My requirement:
I need to run a WiFi hotspot from a PC. People connecting to the hotspot should be able to access the local web server running on the PC at full speed, and the internet at throttled speeds. I have tried setting up the system using the software tools listed below. I am running this on a low-power PC, so I want this to be as optimised as it can be. I need you to check and verify whether I am doing all this right.
- people connected to wlan0 should access 127.0.0.1:80 at full speed.
- people connected to wlan0 should access the internet through eth0 at 50KBps.
Interface and PC setup:
- eth0 - wired internet connection
- wlan0 - acts as hotspot - using hostapd
- dnsmasq for dhcp and dns for the hotspot
- local web server runs on 127.0.0.1:80
- squid for throttling network transfer rates
dnsmasq config file (for IP range and DNS settings):
interface=wlan0 # Use interface wlan0
except-interface=lo
listen-address=172.24.1.1 # Explicitly specify the address to listen on
bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere
server=8.8.8.8 # Forward DNS requests to Google DNS
domain-needed # Don't forward short names
bogus-priv # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time
For routing the traffic: iptables entries
Rule 1
Squid (throttling network speed) runs on port 3128, so route TCP ports 80 and 443 on eth0 (the internet-providing interface) to the squid server for throttling, so that squid runs like a proxy server.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.24.1.1:3128
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.24.1.1:3128
Rule 2
Here, route the wlan0 (client) requests to the squid proxy server running on port 3128.
# Matches any destination, including 172.24.1.1:80 (the local web server), so that traffic also goes through squid
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 3128
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 3128
Rule 3
It helps to give a response to the clients who connect via wlan0.
sudo iptables -t nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
Rule 4
Route a particular IP's requests to lo (the local server runs on 127.0.0.1:80).
# DNAT to 127.0.0.1 from a non-loopback interface is only delivered when net.ipv4.conf.wlan0.route_localnet=1;
# this rule also sits after Rule 2, which already matches port 80 from wlan0
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -d 172.24.1.1 -j DNAT --to-destination 127.0.0.1:80
Squid configuration
# Network address with host bits zeroed (squid warns about 172.24.1.2/24 and normalises it to this)
acl test src 172.24.1.0/24
delay_pools 1
delay_class 1 1
delay_parameters 1 100000/100000 # 100 kilobytes per second
delay_access 1 allow test
All this looks like it is working, but the PC and network get slow at times, and definitely slow when a lot of people are accessing the hotspot.
Also, how do I do a performance analysis of this firewall system?
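One cheap first check on a firewall like the one above, as an added example that is not part of the original post: read the per-rule packet counters from `sudo iptables -t nat -L PREROUTING -v -n -x` and flag rules that never match. The counter text embedded below is constructed to mirror the post's PREROUTING chain (assumed values, not captured from a real box); in it the Rule 4 DNAT shows zero hits because the earlier Rule 2 REDIRECT on port 80 already catches traffic to 172.24.1.1.

```shell
#!/bin/sh
# Added example: summarise iptables NAT counters to spot dead or shadowed rules.
# SAMPLE is constructed output in the format of: iptables -t nat -L PREROUTING -v -n -x

SAMPLE='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      10        600 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.24.1.1:3128
       0          0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.24.1.1:3128
    5000     300000 REDIRECT   tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
    2000     120000 REDIRECT   tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3128
       0          0 DNAT       tcp  --  wlan0  *       0.0.0.0/0            172.24.1.1           to:127.0.0.1:80'

# Print the rules (read from stdin) whose packet counter is zero.
# A rule that is never hit is either unused or shadowed by an earlier rule in the chain.
zero_hit_rules() {
    awk '/^Chain/ || $1 == "pkts" { next } $1 == 0 { print }'
}

# Sum packet counters per input interface (read from stdin), printed as "iface pkts".
# Useful to see how much of the NAT work is client (wlan0) versus upstream (eth0) traffic.
hits_by_interface() {
    awk '/^Chain/ || $1 == "pkts" { next } { n[$6] += $1 }
         END { for (i in n) print i, n[i] }'
}

# Stand-alone run on the constructed sample; on a live system pipe in the real
# iptables output instead, e.g.: sudo iptables -t nat -L PREROUTING -v -n -x | zero_hit_rules
printf '%s\n' "$SAMPLE" | zero_hit_rules
printf '%s\n' "$SAMPLE" | hits_by_interface
```

Zero the counters with `sudo iptables -t nat -Z PREROUTING` before a load test so the numbers reflect only that test.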