Author Topic: Bandwidth limiting  (Read 3996 times)

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« on: August 27, 2009, 08:40:06 pm »
Code:
        (ADSL Internet xl0)                        
                   |
        +-------OpenBSD-------+
        |                     |
(Igor vr0)                   (Vanja vr1)    

Hi folks, would someone help me write a PF script for a download bandwidth limit? I have 2Mb ADSL (xl0) and want to share it between Igor (vr0) and Vanja (vr1) so that when both are on the internet they split the bandwidth in half, 1Mb each. When Igor goes offline, Vanja gets the whole 2Mb, and vice versa. When they exchange files between themselves on the LAN, the full 100Mb should be used.

Before, we had a switch for those two computers and only needed one queue on the router, so I set it up easily, but now I have no idea what I need to do or how to split the ADSL across two interfaces.

Igor

soxxx

  • Administrator
  • Hero Member
  • *****
  • Posts: 1438
Bandwidth limiting
« Reply #1 on: August 28, 2009, 01:55:31 pm »
It shouldn't be hard to write something, but I really don't have time right now. If nobody replies soon, I'll try it myself. In the meantime, here's a link that will definitely help you:

http://www.openbsd.org/faq/pf/queueing.html

The link contains two examples of using ALTQ.
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« Reply #2 on: August 29, 2009, 12:15:32 pm »
I have that FAQ printed out and tried to use the second example, and the only thing I managed was to create one queue on each of the two networks and give each 1Mb as total bandwidth, without priority or borrowing. :S Please, if you can, help me out, because I really don't know where to even start with this.

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« Reply #3 on: August 30, 2009, 02:59:40 am »
Code:
####################################
# NIC
####################################

# Igor
intIF = "vr0"
# Vanja
intIF2 = "vr1"
# Internet
extIF = "xl0"
# OpenVPN
vpn_if = "tun0"

#####################################
# Public services
#####################################
# ssh, apache
PubServices = "{ 22, 80 }"

# Torrent ports
torrentPort = "57277"
torrentPort2 = "31099"

# ekiga
ekiga_sip = "5060"
ekiga_h323 = "1720"

# ICMP
IcmpTypes = "echoreq"

#########################################
## Local
#########################################

subnet = "192.168.0.0/16"
vpn_network = "10.0.0.0/16"
# Igor - laptop
IgorLaptop   = "192.168.2.2"
VanjaDesktop = "192.168.0.2"

#########################################
# TABLES
#########################################

# Blocked IPs.  The table names in angle brackets were eaten by the
# forum's HTML; <bruteforce> and <blacklisted> are assumed from the
# comments below and from the file name.
table <bruteforce> persist
table <blacklisted> persist file "/etc/blacklisted.conf"

##########################################
## Options
##########################################

# Drop packets silently
set block-policy drop

# Ignore the loopback interface
set skip on lo0

# Normalisation
scrub in all fragment reassemble random-id

#########################################
## ALTQ QUEUES, WORK IN PROGRESS
#########################################

# PLANNED:
# (a) Igor and Vanja each get 1Mb of reserved bandwidth (DONE)
# (b) when the link is not saturated Igor/Vanja can borrow the rest of the bandwidth
# (c) Vanja has higher priority :)
# (d) local throughput stays at 99Mb

#altq on $intIF cbq bandwidth 100Mb queue { lokal_1, adsl_1 }
#queue lokal_1 bandwidth 99Mb cbq(default)
#queue adsl_1 bandwidth 1Mb cbq

#altq on $intIF2 cbq bandwidth 100Mb queue { lokal_2, adsl_2 }
#queue lokal_2 bandwidth 99Mb cbq(default)
#queue adsl_2 bandwidth 1Mb cbq

#########################################
## NAT / Redirection
##########################################

# no NAT between the LANs
no nat on $intIF2 inet proto { tcp, udp } from $intIF:network to $intIF2:network
no nat on $intIF inet proto { tcp, udp } from $intIF2:network to $intIF:network

# enable NAT (a disjoint source-port range per network, so the
# translated port tells you which network a flow came from)
nat on $extIF inet proto { tcp, udp } from $intIF:network to any -> (xl0) port 10000:32255
nat on $extIF inet proto { tcp, udp } from $intIF2:network to any -> (xl0) port 32256:50000
nat on $extIF inet proto { tcp, udp } from $vpn_network to any -> (xl0) port 50001:65535

# Redirect Igor's torrent port to the laptop and Vanja's to the desktop
rdr on $extIF proto { tcp, udp } from any to any port $torrentPort -> $IgorLaptop
rdr on $extIF proto { tcp, udp } from any to any port $torrentPort2 -> $VanjaDesktop

# Redirect SIP, STUN and H.323 to Igor's laptop
rdr on $extIF proto { tcp, udp } from any to any port 5000:5100 -> $IgorLaptop
rdr on $extIF proto { tcp, udp } from any to any port 3478:3479 -> $IgorLaptop
rdr on $extIF proto { tcp, udp } from any to any port $ekiga_h323 -> $IgorLaptop

#########################################
## FILTERS
##########################################

# block and log everything else by default
block log (all, to pflog0) all

# antispoof
antispoof quick for { lo0 vr0 vr1 xl0 }

# Block icmp echoreq
block in on $extIF inet proto icmp all icmp-type $IcmpTypes

# Block and log ssh brute-force attackers
# and drop traffic for hosts in the blacklisted table
# (the table references were lost with the angle brackets; both
# tables are listed here to match the comment above)
block drop out log (all) quick on $extIF from any to { <bruteforce>, <blacklisted> }
block drop in log (all) quick on $extIF from { <bruteforce>, <blacklisted> } to any

# Allow torrent traffic for Igor and Vanja
pass in on $extIF inet proto { tcp, udp } from any to $IgorLaptop port $torrentPort
pass out on $extIF proto { udp, tcp } from $IgorLaptop port $torrentPort
pass in on $extIF inet proto { tcp, udp } from any to $VanjaDesktop port $torrentPort2
pass out on $extIF proto { udp, tcp } from $VanjaDesktop port $torrentPort2

# SIP Igor
pass in on $extIF inet proto { tcp, udp } from any to $IgorLaptop port 5000:5100
pass out on $extIF inet proto { tcp, udp } from $IgorLaptop port 5000:5100
# H.323 Igor
pass in on $extIF inet proto { tcp, udp } from any to $IgorLaptop port $ekiga_h323
pass out on $extIF inet proto { tcp, udp } from $IgorLaptop port $ekiga_h323
# STUN Igor
pass in on $extIF inet proto { tcp, udp } from any to $IgorLaptop port 3478:3479
pass out on $extIF inet proto { tcp, udp } from $IgorLaptop port 3478:3479

# Allow access to http and squid
pass in on $extIF inet proto tcp from any to any port 80
#pass in log (all, to pflog0) on $extIF inet proto tcp from any to any port squid

# Allow limited access to ssh
# (max 50 connections per host and 5 connections per 3 seconds);
# brute-force sources go into the table for further handling.
# ssh is TCP only, so the flags make sense only with proto tcp.
pass quick proto tcp from any to any port 22 \
        flags S/SA keep state \
        (max-src-conn 50, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

# OpenVPN tunnel
pass in on $extIF proto udp from any to port 1194 keep state
pass quick on $vpn_if

# Allow all outgoing traffic
pass out on $extIF proto tcp all modulate state flags S/SA
pass out on $extIF proto { udp, icmp } all keep state
pass out on $extIF proto esp from any to any keep state

# Allow Igor and Vanja unrestricted access to network resources :)
# Igor
pass in on $intIF from $intIF:network to any
pass out on $intIF from any to $intIF:network

# Vanja
pass in on $intIF2 from $intIF2:network to any
pass out on $intIF2 from any to $intIF2:network

Don't hold it against me if I messed something up while copy-pasting; we just got back from the pub. I tried some things today and I think what I planned won't work without a vr0<->vr1 bridge.

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« Reply #4 on: August 30, 2009, 10:50:31 am »
Well, you dragged me into writing a script at 3 AM :) Since you already know this and have read the book :P, at least tell me which interface the queue should be on and how you thought I should group them:

altq on {$IntIF,$IntIF2} cbq bandwidth 2Mb queue { 1, 2, 3, 4, 5 }

is the same as
 
altq on $IntIF
altq on $IntIF2

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« Reply #5 on: August 30, 2009, 12:26:18 pm »
If you don't like the task, feel free to skip it, because I certainly won't solve it with you ;)

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« Reply #6 on: August 30, 2009, 05:22:06 pm »
Well, they didn't make me read this much even at university :)
Try it, @oko, and let me know, but it looks like a shared queue is a pain in PF:
http://osdir.com/ml/os.openbsd.bugs/2005-10/msg00126.html
http://digitalfreaks.org/~lavalamp/Queues.png
http://www.monkey.org/openbsd/archive/misc/0310/msg01375.html
http://www.mail-archive.com/misc@openbsd.org/msg67307.html
I'll probably buy a new switch or make a vr0<->vr1 bridge and put the queue on it, and God help me :D

I apologise to neznalica if I hurt him; I only just came to my senses :P

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« Reply #7 on: August 31, 2009, 01:29:47 am »
@oko stop talking and give me a script for a shared queue to prove me wrong :D

@neznalica exactly ;)

soxxx

  • Administrator
  • Hero Member
  • *****
  • Posts: 1438
Bandwidth limiting
« Reply #8 on: August 31, 2009, 02:00:28 pm »
@all

I'd ask all forum participants not to delete their posts from threads; now I don't even know what I read last night or what the replies refer to.

@Ig0r

Interesting problem. I admit I thought this would be easier, but only now that I've actually read your first post do I see what it's about. You won't be able to use altq on a bridge interface the way you intended. I think the least painful option is to pull out one NIC, buy a cheap switch, connect it to the remaining NIC, and then connect the other two computers to the switch.
Code:
         (ADSL Internet xl0)                        
                   |
                OpenBSD
                   |
                  vr0
                   |
                 switch
                |      |
                |      |
                |      |
           (Igor)      (Vanja)    
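To make the switch topology above concrete, here is an added example pf.conf fragment (not Ig0r's config and not from the OpenBSD FAQ) that meets goals (a), (b) and (c) of Reply #3 with that layout. The key constraint is that an ALTQ queue belongs to exactly one interface (every definition starts with `altq on <interface>`) and shapes packets leaving that interface, so download traffic can only be pooled and borrowed between the two PCs if both are reached through the same router interface; that is what the switch buys. Local traffic (goal (d)) never crosses the router at all. The 192.168.0.0/24 subnet and the two host addresses are assumptions.

```pf
# Added example: download shaping for the switch topology in Reply #8.
# Assumed addressing (not from the thread): one /24 behind vr0.
ext_if  = "xl0"
int_if  = "vr0"
int_net = "192.168.0.0/24"
igor    = "192.168.0.3"
vanja   = "192.168.0.2"

# ALTQ shapes packets LEAVING an interface.  Downloads leave vr0, so
# the download queues live on vr0.  The parent is set just under the
# 2Mb ADSL rate so that this box, and not the ISP's buffer, is the
# bottleneck; otherwise the queues never fill and nothing is shaped.
altq on $int_if cbq bandwidth 1900Kb queue { igor_dl, vanja_dl }
# (a) half the parent guaranteed to each (about 950Kb)
# (b) cbq(borrow): use the parent's spare bandwidth when the other is idle
# (c) priority 3 beats the default priority 1, so Vanja wins under contention
queue igor_dl  bandwidth 50% cbq(borrow)
queue vanja_dl bandwidth 50% priority 3 cbq(borrow default)

set skip on lo0
block log all
antispoof quick for { lo0 $int_if $ext_if }

nat on $ext_if from $int_net to any -> ($ext_if)

# The rule that CREATES the state assigns the queue; that queue is then
# used whenever a packet of the state leaves an interface on which a
# queue of that name exists.  A connection Igor opens enters vr0 here,
# so the replies (his download) leave vr0 through igor_dl, while the
# requests leaving xl0 find no igor_dl there and are not queued.
pass in on $int_if from $igor  to any queue igor_dl
pass in on $int_if from $vanja to any queue vanja_dl

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_net
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, and watch the per-queue counters with `pfctl -vvsq` (or `systat queues`) while one PC downloads alone and then while both do: the idle PC's queue should show no traffic and the busy one should climb toward the parent rate, then fall back to its 50% share once the other starts. The NIC driver must support ALTQ, which vr(4) does.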

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« Reply #9 on: August 31, 2009, 09:27:42 pm »
Quote from: soxxx
You won't be able to use altq on a bridge interface the way you intended.

I managed everything I planned, but my head is swollen from the effort. I'm going out with my girlfriend; when I get back I'll post the script.


And about the deleted posts, really, no comment.

soxxx

  • Administrator
  • Hero Member
  • *****
  • Posts: 1438
Bandwidth limiting
« Reply #10 on: September 03, 2009, 01:11:05 pm »
Let's see the pf.conf and a sketch of the network. Does borrowing work?

Ig0r

  • Newbie
  • *
  • Posts: 9
Bandwidth limiting
« Reply #11 on: September 03, 2009, 03:50:21 pm »
Borrowing works. I have some minor problems on the LAN and with torrents; at first I couldn't even ping across the bridge until I turned off pfil_member.

The pf rules are very strange: instead of pass out, I do pass in on bridge0 for the queue to work, which I discovered by accident with tcpdump. There are a few cases where traffic bypasses the queue.

I'm at work, so I don't have time to draw a sketch. pf has three new rules: pass in on $br_if from $igor and $vanja queue, and pass out on $br_if from any to xxx.xxx.xxx.xxx/16 queue.

The bridge, Vanja and Igor share the same subnet; I tried to replicate the topology we had with the switch. I don't know what else to say; when I get home I'll post the scripts.

For now I'm satisfied, since we can chat and browse without trouble. Torrents are the biggest problem because they bypass the queue and eat the whole bandwidth, to the point that sometimes there isn't even enough left for ssh.
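The torrent symptom in the post above has a likely cause visible in the pf.conf from Reply #3: the queue is attached only to the `pass in` rule for the LAN hosts, but a torrent peer that connects inbound to the redirected port creates its state on the `pass in on $extIF ... to $IgorLaptop port $torrentPort` rule, which carries no queue keyword, so the data that peer pushes leaves the LAN interface in the default queue and is never charged to Igor's queue. The following is an added example (not Ig0r's config) showing the fix for Igor's side. It assumes the switch topology from Reply #8, the address 192.168.0.3 for Igor's laptop, and Igor's torrent port 57277 from Reply #3; the queue definitions are repeated so that the fragment parses on its own.

```pf
# Added example: keep inbound-initiated torrent traffic inside the queue.
# Assumed addressing (not from the thread): one /24 behind vr0.
ext_if       = "xl0"
int_if       = "vr0"
int_net      = "192.168.0.0/24"
igor         = "192.168.0.3"
torrent_port = "57277"

altq on $int_if cbq bandwidth 1900Kb queue { std_dl, igor_dl }
# std_dl catches anything assigned no queue; it is deliberately small,
# so traffic that escapes the host queues is starved rather than free
queue std_dl  bandwidth 10% cbq(default)
queue igor_dl bandwidth 90% cbq(borrow)

set skip on lo0
block log all

nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto { tcp, udp } from any to any port $torrent_port -> $igor

# Flows Igor opens himself: state created here, download leaves vr0 in igor_dl
pass in on $int_if from $igor to any queue igor_dl

# Flows opened by remote peers TOWARDS Igor: state is created by this
# rule, not the one above, so without "queue igor_dl" here the peer's
# data would leave vr0 in std_dl.  UDP is included because DHT and uTP
# peers use the same port.
pass in on $ext_if proto { tcp, udp } from any to $igor port $torrent_port queue igor_dl

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_net
```

To confirm the diagnosis before changing anything, run `pfctl -vvsq` during a torrent session and look at which queue's packet counter is growing; if it is the default queue, the traffic is being created by a rule without a queue assignment, and `pfctl -ss` with the peer's address shows which rule that was. The same `queue` keyword belongs on the matching rule for Vanja's port 31099.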