Traffic shaping with ipfw/DUMMYNET when using natd

Alex de Kruijff freebsd at akruijff.dds.nl
Thu May 25 14:06:51 PDT 2006


On Wed, May 24, 2006 at 08:32:53AM -0600, G-der wrote:
> I've been setting up ipfw and DUMMYNET to do some traffic shaping on my
> network.  Right now to test things out I've basically put everything into two
> categories.  There's traffic from 10.0.10.10 which is lower priority (this
> is a download machine) and then there's everything else.
> 
> The biggest problem I've run into is that because natd gets the packets first
> thing the only way to catch outgoing traffic is on the internal network
> interface.  That is if you want to limit based on which internal machine is
> generating the traffic like in my case.  After the divert rule for natd the
> src-ip field gets changed to my external ip address.  This has a side effect
> of limiting all the traffic on that internal interface, even stuff that is
> not bound for the internet.
> 
> I've tried playing around a little bit with the bridged, diverted, and
> diverted-output commands but can't get any of them to catch the packets.
> 
> Is there a way to limit outgoing traffic based on which machine owns the
> traffic internally that doesn't have to be done on the internal interface?
> Would it be better practice to scan outgoing traffic before the divert rules
> for natd?

I do it on the internal nic. I just have the internal traffic skip those
rules. You could do it on the external nic, but this is more complex.
You should remember that the divert rule changes the ip address. Scanning
outgoing traffic before the divert rule and incoming after it should
work too.

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about 
setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/
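The ordering Alex describes (shape outbound traffic before the divert rule and inbound traffic after it, on the external NIC) written out as an added ipfw/dummynet ruleset; this is an example, not a script from the thread or from the linked howtos. 10.0.10.10 is the download machine from the question; the interface name em0, the pipe bandwidths, the rule numbers and the IPFW/SYSCTL variables used for dry runs are assumptions:

```shell
#!/bin/sh
# Per-host shaping on the EXTERNAL interface of a natd gateway.
# Assumed names (not from the original post): external NIC em0, low-priority
# host 10.0.10.10, pipe bandwidths and rule numbers chosen for illustration.
EXT_IF=${EXT_IF:-em0}
SLOW_HOST=${SLOW_HOST:-10.0.10.10}
# Set IPFW=echo SYSCTL=echo to print the rules instead of loading them.
IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}

load_rules() {
    # Caveat: with net.inet.ip.fw.one_pass=1 (the default) a packet leaving a
    # dummynet pipe is accepted immediately and never reaches the divert rule,
    # so the shaped outbound packet would leave with its private source address.
    # With one_pass=0 it re-enters the ruleset at the next rule.
    $SYSCTL net.inet.ip.fw.one_pass=0

    $IPFW -f flush
    $IPFW -f pipe flush
    $IPFW pipe 1 config bw 256Kbit/s     # upload cap for the download box
    $IPFW pipe 2 config bw 1Mbit/s       # download cap for the download box

    # 1. Outbound on the external NIC, BEFORE natd: the source address is
    #    still 10.0.10.10, so the host can be identified here.  LAN-only
    #    traffic never transits em0 and is therefore not shaped at all.
    $IPFW add 100 pipe 1 ip from $SLOW_HOST to any out xmit $EXT_IF

    # 2. natd translates both directions on the external NIC.  The packet
    #    returned by natd continues at the rule after this one.
    $IPFW add 200 divert natd ip from any to any via $EXT_IF

    # 3. Inbound on the external NIC, AFTER natd: the destination has already
    #    been translated back to the private address.
    $IPFW add 300 pipe 2 ip from any to $SLOW_HOST in recv $EXT_IF

    # Everything else (including other internal hosts) is not shaped.
    $IPFW add 65000 allow ip from any to any
}

# Usage: sh shape.sh load        (or IPFW=echo SYSCTL=echo sh shape.sh load)
if [ "${1:-}" = "load" ]; then
    load_rules
fi
```

This assumes natd is already listening on the default divert port (the "natd" service, which the `divert natd` keyword resolves through /etc/services) and a kernel with IPDIVERT and DUMMYNET. Because rule 100 matches only `out xmit em0`, traffic from 10.0.10.10 to other LAN hosts is untouched, which was the problem with shaping on the internal interface.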


