* [LARTC] pptp, vpn & traffic control
From: Don Gould - BVC @ 2003-12-17 22:23 UTC
  To: lartc

INTRO
I want to set up some traffic control and don't know where to start...

I'm happy to do some reading but need some pointers in the right direction to 
get me started...

I'll explain what I'm doing below so you can make your best recommendations 
based on my skill level.

THE PROBLEM
I have set up a poptop pptp vpn server.  I've done this so that clients 
behind firewalls can use netmeeting to talk to each other. 

(ie: Each user connects to the VPN server then connects netmeeting from point 
to point using the private ip that the poptop pptp vpn assigns each client)

Netmeeting will use up as much bandwidth as it can. (As I understand it)

I want to be able to restrict each vpn tunnel to xk (where xk might be 
128kbits or less).

I also want to be able to stop users from using any ports on the vpn tunnel 
other than the ones required by netmeeting and port 80.

ABOUT ME
I'm a newbie to linux who's bitten off 100% more than I can chew but I'm 
getting there slowly... 

I just worked out how to set up poptop with lots of help.

I have read all about compiling kernels but I still haven't got this sused.

I don't mind doing the reading if people just point me to material that's 
relevant.

I've been following this mailing list for a while but I'm fairly lost as to 
what most of it's about - I learn best by just having a go....

so that's what I'm doing :)

Thanks in advance

Cheers DiG

--
Don Gould
The technology exists to give every home 10mbits per second for $10 per month!

http://sourceforge.net/donate/ - Give a little and watch the love grow!

www.skype.com - sorry it's not a linux tool but it's very kewl!  Wish a linux 
guru would make something for nix as good as this!
news@dslprime.com - Best information about DSL technology and trends I've 
found yet.
http://www.linuxforum.com/forums/ - need I say more? :)
http://australianit.news.com.au/ - My fav IT news site.
http://tusker.org/gallery/GouldWedding - We got married... come on you know 
you

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] pptp, vpn & traffic control
From: Martin A. Brown @ 2003-12-18  0:26 UTC
  To: lartc

Don,

 : I want to set up some traffic control and don't know where to start...

I'll copy my own comments from the LARTC FAQ (o-Matic) [0].


[ begin from FAQ ]

  In addition to the lartc.org HOWTO itself, I'd suggest some introductory
  reading....first my own traffic control overview (and some links to other
  documentation):

    http://tldp.org/HOWTO/Traffic-Control-HOWTO/
    http://tldp.org/HOWTO/Traffic-Control-HOWTO/links.html

  An alternative introduction is Leonardo Balliache's pages:

    http://opalsoft.net/qos/DS.htm

  Werner Almesberger's still relevant implementation overview of 1999
  warrants (and rewards) careful study:

    http://www.almesberger.net/cv/papers.html
    http://www.almesberger.net/cv/papers/tcio8.pdf

  Once you have an understanding of the entire traffic control system, the
  easiest way to some practical configurations is with the tcng software:

    http://tcng.sourceforge.net/

  The tcng software reads a structured configuration file, where the "tc"
  command line utility is documented in parts of documents all over the
  'net.

[ end from FAQ ]

I'd suggest my Traffic Control HOWTO and Werner's pages for you until you have
a rough idea of the entire system.  Once you understand the system, head over
to the LARTC site [1] to get some detailed help on what commands to use.
Also never forget that Stef Coene has a large set of pages [2] which detail HTB
and traffic control generally in an excellent fashion.

 : (ie: Each user connects to the VPN server then connects netmeeting from
 : point to point using the private ip that the poptop pptp vpn assigns
 : each client)

Neat idea.

 : Netmeeting will use up as much bandwidth as it can. (As I understand
 : it)

So will a bulk file download.  ;-)

 : I want to be able to restrict each vpn tunnel to xk (where xk might be
 : 128kbits or less).

You'll probably want to use an HTB tree with a child class where
rate=ceil=128kbit for each of your clients...but you'll probably get some
ideas of your own as you familiarize yourself with the tools.

 : I also want to be able to stop users from using any ports on the vpn
 : tunnel other than the ones required by netmeeting and port 80.

Use iptables.  The iptables tutorial [3] will help you here.

 : I have read all about compiling kernels but I still haven't got this
 : sused.

This makes no sense to me.  What means this verb "sused"?  Is that what
happens when an admin leaves, dropping a lousy old crufty SuSe box in your
lap?  ( "I've been Sused!"  ?? )  In seriousness, though, what
distribution and kernel are you using?  It is likely if you have a recent
installation that you have everything you need already (with the possible
exception of an HTB-capable tc).

-Martin

 [0] http://www.docum.org/stef.coene/qos/faq/cache/
     http://www.docum.org/stef.coene/qos/faq/cache/46.html
 [1] http://lartc.org/
     http://lartc.org/howto/
 [2] http://docum.org/
 [3] http://iptables-tutorial.frozentux.net/

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

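Added example for the "Use iptables" pointer above; it is not code from the thread, from poptop or from the LARTC project. It sketches the second requirement, confining tunnel clients to NetMeeting and port 80. The chain name VPN_IN, the client pool VPN_NET and the APPLY dry-run switch are this example's own assumptions. The static NetMeeting ports (TCP 389, 522, 1503, 1720, 1731) are the ones Microsoft documents for H.323/T.120; the catch a practitioner should know is that the audio and video (RTP/RTCP) run over UDP ports negotiated per call above 1023, so a plain port whitelist cannot be tight unless the kernel has an H.323 connection-tracking helper (a stock 2.4 kernel has none; later kernels ship nf_conntrack_h323). The rules below therefore open that UDP range only between tunnel clients and drop everything else.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the thread): prints the iptables
# rules that confine PPTP clients on ppp0, ppp1, ... to NetMeeting and HTTP.
# Run as-is to see the rules; APPLY=1 executes them instead. Needs a kernel
# with ip_tables and the "state" match (ip_conntrack), both modules on RH9.

# Assumption: the client pool. Don's 192.168.1.200-250 fits inside this /26.
VPN_NET=${VPN_NET:-192.168.1.192/26}

# Static NetMeeting ports as documented by Microsoft:
#   TCP 389  ILS directory      TCP 522  ULS (older directory)
#   TCP 1503 T.120 data/chat    TCP 1720 H.323 call setup
#   TCP 1731 audio call control
# Audio/video (RTP/RTCP) use UDP ports negotiated per call above 1023.
NM_TCP_PORTS="389 522 1503 1720 1731"

# ipt: print the command, or execute it when APPLY=1
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# vpn_rules NET: build chain VPN_IN and hook it from INPUT and FORWARD for
# every ppp interface ("ppp+" is the iptables wildcard), so nothing has to be
# added per connection in ip-up for the filtering side.
vpn_rules() {
    net=$1
    ipt -N VPN_IN 2>/dev/null || true          # chain already exists on a re-run
    ipt -F VPN_IN
    # Replies (and helper-tracked flows) of conversations already allowed.
    ipt -A VPN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New TCP connections only to port 80 and the NetMeeting signalling ports.
    for p in 80 $NM_TCP_PORTS; do
        ipt -A VPN_IN -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Caveat: without an H.323 conntrack helper the media ports cannot be
    # predicted, so open the dynamic UDP range, but only between tunnel clients.
    ipt -A VPN_IN -p udp -s "$net" -d "$net" --dport 1024:65535 -j ACCEPT
    # Everything else arriving from a tunnel (other TCP ports, UDP to the LAN,
    # ICMP, including pings to the server itself) dies here.
    ipt -A VPN_IN -j DROP
    ipt -I FORWARD -i ppp+ -j VPN_IN
    ipt -I INPUT   -i ppp+ -j VPN_IN
}

vpn_rules "$VPN_NET"
```

Run it once to read the rules, then `APPLY=1 sh vpn_rules.sh` to load them. Because the hooks match `ppp+`, the filtering is installed once at boot and applies to every tunnel that comes up; only the shaping (an HTB tree lives on a specific pppN) needs per-connection glue in ip-up.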

* Re: [LARTC] pptp, vpn & traffic control
From: Don Gould - BVC @ 2003-12-18  2:20 UTC
  To: lartc

Thanks for the help so far...

>  : (ie: Each user connects to the VPN server then connects netmeeting from
>  : point to point using the private ip that the poptop pptp vpn assigns
>  : each client)
> 
> Neat idea.

Thanks.  It works quite well with VPN off a NT4 machine but I wanted to do it 
all on a nix machine :)

Talk about making things hard though...  getting RRAS working on NT took an hour.
 
>  : I want to be able to restrict each vpn tunnel to xk (where xk might be
>  : 128kbits or less).
> 
> You'll probably want to use an HTB tree with a child class where
> rate=ceil=128kbit for each of your clients...but you'll probably get 
> some ideas of your own as you familiarize yourself with the tools.

Before I got your message I spent a couple of hours reading chapter 9 of the 
how to at lartc.org.

The HTB option makes sense in concept to me...  

Can you provide some example syntax for me given the following...

Lan Testing...
I have set up poptop with a local IP of 192.168.1.6 and remote IP of 
192.168.1.200-250

I have 2 windows machines (XP Home & Win2k server) connecting as clients.

They come up as ppp0:192.168.1.200 and ppp1:192.168.1.201 when I check using 
ifconfig.

The machines are all connected to a 10Mbit hub

I would like to slow the connections to 56kbits

Internet Testing...

On Monday Telecom NZ will deliver the second of 2 128k ADSL connections.

I will then put the two WIN machines on Inet1 and the linux box on Inet2.

I would like to slow the connections to 56kbits - this should mean that Inet1 
and 2 both have 112kbits running across them.

Does this all make sense?

As I understand it the HTB works by limiting the 'outgoing' data and not the 
incoming data and the limits will be placed on the ppp sessions and not the 
eth0.

How do I make the limiting start when the ppp session comes up?

>  : I also want to be able to stop users from using any ports on the vpn
>  : tunnel other than the ones required by netmeeting and port 80.
> 
> Use iptables.  The iptables tutorial [3] will help you here.

I suspected you were going to say as much...  iptables is next on my learning 
curve!

 
>  : I have read all about compiling kernels but I still haven't got this
>  : sused.
> 
> This makes no sense to me.  What means this verb "sused"?  

I might not have spelt it right.  Like the English use the word 'sorted' as 
in "I don't have the problem sorted out."  In other words, "I understand the 
theory of compiling a kernel but I haven't done it in practice".  :)  Sorry 
for using slang on an international forum :)


> Is that what
> happens when an admin leaves, dropping a lousy old crufty SuSe box 
> in your lap?  ( "I've been Sused!"  ?? ) 

heheheh :)  

> In seriousness, though, what distribution and kernel are you using?  It is
> likely if you have a recent installation that you have everything you need
> already (with the possible exception of an HTB-capable tc).

I'm using Rethat 9 with kernel 2.4.20-8.

Thanks again for your assistance.

Cheers DiG
 

* Re: [LARTC] pptp, vpn & traffic control
From: Martin A. Brown @ 2003-12-18 23:21 UTC
  To: lartc

Hello Doug,

 : Before I got your message I spent a couple of hours reading chapter 9
 : of the how to at lartc.org. The HTB option makes sense in concept to
 : me...

Right....good...LARTC doc is quite good, though occasionally dense.

 : Can you provide some example syntax for me given the following...

I'll refrain until you have a more fully-formed scenario.  Since you are
new to Linux traffic control, let me suggest that you consider using tcng
(I'm a big fan--it's much more human-legible than raw tc syntax).  See my
tcng and HTB HOWTO [0].

  [ snip ]

 : As I understand it the HTB works by limited the 'outgoing' data and not
 : the incomming data and the limits will be placed on the ppp sessions
 : and not the eth0.

Premise:  You can only shape what you transmit [1]. (Yes, exceptions to
this rule exist.)

 : How do I make the limiting start when the ppp session comes up?

Good question.....this will probably require some glue code.  Shell, perl,
whatever you like.  Others may have better suggestions.  In short, the
traffic control structures inside the kernel are static--they can be
manipulated (added/removed), although my impression (and my own usage)
relies on creating a static traffic control configuration.  Regardless, if
you can hook into an "ip-up" or "if-up" script on your PPTP server, then
you can write raw tc commands which create the traffic control structures
(and iptables, hint...hint) for each connection.

 : I'm using Rethat 9 with kernel 2.4.20-8.

Retchhat?  (I never stop with the teasing, do I?)  If you choose to use
tcng, you may end up needing dsmark.  That's easy with RedHat boxen in the
post 2.4.20 world.  "modprobe dsmark" works very well.  Almost everything
you'll need is built as a module for your use.

You will, however need a custom "tc".  I have a now-outdated SRPM you can
use as a template for rebuilding against the recently issued iproute
errata package [2], or you can use the binary provided by Martin Devera
(author of HTB) [3].

-Martin

  [0] http://tldp.org/HOWTO/Traffic-Control-tcng-HTB-HOWTO/
  [1] http://tldp.org/HOWTO/Traffic-Control-HOWTO/rules.html
  [2] http://linux-ip.net/traffic-control/iproute-2.4.7-7.src.rpm *
  [3] http://luxik.cdi.cz/~devik/qos/htb/
      http://luxik.cdi.cz/~devik/qos/htb/v3/htb3.6-020525.tgz

  * You can use this as an example, but please understand that it is
    grossly out of date.  If you don't know how to build SRPMS, just skip
    it and grab Martin Devera's "tc".


* Re: [LARTC] pptp, vpn & traffic control
From: Don Gould - BVC @ 2003-12-19  0:40 UTC
  To: lartc

On Thu, 18 Dec 2003 17:21:46 -0600 (CST), Martin A. Brown wrote
> Hello Doug,

Hi MartiUG :)


>  : Can you provide some example syntax for me given the following...
> 
> I'll refrain until you have a more fully-formed scenario.  

bugger... having done lots of reading yesterday the one thing I learnt about 
htb is that I'm going to need some help! :)


> Since you 
> are new to Linux traffic control, let me suggest that you consider 
> using tcng
> (I'm a big fan--it's much more human-legible than raw tc syntax).  
> See my tcng and HTB HOWTO [0].

Hummm....  let's stick to one system at a time?  

Having read all about HTB yesterday I do actually understand most of it I 
think...

Just not sure how I'm going to bind the bits to ppp yet...

> 
>  : How do I make the limiting start when the ppp session comes up?
> 
> Good question.....this will probably require some glue code.  Shell, 
> perl, whatever you like.  Others may have better suggestions.  In 
> short, the traffic control structures inside the kernel are static-
> -they can be manipulated (added/removed), although my impression 
> (and my own usage) relies on creating a static traffic control 
> configuration.  Regardless, if you can hook into an "ip-up" or "if-
> up" script on your PPTP server, then you can write raw tc commands 
> which create the traffic control structures
> (and iptables, hint...hint) for each connection.

I spent some time this morning looking at ip-up.local and its parameters.

I can see I can get the pppX, local and remote ip numbers.

My current thinking is that I just add a line to the script to 'add'/bind the 
new ip when the connection goes live, then add a line to ip-down.local to 
remove the rule when the link goes down.

So how about this...?...

# In ip-up.local (pppd passes: $1=interface $2=tty $3=speed $4=local-IP $5=remote-IP)
IFACE=$1; REMOTE=$5
tc qdisc add dev $IFACE root handle 1: htb default 10
tc class add dev $IFACE parent 1: classid 1:10 htb rate 56kbit ceil 56kbit
tc filter add dev $IFACE parent 1: protocol ip prio 1 u32 \
  match ip dst $REMOTE flowid 1:10

How do I remove all this when the ppp connection goes off line?  


Cheers DiG

--
Don Gould
http://marc.theaimsgroup.com/?l=poptop-server&r=1&w=2 - For all your poptop 
needs.
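Added example, not code from the thread or from poptop: the ip-up.local / ip-down.local glue Martin describes two messages up, carried through to the cleanup Don asks about at the end. pppd's argument order ($1 interface, $4 local IP, $5 remote IP) is real; the function names shape_up/shape_down, the APPLY dry-run switch and the 56 kbit default are this example's assumptions. It also shows the one exception to "you can only shape what you transmit": egress on pppN is what the client downloads, and what the client uploads to the server can only be policed with the ingress qdisc.

```shell
#!/bin/sh
# Hypothetical /etc/ppp/ip-up.local and ip-down.local glue (added example, not
# from the thread). pppd runs the hooks with the arguments
#   $1=interface  $2=tty  $3=speed  $4=local-IP  $5=remote-IP  $6=ipparam
# so one file serves both hooks if it is installed under both names.
# Assumptions: an HTB-capable tc is installed; every pppN carries exactly one
# client; the per-tunnel limit is LIMIT_KBIT (56, Don's LAN test value).

LIMIT_KBIT=${LIMIT_KBIT:-56}

# run: print the command, or execute it when APPLY=1 (lets the hook be dry-run)
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# shape_up IFACE REMOTE_IP KBIT
# Egress on pppN is traffic *to* that client, so this caps what the client
# downloads. Client-to-client traffic crosses the server (pppA in, pppB out),
# so capping egress on every tunnel bounds both halves of a NetMeeting call.
shape_up() {
    iface=$1 remote=$2 kbit=$3
    run tc qdisc del dev "$iface" root 2>/dev/null || true    # idempotent re-run
    # One HTB class is enough: the link has a single peer, so everything falls
    # into the default class and no u32 filter is needed on egress.
    run tc qdisc add dev "$iface" root handle 1: htb default 10
    run tc class add dev "$iface" parent 1: classid 1:10 htb rate "${kbit}kbit" ceil "${kbit}kbit"
    # What the client *sends* cannot be shaped here (you only shape what you
    # transmit); the ingress qdisc can only police it, i.e. drop the excess.
    run tc qdisc add dev "$iface" handle ffff: ingress
    run tc filter add dev "$iface" parent ffff: protocol ip prio 1 u32 \
        match ip src "$remote" police rate "${kbit}kbit" burst 10k drop flowid :1
}

# shape_down IFACE: the kernel frees a qdisc together with its interface, so
# this is belt-and-braces; it matters only if the hook fires on a live link.
shape_down() {
    run tc qdisc del dev "$1" root 2>/dev/null || true
    run tc qdisc del dev "$1" ingress 2>/dev/null || true
}

case "$0" in
    *ip-up*)   shape_up "$1" "$5" "$LIMIT_KBIT" ;;
    *ip-down*) shape_down "$1" ;;
esac
```

Called as `sh ip-up.local ppp0 /dev/pts/0 0 192.168.1.6 192.168.1.200` it prints the five tc commands for that tunnel; set APPLY=1 inside the file once the output looks right. The u32 filter from the earlier sketch is unnecessary because `default 10` already sends all egress into the limited class; on the 2.4.20-8 box the remaining prerequisite is Martin's point about an HTB-aware tc binary.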
