ipfw, dummynet and a large subnet to shape

Sean Hafeez sahafeez at edgefocus.com
Mon Jun 16 10:15:27 PDT 2003


Damn. I just had a brain fart. I have nodes (wireless APs) on this 
network that I do not want limited. So based on the 1st matching rule 
if I:

ipfw -f flush
/sbin/natd -interface rl0
ipfw add divert natd all from any to any via rl0
ipfw add allow ip from any to 10.0.0.5
ipfw add allow ip from any to 10.0.0.6
ipfw add allow ip from 10.0.0.5 to any
ipfw add allow ip from 10.0.0.6 to any
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

Will it work? I want to exclude a range or a single IP from the pipe and 
shape everything that is not excluded.




Ben Pfountz wrote:
> My guess here, but...
> 
> It has to do with you using the src-ip and dst-ip in creating a mask for
> each pipe.  When using src-ip as a mask, the dst-ip doesn't matter and
> therefore shows as 0.0.0.0/0.
> 
> A lot of the knowledge I have gained from dummynet came from trial and error.
> I have not really written any of it down in a paper format, though I should.
> 
> Ben
> 
> 
> ----- Original Message ----- 
> From: "Sean Hafeez" <sahafeez at edgefocus.com>
> To: "Ben Pfountz" <netprince at vt.edu>
> Cc: <freebsd-ipfw at freebsd.org>
> Sent: Monday, June 16, 2003 12:23 PM
> Subject: Re: ipfw, dummynet and a large subnet to shape
> 
> 
> 
>>Thanks. Just did that. I will see how it goes. I have one question:
>>
>>ipfw pipe show
>>
>>0001:   1.024 Mbit/s    0 ms   50 sl. 29 queues (256 buckets) droptail
>>     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
>>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>>  32 ip       10.0.128.16/0             0.0.0.0/0       14      924  0    0   0
>>  64 ip       10.0.128.32/0             0.0.0.0/0        1       70  0    0   0
>>00002:   1.024 Mbit/s    0 ms   50 sl. 23 queues (256 buckets) droptail
>>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
>>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>>  17 ip           0.0.0.0/0         10.0.128.16/0        7      658  0    0   0
>>  33 ip           0.0.0.0/0         10.0.128.32/0        1      147  0    0   0
>>  35 ip           0.0.0.0/0         10.0.128.34/0        1      147  0    0   0
>>
>>
>>Sorry if it is hard to read - I just want to know why the IPs show up
>>as 0.0.0.0/0 and does it matter?
>>
>>Are there any better docs on dummynet - the man page is not the best. I
>>would be interested in seeing any work that anyone has done. Google does
>>not really have a lot of good stuff.
>>
>>
>>
>>Thanks!
>>
>>
>>
>>
>>Ben Pfountz wrote:
>>
>>>You probably want something more like this:
>>>
>>>ipfw -f flush
>>>/sbin/natd -interface rl0
>>>ipfw add divert natd all from any to any via rl0
>>>ipfw add pipe 1 ip from any to any in recv rl1
>>>ipfw add pipe 2 ip from any to any out xmit rl1
>>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>>>
>>>Remember that incoming packets are destined for your outside interface until
>>>the firewall diverts the packets to natd.  For this reason, your pipe for
>>>packets coming in on rl0 would have always had a dst-ip of your outside
>>>interface.
>>>
>>>Hope this helps.
>>>
>>>Ben
>>>
>>>
>>>----- Original Message ----- 
>>>From: "Sean Hafeez" <sahafeez at edgefocus.com>
>>>To: <freebsd-ipfw at freebsd.org>
>>>Sent: Monday, June 16, 2003 11:22 AM
>>>Subject: ipfw, dummynet and a large subnet to shape
>>>
>>>
>>>
>>>
>>>>I have been reading through all the links on Google and the man pages and
>>>>facts and have come to realize that the information is quite - not
>>>>right.
>>>>
>>>>Here is what I need to do:
>>>>
>>>>I have a network - 10.0.0.0/22 that is NAT'd. The external interface
>>>>is rl0 and the internal is rl1. I want everyone shaped to 1024kbits/s.
>>>>When I say everyone I mean each unique user (i.e., 10.0.0.23 or
>>>>10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
>>>>and up.
>>>>
>>>>Here is what I got.
>>>>
>>>>ipfw -f flush
>>>>/sbin/natd -interface rl0
>>>>ipfw add 999 divert natd all from any to any via rl0
>>>>ipfw add pipe 1 ip from any to any in via rl1
>>>>ipfw add pipe 2 ip from any to any in via rl0
>>>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>>>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>>>>
>>>>I have added:
>>>>
>>>>net.inet.ip.fw.one_pass=0
>>>>net.inet.ip.dummynet.hash_size=256
>>>>net.inet.ip.dummynet.max_chain_len=64
>>>>
>>>>to sysctl.conf.
>>>>
>>>>Does not seem to be working right. Have I got this wrong?
>>>>
>>>>Thanks!
>>>>
>>>>_______________________________________________
>>>>freebsd-ipfw at freebsd.org mailing list
>>>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
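As an added example that is not code from this thread or from FreeBSD: a small Python model of the ipfw first-match walk and of dummynet's per-flow mask keying, run over the ruleset at the top of the thread (divert to natd on rl0, the four allow rules for the APs, then pipe 1 keyed on src-ip for packets received on rl1 and pipe 2 keyed on dst-ip for packets sent out rl1). natd, rule matching and the pipes are modelled only as far as is needed to see which bucket each packet lands in. The outside address 198.51.100.1, the remote server 203.0.113.10, the ports, and the three sample hosts 10.0.0.23, 10.0.1.77 and 10.0.0.5 (the last one an excluded AP) are constructed for the example, and the model assumes the kernel's default rule accepts, since the thread's rulesets end without an explicit allow.

```python
from collections import namedtuple

OUTSIDE_IP = "198.51.100.1"          # assumed address of rl0 (constructed)
REMOTE = "203.0.113.10"              # constructed remote server
EXCLUDED = ("10.0.0.5", "10.0.0.6")  # the wireless APs that must not be shaped
HOSTS = (("10.0.0.23", 5000), ("10.0.1.77", 5001), ("10.0.0.5", 5002))
# A packet as ipfw sees it: iface "rl0"/"rl1", dir "in" (recv) or "out" (xmit)
Packet = namedtuple("Packet", "src dst sport dport iface dir")

def masked(ip, mask):
    """Dummynet flow-mask keying: a field not in the mask keys as 0.0.0.0."""
    a, b, c, d = (int(x) for x in ip.split("."))
    n = ((a << 24) | (b << 16) | (c << 8) | d) & mask
    return f"{n >> 24}.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"

class Natd:
    """Toy 'natd -interface rl0': src rewritten going out, dst coming back in."""
    def __init__(self):
        self.alias, self.inside = {}, {}  # (ip, port) -> alias port, and back

    def alias_for(self, ip, port):
        if (ip, port) not in self.alias:
            a = 40000 + len(self.alias)
            self.alias[(ip, port)], self.inside[a] = a, (ip, port)
        return self.alias[(ip, port)]

    def translate(self, pkt):
        if pkt.iface != "rl0":
            return pkt
        if pkt.dir == "out":
            return pkt._replace(src=OUTSIDE_IP, sport=self.alias_for(pkt.src, pkt.sport))
        if pkt.dst == OUTSIDE_IP and pkt.dport in self.inside:
            ip, port = self.inside[pkt.dport]
            return pkt._replace(dst=ip, dport=port)
        return pkt

def rule(action, arg=None, **match):
    return (action, arg, match)

def matches(pkt, match):  # only the options used by the thread's rules are modelled
    have = {"src": pkt.src, "dst": pkt.dst, "via": pkt.iface, "dir": pkt.dir,
            "recv": pkt.iface if pkt.dir == "in" else None,
            "xmit": pkt.iface if pkt.dir == "out" else None}
    return all(have[k] == v for k, v in match.items())

def build_ruleset(exclusions_first=True):
    """The ruleset at the top of the thread, in order; exclusions_first=False
    moves the four AP allow rules after the pipe rules to show why order matters."""
    divert = [rule("divert", "natd", via="rl0")]
    excl = ([rule("allow", dst=ip) for ip in EXCLUDED]
            + [rule("allow", src=ip) for ip in EXCLUDED])
    pipes = [rule("pipe", 1, dir="in", recv="rl1"), rule("pipe", 2, dir="out", xmit="rl1")]
    return divert + (excl + pipes if exclusions_first else pipes + excl)

def new_pipes():  # pipe 1: mask src-ip 0xffffffff; pipe 2: mask dst-ip 0xffffffff
    return {1: (0xFFFFFFFF, 0x0, {}), 2: (0x0, 0xFFFFFFFF, {})}

def walk(ruleset, pipes, natd, pkt, one_pass=False):
    """One ipfw pass: first matching terminal rule wins. divert hands the packet
    to natd and resumes at the next rule; with one_pass=0 a pipe rule does too."""
    for action, arg, match in ruleset:
        if not matches(pkt, match):
            continue
        if action == "divert":
            pkt = natd.translate(pkt)
        elif action == "allow":
            return "allow", pkt
        elif action == "pipe":
            smask, dmask, buckets = pipes[arg]
            key = (masked(pkt.src, smask), masked(pkt.dst, dmask))
            buckets[key] = buckets.get(key, 0) + 1
            if one_pass:
                return "allow", pkt
    # Assumption: the kernel's default rule accepts. The thread's rulesets end
    # without an explicit allow; a default-deny kernel would drop everything here.
    return "allow", pkt

def forward(ruleset, pipes, natd, pkt):
    """A forwarded packet meets ipfw twice: in on one interface, out on the other."""
    other = "rl1" if pkt.iface == "rl0" else "rl0"
    act, pkt = walk(ruleset, pipes, natd, pkt._replace(dir="in"))
    if act == "allow":
        act, pkt = walk(ruleset, pipes, natd, pkt._replace(iface=other, dir="out"))
    return act

def simulate(exclusions_first=True):
    """Each host sends one packet to REMOTE and gets one reply; returns
    {pipe number: {(masked src, masked dst): packet count}}."""
    ruleset, pipes, natd = build_ruleset(exclusions_first), new_pipes(), Natd()
    for host, port in HOSTS:
        forward(ruleset, pipes, natd, Packet(host, REMOTE, port, 80, "rl1", "in"))
        alias = natd.alias_for(host, port)  # the port natd chose for that flow
        forward(ruleset, pipes, natd, Packet(REMOTE, OUTSIDE_IP, 80, alias, "rl0", "in"))
    return {n: dict(b) for n, (_, _, b) in pipes.items()}

if __name__ == "__main__":
    for first in (True, False):
        print("AP allow rules", "before" if first else "after", "pipes:", simulate(first))
```

With the allow rules ahead of the pipes, 10.0.0.23 and 10.0.1.77 each get their own bucket in each pipe and 10.0.0.5 appears in neither. The inbound key is the inside address because the divert rule runs before the pipe rule, and the field the mask does not cover keys as 0.0.0.0, which is why `ipfw pipe show` lists it as 0.0.0.0/0. With the allow rules moved after the pipes the AP is shaped anyway: under one_pass=0 the pipe rule fires before the allow rule is reached, so the exclusion only works as an earlier, first-match rule. Two caveats for a real ruleset: a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT ends in deny, so append a final allow rule; and a bare `allow ip from any to 10.0.0.5` also lets that traffic skip every filtering rule placed after it, so keep any real filtering ahead of the exclusions.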