[kwlug-disc] Two ethernet ports - 1 in, 1 out

unsolicited unsolicited at swiz.ca
Mon Jan 25 16:07:12 EST 2010


Generally, short answer is: your ISP connection is so much slower than 
your internal connection, especially if gigabit NICs, you need not 
worry. YMMV. QoS could be an issue, as John points out. (That's 
traffic prioritization, a different beastie than discussed so far - 
except for John's comments below.)

More inline.

john at netdirect.ca wrote, On 01/25/2010 2:11 PM:
> kwlug-disc-bounces at kwlug.org wrote on 01/25/2010 01:28:26 PM:
>> Boiling it down to 'what do I want to do', I suspect that'll illustrate 
>> how stupid of a question I'm asking.  I now recall when I've seen this 
>> done in the past that it was for security reasons, where one port faces 
>> outside and another port faces outside.

Yes, which is what I was addressing (security). And I suspect John 
too, but perhaps he was going further, too.

> Did you mean inside/outside?

???

>> The reason I was asking was really just for traffic issues - thinking 
>> that if I had some network traffic and my voice traffic running through a 
>> machine that perhaps having inbound traffic on one port and outbound on 
>> another would prevent any possible traffic overloads.  But now I state 
>> that explicitly, I suspect the answer is that there's not enough traffic 
>> there to worry about.
> 
> You can bond interfaces and with the proper switch configuration utilize 
> the throughput of both interfaces. This is just making things faster and 
> doesn't address the traffic issue. You do need the ability to set up 
> trunking on the switch ports and this generally is only available to 
> expensive switches. A bond can be used in fail-over mode with any switch. 
> Bonding works by assigning the same IP address to more than one port.
> 
> To actually control traffic it's called QoS (quality of service) or 
> traffic shaping. Typically a system will have one queue to schedule 
> outgoing packets and it's a FIFO (1st in 1st out) queue. It's not fair if 
> one application is pumping huge packets and another app like VoIP is 
> putting out a steady stream of small packets. Given infinite bandwidth 
> it's fair, but with Internet connections it generally isn't.

Just bought 
http://www.canadacomputers.com/index.php?do=ShowProduct&cmd=pd&pid=020105&cid=NTW.311.651 
based on a list heads up from Richard some time ago. 8 port gigabit 
smart switch with QoS, $115. Vlan, lacp, etc., too. Sadly, no nice 
bandwidth graphs, no command line interface - perhaps I should have 
waited. (Don't have nautilus, nmap, mrtg, etc., set up, yet. Perhaps 
I'm mixing terms here, too.) Just typical router superficial web 
interface - not at all what I expected from a Cisco product. 
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9994/ps9996/data_sheet_c78-500596.html

Note, for trunking, the other end (i.e. the PC) has to support it, 
too. As far as I know, that means two NICs of the same manu/model. FYI.

> Iproute2 also provides traffic shaping. It can be configured through the 
> 'tc' utility. The idea is to create several queues for a network device 
> and distribute packets among the queues based on rules. So VoIP packets 
> get one queue, downloads get another. Then, basically, you can assign 
> guaranteed throughput to each queue, but allow them to burst if there is 
> unused throughput.

But this is coming out per box(?). i.e. Multiple boxes going out to 
the internet would still permit one box to overwhelm the rest. Which 
is to say, you still need that firewall (perhaps pc / openwrt based), 
collecting all the internal traffic, to be doing this shaping (as 
well) to the one port out to the internet.

If I understand correctly, with a single service asterisk box, 
separate from the webserver, then just turning on QoS, and the shaping 
above on this firewall box, would do you. i.e. Second NIC / mucking 
about on the asterisk box could be avoided, in favour of doing it on 
the firewall (and helping all traffic, internal and external, in the 
process). Probably for your house, Cedric's/Lori's OpenWRT box would 
do you. e.g. of flexibility, OpenWRT box can have each internal nic 
port being its own VLAN. And, per Lori, can run asterisk - perhaps 
sufficiently for your (external?) needs.

Note also, every (internal) hop has to be QoS aware. e.g. If you have 
a switch in your office (room), cause you have so many machines but 
only one line back to the router, that switch in your office also has 
to be QoS aware. Doesn't have to be a smart switch, just QoS aware. 
Mind you, Lori has commented in the past that there's so much 
bandwidth available in the office that traffic is never so 
overwhelming that QoS is necessary / useful. i.e. QoS prioritizes 
traffic, typically not kicking in (usefully?) until you flood any 
given connection, and that seldom happens in actuality. (4 AM call 
when backups are running?)

> Keep in mind that you can only directly control outgoing traffic. You can 
> only indirectly control incoming traffic, but it doesn't work in all 
> situations.
> 
> Asking an ISP to control your incoming bandwidth might be difficult, 
> although I've never tried. I know that Unlimitel offers DSL connections 
> that have built-in QoS for VoIP.

Glenn, remind us, do you currently have an internal Asterisk box? (I 
forget.) And, are you currently experiencing difficulties that have 
led you to ask the (bandwidth) question?
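An added example, not code from this thread: the per-queue shaping John describes (a queue per traffic type, a guaranteed rate each, bursting into unused capacity), written as HTB classes on the firewall's Internet-facing interface, which is where the reply above says the shaping belongs since only outgoing traffic can be controlled directly. The interface name, the uplink rate, SIP on UDP 5060 and RTP marked DSCP EF by the PBX are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the kwlug thread. Egress shaping with HTB on the
# firewall's WAN port: a VoIP class with a guaranteed rate and a default
# class for everything else; both may burst to the full link (ceil).
# Assumed: WAN interface name, uplink rate, SIP on UDP 5060, and RTP
# marked DSCP EF (TOS byte 0xb8) by the PBX.

# Print the tc commands for interface $1 at uplink rate $2 (e.g. 800kbit).
# Printing instead of running keeps the plan reviewable and dry-runnable;
# apply_shaping pipes the output into sh.
shape_cmds() {
    dev="$1"
    link="$2"
    kbit=${link%kbit}
    voip="$(( kbit / 4 ))kbit"              # guaranteed to voice
    bulk="$(( kbit - kbit / 4 ))kbit"       # guaranteed to the rest
    echo "tc qdisc del dev $dev root 2>/dev/null || true"
    echo "tc qdisc add dev $dev root handle 1: htb default 20"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate $link ceil $link"
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate $voip ceil $link prio 0"
    echo "tc class add dev $dev parent 1:1 classid 1:20 htb rate $bulk ceil $link prio 1"
    # fq_codel inside each class stops one flow hogging that class's queue
    echo "tc qdisc add dev $dev parent 1:10 handle 10: fq_codel"
    echo "tc qdisc add dev $dev parent 1:20 handle 20: fq_codel"
    # SIP signalling (UDP dport 5060) goes to the VoIP class
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport 5060 0xffff flowid 1:10"
    # RTP media the PBX marked DSCP EF (mask 0xfc ignores the ECN bits)
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:10"
}

# Run the plan; needs root and a real interface.
apply_shaping() {
    shape_cmds "$1" "$2" | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_shaping "${2:-eth0}" "${3:-800kbit}"
fi
```

Run `./shape.sh --apply eth0 800kbit` on the firewall, or call `shape_cmds eth0 800kbit` alone to see the plan without touching the interface.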


