ClearFoundation

Network Settings

Network Settings: Local network services
Version: 4.2
Type: Community
Parent Doc: ClarkConnect 4.2 Administration Manual
Next Article: Firewall
Previous Article: Software Modules via Apt

Bandwidth

Overview

Bandwidth Information
Description: Manages bandwidth through the gateway.
Package Name: cc-bandwidth
Configuration Page: Network » IP Settings » Bandwidth

The bandwidth manager is used to shape or prioritize incoming and outgoing network traffic. You can limit and prioritize bandwidth based on IP address, IP address ranges, port, and port ranges.

Services

The Bandwidth Monitor service provides hourly bandwidth measurements from our remote system monitors. The service is an excellent tool for monitoring your Internet Service Provider's (ISP) quality of service. This service will monitor your downstream rate, the rate at which you can receive data from an external source (download speed).

How It Works

The bandwidth manager is designed to guarantee a certain speed for an IP address and/or port on your LAN (or DMZ). The bandwidth manager does not manage traffic to the ClarkConnect box itself. To demonstrate how the system works, let's go through a scenario with a voice-over-IP (VoIP) server. We have:

  • a 1000 kbit/s upload and download connection to the Internet
  • a voice-over-IP (VoIP) server at 192.168.1.80 on our local network
  • enabled a bandwidth rule that reserves 500 kbit/s upload and download for the VoIP server

In our example, the network is at first completely congested with web downloads. The VoIP server is idle, so the full 1000 kbit/s is used for the web downloads. In other words, the web downloads are allowed to “borrow” the bandwidth we have reserved for the VoIP server. Someone in the office then makes an outbound 4-person conference call via the voice-over-IP server. The conference call requires 300 kbit/s and the bandwidth manager will go into action. The lower priority web downloads will get slowed from the maximum 1000 kbit/s to 700 kbit/s. The higher priority conference call will receive its required 300 kbit/s.

Configuration

Bandwidth Rules

A bandwidth management rule contains the following six parameters.

Nickname

The first parameter is an optional nickname you can use to easily identify the rule. Valid nicknames can contain alphanumeric characters (A-Z, a-z, 0-9) and optional dashes '-' or underscores '_'. Spaces are not allowed.

IP Address/Range

The IP address parameter can contain:

  • A single IP address
  • An IP address range
  • nothing

If this field is left blank, then the bandwidth rule will apply to all IP addresses. IP ranges can be specified using network and netmask, for example: 192.168.0.1/255.255.255.0 or 192.168.0.1/24.

Port/Range

The port parameter is used to apply a bandwidth rule to a particular service. For instance, you can limit web traffic by specifying port 80. If the port is left empty, then all ports will be affected. You may also specify a colon-delimited port range. For instance, 5000:5010 would impact all the ports between 5000 and 5010.

Priority

Priority provides a mechanism to prioritize traffic when all bandwidth rules are at capacity. Higher priority traffic will be given preference over lower priority traffic. There are 7 priority levels, 1 - 7, where 1 is the highest priority. By default, traffic that is not matched by a bandwidth rule will be assigned the lowest priority.

Upload

The upload rate in kilobits per second. If left empty, the upload rate will be unlimited.

Download

The download rate in kilobits per second. If left empty, the download rate will be unlimited. Note: If both upload and download are left empty, then the rule will be invalid.
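
The parameter rules above written as a validator, as an added example (not ClarkConnect's own code). The function name `validate_rule`, the error texts, the 1-65535 port bounds and the default priority of 7 are assumptions of this example.

```python
import ipaddress
import re

NICKNAME_RE = re.compile(r"[A-Za-z0-9_-]+")   # letters, digits, '-' and '_'; no spaces
NUMBER_RE = re.compile(r"[0-9]{1,9}")         # plain ASCII digits only


def _number(text):
    """Return text as an int, or None if it is not a plain decimal number."""
    return int(text) if NUMBER_RE.fullmatch(text) else None


def validate_rule(nickname="", ip="", port="", priority="7", upload="", download=""):
    """Check one bandwidth rule; return {field: problem}, empty when valid.

    Every field is a string, as a web form would submit it. The default
    priority of 7 (lowest) is this example's choice.
    """
    errors = {}

    if nickname and not NICKNAME_RE.fullmatch(nickname):
        errors["nickname"] = "only A-Z, a-z, 0-9, '-' and '_' are allowed"

    if ip:  # blank means the rule applies to all IP addresses
        try:
            if "/" in ip:
                # accepts both 192.168.0.1/255.255.255.0 and 192.168.0.1/24
                ipaddress.IPv4Network(ip, strict=False)
            else:
                ipaddress.IPv4Address(ip)
        except ValueError:
            errors["ip"] = "not an IPv4 address or network/netmask range"

    if port:  # blank means all ports
        ports = [_number(p) for p in port.split(":")]
        if len(ports) > 2 or any(p is None or not 1 <= p <= 65535 for p in ports):
            errors["port"] = "expected PORT or LOW:HIGH within 1-65535"
        elif len(ports) == 2 and ports[0] > ports[1]:
            errors["port"] = "range start is above range end"

    level = _number(priority)
    if level is None or not 1 <= level <= 7:
        errors["priority"] = "expected 1 (highest) to 7 (lowest)"

    for field, value in (("upload", upload), ("download", download)):
        if value and not _number(value):   # blank means unlimited
            errors[field] = "expected a positive rate in kbit/s"

    if not upload and not download:
        errors["rate"] = "upload and download cannot both be empty"

    return errors
```

Rejecting anything outside these patterns before the values reach the traffic-shaping layer also keeps stray shell or rule syntax out of a field such as the nickname.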

Peer-to-Peer Bandwidth Rules

In order to manage peer-to-peer traffic, make sure you have the Peer-to-Peer module installed.

Configuring bandwidth control for peer-to-peer is similar to creating a regular bandwidth rule. However, you need to specify the peer-to-peer network instead of the IP address and port.

Units - kbit/s, kbps, Mbps and Other Confusing Notation

Depending on where you are and who you are talking to, there are different measurement units used for bandwidth. Here are some tips to help with converting from one unit to another – capitalization is important:

Unit: Alternatives
kilobits per second: kbps, kbit/s, kb/s
kilobytes per second: kBps, kbytes/s, kB/s
megabits per second: Mbps, Mbit/s, Mb/s
megabytes per second: MBps, Mbytes/s, MB/s

Conversion tips:

  • Mega is 1000 times larger than kilo
  • A byte is 8 times larger than a bit

Examples:

  • 1 Megabit per second is approximately 1000 kilobits per second
  • 1 Megabyte per second is approximately 8000 kilobits per second

DHCP Server

Overview

DHCP Server Information
Description: DHCP server for dynamically assigning IP addresses.
Package Name: cc-dnsmasq
Configuration Page: Network » IP Settings » DHCP

The Dynamic Host Configuration Protocol (DHCP) allows hosts on a network to request and be assigned IP addresses. This service eliminates the need to manually configure new hosts that join your network.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

Global Settings

Status

You can enable and disable the DHCP server at any time.

Authoritative

Unless you are running more than one DHCP server on your network, enable Authoritative mode. When it is enabled, DHCP requests on unknown leases from unknown hosts will not be ignored. This is the case when, for example, a foreign laptop is plugged into your network.

Domain Name

The server can auto-configure the default domain name for systems using DHCP on your network. You can either use a registered domain (for example: example.com) or you can simply make one up (for example: lan). Example:

  • A desktop system on your local network has a system name scooter and uses DHCP.
  • The domain name specified in the DHCP server is example.com.
  • On startup, the desktop system appends example.com to its system name. Its full hostname would become scooter.example.com.

Subnet Configuration

In a typical installation, the DHCP server is configured on all LAN interfaces. To add/edit DHCP settings for a particular network interface, click on the appropriate add/edit button. The following screenshot highlights the button for adding DHCP settings for the eth1 network interface.

Network, Netmask and Broadcast

The network, netmask and broadcast are automatically detected. In almost all circumstances, you want to use these detected default values.

IP Ranges

Keep a range of IP addresses available for systems and services that require static addresses. For instance, VPN and some types of network printers require static IP addresses.

In a typical local area network, the first 99 IP addresses are set aside for static addresses while the remaining addresses from 100 to 254 are set aside for the systems using the DHCP server. Adjust these settings to suit your needs and your network.

DNS Address

The server can auto-configure the DNS settings for systems using DHCP on your network. By default, the IP address of the caching DNS server on your ClarkConnect system is used. You should change this setting if you want to use an alternate DNS server.

WINS Address

If you have a Microsoft Windows Internet Naming Service (WINS) server on your network, you can provide the IP address to all Windows computers on your network. This will allow Windows systems to access resources via Network Neighborhood. You can enter the LAN IP address of your ClarkConnect system here if you have enabled the WINS server on ClarkConnect.

Active and Static Leases

A list of systems that are actively using the DHCP server is shown in the Active Leases table. If you would like to make a DHCP lease for a particular system permanent, you can click on the appropriate Add button in this list. In the screenshot below, the button to add 192.168.2.212/Scooter as a static lease is shown.

Common Errors

  • You should only have one (1) DHCP server per network.
  • Enabling DHCP on your Internet connection is not a good idea.

Hosts and DNS Server

Overview

Hosts and DNS Server Information
Description: Hosts file and local DNS server configuration.
Package Name: cc-dnsmasq
Configuration Page: Network » IP Settings » Hosts and DNS Server

Hosts (/etc/hosts) is a simple text file that associates IP addresses with hostnames. If you have the caching DNS server installed, all the entries in the hosts file will be made available.

Configuration

A host is defined as any system with an IP address – desktop, laptop, printer, media device, etc. Each host can have a hostname, along with any number of aliases. For example, you could add a hostname for a file server on your network with the following settings:

  • IP Address: 192.168.1.10
  • Hostname: fileserver.example.com

After adding the hostname, you are given an opportunity to add additional aliases (or hostnames) for the given host. If we were using the file server as a backup server, we could add backup.example.com to the list of aliases.

Tips and Tricks

You may have noticed that a default alias is added whenever you add a hostname. For example, adding the hostname fileserver.example.com will also add the default alias fileserver. This alias can be used as a shortcut on your network. How? If you use the ClarkConnect DHCP server, you can specify a default domain name. Staying with our example, our default domain name should be set to example.com. Any system using DHCP could then access other systems on the network using the alias (fileserver) instead of the full hostname (fileserver.example.com).

IP Settings

Overview

IP Settings Information
Description: IP, hostname and DNS settings.
Package Name: cc-network
Configuration Page: Network » IP Settings » IP Settings

A configuration page for configuring your network cards, hostname and DNS servers.

Configuration

Linux will auto-detect most PCI-based network cards. Older ISA cards may require setting parameters for the IRQ and IO. You may also need to disable plug-and-play features on the card. Please check Red Hat's Hardware Compatibility Lists to see what settings may be required for your brand of network card.

Network Roles

When configuring a network interface, the first thing you need to consider is the network role. Will this network card be used to connect to the Internet, for a local network, for a network with just server systems? The following network roles are supported in ClarkConnect and are described in further detail in the next sections:

  • External - network interface with direct or indirect access to the Internet
  • LAN - local area network
  • Hot LAN - local area network for untrusted systems
  • DMZ - de-militarized zone for a public network

On a standalone system, your network card should be configured with an external role, not a LAN role.

External

The external role provides a connection to the Internet. On a ClarkConnect system configured as a gateway, the external role is for your Internet connection. On a ClarkConnect system configured in standalone mode, the external role is for connecting to your local area network.

With the Office and Enterprise Editions, you can have more than one external interface configured for load balancing and automatic failover. See the Multi-WAN section of the user guide for details.

Gateway Setting – If you have a static IP address, it is important to make sure the gateway configuration setting is correct. If the gateway setting is missing or invalid, your system will be unable to reach the Internet. On most networks, the gateway IP address will be on the same network as your external IP address. For example, an external IP address of 10.22.22.22 will typically have a gateway at 10.22.22.1 or 10.22.22.254. In some circumstances, the gateway will not be on the same network. You will see a warning message about this unusual gateway configuration.

LAN

The LAN (local area network) role provides network connectivity for your desktops, laptops and other network devices. LANs should be configured with an IP address range of 192.168.x.x or 10.x.x.x. For example, you can configure your ClarkConnect LAN interface with the following:

  • IP: 192.168.1.1
  • Netmask: 255.255.255.0

All systems on your LAN would have IP addresses in the range of 192.168.1.2 to 192.168.1.254.

Hot LAN

Hot LAN (or “Hotspot Mode”) allows you to create a separate LAN network for untrusted systems. Typically, a Hot LAN is used for:

  • Servers open to the Internet (web server, mail server)
  • Guest networks
  • Wireless networks

A Hot LAN is able to access the Internet, but is not able to access any systems on a LAN. As an example, a Hot LAN can be configured in an office meeting room used by non-employees. Users in the meeting room could access the Internet and each other, but not the LAN used by employees.

The Port Forwarding page in the web-based administration is used to forward ports to both LANs and Hot LANs.

Only one Hot LAN is permitted.

DMZ

In ClarkConnect, a DMZ interface is for managing a block of public Internet IP addresses. If you do not have a block of public IP addresses, then use the Hot LAN role. A typical DMZ setup looks like:

  • WAN: An IP address for connecting to the Internet
  • LAN: A private network on 192.168.x.x
  • DMZ: A block of Internet IPs (e.g. from 216.138.245.17 to 216.138.245.31)

The web-based administration tool has a DMZ Configuration tool to manage the DMZ network.

Virtual IPs

ClarkConnect supports virtual IPs. To add a virtual IP address, click on the link to configure a virtual IP address and specify the IP Address and Netmask.

You will also need to create advanced firewall rules if the virtual IP is on the Internet.

Configuration from the Console

You can access network configuration tools from the Administration Console tool. All other configuration is done remotely via a web browser – the console is only used to change or configure your network information. The console can be accessed from a monitor and keyboard attached to the server.

Troubleshooting

The two network cables coming from your box may need to be swapped. If you are having a hard time connecting to the Internet, make sure you try swapping the cables. In most installs, the network cards and IP settings will work straight out of the box. However, getting the network up the first time can be an exercise in frustration on some installs. Issues include:

  • Network cards that are not auto-detected
  • Invalid network settings (username, password, default gateway)
  • Finicky cable/DSL modems that cache network card hardware information

Here are some helpful advanced tools and tips to diagnose a network issue. After booting the system, hit Alt-F2 to get to a login prompt. Login with your username root and your password. The following tools will show detailed diagnostic data on your network cards.

  • mii-tool displays link status and speed
  • ethtool eth0 displays link status, speed, and many other stats - not all cards support this tool
  • ifconfig eth0 displays IP settings on eth0

Multi-WAN

Overview

Multi-WAN Information
Description: Support for multiple connections to the Internet.
Package Name: cc-multiwan
Configuration Page: Network » IP Settings » Multi-WAN

The multi-WAN feature in ClarkConnect allows you to connect your system to multiple Internet connections. ClarkConnect multi-WAN not only provides load balancing, but also automatic failover.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

How It Works

ClarkConnect multi-WAN has the following features:

  • auto-failover
  • load balanced
  • round-robin based on user-defined weights (see configuration section)

To give you an example of how multi-WAN works, imagine two 1 Mbit/s DSL lines with two users on the local network. With every new connection to a server on the Internet, the multi-WAN system alternates WAN interfaces. User A could be downloading a large file through WAN #1, while User B is making a voice-over-IP (VoIP) telephone call on WAN #2.

With some applications, the download speed for the multi-WAN system can use the full 2 Mbit/s available. For example, downloading a large file from a peer-to-peer network will use the bandwidth from both WAN connections simultaneously. This is possible since the peer-to-peer technology uses many different Internet “peers” for downloading. At the other end of the spectrum, consider the case of downloading a large file from a web site. In this case, only a single WAN connection is used – 1 Mbit/s maximum.

Bandwidth aggregation (combining multiple WAN interfaces to look like a single WAN interface) is not possible without help from your ISP since both ends of an Internet connection must be configured.

Configuration

Enable/Disable

When multi-WAN is enabled, all active WAN interfaces are used to connect to the Internet. When multi-WAN is disabled, the first active WAN interface is the only network used to connect to the Internet.

Weights

Multi-WAN weights are used to load balance outbound Internet traffic. By default, all WAN interfaces are given a weight of one. This default configuration means the network traffic will be (roughly) evenly split amongst the different WAN connections. In one of the typical multi-WAN configurations, a second broadband connection is used for backup. This second connection is often a low-cost and low-bandwidth connection. In this case, you would want to set the weight on your high-bandwidth connection to 3 or 4, while leaving your low-cost/low-end connection with a weight of 1.

Source Based Routes

In some situations, you may want a system on your local area network (LAN) to always use a particular WAN interface. The screenshot below displays the configuration for two scenarios:

  • Sending network traffic for the 216.138.245.16/28 block of Internet IPs out the eth0 WAN.
  • Sending network traffic from a voice-over-IP (VoIP) server on the LAN at 192.168.1.100 out the eth1 WAN.

Destination Port Rules

In some situations, you may want to send network traffic for a specific port from your LAN out a particular WAN interface. The screenshot below displays the configuration for always sending DNS traffic (port 53) out the eth0 WAN network. Destination port rules only apply to connections originating on your LAN. These rules do not apply to traffic originating from the ClarkConnect system itself.

Routing Policies

Some Internet service providers (ISPs) will not allow traffic from source addresses they do not recognize as their own. The following scenarios will give you a good idea of common issues faced in a multi-WAN environment. In the examples, we assume two connections, but the same issues crop up with three or more connections.

DNS Servers

The DNS servers configured on the ClarkConnect system will be provided by one or both ISPs. In our example, we are going to assume that ISP #1 provides the DNS servers. If a DNS request from your network goes out the ISP #2 connection, it might get blocked by ISP #1. Result: DNS requests will only succeed on ISP #1.

Solution – Use DNS servers that are accessible from any network. If your ISPs do not provide such DNS servers, then we recommend using OpenDNS. Note: your DHCP/DSL network configuration settings should have the Automatic DNS Servers checkbox unchecked - see screenshot.

DMZ Networks and 1-to-1 NAT

If you have a range of extra IP addresses provided by ISP #1, you may need to explicitly send traffic from these extra IPs out the ISP #1 connection. ISP #2 may drop the packets.

Solution – Use a Source Based Route for your DMZ network.

Network Tools

Overview

Network Tools Information
Description:
Package Name: cc-nettools
Configuration Page: Network » IP Settings » Network Tools

Provides basic networking tools to help diagnose network problems.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

Connection Monitor

The connection monitor shows real-time information on connections going in and out of the ClarkConnect system. This tool can be useful when diagnosing issues on your local network (for example, finding a computer with a virus).

  • Protocol – the Internet protocol used by the connection
  • Expires – the time in hours remaining before the connection expires
  • Source – the source IP address
  • Destination – the destination IP address
  • Status – the status of the connection
  • Port – the source port and destination port
  • Service – the service associated with the destination port (if known)

Routing Table

The routing table provides technical information on the active routes on the system.

Protocol Statistics

Detailed technical information on the underlying TCP/IP network.

UPnP

Overview

UPnP Information
Description: Universal plug and play software.
Package Name: linuxigd
Configuration Page: N/A

UPnP should only be used on a home or trusted network. Avoid using this software on office, school or other untrusted networks. See note below.

UPnP has many opponents. However, we feel that Open Source is all about giving people choices, and letting intelligent people make intelligent decisions about its use. A lot of us really need this daemon, and can live with the consequences because we are simply connecting a home network to the Internet through one IP.

UPnP version 1.0 is inherently flawed. What appears to have happened is that in Microsoft's first UPnP implementation they weren't concerned with security or any advanced controls; all they wanted was connectivity. So we are stuck with this for now. The UPnP server, by itself, does no security checking. If it receives a UPnP request to add a port mapping for some IP address inside the firewall, it just does it. Theoretically this could open up ports on some other system.
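
The check that the paragraph above says is missing, as an added example (not linuxigd code and not part of ClarkConnect): a port-mapping request is accepted only when the internal client it names is the host that sent it. The LAN range, the function names, the 1024 port floor and the sample request body are assumptions constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN behind the gateway
FIELDS = ("NewInternalClient", "NewInternalPort", "NewExternalPort", "NewProtocol")


def parse_add_port_mapping(soap_body):
    """Extract the AddPortMapping arguments from a SOAP body; None if malformed."""
    if "<!DOCTYPE" in soap_body or "<!ENTITY" in soap_body:
        return None                        # a control request needs no DTD or entities
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return None
    args = {}
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]     # strip any XML namespace
        if name in FIELDS:
            args[name] = (elem.text or "").strip()
    return args if len(args) == len(FIELDS) else None


def check_mapping(requester_ip, soap_body):
    """Return (allowed, reason) for a request received from requester_ip."""
    args = parse_add_port_mapping(soap_body)
    if args is None:
        return False, "malformed request"
    try:
        requester = ipaddress.ip_address(requester_ip)
        client = ipaddress.ip_address(args["NewInternalClient"])
        ext_port = int(args["NewExternalPort"])
        int_port = int(args["NewInternalPort"])
    except ValueError:
        return False, "bad address or port"
    if requester not in LAN:
        return False, "request did not come from the LAN"
    if client != requester:
        # the gap described above: a mapping that points at some other system
        return False, "internal client differs from requester"
    if args["NewProtocol"] not in ("TCP", "UDP"):
        return False, "unknown protocol"
    # assumed policy of this example: never map privileged ports
    if not (1024 <= ext_port <= 65535 and 1024 <= int_port <= 65535):
        return False, "privileged or out-of-range port"
    return True, "ok"


def sample_request(client, ext_port=5060, int_port=5060, proto="UDP"):
    """Constructed AddPortMapping body for exercising the check (not captured traffic)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>voip</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )
```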

Wireless Card Configuration

Overview

Wireless Networking Information
Description: Wireless network card settings.
Package Name: cc-wireless
Configuration Page: Network » IP Settings » Wireless

ClarkConnect includes support for wireless network cards.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

Supported Hardware

Many wireless network cards work out of the box in Linux (see Links section below). However, we only officially support the following:

  • PCI: Netgear 11Mbps 802.11b Wireless PCI Card (MA311)
  • ISA-to-PCMCIA bridge: All models
  • PCI-to-PCMCIA bridge: Buffalo Tech WLI-PCI-OP
  • PCMCIA: Orinoco Silver and Gold 802.11b PCMCIA

From the Orinoco site: “For PCs with an ISA slot, the ORiNOCO ISA adapter is strongly advised.” In other words, only purchase the PCI card if your system is PCI-only.

PCMCIA Settings

If you use a PCMCIA (laptop) card, you may need to change some of the settings.

PCIC Driver

There are a few different types of hardware drivers (PCIC drivers) available for PCMCIA. Consult your hardware's user guide or online support to determine your settings. For the Orinoco PCMCIA cards, use i82365.

PCIC Options and Core Options

Some PCMCIA hardware drivers require special options. In most cases, you can leave the PCIC Options and Core Options blank. Consult your hardware's user guide or online support if the system is unable to detect your card. For the Orinoco PCMCIA cards, you may need to use i365_base=0x3e2 for PCIC Options (leave Core Options blank).

Network Settings

The network configuration for a wireless card is done just like any other network card. However, the following extra wireless-only options are required.

ESSID

The ESSID is a nickname to give your wireless network. In the screenshot, the name Woburn Wireless is used. When configuring other wireless devices on your network, make sure you use the same ESSID.

Mode

The wireless card can run in a number of different modes. The most common are Ad-Hoc and Master/Access Point. From the list of officially supported wireless cards, only Ad-Hoc mode is supported. For unofficial wireless cards, you may be able to run the card in other modes.

Secret Key

The Secret Key is used to encrypt your network traffic. The Orinoco Silver card requires a 5-character (40-bit) key prefixed with 's:' - e.g. s:abcde. This must match the settings for other wireless devices on your network.

MAC Address Filtering

For added security, you can allow only certain network MAC addresses on your wireless network.

Links

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported
Video demonstrations - Copyright © 2010 ClearCenter Corporation