Gentoo Archives: gentoo-doc-cvs

From: Sven Vermeulen <swift@××××××××××××.org>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] cvs commit: home-router-howto.xml
Date: Tue, 20 May 2008 18:57:51
Message-Id: E1JyX1t-0004Su-2d@stork.gentoo.org
1 swift 08/05/20 18:57:45
2
3 Modified: home-router-howto.xml
4 Log:
5 Coding style
6
7 Revision Changes Path
8 1.60 xml/htdocs/doc/en/home-router-howto.xml
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/home-router-howto.xml?rev=1.60&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/home-router-howto.xml?rev=1.60&content-type=text/plain
12 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/home-router-howto.xml?r1=1.59&r2=1.60
13
14 Index: home-router-howto.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v
17 retrieving revision 1.59
18 retrieving revision 1.60
19 diff -u -r1.59 -r1.60
20 --- home-router-howto.xml 27 Jul 2007 17:50:59 -0000 1.59
21 +++ home-router-howto.xml 20 May 2008 18:57:45 -0000 1.60
22 @@ -1,16 +1,16 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
25 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.59 2007/07/27 17:50:59 nightmorph Exp $ -->
26 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.60 2008/05/20 18:57:45 swift Exp $ -->
27
28 <guide link="/doc/en/home-router-howto.xml" lang="en">
29 <title>Home Router Guide</title>
30
31 <author title="Author">
32 - <mail link="vapier@g.o">Mike Frysinger</mail>
33 + <mail link="vapier@g.o">Mike Frysinger</mail>
34 </author>
35
36 <abstract>
37 -This document details how to turn an old Gentoo machine into a router
38 +This document details how to turn an old Gentoo machine into a router
39 for connecting your home network to the internet.
40 </abstract>
41
42 @@ -27,8 +27,8 @@
43
44 <p>
45 Building your own router out of old spare parts has many advantages over buying
46 -a pre-made canned router by say Linksys. The biggest one by far is control
47 -over the connection. The other advantages are left up to your imagination;
48 +a pre-made canned router by say Linksys. The biggest one by far is control
49 +over the connection. The other advantages are left up to your imagination;
50 just about anything can be done in this scenario, it's just a matter of needing
51 it.
52 </p>
53 @@ -42,10 +42,10 @@
54 </p>
55
56 <p>
57 -Before getting started, there's a few basic requirements you must meet. First,
58 +Before getting started, there's a few basic requirements you must meet. First,
59 you'll need a computer that has at least 2 Network Interface Cards (NICs) in
60 -it. Next, you'll need the configuration settings for your internet connection
61 -(may include things like IP/DNS/Gateway/username/password). Finally, you'll
62 +it. Next, you'll need the configuration settings for your internet connection
63 +(may include things like IP/DNS/Gateway/username/password). Finally, you'll
64 need a bit of spare time and some Gentoo loving.
65 </p>
66
67 @@ -64,7 +64,7 @@
68 <impo>
69 Due to security precautions, I would highly suggest you shut down any unneeded
70 services on the router until we have a chance to get the firewall up and
71 -rolling. To view the currently running services, just run <c>rc-status</c>.
72 +rolling. To view the currently running services, just run <c>rc-status</c>.
73 </impo>
74
75 </body>
76 @@ -77,91 +77,91 @@
77 <body>
78
79 <p>
80 -Your kernel needs to have the drivers running for both your NICs. To see if
81 -your cards are already setup, just run <c>ifconfig</c>. Your output may differ
82 -slightly from the following, that's fine. What matters is that the interface
83 +Your kernel needs to have the drivers running for both your NICs. To see if
84 +your cards are already setup, just run <c>ifconfig</c>. Your output may differ
85 +slightly from the following, that's fine. What matters is that the interface
86 shows up at all.
87 </p>
88
89 <pre caption="Checking NICs">
90 # <i>ifconfig -a</i>
91 -eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8
92 - BROADCAST MULTICAST MTU:1500 Metric:1
93 - RX packets:0 errors:0 dropped:0 overruns:0 frame:0
94 - TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
95 - collisions:0 txqueuelen:1000
96 - RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
97 - Interrupt:11 Base address:0x9800
98 -
99 -eth1 Link encap:Ethernet HWaddr 00:60:F5:07:07:B9
100 - BROADCAST MULTICAST MTU:1500 Metric:1
101 - RX packets:0 errors:0 dropped:0 overruns:0 frame:0
102 - TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
103 - collisions:0 txqueuelen:1000
104 - RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
105 - Interrupt:10 Base address:0x9400
106 +eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8
107 + BROADCAST MULTICAST MTU:1500 Metric:1
108 + RX packets:0 errors:0 dropped:0 overruns:0 frame:0
109 + TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
110 + collisions:0 txqueuelen:1000
111 + RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
112 + Interrupt:11 Base address:0x9800
113 +
114 +eth1 Link encap:Ethernet HWaddr 00:60:F5:07:07:B9
115 + BROADCAST MULTICAST MTU:1500 Metric:1
116 + RX packets:0 errors:0 dropped:0 overruns:0 frame:0
117 + TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
118 + collisions:0 txqueuelen:1000
119 + RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
120 + Interrupt:10 Base address:0x9400
121 </pre>
122
123 <p>
124 If you do not see your two cards showing up and you're not sure what kind of
125 -cards you have, try running <c>lspci | grep Ethernet</c>. You can get that
126 -from <c>emerge pciutils</c>. Once you have this information, go into your
127 +cards you have, try running <c>lspci | grep Ethernet</c>. You can get that
128 +from <c>emerge pciutils</c>. Once you have this information, go into your
129 kernel and add support for the correct drivers.
130 </p>
131
132 <p>
133 The next thing you'll need is support for iptables and NAT (and packet shaping
134 -if you want). The following list is split up into always required (*),
135 -required only for adsl via PPPoE (a), suggested for everyone (x), and only
136 -for shaper (s) features. It does not matter whether you build the features
137 -into the kernel or as a module so long as when the feature is needed, the
138 -correct module(s) are loaded (module loading is left to the reader as a fun
139 +if you want). The following list is split up into always required (*),
140 +required only for adsl via PPPoE (a), suggested for everyone (x), and only
141 +for shaper (s) features. It does not matter whether you build the features
142 +into the kernel or as a module so long as when the feature is needed, the
143 +correct module(s) are loaded (module loading is left to the reader as a fun
144 exercise however).
145 </p>
146
147 <pre caption="Network Options">
148 -Networking options ---&gt;
149 - [*] TCP/IP networking
150 - [*] IP: advanced router
151 - [*] Network packet filtering (replaces ipchains)
152 +Networking options ---&gt;
153 + [*] TCP/IP networking
154 + [*] IP: advanced router
155 + [*] Network packet filtering (replaces ipchains)
156 <comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
157 - [*] Socket Filtering
158 + [*] Socket Filtering
159
160 - IP: Netfilter Configuration ---&gt;
161 - [*] Connection tracking (required for masq/NAT)
162 - [x] FTP protocol support
163 - [x] IRC protocol support
164 - [*] IP tables support (required for filtering/masq/NAT)
165 - [*] IP range match support
166 - [x] MAC address match support
167 - [*] Multiple port match support
168 - [*] Packet filtering
169 - [*] REJECT target support
170 - [x] REDIRECT target support
171 - [*] Full NAT
172 - [*] MASQUERADE target support
173 - [s] Packet mangling
174 - [s] MARK target support
175 - [x] LOG target support
176 -
177 - QoS and/or fair queueing ---&gt;
178 - [s] QoS and/or fair queueing
179 - [s] HTB packet scheduler
180 - [s] Ingress Qdisc
181 -
182 - [a] PPP (point-to-point protocol) support
183 - [a] PPP filtering
184 - [a] PPP support for async serial ports
185 - [a] PPP support for sync tty ports
186 - [a] PPP Deflate compression
187 - [a] PPP BSD-Compress compression
188 - [a] PPP over Ethernet
189 + IP: Netfilter Configuration ---&gt;
190 + [*] Connection tracking (required for masq/NAT)
191 + [x] FTP protocol support
192 + [x] IRC protocol support
193 + [*] IP tables support (required for filtering/masq/NAT)
194 + [*] IP range match support
195 + [x] MAC address match support
196 + [*] Multiple port match support
197 + [*] Packet filtering
198 + [*] REJECT target support
199 + [x] REDIRECT target support
200 + [*] Full NAT
201 + [*] MASQUERADE target support
202 + [s] Packet mangling
203 + [s] MARK target support
204 + [x] LOG target support
205 +
206 + QoS and/or fair queueing ---&gt;
207 + [s] QoS and/or fair queueing
208 + [s] HTB packet scheduler
209 + [s] Ingress Qdisc
210 +
211 + [a] PPP (point-to-point protocol) support
212 + [a] PPP filtering
213 + [a] PPP support for async serial ports
214 + [a] PPP support for sync tty ports
215 + [a] PPP Deflate compression
216 + [a] PPP BSD-Compress compression
217 + [a] PPP over Ethernet
218 </pre>
219
220 <note>
221 Some things may be slightly different in a 2.4 vs 2.6 kernel, but you should be
222 -able to figure it out :). Even among 2.6 kernels, these options have a
223 -tendency to move around. Good luck!
224 +able to figure it out :). Even among 2.6 kernels, these options have a
225 +tendency to move around. Good luck!
226 </note>
227
228 </body>
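Review bot: the changes in this hunk are whitespace-only (each - line matches its + line apart from leading or trailing blanks), and most of them fall inside <pre caption="Checking NICs"> and <pre caption="Network Options">, where whitespace is rendered verbatim; a tab-to-space or trailing-blank cleanup there is visible in the published page, unlike the same cleanup inside a <p>. Worth checking the rendered output once to confirm the 'IP: Netfilter Configuration', 'QoS and/or fair queueing' and PPP entries still sit indented under 'Networking options', since that indentation is what tells the reader which submenu each option lives in.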
229 @@ -177,10 +177,10 @@
230
231 <p>
232 There are many ways to connect to the internet so I'll just cover the ones I'm
233 -familiar with. That leaves us with ADSL (PPPoE) and cable modems
234 -(static/dynamic). If there are other methods out there, feel free to write up
235 -a little blurb and e-mail me. Feel free to skip any of the following sections
236 -in this chapter that don't apply to you. This chapter is just about getting
237 +familiar with. That leaves us with ADSL (PPPoE) and cable modems
238 +(static/dynamic). If there are other methods out there, feel free to write up
239 +a little blurb and e-mail me. Feel free to skip any of the following sections
240 +in this chapter that don't apply to you. This chapter is just about getting
241 the router connected to the internet via eth1.
242 </p>
243
244 @@ -191,17 +191,17 @@
245 <body>
246
247 <p>
248 -All the fancy PPPoE software that used to be provided by rp-pppoe
249 -(<uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>) has been
250 -integrated into the <uri link="http://samba.org/ppp/">standard PPP
251 -package</uri>. Simply <c>emerge ppp</c> and you'll be on your way. Remember
252 -how I said you'll need username/password information? Well I wasn't lying so
253 -I hope you have it now! Load up <path>/etc/conf.d/net</path> in your favorite
254 +All the fancy PPPoE software that used to be provided by rp-pppoe
255 +(<uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>) has been
256 +integrated into the <uri link="http://samba.org/ppp/">standard PPP
257 +package</uri>. Simply <c>emerge ppp</c> and you'll be on your way. Remember
258 +how I said you'll need username/password information? Well I wasn't lying so
259 +I hope you have it now! Load up <path>/etc/conf.d/net</path> in your favorite
260 editor and set it up.
261 </p>
262
263 <note>
264 -In order for the following net settings to work, you must have
265 +In order for the following net settings to work, you must have
266 baselayout-1.12.9 or later installed on your system.
267 </note>
268
269 @@ -214,9 +214,9 @@
270 link_ppp0="eth1"
271 plugins_ppp0=( "pppoe" )
272 pppd_ppp0=(
273 - "defaultroute"
274 - "usepeerdns"
275 - <comment>There may be other settings you want, see /etc/conf.d/net.example</comment>
276 + "defaultroute"
277 + "usepeerdns"
278 + <comment>There may be other settings you want, see /etc/conf.d/net.example</comment>
279 )
280 username_ppp0="vla9h924"
281 password_ppp0="boogie"
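Review bot: the pppd_ppp0 lines in this hunk are reindented only, but the surrounding block still carries username_ppp0="vla9h924" and password_ppp0="boogie", which read like real ISP credentials rather than placeholders; since this is a style pass, it would be a good moment to switch them to obviously fake values (for example username_ppp0="your_isp_username") so a copied-and-pasted config cannot silently carry someone's real login.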
282 @@ -227,19 +227,19 @@
283 </pre>
284
285 <warn>
286 -When the DSL interface comes up, it will create ppp0. Although your NIC is
287 -called eth1, the IP is actually bound to ppp0. From now on, when you see
288 +When the DSL interface comes up, it will create ppp0. Although your NIC is
289 +called eth1, the IP is actually bound to ppp0. From now on, when you see
290 examples that utilize 'eth1', substitute with 'ppp0'.
291 </warn>
292
293 <warn>
294 -Make sure you change the permissions of the /etc/conf.d/net file so that only
295 +Make sure you change the permissions of the /etc/conf.d/net file so that only
296 root can read/write it since you're sticking your username/password in it.
297 </warn>
298
299 <warn>
300 -For people transitioning from the <c>rp-pppoe</c> package, or for people who
301 -hit weird connection resets, see the MTU section in the Troubleshooting
302 +For people transitioning from the <c>rp-pppoe</c> package, or for people who
303 +hit weird connection resets, see the MTU section in the Troubleshooting
304 chapter.
305 </warn>
306
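Review bot: the second <warn> in this hunk tells the reader to restrict /etc/conf.d/net to root but does not say how, which is the one detail a reader is most likely to get wrong; suggest adding the command, for instance <c>chmod 600 /etc/conf.d/net</c>, and noting it should be done before the username/password lines are written rather than after. The first <warn> could also say outright that the firewall rules must reference ppp0, since that is where the 'substitute eth1 with ppp0' instruction bites hardest.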
307 @@ -251,8 +251,8 @@
308 <body>
309
310 <p>
311 -If you have a static IP then you will need a few more details than if
312 -you have a dynamic IP. For static users, you will need your IP,
313 +If you have a static IP then you will need a few more details than if
314 +you have a dynamic IP. For static users, you will need your IP,
315 gateway, and DNS servers.
316 </p>
317
318 @@ -316,28 +316,28 @@
319
320 <p>
321 I bet it'd be nice if everyone else in your house could just plug their
322 -computers into the network and things would just work. No need to remember
323 +computers into the network and things would just work. No need to remember
324 mind-numbing details or make them stare at confusing configuration screens!
325 -Life would be grand eh? Introducing the Dynamic Host Configuration Protocol
326 +Life would be grand eh? Introducing the Dynamic Host Configuration Protocol
327 (DHCP) and why you should care.
328 </p>
329
330 <p>
331 -DHCP is exactly what its name implies. It's a protocol that allows you
332 -to dynamically configure other hosts automatically. You run a DHCP server on
333 +DHCP is exactly what its name implies. It's a protocol that allows you
334 +to dynamically configure other hosts automatically. You run a DHCP server on
335 the router, give it all the information about your network (valid IPs,
336 DNS servers, gateways, etc...), and then when the other hosts start up, they
337 -run a DHCP client to automatically configure themselves. No fuss, no muss!
338 +run a DHCP client to automatically configure themselves. No fuss, no muss!
339 For more information about DHCP, you can always visit <uri
340 link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
341 </p>
342
343 <p>
344 We'll use a package called dnsmasq which provides both DHCP and DNS services.
345 -For now lets just focus on the DHCP aspect. Note that if you want to run a
346 +For now lets just focus on the DHCP aspect. Note that if you want to run a
347 different DHCP server, you can find another example in the Fun Things chapter.
348 -Also, if you wish to tinker with the DHCP server settings, just read the
349 -comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
350 +Also, if you wish to tinker with the DHCP server settings, just read the
351 +comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
352 though.
353 </p>
354
355 @@ -354,12 +354,12 @@
356 </pre>
357
358 <p>
359 -Now your little router is a bona-fide DHCP server! Plugin those computers and
360 -watch them work! With Windows systems you should go into the TCP/IP Properties
361 +Now your little router is a bona-fide DHCP server! Plugin those computers and
362 +watch them work! With Windows systems you should go into the TCP/IP Properties
363 and select the 'Obtain an IP address automatically' and 'Obtain DNS server
364 -address automatically' options. Sometimes the changes aren't instantaneous, so
365 +address automatically' options. Sometimes the changes aren't instantaneous, so
366 you may have to open a command prompt and run <c>ipconfig /release</c> and
367 -<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
368 +<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
369 favorite penguin.
370 </p>
371
372 @@ -372,25 +372,25 @@
373
374 <p>
375 When people want to visit a place on the internet, they remember names, not a
376 -string of funky numbers. After all, what's easier to remember, ebay.com or
377 -66.135.192.87? This is where the DNS steps in. DNS servers run all over the
378 +string of funky numbers. After all, what's easier to remember, ebay.com or
379 +66.135.192.87? This is where the DNS steps in. DNS servers run all over the
380 internet, and whenever someone wants to visit 'ebay.com', these servers turn
381 'ebay.com' (what we understand) into '66.135.192.87' (what our computers
382 -understand). For more information about DNS, you can always visit <uri
383 +understand). For more information about DNS, you can always visit <uri
384 link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
385 </p>
386
387 <p>
388 Since we're using dnsmasq for our DHCP server, and it includes a DNS server,
389 -you've got nothing left to do here! Your little router is already providing
390 -DNS to its DHCP clients. Bet you wish everything was this easy ;).
391 +you've got nothing left to do here! Your little router is already providing
392 +DNS to its DHCP clients. Bet you wish everything was this easy ;).
393 </p>
394
395 <p>
396 -You're welcome to choose other DNS servers if you're more comfortable with
397 -them, but the reason dnsmasq is great is because it was designed to do exactly
398 -what we want and nothing more. It's a little DNS caching/forwarding server for
399 -local networks. We're not looking to provide DNS for our own domain here, just
400 +You're welcome to choose other DNS servers if you're more comfortable with
401 +them, but the reason dnsmasq is great is because it was designed to do exactly
402 +what we want and nothing more. It's a little DNS caching/forwarding server for
403 +local networks. We're not looking to provide DNS for our own domain here, just
404 offer simple DNS services to everyone else on our LAN.
405 </p>
406
407 @@ -409,17 +409,17 @@
408 </p>
409
410 <p>
411 -This is where Network Address Translation (NAT) steps in. NAT is a way of
412 -connecting multiple computers in a private LAN to the internet when you have a
413 -smaller number of public IP addresses available to you. Typically you are given
414 +This is where Network Address Translation (NAT) steps in. NAT is a way of
415 +connecting multiple computers in a private LAN to the internet when you have a
416 +smaller number of public IP addresses available to you. Typically you are given
417 1 IP by your ISP, but you want to let your whole house connect to the internet.
418 -NAT is the magic that makes this possible. For more information about NAT, you
419 +NAT is the magic that makes this possible. For more information about NAT, you
420 can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
421 </p>
422
423 <note>
424 -Before we get started, make sure you have iptables on your system. Although it
425 -is automatically installed on most systems, you may not have it. If you don't,
426 +Before we get started, make sure you have iptables on your system. Although it
427 +is automatically installed on most systems, you may not have it. If you don't,
428 just run <c>emerge iptables</c>.
429 </note>
430
431 @@ -473,13 +473,13 @@
432
433 <p>
434 Once you've typed out all of that, the rest of your network should now be able
435 -to use the internet as if they were directly connected themselves.
436 +to use the internet as if they were directly connected themselves.
437 </p>
438
439 <p>
440 The ip_dynaddr option is useful for dial on demand systems or when your ISP
441 -gives out dynamic addresses. This works around the problem where a connection
442 -is attempted before the internet interface is fully setup. Really this just
443 +gives out dynamic addresses. This works around the problem where a connection
444 +is attempted before the internet interface is fully setup. Really this just
445 provides for a smoother network experience for users behind your router.
446 </p>
447
448 @@ -495,8 +495,8 @@
449 <body>
450
451 <p>
452 -Believe it or not, you're done :). From here on out, I'll cover a bunch of
453 -common topics that may interest you. Everything in this chapter is completely
454 +Believe it or not, you're done :). From here on out, I'll cover a bunch of
455 +common topics that may interest you. Everything in this chapter is completely
456 optional.
457 </p>
458
459 @@ -509,10 +509,10 @@
460
461 <p>
462 Sometimes you would like to be able to host services on a computer behind the
463 -router, or just to make your life easier when connecting remotely. Perhaps you
464 +router, or just to make your life easier when connecting remotely. Perhaps you
465 want to run a FTP, HTTP, SSH, or VNC server on one or more machines behind your
466 -router and be able to connect to them all. The only caveat is that you can
467 -only have one service/machine combo per port. For example, there is no
468 +router and be able to connect to them all. The only caveat is that you can
469 +only have one service/machine combo per port. For example, there is no
470 practical way to setup three FTP servers behind your router and then try to
471 connect to them all through port 21; only one can be on port 21 while the
472 others would have to be on say port 123 and port 567.
473 @@ -521,9 +521,9 @@
474 <p>
475 All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
476 [-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
477 -to forward to]</c>. Unfortunately, iptables does not accept hostnames when port
478 -forwarding. If you are forwarding an external port to the same port on the
479 -internal machine, you can omit the destination port. See the iptables(8) man
480 +to forward to]</c>. Unfortunately, iptables does not accept hostnames when port
481 +forwarding. If you are forwarding an external port to the same port on the
482 +internal machine, you can omit the destination port. See the iptables(8) man
483 page for more information.
484 </p>
485
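Review bot: the rule template in this hunk shows -p protocol in square brackets as if it were optional, but --dport is an option of the tcp and udp match extensions and iptables rejects it unless -p tcp or -p udp is given; suggest rewriting the template as <c>iptables -t nat -A PREROUTING -p [tcp|udp] --dport [external port] -i ${WAN} -j DNAT --to [ip/port]</c> and saying explicitly that the protocol is mandatory.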
486 @@ -585,9 +585,9 @@
487 <body>
488
489 <p>
490 -Internet Relay Chat utilizes the ident service pretty heavily. Now that the
491 +Internet Relay Chat utilizes the ident service pretty heavily. Now that the
492 IRC clients are behind the router, we need a way to host ident for both the
493 -router and the clients. One such server has been created called
494 +router and the clients. One such server has been created called
495 <c>midentd</c>.
496 </p>
497
498 @@ -598,7 +598,7 @@
499 </pre>
500
501 <p>
502 -There are a few other ident servers in portage. Depending on your needs, I
503 +There are a few other ident servers in portage. Depending on your needs, I
504 would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
505 </p>
506
507 @@ -610,43 +610,43 @@
508 <title>Traffic Shaping</title>
509 <body>
510 <p>
511 -This is an attempt to simply and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri>
512 -found over at the TLDP. Feel free to refer to the original document
513 +This is an attempt to simply and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri>
514 +found over at the TLDP. Feel free to refer to the original document
515 for more details.
516 </p>
517
518 <p>
519 -Here we will be setting up what some people refer to as a "Packet Shaper",
520 -<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>,
521 -or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.
522 -Simply put, we want to setup rules on our router that will slow down
523 -certain activities (like sending large e-mails or downloading from P2P
524 -networks) while keeping other activities (like browsing the web or playing
525 -online video games) reasonably fast. A 30 second difference in a video
526 -game is a lot worse than a 30 second difference in downloading large
527 +Here we will be setting up what some people refer to as a "Packet Shaper",
528 +<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>,
529 +or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.
530 +Simply put, we want to setup rules on our router that will slow down
531 +certain activities (like sending large e-mails or downloading from P2P
532 +networks) while keeping other activities (like browsing the web or playing
533 +online video games) reasonably fast. A 30 second difference in a video
534 +game is a lot worse than a 30 second difference in downloading large
535 files :).
536 </p>
537
538 <p>
539 -The first thing is to make sure your kernel has all the features added to
540 -it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more
541 -information. Next, you will need to <c>emerge iptables iputils</c> so that
542 -you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c>
543 +The first thing is to make sure your kernel has all the features added to
544 +it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more
545 +information. Next, you will need to <c>emerge iptables iputils</c> so that
546 +you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c>
547 commands.
548 </p>
549
550 <p>
551 -Before we jump into the commands, let's cover a little of the theory. The
552 -way this whole system works is to classify common network streams and then
553 -to prioritize them. You use iptables to classify network streams, iputils
554 -to define the different priority levels, and the kernel to adjust speeds.
555 -Just remember that although you can control outbound traffic pretty tightly
556 -(from the LAN to the WAN), your ability to control inbound traffic (from
557 -the WAN to the LAN) is somewhat limited. Just remember that the following
558 -examples are to get your feet wet; if you want more then I'd suggest
559 -reading up on the subject. In this example, we will be using the
560 -<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri>
561 -packet scheduling algorithm. Still with me? Great, let's start shaping :).
562 +Before we jump into the commands, let's cover a little of the theory. The
563 +way this whole system works is to classify common network streams and then
564 +to prioritize them. You use iptables to classify network streams, iputils
565 +to define the different priority levels, and the kernel to adjust speeds.
566 +Just remember that although you can control outbound traffic pretty tightly
567 +(from the LAN to the WAN), your ability to control inbound traffic (from
568 +the WAN to the LAN) is somewhat limited. Just remember that the following
569 +examples are to get your feet wet; if you want more then I'd suggest
570 +reading up on the subject. In this example, we will be using the
571 +<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri>
572 +packet scheduling algorithm. Still with me? Great, let's start shaping :).
573 </p>
574
575 <pre caption="Setup">
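Review bot: the third <p> of this hunk says <c>emerge iptables iputils</c> gives access to the <c>ip</c> and <c>tc</c> commands, but those two tools are part of iproute2 (the iputils package provides ping, tracepath and arping); the instruction should read <c>emerge iptables iproute2</c>, otherwise a reader following the text will find tc missing when they reach the Setup block.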
576 @@ -654,20 +654,20 @@
577 RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment>
578 RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment>
579
580 -<comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment>
581 +<comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment>
582 ip link set dev ${DEV} qlen 30
583 tc qdisc add dev ${DEV} root handle 1: htb default 45
584 tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit
585 </pre>
586
587 <p>
588 -Here we initialized the system which will be used to prioritize all of
589 -our network traffic. We created our queue, told it to use the HTB
590 -algorithm, and set the default classification level to '45'. The
591 -default is completely arbitrary, as are the levels we choose from
592 -here on out. The only thing that matters is how the levels compare
593 -relatively; a level '10' packet will be given preference over a
594 -level '45' packet. Let's move on to declaring different levels.
595 +Here we initialized the system which will be used to prioritize all of
596 +our network traffic. We created our queue, told it to use the HTB
597 +algorithm, and set the default classification level to '45'. The
598 +default is completely arbitrary, as are the levels we choose from
599 +here on out. The only thing that matters is how the levels compare
600 +relatively; a level '10' packet will be given preference over a
601 +level '45' packet. Let's move on to declaring different levels.
602 </p>
603
604 <pre caption="Declaring levels">
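Review bot: the explanatory paragraph in this hunk says a level '10' packet is given preference over a level '45' packet and that the numbers only matter 'relatively', which a reader will take to mean HTB orders classes by their classid; it does not, the classid is only a handle, and which class wins comes from the rate, ceil and prio values given when each class is declared in the next block. Suggest rewording to 'the numbers are just labels; the preference comes from the parameters we attach to each label below', so the reader does not try to tune priority by renumbering.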
605 @@ -690,14 +690,14 @@
606 </p>
607
608 <p>
609 -Many people run ntp clients on their computers. Obviously, the more clients in
610 -the world, the larger the load the ntp servers need to shoulder. In
611 +Many people run ntp clients on their computers. Obviously, the more clients in
612 +the world, the larger the load the ntp servers need to shoulder. In
613 environments like home networks though, we can help keep the load down on
614 -public servers while still providing the proper time to all our computers. As
615 +public servers while still providing the proper time to all our computers. As
616 an added bonus, our private updates will be a lot faster for the clients too!
617 All we have to do is run a ntp server on our router that synchronizes itself
618 with the public internet servers while providing the time to the rest of the
619 -computers in the network. To get started, simply <c>emerge ntp</c> on the
620 +computers in the network. To get started, simply <c>emerge ntp</c> on the
621 router.
622 </p>
623
624 @@ -722,12 +722,12 @@
625
626 <note>
627 You should make sure that you allow inbound and outbound communication on the
628 -ntp port (123/udp) when setting up the server. The client just needs outbound
629 +ntp port (123/udp) when setting up the server. The client just needs outbound
630 access on port 123 over udp.
631 </note>
632
633 <p>
634 -Now, on your clients, have them <c>emerge ntp</c> also. However, we will just
635 +Now, on your clients, have them <c>emerge ntp</c> also. However, we will just
636 run the ntp client so setup is a lot simpler.
637 </p>
638
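Review bot: the <note> in this hunk asks for inbound access on 123/udp 'when setting up the server' without saying on which interface; the router only serves time to the LAN, and its own synchronisation with public servers is an outbound connection, so the inbound allow should be restricted to the LAN interface (an -i match on the LAN side, mirroring the -i ${WAN} form used in the port-forwarding template) rather than opened on the WAN side as well.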
639 @@ -746,10 +746,10 @@
640 <body>
641
642 <p>
643 -For those who run multiple Gentoo boxes on the same lan, you often want to
644 -keep from having every machine running <c>emerge sync</c> with remote
645 -servers. By setting up a local rsync, you save on both your bandwidth and
646 -the Gentoo rsync servers' bandwidth. It's pretty simple to do.
647 +For those who run multiple Gentoo boxes on the same lan, you often want to
648 +keep from having every machine running <c>emerge sync</c> with remote
649 +servers. By setting up a local rsync, you save on both your bandwidth and
650 +the Gentoo rsync servers' bandwidth. It's pretty simple to do.
651 </p>
652
653 <note>
654 @@ -758,10 +758,10 @@
655 </note>
656
657 <p>
658 -Since every Gentoo machine requires rsync, theres no need to emerge it. Edit
659 -the default <path>/etc/rsyncd.conf</path> config file, uncomment the
660 -<c>[gentoo-portage]</c> section, and make sure you add an <c>address</c>
661 -option. All the other defaults should be fine.
662 +Since every Gentoo machine requires rsync, theres no need to emerge it. Edit
663 +the default <path>/etc/rsyncd.conf</path> config file, uncomment the
664 +<c>[gentoo-portage]</c> section, and make sure you add an <c>address</c>
665 +option. All the other defaults should be fine.
666 </p>
667
668 <pre caption="Rsync server config">
669 @@ -771,9 +771,9 @@
670 address = 192.168.0.1
671
672 [gentoo-portage]
673 - path = /mnt/space/portage
674 - comment = Gentoo Linux Portage tree
675 - exclude = /distfiles /packages
676 + path = /mnt/space/portage
677 + comment = Gentoo Linux Portage tree
678 + exclude = /distfiles /packages
679 </pre>
680
681 <p>
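Review bot: the only access control visible for the exported [gentoo-portage] module is the "address = 192.168.0.1" binding at the top of this listing, while the surrounding text tells readers "all the other defaults should be fine". Binding to the LAN address keeps the daemon off the WAN interface, but add "hosts allow = 192.168.0.0/24" to the module (or globally) so the tree stays LAN-only even if someone later binds to 0.0.0.0 or the WAN address changes. Also, the re-indented path/comment/exclude lines sit inside a <pre> block, where whitespace is rendered literally, so unlike the <p> changes elsewhere in this commit this alters what readers see and copy; rsyncd.conf ignores leading whitespace, so it is harmless, but the same check applies to every <pre> hunk in this patch.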
682 @@ -802,9 +802,9 @@
683
684 <p>
685 Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
686 -on the router. You may have your own reason for wanting to do so, but I run it
687 +on the router. You may have your own reason for wanting to do so, but I run it
688 so that the users see mail as being sent instantly and the work of
689 -retrying/routing is left up to the mail server. Some ISPs also don't allow for
690 +retrying/routing is left up to the mail server. Some ISPs also don't allow for
691 mail relaying for accounts that aren't part of their network (like Verizon).
692 Also, you can easily throttle the delivery of mail so that large attachments
693 won't seriously lag your connection for half an hour.
694 @@ -835,9 +835,9 @@
695 </pre>
696
697 <p>
698 -I'm a huge fan of qmail, but you're free to use a different mta :). When you
699 +I'm a huge fan of qmail, but you're free to use a different mta :). When you
700 setup e-mail on the hosts in your network, tell them that their SMTP server is
701 -192.168.0.1 and everything should be peachy. You might want to visit the <uri
702 +192.168.0.1 and everything should be peachy. You might want to visit the <uri
703 link="http://netqmail.org/">netqmail homepage</uri> for more documentation.
704 </p>
705
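Review bot: this hunk tells readers to point every host at "192.168.0.1" as its SMTP server, but neither it nor the preceding paragraph says that the MTA must relay only for the LAN. The clients are submitting without authentication, so relaying has to be restricted by source network (192.168.0.0/24) and the daemon bound or firewalled to the LAN interface; otherwise the router becomes an open relay on the WAN side. Suggest adding one sentence to that effect next to the 192.168.0.1 instruction.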
706 @@ -849,9 +849,9 @@
707 <title>E-mail Virus Scanning</title>
708 <body>
709 <p>
710 -If you'd like to provide e-mail virus scanning for your users, but
711 -don't want to have to install a virus scanner on every single machine,
712 -then <c>pop3vscan</c> may just be the thing for you; a transparent
713 +If you'd like to provide e-mail virus scanning for your users, but
714 +don't want to have to install a virus scanner on every single machine,
715 +then <c>pop3vscan</c> may just be the thing for you; a transparent
716 Post Office Protocol (POP) scanner.
717 </p>
718
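Review bot: the description of pop3vscan as "a transparent Post Office Protocol (POP) scanner" needs a caveat: a transparent proxy can only inspect cleartext POP3. Sessions the client protects with TLS (POP3S on 995, or STARTTLS on 110) pass through it unscanned, so users who have enabled encryption in their mail client get no coverage, and the scanner is not a substitute for scanning on the hosts. One sentence after the paragraph would do.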
719 @@ -868,9 +868,9 @@
720 <body>
721
722 <p>
723 -Earlier we used dnsmasq to provide DHCP service to all our clients. For most
724 -people with a simple small LAN, this is perfect. But you may need something
725 -with more features. Thus we turn to a full-featured DHCP server as provided
726 +Earlier we used dnsmasq to provide DHCP service to all our clients. For most
727 +people with a simple small LAN, this is perfect. But you may need something
728 +with more features. Thus we turn to a full-featured DHCP server as provided
729 by the <uri link="http://www.isc.org/products/DHCP">ISC</uri> folks.
730 </p>
731
732 @@ -881,13 +881,13 @@
733 authoritative;
734 ddns-update-style interim;
735 subnet 192.168.0.0 netmask 255.255.255.0 {
736 - range 192.168.0.100 192.168.0.250;
737 - default-lease-time 259200;
738 - max-lease-time 518400;
739 - option subnet-mask 255.255.255.0;
740 - option broadcast-address 192.168.0.255;
741 - option routers 192.168.0.1;
742 - option domain-name-servers 192.168.0.1;
743 + range 192.168.0.100 192.168.0.250;
744 + default-lease-time 259200;
745 + max-lease-time 518400;
746 + option subnet-mask 255.255.255.0;
747 + option broadcast-address 192.168.0.255;
748 + option routers 192.168.0.1;
749 + option domain-name-servers 192.168.0.1;
750 }
751 # <i>nano /etc/conf.d/dhcpd</i>
752 <comment>(Set IFACE="eth0")</comment>
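Review bot: "ddns-update-style interim;" in this listing enables dynamic DNS updates that nothing else in the config uses (there are no zone or key statements), so the minimal replacement for dnsmasq's DHCP should read "ddns-update-style none;" instead; dhcpd 3.x requires the statement to be present, but none is the right value here. The IFACE="eth0" setting is correct for this guide's layout, where eth0 is the LAN; a short comment saying "the LAN interface, not the WAN" would stop readers from binding dhcpd to the wrong side.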
753 @@ -896,9 +896,9 @@
754 </pre>
755
756 <p>
757 -This is the minimal setup required to replace the dnsmasq DHCP functionality
758 -that we used earlier. Speaking of which, you did remember to disable the DHCP
759 -features in dnsmasq didn't you? If not, you should do so now (just comment
760 +This is the minimal setup required to replace the dnsmasq DHCP functionality
761 +that we used earlier. Speaking of which, you did remember to disable the DHCP
762 +features in dnsmasq didn't you? If not, you should do so now (just comment
763 out the <c>dhcp-range</c> setting in <path>/etc/dnsmasq.conf</path> and restart
764 the service).
765 </p>
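Review bot: the instruction to disable dnsmasq's DHCP ("comment out the dhcp-range setting in /etc/dnsmasq.conf and restart the service") is phrased as an afterthought ("you did remember ... If not, you should do so now"), but it has to happen before dhcpd is started, not after: with both daemons answering on eth0, clients take whichever offer arrives first and the two servers hand out leases on the same 192.168.0.0/24 network with no knowledge of each other. Suggest turning it into a step placed ahead of starting dhcpd and stating the ordering explicitly.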
766 @@ -911,34 +911,34 @@
767 <body>
768
769 <p>
770 -Sometimes you have need of connecting the router to another LAN. Maybe you
771 -want to hook up a group of friends temporarily, or you're a neat freak and
772 -want to section off different groups of computers, or you're just really
773 -really bored. Whatever the reasons, extending the router to other LAN
774 -networks should be pretty straightforward. In the following examples, I will
775 -assume that this new network is connected via a third ethernet card, namely
776 +Sometimes you have need of connecting the router to another LAN. Maybe you
777 +want to hook up a group of friends temporarily, or you're a neat freak and
778 +want to section off different groups of computers, or you're just really
779 +really bored. Whatever the reasons, extending the router to other LAN
780 +networks should be pretty straightforward. In the following examples, I will
781 +assume that this new network is connected via a third ethernet card, namely
782 <c>eth2</c>.
783 </p>
784
785 <p>
786 -First you need to configure the interface. Just take the instructions in the
787 -<uri link="#doc_chap4_pre1">4.1 code listing</uri> and replace <c>eth0</c>
788 +First you need to configure the interface. Just take the instructions in the
789 +<uri link="#doc_chap4_pre1">4.1 code listing</uri> and replace <c>eth0</c>
790 with <c>eth2</c> and <c>192.168.0</c> with <c>192.168.1</c>.
791 </p>
792
793 <p>
794 -Then you need to tweak dnsmasq to service the new interface. Just edit the
795 -<path>/etc/conf.d/dnsmasq</path> file again and append <c>-i eth2</c> to
796 -DNSMASQ_OPTS; using -i multiple times is OK. Then edit
797 -<path>/etc/dnsmasq.conf</path> and add another line like the dhcp-range line
798 -in the <uri link="#doc_chap5_pre1">5.1 code listing</uri>, replacing
799 -<c>192.168.0</c> with <c>192.168.1</c>. Having multiple dhcp-range lines is
800 +Then you need to tweak dnsmasq to service the new interface. Just edit the
801 +<path>/etc/conf.d/dnsmasq</path> file again and append <c>-i eth2</c> to
802 +DNSMASQ_OPTS; using -i multiple times is OK. Then edit
803 +<path>/etc/dnsmasq.conf</path> and add another line like the dhcp-range line
804 +in the <uri link="#doc_chap5_pre1">5.1 code listing</uri>, replacing
805 +<c>192.168.0</c> with <c>192.168.1</c>. Having multiple dhcp-range lines is
806 OK too.
807 </p>
808
809 <p>
810 -Finally, see the rules in the <uri link="#doc_chap5_pre2">5.2 code
811 -listing</uri> and duplicate the rules that have <c>-i ${LAN}</c> in them. You
812 +Finally, see the rules in the <uri link="#doc_chap5_pre2">5.2 code
813 +listing</uri> and duplicate the rules that have <c>-i ${LAN}</c> in them. You
814 may want to create another variable, say <c>LAN2</c>, to make things easier.
815 </p>
816
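Review bot: the last paragraph of this hunk ("duplicate the rules that have -i ${LAN} in them") extends the input-side rules to eth2 but leaves the question this section raises unanswered: whether 192.168.0.0/24 and 192.168.1.0/24 may talk to each other. One stated motivation is to "section off different groups of computers", and copying the ${LAN} rules for LAN2 does not by itself isolate the two segments; packets between them are forwarded or dropped according to whatever the FORWARD chain's policy says. Suggest adding an explicit rule either way (a drop for -i ${LAN2} -o ${LAN} and the reverse, or an accept) so the choice is deliberate rather than inherited.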
817 @@ -955,31 +955,31 @@
818 <body>
819
820 <p>
821 -If you're having trouble getting your computers to communicate, you may way to
822 -try out the following tools (they can all be found in the <c>net-analyzer</c>
823 +If you're having trouble getting your computers to communicate, you may way to
824 +try out the following tools (they can all be found in the <c>net-analyzer</c>
825 portage category):
826 </p>
827
828 <table>
829 <tr>
830 - <th>Utility</th>
831 - <th>Description</th>
832 + <th>Utility</th>
833 + <th>Description</th>
834 </tr>
835 <tr>
836 - <ti>wireshark</ti>
837 - <ti>GUI tool to view all raw network data according to filters</ti>
838 + <ti>wireshark</ti>
839 + <ti>GUI tool to view all raw network data according to filters</ti>
840 </tr>
841 <tr>
842 - <ti>tcpdump</ti>
843 - <ti>Console tool to dump all raw network data according to filters</ti>
844 + <ti>tcpdump</ti>
845 + <ti>Console tool to dump all raw network data according to filters</ti>
846 </tr>
847 <tr>
848 - <ti>iptraf</ti>
849 - <ti>ncurses based IP LAN monitor</ti>
850 + <ti>iptraf</ti>
851 + <ti>ncurses based IP LAN monitor</ti>
852 </tr>
853 <tr>
854 - <ti>ettercap</ti>
855 - <ti>ncurses based network monitor/control</ti>
856 + <ti>ettercap</ti>
857 + <ti>ncurses based network monitor/control</ti>
858 </tr>
859 </table>
860
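Review bot: the table row for ettercap ("ncurses based network monitor/control") lists an active attack tool alongside three passive sniffers without distinction. ettercap's core function is man-in-the-middle interception by ARP poisoning; running it in that mode rewrites the ARP caches of every host on the LAN and will itself produce the "computers can't communicate" symptoms this section is trying to diagnose. Suggest describing it as "ARP-poisoning MITM tool; active, use with care" or dropping it from a troubleshooting table.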
861 @@ -991,22 +991,22 @@
862 <body>
863
864 <p>
865 -When starting the dhcp init.d script for the first time, it may fail to load
866 +When starting the dhcp init.d script for the first time, it may fail to load
867 but neglect to give you any useful info.
868 </p>
869
870 <pre caption="DHCP Failing Example">
871 # <i>/etc/init.d/dhcp start</i>
872 - * Setting ownership on dhcp.leases ... [ ok ]
873 - * Starting dhcpd ... [ !! ]
874 + * Setting ownership on dhcp.leases ... [ ok ]
875 + * Starting dhcpd ... [ !! ]
876 </pre>
877
878 <p>
879 -The trick is to know where dhcpd is sending its output. Simply browse to
880 -<path>/var/log</path> and read the log files. Since the exact log file depends
881 +The trick is to know where dhcpd is sending its output. Simply browse to
882 +<path>/var/log</path> and read the log files. Since the exact log file depends
883 on the package you are using as a syslog, try running <c>grep -Rl dhcpd
884 -/var/log</c> to narrow down the possibilities. Chances are you made a typo in
885 -your config file. You could also try running <c>dhcpd -d -f</c> (short for
886 +/var/log</c> to narrow down the possibilities. Chances are you made a typo in
887 +your config file. You could also try running <c>dhcpd -d -f</c> (short for
888 debug / foreground) and debug the error based upon the output.
889 </p>
890
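Review bot: since the paragraph's own diagnosis is "chances are you made a typo in your config file", the direct check is dhcpd's configuration test mode, "dhcpd -t" (with -cf <file> if the config is not at the default path), which parses the file and reports the offending line without binding the socket; "dhcpd -d -f" works too but starts the server in the foreground. Suggest mentioning -t before the grep over /var/log.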
891 @@ -1019,7 +1019,7 @@
892
893 <p>
894 If you experience odd errors (such as not being able to access some webpages
895 -while others load fine), you may be having Path MTU Discovery trouble. The
896 +while others load fine), you may be having Path MTU Discovery trouble. The
897 quick way to test is to run this iptables command:
898 </p>
899
900 @@ -1044,10 +1044,10 @@
901 <body>
902
903 <p>
904 -If (for whatever reason) you want to connect two machines directly together
905 +If (for whatever reason) you want to connect two machines directly together
906 without a hub or switch, a regular ethernet cable will likely not work, unless
907 you have an Auto MDI/MDI-X (also known as "autosensing") capable network
908 -adapter. You will need a different cable called a crossover cable. This <uri
909 +adapter. You will need a different cable called a crossover cable. This <uri
910 link="http://en.wikipedia.org/wiki/Ethernet_crossover_cable">Wikipedia</uri>
911 page explains the low level details.
912 </p>
913 @@ -1065,7 +1065,7 @@
914 <p>
915 I have no final notes other than if you experience any troubles with the guide,
916 please contact <mail link="vapier@g.o">me</mail> or file a bug with <uri
917 -link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
918 +link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
919 some interesting bits you think would enhance this guide, by all means send it
920 my way for inclusion.
921 </p>
922
923
924
925 --
926 gentoo-doc-cvs@l.g.o mailing list