Routing and bandwidth problem

Ron Goulard foz at techville.org
Wed May 5 03:18:29 UTC 2004


On Tue, 2004-05-04 at 22:36, Rodolfo J. Paiz wrote:
> Hey...
> 
> I have no idea of which FM to R here, so I will happily accept pointers to 
> good documentation and HOWTO documents. Any other help is also welcome, as 
> I will need to solve this problem very soon. The problem is this:
> 
> My small business is one of four tenants in a small building. The other 
> three have agreed to allow me to buy one big connection and then resell 
> service to them, such that they get a better price and I get to subsidize 
> my own Internet service. However, while I *could* set this up quickly 
> without any controls, they each want different service levels and amounts 
> of bandwidth and will be paying different prices, so I want to do this 
> properly.
> 
> The firewall/gateway will run Fedora Core 1. I think I need *five* Ethernet 
> adapters in the server (eth0 to the ISP, and eth1-eth4 to the four tenants) 
> so that each client is properly isolated into their own network and cannot 
> access the other clients' computers. If there is a way to do this securely 
> and safely without a gaggle of Ethernet cards, please do tell! I can think 
> of doing this with 801.2q VLAN tagging, but that requires a managed switch 
> which is far more expensive. It seems to me that multiple Ethernet cards 
> are the simplest *and* cheapest way to do it.
> 
> I know how to provide masquerading, firewall, gateway, DNS, DHCP, NTP, and 
> other services. What I don't know how to do is the following:
> 
>          1. Required: Limit the total bandwidth a client can use to either 
> 128 Kbps or 256 Kbps.
> 
>          2. Optional: Allow each client to exceed their limit if no one 
> else is using the space. That is, a customer who stays late when all other 
> offices are gone for the night, or someone who gets lucky that no one else 
> is using the Net at that particular moment, could get access to the entire 
> Internet connection (say, 512 Kbps). But if everyone is using the bandwidth 
> simultaneously, then each would get their fair share (what they paid for 
> and I provide, proportionately).
> 
>          3. Optional: Even though traffic *through* the server (client 
> connecting to Internet) should be throttled and limited, it would be ideal 
> for traffic *to* the server (client connecting to the firewall) to have 
> full 100 Mbps link speed. This would allow me to download the FC2 ISO 
> images to the server at night, for example, and then let clients grab them 
> at 100 Mbps over the internal network instead of having that internal 
> download also throttled to 256 Kbps.
> 
>          4. Optional: Provide each tenant with an FTP-served directory on 
> the server which can *only* be accessed from their network. So if they pull 
> down the confidential something or their wife's nude pictures, other 
> tenants cannot get at that information.
> 
> Can someone offer some hints, pointers, suggestions, or magic beans?
> 
> Thanks in advance!

Something that I've found in FC1 is cbq, part of the shapecfg package
(and needs iproute I believe).  Basically it uses tc to control
traffic.  It may help out with much of this without having to grab/find
other software, allowing you to keep it updated with existing fc1
repositories.

I've begun playing with it myself in my spare time and suggest you read
/sbin/cbq (large, fairly well documented bash script).  Can't provide
any help yet though.

Ron
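
An added example, not part of the original thread or of the /sbin/cbq script: a dry-run shell generator for the kind of tc CBQ setup the reply points to, covering requirements 1 and 2 for traffic leaving eth0 (the upload direction only). The 100 Mbit NIC speed, the mark numbers, the class ids and the tenant rates in the sample call are assumptions; the script only prints commands and changes nothing.

```shell
#!/bin/sh
# Dry-run generator: prints iptables and tc commands, executes none of them.
# Constructed sample values: 512 Kbit uplink on eth0, 100 Mbit NIC,
# tenants passed as iface:kbit pairs.

DEV=eth0      # interface facing the ISP (eth0 in the thread)
NIC=100Mbit   # physical speed of eth0; CBQ needs it for its idle-time estimate
CBQ_OPTS="allot 1514 cell 8 maxburst 20 avpkt 1000"

# gen_cbq LINK_KBIT iface:kbit [iface:kbit ...]
gen_cbq() {
    link=$1; shift
    echo "tc qdisc add dev $DEV root handle 1: cbq bandwidth $NIC avpkt 1000 cell 8"
    # Parent class: 'bounded' caps the sum of all tenants at the uplink rate.
    echo "tc class add dev $DEV parent 1: classid 1:1 cbq bandwidth $NIC rate ${link}Kbit weight $((link / 10))Kbit prio 5 $CBQ_OPTS bounded"
    n=0
    for t in "$@"; do
        n=$((n + 1))
        ifc=${t%%:*}; rate=${t##*:}
        # Mark by ingress interface. The mark stays on the packet through
        # MASQUERADE, where the source address no longer identifies the tenant.
        echo "iptables -t mangle -A PREROUTING -i $ifc -j MARK --set-mark $n"
        # No 'bounded' here, so the class may borrow idle capacity from 1:1.
        # Appending 'bounded' would make the rate a hard cap instead.
        echo "tc class add dev $DEV parent 1:1 classid 1:1$n cbq bandwidth $NIC rate ${rate}Kbit weight $((rate / 10))Kbit prio 5 $CBQ_OPTS"
        echo "tc qdisc add dev $DEV parent 1:1$n handle 1$n: sfq perturb 10"
        echo "tc filter add dev $DEV parent 1: protocol ip prio 1 handle $n fw flowid 1:1$n"
    done
}

# Sample call with constructed rates: four tenants at 128 Kbit on a 512 Kbit link.
gen_cbq 512 eth1:128 eth2:128 eth3:128 eth4:128
```

Traffic from a tenant to the firewall itself never leaves through eth0, so these classes do not slow it down.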




