
Splitting International and Local Bandwidth with IPcop

Bernie

Expert Member
Joined
May 2, 2006
Messages
1,911
#1
Hey Everyone. (Latest Version)

I managed to get my IPcop firewall to split traffic between International and Local. I was always jealous of those who used routesentry :) but I was not prepared to do away with my IPcop and didn't want to create PPPoE connections on the PCs, and knew there must be a way to do this on IPcop.

I would like to acknowledge that I used the idea from Fausto's post (http://mybroadband.co.za/vb/showthread.php?t=52541). I also used Fausto's excel spreadsheet to get the list of local subnets. Thank You.

This is what I did:

(You need to SSH into the IPcop box with putty or similar app)

The first thing I needed to find out was the pppd command I need in order to set up a second PPPoE connection to my ISP. All I did was issue the following command while I had a connection running:

ps -ef|grep pppd

I got the following:

root 12942 1 0 Jan24 ? 00:00:00 /usr/sbin/pppd plugin rp-pppoe.so eth1 usepeerdns noipdefault defaultroute hide-password ipcp-accept-local ipcp-accept-remote passive noccp nopcomp novjccomp user MyUserName lcp-echo-interval 20 lcp-echo-failure 3 lcp-max-configure 50 maxfail 5

I then saved the command into a separate file for later use in a script.

I made a couple of changes to the command for my second link. The first change I made was use the "nodefaultroute" option as I was going to be setting up only the static local subnets as routes. I also took out the "hide-password" option. I was going to use the "password" option directly in the command itself.

My new pppd command now looks like this:

/usr/sbin/pppd plugin rp-pppoe.so eth1 usepeerdns noipdefault nodefaultroute ipcp-accept-local ipcp-accept-remote passive noccp nopcomp novjccomp user MyUserName password MyPassword lcp-echo-interval 20 lcp-echo-failure 3 lcp-max-configure 50 maxfail 5

If you now issue this command, it will create a second PPPoE. This session I use for my local bandwidth using the login and password for my ISP's local only bandwidth. This will now create a ppp1 interface.

If you now issue the "ifconfig" command you should see something resembling this:

ppp0 Link encap:point-to-Point Protocol
inet addr:41.242.xxx.xxx P-t-P:41.242.64.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1492 Metric:1
RX packets:22389 errors:0 dropped:0 overruns:0 frame:0
TX packets:18924 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:13928646 (13.2 MB) TX bytes:2324103 (2.2 MB)

ppp1 Link encap:point-to-Point Protocol
inet addr:165.146.xxx.xx P-t-P:165.146.136.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1492 Metric:1
RX packets:33469 errors:0 dropped:0 overruns:0 frame:0
TX packets:25741 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:34376539 (32.7 MB) TX bytes:3326728 (3.1 MB)

Where ppp0 is international and ppp1 is local.

Now that we have both connections up and running we need to add in the static routes for our local only interface (ppp1 in my case). For each static route issue the following command:

route add -net 129.227.206.0 netmask 255.255.255.0 ppp1
.
.
.
route add -net 163.199.18.0 netmask 255.255.255.0 ppp1
etc. etc.

We now need to tell IPcop, that any traffic not found in the above static routing, to now use the international interface (ppp0 in my case). Issue the following command.

route add default dev ppp0 metric 0

While testing, I found that when trying to send emails using local only bandwidth, the email gets rejected. So in my case, since I use smtp.saix.net, I had to explicitly add a static route to this host on my international bandwidth interface. I issued the following command:

route add -host 196.25.240.94 ppp0

Now, the last thing to do is to enable NAT/MASQUERADING for ppp0 and ppp1, you need to add the following iptables command:

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

And Bob's your uncle, Jane's your aunt: this now effectively splits the bandwidth accordingly.

What I did is put all of this into a script file. The script basically does the following:

It runs every 2 minutes (in the cron) and checks if international is up (ppp0). If it is up, it then checks to see if local is up (ppp1). If both are up and running the script exits. If International is up, and local is not, it re-establishes ppp1, the routes etc and exits. If international is down but local is up, I just kill the process that is running local (ppp1). My IPcop box will then just automatically attempt to re-start international session as that is what the default profile is set to. At the next script cycle (within 2mins), the local connection will be re-established.

For my use, I only wanted local running if international was running, that's why I use the above logic, to try and keep ppp1 and ppp0 basically in sync.

I initially tried to use the system's /etc/rc.d scripts to achieve this, but met with limited success; I was not too au fait with these scripts and how they all interlink. Also I was worried that a new IPcop update would automatically override these scripts, so decided to use the cron method.

Below is the script that I am using:

#!/bin/bash
# Keeps the local-only PPPoE session (ppp1) in step with international (ppp0).
DATE=`date`
LOGFL=/tmp/rt.set.log
echo "----------------------" >> $LOGFL
echo $DATE >> $LOGFL

LOCAL=ppp1
INTL=ppp0
# The interface name is the first column of ifconfig output; anchoring the
# match stops ppp1 from also matching ppp10, ppp11, ...
PPCHKI=`ifconfig|grep "^$INTL "|awk '{print $1}'`
PPCHKL=`ifconfig|grep "^$LOCAL "|awk '{print $1}'`
if [ "$PPCHKI" == $INTL ]; then
    if [ "$PPCHKL" == $LOCAL ]; then
        echo "$LOCAL already exists. Exiting..." >> $LOGFL
        exit
    fi
else
    if [ "$PPCHKL" == $LOCAL ]; then
        # Exclude the grep process itself from the PID list
        PID=`ps -ef|grep MyLocalUserName|grep -v grep|awk '{print $2}'`
        echo "NO $INTL, therefore killing $LOCAL PID $PID" >> $LOGFL
        kill -9 $PID
    fi
    echo "$INTL Not connected. Exiting..." >> $LOGFL
    exit
fi

echo "Creating connection..." >> $LOGFL
PPUSER=MyUserName
PPASS=MyPassword
# The password is passed as a command-line argument here, so it is part of
# the pppd command line that "ps -ef" displays.
/usr/sbin/pppd plugin rp-pppoe.so eth1 usepeerdns noipdefault nodefaultroute ipcp-accept-local ipcp-accept-remote passive noccp nopcomp novjccomp user $PPUSER password $PPASS lcp-echo-interval 20 lcp-echo-failure 3 lcp-max-configure 50 maxfail 5
sleep 5
echo "Setting up routes..."
route add -net 129.227.206.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.207.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.208.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.209.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.210.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.211.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.212.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.213.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.214.0 netmask 255.255.255.0 $LOCAL
route add -net 129.227.215.0 netmask 255.255.255.0 $LOCAL
route add -net 137.158.0.0 netmask 255.255.0.0 $LOCAL
route add -net 137.214.0.0 netmask 255.255.0.0 $LOCAL
route add -net 137.215.0.0 netmask 255.255.0.0 $LOCAL
# <snip>
route add -net 80.87.74.0 netmask 255.255.254.0 $LOCAL
route add -net 80.87.76.0 netmask 255.255.254.0 $LOCAL

echo "Setting Intl. Route..."
route add default dev $INTL metric 0
# SAIX does not allow email to be sent from local only account, therefore
# have to explicitly add the IP of smtp.saix.net to INTL route
route add -host 196.25.240.94 $INTL
sleep 2
echo "Adjusting IPTABLES..."
# -A appends, so this rule is added again each time ppp1 is re-dialled
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
sleep 2
echo "--- END SCRIPT ---" >> $LOGFL

The entry in my crontab looks like this:

#Added to check for ppp1 every 2 mins
*/2 * * * * /tmp/rt.set > /dev/null


Some Notes:

I am by no means a Network/Linux/IPcop guru. The above does work for me though. And I have no doubt that this could be tweaked and improved and streamlined.

I cannot say if the above punches any holes in the firewall. What I can say is that I ran a shields up test at https://www.grc.com/default.htm and it passed 100% stealth. My firewall logs look pretty normal and I have not noticed anything strange. To my knowledge and experience all seems OK.

What I also noticed is that as soon as the second PPPoE connection is established, IPcop shows that connection as the RED connection, although both connections are treated as RED. So all remote admin, SSHing will be done via the local connection (which is what I want in my case).

If anyone can spot any weaknesses or problems please give feedback.


I see the indentation of the script is removed. Not sure why. Must be the forum software. Apologies.
 
Last edited:
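
The checks behind the watchdog in the first post, restructured as an added example (not Bernie's script and not IPCop code): exact interface matching, validation of the subnet list before any route command is built, and a count of existing MASQUERADE rules so the NAT rule is added only once. Function names and sample values are assumptions made for illustration; the rule check assumes the text comes from `iptables-save -t nat`.

```shell
#!/bin/sh
# Added example (not the poster's script). Interface roles follow the post:
# ppp0 = international, ppp1 = local. Function names are hypothetical.

# True if interface $1 appears as an exact name in `ifconfig` text on stdin.
# A bare `grep ppp1` also matches ppp10, ppp11, ...
has_iface() {
    awk -v want="$1" '$1 == want || $1 == (want ":") { f = 1 } END { exit !f }'
}

# Map link state (ifconfig text in $1) to the action the post describes:
# noop | dial_local | kill_local | wait
decide_action() {
    intl=no; loc=no
    if printf '%s\n' "$1" | has_iface ppp0; then intl=yes; fi
    if printf '%s\n' "$1" | has_iface ppp1; then loc=yes; fi
    case "$intl/$loc" in
        yes/yes) echo noop ;;        # both up: nothing to do
        yes/no)  echo dial_local ;;  # re-establish ppp1, routes, NAT
        no/yes)  echo kill_local ;;  # keep ppp1 in step with ppp0
        *)       echo wait ;;        # IPCop re-dials ppp0 by itself
    esac
}

# True if $1 is a dotted quad with every octet in 0..255.
is_quad() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read "network netmask" pairs on stdin and print validated route commands
# for interface $1. Printing keeps this a dry run; nothing is applied here.
route_cmds() {
    while read -r net mask; do
        case "$net" in ''|'#'*) continue ;; esac   # blank lines, comments
        if is_quad "$net" && is_quad "$mask"; then
            echo "route add -net $net netmask $mask $1"
        else
            echo "skipped invalid entry: $net $mask" >&2
        fi
    done
}

# Count ppp+ MASQUERADE rules in `iptables-save -t nat` text on stdin.
# Append the rule only when this prints 0, so re-dials do not stack copies.
masq_rule_count() {
    grep -c -- '^-A POSTROUTING -o ppp+ -j MASQUERADE' || true
}
```

Keeping the subnet list in its own file and feeding it to `route_cmds` also means a malformed line in a downloaded list is rejected instead of being run as root from cron.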

Bernie

Expert Member
Joined
May 2, 2006
Messages
1,911
#3
I agree. This is true. But for my needs this works well. Once set up, the whole network is set up. Any PC that joins the network will automatically use this configuration. I have 4 PCs at home, and I occasionally get family and friends who bring their notebooks to my house to use the network, and by default their bandwidth will be split, I don't have to make sure that each PC has routesentry loaded.
 

ColinR

Expert Member
Joined
Aug 24, 2006
Messages
3,751
#4
I'm convinced - gonna give it a go now.

BTW: do you need two NIC's for IP cop and PPOE connections?
 

Bernie

Expert Member
Joined
May 2, 2006
Messages
1,911
#5
> I'm convinced - gonna give it a go now.
>
> BTW: do you need two NIC's for IP cop and PPOE connections?

You need at least 2 NICs, one for your GREEN (internal) network and one for your RED (Internet). You can have up to 4 NICs.
 

ColinR

Expert Member
Joined
Aug 24, 2006
Messages
3,751
#6
> You need at least 2 NICs, one for your GREEN (internal) network and one for your RED (Internet). You can have upto 4 NIC's.

OK, will get that second NIC lying around installed. Asking because the docs say you need at least one...
 

Bernie

Expert Member
Joined
May 2, 2006
Messages
1,911
#7
> OK, will get that second NIC lying around installed. Asking because the docs say you at least one...

It has been a while since I did a full install, so I do stand to be corrected. Maybe what I meant was that for IPcop to work, you need at least 2 connections, one can be a simple dial-up modem, the other a NIC.
 

ColinR

Expert Member
Joined
Aug 24, 2006
Messages
3,751
#9
> routesentry is much simpler to set up...

True, but this is a way neater/transparent option for multiple PC's on one ADSL connection.

We're currently running RouteSentry (great app), and a Proxy. Setting up every app to use that proxy is a nightmare, never mind the email setup - uggh.

If this works properly, and as Bernie says, can be stabilised/improved to the point where it's perfect - GREAT!

Thanks for sharing Bernie.
 

ASS_SAZiN`

Senior Member
Joined
Jul 14, 2005
Messages
517
#10
Well done this is great!

I also wanted to do this for a while! Finally opted to go for Ubuntu and got it running nicely! Would like to give it a go again on IPcop!
 

Tinuva

The Magician
Joined
Feb 10, 2005
Messages
7,997
#11
> routesentry is much simpler to set up...

That's true, but what a mission if you want to share that to the rest of your home network, and it doesn't work with Vista :p

Now I have gone for a similar route as the OP, however mine was much much simpler.

I use a bit of a heavier linux firewall distro called Euro Node (the free version at http://euronode.org/).

My reason for this is, I want to do more with my linux box than just share the internet and so this works good with an awesome out of the box debian install that is almost as easy as ipcop and I can update it myself!

I just made a few copies of the pppoe scripts and a little bit of tweaking to the ip-up.d, as close as possible to the linux thread that's floating around.

Of course euronode is not as easy as ipcop, but just as secure and can do a lot more ;)
 

ColinR

Expert Member
Joined
Aug 24, 2006
Messages
3,751
#13
Eventually got IPCop to recognise the network cards. And it's confirmed running with the normal international account.

Question is, where is the full script to run?
and what is the Script option under the PPPoE settings? - could it not be added in there?
 

Bernie

Expert Member
Joined
May 2, 2006
Messages
1,911
#14
> Eventually got IPCop to recognise the network cards. And it's confirmed running with the normal international account.
>
> Question is, where is the full script to run?
> and what is the Script option under the PPPoE settings? - could it not be added in there?

I will PM you the full script that I use as it is very large. It contains all the local subnets. Or if you prefer, PM me an email address and I will email it as well.

That script option as far as I understand is used to connect to your ISP without using the PAP or CHAP options. I'm not 100% sure though if it can be used for this purpose. Here is the extract from the documentation.

Authentication. Username and Password are the username and password that your ISP should have supplied to you when you opened your account with them. There are several ways in which ISPs use this username and password to login to their systems. The most common methods are PAP or CHAP. Select this if your ISP uses either of those two. If your ISP uses a text-based login script, choose standard login script. For people in the UK who use Demon Internet as their ISP, a special script has been created for them to use. The "Other" login script option has been provided for people who have ISPs with special needs. If you need to do this, you will need to login to the IPCop box and create a file in /etc/ppp. This filename (without the /etc/ppp component) should be entered into the Script name box. The file contains 'expect send' pairs, separated by a tab. USERNAME will be substituted for the username and PASSWORD for the password. Examine the file demonloginscript in /etc/ppp, and use it as an example of what should be in this file.

If you get this script option to work, let me know, as that would be really neat. I will hack around a bit with this script option as well, see what I can achieve if anything.

--
OK, I put the full file on www.4shared.com. Here is the link. It's called rt.set

http://www.4shared.com/dir/1869544/c1bbda86/sharing.html
 

ColinR

Expert Member
Joined
Aug 24, 2006
Messages
3,751
#15
Damn, I'm such a n00b @ this!

I've managed to edit and copy the script into the usr/bin folder... now I'm trying to run it (let alone use it with cron)

I've set the execute permissions. I get a syntax error near unexpected token 'fi'

Any ideas what I'm doing wrong here?
 

sleeper

Well-Known Member
Joined
Sep 30, 2005
Messages
273
#16
Bernie - this is EXCELLENT !! Thank you !!!

I've used Fausto's router scripts before, but the problem I had was when the router restarted the routes were obviously missing. And, when the line dropped. I've used routesentry for a while now (great util), but I have 4 PCs here at home, and the WA's IS accounts only allows 2 concurrent connections. I tried the iPig solution that an1tb0dy suggested in another post, but my PC kept on BSOD - after uninstalling iPig, it was fine again. And, 1 of the other PCs could not connect via iPig, no clue why not.

Anyways, just wanna say thanks for this solution.

carudden - I did not get any script errors? Took me a while to figure out how to get the script on the IPCop box, and after reading your post, I noticed that I have to give it execute permission (My knowledge of linux is sort of limited to the "ls" command :) So I had to do a lot of googling this morning)
 

Bernie

Expert Member
Joined
May 2, 2006
Messages
1,911
#17
> Bernie - this is EXCELLENT !! Thank you !!!
>
> I've used Fausto's router scripts before, but the problem I had was when the router restarted the routes were obviously missing. And, when the line dropped. I've used routesentry for a while now (great util), but I have 4 PCs here at home, and the WA's IS accounts only allows 2 concurrent connections. I tried the iPig solution that an1tb0dy suggested in another post, but my PC kept on BSOD - after uninstalling iPig, it was fine again. And, 1 of the other PCs could not connect via iPig, no clue why not.
>
> Anyways, just wanna say thanks for this solution.
>
> carudden - I did not get any script errors? Took me a while to figure out how to get the script on the IPCop box, and after reading your post, I noticed that I have to give it execute permission (My knowledge of linux is sort of limited to the "ls" command :) So I had to do a lot of googling this morning)

Excellent, glad it's worked for others. Thank you

Carudden, did you get it all to work, did you find the fcrontab command?
 

sleeper

Well-Known Member
Joined
Sep 30, 2005
Messages
273
#18
Hmm, I've just noticed something - I think. After a reboot of the IPCop machine, both ppp0 and ppp1 came up, routes were created, but nadda - no internet. I could not ping anything (not from my machine nor from the IPCop machine), but somehow MSN Messenger managed to sign in. (The MSN thing really confuses me)

When I went to the home page of the IPCop web interface, it took quite a while for it to be displayed (the page where it shows what it is connected to with the connect, disconnect and refresh buttons). In order to try to get it working, I then proceeded to delete ppp1 and waited for crontab to re-create the ppp interface and the routes. Still with no luck. At some point in time I pressed the disconnect button, then the connect on the IPCop home page. I recall seeing that the "IPCop's Hostname" was some saix address. After I reconnected, I noticed that IPCop's hostname changed to ****.nngy.isadsl.co.za. And, suddenly everything worked 100%. When I opened the IPCop webinterface home page, it loaded immediately, where previously it took like 5-10 secs to load.

I am going to try to recreate this whole scenario later on today, if this happens again after a reboot, I am going to try to swap the intl and local accounts, so that local is on ppp0 and intl on ppp1. Will give feedback on whether it works better or not.

Cheers
 

Bernie

Expert Member
Joined
May 2, 2006
Messages
1,911
#19
That is strange indeed. I have never had any hassles with a reboot, and have been through quite a few connection resets as well and all seemed to work fine. Not sure if it makes a difference or not, but I am using Webafrica for both international and local only ADSL. Please let me know if you find any problems with the script or if there is a way to improve the setup. But so far, it has been running quite nicely.

After your second PPPoE is connected IPcop assumes that as the RED connection.

Here is an extract from my system log after a reboot this morning:

08:50:04 ipcop Dynamic DNS ip-update for xxxxxx.selfip.com: success
08:50:01 ipcop PPP has gone up on ppp1
08:49:14 ipcop IPCop started.
08:48:30 ipcop Dynamic DNS ip-update for xxxxxx.selfip.com: success
08:48:23 ipcop PPP has gone up on ppp0
08:48:22 ipcop Dialling Webafrica3GIG.
08:48:22 ipcop Starting RED device eth1.
08:47:19 ipcop PPP has gone down on ppp1
08:47:18 ipcop Rebooting IPCop

Does yours look similar?

Cheers.
 

sleeper

Well-Known Member
Joined
Sep 30, 2005
Messages
273
#20
Yes, when I look at the network status, it shows ppp1 as red. And, I have the same setup - Both accounts via WebAfrica.

My log looks pretty much just like yours :
14:39:09 ipcop PPP has gone up on ppp1
14:38:36 ipcop IPCop started.
14:38:24 ipcop PPP has gone up on ppp0
14:38:20 ipcop Dialling SAIX 3GB.
14:38:20 ipcop Starting RED device eth1.
14:37:14 ipcop Rebooting IPCop

Can you confirm, on the home page, if your IPCop's Hostname is using a SAIX or IS address - I don't know if this is where my prob lies, but this is definitely something that changed before it started working again.

Cheers !
 