LinuxQuestions.org


kitek 03-25-2011 05:11 AM

Bandwidth Monitoring and Limiting
 
I am looking to monitor my bandwidth and to limit what bandwidth a computer can use. I know I can use SNMP on a router to watch it. I have one WAN connection with 16 IPs. Some PCs do not use a router/device with SNMP. They basically connect to the gateway and use the software firewall to control the rest. But there are times during updates and large downloads and things like that, that are affecting the bandwidth across the network. Here is an example. Today, I was using my telephone (VOIP). I was talking with someone and attaching a large PDF to an email; it was sucking all my bandwidth up, which basically took out my upload left over, since I could hear the other party talking but they couldn't hear me. As soon as the upload finished, everything was fine. For this particular example, I would want to reserve 90kbps at all times just for my VOIP since that is what's required to run it. Any ideas? I have a Windows network/domain and Linux boxes connected to public IPs and internal NIC cards to the Windows network.

linuxgurusa 03-25-2011 05:25 AM

Hi there buddy

If I understand correctly, you have a Linux Firewall for your network, that connects to your WAN and to your LAN ( like any firewall .. LOL)

If so, why don't you install SQUID to control your bandwidth ?

You can create delay pools with squid and control the bandwidth limits to prevent your problem.
Let's say you have a 1MB line, then you can configure squid to limit the MAX connection to 768K, leaving 256K for your VOIP traffic etc.

Inside squid, you simply do the following

You define your network (internal)

acl internalnetwork src 10.1.1.0/24

Then define how many delay pools you want

delay_pools 1

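# pool 1 is class 1: a single aggregate bucket shared by all clients
delay_class 1 1
# restore/maximum, counted in bytes (not bits): refill per second / bucket size
delay_parameters 1 32000/40000
delay_access 1 allow internalnetwork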

http_access allow internalnetwork
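
As an added example (not part of the original post and not Squid project code), the shell helpers below convert a link speed in kbit/s into `delay_parameters` values and read the effective cap back out of a config. The function names, the 1000-bit kilobit and the burst default are assumptions; the sample config is the set of directives from the post.

```shell
#!/bin/sh
# Added example: Squid delay-pool arithmetic (helper names are hypothetical).
# delay_parameters takes restore/maximum in BYTES (refill per second / bucket
# size); link speeds are quoted in bits, so a cap is easy to set 8x off.

# kbit_to_delay KBIT [BURST_SECONDS] -> "restore/maximum"
# BURST_SECONDS (assumed default 1): the bucket holds that many seconds of
# the sustained rate, which clients can spend as a burst.
kbit_to_delay() {
    kbit=$1
    burst=${2:-1}
    for n in "$kbit" "$burst"; do
        case "$n" in
            ''|*[!0-9]*) echo "kbit_to_delay: need whole numbers" >&2; return 1 ;;
        esac
    done
    restore=$(( kbit * 1000 / 8 ))      # 1 kbit/s = 1000 bits/s = 125 bytes/s
    echo "$restore/$(( restore * burst ))"
}

# delay_caps < squid.conf -> "pool N KBIT" per delay_parameters line, using
# the first restore/maximum pair (the aggregate bucket); -1 means no limit.
delay_caps() {
    awk '$1 == "delay_parameters" {
        split($3, bucket, "/")
        if (bucket[1] + 0 < 0) print "pool", $2, "unlimited"
        else print "pool", $2, bucket[1] * 8 / 1000
    }'
}

# Constructed sample: the directives quoted in the post.
sample_conf() {
    cat <<'EOF'
acl internalnetwork src 10.1.1.0/24
delay_pools 1
delay_class 1 1
delay_parameters 1 32000/40000
delay_access 1 allow internalnetwork
http_access allow internalnetwork
EOF
}

sample_conf | delay_caps    # the cap the posted values give, in kbit/s
kbit_to_delay 768 2         # values for a 768 kbit/s cap with 2 s of burst
```

Delay pools only meter traffic that passes through Squid, so these numbers cap proxied HTTP fetches and say nothing about other protocols sharing the link.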

kitek 03-25-2011 05:29 AM

Thanks. I was just about to research squid as I was running past it a lot. Currently I really don't have one central firewall, so to speak. Each machine has different firewall settings on their public-facing NICs. It looks as if I want to do this, I would have to have one. That sounds right, doesn't it? Now it's the main router bridged to switches that static their own IPs. So I would have to throttle it somehow at that point, it seems.

linuxgurusa 03-25-2011 05:47 AM

OR what you could do .... but now I am pushing your Linux knowledge ... LOL

Since you have all your PCs with two NICs, one for internal and one for public, you can install a server with two network cards, create a bridge interface between the two NICs on your new server, and install this between your ISP router and the public switch

SO..

#Internet Line# -- #ISP Router# -- #New server with bridge ethernets# -- #Public switch#

Then you can run squid on there and use Iptables to redirect all port 80 traffic to port 3128 (squid).

OR ....

You can remove ethernet cable from all PC's going into public switch, install new Linux firewall, and create virtual interfaces on Linux server and port forward all connections from there to each internal PC, basically making your network run the same as it was, but just safer.

SO ..

#Internet Line# -- #ISP router# -- #New linux server# -- #Internal network#

SO on the new Linux firewall you will have one Public IP on the firewall obviously (eth0) and the other network card with an internal IP obviously (eth1)

So on the public ethernet, you can make virtual interfaces (eth0:0, eth0:1, eth0:2 etc) and with IPTABLES make a rule to forward all traffic from each interface to an internal PC respectively. (I take it there is a good reason why each PC must have its own public IP?)

Then simply do squid on the new linux server and limit as I said ..

Hope it made sense and helped you ?
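
The routed layout from this post, sketched as an added example (not the poster's configuration): a generator that prints `iptables-restore` input mapping each public address on eth0 to one internal host and steering web requests arriving on eth1 to Squid on port 3128. The addresses (documentation ranges), port lists and function names are assumptions; the post forwards all traffic, while this sketch forwards only the listed TCP ports.

```shell
#!/bin/sh
# Added example: nat-table rules for
#   Internet -- ISP router -- Linux firewall (eth0 public, eth1 internal) -- LAN
# Input lines: PUBLIC_IP INTERNAL_IP TCP_PORTS (comma-separated).

# Constructed sample mapping; 203.0.113.0/24 is a documentation range.
sample_map() {
    cat <<'EOF'
203.0.113.10 10.1.1.10 25,110,143
203.0.113.11 10.1.1.11 80,443
EOF
}

# nat_rules < map -> text suitable for iptables-restore
nat_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # Web requests from the LAN are handed to the local Squid; Squid's
    # listening port must be configured for interception.
    echo '-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128'
    while read -r pub int ports; do
        case "$pub" in ''|'#'*) continue ;; esac
        # Inbound: only the published ports reach the internal host.
        echo "-A PREROUTING -i eth0 -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $int"
        # Outbound: the host keeps its own public address.
        echo "-A POSTROUTING -o eth0 -s $int -j SNAT --to-source $pub"
    done
    # Every other LAN host shares the firewall's primary address.
    echo '-A POSTROUTING -o eth0 -j MASQUERADE'
    echo 'COMMIT'
}

sample_map | nat_rules
```

These are only the nat-table rules; the filter table's FORWARD chain still decides which of the translated connections are allowed through.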

kitek 03-25-2011 05:55 AM

Yes, actually it does make sense. I just need to think it through and I may play with different ideas on VM. The reason I have different public-facing IPs is that I have DNS servers, mail server, and host1 for web servers. Sometimes I think I really should build a cluster. I need more experience there I think before I try that one. Since I have VMware 7, I think I will play with squid and get a feel for it. As I am also messing with moving over to postfix and dovecot. Yet another project. I usually use webmin to remote config/manage the servers. But I like your examples. I can leave everything currently intact and make a single Linux server with just squid and webmin on it, and use some VM machines to test it out. Thanks for the suggestions. If you have more ideas or corrections on my reply, please feel free.

linuxgurusa 03-25-2011 07:16 AM

I would be more than willing to help you out with squid buddy, I have A LOT of experience on it, especially mail servers, firewalls, proxy servers, DNS servers and web servers.
When you're ready, ask for advice, I will always help where I can, the more Linux guys I can train, the better I sleep at night knowing one less Microsoft server on the net :)

repo 03-25-2011 07:19 AM

Quote:

Remember to mark my posts as useful ..
really?

Kind regards

linuxgurusa 03-25-2011 07:21 AM

Quote:

Originally Posted by repo (Post 4302851)
really?

Kind regards

Or not ?

repo 03-25-2011 07:23 AM

I don't like the begging for reps.
Quote:

Thanks for the suggestions.
Should be enough

Kind regards

NM04 03-25-2011 07:28 AM

hi kitek,

You asked for suggestions, I have one if you want. Why don't you use pfSense? It is a firewall and can act as a server, easy to install and configure. It also has all the packages you want to monitor your network. It is a FreeBSD. Try it if you like.

Kind Regards.

linuxgurusa 03-25-2011 07:30 AM

Quote:

Originally Posted by repo (Post 4302855)
I don't like the begging for reps.

Should be enough

Kind regards

True, so true, edited my post

kitek 03-25-2011 11:15 AM

Quote:

Originally Posted by NM04 (Post 4302860)
hi kitek,

You asked for suggestions, I have one if you want. Why don't you use pfSense? It is a firewall and can act as a server, easy to install and configure. It also has all the packages you want to monitor your network. It is a FreeBSD. Try it if you like.

Kind Regards.

I will check it out as well. I assume it's just PF ;) ?

szboardstretcher 03-25-2011 11:26 AM

You could use Untangle, pfSense, m0n0wall... Or use any hardware Juniper or Cisco firewall that can do traffic shaping, monitoring (SNMP) and so on.

But those are the three OS answers that I know of.

NM04 03-26-2011 03:58 AM

kitek,

It's not just a PF; I have used it, and it has all the features to be a firewall and a server. You can also check out the options presented by szboardstretcher. The three options are definitely OS (as suggested by szboardstretcher), and if you would like to spend a little more you can buy hardware from Cisco, Juniper, Fortinet. They named the technology UTM, which means "unified threat management".

bodmas79 03-28-2011 05:07 AM

Did you try MikroTik? It's a world-class solution.


All times are GMT -5.