ipfw, dummynet and a large subnet to shape

Ben Pfountz netprince at vt.edu
Mon Jun 16 08:59:00 PDT 2003


You probably want something more like this:

ipfw -f flush
/sbin/natd -interface rl0
ipfw add divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

Remember that incoming packets are destined for your outside interface until
the firewall diverts the packets to natd.  For this reason, your pipe for
packets coming in on rl0 would have always had a dst-ip of your outside
interface.

Hope this helps.

Ben


----- Original Message ----- 
From: "Sean Hafeez" <sahafeez at edgefocus.com>
To: <freebsd-ipfw at freebsd.org>
Sent: Monday, June 16, 2003 11:22 AM
Subject: ipfw, dummynet and a large subnet to shape


> i have been reading thru all the links on google and the man pages and
> facts and have come to realize that the information is quite - not
> right.
>
> here is what i need to do:
>
> i have a network - 10.0.0.0/22 that is nat'd. the external interface
> is rl0 and the internal is rl1. i want everyone shaped to 1024kbits/s.
> when i say everyone i mean each unique user (ie, 10.0.0.23 or
> 10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
> and up.
>
> here is what i got.
>
> ipfw -f flush
> /sbin/natd -interface rl0
> ipfw add 999 divert natd all from any to any via rl0
> ipfw add pipe 1 ip from any to any in via rl1
> ipfw add pipe 2 ip from any to any in via rl0
> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>
> i have added:
>
> net.inet.ip.fw.one_pass=0
> net.inet.ip.dummynet.hash_size=256
> net.inet.ip.dummynet.max_chain_len=64
>
> to sysctl.conf.
>
> does not seem to be working right. have i got this wrong?
>
> thanks!
>
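The following is an added example, not part of the original thread. It models only how a pipe with `mask dst-ip` splits traffic into per-flow queues, to show why the destination address a packet carries when the pipe rule matches decides whether users are shaped individually. The public address 203.0.113.10 and the packet counts are constructed; the internal hosts are the ones named in the question. It does not model ipfw rule ordering or natd itself.

```python
import ipaddress
from collections import Counter

PIPE_BW_KBITS = 1024          # bw value from the thread's pipe config
PUBLIC_IP = "203.0.113.10"    # constructed outside address on rl0 (assumption)

# Constructed download traffic: (internal host, packet count)
DOWNLOADS = [("10.0.0.23", 40), ("10.0.1.77", 25), ("10.0.2.32", 35)]

def flow_key(addr: str, mask: int) -> str:
    """Flow id used to pick a queue: the address ANDed with the pipe's mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))

def queues(dst_addrs, mask=0xFFFFFFFF):
    """Return packets per dynamic queue for a list of destination addresses."""
    return Counter(flow_key(dst, mask) for dst in dst_addrs)

def dst_before_nat():
    # Arriving on the outside interface, not yet translated:
    # every reply is addressed to the single public IP.
    return [PUBLIC_IP for _host, n in DOWNLOADS for _ in range(n)]

def dst_after_nat():
    # Leaving on the inside interface: the internal destination is restored.
    return [host for host, n in DOWNLOADS for _ in range(n)]

def report(label, q):
    print(f"{label}: {len(q)} queue(s), each limited to {PIPE_BW_KBITS} kbit/s")
    for key, n in sorted(q.items()):
        print(f"  {key:<15} {n} packets")

if __name__ == "__main__":
    # One shared queue: all users compete for a single 1024 kbit/s limit.
    report("dst-ip 0xffffffff, pre-NAT addresses ", queues(dst_before_nat()))
    # One queue per internal host: each user gets an own limit.
    report("dst-ip 0xffffffff, post-NAT addresses", queues(dst_after_nat()))
    # A shorter mask groups hosts, here one queue per /24.
    report("dst-ip 0xffffff00, post-NAT addresses", queues(dst_after_nat(), 0xFFFFFF00))
```

On a live system, `ipfw pipe show` lists the dynamic queues a pipe has created, which is the quickest check that the mask is producing one queue per internal host.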