* Creating a Hybrid Connection to Balance Traffic
@ 2002-10-26 19:04 Paul Aumer-Ryan
2002-10-26 19:25 ` Oskar Andreasson
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Paul Aumer-Ryan @ 2002-10-26 19:04 UTC (permalink / raw)
To: netfilter
I've got a peculiar situation that I hope you all
would listen to and offer feedback on any possible
implementations.
So I've recently broken down and purchased a DSL
connection for my home computer, and I've just
discovered the joys of p2p file sharing (i.e., being
able to download television shows that my local
stations have stopped carrying, like Enterprise).
Anyway, as you can guess, these video files are rather
large, and other users also grab them from my computer
as well, so my upload speeds are rather high. Since
I've subscribed to DSL service through a local ISP,
and since local ISPs are big on service but not on
resources, I got a call from them recently asking me
to tone down my upload bandwidth usage on the DSL
line. I've pretty much got to listen or I will lose
my service.
My local setup consists of a linux box acting as a
gateway for my home network of (gasp!) one computer
and a laptop. The linux box currently uses ipchains
to perform the necessary IP masquerading for the
connection. Some quick stats:
eth0: external network connection (to ISP)
eth1: internal network
ppp0: modem attached, but not currently used.
So here comes the question: since I've got to reduce
my upload usage, I'd like to try to use the linux box
to do a special form of SNAT routing. I would like
all outgoing data to leave through the attached ppp0
interface (the modem which I can hook up to a dialup
ISP) and all incoming data to come back in through the
eth0 interface (the broadband connection to my local
ISP). Basically, I need to do a form of SNAT routing
that overwrites the source address of packets leaving
on the ppp0 interface with the IP address of the eth0
interface, so when their replies come back they will
come on the faster broadband connection. This way the
upload bandwidth usage on the DSL connection will be
effectively zero, while I will still be able to enjoy
the fast download speeds of the DSL line, satisfying
both me and the ISP.
My issues include the current usage of SNAT routing
(masquerading) since my local network connects to the
internet through the linux box's one IP address, and
how to use ipchains, iptables, or ipnatctl (or others)
to perform this extra set of SNAT routing. Does
anyone have any ideas on how to implement this?
Sorry for the long story, and I thank everyone in
advance for their time. Have a good one,
Paul
__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
* Re: Creating a Hybrid Connection to Balance Traffic
2002-10-26 19:04 Creating a Hybrid Connection to Balance Traffic Paul Aumer-Ryan
@ 2002-10-26 19:25 ` Oskar Andreasson
2002-10-26 23:14 ` Andrew Smith
2002-10-27 4:27 ` Joel Newkirk
2 siblings, 0 replies; 5+ messages in thread
From: Oskar Andreasson @ 2002-10-26 19:25 UTC (permalink / raw)
To: Paul Aumer-Ryan; +Cc: netfilter
Hi Paul,
Your story sounds like you are looking for asymmetric routing, which
should be doable with policy routing. Check out
http://www.policyrouting.org where Matthew Marsh is currently working on
getting his excellent book "Policy Routing using Linux" online.
Note that it isn't fully up on the net yet, so if you need to find out how
it works quickly, you may want to buy the book.
Other resources that may be of interest are http://www.lartc.org,
http://www.netfilter.org and http://www.frozentux.net. The last two sites
contain information on iptables in linux kernel 2.4, which you may want
to upgrade to if you are still running kernel 2.2.
Hope this is of some help.
----
Oskar Andreasson
http://www.frozentux.net
mailto:blueflux@koffein.net
On Sat, 26 Oct 2002, Paul Aumer-Ryan wrote:
* Re: Creating a Hybrid Connection to Balance Traffic
2002-10-26 19:04 Creating a Hybrid Connection to Balance Traffic Paul Aumer-Ryan
2002-10-26 19:25 ` Oskar Andreasson
@ 2002-10-26 23:14 ` Andrew Smith
2002-10-27 1:28 ` Kevin Dwyer
2002-10-27 4:27 ` Joel Newkirk
2 siblings, 1 reply; 5+ messages in thread
From: Andrew Smith @ 2002-10-26 23:14 UTC (permalink / raw)
To: netfilter
Not sure how to MASQUERADE a connection and to specify a
different IP address (which I guess is what you want to do)
but you also need to check that the dialup ISP does not do
egress filtering - coz if they do - it will not work anyway.
Use google to look up egress, but basically it means that they
may only allow the source IP of outgoing packets to match the
IP address they supply you and they drop all other packets.
This is apparently common in the USA.
If they don't do egress then you should be able to do it - but
not sure how :-) I can think of things to try - but no idea if
any are correct - basically using the "-t nat" table,
"-A POSTROUTING" and something like -j SNAT
but that would also require changing the rule every time the
dialup DHCP IP changes and I'm not sure about what happens to
return packets.
--
-Cheers
-Andrew
MS ... if only he hadn't been hang gliding!
* Re: Creating a Hybrid Connection to Balance Traffic
2002-10-26 23:14 ` Andrew Smith
@ 2002-10-27 1:28 ` Kevin Dwyer
0 siblings, 0 replies; 5+ messages in thread
From: Kevin Dwyer @ 2002-10-27 1:28 UTC (permalink / raw)
To: netfilter
On Sun, 27 Oct 2002 10:14:41 +1100 (EST)
Andrew Smith <nfml@k1k2.com> wrote:
> Use google to look up egress, but basically it means that they
> may only allow the source IP of outgoing packets to match the
> IP address they supply you and they drop all other packets.
> This is apparently common in the USA.
But distressingly not common enough.
I know for a fact that Verizon does do this with their DSL which uses
PPPoE (except I was hypothetically testing some theoretical spoofing
ideas ;). I know for a fact dozens of ISPs who do not because it would
load their equipment to excess.
--
/* Kevin Dwyer Allegiance Internet */
/* network security engineer Commerce Center II */
/* email: Kevin.Dwyer@algx.net 7601 Ora Glen Drive */
/* phone: 240-616-2075 Greenbelt, MD 20770 */
/* >++++++++++[<++++++++++>-]<.+++++.----.[-]++++++++++. */
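What the egress filtering Andrew describes looks like on a Linux gateway, together with a check over kernel log lines to see what such a filter is dropping. This is an added example, not from the thread or its posters: the rules drop forwarded packets leaving the uplink whose source lies outside the prefix assigned to the customer side; the interface names, the 203.0.113.0/24 prefix and the log lines are constructed, and DRY_RUN=1 prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example (not from the thread): egress filtering on a Linux gateway.
# Packets forwarded out the uplink must carry a source inside the prefix
# assigned to the customer side; anything else is logged and dropped.
# Assumptions: eth0 as uplink and 203.0.113.0/24 as the prefix are constructed;
# DRY_RUN=1 prints the rules instead of installing them.
UPLINK=eth0
CUSTOMER_NET=203.0.113.0/24

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Rules: a dedicated chain hung off FORWARD for traffic leaving the uplink.
egress_filter() {
    run iptables -N EGRESS
    run iptables -A EGRESS -s "$CUSTOMER_NET" -j RETURN
    run iptables -A EGRESS -m limit --limit 5/min -j LOG --log-prefix "EGRESS-SPOOF "
    run iptables -A EGRESS -j DROP
    run iptables -A FORWARD -o "$UPLINK" -j EGRESS
}

# in_net ADDR NET/LEN succeeds (exit 0) when ADDR lies inside NET/LEN.
# Done entirely in awk so it works on a box without ipcalc.
in_net() {
    awk -v a="$1" -v p="$2" 'BEGIN {
        split(p, np, "/"); split(a, x, "."); split(np[1], y, ".")
        s = 2^(32 - np[2])
        ai = ((x[1]*256+x[2])*256+x[3])*256+x[4]
        ni = ((y[1]*256+y[2])*256+y[3])*256+y[4]
        exit (int(ai/s) == int(ni/s)) ? 0 : 1 }'
}

# Constructed kernel log lines: one spoofed packet, two legitimate ones.
SAMPLE_LOG='Oct 27 01:28:00 gw kernel: EGRESS-SPOOF IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.0.2.1 LEN=60
Oct 27 01:28:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.0.2.1 LEN=60
Oct 27 01:28:02 gw kernel: FWD IN=eth0 OUT=eth1 SRC=192.0.2.1 DST=203.0.113.7 LEN=60'

# Read log lines on stdin; print the SRC of every packet that left the uplink
# with a source outside CUSTOMER_NET (what the EGRESS chain drops).
spoofed_sources() {
    while read -r line; do
        case "$line" in *"OUT=$UPLINK "*) ;; *) continue ;; esac
        src=${line##*SRC=}; src=${src%% *}
        in_net "$src" "$CUSTOMER_NET" || echo "$src"
    done
}
```

Run `echo "$SAMPLE_LOG" | spoofed_sources` to see the check against the constructed lines, or `DRY_RUN=1 egress_filter` to print the rule set.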
* Re: Creating a Hybrid Connection to Balance Traffic
2002-10-26 19:04 Creating a Hybrid Connection to Balance Traffic Paul Aumer-Ryan
2002-10-26 19:25 ` Oskar Andreasson
2002-10-26 23:14 ` Andrew Smith
@ 2002-10-27 4:27 ` Joel Newkirk
2 siblings, 0 replies; 5+ messages in thread
From: Joel Newkirk @ 2002-10-27 4:27 UTC (permalink / raw)
To: Paul Aumer-Ryan, netfilter
On Saturday 26 October 2002 03:04 pm, Paul Aumer-Ryan wrote: (snipped heavily)
> I've got a peculiar situation that I hope you all
~
> discovered the joys of p2p file sharing (i.e., being
~
> to tone down my upload bandwidth usage on the DSL
~
> and a laptop. The linux box currently uses ipchains
Well, that's not iptables, but you can set up with iptables and drop ipchains
use... :^)
> So here comes the question: since I've got to reduce
> my upload usage, I'd like to try to use the linux box
> to do a special form of SNAT routing. I would like
> all outgoing data to leave through the attached ppp0
> interface (the modem which I can hook up to a dialup
> ISP) and all incoming data to come back in through the
> eth0 interface (the broadband connection to my local
> ISP). Basically, I need to do a form of SNAT routing
with IPTables, you would need to determine the IP of the DSL
(probably dynamic, but probably the same throughout a connection) and perform
a basic SNAT using it. MASQ wouldn't work, since it automagically determines
the IP of the connection it's going out on, and you need to make it lie. You
may find the dial-up ISP will not accept packets with an unexpected source
IP, though. I'd recommend testing with tcp port 80 settings first, and see
if your lan can browse the web, and which interface the packets go out/come
in.
Presuming that the P2P is not running on the firewall machine:
in an iptables/ip script you could do something like this:
[disclaimer: I've never constructed an Iproute2 rule before, that part could
very easily be completely wrong... the rest too, but...:^]
# set DSLIP to the IP of the DSL (eth0); match "inet addr:" so an "inet6"
# line does not get picked up as well
DSLIP=$(/sbin/ifconfig eth0 | grep 'inet addr:' | cut -d":" -f 2 | cut -d" " -f 1)
# set TOS (Type-Of-Service) for routing to mincost (appropriate :^)
/sbin/iptables -t mangle -A PREROUTING {matches} -j TOS --set-tos 0x02
# tell Iproute2 to route mincost packets out the dialup (I think);
# the route key is "tos 0x02" with no leading dash, on a default route
/sbin/ip route add default tos 0x02 proto static dev ppp0
# do SNAT in postrouting of any mincost packets leaving ppp0, cross fingers
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -p tcp -m tos --tos 0x02 -j SNAT \
    --to-source $DSLIP
For the prerouting {matches}, minimal would be "-i eth1" to handle only
packets coming in from your lan. (again assumes the p2p node's there) I'd
suggest, if this all works, to be a bit more selective: try passing only p2p
packets by setting a TOS only for packets with specified TCP source or
destination ports, something like:
/sbin/iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 4661:4666 -j TOS \
    --set-tos 0x02
to route outbound data from EDonkey. The ip route add will fail if ppp0 isn't
up, not sure how to handle this. I presume you're not using a PPPoE DSL?
That would probably give you ppp0 for DSL and ppp1 for dialout. (or reverse,
or whatever, but not a hardware interface like eth0)
Now, with all that said, be sure to check if the p2p software itself offers
bandwidth limiting ability. (many do) That's probably the simplest throttle
available.
j
--
"Redefining the role of the United States from enablers to keep the peace to
enablers to keep the peace from peacekeepers is going to be an assignment."
-George W. Bush
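One way to build what Joel describes, as an added example that is not from the thread or from any of its posters: the same split (uploads out ppp0 carrying the eth0 address as source, replies back over the DSL line) done with a firewall mark and a dedicated routing table, which is the policy-routing approach Oskar points to, instead of a TOS route. The interface names and the eDonkey port range come from Joel's message; table 100, mark 2, the constructed sample address line and the DRY_RUN switch are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): send LAN p2p uploads out the dialup
# (ppp0) with the DSL (eth0) address as source, so replies return over DSL.
# A firewall mark plus a dedicated routing table replaces Joel's TOS route.
# Assumptions: table 100 and mark 2 are unused; DRY_RUN=1 prints commands.
LAN_IF=eth1; DSL_IF=eth0; DIAL_IF=ppp0
P2P_PORTS=4661:4666   # eDonkey range from Joel's message
TABLE=100; MARK=2

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Constructed sample of "ip -o -4 addr show dev eth0" output, for testing.
SAMPLE_ADDR='2: eth0    inet 203.0.113.7/24 brd 203.0.113.255 scope global eth0'
# First IPv4 address from such output read on stdin.
parse_ip4() { awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'; }
iface_ip4() { ip -o -4 addr show dev "$1" | parse_ip4; }
# The flags field of "ip link show" contains ",UP," only when the link is up.
link_is_up() { ip -o link show dev "$1" 2>/dev/null | grep -q '[<,]UP[,>]'; }

# Install the rules; refuses without a DSL address, because SNAT with an
# empty --to-source fails and the packets would leave with the ppp0 address.
setup_split_upload() {
    dslip=$1
    [ -n "$dslip" ] || { echo "no IPv4 address on $DSL_IF" >&2; return 1; }
    # 1. mark LAN->p2p packets before the routing decision (mangle PREROUTING)
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$P2P_PORTS" \
        -j MARK --set-mark "$MARK"
    # 2. marked packets consult a table whose only route is a default via the dialup
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route replace default dev "$DIAL_IF" table "$TABLE"
    # 3. rewrite the source to the DSL address, but only on packets leaving ppp0;
    #    conntrack maps the replies arriving on eth0 back to the LAN host
    run iptables -t nat -A POSTROUTING -o "$DIAL_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$dslip"
}

# Usage: DRY_RUN=1 sh split-upload.sh apply   (drop DRY_RUN to install).
# "ip route ... dev ppp0" fails on a down link, the case Joel was unsure about,
# so nothing is installed unless the dialup is actually up.
if [ "${1:-}" = apply ]; then
    link_is_up "$DIAL_IF" || { echo "$DIAL_IF is down, nothing installed" >&2; exit 1; }
    setup_split_upload "$(iface_ip4 "$DSL_IF")"
fi
```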