[Rack] Fwd: [Noisebridge-discuss] Omar: Please don't "re-build" the network

Ben Kochie ben at nerp.net
Sat Oct 26 08:06:41 UTC 2013

So, maybe you should look at how we already do things before you talk 
about any of this.  You clearly do not understand what we have, or have 
tried to understand it otherwise you wouldn't realize how silly you sound.

#1: We already have a fully gigabit managed switch in front of our two ISPs:
   * Monkeybrains (wireless, about 20mbps symmetrical)
   * Sonic DSL (configured for Annex M to balance uploads)

The managed switch (Juniper) has vlans configured to allow bikeshed (the 
Linux based NAT router for the public space), minotaur, and stallion (VM host 
which contains pony) direct access to our 8 public IPs on the Sonic 

The switch also allows bikeshed access to the monkeybrains vlan to provide 
faster internet access.

Bikeshed then provides NAT, automatic failover between the two links, and 
rate shaping.  This could be one of the sources of "the network is slower", 
since we have it set up to explicitly slow down hogging users to keep 
things balanced between multiple users at peak time.  This bandwidth 
limiting is mostly in the outbound direction on monkeybrains.

It's possible the rules need adjustment, or that the CPU in the bikeshed 
box is just a little on the weak side for these rules.  I have another of 
the net6501 Atom CPU soekris machines that we could use to upgrade it.  Or 
we could try adjusting/dropping the existing traffic rules.

The only real problem right now is we had to replace minotaur in a hurry, 
and never fixed our network monitoring of the managed switch to keep an 
eye on bandwidth use.


On Fri, 25 Oct 2013, Omar Zouai wrote:

> I agree, regressions are not a good thing. My main reason to implement a full blown server as a
> router is for traffic shaping and possibly image caching. It was stated that when the network
> was "broken", it was remarkably faster.
> Maybe I wasn't clear enough with my idea. Doing away with the switches is a terrible idea. We
> currently have 2 switches that connect almost all the equipment.
> My idea wasn't to get rid of them, but to change how they are used. The server could be running
> any flavor of Linux (my choice would be either Ubuntu Enterprise Cloud, or straight up Debian,
> but this looks promising http://www.zentyal.org/server/, maybe that could be up while we
> configure our own version?), and DNAT could be achieved with iptables. First, the line from the
> ISP(s) would be connected to a small switch, then that switch would in turn be plugged into the
> server. The server would then have 2 other NICs (one builtin, and 2 PCI), one of them would run
> equipment that would be like Minotaur, the door, Pony, Stallion, Mode-S, etc. These systems
> would have more upstream bandwidth allocated to them. The next subnet would be for NoiseBridge
> users, they would have more downstream bandwidth, and possibly an image cache (Squid3) to reduce
> network load while surfing the web.
> Then, the 2 switches would have their respective networks, and would branch off to their
> clients. All the equipment except for BikeShed would still be there.
> Again, I've implemented a similar network in my home. My modem feeds straight to my linux box,
> then I have it connected to a gigabit switch, which then in turn connects to all my devices.
> Squid3 caches all static images that are requested without https (haven't configured an ssl bump
> yet), and serves them locally out of Apache2. DNAT is set up with iptables, and the only ports
> forwarded are to my Xbox.
> This is still just my preliminary idea, there is still a lot more room for improvement.
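The rate shaping Ben describes (hold hogging hosts to a fixed share so the link stays balanced between users) can be illustrated with a per-host token bucket, which is the same idea behind the Linux tc classes such a router would use. This is an added example, not code from either message or from the bikeshed router; the addresses, packet sizes, per-host rate and burst size are constructed for the simulation.

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Classic token bucket: `rate` bytes of credit per millisecond, capped at `burst`."""
    rate: int
    burst: int
    tokens: int = 0
    last_ms: int = 0

    def __post_init__(self):
        # A fresh bucket starts full, so a host may burst before it is shaped.
        self.tokens = self.burst

    def consume(self, size: int, now_ms: int) -> bool:
        # Refill in proportion to elapsed time, never above the burst ceiling.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class PerHostShaper:
    """One bucket per source address. A host under its share never notices the
    shaper; a host that hogs the link is held to the share (excess is dropped
    here; a real queueing discipline would delay it instead)."""

    def __init__(self, rate_per_ms: int, burst: int):
        self.rate_per_ms = rate_per_ms
        self.burst = burst
        self.buckets = {}
        self.passed = {}   # src -> bytes forwarded
        self.dropped = {}  # src -> bytes held back

    def offer(self, src: str, size: int, now_ms: int) -> bool:
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate_per_ms, self.burst))
        ok = bucket.consume(size, now_ms)
        counter = self.passed if ok else self.dropped
        counter[src] = counter.get(src, 0) + size
        return ok


def run_simulation() -> dict:
    """Constructed traffic (hypothetical hosts, not the real network): one host
    floods 1500-byte packets every 1 ms (1.5 MB/s), another sends one packet
    every 50 ms (30 KB/s). The per-host share is 250 bytes/ms (250 KB/s) with a
    20 KB burst, so the light user is untouched and the hog is cut to its share."""
    shaper = PerHostShaper(rate_per_ms=250, burst=20_000)
    packets = [("10.0.0.7", 1500, ms) for ms in range(1000)]            # hog
    packets += [("10.0.0.42", 1500, ms) for ms in range(0, 1000, 50)]   # light user
    for src, size, ms in sorted(packets, key=lambda p: p[2]):
        shaper.offer(src, size, ms)
    return {
        src: {"passed": shaper.passed.get(src, 0), "dropped": shaper.dropped.get(src, 0)}
        for src in ("10.0.0.7", "10.0.0.42")
    }


if __name__ == "__main__":
    for src, counts in run_simulation().items():
        print(src, counts)
```

Over the simulated second the hog gets roughly its 250 KB/s share plus the initial 20 KB burst while the light user loses nothing, which is the "balanced at peak time" behaviour the message describes; tuning the share and burst (or, as Ben notes, the CPU doing the shaping) is what determines whether users perceive the link as slow.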
