best solution (and also simple) to guarantee a bandwidth (Was: Welcome to the "freebsd-isp" mailing list)

Carlos Alloatti calloatti at gmail.com
Mon May 23 15:15:55 PDT 2005


On 5/23/05, ovidiue at unixware.ro <ovidiue at unixware.ro> wrote:
> Citat Carlos Alloatti <calloatti at gmail.com>:
> 
> > I have just done that, I set up FreeBSD with 2 network cards, bridge,
> > ipfw and dummynet. It works without a glitch, has been up for 20 days.
> >
> > You have to set up pipes and queues in ipfw rules
> >
> 
> How many users do you have? Can you send me the config files?
> 

rl0 connects to the Internet, rl1 connects to the LAN

/etc/rc.conf

hostname="bridge.local"
network_interfaces="rl0 rl1 lo0"
ifconfig_rl1="inet xxx.xxx.xxx.xxx netmask 255.255.255.0"
defaultrouter="xxx.xxx.xxx.1"
#required for ipfw support
firewall_enable="YES"
firewall_type="/etc/rc.firewall.rules"
firewall_quiet="NO"
firewall_logging="YES"

/etc/resolv.conf

domain local
nameserver xxx.xxx.xxx.xxx
nameserver yyy.yyy.yyy.yyy

/etc/hosts
127.0.0.1 localhost.local localhost
xxx.xxx.xxx.xxx bridge.local bridge

/etc/sysctl.conf

net.link.ether.bridge.config=rl0:1,rl1:1
net.link.ether.bridge.enable=1

# Controls whether bridged packets are passed to ipfw
net.link.ether.bridge.ipfw=1

# Delta between rule numbers when auto-generating them
net.inet.ip.fw.autoinc_step=10

# Bridged packets are accepted after their first pass through the firewall
# regardless of the net.inet.ip.fw.one_pass setting below
net.inet.ip.fw.one_pass=1

# Lazily delete dynamic pipes/queues once they have no pending traffic
net.inet.ip.dummynet.expire=1

kern.polling.enable=1

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

# The blackhole sysctl(8) MIB is used to control system behaviour when
# connection requests are received on TCP or UDP ports where there is no
# socket listening.

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1


# /etc/rc.firewall.rules

# UPload pipe
pipe 1 config bw 128Kbits/s queue 10 gred 0.002/5/15/0.10

# DNload pipe
pipe 2 config bw 320Kbits/s queue 15 gred 0.002/5/15/0.10

# 64Kbits pipe
pipe 3 config bw 64Kbits/s queue 5 gred 0.002/5/15/0.10

# *** queues ***
# Upload queues pipe 1
queue 01101 config weight 50 buckets 128 pipe 1 mask src-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 01102 config weight 30 buckets 128 pipe 1 mask src-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 01103 config weight 15 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 01104 config weight 04 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 01199 config weight 01 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10

# Download queues pipe 2
queue 02201 config weight 40 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 02202 config weight 35 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 02203 config weight 20 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 02299 config weight 05 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10

# 64Kbits queues pipe 3
queue 03101 config weight 10 buckets 128 pipe 3 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 03201 config weight 90 buckets 128 pipe 3 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10

# *** firewall ***
# loopback
add 01000 pass all from any to any via lo0
add 01010 deny all from any to 127.0.0.0/8
add 01020 deny ip from 127.0.0.0/8 to any

# Disabled IP addresses
#add 00011 deny ip from xxx.xxx.xxx.xxx to any

# Deny ip inbound traffic from non-routable reserved address spaces
add 02000 deny ip from 192.168.0.0/16 to any // RFC 1918 private IP
add 02010 deny ip from 172.16.0.0/12 to any // RFC 1918 private IP
add 02020 deny ip from 10.0.0.0/8 to any // RFC 1918 private IP
add 02030 deny ip from 0.0.0.0/8 to any // loopback
add 02040 deny ip from 169.254.0.0/16 to any // DHCP auto-config
add 02050 deny ip from 192.0.2.0/24 to any // reserved for docs
add 02060 deny ip from 204.152.64.0/23 to any // Sun cluster interconnect
add 02070 deny ip from 224.0.0.0/3 to any // Class D & E multicast

add 02200 deny ip from any to 192.168.0.0/16 // RFC 1918 private IP
add 02210 deny ip from any to 172.16.0.0/12 // RFC 1918 private IP
add 02220 deny ip from any to 10.0.0.0/8 // RFC 1918 private IP
add 02230 deny ip from any to 0.0.0.0/8 // loopback
add 02240 deny ip from any to 169.254.0.0/16 // DHCP auto-config
add 02250 deny ip from any to 192.0.2.0/24 // reserved for docs
add 02260 deny ip from any to 204.152.64.0/23 // Sun cluster interconnect
add 02270 deny ip from any to 224.0.0.0/3 // Class D & E multicast

