Using IPFW & DUMMYNET with an existing IPFILTER/IPNAT setup for QoS
J. Seth Henry
jshamlet at comcast.net
Wed Aug 11 10:59:00 PDT 2004
Hello,
I have an existing FreeBSD based router/internet gateway system that is using
ipfilter & ipnat. It performs quite well, and my wife would be mightily
irritated if I screwed it up. :)
However, we have VoIP through Vonage, and a standard Comcast cable modem
connection to the Internet. Most of the time, everything works well, but when
I upload large files to the office via FTP, the sound gets choppy - to the
point where we end up having to use our cell phones.
So, I would like to set up IPFW & DUMMYNET to provide a basic QoS service.
All I really need to do is reserve sufficient bandwidth for, or give highest
priority to, the ATA - followed by ssh. I believe it needs at least 128kbps
in each direction for adequate sound quality. I merely want to give ssh
traffic a higher priority (or reserve bandwidth for) over everything else, so
that I can still get into my systems even when an ftp session is running.
First, a bit about my (fairly simple) network:
<CM>--< external IF: fxp0 ROUTER internal IF: xl0 >---< SWITCH >
The switch has its own management port, 2 SmartUPS with management cards, a
Cisco ATA, and 5 PC's.
To simplify management of IP addresses, I use isc-dhcp for both obtaining the
router WAN address (dhclient), and for distributing fixed addresses to all of
the network hosts (dhcpd) (except for the switch and UPS' - which don't
support DHCP correctly). I don't yet manage local DNS services, so I simply
distribute a fixed hosts file.
The router is also a stratum 2 time server for the network (all hosts that can
synchronize their clocks to the router, not an external time server) via
ntpd.
Eventually, I plan to run a local DNS server - but I haven't gotten around to
it yet. I would like to run my own to support my local naming scheme, without
passing any information back up the tree, as well as caching DNS information
should Comcast have a DNS problem. This, however, is a task for another day.
So, we have:
<ipf.rules>
#################################################################
# Outside Interface
#################################################################
pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep frags keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep frags keep state
pass in quick on fxp0 proto tcp from any to any port = 23 flags S keep frags keep state
pass in quick on fxp0 proto udp from any to any port = 68 keep state
pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep frags keep state
pass out quick on fxp0 proto tcp from any to any flags S keep frags keep state
pass out quick on fxp0 proto udp from any to any keep state keep frags
pass out quick on fxp0 proto icmp from any to any keep state
block out quick on fxp0 all
block in log quick on fxp0 all
#################################################################
# Inside Interface
#################################################################
pass in quick on xl0 all
pass out quick on xl0 all
#################################################################
# Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all
<ipnat.rules>
map fxp0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
rdr fxp0 0.0.0.0/0 port 21 -> 192.168.1.2 port 21 tcp
rdr fxp0 0.0.0.0/0 port 22 -> 192.168.1.2 port 22 tcp
#below is a irc identd port forwarding example
#rdr fxp0 0.0.0.0/0 port 113 -> 192.168.1.5 port 113 tcp
map fxp0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.1.254/24 -> 0/32
<dhcpd.conf>
# dhcpd.conf
# option definitions common to all supported networks...
option domain-name "gambrl01.md.comcast.net";
option domain-name-servers 68.48.0.6, 68.48.0.12;
default-lease-time 600;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-update-style ad-hoc;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# Local systems are defined here, and use DHCP as a convenience
host alexandria {
hardware ethernet 00:30:48:21:8b:8a;
fixed-address alexandria;
}
host switch {
hardware ethernet 00:50:ba:ec:61:b3;
fixed-address switch;
}
host net_ups {
hardware ethernet 00:c0:b7:6a:00:dd;
fixed-address net_ups;
}
host serv_ups {
hardware ethernet 00:c0:b7:a3:a5:67;
fixed-address serv_ups;
}
host vonage-ata {
hardware ethernet 00:0d:29:0a:af:2e;
fixed-address vonage-ata;
}
host office_pc {
hardware ethernet 00:50:04:ae:90:16;
fixed-address office_pc;
}
host den_pc {
hardware ethernet 00:d0:b7:ab:cb:fd;
fixed-address den_pc;
}
host bedroom_pc {
hardware ethernet 00:e0:81:23:c2:fd;
fixed-address bedroom_pc;
}
host spyglass {
hardware ethernet 00:04:5a:95:47:aa;
fixed-address spyglass;
}
# Guest IP space (for visiting laptops, temporary systems, etc)
subnet 192.168.1.0 netmask 255.255.255.0 {
default-lease-time 432000;
max-lease-time 518400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 68.48.0.6, 68.48.0.12;
option domain-name "gambrl01.md.comcast.net";
option time-servers 192.168.1.1;
range 192.168.1.20 192.168.1.35;
}
<rc.conf>
#Default overrides
#Firewall/router configuration
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
gateway_enable="YES"
ipmon_enable="NO"
ipmon_flags="-Dv -P /var/run/ipmon.pid /var/log/firewall.log"
#firewall_enable="YES"
#firewall_script="YES"
#firewall_type="open"
#firewall_logging="yes"
hostname="router.gambrl01.md.comcast.net"
defaultrouter="68.49.56.1"
dhcp_program="/usr/local/sbin/dhclient"
ifconfig_fxp0="DHCP"
ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
moused_type="auto"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"
xntpd_enable="YES"
xntpd_flags="-c /etc/ntp.conf -p /var/run/ntpd.pid"
xntpd_program="/usr/sbin/ntpd"
saver="NO"
inetd_enable="NO"
dhcpd_enable=YES
dhcpd_conf=/usr/local/etc/dhcpd.conf
dhcpd_ifaces="xl0"
At the moment, the kernel has been compiled for only IPFILTER/IPNAT support. I
have a new kernel ready which has options for both IPFILTER & IPFW/DUMMYNET -
but I haven't placed it in service just yet. I used these options:
<router kernel configuration (relevant sections) >
# IPFILTER/IPNAT options (routing & NAT)
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_DEFAULT_BLOCK #block all packets by default
options RANDOM_IP_ID
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
# IPFW/DUMMYNET options (QoS)
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options NMBCLUSTERS
options HZ=1000
Is there a HOWTO on how to do this? Alternately, has someone done this - and
could you share your setup info?
Specifically, I want to learn how to integrate the QoS components of
IPFW/DUMMYNET into a working IPFILTER/IPNAT setup - I would prefer not to
start over with IPFW if possible. I'm a little fuzzy on how to plumb all of
these pipes, though.
Thanks,
Seth Henry
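The plumbing asked about above, as an added example that is not part of Seth's post or his configuration: an ipfw/dummynet script that classifies traffic on the LAN interface, so the rules work regardless of where in the path ipnat rewrites addresses. The interface names and LAN range come from the post; the ATA address 192.168.1.10, the link rates and the queue weights are placeholders to replace with measured values.

```shell
#!/bin/sh
# Added example (not the poster's configuration): ipfw/dummynet QoS alongside
# ipfilter/ipnat. Placeholders: ATA at 192.168.1.10, uplink ~256 kbit/s,
# downlink ~3000 kbit/s. Interfaces and LAN range are taken from the post.
ipfw="${IPFW:-/sbin/ipfw}"
lan_if="xl0"
lan_net="192.168.1.0/24"
ata="192.168.1.10"
up_bw="240Kbit/s"    # set a little below the measured uplink so the queue
down_bw="2800Kbit/s" # builds in dummynet rather than in the cable modem
ssh_port=22

# Classify on the LAN side so the rules are independent of ipnat: upstream
# packets "in recv xl0" still carry the private source address, and
# downstream packets "out xmit xl0" have already been un-translated.
apply_qos() {
    $ipfw -f -q flush
    $ipfw -f -q pipe flush
    $ipfw -f -q queue flush

    # Pipe 1 shapes upstream; pipe 2 downstream (weaker, since the ISP's
    # queue sits ahead of us, but it still orders what we do control).
    $ipfw pipe 1 config bw "$up_bw" queue 10
    $ipfw pipe 2 config bw "$down_bw" queue 30

    # WF2Q+ queues: weights only matter under contention, idle classes yield
    # their share. Voice gets most, ssh a guaranteed slice, bulk the rest,
    # with per-flow fairness inside bulk so one FTP cannot starve another.
    $ipfw queue 1 config pipe 1 weight 90
    $ipfw queue 2 config pipe 1 weight 8
    $ipfw queue 3 config pipe 1 weight 2 mask dst-ip 0xffffffff dst-port 0xffff
    $ipfw queue 11 config pipe 2 weight 90
    $ipfw queue 12 config pipe 2 weight 10 mask src-ip 0xffffffff

    # Upstream: LAN -> Internet only; traffic to the router itself is excluded.
    $ipfw add 100 queue 1 ip from "$ata" to not "$lan_net" in recv "$lan_if"
    $ipfw add 110 queue 2 tcp from "$lan_net" to not "$lan_net" "$ssh_port" in recv "$lan_if"
    $ipfw add 120 queue 3 ip from "$lan_net" to not "$lan_net" in recv "$lan_if"
    # Downstream: Internet -> LAN only; the router's own replies are excluded.
    $ipfw add 200 queue 11 ip from not "$lan_net" to "$ata" out xmit "$lan_if"
    $ipfw add 210 queue 12 ip from not "$lan_net" to "$lan_net" out xmit "$lan_if"
    # Everything else falls through to IPFIREWALL_DEFAULT_TO_ACCEPT.
}

# Only touch the live ruleset when ipfw exists and we are root.
if [ -x "$ipfw" ] && [ "$(id -u)" = 0 ]; then
    apply_qos
fi
```

Run it after ipfilter/ipnat are loaded; setting IPFW=echo prints the generated rules for review without touching the kernel.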