Support Archives

From general Linux tips to upgrade options, the following is an archive of NetEqualizer support questions and answers over the years. The content below is made up of answers to commonly asked questions as well as advice pulled directly from customer e-mails.

Archive Contents

General FAQs

Specific Setup and Technical Issues

Peer-to-Peer Specific Questions

General FAQs

What is the NetEqualizer?

NetEqualizer is an automated traffic shaping appliance that works like putting a traffic cop on a freeway interchange to ensure that everybody gets on and off without creating gridlock. The left turners, the right turners, and the aggressive drivers who would otherwise cut in line behave much better when the traffic officer is there. The router between the Internet and your subnet is just such an interchange, and NetEqualizer is the traffic cop.

Internally, NetEqualizer operates similarly to a packet sniffer; it examines Internet data by listening to all traffic on an Internet segment, typically a trunk between a group of users and the Internet. As each Internet packet comes by on the trunk, an arbitrator examines the packet and learns to whom the packet is going—the end user. NetEqualizer keeps a small database of the activity going on over an Internet segment; then, using a set of predefined rules, it determines which users are consuming excessive bandwidth. During periods of peak network usage, data rates to users who are consuming excessive amounts of bandwidth are imperceptibly slowed as needed to alleviate congestion.


How does NetEqualizer differ from other traffic shaping alternatives?

  1. Other technologies force network administrators and operators to build and manage extensive and expensive policy libraries based on application and user groups. NetEqualizer automatically relieves bandwidth congestion with its built-in fairness algorithm, which applies traffic policies based on the behaviors of application types.
  2. Most of the other tools that we are aware of can only shape or control traffic coming from your network. NetEqualizer influences traffic coming into your network as well as the traffic leaving your network.
  3. NetEqualizer is cost-effective. The appliance listens to traffic on your network and then makes a decision every half second on how to make adjustments to traffic flows. Other tools attempt to dynamically adjust traffic flows with every new packet sensed on your network. The NetEqualizer methodology allows very low-powered, inexpensive hardware to handle very large traffic flows. NetEqualizer does sacrifice a degree of accuracy to ensure cost-effectiveness. However, since data users are generally more concerned with their “experience” than with hard network performance numbers, the high price of ensuring extreme accuracy can rarely be cost justified.

NetEqualizer Placement in your network


Who can benefit from this type of product?

Any organization that purchases bulk Internet access and redistributes it to a group of users, including corporations, regional service providers, universities, hotels, etc., can benefit from installing NetEqualizer on their network.


How does NetEqualizer help ISPs?

Internet Service Providers (ISPs), like phone companies, rely on the fact that only a small percentage of their customers will be actively using bandwidth at any moment in time and, therefore, most of them have oversold their networks and do not have enough bandwidth to meet peak demands.

Economics dictate that regional ISPs who purchase their bandwidth from backbone service providers perform a juggling act between the cost of bandwidth and meeting the service expectations of their customers. Inevitably, some percentage of end users will attempt large downloads. The net result is that all users suffer, even those who are not doing large file transfers. NetEqualizer prevents the majority of users from suffering poor response at the expense of a few heavy users.


How does NetEqualizer know who is “hogging bandwidth”?

NetEqualizer keeps track of all active users on your network, including a history of how much bandwidth each user is using, how long they have been using it, and how much of your total network capacity is being used. It then applies “intelligent” rules that take all these factors into account. It will slow down the heaviest users as your network becomes more congested.


What is unique about NetEqualizer’s throttling mechanism?

Almost all Internet communications have a client/server model where the client is sending requests and the server is sending data. This is true for ftp transfers, streaming video and streaming audio. Even if the client and server are sending UDP packets there is always a client/server relationship. The slowing or delaying of client requests is a much better way to throttle the data back than slowing or queuing the data coming from the server. The NetEqualizer limits bandwidth by looking at the large user(s) of bandwidth and slowing requests from the client.

This is radically different from the methods employed by WFQ, TOS and other packet shaping tools. It is the only method that allows you some actual control over Internet traffic coming into your network.

The biggest advantage to slowing down client requests is that you get at the source of traffic problems without employing expensive and complex queuing algorithms.


Does NetEqualizer cause any delay in a network?

The NetEqualizer is a transparent bridge, allowing you to insert it into any segment of an Ethernet network without adversely affecting Ethernet packet transmission.


Can we provide different service tiers and have them enforced with NetEqualizer?

Yes you can. NetEqualizer allows you to set bandwidth limits on individual users or subnets, allowing you to effectively manage a tiered service structure.


What can we do during peak traffic usage?

NetEqualizer has a safety valve that watches over your network called the “default rules”. The default rules are activated when your trunk becomes 95 percent utilized (you can adjust this limit). Your heaviest bandwidth users are incrementally slowed so as to not impact your other users. This safety valve is unique to NetEqualizer. AP Connections’ customers report that complaints of slow network speeds drop dramatically following installation of the product and implementation of the congestion safety valve.


If the default rules slow some users, then how do they help eliminate customer complaints during busy conditions?

When our safety valve kicks in, it typically does not affect the types of activities that users notice. Latency sensitive activities such as e-mail, chat, music streams, Web browsing and even voice streams are generally not heavy bandwidth users and are left untouched. These activities get priority while users downloading large files are slowed. Improvement to your service quality is immediate and you greatly reduce busy hour complaints.


What happens if NetEqualizer fails, will our network go down?

NetEqualizer takes advantage of a mature feature already built into the Linux operating system called STP (spanning tree protocol). Two NetEqualizers placed in parallel will automatically set up a master/slave relationship where one server will back the other. NetEqualizers come pre-configured to take advantage of this feature. There are also some network switches on the market that will allow you to use STP and take over if the NetEqualizer ever failed.


NetEqualizer – Active/Passive Redundancy Configuration


What is the Penalty_Unit?

The PENALTY_UNIT is the amount of delay an IP packet gets. So the actual packets get put in a line and must wait that long to pop out. The units are 100ths of seconds.

The variable ANCIENT is the minimum time the NetEqualizer will continue to delay packets on a connection.

So if user A is downloading from server B and they exceed the “threshold” based on the internal algorithm, we would start delaying each packet (in both directions) between user A and server B in two queues, one for each direction. We continue this for a minimum of time (ANCIENT) which is in seconds.

The reason for doing it in both directions is that delaying the “client” requests tends to smoothly slow the server sending.


What is the Power Requirement for a NetEqualizer unit?

NE2000 using a P4 CPU – 1.35A at 110V 150Watt


What are the shipping weights and sizes for a NetEqualizer unit?

NE2000 = 17lbs 22Lx20Wx7H


APconnections’ Policy for Supporting Used Equipment Purchases

https://netequalizernews.com/2010/01/18/support-and-equipment-resale-policies-for-netequalizer/


Specific Setup and Technical Issues

Where should I locate NetEqualizer?

Locate NetEqualizer between your network and the Internet. Tune the default settings and it will immediately start relieving congestion. This plug-and-play ability is the driving vision and design behind NetEqualizer. Yes, there are “traditional” optional administration features offered, but we cannot overemphasize the importance of the turn-key concept.


What Are The Default Rules and How Do They Work?

NetEqualizer/AirEqualizer default rules determine priority based on the following criteria:

  1. How busy is the network? If the network is not busy, take no action and let users have the bandwidth they need.
  2. If the network is near capacity (determined using RATIO, TRUNK_UP and TRUNK_DOWN), then…
  3. Look at all the connections on the network.
  4. How long has each connection been active?
  5. How much bandwidth has this connection used since it first started?
  6. How much bandwidth has this connection used in the last 8 seconds?

The NetEqualizer/AirEqualizer takes all the input above and then decides, based on a formula, which connections to slow down and which connections to grant priority.

One important property about the NetEqualizer/AirEqualizer intelligence is that it does priority allocation by connection and not by user. So, for example, a user with two connections open — one doing web surfing, and the other a peer-to-peer application — will most likely have the peer-to-peer application reduced while the user’s web surfing will continue to get quick responses.

Adding VLAN Hard Limit

Issue:

If I look in the active connections, I can see the VLAN number on the end of the line.

Connection table entries with VLAN # second from last column

Data is shown in the 5th column

> 18 1262 80 259 2283 69.63.176.168 10.99.2.117 101 1
> 19 1810 5816 185 193 94.236.0.145 10.99.2.192 99 1

If I look at the log there still isn’t any VLAN traffic reported

> 05/14/09 14:09:23 VLAN 99 Traffic up: 1 VLAN Traffic down: 1
> 05/14/09 14:09:23 VLAN 101 Traffic up: 1 VLAN Traffic down: 1
> 05/14/09 14:09:23 VLAN 100 Traffic up: 1 VLAN Traffic down: 1
> 05/14/09 14:09:23 Traffic up: 16608 Traffic down: 278920 POOL 0

Solution:

The connection table snapshot is not taken at the same moment in time that the log reports traffic. Therefore, it is not uncommon for one to show traffic while the other shows nothing.


Cheat Sheets for Converting to NetEQ’s TRUNK_UP & TRUNK_DOWN Units (bytes/sec)

For those of you that want a simple way to convert from megabits/sec to bytes/sec, here is an easy way to do it. Open one of the documents linked below, follow the instructions, and enter your pipe size. It will do all the conversions for you, so that you have bytes/sec, which is what you enter in the NetEqualizer GUI “trunk_up” and “trunk_down” fields.

MSWord document that contains an embedded spreadsheet. It is saved as a “.doc” file, so that it can be opened with older versions of MSWord. bitstobytes conversion cheat sheet

OpenOffice.org document that contains an embedded spreadsheet. It is saved as a “.odt” file.
bitstobytes conversion cheat sheet


How Does the NetEqualizer/AirEqualizer Accomplish Priority QoS?

It is a very unique technology and very simple. First clear your head about the way QoS is typically done in the Cisco™ model using bit tagging and such… NetEq Customer: ok

In default mode, the NetEqualizer/AirEqualizer treats all your standard traffic as one big pool. It constantly re-adjusts bandwidth allocation for users automatically (when your network is busy). It does this by temporarily squeezing the amount of bandwidth a big download might be using in order to ensure great response times for e-mail, chat, http, VOIP users…

So in essence the NetEqualizer/AirEqualizer is already providing one level of QoS in the default setup.

Now when you tell the NetEqualizer/AirEqualizer to give specific priority to your video server (for example) it automatically squeezes all the other users into a smaller pool, and leaves the video server traffic alone. In essence this reserves bandwidth for the video server at a higher priority than all the generic users. When the video stream is not active the generic data users are allowed to use more bandwidth. Very simple and requires no bit tagging!

NetEqualizer Fails to Boot (customer inserted third NIC for management):

This unit is having issues booting properly. We hooked it up to a vga monitor and it appears to fail when trying to boot from disk after a cold start. It goes to PXE boot, fails, tries PXE a second time, gives a media error, and displays DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER. Occasionally it will boot from the disk if the unit is reset using the front reset button.

On the boot issue, did you install a 3rd nic in that unit? If so then take out the riser card and the additional nic and see if it boots.

Did you upgrade the software on that unit having boot issues? If you did then it is possible the card is not inserted totally or needs to be taken out and plugged back in to make sure it is making a good connection. Same with the cable for the CF-to-IDE adapter, unplug and plug back in those cable ends to make sure they are making a good connection.

We don’t typically sell riser cards for any of the units. We also don’t recommend using a lot of additional lan cards either. Realtek may be okay but we suggest Intel since that will use the existing module and not load something else. Intel Pro cards are what is compatible with our currently running module. We have no experience with running any other card on the units. We have used other cards in the past but we started shipping units with Intel or Broadcom chipsets because we found them better for us.

Is there a reason you can’t just use the existing interfaces for management? Multiple IPs can be assigned on the unit as is and the IP of the unit doesn’t have to be anything special to match the traffic going through it. In fact the IP of the NetEqualizer can be bogus and traffic will still pass through it.


Do You Recommend Doing Specific Application Rules?

Well, you end up sort of chasing your tail and creating work for yourself every week. Even if you do manage to block one type of p2p traffic your users will likely scatter to the latest p2p, which may be so new it is not supported. In essence this would require a business model where you would need to purchase upgrades every several months from your vendor to stay ahead of the game. Even the most expensive products cannot keep up with all the latest applications so we believe the method of specific application tagging is inferior to our behavior based method. Behavior based, although not 100 percent perfect will never fail you and it should solve your bandwidth issues without having to constantly upgrade application databases and license fees.

How Do I Give Priority to My Video or Voice Services?

This is supported by the NetEqualizer/AirEqualizer and makes perfect sense. In other words let the default shaping handle the bad applications and then tell the NetEqualizer/AirEqualizer what your priority applications are.

General Question about Setting up TRUNK Sizes and Tuning

Check your version under Misc/Show NetEq Version. If your version is less than 1.28x, set INACTIVE_TICS=400. If your version is greater than 1.28x, set it to 200.

Set your trunk up and down to 6×128000 which is 768000

We never penalize any connection under HOGMIN and yours is set to 128000 bytes per second which means we are letting almost everything through without a penalty. 128000 bytes per second is 1 megabit per second per connection. Every IP can have multiple connections so you aren’t letting the NetEqualizer help you control heavy connections.

HOGMIN should be 12000 and HOGMAX should be 32000 by default.

Trunk up and down are not hard limits. They are just variables that tell us when to start looking for large connections to slow down when your bandwidth is saturated.

In short try the following:
TRUNK_UP=768000
TRUNK_DOWN=768000
HOGMIN=12000
HOGMAX=32000
INACTIVE_TICS=400 or 200 depending on version.
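
The default rules and the tuning advice above can be seen together in a small model. This is an added Python example, not NetEqualizer code: the real formula is not given on this page, so the model only uses what is stated here (equalizing starts near 95 percent of TRUNK_UP/TRUNK_DOWN, nothing under HOGMIN is penalized, decisions are per connection). Treating RATIO as a fraction is an assumption, and the sample traffic is constructed.

```python
from dataclasses import dataclass

# Page's conversion table: 128000 bytes/sec = 1 megabit/sec (6 x 128000 = 768000).
BYTES_PER_MEGABIT = 128000


def mbit_to_trunk(mbit):
    """Convert a pipe size in megabits/sec to the bytes/sec unit of TRUNK_UP/TRUNK_DOWN."""
    return int(mbit * BYTES_PER_MEGABIT)


@dataclass(frozen=True)
class Conn:
    local_ip: str     # user on your network
    remote_ip: str    # server or peer on the Internet
    direction: str    # "up" or "down": where most of the bytes flow
    rate: int         # bytes/sec over the recent window (the page mentions 8 seconds)


@dataclass(frozen=True)
class Settings:
    trunk_up: int
    trunk_down: int
    hogmin: int = 12000   # default stated on the page
    ratio: float = 0.95   # assumption: RATIO as a fraction; page says 95 percent


def saturated(conns, s):
    """True when either direction is at or above RATIO of its trunk size."""
    up = sum(c.rate for c in conns if c.direction == "up")
    down = sum(c.rate for c in conns if c.direction == "down")
    return up >= s.ratio * s.trunk_up or down >= s.ratio * s.trunk_down


def penalty_candidates(conns, s):
    """Connections eligible for slowing, heaviest first (simplified model)."""
    if not saturated(conns, s):
        return []                                   # network not busy: take no action
    hogs = [c for c in conns if c.rate > s.hogmin]  # never penalize under HOGMIN
    return sorted(hogs, key=lambda c: c.rate, reverse=True)


# Constructed sample: eight 90000 B/s transfers, plus light web and voice traffic.
PEAK = [Conn(f"10.0.0.{n}", f"198.51.100.{n}", "down", 90000) for n in range(5, 13)]
PEAK += [
    Conn("10.0.0.5", "192.0.2.80", "down", 8000),    # same user as one transfer, browsing
    Conn("10.0.0.20", "192.0.2.50", "down", 10000),  # voice stream
    Conn("10.0.0.20", "192.0.2.50", "up", 5000),
]

if __name__ == "__main__":
    trunk = mbit_to_trunk(6)
    for hogmin in (12000, 128000):
        s = Settings(trunk, trunk, hogmin=hogmin)
        hits = penalty_candidates(PEAK, s)
        print(f"HOGMIN={hogmin}: saturated={saturated(PEAK, s)}, eligible={len(hits)}")
```

With HOGMIN at 128000 the trunk is saturated but no connection is eligible, which is the situation the answer above describes.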


Setting up Ethernet Flow Control

We have an NE2000-45. I would like to know if it is possible to enable “flow control” (in the Ethernet jargon, not bandwidth shaping jargon) on a specific interface or interfaces of the NE2000 and if so what the command(s) for doing so would be.

You can look at the quick start guide which explains how to use the ethtool program to hard code your LAN ports.

There is a link to the quick start guide at the bottom left edge of the web GUI.


Cannot View ntop Reports

I’m facing a problem with my NetEqualizer. I cannot view the ntop reports although the ntop is started. Also I cannot view the Show the Log command from the GUI.

I rebooted the machine and reset the ntop files, but still nothing. I am using IE7 and Firefox 2.0. Do you have any suggestions?

Your symptoms are normally caused by the unit being assigned the same IP as some other device, by routing issues, or by a firewall in place between you and the NetEqualizer. Some products like ZoneAlarm (although it is a good program) can also be the cause.

The web GUI uses port 80 by default and the ntop reports use port 3000.

You didn’t say what type of error you get when you try to do Show the Log but if it is the same as the ntop issue but you can do things like Misc/Show NetEq Config or Reports and Graph…/Active Connections and they work fine all the time then it is less likely your software is having an issue and not a routing issue.


Tracking Bandwidth Usage

In a WISP environment, is it feasible to track/show monthly bandwidth stats (total used) using the NetEq?

You can track/show bandwidth stats with ntop on all our current NetEqualizer models. You can also pull raw data off ntop and save it in your own database for use however you wish.


Setting Trunk Size for Maximum Performance

What changes do I need to make in the up and down speeds to make sure it works at max performance.

Just set the trunk up and trunk down (in bytes) to what you actually have now. Parameters/Modify parameters.

Bytes to Bits conversion table
500 bytes = 4 kbits
1000 bytes = 8 kbits
2000 bytes = 16 kbits
4000 bytes = 32 kbits
8000 bytes = 64 kbits
16000 bytes = 128 kbits
32000 bytes = 256 kbits
48000 bytes = 384 kbits
64000 bytes = 512 kbits
96000 bytes = 768 kbits
128000 bytes = 1 megabit


Initial Setup Questions and Answers:

Thank you very much. I do have to resolve some issues in my mind before I receive and configure the device.

Regarding servers or services requiring additional connections. Any external IP address would require additional connections beyond the global setting, is this correct?

Yes, you put a separate connection limit in for them; you must do this first before setting the global. The quick start guide warns about the order.

In other words, all of my DNS servers, my email server, my gateway, et al which would sit on the WAN side of the box or for all intents and purposes off my network.

If multiple customers are trying to access say Google at the same time, which is a real possibility, would additional connections be required for such sites?

No it would be a very transient condition and would correct itself quickly… they would all have to be on the same second and it would still work just a bit slower.

Or are the additional connections only required for those connections initiated on my network?

Yes, DNS servers, e-mail servers.

It may be more clear to me when I see the GUI, but not seeing screen shots, I need to understand what I need to calculate before I set the device up.

I need to better understand the trunk up and trunk down functions. I contract for 2M of bandwidth at the present time. Testing shows my actual pipe can change at different times. I have measured it at 4M many times. Not sure how my upstream provider has provisioned my bandwidth, and do not want to wreck a good thing by asking.

I would set the TRUNK for 2 megabits then. The 4 megabits is likely transient and cannot be counted on. You need to protect against your worst-case bandwidth; if you get a bit more than 2 megabits it is likely not during busy hours anyway.

So, where should I set the size? What are the ramifications of setting it too large? Too small? I imagine that by setting it too large, the device will not kick in if indeed my bandwidth at the moment is 2M instead of 2? Or should I just set it at 2M to be safe? Help me understand the function.

Being somewhat spatially challenged, I am very interested in the ntop functionality. A picture is worth a thousand words. I see nothing in the quickstart regarding ntop. Is there a tutorial or some pointers on getting this implemented?

You turn it on from the GUI and wait about 10 minutes for data collection to build up. Once it is on, the menus are very easy to navigate so there is not much to document. Five minutes of poking around should do it.

I have a Symantec security gateway on my network. If I want to put the NetEqualizer inline with my upstream provider, I would put it between my backhaul and one of the wan ports of the Symantec. I imagine then the two IP addresses I’ll need http and ssl, should be in the subnet of the wan ports/backhauls, correct?

I have no idea what you are talking about sorry …. as long as the NetEq sees the IP addresses coming from your network you will be fine. There is nothing specific you need to do for any IP address (other than the connection limit exemptions)

The Symantec has 2 wan ports and will failsafe to the second provider if one fails. I need to get straight in my mind how I will provision this.

You obviously want the NetEq on the active port. If one goes down then you will be without equalizing, but that should be a temporary condition.


Access Point Configuration in a Wireless Network

I talked with someone this week about my setup problem. I’ve had the NetEq for about a week and am using it in my WISP. My problem is it sees only my access points and not the clients beyond. The person I talked to told me how I needed to set things up but I need it in writing so I can have someone program my Cisco router and I can change my system settings. The EQ is between my Cisco 3825 router and a switch, then it goes out to multiple backhauls to switches then to access points (12). I am using Tranzeos for everything, and I’ve contacted Tranzeo but they deferred to you on this issue. My APs and client radios are all in router mode. Can someone tell me exactly the way I need to have my system set up for the NetEq to work to its full capacity? Thanks

You simply need to put your radios in bridging mode and set your router at your head end to do DHCP and NAT (instead of doing DHCP and NAT at your APs).


Stopping Encrypted p2p

I believe my p2p customers have found a way to beat my shaping with your product. After reading some forums on BitTorrent, does the NetEqualizer recognize encrypted p2p torrents? I don’t use any routers on my network other than a Nomadix USG, so I really don’t have an option to block ports. Any suggestions would be appreciated. I am purchasing another unit next week to manage 650 college students. My current clients (most of them new to the net) just think they are having issues with their downloads. College students are a bit more savvy.

If you have read and implemented our suggestions for connection limits, you have the best containment of encrypted BitTorrent on the market. Blocking ports never really worked very well, even before encrypted BitTorrent was invented. Connection limits are not a complete block, but they do contain about 80 percent of it. There is nothing that completely blocks encrypted BitTorrent and there is not likely to be in the future.


Priority and Connection Limits:

I do have the global set at 30 in 30 out. My question is I have business customers with 17 computers on their network and my big client’s son just got married and had 52 single users on his network. If they are set as a priority host, are they still restricted by the global connection limit? Thank you for responding. I don’t have a lot of time to research.

I have my XXXX set to the default 200 sessions in 60 seconds with a burst of 400 (recommended by their engineer) if the user hits 401, their mac address is blocked. Really making my p2p users mad because they have to call in to get unblocked. I hope your DHCP beta works, I would like to get rid of the XXX. Any minor change to it starts locking up my wireless equipment and difficult to configure. Your product is a much better bandwidth limiter.

We have not done much more with the DHCP beta. It does require a complete hardware (and more expensive) upgrade so as you can imagine not many takers seems most are sticking with lower end routers for the DHCP. The XXXXX is overkill?

You will need to exempt the IP address of that one customer. To do this, put a single connection limit in for their IP address and set it to 1000, something big. Then, THIS IS IMPORTANT: remove the global and re-add it. Do a soft reset on the unit. The exemptions to the global connection limit must come before the global connection rule logically, hence the need to remove and re-add the global when making an exemption.

FYI you should not need that XXXXXX connection block. Ours is dynamic, meaning it only blocks while those connections are active. It lets them back in when they cease to exist (can be within seconds); that is why we can do the much lower count. Our connection count and your XXXXXX do not match because we account for them much differently, so you can’t easily say 400 on the XXXXXX is equal to 50 on ours; there is just no way of knowing. I am confident that theirs is overkill though, so I’d take that out.


Setting Passwords

XXXX University have just purchased one of your devices.

I am having a problem though. I have gone into the change GUI password section and set the password but it is not sticking. Is there someone who can help me? I was able to change the root password via SSH just fine though and that has stuck.

You should not use anything but letters and numbers in your web GUI password.

If you are having problems with some web GUI screens then make sure your browser is set not to cache the pages. IE needs to be set to “Every visit to the page”.

If for some reason you can’t get into the web GUI now and you can get into SSH then after you login via SSH do:

cp /art/htpasswd /var/www/arbi/.htpasswd

This will reset the web GUI password to the default.


Starting Firewall and ntop at System Start:

I would like to have the firewall and ntop start at system startup. What are the steps involved in adding this to the autostart config? Thank you.

The firewall always starts up upon a reboot. It is up to you to manually edit the firewall rules file and put in your own rules though. By default there are no rules in it.

To start ntop upon reboot you do Misc/Edit autostart and put in as the last line: /etc/init.d/ntop start



Management Port with a VLAN Configuration

If you need to get to the management web GUI or SSH via a VLAN other than VLAN 1 then you will need to add a 3rd NIC port to do so. Please contact us for details on adding a 3rd NIC port for your unit.

Note: VLAN traffic passing through the NetEqualizer does not need any special setup and you can manage that traffic with a NetEqualizer with rules like Hard limit for a VLAN.


Blocking Applications by Port:

Can I block applications by port?

The problem with port and application shaping is that programs jump ports and talk on different ports after an initial conversation in almost all scenarios. Application signatures also need to be updated and watched constantly. As for blocking applications by signature, although this sounds appealing it often becomes an expensive false promise for those vendors who try. We have written extensively on this subject in our white paper.


Location and Use of the NetEqualizer Log File

What is the location of the NetEqualizer log file? Can it be directed to a log server?

What is the default user/pass for the ntop installation? Or, where’s the ntop.conf file, I think that has it?

We are running neteq to manage our ResNet bandwidth. We have limited them to 10M. There are about 200 users.

/tmp/arblog

The contents of our log typically should not be used for anything but making sure the unit is working. The entries you see in there are our equalizing efforts and are applied to all connections over HOGMIN when your bandwidth is saturated. These IPs that are in there are most likely collateral damage and not necessarily the ones that caused the bandwidth to jump up, they just happened to have a connection size on one or more connections that was higher than HOGMIN. The reason equalizing happened could be simply that you had a lot of good traffic and all it took was a dozen connections that were not large happening all at one time and pushing it up to where we started equalizing.

The log does not show hard limits or connection limits being imposed either. We don’t log those things because they would typically make the log file so huge that it would not be usable.


Default Administrative Password for ntop on the NetEqualizer

We try not to give out the admin login info for the ntop reports without making sure you understand a couple of things.

There are a few hundred config options in ntop and its plugin system that someone could alter so we can’t begin to tell you what to change to get it back to our default setup. The netflow and rrdPlugin plugins must both be running. Do not set up your own devices in ntop and never toggle on DNS resolution within ntop or you run the risk of filling up your disk space and it is possible that when you go to make a change to the NetEqualizer config settings that everything will be gone.

If you do get ntop or your system in a state that we can’t resolve easily then your only option in fixing it is to get a new software image file (you will need to have purchased the NSS option for your unit) and


NetEqualizer Takes a Long Time to Become Fully Functional with a Large Number of Pool Entries

As we edit the config, we restart the neteq service. When we do that we experience 15-20 min of load time. The unit still functions, but it slowly pulls in the new priority IPs or b/w pool IPs.

It would obviously load much faster if it had one line to specify a /24 or /23 subnet as opposed to 254 or 510 lines.

E-mail us if you are having this issue. We have a special configuration to handle a faster start-up with a large number of pool entries.


Customer Added a Connection Limit but the User Is Still Exceeding the Connection Count

Adding a connection limit to an IP when that IP is active and currently has more connections than you are going to allow them in the future will not kill off current overages. As the connections that are over the newly added rule go away then new ones can’t be made until they are under the limit.

The only other reason for a connection limit to not be working is if you have the NetEq process turned off.

BTW, there is a way to add up the connections per IP by doing Misc/Run a Command of:

/art/count

That will show you a count per IP (incoming connections first and then outgoing connections later).

Doing /art/count 10 will show only those IPs with more than 10 connections.

Also note: Please do not compare our connection counts with those reported by your router or firewall. Our accounting rules are much different. We only consider a connection active if we have seen traffic in the last 1/2 second. A firewall extends this period up to a minute.

(Top)

Upload Speeds are Related to Download Speeds

When the download side of your trunk is saturated, the NetEqualizer will penalize packets going in both directions (it will deliberately slow upload packets if they are related to the download or going to the same place).

Why?

If a user is downloading, the best way to get the download to back off and slow down is to delay the return packets (what are called Acks or acknowledgments) on the same connection. And, that is exactly what the NetEqualizer does in some situations.

Please also note that up to 20 percent of the traffic for any download shows up as an upload or vice versa. So, a large upload would also trigger penalties on the download side (if the download link was saturated).

Also note that if your download link is saturated, with or without a NetEqualizer, upload speeds will suffer because uploads need Acks coming from the other direction; if the download is saturated, the Acks will have latency and the upload will slow down.

In other words, if one direction is saturated, all directions will be affected. There is no avoiding this.

The moral of the story is this: Upload and download speeds are intertwined and you cannot have one or the other saturated without affecting the other.

(Top)

Speed Tests Are Not Working

Note: If you are speed testing, then you need to be aware of how the NetEqualizer is going to behave when it sees this. It is going to penalize that speed test because you are trying to take more than your fair share or because you have saturated your trunk up or down. If you don’t want a speed test to be “equalized”, then you can use the Add Rules/Mask and put in the IP of the speed test site, and it will not be slowed down even if your network bandwidth is full.

Speed tests are not typical network traffic streams. Normal applications do not usually download something as fast as possible and then upload something on the same connection as fast as possible. The reason the speed test is slowed down more on the upload side is that it is already under penalty by the time it gets to the upload portion, but the download portion may have gotten a couple of seconds of unequalized bandwidth before the penalty kicked in.

We recently purchased the neteq and I’ve had some issues with it. I set up everything like the guide suggested, but it seems like it is slowing the network down. We have a 15meg connection and we usually see no more than 13 megs used on it. With the neteq turned on, just doing a speed test from my PC will penalize the connection and take us down to a complete crawl. Any ideas?

Also, I was wanting to use the Neteq to set up the speed packages for our customers. We do this by IP address. I’ve been trying to set up that as well, and I can’t get it to consistently show the speed I request (i.e., a 2meg package will bounce from 1700k to 1950 and no penalties kicking in) Any ideas there? I’m doing this with hard limits. Maybe I’m setting it up wrong.

In order for your speed tests to not be subject to equalizing, you need to use the “Add Rules/Mask” and put in the IP of the speed test server, or do it multiple times for more than one server. A speed test is definitely going to be a bandwidth hog type application. It will try to download as fast as your trunk allows and then turn around and upload as fast as it can. If anyone was actually doing this on your network, you wouldn’t want them taking all the bandwidth for one person, would you?

Typical downloads of large files also do the same thing. They try to take as much as possible as fast as possible, and they don’t care what other users are doing on the network. The NetEqualizer will equalize large connections like that so the rest of your network doesn’t suffer.

We usually suggest that ISPs find the IPs of a group of speed test sites and mask them (using “Add Rule/Mask” individually) and then have their website suggest these speed test sites as the most accurate way to test to your customers. You can lessen the felt effect of equalizing by lowering your penalty unit. Be aware that if you lower it so much that it isn’t doing anything to large connections like downloads or unmasked speed tests, then your network may become congested because of it.

Hard limits and connection limits do not log in the log file. The log file would become just one large overage log line after line. You didn’t mention how the hard limits weren’t working. Are they not limiting enough or limiting too much? Hard limits are in bytes per second. Just because you put a hard limit on some IP doesn’t reserve that amount for them. If this was the case, then you could only have 15 users having a 1 meg package on your 15 meg trunk. Hard limits let the user have up to that amount “if” it’s available. If there are already users taking up bandwidth then it’s not there for them. Even IPs that have hard limits are subject to equalizing when your bandwidth is congested.

Equalizing looks at your overall trunk usage, and if it is saturated, then it looks at each connection (view the Active Connections report to see them) and it says, “If this connection is a large connection, (over HOGMIN) then we will slow it down until bandwidth comes back under control.” When we slow something down, we do it in steps. We ramp up the penalty in three steps and then take it off in three steps and then totally remove it. We do this 24/7 and check every two seconds or less to see if connections are still active. We don’t keep a track record for equalizing, so someone who was trying to download too much earlier but isn’t now won’t be singled out; we look at connections in real-time and equalize accordingly.

If you have other questions or want us to check out your NetEqualizer config, then please get us the IP of the unit and the current web GUI password so we can take a look at what is happening on it.

(Top)

When to Upgrade

We purchased a NetEqualizer about 6-9 months ago. Everything is working fine, but we had a question regarding if there are any updates or upgrades we should be using. Also is there an email mailing list we need to be on to get these updates?

A sample answer might be: Our records show you bought a NetEqualizer in January of 2008 and you also purchased the NSS option, which means you are entitled to any upgrades that come out for a period of one year.

If you go under “Misc” and click “Show NetEq Version”, you should see your current version. Our latest version is 2.43k. If your unit is working fine and you are having no issues, then we don’t suggest you upgrade every time we come out with a new version because 90 percent of them are coming out because of only a new feature or two. If you are not needing any new features, then it’s okay to skip it. If you have version 2.43a, there might only be a couple of text changes to the web GUI and you probably wouldn’t notice the difference. It is always a good idea to have a spare CF ready to go if something goes wrong, though.

We send out a newsletter every month and typically announce a new version there. You can always email us and we will tell you what the latest is, though. Our records show you currently do get the newsletter sent to you.

If you would like to upgrade to the latest version, you can follow the included instructions to create a new CF (compactflash card) with the latest software image on it. If you can’t create the CF yourself, we can ship you one ready to go for $75, which would include the CF card plus shipping.

(Top)

NetEqualizer Working with Vonage and Skype

What do you recommend to give the Vonage and Skype users more bandwidth when they are on a call? This is an apartment building with an 8MB synchronous connection for 150 folks. Only ½ are ever on at any time. While the P2P stuff looks like we have reduced it, the VoIP people are complaining. Vonage says the upstream is the issue.

NetEqualizer’s default equalizing rules are able to handle congestion related traffic flow problems for most organizations. Most types of traffic that organizations want to be prioritized are prioritized by default just using the default equalizing rules.

However, in the case of VoIP and Skype, this type of traffic requires flow rates of 100kbs or less. HOGMIN set to 12,000, (98kbs) our default, ensures that flows larger than 98kbs will get throttled when your network is busy. With reasonable contention ratios, your VoIP and Skype will get priority.

Since we activated the NetEqualizer some people are complaining about bad Skype traffic. They can hear the others, but the others can’t hear them. There’s probably a setting I need to change?

If your HOGMIN is set to 12000, then the problem sounds like your upload is getting filled up before shaping kicks in. Make sure your Trunk UP is accurately set to reflect when this direction is saturated.

(Top)

Priority for Video

In a pinch with an important video, you can use the “Priority Host” feature

However, we don’t suggest setting a lot of IPs up for priority since this can end up defeating our equalizing when your bandwidth becomes saturated.

We also do not suggest using MASK for anything but speed test site IPs.

(Top)

Display Instantaneous Bandwidth Usage

Does the NE2000 have any real-time bandwidth display functions? I’d like to have some sort of visual display I can run on my DNS server so I can see visually what’s going on pertaining to how much bandwidth is being used. If you don’t have anything, can you recommend a program?

Here are two non-graphic ways to see instantaneous bandwidth on your NetEqualizer:

For the entire unit, you can enter (from the GUI):

misc->run a command

/usr/sbin/brctl getpeak my 0

For a particular IP, you can filter the active connections table:

misc->run a command

/usr/sbin/brctl getbrain my 0 | grep x.x.x.x

(Top)

User Limits Versus Hard Limits

I’ve added to the user limit file in this format:
IP%205.xxx.xxx.xx&INTERVAL%MONTH&WARN1%1%myname@myemail.com%Restricted%64
for all the IPs I want to slow down, but I still see many customers in ntop exceeding 500 kbps. The goal is to rate-limit all non-servers in the 205.257.202.0/24 subnet to 64 kbps.

The PDF instructions state this:

  • Toggle reporting on from the Start Stats tab under reports and graphing from the GUI
  • Edit the userlimit config file, which is accessed from a tab under Miscellaneous on the GUI
  • Toggle userlimit utility tab from the Miscellaneous tab on the Web GUI

And later:

  • Secondly START STATS must be executed for User Limits to work. See http://www.netequalizer.com/tsfaq.htm for details on how to automatically have START STATS enabled when NetEqualizer starts.

The FAQ at the above URL doesn’t even talk about “START STATS”. Additionally, in the version of NetEq that I’m running, 2.43c 1u, there isn’t even a “START STATS” in the menu tree.

User limit routines are for limiting the amount of data downloaded (bandwidth quota) and not ongoing bandwidth rates. The userlimit routine is used by providers that charge by the amount of data downloaded or uploaded and not a steady fixed rate of speed. If your intent is to enforce rate limits, then remove whatever you put into user’s limits, or at least toggle off the userlimit routine and then use the Add Rules/Hard Limit by IP and add your IPs there. You can use the range field to add multiple IPs in sequence.

(Top)

Using Pools to Relieve Congestion at a Wireless Access Point

Here is a suggestion to relieve the congestion on that AP:

1) Create a pool from the main menu and assign a bandwidth quota to it. I would use 1.5 megabits, as that is what you seem to be experiencing as your MAX throughput on that AP.

2) Add all the IP addresses to the pool. Below is a tool for this; run it from the shell command line.

3) Once your pool is running, the LOG will report the bandwidth for that pool every 20 seconds. If you see penalties for this pool in the log, you’ll know it is trying to decongest. If you want to see the instantaneous usage, you can use this command from the command line:

brctl getpeak my #

Where # is the pool number

—————— begin script —————

#!/bin/sh
# add_pool_subnet: add a run of consecutive IP addresses to a pool,
# one /art/ADD_POOL_MEMBER call per address.
# All four arguments are required.
if [ $# -lt 4 ]
then
    echo "USAGE: add_pool_subnet [pool no] [base ip x.x.x] [start_ip] [end_ip]"
    echo "will append successive IP addresses to the base starting at start ip and continuing"
    echo "to include end_ip"
    echo "example: the command add_pool_subnet 1 10.0.0 1 10"
    echo "would add the following IPs into pool 1"
    echo "10.0.0.1 , 10.0.0.2 …. 10.0.0.10"
    exit 1
fi
# The last octet cannot go past 255.
if [ "$4" -gt 255 ]
then
    echo "range too large $4"
    exit 1
fi
# Walk the last octet from start_ip to end_ip.
a=$3
while [ "$a" -le "$4" ]
do
    echo ADD_POOL_MEMBER "$1" "$2.$a"
    /art/ADD_POOL_MEMBER "$1" "$2.$a"
    sleep 1
    a=`expr "$a" + 1`
done

(Top)

Streaming Video

Streaming video has been the big complaint of late and it seems a bit better but still not great (watchable) during peak times. I think that particular issue will need more bandwidth to solve it. So far so good.

Yes, that is correct. There is no magic bullet that can provide streaming video for all without adding more bandwidth. You can raise your HOGMIN to 36,000. This will allow low resolution to run and only throttle high-resolution, which is a nice compromise. One thing that helps is if you send out a memo for students to use a player that buffers a bit before playing. That will smooth out the video during peak times, with the caveat that they might have to wait a few minutes for it to start (much less annoying). Even the high-speed Comcast circuits will get throttled and hammer videos that go longer than 15 minutes. If you watch two 10-minute YouTube videos in a row, they put you in the penalty bucket.

(Top)

Do Connection Limits Kick in When the Trunk is 85 Percent Saturated?

I’ve got the connection limits at 60 (30in/30out). I thought I would start high and see how that goes. What does your typical college/university set that to? Does it treat inbound and outbound separately from an equalizing standpoint or does equalizing happens once either link is maxed out?

Connection limits and equalizing are totally separate. Connection limits get enforced on an IP regardless of trunk usage.

As for inbound and outbound connections, 30 in and 30 out should be fine. We are actually seeing quite a bit less p2p this year than last, and you may not have any violators in a typical day. Last year, a residence hall with 1000 students might have upwards of 20 at any one time.

(Top)

Setting the Ratio Parameter

Do you have a standard practice or suggestion for what to set the ratio to? What trade-offs exist for setting it too high or too low?

Note: The Ratio parameter determines the percentage of Trunk Saturation where Equalizing kicks in.

We like 85 percent as a simple rule. The trick is how much time do you have between when equalizing kicks in and your network maxes out. If you set it at 50 percent, you would be kicking in too early. If you set it at 99 percent, it would be too late. I would guess that as network size gets to 100 megabits and beyond, you can go above 85 without any problems since it’s not so much a percentage, but how much actual bandwidth do you have in reserve.

(Top)

More Initial Set Up Questions

We are getting ready to put the NetEqualizer box into place and do some testing. I have several questions I’m hoping you can help me with:

1. Our first step is to put the box in and just have it pass traffic without any equalizing or anything turned on. Is this possible? Do we do this simply by disabling default rules, or is there a different global setting to simply let it pass traffic through with no equalizing?

Yes, turning the default rules off should do the trick.

2. We are going to test this on our Internet link which serves our entire campus. The link size is 300Mbps. Can you suggest some appropriate settings?

— Penalty unit 2
— HOGMIN 24000
— Ratio 90 percent

Make sure your ethernet link is not getting errors. There should be some tips in the quick start guide on this.

3. There will be several servers (web, dns, email) that are on our campus. We are worried they will get equalized and performance will degrade significantly. Should we be masking off these servers? If so, how does that affect our equalizing threshold? For example, say these servers are consuming 20Mbps, and our link is actually 300. How does NetEQ accommodate for this “ignored traffic”.

If these servers are using mostly local traffic, then you should mask them. If they are serving video, then use priority on their IP addresses but do not use priority for anything else. Otherwise, leave them alone.

4. We have had a hard time with our firewall when we had low “connection limit” numbers. According to your docs, you suggest placing a connection limit. We are not interested in that because we saw major problems (particularly with servers) when this feature was enabled on our firewall.

Depending on your browser, loading a single webpage can cause about 30-40 independent flows as it downloads images, etc. If you do turn on our connection limit, make sure to exempt all critical servers with high connection counts — 2000 is a good number. There are tips on how to do this in the quick start guide. If you have issues please make sure we can get access to the unit and call our support or e-mail support@apconnections.net

5. It has been asked, “When equalizing is turned on, are packets being dropped or simply delayed within the box itself?”

The default is to queue. In cases of denial of service or something that does not back off, packets may be dropped. But, as a rule, you should not notice this.

6. If the box is powered off, will traffic still pass through it? (Packeteer does this, just curious).

Not as purchased, but we do have an option to configure it that way with an upgrade. However, we believe that feature is usually sold on fear, so we do not push it. :)

(Top)

Is a Jumpy Connection Caused by NetEqualizer Penalties?

I have a laptop that I am connecting to an outside source to push a video stream up to. People here on campus will in turn connect to that outside source to pull the stream back down. There will also be others external to the campus pulling down this stream, too, but that is not an issue right now. However, the stream coming back down to campus is a bit jumpy. Not real bad, but I want to make sure it is not the NetEqualizer that is doing it. Can you give me suggestions?

You can monitor the log for Penalties on this IP.

From the shell

cat /tmp/arblog | grep x.x.x.x

Where x.x.x.x is the IP of the address that is jumpy.

(Top)

Monitor Instantaneous Bandwidth on a Connection

Is there a way that I can see how much bandwidth a specific IP address is using through the NetEQ? That would be wonderful to see too.

You can see this by filtering from the command line “brctl getbrain my 0 | grep x.x.x.x”

This will show you only those entries for that IP. The fourth field is the wavg (the average utilization on that connection).

(Top)

Does NetEqualizer Support a Way to Show Instantaneous Bandwidth Usage by User?

There are two levels of reporting on the NetEq. One is using ntop which is an open source reporting tool which shows you bandwidth usage by IP, Port etc and you can also see graphical usage reports over time. If you google NTOP you can see 100,000’s of pages of information on this popular tool. The resolution of ntop is approximately five minutes.

The second is an internal table (essentially a real-time sniffer) which will show you instantaneous usage and averages per IP over the last several seconds. This report is a simple table, but if you are interested in monitoring a particular IP, it can be done with some simple filtering.

(Top)

How Does the NetEqualizer Handle Nat’d IP Addresses? Does Equalizing Still Work?

For users behind a Nat’d router, yes, it is true they all appear as a single IP to the NetEqualizer, but when we equalize a connection we take into account the local and remote IP, and in most cases that defines a unique pair. The net result is that Equalizing will not bring down the entire IP.

(Top)

What Is the Relationship between HOGMAX and HOGMIN?

HOGMAX is a holdover variable that is essentially dormant. However, HOGMAX must be set higher than HOGMIN at all times.

If you want Equalization to hold off on users until they are at 200 kbs you can set HOGMIN to 25000 (and HOGMAX can remain at 32000)

This will get you EQUALIZING on a connection when your trunk is at 90 percent (your Ratio parameter setting) and 200kbs or more on a user connection (at the same time).

We have been doing this for a long, long time, and you may want to tighten up your HOGMIN below 25000 if your trunk starts maxing out. 4.5 megabits can get eaten quite quickly by just a few users pulling 200kbs. You may be OK though, since I don’t know your current makeup (types of users).

(Top)

Why Do the PENALTY THRESHOLD Numbers in the Log Change When Default Rules Are Off?

The THRESHOLDS become meaningless when default rules are off. In the LOG they get dynamically set to a number much larger than the current traffic; they do, however, still show up. With the default rules off, you lose equalizing in the pool; however, the pool upper limit is still enforced.

(Top)

How Long Are Streams Averaged For?

We average a stream over 8 seconds (default). So a stream running for one second and pulling 800 kbs would be counted as 80 kbs in the first second, 160 kbs in the next second, etc. This separates large Web pages, chat, and e-mail from larger persistent streams. A stream (video) running two minutes or 30 seconds would be treated the same.

We do have some customers who have taken the average out to 30 seconds. You can do whatever you want with it, but I think over time our eight-second average has proved to be best for balancing a congested network; in the end something has to give.

(Top)

Is NetEqualizer Fairness the Same Thing As Partitioning Bandwidth Equally Among Users?

This question was part of a discussion on the Educause user group list. Equalizing is a bit smarter than just dividing up bandwidth equally. Here is the excerpt from the discussion.

Cal’s question stumped me, because we have not been in that situation. Most streaming videos (i.e. YouTube) are so short that they’re over before our NetEqualizer would escalate penalties sufficient to damage the user experience. We also have a pretty decent amount of bandwidth for our number of users. In order to avoid misleading anyone with a bad answer, I forwarded Cal’s question to the vendor (APconnections) and got the response below in 11 minutes. If you want to get in touch with them, they’re at www.netequalizer.com admin@apconnections.net (No, I’m not on the payroll <grin> – but I do think it’s one of my better IT investments).

APCONNECTIONS RESPONSE:

That is a good question.

We don’t just divide the bandwidth equally like a “brain-dead” controller. It is a system of dynamic priorities that rewards smaller users at the expense of heavy users; it is very, very dynamic and there is no preset limit on any user. In fact we do not keep track of users at all, we monitor user streams. So a user may be getting one stream slowed down while at the same time having another stream untouched.

Also, situations where we cut back large streams are generally for a short duration. The NetEqualizer has a special feature whereby you can exempt and give priority to any IP address specifically for this kind of event. I am sure in this case they know what server the video is coming from.

The way I explain it is: most admins can easily identify and exempt a rare exception to our shaping rules which get it “right” most of the time. And at our price point this is what admins are gravitating toward.

(Top)

Can NetEqualizer Block Skype?

The short answer is no, it is not designed for this mission; however, we have been accused of blocking Skype, and yes, it would be possible. Some more discussion on the subject follows below.

I got a call from a customer the other day who claimed our NetEqualizer was working great, except that it was interfering with their Skype calls, and he wanted us to make it stop.

The problem is we were not touching his Skype calls at all. And then it hit me.

His upstream ISP must be interrupting them. I can’t be sure of this, but there really was no other explanation. His access was good and we checked a couple of Skype calls and their bandwidth load was well below the threshold of anything the NetEqualizer would touch by design.

Then I had another Aha moment while looking at their Skype streams on our built-in sniffer. The calls seemed to stay fairly steady in a tight range around 16kbs.

It would be very easy and low-cost to target streams in this range and periodically drop some packets, enough to make the call sound horrific while leaving any non streaming media in that bandwidth range alone. I have no intention of tweaking our NetEqualizer to fill this mission; however I did some quick research on the subject and did not come up with anything to make me think it would not work. If you are a Skype geek, feel free to comment.

(Top)

Installing a Third NIC Card

As of 2015 all new units will ship with an administration port already installed. If you have an older unit and need to add a third NIC card for administration purposes please contact support

 

(Top)

Connection Limits and a Shared Subnet

For the connection limit, all our users are in the same subnet. If I just put a connection limit on that subnet and on nothing else, will only the user subnet be limited? And all the non-subnet IPs will have no limit?

If you set a connection limit on a subnet, then yes, each IP on that subnet will get an individual limit. For example, if you set a limit of 40 on subnet X, then every member of subnet X will have a limit of 40 total connections (20 up and 20 down).

So, everything else will be “left alone”? I don’t need to add any more rules?

Yes, if the only thing you have set is a connection limit on a subnet, then no other IPs will have connection limits.

(Top)

VLAN Shaping and Accuracy

I’m looking to limit upload and download on a VLAN-by-VLAN basis. Each VLAN currently has 1-15 users (one has 80). I’m not sure what you mean by toll quality? Can you explain?

It has to do with the technology on how we limit the speed of users sharing a VLAN. It would be very simple to just DROP packets and enforce a fixed rate limit for the VLAN when the threshold was reached, and it would be very accurate. However, this creates a very unpleasant experience for users. So, the proper way to do it is to try to queue packets (slow them down a bit) and not drop them. The accuracy when doing this method can be variable for a variety of reasons, however it is much better than dropping packets. To improve accuracy (yes, we know how), we would need to provision very expensive hardware, and then the issue would be that it would price us out of many customers’ range, hence the compromise in accuracy. But, it works and we have been doing it for years this way.

(Top)

Shaping an Entire Subnet — Practical Limitations

Customer: I wanted to put all of our student IP addresses in a pool so I could limit the total bandwidth that they use and have their usage equalized among them. However, there are more than 23,000 IP addresses that are allocated to the dorm networks. Steve said that it was more than your lookup tables were designed to deal with. If I could specify these addresses using subnet and mask, I would only need two entries. So I was wondering if this might be a feature that could be added?

APconnections: It would not matter if you put them in the subnet or not. The limitation is a physical one. The NetEqualizer is designed primarily to keep a group of users from crashing a trunk that already has a restriction on it.

If you go the other direction and try to fix a specific limit on a trunk (break off a smooth chunk of bandwidth from another trunk), things get complicated in terms of resources. In a brain-dead type router or link, you can just drop packets at some fixed hard limit, which we could do but it would not be very smooth (this is what some fixed link providers do and why the link crashes at saturation).

If you put more than 1,000 or so students into a pool at one time, we try to set them up as an aggregate with a steady flow of bandwidth. This requires a buffer for each stream (and resources). You could certainly try it, nothing bad would happen, but it might not enforce the cap very well.

To do this correctly we would have to build a much more powerful system with a cost factor likely double or triple of what we have now (it’s not that we don’t know how). So that is the trade-off restriction we are working with.

Customer: Thank you for your explanation. We have since turned on global connection limits which has helped some.

(Top)

Does the NetEqualizer Have a Command Line API?
Many customers have a need to integrate the NetEqualizer with a third-party provisioning system. In order to make a turn-key provisioning process, you can call remote rsh command line utils from another computer as part of the provisioning. For example, setting up a new MAC address or IP address with a fixed rate cap.

The API is not “officially documented or supported.” However, for a competent shell programmer, the basic commands are easy to use as they are all written in Perl or Shell and can be found in the directory /art.

Most of the basic commands will appear in all caps.

Note: Many of the commands are self-documented; however, there are possibly some small undocumented nuances, so please test carefully if you do decide to write a remote ssh script.
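One way to write such a remote ssh script, as an added example rather than APconnections' own code: it validates the pool number and IP address before they are placed on the remote command line, so a malformed value handed over by the provisioning system cannot turn into extra shell commands on the unit. The host name, the login user and the DRY_RUN switch are assumptions; /art/ADD_POOL_MEMBER and its argument order (pool number, then IP) are taken from the add_pool_subnet script earlier on this page.

```shell
#!/bin/sh
# Added example: guard a remote /art command against malformed provisioning input.
# NETEQ_HOST, NETEQ_USER and DRY_RUN are assumptions made for this example.
NETEQ_HOST="${NETEQ_HOST:-neteq.example.net}"   # hypothetical unit address
NETEQ_USER="${NETEQ_USER:-admin}"               # hypothetical login
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the command, do not run it

# A pool number is one to four decimal digits and nothing else.
valid_pool() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 4 ]
}

# An address is exactly four dot-separated decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the remote command only from validated values.
# Returns 2 when either value is rejected; nothing is sent in that case.
add_pool_member() {
    pool=$1
    ip=$2
    valid_pool "$pool" || { echo "rejected pool number: $pool" >&2; return 2; }
    valid_ipv4 "$ip" || { echo "rejected IP address: $ip" >&2; return 2; }
    cmd="/art/ADD_POOL_MEMBER $pool $ip"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        # The string is re-parsed by the remote shell, which is why only
        # digits and dots are allowed to reach this point.
        ssh -o BatchMode=yes "$NETEQ_USER@$NETEQ_HOST" "$cmd"
    fi
}

# Stand-alone use: DRY_RUN=0 ./neteq_add.sh <pool> <ip>
if [ $# -eq 2 ]; then
    add_pool_member "$1" "$2"
fi
```

With DRY_RUN left at 1 the script only prints the command it would send, which is a convenient way to test the provisioning hook before pointing it at a live unit.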

(Top)

ntop Reporting Not Loading

We are having some problems viewing the ntop reports on our NetEqualizer. When I log in to the unit and click on view ntop reports it opens in a new tab but it will not load, it says network is taking too long to respond. I know that ntop is running though, because when I click on start ntop it says ntop is already running.

ntop runs on port 3000, so make sure you are allowing port 3000 on your firewall or port protection software if you use it.

Be aware that if you changed any of the settings from the default ntop setup, that they may be the problem and you should tell us about those changes.

NetEqualizer comes with enough RAM to handle the majority of networks’ reporting needs, but on some very full networks or those that have trojans or viruses live on them, the default amount of RAM or even the default amount of disk space provided for ntop (256meg) may not be enough for ntop to run for very long before running out of resources. Be sure you first do the Reset ntop files and then Start ntop and try to view the reports within the first few minutes. If ntop works for the first few minutes but fails to keep going, then you should find out what the problem IP is and try to fix it.

For those of you that cannot provide us direct access to the unit you can do the following:

Log into the web GUI and send us the output of the following.

1. Do Misc/Run a Command and run the command of: ps ax
2. Do Misc/Run a Command and run the command of: mount
3. Do Misc/Run a Command and run the command of: cat /var/log/dmesg
4. Do Misc/Show NetEq Config

We will be looking at the results you provide to see if the disk partition that ntop uses is mounted and is not read-only, and that your ntop disk partition is not having read or write issues.

(Top)

Netflix and NetEqualizer

Anything that I can adjust to help video stream a little better? I have a client trying to watch NetFlix movies online and is complaining that it continually buffers on him.

Video can sustain 700 kbs or higher, which is 1/2 a T1. You can certainly give this one user priority to solve the problem, but does your business case allow you to go down this route? How many 700 kbs streams can you sustain at one time with your current pipe? There is no magic when it comes to satisfying the customer's thirst for video.

The other option that we have seen used with YouTube is to advise customers to use a player that pre-buffers the video before playing. This works well with a 10 minute video, and I am sure Netflix has an option to download the movie first before watching it.

Most wireless ISPs just cannot afford to let customers watch unlimited (real-time) video at 39.99 per month.

Now, if you know the IPs of the Netflix servers, you can do other things, like allowing those servers to go by without being equalized, using the priority by IP and the hard limit by IP. If you know the Netflix servers' IPs and you can control how much they can take via your router or firewall, then you can do other things as well.

(Top)

Giving Priority to Certain Servers and Subnets

You can use our priority feature, however it works by IP, so you will have to enter a list of IPs. The good news is that priority is not normally needed at all, except for specific cases of real-time video.

Here is more detail on how we recommend using priority and why.

Equalizing normally favors the types of traffic that users deem important, so trying to set priority in advance for certain servers as a whole is typically unnecessary.

For example:

Let’s say you have an outward, customer-facing Web server for a university, and it has all kinds of information, including large PDF information files, but most of the hits involve users retrieving simple web pages.

When a user hits a standard web page, one of less than 500k bytes, that connection will automatically be exempt from any shaping with our normal configuration. In essence, it will already have priority.

If a user hits a large PDF file on your Web server, and the network trunk has room, it will also be untouched.

However, if a user hits a large PDF file when the network trunk is full, that download will be temporarily slowed for a few seconds. And if the network trunk overload situation abates, the PDF file transfer will return to full speed. Most web users today are somewhat subconsciously trained not to freak if a download runs a bit slower than normal (if they notice at all). However, for web pages and things like short e-mails without attachments, they will become agitated if things don’t click along. Equalizing takes advantage of the human factors of this phenomenon.

Now, if you have a real-time streaming video, that may present an occasional exception, as a temporarily slowed video tends to get choppy, which may be unacceptable. Notice that I used the term “real-time” here. For archived videos, it is quite easy to find a player that will queue up the video locally to ensure a smooth experience, and priority would not be needed.

(Top)

Using NetEqualizer to Stop Denial of Service Viruses

Since it seems that connection limits would be a really great idea to contain virus outbreaks and such, is there a reason *not* to implement them, even if we’re very gracious with the limits so they’re fairly high? I’d almost rather have them in place and able to change the number than to implement them if (when) there’s a virus outbreak on campus.

The connection limit rules (when set up incorrectly) have been known to catch things like Google, since many people connect to it (really large colleges with 10k or more users run into this issue sometimes). See below for a workaround.

You also need to make sure to exempt all of your DNS and email servers.

Some suggestions:

  1. Our latest release out in May allows for a /24 or /16 on the connection limit command. This will allow you to specify a set of IPs.
  2. I would hold off on the connection limits for a few days after you go live because likely you don’t have any issues right now over the summer anyway and it will give you time to play with equalizing without any distractions.
  3. When you do implement it, I would hit it hard though, 15 up and 15 down is a good number. Realistically, only p2p, servers or viruses use more than 10 simultaneous connections for any duration. Some p2p’s hover around 10 or so. The problem with letting them go higher is that some of the newer bittorrents will use 10 or so connections and some of them will deliver a full T1 of bandwidth on a single connection. These are likely legal distribution sites ?? But, they take a toll on your bandwidth because power users download from them all day. By setting your connection limit pretty small, the users will self identify and call, or just stop doing it once they learn it’s their p2p causing their Internet to lock up — especially if you have these in place at the beginning of the school year.
  4. One way you can see if you have a p2p problem is to do:

/art/count 10 (from the misc->run command tab)

That will show you users currently pulling more than 10 connections, which is a red flag.
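A per-IP connection count also explains why a busy DNS server or a popular outside site can trip a connection limit. The sketch below is an added example, not NetEqualizer's own /art/count, and shows this on a constructed connection table. The column layout (endpoint IPs in fields 6 and 7) is an assumption borrowed from the instant script elsewhere in this archive, and `sample_table` and `over_limit` are hypothetical names.

```shell
#!/bin/sh
# Constructed connection table, one line per connection.
# ASSUMPTION: fields 6 and 7 hold the two endpoint IPs (the columns the
# "instant" script in this archive compares); fields 1-5 are placeholders.
sample_table() {
    # 10.0.0.5: one host holding 12 connections to 12 different peers (p2p-like).
    i=1
    while [ "$i" -le 12 ]; do
        echo "x x TCP 900 100 10.0.0.5 198.51.100.$i"
        i=$((i + 1))
    done
    # Four ordinary users, each with 3 connections to one popular site
    # (203.0.113.10) and 3 lookups against the local DNS server (10.0.0.2).
    for host in 10.0.0.11 10.0.0.12 10.0.0.13 10.0.0.14; do
        for n in 1 2 3; do
            echo "x x TCP 400 40 $host 203.0.113.10"
            echo "x x UDP 1 1 $host 10.0.0.2"
        done
    done
}

# over_limit LIMIT "EXEMPT_IPS": read a table on stdin and print "ip count"
# for every endpoint with more than LIMIT connections, skipping the
# space-separated exempt addresses (DNS, email, known popular servers).
over_limit() {
    awk -v limit="$1" -v exempt="$2" '
        BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        NF >= 7 { count[$6]++; if ($7 != $6) count[$7]++ }
        END {
            for (ip in count)
                if (!(ip in skip) && count[ip] > limit + 0)
                    print ip, count[ip]
        }
    ' | LC_ALL=C sort
}

echo "Over 10 connections, no exemptions:"
sample_table | over_limit 10 ""
echo "Over 10 connections, DNS server and popular site exempt:"
sample_table | over_limit 10 "10.0.0.2 203.0.113.10"
```

Without exemptions the DNS server and the popular site are flagged alongside the p2p-like host, even though no ordinary user holds more than six connections; with them exempt, only 10.0.0.5 remains.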

Ping Is Dropping Packets

There are only two reasons that normally pop up if a simple ping is dropping packets.

The first is going over your license level. For example, if you purchased a -10 license, put it on a 100 mbit network connection and expect it to pass 100 mbit, the result is that all packets are dropped when the traffic goes over 10 mbit. The license is for the entire unit by default, not how much it is ‘managing’. To find out if you are going over your license, just do Misc/Run a Command of “dmesg” and look for lines at the very bottom that start like inc allot.

The second typically comes up if you have a Cisco involved. Sometimes the network ports don’t sync up with Cisco on the right speed/duplex. You can’t always tell this is the problem until you fix it and it goes away. To find out if you are having a hardware problem like this, you can do Misc/Stop NetEq Process and see if the problem still occurs. If it does, then you need to hard code the LAN ports on both the Cisco and the NetEqualizer. Optionally, to find out if this is the problem, you can put a small switch of another brand in between the Cisco and the NetEqualizer. The NetEqualizer has never had connection issues with things like a regular 5 port Linksys 10/100/1000 non-smart switch.

(Top)

What Are The Bridge Route And Mask For? Do I Need to Change My Network Topology in Order to Route Packets to the NetEqualizer?

I see in the NetEqualizer configuration a bridge route and mask. What are those for? Do I need to change my network topology in order to route packets to the NetEqualizer?

The BRIDGEIP, BRIDGENETMASK and BRIDGEROUTE are only used for you to get admin access to the unit. The bridge that we use for traffic passing “through” it is totally transparent and the NetEqualizer bridge does not alter packets nor route them.

Even if you swap the WAN and LAN cables it will still work, except that some things, such as reports, will be reading from the wrong interface, so “in” may look like “out”. The same goes for rules such as hard limits.

(Top)

Configuring a NetEqualizer Correctly When Your Upstream Provider Does Not Guarantee a Fixed Amount of Bandwidth at All Hours of the Day

There are two options here:

  1. If you know when the contention period hits during the day you can have the NetEqualizer dynamically drop its settings and then return to normal at a pre-set time.
  2. If it happens randomly throughout the day, you will need to set the NetEqualizer to a lower Trunk Setting to account for the worst case all the time. Although not perfectly optimal, this is much better than locking up.

(Top)

What Is Considered a High Penalty Unit?

Note: Penalty Unit is the amount of delay the NetEqualizer puts on a packet on a targeted stream that is considered a hog of bandwidth.

The PENALTY is progressive. At a value of 100, it corresponds to a full-second delay, which is usually viewed as a complete block by most applications. But this is also a relative number. Some UDP streams will continue to send despite a full-second delay (this is rare, however). So, the definition of what is a high delay is dependent on the application. Anything TCP-based will start to give up around 50 or so (1/2 second).

(Top)

NetEqualizer Seems to Be Causing My Network to Slow Down

Here is a quick check list of common causes that you might want to check before calling support.

1. Is your license key installed? You will get a warning message on the main GUI screen if you do not have a proper license.

2. Is it possible you are exceeding your license speed on the unit? Oftentimes customers accidentally run local traffic across the box in excess of their licensed amount. To check whether you are exceeding your license level and thus dropping packets, you can always do Misc/Run a Command of:

  • dmesg
  • and look for lines with inc allot ……….

A couple in the initial boot up routine is normal, but more of them down towards the bottom of the output means you tried to pass more than your license allowed and we dropped packets.

3. The other common cause of network slowing is when the Ethernet cards on the NetEqualizer do not auto negotiate correctly  with the Ethernet speeds on your router. To manually configure your ethernet card speeds you can look at the quick start guide which explains how to use the ethtool program to hard code your LAN ports.

(Top)

How NetEqualizer Enforces Fixed-Rate Limits

The NetEqualizer bandwidth shaper uses a combination of queuing and dropping to get speed under control. Queuing is the first option, but when a sender does not back off eventually, their packets will get dropped. For the most part, this combination of queuing and dropping works well.

So far we have been inferring a simple case of a single sender and a single queue, but what happens if you have a gigabit link with 10,000 users and you want to break off 100 megabits to be shared by 3000 users? How would a bandwidth shaper accomplish this? This is another area where a well-designed bandwidth controller like the NetEqualizer separates itself from the crowd.

In order to provide smooth shaping for a large group of users sharing a link, the NetEqualizer does several things in combination.

1. It keeps track of all streams, and based on their individual speeds, the NetEqualizer will use different queue delays on each stream.
2. Streams that back off will get minimal queuing.
3. Streams that do not back off may eventually have some of their packets dropped.

The net effect of the NetEqualizer queuing intelligence is that all users will experience steady response times and smooth service.

For a more detailed article on other methods of enforcing fixed-rate limits, click here.

(Top)

Keep the NetEqualizer Date/Time updated via your own NTP Time Servers

You can accomplish this by doing the following if you are on a version of NetEqualizer that has the Misc/Edit any text file option. (If you don’t, then you will need to edit the /root/settime.sh and /root/crontab files from the command line or SSH with a text editor.) 10.0.0.1 below stands for your NTP time server, so replace it with the correct one.

1. Misc/Run a Command of: touch /root/settime.sh;chmod a+x /root/settime.sh
2. Misc/Edit any text file: /root/settime.sh
3. Put the following lines in the settime.sh file which is currently blank and then post the changes:
/usr/sbin/ntpdate 10.0.0.1
/sbin/hwclock --localtime --systohc
4. Misc/Run a Command of: touch /root/crontab
5. Misc/Edit any text file: /root/crontab
Put the following line in
*/5 * * * * /root/settime.sh
Post the changes to the file
6. Do Misc/Run a Command of: crontab /root/crontab
7. Do Misc/Edit autostart and put this same crontab /root/crontab on a new line right above the line that says thedate=`date`

(Top)

Keep the NetEqualizer Date/Time updated via the Internet Time Servers

You can accomplish this by doing the following if you are on a version of NetEqualizer that has the Misc/Edit any text file option. (If you don’t, then you will need to edit the /root/settime.sh and /root/crontab files from the command line or SSH with a text editor.)

1. Misc/Run a Command of: touch /root/settime.sh;chmod a+x /root/settime.sh
2. Misc/Edit any text file: /root/settime.sh
3. Put the following lines in the settime.sh file which is currently blank and then post the changes:
/usr/sbin/ntpdate-debian
/sbin/hwclock --localtime --systohc
4. Misc/Run a Command of: touch /root/crontab
5. Misc/Edit any text file: /root/crontab
Put the following line in
*/5 * * * * /root/settime.sh
Post the changes to the file
6. Do Misc/Run a Command of: crontab /root/crontab
7. Do Misc/Edit autostart and put this same crontab /root/crontab on a new line right above the line that says thedate=`date`

(Top)

Calculate Instantaneous Bandwidth for an IP
Using the perl routine below you can find instant bandwidth for any active IP on your network. This is a bit different from what you would find by using ntop, the reporting tool, as that tends to average usage over a period of minutes.

These instructions assume that you have some basic Linux admin knowledge.

Save the attached file into the directory /art on your neteq as a file called “instant”.

You can call it anything you want; that is just what I called it.

Make sure it is executable:

chmod 777 /art/instant

and then run it:

/art/instant x.x.x.x

where x.x.x.x is the IP address whose last second of bandwidth utilization you want to view.

————————————-begin attached script—————————

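#!/usr/bin/perl -w
use strict;

# Require one dotted-quad IPv4 address. Rejecting anything else also keeps
# shell metacharacters and grep patterns out of the lookup below.
my $ip = defined $ARGV[0] ? $ARGV[0] : '';
die "Usage is: instant x.x.x.x\n" unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;

my $up   = 0;
my $down = 0;

# List-form open runs brctl directly, with no shell involved.
open(my $brain, '-|', '/usr/sbin/brctl', 'getbrain', 'my', '0')
    or die "Cannot run brctl: $!\n";
while (my $line = <$brain>) {
    chomp($line);
    my @specials = split(' ', $line);
    next if @specials < 7;    # skip headers and short lines
    # IP in field 5: add field 3 to the download total.
    $down += $specials[3] if $specials[5] eq $ip;
    # IP in field 6: add field 4 to the upload total.
    $up += $specials[4] if $specials[6] eq $ip;
}
close($brain);

print "Last second bandwidth down for $ip = $down Bytes per second \n";
print "Last second bandwidth up for $ip = $up Bytes per second \n";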

(Top)

Tuning for VLANs, HARD LIMITS and Pools Greater Than 10 Megabits

When shaping for POOLS, VLANS or hard limits greater than 10 megabits, we recommend the following tuning adjustment. This is done from the command line and needs to be done once on power up.

This feature is only available in version 4.6 or higher.

From the command line run the command:

brctl setshaping my 1 1 2 5

Remember to check the current capacity on the POOL. The command is:

brctl getpeak my XXX

where XXX is the POOL number.

If your POOL limits are still being enforced too aggressively, re-run the setshaping command and change the last number (currently 5) to 7 or 8. Keep increasing this number until you have an acceptable POOL accuracy.

Remember to put the final brctl command in your autostart file so it will be reset on any restart.

(Top)

Does the NetEqualizer Support Bursting?
Yes, see the following link for details.

(Top)

How Does the NetEqualizer Function with BGP Balancing Three Internet Links?

Customer: I read on a security forum about how Procera does peering into their BGP router so it knows when one of the links is full and hence can adjust its bandwidth shaping to focus on the traffic on the full link. Since the NetEqualizer does not have a peer a head function to read the BGP router, how does it do “equalizing” across three links? What if one is full and the other two links being balanced have capacity?  It seems the NetEqualizer balancing will only kick in when all three links are full.

NetEqualizer Support: If the BGP is balancing the multiple Internet connections then they should come full at nearly the same time and all this peering may not be worth the additional cost. Also, even if one link to the Internet was momentarily full while the others were slack, it would be fairly transient. Perhaps it (peering) might eke out a bit more efficiency, but the error and overhead in BGP is likely a bigger factor. Yes, there is a chance for some spare capacity, but on three good-sized trunks they should track pretty close and dropping your RATIO to 85 percent should keep them all clear.

(Top)

Do You Support the Latest ntop Protocols?

We have upgraded to a newer ntop with our recent 5.0 release. However, since ntop is an open source tool that we integrate, we do not detail what comes with it. We usually update the ntop about once a year in our major releases.

Just a word of caution before you become reliant on ntop’s reporting of protocols (or any other tool's, for that matter). Generally the protocols reported by ntop are not that reliable, meaning it makes for pretty reports but the accuracy is always in question if you get beyond HTTP, UDP, TCP breakdowns. In the modern Internet, everything now tunnels through HTTP and HTTPS and often uses encryption and other deceptions, so traffic cannot easily be classified. For example, even very expensive reporting tools, with many engineers behind them and costing in the $100,000 range, at best classify 70 percent, and that was our inside data as of 2005.

How do we know this? I led several open source efforts to classify protocols back in 2004, and I also built a discover engine with the University of Colorado. Many of the patterns we used to determine protocols were adopted by ntop and some commercial vendors. We stopped doing it because the accuracy was low, but it seems when people integrate these things to generate reports, it is the report that is important and not the accuracy.

(Top)

Set Up NetEqualizer to Automatically Reboot after a Power Outage

All NetEqualizers in our series (NE2000, NE3000, NE4000, and Lite) are set up to power on like a normal computer, via the BIOS. When you reboot the NetEq, just hit the DEL key and go into the BIOS, find the power up settings, and set them to always power on when power is available.

This will cause the NetEqualizer to power on after a power failure without manual intervention (you do not need to hit the power button).

(Top)

Peer-to-Peer Specific Questions


What Should We Do for Shaping of Peer-to-Peer Traffic?

The NetEqualizer/AirEqualizer can spot P2P and related applications based on our default set up (see below). Yes, there are menus for setting up specific rules for each and every application individually, but we don’t recommend doing it this way.

(Top)

NetEqualizer and Gaming

NetEqualizer under default setup mode (Equalizing turned on) will normally make response times quicker for gamers. Recently it has been observed that Xbox gamers can be affected by connection limits. If you are experiencing complaints from gamers, raise your connection limits. Note that as of 2009 Xbox is the only gaming technology where a user on your network may become a host and require more than an average number of connections. This also tends to be the behavior of p2p users. The difference is that a gaming server typically will not move large amounts of data.

(Top)

Showing TCP or UDP connections filter

You can do Misc/Run a Command of:
/usr/sbin/brctl getbrain my 0 | grep x.x.x.x | grep TCP | wc -l

Where x.x.x.x is the IP in question.
This should work as long as the IP is not in a VLAN. In that case the protocol field that reports TCP gets overwritten by the VLAN number, so the connection would not show up.

(Top)

How Do I Set Up the NetEqualizer/AirEqualizer to Best Stop All P2P Traffic?

Simply set your TRUNK_UP and TRUNK_DOWN to their correct values, make sure DEFAULT_RULES are on, and walk away!

========Step-by-Step Guide to accomplish This============
Step 1. Go to the web GUI.
Step 2. Choose Parameters/Modify parameters
Step 3. Set your TRUNK_UP (outgoing bandwidth) and TRUNK_DOWN
(incoming bandwidth) to match your specific installation.
Step 4. Make sure DEFAULT_RULES is on (this defaults to ON)
Step 5. Click the Modify Param button to apply these changes.
If you modified the TRUNK_UP or TRUNK_DOWN values then you must do steps 6 and 7
Step 6. Go to Miscellaneous/Stop NetEq/AirEq and wait for it to stop.
Step 7. Choose Miscellaneous/Start NetEq/AirEq
===============================================

(Top)

How Do I Stop Kazaa Traffic and Give Priority to HTTP?

Over the past several years with 100’s of installations we have found that our default rules act like a general antibiotic at effectively controlling ALL p2p traffic. It turns out that the “behavior” of p2p traffic is all basically the same. You do not need to set a specific rule for KAZAA to slow it down, it will get caught automatically.

(Top)

Is There Anything Else I Should Do to Protect My Network against P2P Users?

Yes, if you want additional protection against worms and certain types of p2p applications that open 100’s of connections, we advise that you also set your global connection limits to 20 or IN and OUT. Global connection limits prevent each and every IP on your network from opening more than the set number of connections. You should only use the global connection limit on the unit if you have no servers on the internal network. If you do then you must put in individual limits for each IP on your internal network you want to connection limit.

===========Step-by-Step to Accomplish This==========
Step 1. Go to the web GUI.
Step 2. Choose Add rules
Step 3. Choose Global Connection Limits
Step 4. Type in the number of connections to allow in the VAL text box.
Step 5. Click the Add Rule button to apply this rule.
==========================================

(Top)

8 Responses to “Support Archives”

  1. cgtech Says:

    We’ve had the NetEQ in line for about 2 years straight with no problems. Now our network suddenly went down. I have traced the problem to the NET EQ. I tried to ping the NetEQ, but no luck. So now I want to do a factory reset it but I need the default IP address information before I do that. I looked on the website but couldn’t find a .pdf manual. Any help?

  2. Osama Hussein Says:

    What is the latest bios version on NE2000 available now?

  3. netequalizer Says:

    As of Dec 31, 2009, we are on version 4.0.

  4. TwinTech Says:

    “We’ve had the NetEQ in line for about 2 years straight with no problems. Now our network suddenly went down. I have traced the problem to the NET EQ. I tried to ping the NetEQ, but no luck. So now I want to do a factory reset it but I need the default IP address information before I do that. I looked on the website but couldn’t find a .pdf manual. Any help?”

    I was viewing the query above and did not find a reply… we have a netequalizer S/N xxxxxxxx0006 that just went down recently yet we have no GUI on either ethernet port, we can ping it with the IP 192.168.1.120 yet no browser connection.
    The unit is of the more compact variety… model number not available at the present time.
    I have tried the console port with limited success… I have been using 8 N 1 while applying different speed and flow control settings… the best I get is a string of gibberish.
    I have looked through the online PDF user manual for specific settings… no luck.
    Any help would be appreciated as this box is presently a brick.
    Thanks for any help you can provide.

  5. netequalizer Says:

    If you are under current NSS contract, our support is the best place to go. It sounds most likely that you have a CF flash corruption which requires that we send out a new config from the factory.
