Communication from the WAN via DNAT into the LAN freezing

Petr Podrabsky petrpo at gmail.com
Tue Dec 2 23:17:34 CET 2008


Hello everyone,

I need some advice on whether any of you have dealt with something similar. There is a Linux server
connected to the Internet over DSL (2048kbit/512kbit) from Bluetone. On the
internal network there is a server application with accounting software. The application is accessed
by two people via Remote Desktop: one from the internal LAN, the other from the Internet from
the O2 network (DNAT).
Outbound traffic (512kbit) is shaped with htb.init as follows:
--------------------------
eth4:
DEFAULT=999
--------------------------
eth4-2.root:
RATE=400Kbit
--------------------------
eth4-2:10.ssh.dns:
CEIL=350Kbit
RATE=64Kbit
BURST=10K
LEAF=sfq
PRIO=2
RULE=*:22,
RULE=,*:22
RULE=*:23,
RULE=*:53,
--------------------------
eth4-2:20.pop.imap:
CEIL=350Kbit
RATE=16Kbit
BURST=2K
LEAF=sfq
PRIO=4
RULE=*:110,
RULE=,*:110
RULE=*:143,
RULE=,*:143
RULE=*:993,
RULE=,*:993
RULE=*:995,
RULE=,*:995
--------------------------
eth4-2:25.rdesktop:
CEIL=350Kbit
RATE=212Kbit
BURST=8K
LEAF=sfq
PRIO=3
RULE=*:3389,
RULE=,*:3389
--------------------------
eth4-2:30.smtp:
CEIL=350Kbit
RATE=16Kbit
BURST=2K
LEAF=sfq
PRIO=7
RULE=*:25,
RULE=,*:25
--------------------------
eth4-2:35.ssh-8822:
CEIL=350Kbit
RATE=32Kbit
BURST=10K
LEAF=sfq
PRIO=5
RULE=*:8822,
RULE=,*:8822
--------------------------
eth4-2:40.nagi:
CEIL=256Kbit
RATE=16Kbit
BURST=2K
LEAF=sfq
PRIO=4
RULE=*:5900,
RULE=,*:5900
--------------------------
eth4-2:50.ftp:
CEIL=350Kbit
RATE=32Kbit
BURST=3K
LEAF=sfq
PRIO=5
RULE=*:20,
RULE=,*:20
RULE=*:21,
RULE=,*:21
--------------------------
eth4-2:80.www:
CEIL=350Kbit
RATE=8Kbit
BURST=4K
LEAF=sfq
PRIO=4
RULE=*:80,
RULE=,*:80
RULE=*:443,
RULE=,*:443
--------------------------
eth4-2:90.p2p:
CEIL=50Kbit
RATE=1Kbit
BURST=2K
LEAF=sfq
PRIO=10
RULE=*:1024:65535,
--------------------------
eth4-2:999.default:
CEIL=350Kbit
RATE=1Kbit
BURST=2K
LEAF=sfq
PRIO=9
--------------------------

The problem shows up like this: a person at another location works over
Remote Desktop. When they stop doing anything on the remote desktop for a while, it happens
that the Remote Desktop communication freezes. The only thing that helps is closing
the remote desktop session and logging in to the remote desktop again with username and
password.

Two options came to mind for improving the communication from the Internet to the server:
1) increase the outbound speed
2) set up a VPN connection into the company for the remote client (I assume
that the VPN connection will hold up better)
3) perhaps 1) and 2) can be combined

Thanks for any further suggestions and ideas.

------------------------------
Petr Podrabsky
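The htb.init classes above are matched against packet headers as they leave eth4, i.e. after NAT has been applied. The following Python script is an added example, not code from the original post or from htb.init: it parses htb.init's `RULE=` syntax for the classes quoted above and reports which class a given flow would land in. It assumes, as htb.init does by default, that all RULE filters share a single filter priority, so the first matching class in class-number order wins. The IP addresses and the alternative external port 33890 are constructed values. The check it demonstrates is that the return traffic of the DNATed remote-desktop session only reaches the 25.rdesktop class if its source port on eth4 is still 3389; a DNAT that maps some other external port sends the same session through to 90.p2p, which has a 50Kbit ceiling.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed subset of the eth4-2 class files from the post:
# (class file name, CEIL, list of RULE= values), in class-number order.
# RATE, BURST, LEAF and PRIO play no part in filter matching and are left out.
CLASSES = [
    ("eth4-2:10.ssh.dns",  "350Kbit", ["*:22,", ",*:22", "*:23,", "*:53,"]),
    ("eth4-2:20.pop.imap", "350Kbit", ["*:110,", ",*:110", "*:143,", ",*:143",
                                       "*:993,", ",*:993", "*:995,", ",*:995"]),
    ("eth4-2:25.rdesktop", "350Kbit", ["*:3389,", ",*:3389"]),
    ("eth4-2:30.smtp",     "350Kbit", ["*:25,", ",*:25"]),
    ("eth4-2:35.ssh-8822", "350Kbit", ["*:8822,", ",*:8822"]),
    ("eth4-2:40.nagi",     "256Kbit", ["*:5900,", ",*:5900"]),
    ("eth4-2:50.ftp",      "350Kbit", ["*:20,", ",*:20", "*:21,", ",*:21"]),
    ("eth4-2:80.www",      "350Kbit", ["*:80,", ",*:80", "*:443,", ",*:443"]),
    ("eth4-2:90.p2p",      "50Kbit",  ["*:1024:65535,"]),
    ("eth4-2:999.default", "350Kbit", []),
]
DEFAULT_CLASS = "eth4-2:999.default"   # DEFAULT=999 in the eth4 file

Endpoint = Tuple[Optional[ipaddress.IPv4Network], Optional[Tuple[int, int]]]


def parse_endpoint(spec: str) -> Endpoint:
    """Parse one side of a RULE: [addr[/prefix]][:port[:eport]].
    '*' or an empty address means any address; a missing port means any port."""
    spec = spec.strip()
    if not spec:
        return None, None
    parts = spec.split(":")
    addr = parts[0]
    net = None if addr in ("", "*") else ipaddress.ip_network(addr, strict=False)
    ports = None
    if len(parts) == 2:
        ports = (int(parts[1]), int(parts[1]))
    elif len(parts) == 3:
        ports = (int(parts[1]), int(parts[2]))
    return net, ports


def parse_rule(rule: str) -> Tuple[Endpoint, Endpoint]:
    """Split 'src,dst' into parsed endpoints. A trailing comma makes the rule
    source-only; a rule without a comma is destination-only (htb.init syntax)."""
    if "," in rule:
        src_spec, _, dst_spec = rule.partition(",")
    else:
        src_spec, dst_spec = "", rule
    return parse_endpoint(src_spec), parse_endpoint(dst_spec)


def endpoint_matches(endpoint: Endpoint, ip: str, port: int) -> bool:
    net, ports = endpoint
    if net is not None and ipaddress.ip_address(ip) not in net:
        return False
    if ports is not None and not (ports[0] <= port <= ports[1]):
        return False
    return True


def classify(src_ip: str, sport: int, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (class name, CEIL) of the first class whose RULE matches the packet
    as it leaves eth4, i.e. with post-NAT addresses and ports. Assumes all RULE
    filters share one tc filter priority, so class-number order decides."""
    for name, ceil, rules in CLASSES:
        for rule in rules:
            src_ep, dst_ep = parse_rule(rule)
            if endpoint_matches(src_ep, src_ip, sport) and endpoint_matches(dst_ep, dst_ip, dport):
                return name, ceil
    ceil = next(c for n, c, _ in CLASSES if n == DEFAULT_CLASS)
    return DEFAULT_CLASS, ceil


if __name__ == "__main__":
    # Constructed addresses: the DSL public IP and the remote O2 client.
    public_ip, client_ip = "203.0.113.10", "198.51.100.7"
    # Server-to-client RDP reply with the DNAT on external port 3389.
    print("DNAT on 3389 :", classify(public_ip, 3389, client_ip, 52000))
    # The same reply if the DNAT mapped a different external port (constructed: 33890).
    print("DNAT on 33890:", classify(public_ip, 33890, client_ip, 52000))
    # Ordinary outbound web request from the LAN: matched by 80.www before 90.p2p.
    print("web request  :", classify(public_ip, 40000, client_ip, 80))
```

Running the script shows that an RDP reply whose source port is still 3389 is shaped in the 350Kbit rdesktop class, whereas the same reply leaving on a high external port matches only `RULE=*:1024:65535,` and is capped at 50Kbit with PRIO 10, which would explain stalls well before the 512kbit uplink is full. On the live router the same fact can be confirmed with `tc -s class show dev eth4` by watching which class's byte counters grow while the remote session is in use.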



More information about the Linux mailing list