[personal profile] theweaselking
Geek pop quiz:

I have an Apache2 server.
I want to limit clients *over the internet* to a maximum connection speed.
I do not wish to limit clients *on the intranet* at all.

I have CBand installed, which lets me handily limit connections based on IP of the incoming connection.

The problem: People, both internally and externally, use the FQDN of the server. This means the same URL works in all places, right? That's wonderful, right?

Well, no. That resolves to the external IP, and connecting to the external IP from the intranet results in you resolving the FQDN to the external IP, sending your traffic to the IP, and the router catching it, saying "Oh, that's me", and forwarding it to the server. Meaning *all* connections appear to be coming from the router's IP.

Meaning, I can limit by IP, but I only ever see one IP.

Solutions?

I'm thinking, run a DNS server internally, accessible to the LAN only, with DHCP assigning this DNS as first, last, and only DNS server. This server knows the internal IPs of things and is convinced of its own authoritativeness. For anything it doesn't know, it goes outside to the regular DNS.

So, connections from inside the firewall resolve the FQDN to the internal IP. Connections from the outside resolve it to the external IP. Cband is set to hinder only people on the outside.

Great, right?

Well, almost. First, CBand's website is down and their documentation is thus missing. Second, this is a lot of work and adds a new server that I don't want to run.

Who's got a magic bullet for me to solve this one?

("Buy a router that does the QoS restrictions for you" is cheating. Acceptable if you've got a suggestion on one for relatively cheap, but still cheating.)
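The LAN-only resolver described above, written out as an added example (not configuration from the post or from CBand's documentation). It assumes placeholder values: the LAN is 192.168.1.0/24, the resolver runs on 192.168.1.2, the server's FQDN is www.example.com with internal address 192.168.1.10, and the ISP's resolvers are 203.0.113.53 and 203.0.113.54. DHCP then hands out 192.168.1.2 as the only DNS server, so internal clients connect straight to 192.168.1.10 and Apache sees their real addresses instead of the router's.

```conf
// /etc/bind/named.conf (added example; all addresses and names are placeholders)
options {
    directory "/var/cache/bind";
    // Listen and answer on the LAN side only; never expose this resolver to the internet.
    listen-on { 127.0.0.1; 192.168.1.2; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
    // Anything this server is not authoritative for is forwarded to the ISP's resolvers.
    forwarders { 203.0.113.53; 203.0.113.54; };
    forward only;
};

// Override only the one host name. Declaring the zone as "www.example.com" rather
// than "example.com" means every other record in the real domain (mail, other hosts)
// keeps resolving upstream; a zone for the whole domain would shadow all of them.
zone "www.example.com" {
    type master;
    file "/etc/bind/db.www.example.com";
};

// /etc/bind/db.www.example.com
// $TTL 300
// @   IN SOA  ns.www.example.com. hostmaster.example.com. (
//                 2008090901 ; serial
//                 3600       ; refresh
//                 900        ; retry
//                 604800     ; expire
//                 300 )      ; negative-cache TTL
// @   IN NS   ns.www.example.com.
// ns  IN A    192.168.1.2
// @   IN A    192.168.1.10   ; internal address of the Apache server
```

The Apache side is unchanged: the virtual host for www.example.com must also answer on 192.168.1.10, and the per-IP CBand limit can then be applied to everything except 192.168.1.0/24 and the VPN range, since those are now the only addresses internal clients arrive from.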

(no subject)

Date: 2008-09-09 06:23 pm (UTC)
From: [identity profile] jackoutofthebox.livejournal.com
How about changing the permissions of the User Template to limit access?

(no subject)

Date: 2008-09-09 06:32 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
The server's Apache2 running on Linux. I'm not aware of any User Templates outside of IIS.

However, it *does* require a username and password to access it. I wonder if I can restrict based on that in the .htaccess files, somehow?

(no subject)

Date: 2008-09-09 06:32 pm (UTC)
From: [identity profile] ronebofh.livejournal.com
Change internal DNS so the FQDN of the server points to the internal IP address and not the external IP address. Limit the router's IP.

Oh, helps to read everything. You don't already have internal DNS. You suck. How do you run an internal network without internal DNS? Or do I want to know?
Edited Date: 2008-09-09 06:33 pm (UTC)

(no subject)

Date: 2008-09-09 06:34 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Yeah, I was hoping for a simpler fix that didn't require an internal DNS server.

Oh, well. If there's no easier fix, that one's not hard.

(no subject)

Date: 2008-09-09 06:41 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
How do you run an internal network without internal DNS? Or do I want to know?

It's a single /24 subnet with a dozen static IPs, a VPN range, and a standard DHCP range. Internal name resolution is done via WINS, because there's a Samba server sitting in the middle of it all, and the DHCP server sends out the WINS address.

The network was set up by blind, drunken, home-user monkeys, and I'm a contractor arriving long after the fact. Anything that works, I do not touch - which is why they're still running a WRT54G version *2* as their "corporate" router. As their needs evolve and they require new functionality, I fix each bit up to a semi-reasonable small-business spec.

(no subject)

Date: 2008-09-09 06:43 pm (UTC)
From: [identity profile] ronebofh.livejournal.com
Oh, man, you're a contractor. This is another reason why I can't contract. I would probably start by setting the place on fire.

(no subject)

Date: 2008-09-09 06:46 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
It's really not that bad.

(no subject)

Date: 2008-09-09 06:49 pm (UTC)
From: [identity profile] ronebofh.livejournal.com
You're probably right. I'm just in a bad way right now.

(no subject)

Date: 2008-09-09 10:46 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Totally understandable!

Whereas for me, I am my own boss, I have more clients than I know what to do with and so I'm referring them to my friends and acquaintances, I'm making good money, and I'm having *fun* with the new problems and strange experiences that happen when you're called in to fix things in a startup that's gotten just a little too big to do things themselves, but not big enough to afford a guy like me full-time.

Absolutely, bad setups can be frustrating, but these are all cases where they *know* it's bad, they know *how* it's bad (if not why) and they've called me in specifically because they want me to tell them what it will cost to make it better.

(no subject)

Date: 2008-09-09 06:48 pm (UTC)
From: [identity profile] elffin.livejournal.com
WINS! The ultimate ironic name. I dared not think they'd be using WINS.

(no subject)

Date: 2008-09-09 06:58 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
On a small network, without a Domain, WINS works right out of the box, seamlessly, and totally without user intervention.

I like that in a service.

(no subject)

Date: 2008-09-09 06:34 pm (UTC)
From: [identity profile] elffin.livejournal.com
You don't already have an internal DNS cache / proxy server? And you call yourself a BOFH???

"I'm thinking, run a DNS server internally, accessible to the LAN only, with DHCP assigning this DNS as first, last, and only DNS server. This server knows the internal IPs of things and is convinced of its own authoritativeness. For anything it doesn't know, it goes outside to the regular DNS."

That is exactly the way I would and have solved this problem. You don't even have to cache DNS queries - though it does speed up internal name resolution performance, lightens the load on your upstream DNS server, etcetera. And lets you be the fascist BOFH when you wish to.

(no subject)

Date: 2008-09-09 06:39 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Why would I want a proxy server? I genuinely *do not care* what the users are up to, and I don't pay for the bandwidth. A proxy is just another potential point of failure. It adds nothing of value.

And no, not running an internal DNS, yet. The network was set up by blind, drunken, home-user monkeys, and I'm a contractor arriving long after the fact. Anything that works, I do not touch - which is why they're still running a WRT54G version *2* as their "corporate" router.

(no subject)

Date: 2008-09-09 06:45 pm (UTC)
From: [identity profile] elffin.livejournal.com
- I'd offer to buy it off them. It's hard to find a decent* WRT54G these days.

*capable of supporting GPL firmware

They're blind, drunken, home-user monkeys - but not so blind or drunken that they have a Microsoft box sitting somewhere waiting to be told it is the authoritative DNS proxy?

(no subject)

Date: 2008-09-09 06:53 pm (UTC)
From: [identity profile] jsbowden.livejournal.com
WRT54G_L_ is what you're looking for.

(no subject)

Date: 2008-09-09 06:56 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
The old WRT54Gs support the open-source stuff. The L was created as a reaction to the revelation that they had to open the source of the router because they'd used GPL'd components.

So yeah. The version 2 can, totally, do what he wants it to.

(no subject)

Date: 2008-09-09 06:58 pm (UTC)
From: [identity profile] jsbowden.livejournal.com
The L is the Intel base the WRT54G was built on until v5, and can do anything the v1 - v4 versions can. You pay extra for buying the older hardware, which I find hilarious, but if you really want to flash your firmware on your residential router, it's the one that will let you do it. Personally, I get in enough dealing with that kind of shit at work, and don't bother.

(no subject)

Date: 2008-09-09 07:04 pm (UTC)
From: [identity profile] elffin.livejournal.com
I really do want a Broadcom chipset and not the ADMTek, which is why I say "thankee".

(no subject)

Date: 2008-09-09 07:05 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
I'm with you in terms of really not wanting to deal with it.

I'm just saying, the v2 *can* be flashed with the standard open freeware. You don't strictly need the L.

(no subject)

Date: 2008-09-09 06:57 pm (UTC)
From: [identity profile] elffin.livejournal.com
Thankee.

*blithely looks at WRT54G specs*

VERY much.

(no subject)

Date: 2008-09-09 06:54 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
The guy who built the network was a Linux geek, one of their earliest employees, and they were a startup *very* short on cash at the time.

So when they needed a server, he built them a (pretty nice, actually) Debian box and set it up to run CVS and Bugzilla and MediaWiki and integrate them. When they needed a network, he bought them a router, plugged it in, left all the defaults set, and called it good.

So it was a mixed bag, all things considered. "Blind, drunken, home-linux-user monkeys", maybe?

But no, no handy Win2K3 server gathering dust. However, it's really not hard to set up bind to do what I want it to. It's exactly the setup that Zimbra uses, and I've set up Zimbra repeatedly.

(no subject)

Date: 2008-09-09 06:50 pm (UTC)
From: [identity profile] erdrick.livejournal.com
Many routers will let you change the port of incoming connections, i.e. external port 80 -> internal port 8000.

That way you can distinguish connections based on the incoming port, and run Apache on both ports, but also use the port to restrict bandwidth.

Might not work for you but it's a suggestion.

(no subject)

Date: 2008-09-09 06:51 pm (UTC)
From: [identity profile] erdrick.livejournal.com
o wait i guess it won't LOL!

(no subject)

Date: 2008-09-09 10:01 pm (UTC)
From: [identity profile] corruptedjasper.livejournal.com
You're just lucky the router supports that route to the server. My old SMC Barricade ADSL modem/router did, but my newer Speedtouch 716 actually fails to send internal connections to the external IP through the portforwards.

I ended up having to put the FQDN in hosts.

The speedtouch does feature a DNS proxy, incidentally -- it's just that all it can add into the net is "speedtouch.lan" and ".lan".

(no subject)

Date: 2008-09-09 10:03 pm (UTC)
From: [identity profile] squizzlzilla.livejournal.com
If you don't want an internal DNS server, add the internal IP address to the hosts file (be it /etc/hosts or C:/windows/system32/drivers/etc/hosts).

The hosts file is the first place used for resolution, so it 'aces' everything else. And assuming not too many client machines, it's not a huge headache to change.

(no subject)

Date: 2008-09-09 10:05 pm (UTC)
From: [identity profile] squizzlzilla.livejournal.com
If you're dealing with Macs, I can't help you.

(no subject)

Date: 2008-09-09 10:41 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Macs have a hosts file too. OSX is a FreeBSD skin, so the back end is basically just like Linux (only stupid), to go with the front end which is Windows (only stupid).

(no subject)

Date: 2008-09-09 10:40 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Running bind and passing the DNS out with the DHCP information is much less work than changing hosts files, and it provides me with one-stop shopping for later changes, too.

But hosts are a good thought.

(no subject)

Date: 2008-09-10 10:16 am (UTC)
From: [identity profile] squizzlzilla.livejournal.com
It is an inelegant solution, and it does not scale, but it does work :)

local dns server for the win, though.

(no subject)

Date: 2008-09-09 10:34 pm (UTC)
From: [identity profile] zastrazzi.livejournal.com
Do you control the external DNS server, or have relative freedom in your requests? You could always have the external DNS server provide the external IP to != your IPs and the internal IP to your IPs for the FQDN.

If not, running your own bind instance is the best long term solution.

(no subject)

Date: 2008-09-09 10:40 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
No control over the external DNS, unless you really want to try to convince *Bell* to make exceptions for a small business DSL customer.

(not happening)

So, yeah, there seems to be a consensus. All good!

(no subject)

Date: 2008-09-10 03:11 am (UTC)
From: [identity profile] prk.livejournal.com
Does the router have an option to _not_ NAT from an internal IP to an internal IP, thus letting your server see the original source IP for internal connections?

prk.

(no subject)

Date: 2008-09-15 02:37 am (UTC)
From: [identity profile] quotation.livejournal.com
Sounds like they need a backwards assmonkey reacharound. Let's assume that to be the trademarked term for what I'm about to describe. You may use it with this client.

Tell the Apache2 server to also act like a caching http proxy for internal users to access the internet through. Set their browser proxy to be the internal IP of the Apache2 server.

Or is that an additional point of failure?

(no subject)

Date: 2008-09-15 12:24 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
That's a much larger pain in the ass. An internal DNS server that tells them lies about the location of the HTTPS server has worked wonders.

But thanks!