add 03000 deny icmp from any to me icmptypes 8 in via rl0 // deny pings from outside to bridge
add 03010 deny ip from any to me dst-port 22 in via rl0 // deny SSH from outside to bridge
add 03020 deny ip from any to me dst-port 113 in via rl0 // deny ident from outside to bridge
add 03030 deny ip from any to me dst-port 10000 in via rl0 // deny webmin from outside to bridge

add 03200 deny ip from any to any frag in // Deny any late arriving packets

add 04000 deny ip from any to any dst-port 67 // Bootstrap Protocol Server (DHCP)
add 04010 deny ip from any to any dst-port 68 // Bootstrap Protocol Server (DHCP)
add 04020 deny ip from any to any dst-port 42 // Host Name Server (Wins) MS/Windows
add 04030 deny ip from any to any dst-port 135 // DCOM Service Control Manager MS/Windows
add 04040 deny ip from any to any dst-port 137 // NetBIOS Name Service MS/Windows
add 04050 deny ip from any to any dst-port 138 // NetBIOS Datagram Service MS/Windows
add 04060 deny ip from any to any dst-port 139 // NETBIOS Session Service MS/Windows
add 04070 deny ip from any to any dst-port 445 // Microsoft Directory Services MS/Windows

add 04200 deny ip from any to any src-port 67 // Bootstrap Protocol Server (DHCP)
add 04210 deny ip from any to any src-port 68 // Bootstrap Protocol Server (DHCP)
add 04220 deny ip from any to any src-port 42 // Host Name Server (Wins) MS/Windows
add 04230 deny ip from any to any src-port 135 // DCOM Service Control Manager MS/Windows
add 04240 deny ip from any to any src-port 137 // NetBIOS Name Service MS/Windows
add 04250 deny ip from any to any src-port 138 // NetBIOS Datagram Service MS/Windows
add 04260 deny ip from any to any src-port 139 // NETBIOS Session Service MS/Windows
add 04270 deny ip from any to any src-port 445 // Microsoft Directory Services MS/Windows

# *** Traffic shaping ****
add 05100 pass ip from me 22 to any // do not enqueue traffic from bridge ssh
add 05110 pass ip from any to me 22 // do not enqueue traffic to bridge ssh

# 64Kbits
add queue 03101 ip from 200.43.89.19 to any in via rl1 // Roura
add queue 03201 ip from any to 200.43.89.19 in via rl0

add queue 03101 ip from 200.43.89.33 to any in via rl1 // Diblasio
add queue 03201 ip from any to 200.43.89.33 in via rl0

# P2P
add 10000 queue 02299 tcp from any to any src-port 6881-6999 in via rl0 // P2P BitTorrent
add queue 02299 tcp from any to any dst-port 6881-6999 in via rl0 // P2P BitTorrent
add queue 01199 tcp from any to any src-port 6881-6999 in via rl1 // P2P BitTorrent
add queue 01199 tcp from any to any dst-port 6881-6999 in via rl1 // P2P BitTorrent

add queue 02299 ip from any to any src-port 412 in via rl0 // P2P DirectConnect
add queue 01199 ip from any to any src-port 412 in via rl1 // Hated_P2P DirectConnect

add queue 02299 ip from any to any src-port 1044-1045 in via rl0 // P2P DirectFileExpress
add queue 01199 ip from any to any src-port 1044-1045 in via rl1 // P2P DirectFileExpress

add queue 02299 ip from any to any src-port 1214 in via rl0 // P2P FastTrack (Kazaa)
add queue 01199 ip from any to any src-port 1214 in via rl1 // P2P FastTrack (Kazaa)

add queue 02299 ip from any to any src-port 2340 in via rl0 // P2P CuteMX
add queue 01199 ip from any to any src-port 2340 in via rl1 // P2P CuteMX

add queue 02299 ip from any to any src-port 4329 in via rl0 // P2P iMest
add queue 01199 ip from any to any src-port 4329 in via rl1 // P2P iMest

add queue 02299 ip from any to any src-port 4661-4665 in via rl0 // P2P EDonkey2000
add queue 01199 ip from any to any src-port 4661-4665 in via rl1 // P2P EDonkey2000
add queue 02299 ip from any to any src-port 4672 in via rl0 // P2P Edonkey2000 (get more info on this)
add queue 01199 ip from any to any src-port 4672 in via rl1 // P2P Edonkey2000 (get more info on this)

add queue 02299 ip from any to any src-port 5190 in via rl0 // P2P SongSpy
add queue 01199 ip from any to any src-port 5190 in via rl1 // P2P SongSpy

add queue 02299 ip from any to any src-port 5500-5503 in via rl0 // P2P HotlineConnect
add queue 01199 ip from any to any src-port 5500-5503 in via rl1 // P2P HotlineConnect

add queue 02299 ip from any to any src-port 6346 in via rl0 // P2P Gnutella
add queue 01199 ip from any to any src-port 6346 in via rl1 // P2P Gnutella

