 
seyamico
just joined
Topic Author
Posts: 9
Joined: Mon Jul 02, 2018 11:49 am

Separating IX traffic from Internet Traffic

Mon Jan 04, 2021 5:04 pm

I tried to search for a solution to this situation but didn't find anything.
There is an Internet Exchange throughout our country. In remote areas, Internet is expensive because of Fiber Transmission cost. There is some service available for boosting internet speed.
The service works like this - If I purchase the service, they will give me a VPN, and the VPN boosts the internet speed by tunneling Internet speed via Internet Exchange Speed.
Let's say I have -
1Mbps of Internet Bandwidth
10Mbps of Internet Exchange Bandwidth
The VPN has 5Mbps of Internet Bandwidth, so I will get 5Mbps of Internet VPN'ed via Internet Exchange Traffic.
What we want to accomplish is to block the Speed boost. Because of this, Our Internet Purchased Internet Exchanged Bandwidth gets full. We simply want that if anyone tries to boost internet, he should not get more than 1Mbps or the package he subscribes to. Also, we cannot lower the Internet Exchange Bandwidth.
 
sindy
Forum Guru
Posts: 11238
Joined: Mon Dec 04, 2017 9:19 pm

Re: Separating IX traffic from Internet Traffic

Mon Jan 04, 2021 5:47 pm

The only technical solution to this is to throttle the bandwidth from the IP addresses to the VPN servers of that service (which may migrate dynamically, but if it does, it should be trackable using the VPN's fqdn as the address item in /ip firewall address-list row), because you cannot see the actual source and destination of the traffic inside the VPN transport packets.

But I don't understand the whole bandwidth cost issue:
  • If the problem is the bandwidth deficiency in the rural areas, how does the bandwidth shaping of access to internet sites outside the country help reduce the total bandwidth utilisation in those areas? I'd expect the large service providers like Google and Facebook, which generate most user traffic, to have local caches within the IX space, so the bulk of the user traffic would stay within the IX anyway.
  • If the problem is the bandwidth on the international links, it's the VPN provider's worry, not yours - your users do not use your international links but the VPN provider's ones.
What am I missing?
 
seyamico
just joined
Topic Author
Posts: 9
Joined: Mon Jul 02, 2018 11:49 am

Re: Separating IX traffic from Internet Traffic

Mon Jan 04, 2021 6:11 pm

The bandwidth transmission cost is very high in rural areas. As the Internet Bandwidth is very costly, adding the transmission cost it gets very high. For the home user scenario, we have many Media Streaming Services and Govt. Services passed through the Internet Exchange. Though the Internet Exchange Bandwidth price is not so high, the transmission price remains the same.
The problem arises when people boost their Internet. Our Internet Exchange Traffic gets full, and legitimate users cannot access Internet Exchange Bandwidth based services. So our plan is like this -
  • If a user tries to boost his internet, he will get the same amount of Internet Bandwidth he subscribed to.
  • Other users should use Internet Exchange Bandwidth smoothly.
Our entire goal is to prevent abuse of Internet Exchange Traffic.
 
sindy
Forum Guru
Posts: 11238
Joined: Mon Dec 04, 2017 9:19 pm

Re: Separating IX traffic from Internet Traffic

Mon Jan 04, 2021 6:48 pm

So what you are actually saying is that the "real internet" traffic heavily increases the use of the bandwidth if no limit is imposed on it, and the only reason I can imagine is that the content available via Internet Exchange is much less attractive than the one available via Real Internet.

OK - from what you say it seems you already have two bandwidth limitation classes per user, and you classify the traffic based on the "remote IP" (seen from user perspective), where some prefixes (subnets) identify the Internet Exchange class, and the rest is classified as Real Internet. So to me, the whole task is to find out whether the IP addresses of the VPN servers are static or dynamic, and if they are dynamic, to find out how the VPN clients learn them. And then make traffic to/from those servers be classified as internet one although the addresses are actually from the Internet Exchange address space. The actual bandwidth through the VPN will be slightly less than the one of direct access to Real Internet due to the VPN overhead, but I don't think it should bother you.

From a legal point of view it may be a bit complicated; it depends on how your end user contracts are written (whether they expressly prohibit use of technical means to overcome the bandwidth regulation).

What you are not able to do is to selectively throttle only those VPN packets which carry the Real Internet payload, so if the VPN client software is so stupid that it sends everything through the tunnel, by the above you'd limit also the Internet Exchange traffic for the VPN users.

But more important, as soon as providers of attractive content build local caches for it within the Internet Exchange address space, you'll be back where you are now, as the actual issue is not "Real internet" vs "Internet Exchange" but attractive content vs. unattractive content. And blocking or bandwidth-limiting just part of Google or Facebook services selectively while leaving other services of the same providers unrestricted is a mission impossible.
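
The classification order described in the replies above (VPN servers matched before the IX prefixes, everything else treated as Internet), written out as a RouterOS sketch. This is an added example, not configuration posted by anyone in the thread; the list names, mark names, prefixes and the FQDN are placeholders, and it assumes the existing per-user queues already match on packet marks.

```routeros
# Constructed example: every name, prefix and FQDN below is a placeholder.

/ip firewall address-list
# Prefixes reachable through the Internet Exchange (documentation ranges as stand-ins)
add list=ix-prefixes address=198.51.100.0/24 comment="IX member prefix (placeholder)"
add list=ix-prefixes address=203.0.113.0/24 comment="IX member prefix (placeholder)"
# VPN endpoint of the boosting service, given as an FQDN so the router
# re-resolves it and tracks the servers if their addresses change
add list=boost-vpn address=vpn.boost.example comment="boost VPN servers (placeholder FQDN)"

/ip firewall mangle
# Rule order matters: the VPN servers sit inside IX address space,
# so they must be matched before the generic IX rule.
add chain=forward connection-mark=no-mark dst-address-list=boost-vpn \
    action=mark-connection new-connection-mark=conn-inet passthrough=yes \
    comment="1: boost VPN servers count as Internet"
add chain=forward connection-mark=no-mark dst-address-list=ix-prefixes \
    action=mark-connection new-connection-mark=conn-ix passthrough=yes \
    comment="2: remaining IX destinations"
add chain=forward connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn-inet passthrough=yes \
    comment="3: everything else is Internet"

# Translate connection marks into the packet marks the queues match on.
# The connection mark covers both directions of the flow.
add chain=forward connection-mark=conn-inet \
    action=mark-packet new-packet-mark=pkt-inet passthrough=no
add chain=forward connection-mark=conn-ix \
    action=mark-packet new-packet-mark=pkt-ix passthrough=no
```

Connections handled by FastTrack bypass mangle and queues, so any fasttrack-connection rule has to exclude this traffic. As the reply notes, a VPN client that tunnels everything will have its IX traffic limited to the Internet class as well.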