ipfw, dummynet and a large subnet to shape

Sean Hafeez sahafeez at edgefocus.com
Mon Jun 16 09:24:00 PDT 2003


Thanks. Just did that. I will see how it goes. I have one question:

ipfw pipe show

0001:   1.024 Mbit/s    0 ms   50 sl. 29 queues (256 buckets) droptail
     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  32 ip       10.0.128.16/0             0.0.0.0/0       14      924  0    0   0
  64 ip       10.0.128.32/0             0.0.0.0/0        1       70  0    0   0
00002:   1.024 Mbit/s    0 ms   50 sl. 23 queues (256 buckets) droptail
     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  17 ip           0.0.0.0/0         10.0.128.16/0        7      658  0    0   0
  33 ip           0.0.0.0/0         10.0.128.32/0        1      147  0    0   0
  35 ip           0.0.0.0/0         10.0.128.34/0        1      147  0    0   0


Sorry if it is hard to read - I just want to know why the IPs show up 
as 0.0.0.0/0 and does it matter?

Are there any better docs on dummynet - the man page is not the best. I 
would be interested in seeing any work that anyone has done. Google does 
not really have a lot of good stuff.



Thanks!




Ben Pfountz wrote:
> You probably want something more like this:
> 
> ipfw -f flush
> /sbin/natd -interface rl0
> ipfw add divert natd all from any to any via rl0
> ipfw add pipe 1 ip from any to any in recv rl1
> ipfw add pipe 2 ip from any to any out xmit rl1
> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> 
> Remember that incoming packets are destined for your outside interface until
> the firewall diverts the packets to natd.  For this reason, your pipe for
> packets coming in in rl0 would have always had a dst-ip of your outside
> interface.
> 
> Hope this helps.
> 
> Ben
> 
> 
> ----- Original Message ----- 
> From: "Sean Hafeez" <sahafeez at edgefocus.com>
> To: <freebsd-ipfw at freebsd.org>
> Sent: Monday, June 16, 2003 11:22 AM
> Subject: ipfw, dummynet and a large subnet to shape
> 
> 
> 
>>i have been reading thru all the links on google and the man pages and
>>facts and have come to realize that the information is quite - not
>>right.
>>
>>here is what i need to do:
>>
>>i have a network - 10.0.0.0/22 that is nat'd. the external interface
>>is rl0 and the internal is rl1. i want everyone shaped to 1024kbits/s.
>>when i say everyone i mean each unique user (ie, 10.0.0.23 or
>>10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
>>and up.
>>
>>here is what i got.
>>
>>ipfw -f flush
>>/sbin/natd -interface rl0
>>ipfw add 999 divert natd all from any to any via rl0
>>ipfw add pipe 1 ip from any to any in via rl1
>>ipfw add pipe 2 ip from any to any in via rl0
>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>>
>>i have added:
>>
>>net.inet.ip.fw.one_pass=0
>>net.inet.ip.dummynet.hash_size=256
>>net.inet.ip.dummynet.max_chain_len=64
>>
>>to sysctl.conf.
>>
>>does not seem to be working right. have i got this wrong?
>>
>>thanks!
>>
>>_______________________________________________
>>freebsd-ipfw at freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>>
>>
> 
> 
> 
> 
> 
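Added example (not part of the original messages and not dummynet's own code): a small Python model of how a pipe mask turns packets into per-flow queues, showing why the unmasked side of each bucket prints as 0.0.0.0/0 and why a dst-ip mask applied before natd has translated the packet puts every user in one queue. The addresses 192.0.2.1, 198.51.100.x and 203.0.113.5 and the packet sizes are constructed sample values; the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

def flow_key(src, dst, src_mask, dst_mask):
    """Masked flow ID: address bits outside the mask are zeroed."""
    s = int(ipaddress.IPv4Address(src)) & src_mask
    d = int(ipaddress.IPv4Address(dst)) & dst_mask
    return str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d))

def queues(packets, src_mask=0, dst_mask=0):
    """Group (src, dst, size) packets into queues keyed by masked flow ID.
    Returns {(src, dst): (packets, bytes)}; each key is one bucket line."""
    q = defaultdict(lambda: [0, 0])
    for src, dst, size in packets:
        key = flow_key(src, dst, src_mask, dst_mask)
        q[key][0] += 1
        q[key][1] += size
    return {k: tuple(v) for k, v in q.items()}

OUTSIDE = "192.0.2.1"  # constructed address standing in for rl0's outside IP

# Constructed traffic: uploads from two inside hosts, seen "in recv rl1".
upload = [("10.0.128.16", "198.51.100.7", 66),
          ("10.0.128.32", "198.51.100.9", 70),
          ("10.0.128.16", "203.0.113.5", 66)]
# Replies as they arrive on rl0, before natd rewrites the destination.
replies_on_rl0 = [("198.51.100.7", OUTSIDE, 94),
                  ("198.51.100.9", OUTSIDE, 147)]
# The same replies after translation, leaving "out xmit rl1".
replies_on_rl1 = [("198.51.100.7", "10.0.128.16", 94),
                  ("198.51.100.9", "10.0.128.32", 147)]

def demo():
    return {
        # mask src-ip 0xffffffff: one queue per inside host, dst shown as 0.0.0.0
        "pipe1_in_recv_rl1": queues(upload, src_mask=0xffffffff),
        # mask dst-ip 0xffffffff on untranslated packets: a single shared queue
        "pipe2_on_rl0_before_natd": queues(replies_on_rl0, dst_mask=0xffffffff),
        # mask dst-ip 0xffffffff after translation: one queue per inside host
        "pipe2_out_xmit_rl1": queues(replies_on_rl1, dst_mask=0xffffffff),
    }

if __name__ == "__main__":
    for name, table in demo().items():
        print(name)
        for (src, dst), (pkts, nbytes) in table.items():
            print(f"  {src:>15}/0 -> {dst:>15}/0  {pkts} pkts {nbytes} bytes")
```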



