Soekris transparent qos/altq firewall bridge


Image: Soekris firewall (originally uploaded by btmspox)

The QoS firewall is up. I don’t have a copy of my scripts right now. When I was testing it, somehow, and I don’t know how, pf got turned off. It’s turned on by default on startup using flashdist’s rc script. This took me a while to figure out when it wasn’t working. I still haven’t found any documentation about using altq/pf with a transparent bridge. Half the documentation out there on the net is about altq before it was merged with pf. I’ll try to post my configs later, as I think they’ll help. I swear that I read somewhere that you can only use altq when filtering in on a transparent bridge, but it appears to work either way for me. I don’t think random early detection / RED is working correctly, as the firebox’s bandwidth monitor still shows very spiky traffic. Maybe this isn’t avoidable. I have no idea if using ToS bits or explicit congestion notification / ECN will make any difference with the upstream to iron this out, or if I can justify the time spent on company time.

I configured the third port on the 4801 as a monitor port by adding it to the bridge as a span (“brconfig bridge0 addspan sis2”; in my rc file this is all one line: “brconfig bridge0 add sis0 add sis1 addspan sis2”). The manual says it can’t be a bridge member and a span at the same time. I couldn’t get it to be either. This sucks, as it seems like it doesn’t bridge when it’s a span, so your monitoring station will need to have another link if you expect it to perform DNS resolution and stuff.

I also can’t find the modern equivalent of altqstat. I have no idea how to monitor the queues. I tried searching, but this is difficult because, as I noted earlier, there are lots of old docs. I tried asking in #pf on freenode and nobody said a thing all day. I’ve been using etherape on the monitoring station, but at the moment trying to add other protocols to the protocol analyzer window doesn’t do anything and I haven’t discovered why.
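With altq merged into pf, the per-queue counters that altqstat used to show are printed by `pfctl -vvs queue` (packets, drops and queue length per queue). As an added example, not the author’s scripts, here is a small Python parser over a constructed sample of that output that reads those counters and gives a rough verdict on whether RED is engaging on each leaf queue; the queue names and all counter values are made up.

```python
import re

# Constructed sample of `pfctl -vvs queue` output (OpenBSD cbq layout; values made up).
SAMPLE = """\
queue root_sis0 bandwidth 10Mb priority 0 cbq( wrr root ) {std, voip, bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std bandwidth 5Mb cbq( default red )
  [ pkts:      48211  bytes:   39104220  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:     12  suspends:      0 ]
queue  voip bandwidth 1Mb priority 7 cbq( borrow )
  [ pkts:       9307  bytes:    1861400  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  bulk bandwidth 4Mb cbq( red )
  [ pkts:     120330  bytes:  171002000  dropped pkts:   1530 bytes: 2186400 ]
  [ qlength:  41/ 50  borrows:      0  suspends:      3 ]
"""

NAME_RE = re.compile(r'^queue\s+(\S+)')
OPTS_RE = re.compile(r'cbq\(([^)]*)\)')
STATS_RE = re.compile(r'pkts:\s*(\d+)\s+bytes:\s*\d+\s+dropped pkts:\s*(\d+)')
QLEN_RE = re.compile(r'qlength:\s*(\d+)/\s*(\d+)')

def parse_queues(text):
    """Map queue name -> {'opts', 'pkts', 'dropped', 'qlen', 'qlim'}."""
    queues, cur = {}, {}
    for line in text.splitlines():
        if (m := NAME_RE.match(line)):          # "queue NAME ... cbq( opts )"
            o = OPTS_RE.search(line)
            cur = queues.setdefault(m.group(1), {'opts': o.group(1).split() if o else []})
        elif (m := STATS_RE.search(line)):      # "[ pkts: N bytes: N dropped pkts: N ... ]"
            cur['pkts'], cur['dropped'] = map(int, m.groups())
        elif (m := QLEN_RE.search(line)):       # "[ qlength: used/limit ... ]"
            cur['qlen'], cur['qlim'] = map(int, m.groups())
    return queues

def red_check(queues):
    """Rough verdict per leaf queue: RED should drop a few packets *before* the
    queue fills, so drops well below qlimit are early drops, while a RED queue
    sitting near qlimit with no drops is not engaging (plain tail drop)."""
    verdicts = {}
    leaves = {n: q for n, q in queues.items() if 'root' not in q['opts']}
    for name, q in leaves.items():
        fill = q['qlen'] / q['qlim'] if q['qlim'] else 0.0
        if 'red' not in q['opts']:
            verdicts[name] = 'no RED: tail drop only'
        elif q['dropped'] == 0:
            verdicts[name] = 'RED idle' if fill < 0.5 else 'RED not engaging'
        else:
            verdicts[name] = 'RED dropping early' if fill < 0.95 else 'RED saturated'
    return verdicts
```

Feed it the real output with `parse_queues(subprocess.check_output(['pfctl', '-vvs', 'queue'], text=True))` and sample it over time; a RED queue whose drops stay at zero while the bandwidth graph stays spiky is the symptom worth chasing.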

But it’s working. I had to pull VoIP traffic out of the VPN for now, and remember that RTP is all over the place, but I got it into a queue. I need to really research pf some more. As much as I’ve played with it, I don’t really really get it, and I think it is about time I did.

Eric, Joel and I met at FreedomHEC this morning and saw some more presentations. I’ve never been to an “unconference” before, so it was very laid back, but interesting. I’m sure it will be more busy and popular next year, as this was the first. Unfortunately the wireless internet only worked outside of the room we were in, on the 76th floor (or 75th floor mezzanine or something), and my Ubuntu installation lacked any sort of development tools, so I had to keep leaving to get them installed. It’s STILL not working right, and I’m a little frustrated with it. And my Netgear Atheros card is giving me “ath_attach: unable to attach hardware: ‘Hardware self-test failed’ (HAL status 14)” errors, which makes me think I broke it switching back and forth between it and the Orinoco card playing around. That sucks. I need it for a client test on Wednesday. I’ll probably have to go buy another and I get the feeling the boss doesn’t like these expenses. Which is weird. Since we run Exchange and shit. But we’re Microsoft gold certified partners and all that, so it’s probably really free in the end.

Someone came up to me at FreedomHEC and asked what I did. I told them I was a trainer at a vocational type school and they said, “like Strategy?”. I was dumbfounded. Advertising works?

I’m test posting this through flickr. I’m sure this is a mistake. But here goes.

4 thoughts on “Soekris transparent qos/altq firewall bridge”

  1. l0k1

    From what I understand, you have to use ndis wrappers to make the Netgears do anything real. I know that it’s necessary (from experimentation) to at least run WPA shit. We just got a WRT54GL recently, and Pac wanted to run WPA. Orinoco is mostly scratching its head at it, and I’m having the same kind of spottiness with my Netgear card (it used to lock my Windows install up). Firmware is “hacked” on it now, as it were (firmware is: v4.71.1, Hyperwrt 2.1b1 + Thibor15c [May 12 2006]) but it seems to be more stable than the one we used to have.

    Anyways, I almost assume you’re already using ndis?

  2. btm

    I was using the MadWifi drivers. It’s an easy package with Ubuntu, I think I might not even have had to install it.

    But I definitely borked the Netgear. I get all kinds of HAL errors when I try to use it now, randomly.

    I’m using the MadWifi drivers now too, with my new Mini-PCI card. But yeah, WRT54Gs still suck. Mine’s running dd-wrt, and neither my Atheros nor Orinoco can see it at the moment. But I can see this super fast Linksys AP with default settings.

  3. l0k1

    As I recall (haven’t fucked with it yet, laptop is today’s project, Twinview was yesterday’s), MadWifi installed the Atheros drivers, yes? That should work fine.

    Also, from what I understand you need to install the Beta +1 network manager in order to get the card to really work, apparently the one in Ubuntu Dapper Beta isn’t the newest. I can find the package if you like.

  4. btm

    root@tp600x:/usr/src/linux# ls /lib/modules/2.6.15-23-386/madwifi
    ath_pci.ko wlan_acl.ko wlan.ko wlan_wep.ko
    ath_rate_sample.ko wlan_ccmp.ko wlan_tkip.ko wlan_xauth.ko

    If that comes out okay… MadWifi contains my Atheros driver, yes. Like I mentioned elsewhere, I installed Dapper from a -current ISO and I’ve kept up to date since. But I haven’t had to use network manager for anything; it’s just that configuring wpa_supplicant by hand takes some testing in the config files. I’m posting from a WPA-PSK TKIP AP at the moment, using the Atheros based CM9 Mini-PCI card using wpa_supplicant.
