Keeping tabs on your bandwidth usage

I run a business which rents out fully serviced office space on a short- and long-term basis.  One of the services I offer my customers is internet access.

During the last few months the average ADSL bandwidth usage has grown to over 50 GB per month.  As bandwidth is still relatively expensive in SA (I use Afrihost’s excellent value for money ADSL at R29/GB) I needed to see where this actually goes.

The solution is an Ubuntu-based Linux server with a collection of different open source products installed, plugged into the network just before the traffic leaves for the internet.

The ideal place for this server is between the network switch and the default gateway.  All traffic from devices on the inside of the bridge will now have to pass through the bridge server before entering the internet.

The server contains two network interfaces and is configured in bridge mode, allowing network traffic to pass through the server transparently, without the clients even being aware that their traffic is inspected.

The key to making this work is bridging both Ethernet interfaces together, using the Ubuntu bridge-utils package and the brctl command. Also make sure that HTTP traffic destined for the web is redirected to dansguardian for filtering before it leaves the network.

Using bridge mode has the added advantage that it is not only completely invisible, it also requires no changes on the existing network PCs. As long as it is placed just before the external gateway / firewall, all traffic will pass through it, including traffic from hardware devices like wifi routers, etc.

Once the server is installed, configured and switched into bridge mode, the necessary monitoring software is installed. I use squid as a proxy server, dansguardian for traffic filtering and ntop for bandwidth monitoring.

Dansguardian is great for rule-based filtering, but comes with a static set of rules. I expanded my configuration by adding blacklists from shalla. The shalla lists are broken down by category and contain over 1.3 million entries.  As the lists are updated frequently I configured a cron job to download the lists nightly and copy them to the appropriate folders.

In dansguardian I then enable the specific categories that need to be blocked, like porn, gambling, etc. Dansguardian also contains exception lists for blocking or unblocking specific sites, keywords or IP addresses.
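The nightly list refresh and the category selection from the two paragraphs above, as an added example; this is not the post's own cron job. It assumes the shalla tarball URL and the BL/<category>/domains and urls layout inside it, that an .md5 file is published next to the tarball in md5sum format, the Ubuntu dansguardian paths, and that dansguardian -r reloads the lists. The md5 check matters because a cron job that blindly untars whatever it downloaded into /etc/dansguardian will happily install a truncated or substituted list.

```shell
#!/bin/sh
# Added example, not the post's own cron job.  Refreshes the Shalla blacklist
# for dansguardian and writes .Include lines for the chosen categories.
# Assumptions: the tarball URL and its BL/<category>/{domains,urls} layout,
# the md5 file shipped next to it, the dansguardian paths, and "dansguardian -r".

SHALLA_URL=${SHALLA_URL:-http://www.shallalist.de/Downloads/shallalist.tar.gz}
DG_LISTS=${DG_LISTS:-/etc/dansguardian/lists}
CATEGORIES=${CATEGORIES:-"porn gambling warez"}   # categories to block (assumption)

# verify_and_extract TARBALL MD5FILE DEST
# Installs BL/ from the tarball as DEST only if the md5 matches the published
# sum, so a truncated or tampered download cannot replace the lists.
verify_and_extract() {
    tarball=$1; md5file=$2; dest=$3
    ( cd "$(dirname "$tarball")" && md5sum -c "$(basename "$md5file")" >/dev/null 2>&1 ) || return 1
    stage=$(mktemp -d) || return 1
    if ! tar -xzf "$tarball" -C "$stage" || [ ! -d "$stage/BL" ]; then
        rm -rf "$stage"; return 1
    fi
    # swap the new tree in only after it is fully extracted
    mkdir -p "$(dirname "$dest")" && rm -rf "$dest.new" && mv "$stage/BL" "$dest.new" \
        && rm -rf "$dest" && mv "$dest.new" "$dest"
    status=$?
    rm -rf "$stage"
    return $status
}

# include_lines DIR KIND CATEGORY...  -> one .Include line per category
# KIND is "domains" (for bannedsitelist) or "urls" (for bannedurllist).
include_lines() {
    dir=$1; kind=$2; shift 2
    for cat in "$@"; do
        printf '.Include<%s/%s/%s>\n' "$dir" "$cat" "$kind"
    done
}

# nightly: what cron runs.  Add ".Include<$DG_LISTS/shalla.sites>" to
# bannedsitelist and ".Include<$DG_LISTS/shalla.urls>" to bannedurllist once.
nightly() {
    work=$(mktemp -d) || return 1
    wget -q -P "$work" "$SHALLA_URL" "$SHALLA_URL.md5" || { rm -rf "$work"; return 1; }
    verify_and_extract "$work/shallalist.tar.gz" "$work/shallalist.tar.gz.md5" \
        "$DG_LISTS/blacklists" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    # CATEGORIES is intentionally word-split
    include_lines "$DG_LISTS/blacklists" domains $CATEGORIES > "$DG_LISTS/shalla.sites"
    include_lines "$DG_LISTS/blacklists" urls $CATEGORIES > "$DG_LISTS/shalla.urls"
    dansguardian -r    # reload lists without a full restart (assumption)
}
# crontab line (assumption): 0 3 * * * root /usr/local/sbin/shalla-update nightly

if [ "${1:-}" = nightly ]; then nightly; fi
```

Installed as /usr/local/sbin/shalla-update, the cron line at the bottom runs it at 03:00; the category list is the only thing to change when a new category needs blocking, and the generated shalla.sites and shalla.urls files are regenerated on every run.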

Another handy feature of dansguardian is that it uses clamav to automatically scan all downloaded files for viruses before letting them through.

Squid is configured as a transparent proxy server, allowing traffic caching and reporting. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.

Ntop is used to monitor and report on all network traffic passing through the server. When configuring ntop make sure to set it to watch the external interface only, so that you do not pick up local traffic that is not destined for the internet.

Iptables is used as a firewall for blocking specific protocols or destinations, and also for forwarding all HTTP traffic destined for the internet to dansguardian, which applies its rule-based filters and then passes the traffic on to squid, which in turn passes it on to the internet if it is not served from the local cache.
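The bridge setup and the HTTP redirect from the paragraphs above, written out as one script; this is an added example, not the post's own configuration. Interface names, the bridge address, the dansguardian filter port (8080) and the squid port (3128) are assumptions, and must match filterport in dansguardian.conf and http_port 3128 transparent in squid.conf (intercept on newer squid). Two details the prose glosses over are made explicit: bridged frames bypass iptables unless bridge-nf-call-iptables is on, and the redirect is keyed on the physical port the packet arrived on, so only LAN-originated connections are pulled into the filter. Without APPLY=1 the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not the post's own script.  Builds a transparent bridge out of
# two NICs and redirects LAN-originated HTTP into dansguardian, which hands it
# to squid.  Interface names, addresses and ports below are assumptions.
# Run as root with APPLY=1 to execute; without it the commands are only printed.

BRIDGE=${BRIDGE:-br0}
INSIDE=${INSIDE:-eth0}          # NIC facing the switch (LAN side)
OUTSIDE=${OUTSIDE:-eth1}        # NIC facing the ADSL gateway
BRIDGE_IP=${BRIDGE_IP:-192.168.0.2/24}   # constructed address on the LAN subnet
DG_PORT=${DG_PORT:-8080}        # dansguardian "filterport" (Ubuntu default, assumption)
SQUID_PORT=${SQUID_PORT:-3128}  # squid "http_port ... transparent" (assumption)

# run: execute the command when APPLY=1, otherwise print it (dry run)
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# bridge_up: join both NICs so frames pass through the box unchanged.  The
# bridge still needs an IP: REDIRECT rewrites the destination to the address
# of the interface the packet arrived on, and squid needs a source address.
bridge_up() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$INSIDE"
    run brctl addif "$BRIDGE" "$OUTSIDE"
    run ip link set "$INSIDE" up
    run ip link set "$OUTSIDE" up
    run ip addr add "$BRIDGE_IP" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    # bridged frames skip iptables unless this sysctl is on (br_netfilter)
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# http_redirect: only traffic that entered on the LAN-side port is redirected,
# so an inbound connection from the gateway side to a LAN web server is not
# swallowed by the proxy.  Port 80 only; HTTPS is not intercepted here.
http_redirect() {
    run iptables -t nat -A PREROUTING -m physdev --physdev-in "$INSIDE" \
        -p tcp --dport 80 -j REDIRECT --to-port "$DG_PORT"
    # the filter port is reachable from the LAN side only, squid from localhost only
    run iptables -A INPUT -m physdev --physdev-in "$INSIDE" -p tcp --dport "$DG_PORT" -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$DG_PORT" -j DROP
    run iptables -A INPUT ! -s 127.0.0.1 -p tcp --dport "$SQUID_PORT" -j DROP
}

# show_counters: the REDIRECT rule's packet counter is the quickest check that
# browsing really goes through the filter (run as root, after APPLY=1 up).
show_counters() {
    iptables -t nat -L PREROUTING -v -n | grep REDIRECT
}

case "${1:-}" in
    up) bridge_up; http_redirect ;;
    check) show_counters ;;
    *) echo "usage: $0 up|check  (set APPLY=1 to execute)" >&2 ;;
esac
```

Run it once as "APPLY=1 ./bridge.sh up" after booting, then browse from a LAN PC and run "./bridge.sh check": a REDIRECT counter that stays at zero almost always means the bridge-nf sysctl is off or the rule is keyed on the wrong port.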

One outstanding issue is dealing effectively with bittorrent and peer-to-peer traffic without having to create countless manual rules. For now the ntop reports give clear usage by source, target, protocol, etc. It is relatively easy to identify bandwidth hogs and deal with them, but it takes time and is a reactive process rather than a proactive one.

The next step is to automate the creation of iptables firewall rules on the fly, to filter traffic as soon as it is identified as inappropriate. Another to-do is to scan mail for spam and viruses.

5 thoughts on “Keeping tabs on your bandwidth usage”

  1. If your clients are paying to use the internet, why use dansguardian to filter content? You should have them pay per GB and have them do what they want with it. The more GBs they use, the more they have to buy from you.

    Instead of Ntop, have you had a look at Darkstat yet? I’ve seen that ntop is quite a resource hog.

  2. Hi Stephen, I use dansguardian to virus scan traffic but also to filter out illegal movies and mp3 downloads.
    There is also a quality issue, as I want all users to get a good connection. If someone downloads a large file (movie) then it takes all the bandwidth and all the other users get a degraded service.
    I did look at darkstat but it is a bit too limited in the depth of stats it provides, but agree, it is useful where a lightweight monitoring solution is required.

  3. Hi Gerhard, does it have to be someone based in Cape Town?
    Maybe you can open up ssh or openvpn access to the box for someone to do the config remotely?

  4. Hi Imel,

    I have recently set up a very similar network for providing Internet access. I use many of the same applications but don’t quite see the advantage in using a transparent proxy in bridged mode. This would make more sense if we had access to cheap public IPs in South Africa. With your solution you are just postponing NAT from the server to the ADSL gateway.

    Performing the PPPoE connection(s) and NAT from the server has several advantages such as being able to use several PPPoE connections and split local and international traffic (save more money). But with cheaper uncapped connections being available this is not necessary anymore.

    The biggest problem with sharing internet however is users saturating the link with bulk downloads as ISPs use very large buffers to increase throughput. These however, once full, increase network delay dramatically. In my experience ping times change from 50ms to 1500+ms. This gives a sluggish connection and the appearance that “the internet is slow”. The solution is to cap throughput to just below the maximum level (I found about 5% to work well) in order to keep the buffers empty at all times. Packets are then classified according to, amongst other things, packet size to determine how interactive the traffic is. Small packets like ping, ssh, telnet and small http traffic gain priority while http downloads, p2p file sharing and ftp get a low priority. Thus even when a user is saturating the link with a file sharing application, another user’s request for an http page would fly through the network server and won’t be hindered by ISP buffers.

    Implementing this is as simple as installing wondershaper (sudo apt-get install wondershaper) and specifying the gateway interface and ADSL downlink and uplink speeds in kbps (wondershaper eth1 315 150 for a 384kbps line). These speeds should be the achieved throughput from an internet speed test minus 5% as the ADSL line speed is not accurate.

    My network is almost always saturated, but web pages still load quickly and users don’t notice. Let me know if you get around to implementing this.
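The shaping this comment describes, written out with tc so the cap and the priority classes are visible rather than hidden inside the wondershaper wrapper; this is an added example, not the commenter's script and not wondershaper itself. The interface name and the measured speeds are assumptions, and the rule that sends packets shorter than 64 bytes to the interactive class is the same u32 match wondershaper uses. Without APPLY=1 the tc commands are only printed.

```shell
#!/bin/sh
# Added example, not the commenter's or wondershaper's own script.  An HTB
# shaper in the same spirit: cap below the measured rate so the ISP's buffers
# stay empty, then let small/interactive packets jump the queue.  DEV and the
# measured speeds are assumptions (kbit/s, from a speed test).
# Run as root with APPLY=1 to execute; otherwise the tc commands are printed.

DEV=${DEV:-eth1}                      # interface towards the ADSL gateway
MEASURED_DOWN=${MEASURED_DOWN:-331}   # constructed: what a speed test showed
MEASURED_UP=${MEASURED_UP:-158}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# cap RATE -> 95 % of RATE, so our queue rather than the ISP's is the bottleneck
cap() { echo $(( $1 * 95 / 100 )); }

# shape_upload: three HTB classes under one rate cap; class 1:10 (interactive)
# is served first, 1:20 is the default, 1:30 is bulk.
shape_upload() {
    up=$(cap "$MEASURED_UP")
    run tc qdisc del dev "$DEV" root
    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${up}kbit" burst 6k
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "${up}kbit" burst 6k prio 1
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$((up * 9 / 10))kbit" burst 6k prio 2
    run tc class add dev "$DEV" parent 1:1 classid 1:30 htb rate "$((up * 8 / 10))kbit" burst 6k prio 3
    for c in 10 20 30; do
        run tc qdisc add dev "$DEV" parent 1:$c handle $c: sfq perturb 10   # fairness inside a class
    done
    # interactive: ICMP, TOS "minimise delay" (ssh/telnet set it), and any
    # packet whose IP total length is under 64 bytes (ACKs, small requests)
    run tc filter add dev "$DEV" parent 1: protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
    run tc filter add dev "$DEV" parent 1: protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
    run tc filter add dev "$DEV" parent 1: protocol ip prio 10 u32 match u16 0x0000 0xffc0 at 2 flowid 1:10
    # bulk: ftp-data; add the p2p ports your users actually use (assumption)
    run tc filter add dev "$DEV" parent 1: protocol ip prio 12 u32 match ip dport 20 0xffff flowid 1:30
}

# shape_download: we cannot queue on the ISP's side, so police incoming traffic
# at the capped rate and drop the excess here, before the ISP's buffer fills.
shape_download() {
    down=$(cap "$MEASURED_DOWN")
    run tc qdisc del dev "$DEV" ingress
    run tc qdisc add dev "$DEV" handle ffff: ingress
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 \
        police rate "${down}kbit" burst 10k drop flowid :1
}

if [ "${1:-}" = apply ]; then shape_upload; shape_download; fi
```

The quick test of whether it is working is the one the comment gives: ping the gateway while someone saturates the link, and the round-trip time should stay near the idle figure instead of climbing into the seconds; if it still climbs, the cap is above what the line really delivers and should be lowered further.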
