From owner-freebsd-isp Mon Nov 15 21: 1:58 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.fil.net (mail.fil.net [202.57.102.7]) by hub.freebsd.org (Postfix) with ESMTP id ECE3614D22 for ; Mon, 15 Nov 1999 21:01:46 -0800 (PST) (envelope-from aLan@fil.net)
Received: from fil.net ([202.57.102.6]) by mail.fil.net (Netscape Messaging Server 3.62) with ESMTP id 291; Tue, 16 Nov 1999 13:01:33 +0800
Message-ID: <3830E52A.64728158@fil.net>
Date: Tue, 16 Nov 1999 13:01:30 +0800
From: "aLan Tait"
X-Mailer: Mozilla 4.6 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Warren Welch
Cc: freebsd-isp@freebsd.org
Subject: Re: Duel Nic's Testing
References: <38301010.E9BF0643@fil.net> <4.2.1.19991116021126.05133650@arthur.intraceptives.com.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wow! Thanks. At least I am on the right track.

> Well, that's a good start!!!
> What about your email??? (Seriously consider something like QMAIL...)

Yes, email is on the priority list right after the NT Proxy dies. Which means right after squid is running (that box is lacking a part, checking for it daily). I plan on using Qmail, with a web-based attachment for the Cafes. But the computer that will run it is the NT proxy and, bad as it is, it is the best I have right now... So I am working on the FW as I have all the parts!

> Yep, should be fine... Especially with your minimal bandwidth... (BW is
> expensive here too!)

It's good to have a 2nd opinion. I found an entry on the ALTQ site that said a P-1 200 MHz would handle full 100baseT speed, so I figured a 120 MHz ought to at least handle an E-1.

> Ultimately, I think you're going to interrupt something along the lines...

Yea, I realize that. I just want to get a little more "friendly" with it before I "cut the line".

After I wrote that I realized I have an "unused" subnet that is mine, but my provider won't route it until I buy at least 512K. I'll use it for testing and then put it back later. The idea is to set the box up, then just change the IPs to the real ones and hopefully early some Sunday morning I won't affect very many at all (that is our one "dead time").

> Unfortunately you're going to have to interrupt the traffic somewhere along
> the lines, to actually insert the box into the network. I'd kinda suggest
> looking at it a different way. If you want to use your existing devices,
> you're going to have to subnet your network, which in my opinion is a waste
> of addresses. An alternative is to use RFC1918 addresses between the
> router and the outside interface of the firewall...
>
> This would be transparent (mostly) to your users, and blocks the outside
> world from even trying to do funny things to the firewall... This is what
> we do here.

That is really a great idea. I'd never thought to do that! Although I plan later to replace the router (which only works when you blow a lot of cold air on it) with a serial card and let the FreeBSD box do our routing. What's to route? If it ain't on our network, put it on the microwave to SNMI!

> Should do, but as I mentioned, this will waste IPs which could otherwise
> be used more productively... You'll also have to remember that you'll have
> to route from one 1.2.102 subnet to get to another... Not that this is a
> problem, but it does add... (Specially later when you might decide to use
> dynamic routing protocols like RIP/OSPF and later BGP.)

YES! I fully agree, I would rather leave my network at /23 and be done with it. I really like the idea of using the Intranet private addresses - it adds another blanket of security and frees my addresses for my use.

> I'd get to doing the squid part real quick... This can, and probably will
> lead to significant BW savings, especially if you can peer off a parent,
> and considering the relative ease of setting this up, it's almost worth
> doing before you get the FW fully up and running.

Yea, I can see that - I am just waiting for a cable that you could go and buy in under an hour; it takes me three weeks to get it, or I have to make a two day trip via boat - ain't living in an island pair-o-dice grand!

> The other thing I'd say, is that you should consider not redirecting HTTP
> outbound traffic to the squid box. Some things don't pass through the
> proxy transparently enough, and it actually works better if you get your
> users to set proxy settings in their browser. What you can do, is redirect
> the traffic to the proxy box, and get that to bounce it to an internal web
> page describing to your users how to set up their browsers. (Take a look at
> SquidGuard http://info.ost.eltele.no/freeware/squidGuard/ ...)

I am looking at this and bookmarked it for when I start the squid box. I see what you mean. However, I think my upstream provider is transparent proxying my bandwidth already. I do have some HTTP problems and I am wondering what kind of problems transparent proxying causes??? Things I have complaints about are hotmail.com and mirc (maybe icq also, according to my wife).

> >I was also looking at ipfw and dummynet, but couldn't find
> >anything about allowing higher bandwidth when others are not
> >using it.
>
> No, you can't do it with dummynet... Aside from that, IPFilter is a much
> better solution, and system. The other downside to IPFW is that you have
> to set up separate daemons for every bandwidth allocation.

Well, that is one question I don't need to spend any more time thinking about... Thanks!