[TriLUG] bandwidth provisioning using Linux or BSD?

Aaron Joyner aaron at joyner.ws
Fri Jul 18 15:39:14 EDT 2008


scrub in on $ext_if all fragment reassemble

I haven't written up a pf config from scratch in a few years, so I
can't do it off the top of my head.  Have a look here:
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

specifically the examples at the end of the Queuing section, and you
should be able to work it out from there.  It's a remarkably clear and
simple language.  If you get stuck on a particular point, or don't get
time to look at it by tomorrow, I'll see if I can cook up a config
that'll be closer to what you need than the Examples in the man page
(portions of which are pretty close).

Keep in mind the practical caveat that if you don't trust those hosts,
and they are on the same unmanaged L2 switch in the same broadcast
domain, you'll also want to squelch down all traffic to/from other IPs
in that subnet, to prevent them from changing IPs to avoid your
filtering, and you'll want to consider hard coding ARP entries for
them to prevent them from spoofing each other's IPs to steal from the
other person's queue.  The best solution of course is to use a managed
switch and trunk the VLANs to the OpenBSD box so they present on
different interfaces and you can authoritatively control bandwidth to
each port.  Of course, if you go that far, and your throughput rules
remain that simple, most managed L2 switches will allow you to enforce
that type of traffic filtering in the switch itself, if you were so
inclined.

Aaron S. Joyner


On Fri, Jul 18, 2008 at 10:21 AM, Greg Brown <gwbrown1 at gmail.com> wrote:
> Aaron,
>
> Thanks for the info.  For some reason I had it set in my mind that iptables
> was not capable of doing this kind of thing.  Personally I'd prefer to go
> with OpenBSD's pf.  Can you provide a simple config for the following:
>
> Assume: inbound and outbound bandwidth are both 10 meg 10/10
> Gateway Interface: some routeable IP address
> Internal network: 192.168.1.0/24
> Internal Interface: 192.168.1.1 255.255.255.0
> Server A: (connected to a L2 switch) 192.168.1.20
> Server B: (connected to the same L2 switch) 192.168.1.21
>
> I'd like to give both server A and server B 4 megs of bandwidth in and out
> but I'd like them to be able to burst to the full 10 meg if bandwidth above
> 4 meg is unused.
>
> Does that all make sense?
>
> Greg
>
>
> On Fri, Jul 18, 2008 at 10:14 AM, Aaron Joyner <aaron at joyner.ws> wrote:
>
>> You can readily do all this with OpenBSD's pf or Linux's iptables/tc.
>> The former is relatively easy, the latter a good bit more complicated.
>>  Both do the job, but I suspect since you're asking about competitors
>> to a specific product (which I know nothing about), I assume you're
>> expecting an http or at least ncurses style guided interface.  Neither
>> of my suggestions have this, although there are possibly wrappers
>> around them, I'm not familiar with any of them.  If you need
>> suggestions with pf or tc, ask away!
>>
>> Aaron S. Joyner
>>
>>
>> On Fri, Jul 18, 2008 at 8:24 AM, Greg Brown <gwbrown1 at gmail.com> wrote:
>> > Hey all.  I'm in search for a Packeteer-like device that is OSS, or that is
>> > commercial yet runs on a Linux or BSD box (OSS greatly preferred).  Like a
>> > Packeteer I'd like to be able to define slices of available bandwidth to
>> > specific IP addresses (X meg guaranteed to device x.x.x.x with Y burst if
>> > bandwidth is available, etc) - and the complicated thing here is I'd like to
>> > use IPv6 for host addresses.  But the IPv6 thing aside I'd like to know
>> > what the OSS competitors to Packeteer are and if you have used any I'd like
>> > to know what you thought of the product.
>> >
>> > Greg
>> > --
>> > TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>> > TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
>> >
>
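
A pf.conf sketch of the setup discussed in this thread, added here as an example and not taken from any poster's message: two 4Mb classes that can borrow up to the 10Mb link, plus the source-address lockdown for the shared L2 segment. It assumes the ALTQ/CBQ syntax of the pf.conf contemporary with the thread (later OpenBSD releases replaced ALTQ with a different queue syntax); the interface names, the 2Mb "rest" class and the NAT rule are assumptions.

```conf
# Added example. em0/em1, the "rest" class and the nat rule are assumptions.
ext_if = "em0"            # hypothetical uplink, 10Mb in each direction
int_if = "em1"            # hypothetical inside interface, 192.168.1.1/24
srv_a  = "192.168.1.20"
srv_b  = "192.168.1.21"
table <shaped> const { 192.168.1.20, 192.168.1.21 }

# Normalization comes before queueing in this pf.conf generation.
scrub in on $ext_if all fragment reassemble

# One CBQ tree per interface: upload is shaped leaving $ext_if,
# download is shaped leaving $int_if toward the servers.
altq on $ext_if cbq bandwidth 10Mb queue { srv_a, srv_b, rest }
altq on $int_if cbq bandwidth 10Mb queue { srv_a, srv_b, rest }

# No "on <if>" here, so each queue is created on both interfaces.
# 4Mb is the guaranteed share; "borrow" lets a class use idle
# bandwidth from the parent, up to the full 10Mb.
queue srv_a bandwidth 4Mb cbq(borrow)
queue srv_b bandwidth 4Mb cbq(borrow)
queue rest  bandwidth 2Mb cbq(default)

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Shared L2 segment: drop any inside source other than the two known
# addresses, so a host cannot move to an unshaped IP to escape its class.
block in quick on $int_if from ! <shaped> to any

# Classify by address. The queue name is attached to the state, so
# reply packets land in the same-named queue on the other interface.
pass in  on $int_if from $srv_a to any keep state queue srv_a
pass in  on $int_if from $srv_b to any keep state queue srv_b
pass out on $int_if from any to $srv_a keep state queue srv_a
pass out on $int_if from any to $srv_b keep state queue srv_b
pass out on $ext_if keep state

# pf does not filter ARP. To stop one server claiming the other's IP
# (and with it the other's queue), pin the MACs outside pf, e.g.:
#   arp -s 192.168.1.20 <MAC-of-server-A>
#   arp -s 192.168.1.21 <MAC-of-server-B>
# (placeholders; substitute the real hardware addresses)
```

Rules that admit inbound connections to the servers (rdr and the matching pass in on the uplink) are left out; the address-based classification above still applies once they exist.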


