 From:  krt <kkrrtt at gmail dot com>
 To:  alex at nkpanama dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0 scenario
 Date:  Sat, 28 Apr 2007 09:23:28 -0700
It's a bit hard to handle SIP directly, as its data session is 
established using random ports.

IAX is easy to classify as it uses regular ports.

I wouldn't give SMTP so much weight if it's inbound, the spammers use it 
too.

I would give DNS high priority - your high priority traffic depends on 
it too.  It's usually tiny anyways, using UDP request/reply packets.  I 
can't think of a reason to ever make it lower priority, unless you run a 
large public DNS server and need to SSH into it to fix, monitor and 
maintain it.


I'd especially make a last place bucket - p2p traffic, etc. and make 
everything unknown "somewhat" usable - you don't know if unknown traffic 
will be valuable (SSH?  https on a random port to some web shopping 
site?) or not.  If your traffic is being permitted, you might as well 
classify it so that it can be used.   Then again, maybe you want P2P 
traffic up there a notch - who knows?!?


You don't need to think of carving the pipe up statically, in other words:

All backlogged (i.e., with packets queued) queues linked to the same 
pipe share the pipe's bandwidth proportionally to their weights (higher 
weight = higher share of bandwidth). Note that weights are not 
priorities; a queue with a lower weight is still guaranteed to get its 
fraction of the bandwidth even if a queue with a higher weight is 
permanently backlogged.


The rest seems normal - firewalling with multiple interfaces, etc.  I 
don't know if 9 interfaces is a limitation to be concerned with, I've 
had at least 6 in a box with no real issues other than usable system 
bandwidth.


I suggest avoiding 192.168.1.x, but only because almost every device on 
the planet ships with it by default.  It's hard to VPN tunnel when both 
sides have the same IP space.  It's even worse if someone brings in 
their access point from home (i.e. the computer store at lunch) and just 
plugs it in.  It's hard to get to the firewall if you can't reach its 
IP... to see why the firewall isn't working, but you can ping 
192.168.1.1 ...
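As an added illustration of the quoted dummynet rule (this is not code from krt's mail, from Alex's setup, or from m0n0wall itself): a small Python model of how backlogged queues on one pipe split its bandwidth by weight. It goes one step beyond the quoted sentence in that a queue offering less traffic than its share keeps only what it needs and the rest is redistributed to the still-backlogged queues, which is the work-conserving behaviour of a weighted fair scheduler. The queue names, weights and offered loads below are constructed for the example; the 1..100 weight range is dummynet's.

```python
from dataclasses import dataclass


@dataclass
class Queue:
    name: str
    weight: int          # dummynet queue weight, 1..100 (not a priority)
    demand_kbps: float   # offered load; 0 means idle, i.e. not backlogged


def weighted_fair_share(pipe_kbps: float, queues: list[Queue]) -> dict[str, float]:
    """Split pipe_kbps among the queues in proportion to their weights.

    Idle queues get nothing and consume nothing.  A queue whose offered
    load is below its proportional share is capped at its demand, and the
    bandwidth it leaves on the table is re-split among the remaining
    backlogged queues by weight (max-min weighted fairness).
    """
    if any(q.weight < 1 or q.weight > 100 for q in queues):
        raise ValueError("dummynet weights must be in 1..100")

    alloc = {q.name: 0.0 for q in queues}
    pending = [q for q in queues if q.demand_kbps > 0]   # backlogged queues
    remaining = float(pipe_kbps)
    eps = 1e-9

    while pending and remaining > eps:
        total_w = sum(q.weight for q in pending)
        # Provisional proportional split of what is still unallocated.
        capped = [q for q in pending
                  if q.demand_kbps <= remaining * q.weight / total_w + eps]
        if not capped:
            # Everyone left wants more than its share: final proportional split.
            for q in pending:
                alloc[q.name] = remaining * q.weight / total_w
            remaining = 0.0
            break
        # Satisfy the light queues in full and re-split the leftover.
        for q in capped:
            alloc[q.name] = q.demand_kbps
            remaining -= q.demand_kbps
        pending = [q for q in pending if q not in capped]

    return alloc


def share_percent(pipe_kbps: float, queues: list[Queue]) -> dict[str, float]:
    """Same split, expressed as a percentage of the pipe."""
    return {n: 100.0 * kbps / pipe_kbps
            for n, kbps in weighted_fair_share(pipe_kbps, queues).items()}


# Constructed scenario loosely following the buckets discussed in the thread.
EXAMPLE_PIPE_KBPS = 1000.0
EXAMPLE_QUEUES = [
    Queue("voip",  weight=50,  demand_kbps=100),    # light, steady
    Queue("smb",   weight=30,  demand_kbps=2000),   # permanently backlogged
    Queue("smtp",  weight=10,  demand_kbps=2000),   # permanently backlogged
    Queue("dns",   weight=100, demand_kbps=20),     # tiny but important
    Queue("other", weight=1,   demand_kbps=2000),   # last-place bucket
]

if __name__ == "__main__":
    split = weighted_fair_share(EXAMPLE_PIPE_KBPS, EXAMPLE_QUEUES)
    for name, kbps in split.items():
        print(f"{name:6s} {kbps:8.1f} kbit/s")
    # Even with 'smb' and 'smtp' saturating the pipe, 'other' still receives
    # its weight-1 fraction of the leftover rather than being starved.
```

Run as-is to print the split; the light queues (voip, dns) take exactly their offered load, and the three saturated queues share the remaining 880 kbit/s in the ratio 30:10:1. Swapping the weights changes the ratio, never whether a queue gets served, which is the point krt makes about weights not being priorities.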
Alex Neuman van der Hans wrote:
> Dear list,
> 
> Don't see why not, but just in case, let me know if you see any obstacle 
> for something like the following to work:
> 
> The ingredients:
> 
> 1 Internet connection
> 8 different internal physical network segments (let's call them 
> 192.168.1.x through 192.168.168.8.x)
> 1 PC w/m0n0 and 9 NIC ports (in whatever way possible supported by m0n0)
> 
> I want to do traffic shaping between network segments so that:
> 
> * I set apart X amount of bandwidth for VOIP devices (by MAC or IP 
> address, for example)
> * I prioritize SIP/IAX above everything else
> * I give SMB/CIFS (ports 135:139 and 445) priority after VOIP
> * I give SMTP/POP3 priority after SMB
> * I give squid traffic to-from the proxy the next level of priority
> * I give a few other things (DNS, for example) the next-to-last level
> * I give *everything else* last place priority
> 
> On the firewall side, I want to:
> * Block traffic to-from anywhere by default except where allowed
> * Allow traffic between segments on specific ports to specific servers 
> (squid, web, print, etc.)
> * Allow the proxy server to retrieve web pages from the internet
> * Allow the mail server to send/receive mail through the internet 
> connection
> 
> 
> Anything I should watch out for? Again, I *don't see why it shouldn't 
> work*, but I'd love to know about any pitfalls before I embark on this 
> project.
> 
> Regards,
> 
> Alex
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch