From: Dave Taht
Date: Wed, 9 Nov 2022 08:23:29 -0800
To: Herbert Wolverson
Cc: libreqos
Subject: Re: [LibreQoS] Tracking unknown IPs (maybe for 1.4?)

Does dhcp option 82 work on openwrt? I long ago reflashed all my m2 and m5s to openwrt. Outperforms ubnt's default build across the board if you tune down the txop size to 2.5ms.

On Wed, Nov 9, 2022 at 8:20 AM Herbert Wolverson via LibreQoS wrote:
>
> We have a bespoke solution to do similar (I keep meaning to make it more generic and open source it). The basic operation is (using our Mimosa devices as an example; it's actually a lot more complicated than that since we have everything from apartment complexes with Ethernet jacks to regular Ubiquiti devices in bridge mode):
>
> A server contains an instance of FreeRADIUS.
> Periodically, a script runs and queries UISP. It finds client sites with a device matching the type "Mimosa C5x" and an "other device" entitled "Service IP".
>
> A radius record is then added for the CPE (using the MAC and IP from the Mimosa device), placing the Mimosa CPE on the IP address in the "mimosa" record.
> A second radius record is added that matches Option 82 headers to see that a request passed through the Mimosa. This will always hand out the IP address from the "Service IP" record.
> The radius database is refreshed with this information.
>
> When a CPE comes online, the DHCP server sends a RADIUS request. If the MAC address matches a RADIUS record, the device is assigned to the CPE address from the RADIUS records.
> When a customer's device sends a DHCP request, it passes through the CPE. The CPE's "option 82" support decorates the DHCP request with the CPE's MAC address in a header. This then matches the second rule in Radius, ensuring that no matter what device the customer plugged in - it gets the Service IP.
>
> This then dovetails into the QoS - because we can be 100% sure that the customer's router has the IP address of the Service IP record in their client site.
>
> It took about an afternoon to set up, and is really nice. We have additional rules like "place unknown CPEs into a block that is redirected to a page reminding the installer to call in the account for setup", special handling of suspended accounts and similar.
>
> People have been begging Ubiquiti to a) support option 82 properly on the M5/M2 line (I have a 10 year old request still unanswered!), and b) provide some sort of RADIUS setup baked into UISP. The latter won't happen, because it reduces vendor lock-in. But it's really easy to set up, and use UISP as a "source of truth". (Obviously, when your clients are bridged you need to take precautions - client isolation, switch port isolation and DHCP snooping)
>
>
> On Wed, Nov 9, 2022 at 10:07 AM dan wrote:
>>
>> How are you linking UISP to RADIUS?
>>
>> On Sat, Nov 5, 2022 at 10:29 AM Robert Chacón via LibreQoS wrote:
>>>
>>> In our particular case we use RADIUS tied to UISP so we don't have the immediate need, but I think it's an important feature to add.
>>>
>>> Perhaps cpumap-pping can have a feature to define "shaped subnets" during the filter setup, and then we could query cpumap-pping for a JSON output of IPs detected in traffic that are in the "shaped subnets" groups, but not defined in the hash map.
>>>
>>> Curious to hear what others think here. Would others need this in order to adopt LibreQoS?
>>>
>>>
>>> On Sat, Nov 5, 2022 at 7:33 AM Herbert Wolverson via LibreQoS wrote:
>>>>
>>>> As we approach the v1.3 pre-release feature freeze, I've been thinking a little bit about nice things to have. One thing I found useful in both BracketQoS and Preseem was the ability to grab a list of IP addresses that had been through the shaper, but weren't mapped to a queue (obviously, only from within the "allowed IP" range - we're not trying to map the Internet!).
>>>>
>>>> In Preseem, there's a link to download a CSV file containing all the unmapped IP addresses and how much traffic they have consumed. BracketQoS (pre cpumap-pping) has a report showing the IPs (no traffic).
>>>>
>>>> *Why is this useful?*
>>>>
>>>> Knowing which local IP addresses were processed but not mapped lets you find:
>>>>
>>>> * the times that a device was installed, but the on-boarding process wasn't completed. Yes, that shouldn't happen. And - unfortunately - it occasionally does. If you're using RADIUS-based authentication, it's really difficult for this to happen - but not everyone is.
>>>> * If there's a bug in your shaper integration, it's helpful to see "oops, I put X on the default"
>>>> * Just occasionally, you get a customer who needs a special setup; it's helpful to see that it worked.
>>>>
>>>> *Current Status*
>>>>
>>>> Before cpumap-pping, Bracket was grabbing them by reading the pping output and listing addresses that didn't match a shaping rule. That doesn't work now:
>>>>
>>>> * xdp_pping is spitting out TC handles, rather than IP addresses.
>>>> * With a default rule in place, and handling for IPv6 and IPv4 subnets, an IP address might not exactly match an entry (requires an LPM trie lookup) - and IPs matching a default rule (::/0 or 0.0.0.0/0) will always come back with the "default" handle.
>>>>
>>>> It's currently pretty tricky to do.
>>>>
>>>> So I'm curious; would others like to see this? I have a few ideas for how to make it work, but don't want to start serious planning/design if I'm the only one who wants the feature.
>>>> _______________________________________________
>>>> LibreQoS mailing list
>>>> LibreQoS@lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/libreqos
>>>
>>>
>>>
>>> --
>>> Robert Chacón
>>> CEO | JackRabbit Wireless LLC
>>> Dev | LibreQoS.io

-- 
This song goes out to all the folk that thought Stadia would work:
https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz
Dave Täht
CEO, TekLibre, LLC
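Added example, not part of the thread and not LibreQoS or cpumap-pping code: a sketch of the "unmapped IP" report discussed above, listing addresses that fall inside the shaped subnets but whose longest-prefix match is only the ::/0 or 0.0.0.0/0 default rule, with traffic totals as in the Preseem CSV. The rules, subnets, flow records and function names are constructed for illustration, and a linear scan stands in for the LPM trie.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the thread): shaper rules as prefix -> TC handle.
RULES = {
    "100.64.1.10/32": "1:5",
    "100.64.2.0/29": "1:6",
    "2001:db8:10::/64": "1:7",
    "0.0.0.0/0": "default",
    "::/0": "default",
}
SHAPED_SUBNETS = ["100.64.0.0/16", "2001:db8::/32"]  # the "allowed IP" range
FLOWS = [  # (source IP seen by the shaper, bytes), constructed
    ("100.64.1.10", 5000), ("100.64.2.3", 1200), ("100.64.2.9", 800),
    ("100.64.2.9", 200), ("2001:db8:10::5", 900), ("2001:db8:20::1", 400),
    ("8.8.8.8", 9999), ("100.64.9.1", 50),
]

def longest_match(ip, rules):
    """Linear stand-in for the LPM trie: most specific rule containing ip."""
    hits = [(net, handle) for net, handle in rules if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def unmapped_report(flows, rules, shaped):
    """Bytes per IP that is inside a shaped subnet but only hits a default rule."""
    rule_nets = [(ipaddress.ip_network(p), h) for p, h in rules.items()]
    shaped_nets = [ipaddress.ip_network(s) for s in shaped]
    totals = Counter()
    for addr, nbytes in flows:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in shaped_nets):
            continue  # outside the allowed range: not something to map
        match = longest_match(ip, rule_nets)
        # A /0 match means only the catch-all rule applied, i.e. no real mapping.
        if match is None or match[0].prefixlen == 0:
            totals[str(ip)] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for ip, nbytes in unmapped_report(FLOWS, RULES, SHAPED_SUBNETS).items():
        print(f"{ip},{nbytes}")
```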
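Added example, not part of the thread and not the poster's script or a FreeRADIUS configuration: the two-record decision described above (CPE MAC gets the CPE address, a request relayed with the CPE's Option 82 data gets the Service IP, anything else goes to the holding block). It assumes the CPE's MAC arrives as six raw bytes in the RFC 3046 Agent Remote ID sub-option; the record layout, the "quarantine" label and the function names are hypothetical.

```python
REMOTE_ID = 2  # RFC 3046 Agent Remote ID sub-option code

# Constructed records keyed by CPE MAC, standing in for what a UISP sync would load.
RECORDS = {
    "00:11:22:aa:bb:01": {"cpe_ip": "10.10.0.21", "service_ip": "100.64.5.21"},
}

def parse_option82(data):
    """Split a Relay Agent Information value into {sub-option code: bytes}."""
    subopts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past the option")
        subopts[code] = value
        i += 2 + length
    return subopts

def decide(client_mac, option82=None, records=RECORDS):
    """Return (rule, address) for one DHCP request."""
    if option82:
        # Request was relayed through a CPE: identify the CPE, ignore the client MAC.
        try:
            remote = parse_option82(option82).get(REMOTE_ID, b"")
        except ValueError:
            return ("quarantine", None)  # malformed relay data: fail closed
        rec = records.get(remote.hex(":")) if len(remote) == 6 else None
        return ("service", rec["service_ip"]) if rec else ("quarantine", None)
    # No relay data: this should be the CPE itself asking for its own address.
    rec = records.get(client_mac.lower())
    return ("cpe", rec["cpe_ip"]) if rec else ("quarantine", None)

if __name__ == "__main__":
    relay = bytes([1, 4]) + b"eth0" + bytes([2, 6]) + bytes.fromhex("001122aabb01")
    print(decide("00:11:22:AA:BB:01"))            # the CPE coming online
    print(decide("de:ad:be:ef:00:01", relay))     # any customer device behind it
    print(decide("de:ad:be:ef:00:02"))            # unknown device, no relay data
```

The Service IP rule is only as trustworthy as the Option 82 data, which is why the thread pairs it with client isolation, switch port isolation and DHCP snooping on bridged segments.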