Wednesday, June 11, 2014

Satellite Internet -- Squishing the FAP and taming the wild Bandwidth Hogs

This one is a little dated; I am using Gargoyle for this purpose now. It handles HTTPS (and other non-HTTP traffic) much better.

Note: I wrote this about 2 years ago, but didn't post it, as I thought the instructions were woefully incomplete. I didn't feel like re-installing Squish again just so I could write a more accurate article. However, about a month ago I had a hard drive crash on the Squish-O-Matic box and had to reinstall ClearOS and Squish again.  

One of the first things I did when I got laid off (from SkyTel in 2009) was procure new Internet service.  DSL and cable are not available at Casa Mike (until recently known as "the place where cell phone signals go to die"), so the only choices I really had were satellite and dialup.  I went with HughesNet service, and opted for a pole mount over a roof mount, partly because I anticipate needing a new roof someday.  Installation went very well.  The installation crew was prompt and courteous, and did a neat and professional job.  I ran some speed tests after the install, and the new connection seemed quite zippy.  There was much rejoicing in the McArthur household -- for about 2 hours.  That is how long it took for the household teenagers (experiencing their first Internet "fix" in weeks) to hit HughesNet's infamous FAP.

Below is the whole saga of how I (eventually) managed to ration precious satellite bandwidth using Linux, the Squid proxy and something called Squish.

As a "network guy", I have done my share of prioritizing traffic with QOS, filtering SPAM and other unwanted traffic, and using content-filtering to keep users away from "inappropriate" sites.  One would think that I would have had a ready-made remedy to this situation in my bag of tricks -- as it turns out, I didn't and had to do much Googling and trial-and-error to put together a workable (but not perfect) bandwidth rationing scheme.

I quickly found that there wasn't much I could do on a Cisco 851, or even a WRT54G running OpenWRT/DD-WRT to fix this.  In the WRT's case, there just wasn't enough flash or RAM to install everything needed.  QoS wasn't much help.

I began by putting the ClearOS Linux distro (formerly known as ClarkConnect) on an old desktop machine with 2 NICs. This machine became the firewall between my Home LAN and the HughesNet device.  I later replaced the desktop  hardware with a salvaged Net Integrator Micro II, which was much more compact and quiet (fanless).

ClearOS was a good distro to use for this purpose, because it is designed to be both a firewall and a general purpose office file/intranet server.  It has a web GUI that makes it a simple task to set up a transparent Squid web cache, and to turn on content-filtering with DansGuardian.  These two features helped a great deal -- the Squid cache made it so that if one person in the house viewed a page, it did not have to be downloaded again if someone else in the house wanted to see it.

At first, I used DansGuardian to block YouTube and other bandwidth-wasting sites.  This helped, but it turned into a game of whack-a-mole as the kids would find new video/audio intensive sites, mostly videogame reviews and podcasts.  DansGuardian was helpful for blocking content that I objected to, but my problem was not so much the "content" of the sites as the sheer volume of data traffic that they generated.

What I needed was a bandwidth quota system, and I finally found one in Squish.  Squish is an add-on for the Squid proxy that runs a cron job to periodically collect usage statistics from the Squid log. When a computer (or user) exceeds its quota for the day, Squish blocks HTTP access until the user's 24-hour usage is back under quota.  Squish isn't perfect: it works on HTTP only, and does not affect HTTPS, FTP, or BitTorrent.  More of its limitations are described in the Squish FAQ.

Installing Squish on ClearOS 5.2 was a bit tricky, and will be the subject of another article. The short version is that you need to install the gd and gd-devel packages, as well as the Perl GD module from CPAN. (ClearOS is derived from Red Hat, so yum can install most of the necessary packages.) The Squish FAQ has general build and installation instructions.

Once I had Squish installed, I still had to configure it to work well with HughesNet.  The default cron job provided by the Squish install scripts runs Squish every 5 minutes, 24 hours per day, and does not make exception for the HughesNet unlimited download window (usage between 1 am and 6 am Central Time does not count against the FAP).  I wanted to allow users to take advantage of that period without affecting their Squish quota, so I created some bash scripts and modified the cron schedule.

Here are the lines I added to /etc/crontab:

*/5 6-23 * * * root /usr/local/squish/
*/5 0 * * * root /usr/local/squish/
2 1 * * * root /etc/squid/
55 5 * * * root /etc/squid/

The first script un-squishes users, and saves Squid usage data for use in the morning:

#!/bin/bash
# Script to reinitialize squid access log and squish db.
# Saves Squish data every night so it can be restored in the morning

mv /var/log/squid/access.log /var/log/squid/access.log.bak
mv /var/lib/squish/userdb.stor /var/lib/squish/userdb.stor.bak
cp /etc/squid/squished.blank /etc/squished
service squid restart

/usr/local/squish/ restores the previous night's Squid data, and begins running Squish again:

#!/bin/bash
# Script to restore squid access log and squish db.
# Restores the previous day's Squish data so it can be tracked across
# multiple days

mv /var/log/squid/access.log.bak /var/log/squid/access.log
mv /var/lib/squish/userdb.stor.bak /var/lib/squish/userdb.stor
cp /etc/squid/squished.blank /etc/squished
service squid restart

/etc/squid/squished.blank is an "empty" squish status file; create it by copying /etc/squid/squished to /etc/squid/squished.blank (while no users are currently squished).

Set appropriate bandwidth quotas for users and/or machines by editing the Squish configuration file: /etc/squid/squish.conf 

#### Squish Configuration File /etc/squid/squish.conf

#Bandwidth-sucking kids
#Kid1 25h/day 100Mb/day

#wired 25h/day 100Mb/day

#wireless 25h/day 100Mb/day

#wired 25h/day 171Mb/day

#Wireless 25h/day 171Mb/day

# Catchall -- people and IP's not matched by the above rules
.* 25h/day 20Mb/day
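
The accounting described above, as an added Python example that is not part of the original post and not Squish's own code: it totals bytes per client from Squid's native access.log while skipping requests made in the 1 am to 6 am free window, then applies first-match quota rules. The log lines, IP addresses, the fixed UTC-6 offset, reading "Mb" as 10**6 bytes and full-match rule patterns are assumptions made for illustration; the whole sample is treated as one day.

```python
import re
from collections import defaultdict

CENTRAL_OFFSET = -6 * 3600    # assumption: fixed CST offset, DST ignored
FREE_START, FREE_END = 1, 6   # free window from the post: 1 am to 6 am Central

# Constructed rules in the style of squish.conf: (pattern, bytes per day).
# Assumption: "Mb" is taken as 10**6 bytes; first matching rule wins.
RULES = [(r"192\.168\.1\.50", 100 * 10**6), (r".*", 20 * 10**6)]

# Constructed sample, native format: time elapsed client result bytes method URL ...
SAMPLE_LOG = """\
1389751200.123 5120 192.168.1.50 TCP_MISS/200 60000000 GET http://video.example/a.flv - DIRECT/203.0.113.10 video/x-flv
1389754800.456 4980 192.168.1.50 TCP_MISS/200 50000000 GET http://video.example/b.flv - DIRECT/203.0.113.10 video/x-flv
1389774600.789 9000 192.168.1.77 TCP_MISS/200 900000000 GET http://mirror.example/distro.iso - DIRECT/203.0.113.20 application/octet-stream
1389787140.000 800 192.168.1.50 TCP_MISS/200 5000000 GET http://video.example/c.flv - DIRECT/203.0.113.10 video/x-flv
1389787200.000 700 192.168.1.77 TCP_MISS/200 4000000 GET http://news.example/ - DIRECT/203.0.113.30 text/html
1389790800.250 650 192.168.1.77 TCP_MISS/200 15000000 GET http://news.example/big.zip - DIRECT/203.0.113.30 application/zip
truncated line from a log rotation
"""

def local_hour(epoch):
    """Hour of day (0-23) in Central Time for a Squid epoch timestamp."""
    return int((epoch + CENTRAL_OFFSET) % 86400 // 3600)

def usage_by_client(log_text):
    """Sum bytes per client IP, skipping requests made in the free window."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        try:
            stamp, client, size = float(fields[0]), fields[2], int(fields[4])
        except (IndexError, ValueError):
            continue  # malformed or truncated line: ignore rather than crash
        if FREE_START <= local_hour(stamp) < FREE_END:
            continue  # 1 am to 6 am traffic does not count against the FAP
        totals[client] += size
    return dict(totals)

def quota_for(client):  # byte limit of the first rule whose pattern matches
    return next(limit for pattern, limit in RULES if re.fullmatch(pattern, client))

def over_quota(log_text):
    """Clients whose counted usage exceeds their quota (candidates to squish)."""
    usage = usage_by_client(log_text)
    return sorted(c for c, used in usage.items() if used > quota_for(c))

if __name__ == "__main__":
    print(usage_by_client(SAMPLE_LOG), over_quota(SAMPLE_LOG))
```

The 900 MB download at 2:30 am and the request at 5:59 am are not counted, while the request at exactly 6:00 am is.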
