ipfw, dummynet and a large subnet to shape

Ben Pfountz netprince at vt.edu
Mon Jun 16 10:25:09 PDT 2003


It looks like it should work, but you should always try it.  I have almost
never written a firewall ruleset that worked the way I expected it to work
on the first try.  You should take a laptop and become a wireless client,
then try to download something with a reliably high download rate.  Then you
should go to one of your client machines on the LAN and try to download
something as well.  You could even reduce the bandwidth rate just for
testing, for example 56Kbit/s.  This would help to prove whether or not the
pipes are working.

Ben

----- Original Message ----- 
From: "Sean Hafeez" <sahafeez at edgefocus.com>
Cc: <freebsd-ipfw at freebsd.org>
Sent: Monday, June 16, 2003 1:15 PM
Subject: Re: ipfw, dummynet and a large subnet to shape


> Damn. I just had a brain fart. I have nodes (wireless APs) on this
> network that I do not want limited. So based on the 1st matching rule,
> if I:
>
> ipfw -f flush
> /sbin/natd -interface rl0
> ipfw add divert natd all from any to any via rl0
> ipfw add allow ip from any to 10.0.0.5
> ipfw add allow ip from any to 10.0.0.6
> ipfw add allow ip from 10.0.0.5 to any
> ipfw add allow ip from 10.0.0.6 to any
> ipfw add pipe 1 ip from any to any in recv rl1
> ipfw add pipe 2 ip from any to any out xmit rl1
> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>
> Will it work? I want to exclude a range or a single IP from the pipe and
> shape everything that is not excluded.
>
>
>
>
> Ben Pfountz wrote:
> > My guess here, but...
> >
> > It has to do with you using the src-ip and dst-ip in creating a mask for
> > each pipe.  When using src-ip as a mask, the dst-ip doesn't matter and
> > therefore shows as 0.0.0.0/0.
> >
> > A lot of the knowledge I have gained from dummynet came from trial and error.
> > I have not really written any of it down in a paper format, though I should.
> >
> > Ben
> >
> >
> > ----- Original Message ----- 
> > From: "Sean Hafeez" <sahafeez at edgefocus.com>
> > To: "Ben Pfountz" <netprince at vt.edu>
> > Cc: <freebsd-ipfw at freebsd.org>
> > Sent: Monday, June 16, 2003 12:23 PM
> > Subject: Re: ipfw, dummynet and a large subnet to shape
> >
> >
> >
> >>Thanks. Just did that. I will see how it goes. I have one question:
> >>
> >>ipfw pipe show
> >>
> >>0001:   1.024 Mbit/s    0 ms   50 sl. 29 queues (256 buckets) droptail
> >>     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
> >>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> >>  32 ip       10.0.128.16/0             0.0.0.0/0       14      924  0    0   0
> >>  64 ip       10.0.128.32/0             0.0.0.0/0        1       70  0    0   0
> >>00002:   1.024 Mbit/s    0 ms   50 sl. 23 queues (256 buckets) droptail
> >>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> >>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> >>  17 ip           0.0.0.0/0         10.0.128.16/0        7      658  0    0   0
> >>  33 ip           0.0.0.0/0         10.0.128.32/0        1      147  0    0   0
> >>  35 ip           0.0.0.0/0         10.0.128.34/0        1      147  0    0   0
> >>
> >>
> >>Sorry if it is hard to read - I just want to know why the IPs show up
> >>as 0.0.0.0/0 and whether it matters.
> >>
> >>Are there any better docs on dummynet? The man page is not the best. I
> >>would be interested in seeing any work that anyone has done. Google does
> >>not really have a lot of good stuff.
> >>
> >>
> >>
> >>Thanks!
> >>
> >>
> >>
> >>
> >>Ben Pfountz wrote:
> >>
> >>>You probably want something more like this:
> >>>
> >>>ipfw -f flush
> >>>/sbin/natd -interface rl0
> >>>ipfw add divert natd all from any to any via rl0
> >>>ipfw add pipe 1 ip from any to any in recv rl1
> >>>ipfw add pipe 2 ip from any to any out xmit rl1
> >>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> >>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> >>>
> >>>Remember that incoming packets are destined for your outside interface until
> >>>the firewall diverts the packets to natd.  For this reason, your pipe for
> >>>packets coming in on rl0 would have always had a dst-ip of your outside
> >>>interface.
> >>>
> >>>Hope this helps.
> >>>
> >>>Ben
> >>>
> >>>
> >>>----- Original Message ----- 
> >>>From: "Sean Hafeez" <sahafeez at edgefocus.com>
> >>>To: <freebsd-ipfw at freebsd.org>
> >>>Sent: Monday, June 16, 2003 11:22 AM
> >>>Subject: ipfw, dummynet and a large subnet to shape
> >>>
> >>>
> >>>
> >>>
> >>>>I have been reading through all the links on Google and the man pages and
> >>>>facts and have come to realize that the information is quite - not
> >>>>right.
> >>>>
> >>>>Here is what I need to do:
> >>>>
> >>>>I have a network - 10.0.0.0/22 - that is NAT'd. The external interface
> >>>>is rl0 and the internal is rl1. I want everyone shaped to 1024kbits/s.
> >>>>When I say everyone I mean each unique user (i.e., 10.0.0.23 or
> >>>>10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
> >>>>and up.
> >>>>
> >>>>Here is what I've got.
> >>>>
> >>>>ipfw -f flush
> >>>>/sbin/natd -interface rl0
> >>>>ipfw add 999 divert natd all from any to any via rl0
> >>>>ipfw add pipe 1 ip from any to any in via rl1
> >>>>ipfw add pipe 2 ip from any to any in via rl0
> >>>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> >>>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> >>>>
> >>>>I have added:
> >>>>
> >>>>net.inet.ip.fw.one_pass=0
> >>>>net.inet.ip.dummynet.hash_size=256
> >>>>net.inet.ip.dummynet.max_chain_len=64
> >>>>
> >>>>to sysctl.conf.
> >>>>
> >>>>It does not seem to be working right. Have I got this wrong?
> >>>>
> >>>>thanks!
> >>>>
> >>>>_______________________________________________
> >>>>freebsd-ipfw at freebsd.org mailing list
> >>>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> >>>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >
>
>
>
>
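
An added example, not part of the thread above: a small Python model of ipfw first-match evaluation and dummynet flow masks, used to walk the exclusion ruleset through both firewall passes (in on one interface, out on the other) before loading it on a real box. The outside address 203.0.113.2 and the remote peers 198.51.100.7 and 198.51.100.9 are assumed test data, and the NAT_INBOUND table is a constructed stand-in for natd's translation state (real natd keys on ports; the model ignores that). Only the ipfw subset the thread uses is modelled.

```python
"""Added example, not code from the thread: a model of ipfw first-match
evaluation plus dummynet flow masks, used to check the exclusion ruleset
before loading it.  Modelled ipfw subset: allow, pipe N, divert natd,
from/to, in/out, via/recv/xmit.  Addresses outside 10.0.0.0/22 are
constructed test data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXT_IP = "203.0.113.2"  # assumed address of the outside interface rl0
# Constructed natd state: which LAN host each remote peer's session belongs to.
# (Real natd keys translations on ports; the peer address is enough here.)
NAT_INBOUND = {"198.51.100.7": "10.0.128.16", "198.51.100.9": "10.0.0.5"}


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "in" (received on iface) or "out" (leaving via iface)
    iface: str


@dataclass
class Rule:
    number: int
    action: str                      # "allow", "divert natd", "pipe 1", ...
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # "in", "out", or None for either (via)
    iface: Optional[str] = None      # interface for via/recv/xmit, or None


# The exclusion ruleset from the thread.  ipfw numbers unnumbered rules
# 100, 200, ... in the order they are added, and that order is what matters.
RULES = [
    Rule(100, "divert natd", iface="rl0"),
    Rule(200, "allow", dst="10.0.0.5"),
    Rule(300, "allow", dst="10.0.0.6"),
    Rule(400, "allow", src="10.0.0.5"),
    Rule(500, "allow", src="10.0.0.6"),
    Rule(600, "pipe 1", direction="in", iface="rl1"),   # in recv rl1
    Rule(700, "pipe 2", direction="out", iface="rl1"),  # out xmit rl1
]
PIPES = {"pipe 1": {"src-ip": 0xFFFFFFFF}, "pipe 2": {"dst-ip": 0xFFFFFFFF}}


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def flow_key(pkt: Packet, mask: dict) -> tuple:
    """Apply a dummynet 'mask' spec to get the per-flow queue key.  With
    'mask src-ip 0xffffffff' the destination is ANDed with 0, which is why
    'ipfw pipe show' prints 0.0.0.0/0 in that column: it is not an error."""
    s = int(ipaddress.ip_address(pkt.src)) & mask.get("src-ip", 0)
    d = int(ipaddress.ip_address(pkt.dst)) & mask.get("dst-ip", 0)
    return str(ipaddress.ip_address(s)), str(ipaddress.ip_address(d))


def evaluate(rules, pipes, pkt: Packet) -> tuple:
    """One pass through the firewall; the first matching rule wins.
    Returns (rule number, action, queue key or None)."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "divert natd":
            # natd rewrites the packet and re-injects it at the next rule.
            if pkt.direction == "in" and pkt.src in NAT_INBOUND:
                pkt.dst = NAT_INBOUND[pkt.src]   # inbound: de-NAT to LAN host
            elif pkt.direction == "out":
                pkt.src = EXT_IP                 # outbound: masquerade as rl0
            continue
        if rule.action.startswith("pipe"):
            return rule.number, rule.action, flow_key(pkt, pipes[rule.action])
        return rule.number, rule.action, None
    # Nothing matched: default rule 65535, which denies unless the kernel
    # was built with IPFIREWALL_DEFAULT_TO_ACCEPT (assumed here, so the
    # second pass is still evaluated).
    return 65535, "default", None


def trace(src: str, dst: str, in_iface: str, out_iface: str) -> tuple:
    """A forwarded packet passes the firewall twice: once coming in on
    in_iface and once going out on out_iface.  Return both verdicts."""
    pkt = Packet(src, dst, "in", in_iface)
    inbound = evaluate(RULES, PIPES, pkt)
    pkt.direction, pkt.iface = "out", out_iface
    outbound = evaluate(RULES, PIPES, pkt)
    return inbound, outbound


if __name__ == "__main__":
    cases = {
        "download to 10.0.128.16": ("198.51.100.7", EXT_IP, "rl0", "rl1"),
        "upload from 10.0.128.16": ("10.0.128.16", "198.51.100.7", "rl1", "rl0"),
        "upload from AP 10.0.0.5": ("10.0.0.5", "198.51.100.7", "rl1", "rl0"),
        "download to AP 10.0.0.5": ("198.51.100.9", EXT_IP, "rl0", "rl1"),
    }
    for name, args in cases.items():
        inb, outb = trace(*args)
        print(f"{name}: in={inb} out={outb}")
```

Running it shows the download to 10.0.128.16 reaching pipe 2 only on the outbound pass on rl1, with queue key (0.0.0.0, 10.0.128.16), which is exactly the 0.0.0.0/0 column in the ipfw pipe show output quoted above: the mask zeroes the half of the address pair the pipe does not key on, and the queue is still per destination host. Traffic to or from 10.0.0.5 hits an allow rule before either pipe rule on both passes, so the exclusion works purely by first match and the APs never enter a queue. One caveat the model makes visible: the ruleset has no terminal allow, so with net.inet.ip.fw.one_pass=0 a packet leaving a pipe, and any packet that matches nothing, falls to the default rule 65535, which denies unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT; appending `ipfw add allow ip from any to any` after the pipe rules removes that dependence on the kernel option. This only catches ordering mistakes; the download test with a real client is still the check that the pipes shape.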