add queue 02299 ip from any 6666-6668 to any in via rl0 // P2P dcc
add queue 01199 ip from any 6666-6668 to any in via rl1 // P2P dcc

add queue 02299 ip from any to any src-port 6699-6701 in via rl0 // P2P Napster
add queue 01199 ip from any to any src-port 6699-6701 in via rl1 // P2P Napster

add queue 02299 ip from any to any src-port 7668 in via rl0 // P2P Aimster
add queue 01199 ip from any to any src-port 7668 in via rl1 // P2P Aimster

add queue 02299 ip from any to any src-port 7788 in via rl0 // P2P BuddyShare
add queue 01199 ip from any to any src-port 7788 in via rl1 // P2P BuddyShare

add queue 02299 ip from any to any src-port 8311 in via rl0 // P2P Scour
add queue 01199 ip from any to any src-port 8311 in via rl1 // P2P Scour

add queue 02299 ip from any to any src-port 8888-8889 in via rl0 // P2P OpenNap
add queue 01199 ip from any to any src-port 8888-8889 in via rl1 // P2P OpenNap

add queue 02299 ip from any to any src-port 28864-28865 in via rl0 // P2P hotComm
add queue 01199 ip from any to any src-port 28864-28865 in via rl1 // P2P hotComm

# Uploads
add 11000 queue 01103 tcp from any to any iplen 0-80 tcpflags ack in via rl1 // ack
add queue 01101 ip from any to any iplen 0-100 in via rl1 // small packet
add queue 01101 udp from any to any dst-port 53 in via rl1 // DNS query
add queue 01101 ah from any to any in via rl1 // ah authentication header
add queue 01101 esp from any to any in via rl1 // esp encapsulating security payload
add queue 01101 gre from any to any in via rl1 // gre Generic Routing Encapsulation
add queue 01101 udp from any to any dst-port 27960 in via rl1 // Enemy Territory
add queue 01102 icmp from any to any in via rl1 // icmp internet control message protocol
add queue 01104 ip from any to any in via rl1 // Uploads catches rest

# Downloads
add 12000 queue 02201 icmp from any to any in via rl0 // icmp internet control message protocol
add queue 02201 ip from any to any iplen 0-100 in via rl0 // small packet
add queue 02201 udp from any to any src-port 53 in via rl0 // DNS query
add queue 02201 ah from any to any in via rl0 // ah authentication header
add queue 02201 esp from any to any in via rl0 // esp encapsulating security payload
add queue 02201 gre from any to any in via rl0 // gre Generic Routing Encapsulation
add queue 02201 udp from any to any src-port 27960 in via rl0 // Enemy Territory
add queue 02202 tcp from any to any src-port 554 in via rl0 // Real Audio stream
add queue 02202 tcp from any to any src-port 1755 in via rl0 // Windows Media Audio stream
add queue 02203 ip from any to any in via rl0 // Downloads catches rest

# eof rc.firewall.rules



# Keep the custom kernel config under /root/kernels, starting from a copy of GENERIC.
mkdir /root/kernels
cp /usr/src/sys/i386/conf/GENERIC /root/kernels/BRIDGE 
# Link the copy back into the conf directory so the kernel build can find it by name.
# ln -s is run from inside conf/ with a single operand, so the link is named BRIDGE.
cd /usr/src/sys/i386/conf
ln -s /root/kernels/BRIDGE
# Edit the copy (ee is the FreeBSD easy editor); the options to set are listed below.
ee /root/kernels/BRIDGE

ident       BRIDGE
#options INET6 # IPv6 communications protocols
#device gif # IPv6 and IPv4 tunneling # wbridge
#device faith # IPv6-to-IPv4 relaying (translation)
#device plip # TCP/IP over parallel
options     IPFIREWALL
options     IPFIREWALL_DEFAULT_TO_ACCEPT
options     IPFIREWALL_FORWARD
options     IPDIVERT
options     IPSTEALTH

options     IPFIREWALL_VERBOSE
options     IPFIREWALL_VERBOSE_LIMIT=5

options     DUMMYNET
options     BRIDGE

options     HZ=1000

# Optional
options     NMBCLUSTERS=4096

# Optional
options     DEVICE_POLLING

Save the file.

# Build and install the kernel from the BRIDGE config (KERNCONF selects the config file above).
cd /usr/src
make buildkernel KERNCONF=BRIDGE
make installkernel KERNCONF=BRIDGE

Read the Handbook, and everything else you can find:

http://www.freebsd.org/cgi/man.cgi?query=bridge&sektion=4

http://www.freebsd.org/cgi/man.cgi?query=netintro&sektion=4&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports

http://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports

http://info.iet.unipi.it/~luigi/polling/

http://www.freebsd.org/cgi/man.cgi?query=polling&sektion=4&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/article.html

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

Well, I can't do more for you. I knew nothing about FreeBSD before I set
up this machine; I learned enough to do this in a week. You can do it
too.

-- 
Carlos Alloatti
calloatti_at_gmail.com

