Re: Need help with bandwidth management . . .
- From: "JM" <jake@xxxxxxxxx>
- Date: Sun, 11 May 2008 10:42:47 -0500
"Jeff Liebermann" <jeffl@xxxxxxxxxx> wrote in message
news:94v8249955bq0c3nbig28t53u2o87obnul@xxxxxxxxxx
On Thu, 8 May 2008 22:25:56 -0500, "JM" <jake@xxxxxxxxx> wrote:
...that connects to a Linksys WRT54G rev 2 that I
flashed with dd-wrt r23 sp2.
Old version. Please re-flash with DD-WRT v24 RC6.2.
<http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Frelease+candidates%2FDD-WRT+v24+RC6.2%2FBroadcom%2FLinksys%2FWRT54GS_v2/>
I suggest the dd-wrt.v24_generic_nokaid.bin version.
The bandwidth management (QoS) is much better in v24 than in v23:
<http://www.dd-wrt.com/wiki/index.php/Quality_of_Service>
I first used v24 RC5 on a WRT54G v8, but swapped in the v2 with r23 sp2 when
I mistakenly thought the v24 RC5 was not port forwarding. Since my post I
rectified the problem and put the other back in. I'm interested to see what
changes accompany the RC7. Thanks for the suggestion.
The internet pipe is a T1 provided by a local
LEC. We estimate that during the summer the network will need to support
30-50 users.
Ouch. That's possible, but not likely. All it takes is one P2P user,
and they will saturate all your available outgoing bandwidth. At
least the T1 is symmetrical, so it can handle more outgoing traffic than a
DSL line, but it still can be killed by just one user. What you're
really looking for is not bandwidth management. You're looking for
applications control or abuse management. That's not easy.
All the above, actually. I'd like to have a method of capping each
connection, but I'm sure the equipment to accomplish that is not "free or
low cost." I've worked a couple of hours today with the v24 RC5 firmware's
QoS lan port settings, and I cannot get anything consistent. Theoretically,
I should be able to connect each of the 3 APs into one of the router's
switch ports and limit the bandwidth per port (the settings are
256k/512k/1m/10m/100m). However, this does not provide me "per connection"
bandwidth limiting - only "per AP" - and, besides, the lan settings don't
seem to work by the numbers. It does have some effect, but not in any
precise way.
As for applications control, can that be accomplished to any significant
degree by port filtering? Is it realistic that I could sniff the network
over time and identify ports that typically are used for things like music
and video downloads and then block these ports? Are these ports consistent,
or do they differ according to the particular service, vendor, client
software, etc?
These daze, users are accustomed to a minimal DSL line with a
1.5Mbit/sec download limit. That's the same as your entire T1 with
30-50 users. Even if you succeed in balancing the load among these
30-50 users, the average performance will be so low, that you're
certain to have 30-50 complaints. What you probably consider abuse,
is common practice on their home connections. I suggest you consider
either a bigger pipe, faster connection, or multiple connections using
a load balancing router.
I broached the topic of more bandwidth the first day I got involved. The
LEC that provides the T1 can bring in "business class" ADSL circuits for
about $80/month (the T1 costs about $350/month). I think the DSL is 4mb/1mb
or so. I like T1s, from a network admin standpoint, but I'm not sure it's
the best solution in this case. It's an easy sell for the LECs, because
it's a dynamic pipe that carries the voice and data. The LEC provides an
IAD (fancy channel bank) and breaks out two connections - one that
terminates on a RJ-21'ish block for the phone system and a 10/100 port for
the customer router. It's a good product, and I've had good experiences
with it for other customers, especially those with bursty voice traffic.
But this RV park almost never has more than two voice lines going at one
time. It has occurred to me that we could get 3-4 copper lines (at ~35 per)
and ~3 DSL circuits for what they are paying for the T1. See, part of the
thought process for the T1 (they used to have 2 with a different provider)
was to provide the guests with phone lines. However, it just hasn't
materialized. Everyone has cell phones, and almost no one needs a dial up
or fax line. There is a fax in the main office for public use.
There are several strategic considerations that need addressing, and the
first one in my opinion is bandwidth management. Just in the last 2-3 days
we've seen the internet speed drop to a crawl when one or two users start
hogging bandwidth with what appear to be massive downloads.
Yep. Slimbox downloads of videos. IPTV (watch TV on your computah).
You might consider sniffing the traffic to identify the exact type and
source of the traffic.
The status
tools in the APs showed download/upload ratios on these users in the 20/1
range. I've got to find a way to impose QoS on the network.
That's not P2P file sharing. That's probably IPTV or downloading
videos. Any clue as to the approximate number of MBytes or what IP's or
URL's are being used? That should give a clue as to what you're
dealing with.
Or music. I've got a Sonicwall SOHO3 that actually provides very good data
of this type. I can stick that in there and watch for a few days.
But a big issue for the company right now is cost, so I have very little
budget to work with. So, if possible, I need to use whatever free and low
cost solutions I can come up with.
The QoS built into the WRT54G with DD-WRT firmware will prevent
saturation but will not stop the abuse. It's easy enough to throttle
specific connections. However, with 30-50 simultaneous users, no
amount of throttling is going to make everyone happy.
That's what I think, too. FWIW, the 30-50 estimate may be a little high,
but still the point remains if the actual use is 20-30 or similar. That's
potentially way too much for a T1. Something I've given thought to this
weekend is an AUP (acceptable usage policy) that is at least posted in the
office, if not made part of the guest contract. Is it realistic that we
whitelist the open ports? I simply don't know enough about the range of
services "needed" for such a population of users. Can one limit the
available internet traffic to "the basics?" Is there such a thing?
Thank you for any assistance. Please let me know what information I've
left out.
1. Number of active users. I suspect that there may be 30-50
connections, but they are not all active at the same time.
Well, that's an interesting thing. While monitoring the connections it
appears that many of the connections stay alive constantly, but the internet
usage is "on and off." In other words, I see some MAC addresses maintain a
wireless connection over a period of hours, but the behavior of the user
seems to be on-off, on-off, on-off. I guess this is not so different than
most networks, but it seems like these residents keep the internet up all
the time, and periodically use it for something specific. These kinds of
connections are the usual, and they don't seem to be problematic. It's the
users that obviously are downloading content that are the killers.
2. Is there a PC available to do monitoring?
Yes.
3. Is everyone connected via wireless or are there wired connections?
The original plan was for both. Conduit is available for the purpose, but
no further network wiring is to be done. There is coax at every "pad" for
TV. I'm relatively sure management is locked into wireless. I do not think
they will consider other options, as long as a solution to the immediate
challenge is within reach.
Are all the wireless connections authenticated or is it a free for
all?
The latter, which is regrettable, in my opinion. But management claims that
security measures would be confusing to this particular user population, and
they don't want to give any reason for these users to go elsewhere.
If open, are you sure that all your users are your RV park
residents and not the neighbors?
I am not sure. To the contrary, I'm sure that we've basically built a free
WISP. FWIW, this park is relatively isolated, but as we know, it only takes
1-2 abusive users to wreck the whole thing. I'm starting to see some kind
of authentication as a necessity.
Do you have a RADIUS server?
Not at this time, but I could provide one.
5. Are you prepared to bill for excessive bandwidth use?
I'm sure I couldn't get this approved.
Thank you for the discussion.
JM
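
The monitoring approach discussed in this thread (watching per-client volume and download/upload ratio to find the one or two hosts saturating the T1), as an added example that is not part of the original post. The snapshot format, MAC addresses, byte counts and thresholds are constructed assumptions; the code also handles a counter that resets when a client re-associates.

```python
"""Flag clients that dominate a shared link, from two AP counter snapshots."""

T1_BPS = 1_544_000  # T1 line rate in bits per second


def interval_usage(before, after):
    """Per-MAC (down, up) bytes moved between two cumulative snapshots.

    A counter lower than before means the client re-associated and the AP
    reset it, so the new reading is itself the traffic since the reset.
    """
    usage = {}
    for mac, (down, up) in after.items():
        old_down, old_up = before.get(mac, (0, 0))
        d = down - old_down if down >= old_down else down
        u = up - old_up if up >= old_up else up
        usage[mac] = (d, u)
    return usage


def heavy_users(before, after, seconds, link_bps=T1_BPS,
                min_share=0.25, min_ratio=10.0):
    """Return [(mac, share_of_link, down_up_ratio)] for clients over both limits."""
    flagged = []
    for mac, (d, u) in interval_usage(before, after).items():
        share = (d * 8 / seconds) / link_bps   # fraction of the link used
        ratio = d / max(u, 1)                  # avoid dividing by zero upload
        if share >= min_share and ratio >= min_ratio:
            flagged.append((mac, round(share, 2), round(ratio, 1)))
    return sorted(flagged, key=lambda row: row[1], reverse=True)


# Constructed sample: cumulative (download, upload) byte counters per MAC,
# read from the AP status page 600 seconds apart.
SNAP_START = {
    "00:11:22:33:44:01": (5_000_000, 400_000),
    "00:11:22:33:44:02": (900_000_000, 45_000_000),
    "00:11:22:33:44:03": (70_000_000, 3_000_000),
}
SNAP_END = {
    "00:11:22:33:44:01": (6_200_000, 520_000),       # light browsing
    "00:11:22:33:44:02": (960_000_000, 48_000_000),  # sustained download
    "00:11:22:33:44:03": (40_000_000, 2_000_000),    # counter reset on reconnect
}

if __name__ == "__main__":
    for row in heavy_users(SNAP_START, SNAP_END, seconds=600):
        print(row)
```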