lutful
... of ideas
Premium Member
join:2005-06-16
Ottawa, ON

2 edits

lutful to cmaenginsb1

Re: Help with Network flow

said by cmaenginsb1:

You also have not provided an example of how to use the 802.1x authentication process to set PPPoE rate limiting.
The very first WISP "controller" box I commissioned actually had 802.1X/RADIUS and MAC-based authentication using the exact same traffic controller code based on Linux "tc" ... see screenshot. I proposed the first "802.1X"-based WISP network in fall of 2004 while that controller development was in progress.

When we started exploring 802.1X in late summer of 2004, MikroTik may have lacked some of those features - that can be verified from their change logs. Required WISP equipment was fully debugged by early 2005, including first 48V PoE 125mW 5.8GHz transparent bridge and first 48V PoE 200mW 2.4GHz 802.11g/WDS/802.1X AP.

There was no 802.1X CPE at that point but the controller would have authenticated every computer and laptop directly in that small WISP network. Meanwhile we were developing that WRAP-based 802.1X CPE and a better RADIUS/802.1X server.

When I have time, I will put together a full document with more screenshots and explanations. I failed on the business side ... but hopefully some popular WISP vendor could take this up and succeed. I boldly predict that will change the tone of 802.1X vs PPPoE debates in the future.
cmaenginsb1
Premium Member
join:2001-03-19
Palmdale, CA

I would appreciate this as I am trying to avoid going to PPPoE as I don't need the encapsulation, just a "better" way to manage IP addresses and bandwidth configuration.
I don't have the time to build something from scratch so even a moderately technical "cookbook" would be of help.
vaden9
Premium Member
join:2009-10-11

said by cmaenginsb1:

I would appreciate this as I am trying to avoid going to PPPoE as I don't need the encapsulation, just a "better" way to manage IP addresses and bandwidth configuration.
I don't have the time to build something from scratch so even a moderately technical "cookbook" would be of help.
Does it make sense to compile a vetted list of CPEs which completely and correctly support IEEE 802.1x so that as many folks as possible feel comfortable with the alternative?
lutful
... of ideas
Premium Member
join:2005-06-16
Ottawa, ON

lutful to cmaenginsb1

said by cmaenginsb1:

I don't have the time to build something from scratch so even a moderately technical "cookbook" would be of help.
That 2004 WISP appliance actually used a whole bunch of Java classes (Apache Tomcat) ... above are just for networking stuff and authentication stuff. I was trying to show how that per-user traffic control was done using iptables/tc like most Linux-based projects. :)

For example this is the add user profile script:
#!/bin/sh
#
# Adds the TC (traffic control) rules for a user.
#
# NOTE: tc.sh must be run before this script
#
# $1 is the mark number (marked by IPTables)
# $2 is max upload speed (in bits per sec)
# $3 is max download speed (in bits per sec)
#
 
EXTDEV="eth0"
INTDEV="eth1"
 
UPCIEL=$2
DOWNCIEL=$3
UPRATE=$((UPCIEL / 2))
DOWNRATE=$((DOWNCIEL / 2))
 
# Path to the traffic control application
TC=/sbin/tc
 
# Add the upload rules
$TC class add dev $EXTDEV parent 1:20 classid 1:${1} htb rate $UPRATE ceil $UPCIEL prio 3
$TC qdisc add dev $EXTDEV parent 1:${1} handle ${1}: sfq perturb 10
$TC filter add dev $EXTDEV parent 1:0 protocol ip prio 3 handle ${1} fw flowid 1:${1}
 
# Add the download rules
$TC class add dev $INTDEV parent 1:20 classid 1:${1} htb rate $DOWNRATE ceil $DOWNCIEL prio 3
$TC qdisc add dev $INTDEV parent 1:${1} handle ${1}: sfq perturb 10
$TC filter add dev $INTDEV parent 1:0 protocol ip prio 3 handle ${1} fw flowid 1:${1}
 
exit 0
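
A validated variant of the add-user script above, as an added example and not the appliance's own code: it checks the mark and both rates before they reach `$(( ))` or `tc`, and reports failures instead of always exiting 0. The `MIN_BPS`/`MAX_BPS` bounds, the return codes, the function names and the `TC=echo` dry-run hook are assumptions of this example, as is the premise that the arguments can originate from application or RADIUS data.

```shell
#!/bin/sh
# Added example (not the appliance's code): checks the three arguments of the
# add-user script before they reach arithmetic expansion or tc.
EXTDEV="eth0"
INTDEV="eth1"
TC="${TC:-/sbin/tc}"   # set TC=echo for a dry run (assumed hook)
MIN_BPS=8000           # assumed policy floor, bits per second
MAX_BPS=1000000000     # assumed policy ceiling, bits per second

# True only for a plain decimal integer: no sign, no leading zero, <= 10 digits.
is_uint() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 10 ]
}

# The mark doubles as classid 1:<mark> and qdisc handle <mark>:, which tc reads
# as 16-bit hex, so allow at most four digits. 1 is the root qdisc handle
# (the filters attach to 1:0) and 20 is the parent class 1:20.
valid_mark() {
    is_uint "$1" && [ "${#1}" -le 4 ] && [ "$1" != 1 ] && [ "$1" != 20 ]
}

valid_rate() {
    is_uint "$1" && [ "$1" -ge "$MIN_BPS" ] && [ "$1" -le "$MAX_BPS" ]
}

# add_dev_rules DEV MARK CEIL: the original class/qdisc/filter triple with
# every expansion quoted; stops at the first tc failure.
add_dev_rules() {
    "$TC" class add dev "$1" parent 1:20 classid "1:$2" htb \
        rate "$(($3 / 2))bit" ceil "${3}bit" prio 3 &&
    "$TC" qdisc add dev "$1" parent "1:$2" handle "$2:" sfq perturb 10 &&
    "$TC" filter add dev "$1" parent 1:0 protocol ip prio 3 \
        handle "$2" fw flowid "1:$2"
}

# add_user MARK UP_BPS DOWN_BPS: 0 on success, 2 on bad input, 1 if tc failed.
add_user() {
    [ "$#" -eq 3 ] || return 2
    valid_mark "$1" && valid_rate "$2" && valid_rate "$3" || return 2
    add_dev_rules "$EXTDEV" "$1" "$2" && add_dev_rules "$INTDEV" "$1" "$3" ||
        return 1
}
```

Ending the file with `add_user "$@"` makes it a drop-in for the original script's three-argument call.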