Squid bandwidth quotas?

jonmullen, Platinum Member, Jun 17, 2002
I am in a situation where I need to set up monthly bandwidth quotas for all my users. I have each user in a separate ACL based on their MAC address. How can I get Squid set up to track their bandwidth over the month and start to implement delay pools if they exceed their allotment... I have done a fair amount of googling and found nothing about bandwidth quotas. If someone could point me in the right direction of documentation or a howto, that would be great. I would have thought there would be more info on this considering how many universities are doing this.
 

groovin, Senior member, Jul 24, 2001
Oooh, that's a tough one. As far as my limited workings with Squid have gone... I haven't seen anything like that done.

I heard something about MRTG but I know nothing about it. If you ever figure it out, please post it... I'd like to know. Good luck!
 

Garion, Platinum Member, Apr 23, 2001
Ahh.. Proxies, my favorite subject.

Some basics: First of all, proxies don't care about MAC addresses. They work strictly at the IP layer. Unless you have static IPs, you're never going to be able to get good statistics on individual users without doing user authentication on the proxy. That's always an option, but then you have to deal with all of the associated management costs of that, too.

Even if you can monitor users, it's nearly impossible to do any kind of quota management within Squid, that I know of. The only way that I can think to do it would be a bit clunky. Enable logging user authentication, and make sure your log entries include the file size of each object. At the end of each day, run a script to parse the log and sum up the objects requested by each user and add it all up for your quota period (month, week, etc.). You'd then need ANOTHER script to parse this data and edit the Squid access filters to deny anybody that's over their quota. You could make this script run each hour, every few hours, etc. I've got this first script already written to pull from a squid log format file and sum it up, if you want it.

Nasty, difficult, but that's the only way I see to pull it off with what I know now. That is, unless you want to go out and snag a commercial product like WebSense (that costs $20+/user!) that can do it.

The only thing I found looking through Google was one guy that was trying to develop a system like this down under.
Here's the link. I didn't see anything come out of it, but you might drop him a line and see what he ended up doing (if anything).

- G
 

cmetz, Platinum Member, Nov 13, 2001
jonmullen, why don't you do this at the IP layer instead? There are traffic accounting tools available and OpenBSD and Linux can do reasonable IP traffic shaping. Do accounting to find out who's over the limit, and if so a little bit of scripting in a cron job can add them to the traffic shaper.
 

jonmullen, Platinum Member, Jun 17, 2002
I guess I don't mind just mapping everyone to a static IP address and doing it that way, but from the reading it looked like Squid would allow me to create an ACL based on an ARP MAC address; the command looked something like this in the squid.conf:

acl user1 arp 0A:04:00:11:1C:4F

I was thinking the only way to do what I wanted was the idea of several scripts to read the log and make decisions based on it, then to rewrite the squid.conf file. I doubt this will be too hard for me, since I have worked with Perl quite a bit. My question is: is my idea of putting users into ACLs based on their MAC address a bad idea? I am not too worried about how it makes it hard to manage; I am going to end up writing a web interface that will be used to administrate the box. My concern is whether Squid logs the amount of bandwidth used for each ACL. The goal for the user tracking side is to be able to add them to the system when they have been approved, and then not have them have to do anything on their computer to use the internet (i.e. no proxy login or whatever). That is why I thought MAC would be a good idea; it's harder for them to change or spoof than an IP address.

Garion---If you have any scripts that would make parsing the log file easier, that would be a big help, or any other ideas you have. I am fairly new to proxies. The most I have done before is set up some basic caching proxies. TIA
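An added example of the approach Garion outlines above and jonmullen asks about (this is not Garion's script, which was never posted in the thread): it parses Squid's native access.log format, accumulates reply bytes per client across runs, and emits a squid.conf fragment denying whoever is over quota. Note that access.log records the client IP (and the proxy-auth user, when authentication is on), not which ACL matched, so the per-MAC arp ACLs do not by themselves yield per-user byte counts; the sample log lines and QUOTA_BYTES are constructed values.

```python
import re
from collections import defaultdict

# Squid native access.log layout, one request per line (added example, not the thread's script):
#   time.ms  elapsed  client  code/status  bytes  method  URL  user  hierarchy/from  type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

QUOTA_BYTES = 1_000_000  # assumed allotment for the quota period

# Constructed sample lines; both clients are unauthenticated, so the user field is "-".
SAMPLE_LOG = """\
1046217600.123    245 10.0.0.5 TCP_MISS/200 524288 GET http://example.com/big.iso - DIRECT/192.0.2.10 application/octet-stream
1046217601.456     12 10.0.0.7 TCP_HIT/200 2048 GET http://example.com/index.html - NONE/- text/html
1046217602.789    300 10.0.0.5 TCP_MISS/200 1048576 GET http://example.com/big2.iso - DIRECT/192.0.2.10 application/octet-stream
1046217603.000      5 10.0.0.7 TCP_DENIED/403 1200 GET http://example.com/x - NONE/- text/html
"""


def sum_bytes(lines, totals=None, by_user=False):
    """Add each reply's size to a per-client total.

    Pass the previous run's ``totals`` to accumulate across the quota period;
    ``by_user=True`` keys on the proxy-auth user field instead of the client IP.
    """
    totals = defaultdict(int, totals or {})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip blank or malformed lines rather than abort the run
            continue
        key = m.group("user") if by_user else m.group("client")
        totals[key] += int(m.group("bytes"))
    return dict(totals)


def over_quota(totals, quota_bytes=QUOTA_BYTES):
    """Sorted keys whose accumulated bytes exceed the quota."""
    return sorted(k for k, b in totals.items() if b > quota_bytes)


def render_deny_acl(clients, by_user=False):
    """squid.conf fragment for a cron job to regenerate, then reload Squid."""
    if not clients:
        return "# no clients over quota\n"
    acl_type = "proxy_auth" if by_user else "src"
    return (f"acl overquota {acl_type} {' '.join(clients)}\n"
            "http_access deny overquota\n")
```

The generated fragment has to be included ahead of the existing http_access allow rules, because Squid applies the first http_access line that matches.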
 

Garion, Platinum Member, Apr 23, 2001
The scripts I have manipulate log files, not the proxies themselves - we use big iron proxies (a single one of my boxes can do about 2Gb/s of streaming and 300+Mb/s of HTTP and I have a bunch of them), but they dump logs in Squid format and I can parse those. Send me a PM with your e-mail address and I'll sanitize the script and get it off to you. Not terribly complex, but it does a nice job of summarizing the logs.

Doing things by ACL, even by IP, is an iffy thing. MAC could be difficult, especially if you build a complex solution around it and you suddenly need to install a WAN where you don't HAVE visibility to the MAC address. It's also got downfalls - if John's machine hits his quota, he can just walk next door and use Ted's while he's on vacation, on a day off or at lunch. Authenticating users is really the ONLY way to create real user-based quotas.

How many users do you have to deal with? Why do you want to do this? What's the issue? There are some other products and services out there that might help you deal with your problem that you might not be familiar with.

- G
 

jonmullen, Platinum Member, Jun 17, 2002
To tell the truth the quota is really more of a second thought, and we are not really as worried about it on a per-user basis as we are on a per-machine basis. We are dealing with about 80 users. It is a college sorority setting, and the girls' computers have been out of control with virus and worm infections. As a result the house is setting up new internet policies. The first of which is the girls must have anti-virus that is up to date. This is spot checked by the house mother, and allowing them access to the network or not will be taken care of through a web admin interface I will be building later. The second new policy is that the girls are not to have any p2p filesharing apps. This will also be spot checked, but now she sees the need for the extra control she gets over the house internet by implementing a proxy. The purpose of the bandwidth quota is to discourage p2p filesharing, and try to conserve bandwidth. The hope is that even though spot checking will not make sure everyone has stopped using p2p apps, when they get cut off they will learn to correct the problem themselves. The reason for now that they don't want to try user authentication is that it is likely to create more hassles than it is beneficial. If there is any other info that would be helpful just ask.
 

buleyb, Golden Member, Aug 12, 2002
Wouldn't assigned dynamic addressing be a better option than static addressing? That way the clients can remain stupid, and you can always change the addresses from the server.
 

jonmullen, Platinum Member, Jun 17, 2002
Originally posted by: buleyb
Wouldn't assigned dynamic addressing be a better option than static addressing? That way the clients can remain stupid, and you can always change the addresses from the server.

That's how it is now... technically they are dynamic, but I have given dhcpd such a large batch of IPs that it's not going to run out... so each girl ends up getting the same IP address assigned to her each time. But I really don't care too much about what their IP address is, since it would not take a whole lot of smarts for them to learn they can give themselves their own IP or change it when they feel like it. That's why it's a lot harder for them to spoof a MAC address.