unix:gateway [2010/05/16 20:32] robm +DNS caching / redirecting of WAN domains |
unix:gateway [2013/10/13 12:32] robm [IP Forwarding and NAT] |
Line 21: | Line 21: | ||
node [shape=record] | node [shape=record] | ||
modem [label=" | modem [label=" | ||
- | gateway [label=" | + | gateway [label=" |
switch [label=" | switch [label=" | ||
} | } | ||
Line 31: | Line 31: | ||
modem: | modem: | ||
lan -> switch | lan -> switch | ||
- | switch -> gateway:lan:w | + | switch -> gateway:eth0:w |
- | gateway: | + | |
} | } | ||
Line 40: | Line 39: | ||
^ Device ^ Notes ^ | ^ Device ^ Notes ^ | ||
| modem | ADSL modem with 1x phone line socket and 1x ethernet socket. Tends to get clogged for some reason (high latency, but connection stays up) | | | modem | ADSL modem with 1x phone line socket and 1x ethernet socket. Tends to get clogged for some reason (high latency, but connection stays up) | | ||
- | | gateway | Fast desktop PC with two network | + | | gateway | Linux host with *one* network |
| LAN | 4 or so PCs, Wii, Xbox, couple of Nintendo DS consoles, etc | | | LAN | 4 or so PCs, Wii, Xbox, couple of Nintendo DS consoles, etc | | ||
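Review bot: the new gateway row should spell out what the single interface implies: the modem (192.168.1.1), the gateway and every LAN device share one segment, so nothing forces traffic through the gateway. The shaping and DNS handling described later apply only to clients that take the DHCP-supplied router and DNS of 192.168.1.2; a host configured by hand with 192.168.1.1 bypasses both. A sentence in the Notes column, or a pointer to the "1 NIC problem" section, would make that visible where the design is introduced.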
Line 63: | Line 62: | ||
subgraph cluster_gateway_pc | subgraph cluster_gateway_pc | ||
{ | { | ||
- | gateway_pc [shape=record, | + | gateway_pc [shape=record, |
label=" | label=" | ||
} | } | ||
Line 73: | Line 72: | ||
{ | { | ||
edge [arrowhead=none] | edge [arrowhead=none] | ||
- | internet -> gateway_modem: | + | internet -> gateway_modem: |
- | gateway_modem: | + | gateway_modem: |
- | gateway_pc:lan -> lan [label=" | + | gateway_pc:eth0 -> lan [label=" |
- | gateway_modem: | + | gateway_modem: |
} | } | ||
Line 86: | Line 85: | ||
- PC broadcasts via DHCP for an IP address | - PC broadcasts via DHCP for an IP address | ||
- Modem (LAN, 192.168.1.1) responds with an IP address + static settings | - Modem (LAN, 192.168.1.1) responds with an IP address + static settings | ||
- | * Gateway IP = Gateway (eth1, 192.168.1.2) | + | * Gateway IP = Gateway (eth0, 192.168.1.2) |
- | * Primary DNS = Gateway (eth1, 192.168.1.2) | + | * Primary DNS = Gateway (eth0, 192.168.1.2) |
* Secondary DNS = Modem (LAN, 192.168.1.1) | * Secondary DNS = Modem (LAN, 192.168.1.1) | ||
- User of PC starts to browse example.com | - User of PC starts to browse example.com | ||
- PC queries Gateway (eth1) for IP of example.com (1.2.3.4) | - PC queries Gateway (eth1) for IP of example.com (1.2.3.4) | ||
* If Gateway' | * If Gateway' | ||
- | - PC connects to example.com (1.2.3.4) via Gateway (eth1, 192.168.1.2) | + | - PC connects to example.com (1.2.3.4) via Gateway (eth0, 192.168.1.2) |
- Gateway applies traffic shaping | - Gateway applies traffic shaping | ||
- | - Gateway | + | - Gateway forwards the shaped traffic to Modem (LAN) |
- Modem (WAN) forwards connection to ISP | - Modem (WAN) forwards connection to ISP | ||
- ISP do their thing | - ISP do their thing | ||
- ISP sends response to Modem (WAN) | - ISP sends response to Modem (WAN) | ||
- | - Modem (LAN) forwards response to Gateway | + | - Modem (LAN) forwards response to Gateway |
- | - Gateway | + | - Gateway applies traffic shaping and forwards response to PC |
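Review bot: the step "PC queries Gateway (eth1) for IP of example.com" still names eth1 while the neighbouring steps in this hunk were changed to eth0; it should read "Gateway (eth0, 192.168.1.2)" like the others, otherwise the flow implies a second interface that the device table no longer lists.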
===== Configuration ===== | ===== Configuration ===== | ||
Line 164: | Line 163: | ||
Kernel IP routing table | Kernel IP routing table | ||
Destination | Destination | ||
- | 192.168.1.1 | + | 192.168.1.0 |
- | 192.168.1.0 | + | |
0.0.0.0 | 0.0.0.0 | ||
</ | </ | ||
Important features: | Important features: | ||
- | | + | * All LAN traffic goes via '' |
- | | + | |
* The rest (internet traffic) should be forwarded through 192.168.1.1 (Modem LAN) | * The rest (internet traffic) should be forwarded through 192.168.1.1 (Modem LAN) | ||
Line 181: | Line 178: | ||
</ | </ | ||
- | {{:unix: | + | Configuration files to edit: |
+ | |||
+ | ''/ | ||
+ | < | ||
+ | option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; | ||
+ | |||
+ | send host-name "< | ||
+ | send dhcp-requested-address 192.168.1.2; | ||
+ | supersede domain-name "local robmeerman.co.uk"; | ||
+ | supersede routers 192.168.1.1; | ||
+ | prepend domain-name-servers 127.0.0.1; | ||
+ | |||
+ | request subnet-mask, | ||
+ | domain-name, | ||
+ | netbios-name-servers, | ||
+ | rfc3442-classless-static-routes, | ||
+ | </ | ||
- | {{: | ||
==== IP Forwarding and NAT ==== | ==== IP Forwarding and NAT ==== | ||
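Review bot: the dhclient.conf block asks the modem for a particular lease with `send dhcp-requested-address 192.168.1.2;`, but a DHCP server is free to hand out a different address, and 192.168.1.2 is exactly what every client is told to use as router and primary DNS. A static address on the gateway (or a reservation for its MAC address in the modem) would make that dependency explicit; at minimum the text should say what breaks when the lease differs. Note also that `prepend domain-name-servers 127.0.0.1;` keeps the modem's servers in resolv.conf as fallbacks, so the gateway's own lookups can still go to the modem whenever the local resolver is down; say whether that is intended.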
Line 191: | Line 203: | ||
<code sh> | <code sh> | ||
- | # Unnessary? | ||
- | #iptables –flush | ||
- | #iptables –table nat –flush | ||
- | #iptables –delete-chain | ||
- | #iptables –table nat –delete-chain | ||
- | # | ||
- | ##Setup IP forwarding and masquerating.. | ||
- | #iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE | ||
- | #iptables –append FORWARD –in-interface eth0 -j ACCEPT | ||
- | |||
echo 1 > / | echo 1 > / | ||
</ | </ | ||
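Review bot: dropping the MASQUERADE and FORWARD rules means the gateway now forwards client packets to the modem with the client's own source address. Since modem, gateway and clients sit on one subnet (device table above, and the ICMP redirect section), the modem will deliver replies straight to the client, so the steps "Modem (LAN) forwards response to Gateway" and "Gateway applies traffic shaping and forwards response to PC" only hold if something else steers return traffic through 192.168.1.2; the prose here should say what that is, or the masquerading should stay. Separately, `echo 1 > /proc/sys/...` lasts until reboot; the sysctl file used for the redirect settings later in the page is the place to persist ip_forward as well.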
Line 212: | Line 214: | ||
</ | </ | ||
+ | === Disabling ICMP Host Redirection === | ||
+ | |||
+ | As you probably noticed from the physical topology diagram, there is only one network interface on the gateway PC, and so you may find that the gateway PC informs all of its clients that they can talk to the modem directly: | ||
+ | |||
+ | < | ||
+ | PING google.com (173.194.37.104) 56(84) bytes of data. | ||
+ | From skuld.local (192.168.1.2): | ||
+ | 64 bytes from lhr14s02-in-f104.1e100.net (173.194.37.104): | ||
+ | </ | ||
+ | |||
+ | This can be disabled on-the-fly via: | ||
+ | |||
+ | < | ||
+ | echo 0 | sudo tee / | ||
+ | echo 0 | sudo tee / | ||
+ | </ | ||
+ | |||
+ | **Update 2013-10:** This guide used to update ''/ | ||
+ | |||
+ | Or permanently by adding the following to ''/ | ||
+ | |||
+ | < | ||
+ | net/ | ||
+ | net/ | ||
+ | net/ | ||
+ | net/ | ||
+ | </ | ||
+ | |||
+ | See http:// | ||
==== DNS Service ==== | ==== DNS Service ==== | ||
< | < | ||
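Review bot: the two `echo 0 | sudo tee ...` lines only stop the gateway from sending redirects; a client that already accepted one keeps sending to 192.168.1.1 directly until that entry ages out, and on this shared segment a redirect can come from any host, so the guide should also cover the client side (set net.ipv4.conf.all.accept_redirects to 0 on the PCs) and include a check: re-run the ping from a client and confirm that no "From skuld.local (192.168.1.2)" line appears.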
Line 224: | Line 255: | ||
</ | </ | ||
* '' | * '' | ||
- | - Alias '' | + | - Alias '' |
* '' | * '' | ||
* < | * < | ||
Line 259: | Line 290: | ||
sudo wondershaper eth0 $((3712*1000)) $((448*1000)) | sudo wondershaper eth0 $((3712*1000)) $((448*1000)) | ||
</ | </ | ||
+ | |||
+ | I used to use Ubuntu' | ||
+ | |||
+ | <code sh> | ||
+ | #!/bin/sh | ||
+ | |||
+ | # Adapted from http:// | ||
+ | |||
+ | DOWNLINK=$2 | ||
+ | UPLINK=$3 | ||
+ | DEV=$1 | ||
+ | |||
+ | if [ " | ||
+ | then | ||
+ | echo " | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | # Display status when DOWNLINK/ | ||
+ | if [ " | ||
+ | then | ||
+ | tc -s qdisc ls dev $DEV | ||
+ | tc -s class ls dev $DEV | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | # Clear both IN and OUT | ||
+ | tc qdisc del dev $DEV root 2> /dev/null > /dev/null || true | ||
+ | tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null || true | ||
+ | |||
+ | if [ " | ||
+ | then | ||
+ | echo " | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | ############################################################################### | ||
+ | # UPLINK | ||
+ | |||
+ | # Set root Queuing Discipline (qdisc) to Class Based Queuing (cbq) | ||
+ | tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 1000mbit | ||
+ | |||
+ | # Traffic is either headed to the gateway (i.e. internet traffic) or not. | ||
+ | # Internet uplink is scarse, so aggresively shape it. LAN uplink is plentiful, | ||
+ | # do not restrict it. | ||
+ | |||
+ | # ============================================================================= | ||
+ | # INTERNET GATEWAY: Shape to $UPLINK speed, this prevents huge queues in the | ||
+ | # DSL modem that cause massive latency | ||
+ | tc class add dev $DEV parent 1: classid 1:1 cbq rate ${UPLINK}kbit \ | ||
+ | allot 1500 prio 5 bounded isolated | ||
+ | |||
+ | # High priority internet traffic | ||
+ | tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit \ | ||
+ | allot 1600 prio 1 avpkt 1000 | ||
+ | # .. and its actual queue that holds the packets | ||
+ | tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10 | ||
+ | |||
+ | |||
+ | # Default priority internet traffic, bulk transfers. | ||
+ | tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $((9*$UPLINK/ | ||
+ | allot 1600 prio 2 avpkt 1000 | ||
+ | # .. and its actual queue that holds the packets | ||
+ | tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10 | ||
+ | |||
+ | # Low priority traffic. | ||
+ | tc class add dev $DEV parent 1:1 classid 1:30 cbq rate $((8*$UPLINK/ | ||
+ | allot 1600 prio 2 avpkt 1000 | ||
+ | # .. and its actual queue that holds the packets | ||
+ | tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10 | ||
+ | |||
+ | # ============================================================================= | ||
+ | # LAN | ||
+ | tc class add dev $DEV parent 1: classid 1:40 cbq rate 1000mbit \ | ||
+ | allot 1500 prio 5 borrow sharing | ||
+ | tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10 | ||
+ | |||
+ | # ============================================================================= | ||
+ | # Filters | ||
+ | |||
+ | # LAN traffic ----------------------------------------------------------------- | ||
+ | tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 \ | ||
+ | match ip dst 192.168.0.0/ | ||
+ | tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 \ | ||
+ | match ip dst 10.0.0.0/8 flowid 1:40 | ||
+ | tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 \ | ||
+ | match ip dst 172.16.0.0/ | ||
+ | |||
+ | # Internet traffic ------------------------------------------------------------ | ||
+ | |||
+ | # TOS Minimum Delay (ssh, NOT scp) in 1:10: | ||
+ | tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \ | ||
+ | match ip tos 0x10 0xff flowid 1:10 | ||
+ | |||
+ | # ICMP (ip protocol 1) in the interactive class 1:10 so we | ||
+ | # can do measurements & impress our friends: | ||
+ | tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 \ | ||
+ | match ip protocol 1 0xff flowid 1:10 | ||
+ | |||
+ | # pablo.iranzo@uv.es provided a patch for the MLDonkey system | ||
+ | # The MLDonkey uses small UDP packets for source propogation | ||
+ | # which floods the wondershaper out. | ||
+ | tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \ | ||
+ | match ip protocol 17 0xff \ | ||
+ | match ip sport 4666 0xffff \ | ||
+ | | ||
+ | |||
+ | # prioritize small packets (<64 bytes) | ||
+ | |||
+ | tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \ | ||
+ | match ip protocol 6 0xff \ | ||
+ | match u8 0x05 0x0f at 0 \ | ||
+ | match u16 0x0000 0xffc0 at 2 \ | ||
+ | | ||
+ | |||
+ | |||
+ | #for a in $NOPRIOPORTDST | ||
+ | #do | ||
+ | # tc filter add dev $DEV parent 1: protocol ip prio 14 u32 \ | ||
+ | # match ip dport $a 0xffff flowid 1:30 | ||
+ | #done | ||
+ | # | ||
+ | #for a in $NOPRIOPORTSRC | ||
+ | #do | ||
+ | # tc filter add dev $DEV parent 1: protocol ip prio 15 u32 \ | ||
+ | # match ip sport $a 0xffff flowid 1:30 | ||
+ | #done | ||
+ | # | ||
+ | #for a in $NOPRIOHOSTSRC | ||
+ | #do | ||
+ | # tc filter add dev $DEV parent 1: protocol ip prio 16 u32 \ | ||
+ | # match ip src $a flowid 1:30 | ||
+ | #done | ||
+ | # | ||
+ | #for a in $NOPRIOHOSTDST | ||
+ | #do | ||
+ | # tc filter add dev $DEV parent 1: protocol ip prio 17 u32 \ | ||
+ | # match ip dst $a flowid 1:30 | ||
+ | #done | ||
+ | |||
+ | # Internet traffic catch-all: bulk. | ||
+ | tc filter add dev $DEV parent 1: protocol ip prio 18 u32 \ | ||
+ | match ip dst 0.0.0.0/0 flowid 1:20 | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # DOWNLINK | ||
+ | # | ||
+ | # Limit downloads to slightly less than the maximum achievable speed. This | ||
+ | # prevents a queues building up in the ISP (which is typically a huge FIFO), | ||
+ | # and so reduces round-trip time; effectively reducing latency. | ||
+ | |||
+ | # Ingress policer | ||
+ | # (FYI: The term " | ||
+ | # ingress equivalent) | ||
+ | |||
+ | tc qdisc add dev $DEV handle ffff: ingress | ||
+ | |||
+ | # LAN traffic is exempt from policing | ||
+ | tc filter add dev $DEV parent ffff: protocol ip prio 40 u32 \ | ||
+ | match ip src 192.168.0.0/ | ||
+ | police pass \ | ||
+ | flowid :1 | ||
+ | tc filter add dev $DEV parent ffff: protocol ip prio 40 u32 \ | ||
+ | match ip src 10.0.0.0/8 \ | ||
+ | police pass \ | ||
+ | flowid :1 | ||
+ | tc filter add dev $DEV parent ffff: protocol ip prio 40 u32 \ | ||
+ | match ip src 172.16.0.0/ | ||
+ | police pass \ | ||
+ | flowid :1 | ||
+ | |||
+ | # Internet traffic that arrives too fast should be discarded | ||
+ | tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 \ | ||
+ | match ip src 0.0.0.0/0 \ | ||
+ | police rate ${DOWNLINK}kbit burst 10k drop \ | ||
+ | flowid :1 | ||
+ | </ | ||
+ | |||
+ | ==== Transparent Web Proxy ==== | ||
+ | |||
+ | < | ||
+ | |||
+ | Then edit ''/ | ||
+ | - the '' | ||
+ | - the '' | ||
+ | |||
+ | Restart Squid ('' | ||
+ | |||
+ | < | ||
===== The 1 NIC problem ===== | ===== The 1 NIC problem ===== |
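Review bot: in the DOWNLINK section the three `police pass` filters exempt anything whose source falls in 192.168.0.0/…, 10.0.0.0/8 or 172.16.0.0/… from the `police rate ${DOWNLINK}kbit burst 10k drop` rule, so the download limit relies on the modem never passing packets with a private source address; that is the normal case behind a NAT modem but should be stated, since any such stream would arrive unpoliced. Also, the script runs the two `tc qdisc del dev $DEV ...` lines before anything visible has checked that $UPLINK and $DOWNLINK are numbers, so a typo in an argument clears the existing shaping and then fails part-way through the `tc class add` lines, leaving the interface unshaped; validate the arguments before the delete, or move the delete after the checks.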