Using IPFW & DUMMYNET with an existing IPFILTER/IPNAT setup for QoS

J. Seth Henry jshamlet at comcast.net
Wed Aug 11 10:59:00 PDT 2004


Hello,
I have an existing FreeBSD based router/internet gateway system that is using 
ipfilter & ipnat. It performs quite well, and my wife would be mightily 
irritated if I screwed it up. :)

However, we have VoIP through Vonage, and a standard Comcast cable modem 
connection to the Internet. Most of the time, everything works well, but when 
I upload large files to the office via FTP, the sound gets choppy - to the 
point where we end up having to use our cell phones.

So, I would like to set up IPFW & DUMMYNET to provide a basic QoS service.

All I really need to do is reserve sufficient bandwidth for, or give highest 
priority to, the ATA - followed by ssh. I believe it needs at least 128kbps 
in each direction for adequate sound quality. I merely want to give ssh 
traffic a higher priority over everything else (or reserve bandwidth for it), so 
that I can still get into my systems even when an ftp session is running.

First, a bit about my (fairly simple) network:

<CM>--< external IF: fxp0    ROUTER internal IF: xl0 >---< SWITCH >

The switch has its own management port, 2 SmartUPS with management cards, a 
Cisco ATA, and 5 PC's.

To simplify management of IP addresses, I use isc-dhcp for both obtaining the 
router WAN address (dhclient), and for distributing fixed addresses to all of 
the network hosts (dhcpd) (except for the switch and UPSes - which don't 
support DHCP correctly). I don't yet manage local DNS services, so I simply 
distribute a fixed hosts file. 

The router is also a stratum 2 time server for the network (all hosts that can, 
synchronize their clocks to the router rather than to an external time server) via 
ntpd. 

Eventually, I plan to run a local DNS server - but I haven't gotten around to 
it yet. I would like to run my own to support my local naming scheme, without 
passing any information back up the tree, as well as caching DNS information 
should Comcast have a DNS problem. This, however, is a task for another day.

So, we have:

<ipf.rules>
#################################################################
# Outside Interface
#################################################################

pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep frags keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep frags keep state
pass in quick on fxp0 proto tcp from any to any port = 23 flags S keep frags keep state
pass in quick on fxp0 proto udp from any to any port = 68 keep state
pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep frags keep state

pass out quick on fxp0 proto tcp from any to any flags S keep frags keep state
pass out quick on fxp0 proto udp from any to any keep state keep frags
pass out quick on fxp0 proto icmp from any to any keep state

block out quick on fxp0 all
block in log quick on fxp0 all

#################################################################
# Inside Interface
#################################################################
pass in quick on xl0 all
pass out quick on xl0 all

#################################################################
# Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

<ipnat.rules>
map fxp0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
rdr fxp0 0.0.0.0/0 port 21 -> 192.168.1.2 port 21 tcp
rdr fxp0 0.0.0.0/0 port 22 -> 192.168.1.2 port 22 tcp
#below is a irc identd port forwarding example
#rdr fxp0 0.0.0.0/0 port 113 -> 192.168.1.5 port 113 tcp
map fxp0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.1.254/24 -> 0/32

<dhcpd.conf>
# dhcpd.conf

# option definitions common to all supported networks...
option domain-name "gambrl01.md.comcast.net";
option domain-name-servers 68.48.0.6, 68.48.0.12;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-update-style ad-hoc;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# Local systems are defined here, and use DHCP as a convenience

host alexandria {
  hardware ethernet 00:30:48:21:8b:8a;
  fixed-address alexandria;
}

host switch {
  hardware ethernet 00:50:ba:ec:61:b3;
  fixed-address switch;
}

host net_ups {
  hardware ethernet 00:c0:b7:6a:00:dd;
  fixed-address net_ups;
}

host serv_ups {
  hardware ethernet 00:c0:b7:a3:a5:67;
  fixed-address serv_ups;
}

host vonage-ata {
  hardware ethernet 00:0d:29:0a:af:2e;
  fixed-address vonage-ata;
}

host office_pc {
  hardware ethernet 00:50:04:ae:90:16;
  fixed-address office_pc;
}

host den_pc {
  hardware ethernet 00:d0:b7:ab:cb:fd;
  fixed-address den_pc;
}

host bedroom_pc {
  hardware ethernet 00:e0:81:23:c2:fd;
  fixed-address bedroom_pc;
}

host spyglass {
  hardware ethernet 00:04:5a:95:47:aa;
  fixed-address spyglass;
}

# Guest IP space (for visiting laptops, temporary systems, etc)
subnet 192.168.1.0 netmask 255.255.255.0 {
    default-lease-time 432000;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
    option domain-name-servers 68.48.0.6, 68.48.0.12;
    option domain-name "gambrl01.md.comcast.net";
    option time-servers 192.168.1.1;
    range 192.168.1.20 192.168.1.35;
}

<rc.conf>
#Default overrides

#Firewall/router configuration
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
gateway_enable="YES"
ipmon_enable="NO"
ipmon_flags="-Dv -P /var/run/ipmon.pid /var/log/firewall.log"
#firewall_enable="YES"
#firewall_script="YES"
#firewall_type="open"
#firewall_logging="yes"

hostname="router.gambrl01.md.comcast.net"
defaultrouter="68.49.56.1"
dhcp_program="/usr/local/sbin/dhclient"
ifconfig_fxp0="DHCP"
ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
moused_type="auto"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"
xntpd_enable="YES"
xntpd_flags="-c /etc/ntp.conf -p /var/run/ntpd.pid"
xntpd_program="/usr/sbin/ntpd"
saver="NO"
inetd_enable="NO"
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="xl0"

At the moment, the kernel has been compiled for only IPFILTER/IPNAT support. I 
have a new kernel ready which has options for both IPFILTER & IPFW/DUMMYNET - 
but I haven't placed it in service just yet. I used these options:


<router kernel configuration (relevant sections) >
# IPFILTER/IPNAT options (routing & NAT)
options         IPFILTER                #ipfilter support
options         IPFILTER_LOG            #ipfilter logging
options         IPFILTER_DEFAULT_BLOCK  #block all packets by default
options         RANDOM_IP_ID
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
# IPFW/DUMMYNET options (QoS)
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         DUMMYNET
options         NMBCLUSTERS
options         HZ=1000

Is there a HOWTO on how to do this? Alternately, has someone done this - and 
could you share your setup info?

Specifically, I want to learn how to integrate the QoS components of 
IPFW/DUMMYNET into a working IPFILTER/IPNAT setup - I would prefer not to 
start over with IPFW if possible. I'm a little fuzzy on how to plumb all of 
these pipes, though.
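One way to plumb these pipes, as an added example that is not part of the original post or of any reply: ipfilter/ipnat keeps doing all filtering and NAT, and ipfw (built with IPFIREWALL_DEFAULT_TO_ACCEPT as in the kernel config above) only feeds packets into dummynet queues. The rules are attached to the inside interface xl0, where ipnat never rewrites addresses, so the ATA can be matched by its fixed private address. ATA_IP, UP_BW and DOWN_BW are placeholders, not values from the post.

```sh
#!/bin/sh
# Added example, not from the original post: ipfw/dummynet shaping beside an
# existing ipfilter/ipnat setup. ipfw queues only; ipfilter still filters/NATs.
# Placeholders (assumed, not in the post): ATA_IP, UP_BW, DOWN_BW.
IPFW=${IPFW:-/sbin/ipfw}          # IPFW=echo ./qos.sh apply  -> dry run
INSIDE=xl0
ATA_IP=${ATA_IP:-192.168.1.10}    # placeholder: the vonage-ata fixed address
UP_BW=${UP_BW:-256}               # Kbit/s, a little under the real upstream rate
DOWN_BW=${DOWN_BW:-3000}          # Kbit/s, a little under the real downstream rate

# Guaranteed share of a pipe for one WF2Q+ queue: bw * weight / sum(weights).
reserved_kbps() { echo $(( $1 * $2 / $3 )); }

qos_rules() {
    # One pipe per direction, sized just below the link so packets queue on
    # the router (where the weights apply) instead of inside the cable modem.
    echo "pipe 1 config bw ${UP_BW}Kbit/s"
    echo "pipe 2 config bw ${DOWN_BW}Kbit/s"
    # Three queues per pipe. Weights only matter under contention; an idle
    # queue's share is handed to the others, so nothing is wasted.
    for p in 1 2; do
        q=$(( (p - 1) * 3 ))
        echo "queue $(( q + 1 )) config pipe $p weight 60"   # voice (ATA)
        echo "queue $(( q + 2 )) config pipe $p weight 30"   # ssh
        echo "queue $(( q + 3 )) config pipe $p weight 10"   # everything else
    done
    # Upstream = packets entering xl0 from the LAN; downstream = leaving xl0.
    echo "add 100 queue 1 ip from $ATA_IP to any in via $INSIDE"
    echo "add 110 queue 4 ip from any to $ATA_IP out via $INSIDE"
    echo "add 200 queue 2 tcp from any to any 22 in via $INSIDE"
    echo "add 210 queue 2 tcp from any 22 to any in via $INSIDE"
    echo "add 220 queue 5 tcp from any to any 22 out via $INSIDE"
    echo "add 230 queue 5 tcp from any 22 to any out via $INSIDE"
    echo "add 300 queue 3 ip from any to any in via $INSIDE"
    echo "add 310 queue 6 ip from any to any out via $INSIDE"
}

apply_qos() {
    # one_pass=1 (the default): a packet leaving its queue is accepted rather
    # than re-matched against the rules that follow.
    sysctl net.inet.ip.fw.one_pass=1
    $IPFW -f flush; $IPFW -f pipe flush; $IPFW -f queue flush
    qos_rules | while read -r rule; do $IPFW $rule; done
}

# Refuse to install a set that cannot give the ATA its 128 Kbit/s upstream.
if [ "$(reserved_kbps "$UP_BW" 60 100)" -lt 128 ]; then
    echo "UP_BW=$UP_BW too small for a 128 Kbit/s voice reservation" >&2
elif [ "${1:-}" = "apply" ]; then
    apply_qos
fi
```

Run it with `apply` after the IPFW/DUMMYNET kernel is in service; with the weights above and UP_BW=256 the ATA is guaranteed 153 Kbit/s upstream under full load and can use the whole pipe when ssh and ftp are idle.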

Thanks,
Seth Henry
