LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Virtual interface Routing (http://www.linuxquestions.org/questions/linux-networking-3/virtual-interface-routing-819716/)

abakhiet 07-14-2010 12:06 AM

Virtual interface Routing
 
Hola,
I need to make some solution for my home network, i have a linux server which is:
Quote:

Linux Centos 5.5
So, what i need to do is to make a virtual interface for my clients which set its bandwidth up to 1Mb/s shared to them, but my real bandwidth is 2Mb/s.
Also, after that, i have two questions:
Quote:

1. How to set this rate limitation to that interface ???
2. How to edit this interface to let it work and route the client data to my ADSL router ???
I'm already generate the virtual interface using webmin managment tool, so i need to set its rate and route data.
Thanks in davance ...

tlowk 07-14-2010 03:22 PM

# first make the virtual interface


vconfig add eth0 200

# assume modem has 192.167.200.1/24

ip a a 192.168.200.2/24 dev eth0.200
ip link set eth0.200 up

ip route del default
ip route add default via 192.168.200.1


# now the bandwith limitation on outgoing only
(so downloadspeed for the connected computer)

tc qdisc add dev eth0.200 handle 1:0 root dsmark indices 1 default_index 0
tc qdisc add dev eth0.200 handle 2:0 parent 1:0 tbf burst 1024 limit 20480 mtu 1514 rate 1024kbps

more info you'll find in LARTC (lartc.org/manpages)

correction: in the tc command you need to substitute the eth0.200 to the device where the other pc is connected not the one of the adsl router

abakhiet 07-14-2010 08:32 PM

cool, thanks my friend ...
I need to ask you about how to route my proxy server via DHCP ???

tlowk 07-15-2010 01:57 AM

I don't really understand your question. you like dhcp to configure your client to use a proxy? What do you like
to have as a result?

abakhiet 07-15-2010 08:18 AM

Quote:

Originally Posted by tlowk (Post 4033602)
I don't really understand your question. you like dhcp to configure your client to use a proxy? What do you like
to have as a result?

Thank you for replay, bit what i meed first is to configure the rate limiting ratio.
My solution is to make some rate limiting to use bandwidth of my network.

abakhiet 07-19-2010 01:03 AM

Thabks for all, but really i need to know what is the bebefits for all of these commands:
Quote:

ip a a 192.168.200.2/24 dev eth0.200
ip link set eth0.200 up
and these two lines:
Quote:

ip route del default
ip route add default via 192.168.200.1
Here is the most important step, it is talk about BW, so i need a clear brief if you can:
Quote:

tc qdisc add dev eth0.200 handle 1:0 root dsmark indices 1 default_index 0
tc qdisc add dev eth0.200 handle 2:0 parent 1:0 tbf burst 1024 limit 20480 mtu 1514 rate 1024kbps
Thanks in advance ...

tlowk 07-19-2010 01:34 AM

the vconfig creates the vlan interface

ip a a (addr add) adds an ip address to that interface
ip link .. enables the interface (so it can be used)

if the adsl router is connected to that vlan is has to be
used in the default route so remove the existing one, and
add the adsl modem as a default gateway

The tc command is explained in the LARTC mentioned above, this
token bucket filter (TBF) is not very advanced and in most cases
you will probably prefer HTB combined with a way to select for
each computer after this one. I can't explain all details here
so I think you'll need to look for details into this LARTC guide.

abakhiet 07-19-2010 06:20 AM

cool, but really i'm very confused about my diagram, where my diagram is:
Virtual Interface: eth0:5
ip address: 10.10.10.1/24
Default GW: 196.xxx.xxx.xxx/30
Also, i need to ask about some GUI that can maanage these options in an ease fashion ???
so, really i'm confused, please help me ...

tlowk 07-19-2010 12:45 PM

Virtual Interface: eth0:5
ip address: 10.10.10.1/24
Default GW: 196.xxx.xxx.xxx/30

the first is easy, this creates eth0.5
# vconfig add eth0 5

The default gateway would be the ipaddress of you adsl router, but here are some options:
1) home / small networks will probably have an external address (in your case in the range 196.xxx.xxx.xxx/30 ??) but maybe they have also on the inside network a private range and they handle the NAT (network address translation)
in this case you need to know this private address maybe it will be in this 10.10.10.0/24 range

2) bigger networks where you adsl router has a public IP and your network also has public IP's in this case 4 but that is a bit optimistic anyway
196.xxx.xxx.xxx/30
-> 32-30 means the last 2 bits are 'for you'

00 -> network
01 -> gateway (probably the adsl router)
10 -> your pc ( the only really usable)
11 -> broadcast of you /30 network

this means
your default route has to be the ip address 196.xxx.xxx.xxx with last 2 bits 01
the ip of your pc the one with the last bits 10

now the question is how is this router connected?
- to your eth0 ?
- to your eth0.5 ?

first case : eth0
# ip addr add 196.x.x.x01/30 dev eth0
# ip link set eth0 up

second case eth0.5
#vconfig add eth0 5
#ip addr add 196.x.x.x01/30 dev eth0.5
#ip link set eth0.5 up



My question is, why do you want to use VLAN's here? does you pc only has one network interface? does it have to integrate into something extisting?

since my rough guess that a network card will cost less than 10USD/EUR whatever and to your ADSL router you don't need the best at all, most cards will offer 100Mbit and that will be far more than the speed your ADSL can handle in the real world I think.

the TC commands you need to use on the other interface the the modem so eth0.5 or eth0. you limit the speed from your server to the client behind it. This will limit the download speed which is probably what you like to achieve.

