on. :) Additionally I
> don't know the addresses in advance because they're either served using
> DHCP or set up in a fixed manner and routed thanks to arpspoofing so
> this doesn't seem to make a good case for hashing. Also I somehow need
> to also take care of the traffic which goes through transparent DNS and
> http proxies.
> Any help and ideas would be greatly appreciated.
Try with iptables mark. Put each packet you decide to manage into the mangle
table with a mark.
I hope it will help.
Regards,
Rio Martin.
--
NOC Itenas-net.
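
Added example, not part of the thread or any poster's code: one way to combine the per-IP class idea from the original question with the iptables mark suggested in the reply above. The class id is derived from the address itself, so it can be recomputed at logoff or when the speed class changes. Interface names, the tier rates, and an existing HTB root 1: with parent class 1:1 are assumptions; the script only prints the commands.

```sh
#!/bin/sh
# Added example (dry run): prints tc/iptables commands instead of running them.
# Assumed: interface names, tier rates, HTB root "1:" with parent class "1:1".
WAN_IF=${WAN_IF:-eth0}   # uplink: caps upload
LAN_IF=${LAN_IF:-eth1}   # one internal segment: caps download

# 10.0.N.H -> hex id ((N+1) << 8) | H, used as both fw mark and class minor,
# so the id is recomputed from the address and never has to be stored.
ip_to_minor() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] && [ "$1" = 10 ] && [ "$2" = 0 ] || return 1
    for o in "$3" "$4"; do
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
    done
    [ "$3" -le 5 ] && [ "$4" -le 255 ] || return 1
    printf '%x\n' $(( (($3 + 1) << 8) | $4 ))
}

tier_rate() {   # constructed rates, chosen to fit under a T1
    case $1 in gold) echo 1mbit ;; silver) echo 512kbit ;; bronze) echo 128kbit ;; *) return 1 ;; esac
}

# Idempotent: "replace" creates the class or changes its rate in place,
# which covers a new user arriving on a previously used address.
set_tier() {
    id=$(ip_to_minor "$1") && rate=$(tier_rate "$2") || return 1
    for dev in "$WAN_IF" "$LAN_IF"; do
        echo "tc class replace dev $dev parent 1:1 classid 1:$id htb rate $rate ceil $rate"
    done
}

user_up() {     # logon: class, fw filter on the mark, then the mark rules
    set_tier "$1" "$2" || return 1
    for dev in "$WAN_IF" "$LAN_IF"; do
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle 0x$id fw classid 1:$id"
    done
    echo "iptables -t mangle -A FORWARD -o $WAN_IF -s $1 -j MARK --set-mark 0x$id"
    echo "iptables -t mangle -A FORWARD -o $LAN_IF -d $1 -j MARK --set-mark 0x$id"
}

user_down() {   # logoff: remove in reverse order, filter before its class
    id=$(ip_to_minor "$1") || return 1
    echo "iptables -t mangle -D FORWARD -o $WAN_IF -s $1 -j MARK --set-mark 0x$id"
    echo "iptables -t mangle -D FORWARD -o $LAN_IF -d $1 -j MARK --set-mark 0x$id"
    for dev in "$WAN_IF" "$LAN_IF"; do
        echo "tc filter del dev $dev parent 1: protocol ip prio 1 handle 0x$id fw"
        echo "tc class del dev $dev classid 1:$id"
    done
}
```

Traffic handled by the transparent proxies on the gateway does not pass through FORWARD and is not covered by these rules.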
* Re: [LARTC] Capping bandwidth based on src/dst ip
From: Eric Leblond @ 2003-11-28 7:54 UTC (permalink / raw)
To: lartc
On Thu 27/11/2003 at 23:59, Daniel Egger wrote:
> Hija,
>
> sorry for sounding a little lost here but that's probably because I am.
> The problems are: How do I figure out the tree id from the ip? Or how
> can I reconfigure the limit without knowing the id?
>
> A different idea would be to add (say) 500 classes for each speed level
> and remember the used/unused ones in the application and serve the next
> free class to a user by creating a filter on logon and removing that
> later on.
Looks like you need to shape traffic against user! The NuFW project is
able to do so. With NuFW and connmark you can add a mark on packets
equal to the userid (even if you've got multiple users on the same
computer). Additionally, you can filter packets by user (marking is a
good side effect).
For more information, see
http://www.nufw.org/administration.html#id2847763
> Any help and ideas would be greatly appreciated.
Hope it may help,
BR,
--
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)