Dummynet in an IPFilter setup

Odhiambo Washington odhiambo.raburu at wananchi.com
Wed Sep 20 08:22:08 PDT 2006


* On 20/09/06 11:16 -0400, Bill Moran wrote:
| In response to Odhiambo Washington <wash at wananchi.com>:
| 
| [snip]
| 
| > The scenario:
| > 
| > I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
| > interfaces at the moment, external interface connected to the hostile
| > Internet and internal interface connected to a switch for the LAN.
| > 
| > The ISP gives 256Kbit/s on the external interface. Out of this, I
| > need to dedicate/guarantee 128Kbit/s to just one machine.
| > 
| > A streaming server has been introduced on the LAN, and it is considered
| > a VIP host as far as bandwidth allocation is concerned.
| > The problem is that p2p is also officially allowed on the LAN. I hate
| > it but it is allowed. Period. No argument about it.
| > 
| > I need to guarantee 128Kbit/s of the available bandwidth to the 
| > streaming host (server, if you can call it).
| > 
| > 
| > My thinking/plan:
| > 
| > 1. Add one more NIC to the FreeBSD box (it's also the router, 
| >   firewall, _everything_ server) and put this on a separate IP block.
| >   To this NIC I will connect the VIP host, which needs the guaranteed
| >   bandwidth. I will therefore NAT traffic to/from it.
| > 
| > 2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
| >    this means that:
| >    (a) They cannot go beyond 128Kbit/s
| >    (b) The VIP box will go above 128Kbit/s in case the throttled
| >        LAN is not using all of the 128Kbit/s
| > 
| > I need to control bandwidth on the external interface only, not on the
| > LAN (internal interfaces).
| > 
| > Is this rightful thinking or sheer imagination which is not practical?
| 
| Seems reasonable.  See below ...

Thanks, Bill, for that verification.


| > My problem:
| > 
| > 
| > Most important is being dumb when it comes to IPFW and hence the pipes
| > and all that pertains to it.
| > 
| > Here is my ipfw configuration, in black and white (firewall_type="OPEN")
| > 
| > 
| >         # Outside interface network and netmask and ip
| >         oif="bfe0"
| >         iif="xl0"
| >         onet="62.8.68.0"
| >         omask="255.255.255.252"
| >         oip="62.8.68.22"
| > 
| >         # Inside interface network and netmask and ip
| >         iif="xl0"
| >         inet="10.0.0.0"
| >         imask="255.255.255.0"
| >         iip="10.0.0.2"
| > 
| >         ipfw pipe 1 config bw 128Kbit/s
| > 
| >         # Allow any traffic to or from my own net.
| >         ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
| >         ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
| > 
| >         # Throttle now
| >         ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
|                                    ^^
| 
| Is this direct cut/paste? If so, you've got a sticky $ key.

Yes, it was a paste "in the process of modifying" ;)
Noted with thanks.

| 
| >         ${fwcmd} add 65000 pass all from any to any
| > 
| > 
| > With this configuration, it seems like even LAN->LAN communication is 
| > being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
| > Can someone tell me why that is happening?
| > 
| > Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
| > bandwidth limitation configuration, is it not true that I will have 
| > achieved my goal?
| > 
| > I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
| > have a static route for the VIP box, with NAT for any connections 
| > to/from it.
| > 
| > 
| > I'll really appreciate any help/advice towards a perfect configuration
| > for the firewall, and how I can get this to work.
| > 
| > Thanks in advance.


Bill, you did not say anything on my problem with intra-LAN traffic. 
Does that mean this configuration is okay, and should not at all affect 
traffic within the LAN?


 

	Best regards,
	Odhiambo Washington
	Systems Admin,
	Wananchi Online Ltd.

Are you hosting your domain name with the leaders??: 
See http://webhosting.info/webhosts/tophosts/Country/KE


DISCLAIMER: See http://www.wananchi.com/bms/terms.php
----------------------------------+-----------------------------------------
 Odhiambo WASHINGTON			. WANANCHI ONLINE LTD (Nairobi, KE)
 http://www.wananchi.com/email/		. 1ere Etage, Laptrust Plaza, Loita St.,
 Mobile: (+254) 722 743 223		. # 10286, 00100 NAIROBI
----------------------------------+-----------------------------------------
Many are the plans in a man's heart,
but it is the Lord's purpose that prevails.
        Proverbs 19:21
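As an added worked example (not from this thread, and not the poster's own rc.firewall), here is a small dummynet rule set for the layout the original mail describes: the ordinary LAN is shaped to 128Kbit/s on the external interface only, intra-site traffic is accepted before any pipe rule so it is never queued, and the VIP segment on the third NIC falls through to the final accept rule unshaped. The interface names, the third NIC's name and the two address blocks are assumptions; by default the script only prints the rules so they can be reviewed, and setting FWCMD=ipfw applies them.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw/dummynet rule set that shapes
# only traffic crossing the external interface. Interface names and address
# blocks are assumptions that mirror the poster's description.

oif="bfe0"            # external interface (assumed)
iif="xl0"             # throttled LAN interface (assumed)
lan="10.0.0.0/24"     # throttled LAN (assumed)
vipnet="10.0.1.0/24"  # VIP host's own segment on the third NIC (assumed)

# By default the rules are only printed; run with FWCMD=ipfw to apply them.
fwcmd="${FWCMD:-echo ipfw}"

dummynet_rules() {
    # One pipe per direction: a pipe models a single link, so putting upload
    # and download through the same pipe would make them share one 128Kbit/s.
    $fwcmd pipe 1 config bw 128Kbit/s
    $fwcmd pipe 2 config bw 128Kbit/s

    # Intra-site traffic is accepted before any pipe rule, so it is never
    # shaped. This also covers LAN <-> firewall, since the firewall's LAN
    # address is inside $lan.
    $fwcmd add 100 allow ip from $lan to $lan
    $fwcmd add 110 allow ip from $lan to $vipnet
    $fwcmd add 120 allow ip from $vipnet to $lan

    # Shape by interface pair rather than by address: the recv/xmit pair of a
    # forwarded packet does not depend on whether NAT has already rewritten
    # the addresses by the time ipfw evaluates the rule.
    $fwcmd add 200 pipe 1 ip from any to any out recv $iif xmit $oif
    $fwcmd add 210 pipe 2 ip from any to any out recv $oif xmit $iif

    # With net.inet.ip.fw.one_pass=1 (the default) a packet leaving a pipe is
    # accepted without further rule processing; with one_pass=0 it re-enters
    # the rule set at the rule after the pipe.
    # The VIP segment <-> Internet path matches none of the pipe rules and
    # reaches the default accept rule unshaped.
    $fwcmd add 65000 allow ip from any to any
}

# Print (or apply, if FWCMD=ipfw) the rule set. Audit the live result with
# "ipfw show" and "ipfw pipe show" before trusting it.
dummynet_rules
```

Leaving FWCMD unset makes the script a dry run that prints each ipfw command, which is a convenient way to review the rule numbers and interface pairs before loading them on the router.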