Tell me if the explanation above is a bit understandable, I don't know about tools for this. I'd put it in some init script and let it start with the server.

abakhiet 07-20-2010 01:00 PM

I'm really sorry, I have some mis-understand to my issue
first, i need to protect my ADSL router by makeing some bridging between eth0 and eth0:5, and my ADSL router is connected to my eth0.
so my DHCP server is working in eth0:5 and give customers this range:
Quote:

IP: 10.10.10.xxx/24
mask: 255.255.255.0
GW: 10.10.10.1
DNS: 8.8.8.8, 8.8.4.4
i can make this issue, but i need to ask about how to make bridging between eth0 and eth0:5 to let my customers surf the web.
About your question that is:
Quote:

why do you want to use VLAN's here?
I need to make isolation and protect my buiseness network, which is VOIP network from being attacked from local network.
Thanks for you, waiting your help :D

tlowk 07-20-2010 02:49 PM

I'm sorry, but when you bridge eth0 and eth0.5 it will be like your 'customers' are connected to eth0. Since you can consider eth0.5 similar to eth5 but with the weird situation that it shares the same cable as eth0. If you bridge between eth0 and eth0.5 it would be like placing a switching hub (= network switch) between eth0 and this assumed eth5 so this will not give
any protection at all to you router.

BUT I think you just formulated in the wrong way.

My guess is that you want a network on eth0.5 with 10.10.10.0/24 that is NATed to your ADSL router.

+ ------------+
+--------------+ 196.x.x.x/30 | +---- 10.10.10.x/24 (eth0.5)
| ADSL router |--------------------+ ROUTING PC |
+--------------+ | +-----10.20.10.x/24
+-------------+

Is this a bit what you have in mind? I can imagine you have 2 networks that are
not supposed to see each other. but until now I only read here above
about the 196.x.x.x/30 public network and the 10.10.10.0/24 private network

What about the third network that I just invented as 10.20.10.x/24 ?


for this to work it is important to enable your kernel as router

# cat /proc/sys/net/ipv4/ip_forward
when this does return a 0 set it to 1
# echo 1 > /proc/sys/net/ipv4/ip_forward

then the next step would be to handle the NAT, with a postrouting rule,
like the one below.

iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE

Does this look to what you are looking for? I could probably refine the
firewall a bit for this. But I think we first need to agree on what the
desired situation is.

abakhiet 07-20-2010 11:13 PM

1 Attachment(s)
Thanks a lot for your efforts, but really i make some attachement for my network and what i need to do protecting my biz. network.
So i think you prefere to install a new NIC to my server, i will do it, but i need to make routing between two networks.
By the time, i'm don't using iptables, it is disabled on my server.
:D Thanks in advance :D

abakhiet 07-25-2010 06:53 AM

hola, to all
i make all of this, but i add some new real NIC, but no client can go for the internet, here is my client config:
Quote:

IP: 10.10.10.0/24
GW: 10.10.10.1/24
DNS: 8.8.8.8, 8.8.4.4
but no one can go for the web, also i have the default gateway my real ip address for my modem ADSL.
Thanks in advance ...

tlowk 07-25-2010 07:07 AM

to allow 'Server' to forward traffic between eth1 and eth0 and vice versa you'll need to make sure there is the 1 in /proc/sys/net/ipv4/ip_forward as I explained before.

Then with a program like wireshark or simply tcpdump you can see probably what is going on when you type on a machine in the customers network 'ping 8.8.8.8'

type on the server first:
tcpdump -i eth1 icmp

when you see the request arriving you know that part is ok (I expect it is like that)

Then you use
tcpdump -i eth0 icmp

here you will see the problem (is see 2 options)
1) maybe you don't see anything ( no 1 in ...ip_forward)
2) the origin of the request is 10.10.10.x (no NAT) and not 192.168.1.x ( same as Server)

Since you want to have NAT you'll need the iptables command to enable it, it also has to be enabled in the kernel but I think centos will have this enabled

when you have this command which you'll need anyway, you can clean the firewall and retry tcpdump if it showed no good results
iptables -t nat -F
iptables -F
iptables -t mangle -F
and check again with tcpdump

abakhiet 07-25-2010 09:53 AM

Really Thanks, but i need to say that all is fine and i need to ask you what happean if my iptables is disabled ??? as i do now ???
so, i will try and tell you the result :D


All times are GMT -5. The time now is 08:19 PM.