Dummynet in an IPFilter setup
Odhiambo Washington
wash at wananchi.com
Wed Sep 20 08:05:26 PDT 2006
Hiya,
Since freebsd-ipfw is "dead" and mostly for spammers, let me try my luck
here once more ;)
I am trying to prove a point to a customer - that he can save the cost
of expensive routing hardware by just having a FreeBSD box on their LAN.
Unfortunately, this also means that I need to spend days reading about
IPFW, which, sincerely, is not one of those firewall implementations
that is easy for me. I therefore need help to prove a point and keep
a customer.
The scenario:
I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two
interfaces at the moment, the external interface connected to the hostile
Internet and the internal interface connected to a switch for the LAN.
The ISP gives 256Kbit/s on the external interface. Out of this, I
need to dedicate/guarantee 128Kbit/s to just one machine.
A streaming server has been introduced on the LAN, and it is considered
a VIP host as far as bandwidth allocation is concerned.
The problem is that p2p is also officially allowed on the LAN. I hate
it but it is allowed. Period. No argument about it.
I need to guarantee 128Kbit/s of the available bandwidth to the
streaming host (server, if you can call it).
My thinking/plan:
1. Add one more NIC to the FreeBSD box (it's also the router,
firewall, _everything_ server) and put this on a separate IP block.
To this NIC I will connect the VIP host, which needs the guaranteed
bandwidth. I will therefore NAT traffic to/from it.
2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me,
this means that:
(a) They cannot go beyond 128Kbit/s
(b) The VIP box will go above 128Kbit/s in case the throttled
LAN is not using all of the 128Kbit/s
I need to control bandwidth on the external interface only, not on the
LAN (internal interfaces).
Is this rightful thinking or sheer imagination which is not practical?
My problem:
Most important is being dumb when it comes to IPFW and hence the pipes
and all that pertains to it.
Here is my ipfw configuration, in black and white (firewall_type="OPEN"):
# Outside interface network and netmask and ip
oif="bfe0"
onet="62.8.68.0"
omask="255.255.255.252"
oip="62.8.68.22"
# Inside interface network and netmask and ip
iif="xl0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.2"
# The ipfw binary used by the rules below
fwcmd="/sbin/ipfw"
# Pipe 1 caps the throttled LAN at 128Kbit/s
${fwcmd} pipe 1 config bw 128Kbit/s
# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${iip} to ${inet}:${imask}
${fwcmd} add pass all from ${inet}:${imask} to ${iip}
# Throttle now: LAN TCP traffic leaving via the outside interface goes through pipe 1
${fwcmd} add pipe 1 tcp from ${inet}:${imask} to any out via ${oif} keep-state
${fwcmd} add 65000 pass all from any to any
With this configuration, it seems like even LAN->LAN communication is
being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
Can someone tell me why that is happening?
Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
bandwidth limitation configuration, is it not true that I will have
achieved my goal?
I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
have a static route for the VIP box, with NAT for any connections
to/from it.
I'll really appreciate any help/advice towards a perfect configuration
for the firewall, and how I can get this to work.
Thanks in advance.
-Wash
http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
+======================================================================+
|\ _,,,---,,_ | Odhiambo Washington <wash at wananchi.com>
Zzz /,`.-'`' -. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com
|,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922
'---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121
+======================================================================+
Minnie Mouse is a slow maze learner.
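A worked dummynet layout for the setup described in the post, added here as an example and not the poster's own configuration: one pipe per direction on the external interface, split into two equally weighted queues, so the streaming host is guaranteed its half of the link under contention and may borrow the rest when the LAN queue is idle (goal (b) in the post). It assumes the third-NIC plan from the post with the VIP host at 10.0.1.2; the interface name, LAN block and link speed are taken from the post, the weights and the `gen_rules` print-first structure are my own.

```shell
#!/bin/sh
# Added example (not the poster's configuration): dummynet pipe + weighted
# queues so the VIP host keeps a guaranteed share of a 256Kbit/s link while the
# rest of the LAN (p2p included) gets whatever is left. Assumes the third NIC
# plan from the post, with the streaming server at 10.0.1.2 (assumed address).

oif="bfe0"           # external interface, 256Kbit/s from the ISP
lan="10.0.0.0/24"    # existing LAN (p2p allowed here)
vip="10.0.1.2"       # streaming server on the third NIC (assumed address)
link_bw="256Kbit/s"  # what the pipes model; must not exceed the real link

# gen_rules prints the ipfw commands rather than running them, so the plan can
# be reviewed on any machine before it touches a firewall.
gen_rules() {
    # dummynet shapes each direction separately: pipe 1 = upload, pipe 2 = download.
    echo "ipfw pipe 1 config bw ${link_bw}"
    echo "ipfw pipe 2 config bw ${link_bw}"
    # Equal weights give a 50/50 split only under contention; an idle queue's
    # share goes to the other one. Do not add a per-host "mask" to the LAN
    # queues: dummynet then creates one queue per flow, each with the full
    # weight, and N busy LAN hosts would outweigh the single VIP queue.
    echo "ipfw queue 11 config pipe 1 weight 50"
    echo "ipfw queue 12 config pipe 1 weight 50"
    echo "ipfw queue 21 config pipe 2 weight 50"
    echo "ipfw queue 22 config pipe 2 weight 50"
    # Classify only on the external interface, so LAN<->LAN and LAN<->VIP
    # traffic never enters a pipe. Numbers stay below the 65000 catch-all.
    # Assumption: ipfw sees the private addresses here (before IPNAT on the way
    # out, after it on the way in). Check "ipfw show" counters after a test
    # download; if they stay at zero, match on the external address instead.
    echo "ipfw add 1000 queue 11 ip from ${vip} to any out via ${oif}"
    echo "ipfw add 1010 queue 12 ip from ${lan} to any out via ${oif}"
    echo "ipfw add 1020 queue 21 ip from any to ${vip} in via ${oif}"
    echo "ipfw add 1030 queue 22 ip from any to ${lan} in via ${oif}"
    # With net.inet.ip.fw.one_pass=1 (the default) a packet leaves the rule
    # set once it has been queued, so the pass-all rule below is only reached
    # by traffic that matched no queue rule.
    echo "ipfw add 65000 pass all from any to any"
}

case "${1:-}" in
    apply) gen_rules | sh ;;   # run for real; needs root on the FreeBSD box
    *)     gen_rules ;;        # default: just print the plan
esac
```

Shaping the download direction (pipe 2) only influences remote senders indirectly, through TCP backing off after drops; the upload pipe is the one the box controls directly.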