Linux router with schedule based QOS.

Community Veteran
Posts: 1,236
Registered: 02-08-2007

Linux router with schedule based QOS.

I am looking for an easy-to-use package to install on CentOS that I can use as a gateway and that will allow me to apply QoS to the external interface based on a schedule; something with a webif would be nice.
I am looking for this because I have just got Sky to switch on Anytime+.
I have broadband with AAISP, which is amazing, but they have quite a strict policy on usage Mon-Fri 9-6. It has never been an issue before, but with 2 Sky HD boxes using Anytime+ it could be.
I can put the boxes on a separate VLAN or just on a separate gateway on the LAN. I have 2 existing gateways, a Cisco 2600 and a ClearOS virtualized install. I have 32 public addresses, and most of my stuff is virtualized, so I have endless flexibility to do what I need to achieve this.
Any recommendations?
2 REPLIES
Community Veteran
Posts: 5,472
Thanks: 288
Fixes: 4
Registered: 11-08-2007

Re: Linux router with schedule based QOS.

Have a look at "Advanced Policy Firewall (APF)" - http://www.rfxn.com/projects/advanced-policy-firewall/
and this tutorial might help - http://www.howtoforge.com/how-to-install-and-configure-advanced-policy-firewall-apf-on-centos-5.3
Quoted from the Ubuntu 'synaptic' package description:
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations.
The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file.
The management of APF on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information and all the features one would expect from a current and forward thinking firewall solution.
Summary of features:
  * detailed and well commented configuration file
  * granular inbound and outbound network filtering
  * user id based outbound network filtering
  * application based network filtering
  * trust based rule files with an optional advanced syntax
  * global trust system where rules can be downloaded from a central management server
  * reactive address blocking (RAB), next generation in-line intrusion prevention
  * debug mode provided for testing new features and configuration setups
  * fast load feature that allows for 1000+ rules to load in under 1 second
  * inbound and outbound network interfaces can be independently configured
  * global tcp/udp port & icmp type filtering with multiple methods of executing filters (drop, reject, prohibit)
  * configurable policies for each ip on the system with convenience variables to import settings
  * packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
  * prerouting and postrouting rules for optimal network performance
  * dshield.org block list support to ban networks exhibiting suspicious activity
  * spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP blocks
  * any number of additional interfaces may be configured as firewalled (untrusted) or trusted (not firewalled)
  * additional firewalled interfaces can have their own unique firewall policies applied
  * intelligent route verification to prevent embarrassing configuration errors
  * advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
  * filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
  * configurable type of service options to dictate the priority of different types of network traffic
  * intelligent default settings to meet every day server setups
  * dynamic configuration of your server's local DNS resolvers into the firewall
  * optional filtering of common p2p applications
  * optional filtering of private & reserved IP address space
Community Veteran
Posts: 1,236
Registered: 02-08-2007

Re: Linux router with schedule based QOS.

Thanks for the suggestion. I had a look at a few Linux options but have since been able to achieve this with my Cisco 2611:
Current configuration : 1810 bytes
!
! Last configuration change at 23:42:01 UTC Mon Apr 23 2012
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname natgateway
!
boot-start-marker
boot-end-marker
!
enable secret
enable password
!
no aaa new-model
no ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 10.19.7.0 10.19.7.50
ip dhcp excluded-address 10.19.7.70 10.19.7.255
!
ip dhcp pool DPA
  network 10.19.7.0 255.255.255.0
  dns-server 10.19.7.72 10.19.7.2
  default-router 10.19.7.2
!
!
!
!
! Classify traffic headed for the Sky boxes. SKY_ACL (defined further down)
! only matches while its time-range SKY_Time is active.
class-map match-any SKY_QoS
  match access-group name SKY_ACL
!
!
! Police the matched class to a 450 kbit/s CIR: conforming packets are
! transmitted, anything above the rate is dropped. Unmatched traffic is untouched.
policy-map SKY_Policy
  class SKY_QoS
  police cir 450000
    conform-action transmit
    exceed-action drop
!
!
!
interface Ethernet0/0
ip address X.X.X.X 255.255.255.224 secondary
ip address X.X.X.X 255.255.255.224 secondary
ip address X.X.X.X 255.255.255.224
ip nat outside
half-duplex
hold-queue 100 out
!
interface Ethernet0/1
ip address 10.19.7.1 255.255.255.0
ip nat inside
half-duplex
! Applied outbound on the LAN side, i.e. to what the boxes download from the Internet.
service-policy output SKY_Policy
hold-queue 100 out
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static 10.19.7.72 X.X.X.X
ip nat inside source static 10.19.7.75 X.X.X.X
no ip http server
no ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
!
!
! Any IP traffic to 10.19.7.40/30 (the two Sky boxes), but only during SKY_Time;
! outside the window the entry is inactive, so nothing falls into SKY_QoS.
ip access-list extended SKY_ACL
permit ip any 10.19.7.40 0.0.0.3 time-range SKY_Time
access-list 1 permit 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
! The well-known 'public' read-only community lets anyone who can reach the
! router read interface, routing and NAT data; change it and bind it to an access-list.
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
password
login
!
ntp clock-period 17208812
ntp server 82.219.4.31
! The schedule. The router clock runs in UTC (see the timestamp at the top),
! so during British Summer Time this window is 09:00-18:00 local.
time-range SKY_Time
periodic weekdays 8:00 to 17:00
!
!
end
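For anyone who still wants the Linux answer to the original question, here is the same schedule-based limit on a CentOS-style gateway as an added example (not code from the thread): an HTB class on the LAN interface capped at 450 kbit/s for the boxes' subnet, switched on and off by cron. The interface name eth1, the 100 Mbit/s rate for everything else and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven rate limiting of the Sky boxes on
# a Linux gateway, mirroring the Cisco policy above (450 kbit/s, weekdays 08:00-17:00).
# Assumed values: LAN interface eth1, boxes on 10.19.7.40/30, 100 Mbit/s LAN for the rest.
LAN_IF="${LAN_IF:-eth1}"
SKY_NET="${SKY_NET:-10.19.7.40/30}"
RATE="${RATE:-450kbit}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the tc commands instead of executing them

# in_window DOW HOUR: true when DOW is Mon..Fri (1..5, as `date +%u`) and 8 <= HOUR < 17.
in_window() {
    dow=$1; hour=$2
    [ "$dow" -ge 1 ] && [ "$dow" -le 5 ] && [ "$hour" -ge 8 ] && [ "$hour" -lt 17 ]
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Egress on the LAN side = what the boxes download, like "service-policy output"
# on Ethernet0/1. Class 1:10 is the unshaped default; 1:20 is capped at $RATE and
# the u32 filter steers packets addressed to the boxes into it.
shaping_on() {
    run tc qdisc replace dev "$LAN_IF" root handle 1: htb default 10
    run tc class replace dev "$LAN_IF" parent 1: classid 1:10 htb rate 100mbit
    run tc class replace dev "$LAN_IF" parent 1: classid 1:20 htb rate "$RATE" ceil "$RATE"
    run tc filter replace dev "$LAN_IF" parent 1: protocol ip prio 1 u32 \
        match ip dst "$SKY_NET" flowid 1:20
}

# Deleting the root qdisc returns the interface to the kernel default (no shaping).
shaping_off() { run tc qdisc del dev "$LAN_IF" root; }

# apply [DOW] [HOUR]: decide from the clock (arguments override it for testing).
apply() {
    dow=${1:-$(date +%u)}; hour=${2:-$(date +%H)}
    hour=${hour#0}              # "08" -> "8", so it is never read as octal
    if in_window "$dow" "$hour"; then shaping_on; else shaping_off; fi
}

# Root crontab entries that run this script at the window edges:
#   0 8  * * 1-5  DRY_RUN=0 /usr/local/sbin/sky-qos.sh
#   0 17 * * 1-5  DRY_RUN=0 /usr/local/sbin/sky-qos.sh
[ -n "$SKY_QOS_NO_MAIN" ] || apply "$@"
```

Run it with DRY_RUN=0 as root to actually install the qdisc; the default dry run only prints the tc commands so the schedule logic can be checked first.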