Routing and bandwidth problem
Ron Goulard
foz at techville.org
Wed May 5 03:18:29 UTC 2004
On Tue, 2004-05-04 at 22:36, Rodolfo J. Paiz wrote:
> Hey...
>
> I have no idea of which FM to R here, so I will happily accept pointers to
> good documentation and HOWTO documents. Any other help is also welcome, as
> I will need to solve this problem very soon. The problem is this:
>
> My small business is one of four tenants in a small building. The other
> three have agreed to allow me to buy one big connection and then resell
> service to them, such that they get a better price and I get to subsidize
> my own Internet service. However, while I *could* set this up quickly
> without any controls, they each want different service levels and amounts
> of bandwidth and will be paying different prices, so I want to do this
> properly.
>
> The firewall/gateway will run Fedora Core 1. I think I need *five* Ethernet
> adapters in the server (eth0 to the ISP, and eth1-eth4 to the four tenants)
> so that each client is properly isolated into their own network and cannot
> access the other clients' computers. If there is a way to do this securely
> and safely without a gaggle of Ethernet cards, please do tell! I can think
> of doing this with 801.2q VLAN tagging, but that requires a managed switch
> which is far more expensive. It seems to me that multiple Ethernet cards
> are the simplest *and* cheapest way to do it.
>
> I know how to provide masquerading, firewall, gateway, DNS, DHCP, NTP, and
> other services. What I don't know how to do is the following:
>
> 1. Required: Limit the total bandwidth a client can use to either
> 128 Kbps or 256 Kbps.
>
> 2. Optional: Allow each client to exceed their limit if no one
> else is using the space. That is, a customer who stays late when all other
> offices are gone for the night, or someone who gets lucky that no one else
> is using the Net at that particular moment, could get access to the entire
> Internet connection (say, 512 Kbps). But if everyone is using the bandwidth
> simultaneously, then each would get their fair share (what they paid for
> and I provide, proportionately).
>
> 3. Optional: Even though traffic *through* the server (client
> connecting to Internet) should be throttled and limited, it would be ideal
> for traffic *to* the server (client connecting to the firewall) to have
> full 100 Mbps link speed. This would allow me to download the FC2 ISO
> images to the server at night, for example, and then let clients grab them
> at 100 Mbps over the internal network instead of having that internal
> download also throttled to 256 Kbps.
>
> 4. Optional: Provide each tenant with an FTP-served directory on
> the server which can *only* be accessed from their network. So if they pull
> down the confidential something or their wife's nude pictures, other
> tenants cannot get at that information.
>
> Can someone offer some hints, pointers, suggestions, or magic beans?
>
> Thanks in advance!
Something that I've found in FC1 is cbq, part of the shapecfg package
(and needs iproute I believe). Basically it uses tc to control
traffic. It may help out with much of this without having to grab/find
other software, allowing you to keep it updated with existing fc1
repositories.
I've begun playing with it myself in my spare time and suggest you read
/sbin/cbq (large, fairly well documented bash script). Can't provide
any help yet though.
Ron
More information about the users
mailing list