Traffic shaping with ipfw/DUMMYNET when using natd

G-der gderama at gmail.com
Wed May 24 07:33:06 PDT 2006


I've been setting up ipfw and DUMMYNET to do some traffic shaping on my
network.  Right now to test things out I've basically put everything into two
categories.  There's traffic from 10.0.10.10 which is lower priority (this
is a download machine) and then there's everything else.

The biggest problem I've run into is that because natd gets the packets first
thing the only way to catch outgoing traffic is on the internal network
interface.  That is if you want to limit based on which internal machine is
generating the traffic like in my case.  After the divert rule for natd the
src-ip field gets changed to my external ip address.  This has a side effect
of limiting all the traffic on that internal interface, even stuff that is
not bound for the internet.

I've tried playing around a little bit with the bridged, diverted, and
diverted-output commands but can't get any of them to catch the packets.

Is there a way to limit outgoing traffic based on which machine owns the
traffic internally that doesn't have to be done on the internal interface?
Would it be better practice to scan outgoing traffic before the divert rules
for natd?

        # ${fwcmd} is the ipfw binary, as set in /etc/rc.firewall (fwcmd="/sbin/ipfw")
        extif="rl0"
        intif="rl1"

        #INCOMING TRAFFIC
        #Tested max incoming at 5914Kbit/s

        ${fwcmd} pipe 1 config bw 5800Kbit/s
        ${fwcmd} queue 1 config pipe 1 weight 2         #for torrent traffic
        ${fwcmd} queue 5 config pipe 1 weight 10        #for everything else

        ${fwcmd} add 1000 queue 1 ip from any to 10.0.10.10 in via ${extif}
        ${fwcmd} add 5000 queue 5 ip from any to any in via ${extif}

        #OUTGOING TRAFFIC
        #Tested max outgoing at 390Kbit/s

        ${fwcmd} pipe 2 config bw 360Kbit/s
        ${fwcmd} queue 6 config pipe 2 weight 2         #for torrent traffic
        ${fwcmd} queue 10 config pipe 2 weight 10       #for everything else
        ${fwcmd} add 6000 queue 6 ip from 10.0.10.10 to any in via ${intif}
        ${fwcmd} add 8000 queue 10 ip from any to any in via ${intif}

Here are the rules, I appreciate the assistance.  Please cc me on reply, I'm
not a regular subscriber.

Thank you

Gene Dinkey
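The alternative the question raises, classifying outbound traffic on the external interface's output pass before the natd divert rule so the untranslated internal source address is still visible, as an added example that is not part of the original post. It reuses the interface names, the 10.0.10.10 host and the pipe/queue numbers from the post; the natd divert at rule 50 follows the /etc/rc.firewall convention, and rule numbers 40 and 45 for the outbound queues are assumptions for this example. By default it prints the commands instead of running them, so it can be read and checked on any system; on a FreeBSD gateway set fwcmd=/sbin/ipfw and sysctlcmd=/sbin/sysctl.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: shape outbound traffic by internal
# source address on the external interface's output pass, numbered *below* the
# natd divert rule so the 10.0.10.x source has not yet been rewritten. Because
# matching happens on rl0, LAN-to-LAN traffic on rl1 is never shaped.
# Interface names and the "slow" host come from the post; the divert rule
# number (50) and the outbound queue rule numbers (40, 45) are assumptions.
#
# Dry run by default: fwcmd/sysctlcmd print the commands instead of running them.
fwcmd="${fwcmd:-echo ipfw}"
sysctlcmd="${sysctlcmd:-echo sysctl}"
extif="rl0"            # external interface (from the post)
slow="10.0.10.10"      # low-priority download host (from the post)

shaping_rules() {
    # A packet leaving a dummynet pipe is re-injected at the next rule only
    # when one_pass=0. With the default one_pass=1 a packet matched by the
    # outbound queue rules below would be accepted right after shaping and
    # never reach the divert rule, i.e. it would leave rl0 untranslated.
    ${sysctlcmd} net.inet.ip.fw.one_pass=0

    ${fwcmd} -f flush

    # OUTGOING: shape before NAT. Rule 45 excludes the slow host so a packet
    # re-injected after queue 6 is not queued a second time by queue 10.
    ${fwcmd} pipe 2 config bw 360Kbit/s
    ${fwcmd} queue 6 config pipe 2 weight 2
    ${fwcmd} queue 10 config pipe 2 weight 10
    ${fwcmd} add 40 queue 6 ip from ${slow} to any out via ${extif}
    ${fwcmd} add 45 queue 10 ip from not ${slow} to any out via ${extif}

    # NAT: the divert rule now only sees packets that were already classified.
    ${fwcmd} add 50 divert natd ip from any to any via ${extif}

    # INCOMING: after the divert the destination is already the LAN address,
    # so these rules stay where the post had them. Rule 5000 excludes the slow
    # host for the same re-injection reason as rule 45.
    ${fwcmd} pipe 1 config bw 5800Kbit/s
    ${fwcmd} queue 1 config pipe 1 weight 2
    ${fwcmd} queue 5 config pipe 1 weight 10
    ${fwcmd} add 1000 queue 1 ip from any to ${slow} in via ${extif}
    ${fwcmd} add 5000 queue 5 ip from any to not ${slow} in via ${extif}
}

# Returns 0 when every outbound queue rule is numbered below the divert rule,
# i.e. when classification really happens before natd rewrites src-ip.
check_order() {
    rules=$(shaping_rules)
    div=$(echo "$rules" | sed -n 's/.*add \([0-9]*\) divert natd.*/\1/p')
    for n in $(echo "$rules" | sed -n 's/.*add \([0-9]*\) queue [0-9]* ip from .* out via.*/\1/p'); do
        [ "$n" -lt "$div" ] || return 1
    done
    return 0
}

shaping_rules
check_order && echo "OK: outbound queue rules precede the natd divert rule"
```

Two details matter when this is run for real: the `-f flush` line discards the existing ruleset, so the function belongs inside the firewall script rather than being run ad hoc, and the rest of the rc.firewall rules (the allow/deny rules after the divert) still have to follow rule 50. The `not ${slow}` exclusions are only needed because one_pass=0 re-injects a shaped packet into the ruleset; with the post's original layout and the default one_pass=1 a packet is accepted straight out of the pipe and the second queue rule never sees it.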


More information about the freebsd-questions mailing list