From: Odhiambo Washington <wash@wananchi.com>
To: freebsd-questions@freebsd.org
Date: Wed, 20 Sep 2006 18:05:12 +0300
Subject: Dummynet in an IPFilter setup
Message-ID: <20060920150511.GB20244@ns2.wananchi.com>

Hiya,

Since freebsd-ipfw is "dead" and mostly for spammers, let me try my luck here once more ;)

I am trying to prove a point to a customer - that he can save the cost of expensive routing hardware by just having a FreeBSD box on their LAN. Unfortunately, this also means that I need to spend days reading about IPFW, which, sincerely, is not one of those firewall implementations that is easy for me. I therefore need help to prove a point and keep a customer.

The scenario:

I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two interfaces at the moment: the external interface connected to the hostile Internet and the internal interface connected to a switch for the LAN. The ISP gives 256Kbit/s on the external interface. Out of this, I need to dedicate/guarantee 128Kbit/s to just one machine. A streaming server has been introduced on the LAN, and it is considered a VIP host as far as bandwidth allocation is concerned. The problem is that p2p is also officially allowed on the LAN. I hate it but it is allowed. Period. No argument about it. I need to guarantee 128Kbit/s of the available bandwidth to the streaming host (server, if you can call it).

My thinking/plan:

1. Add one more NIC to the FreeBSD box (it's also the router, firewall, _everything_ server) and put this on a separate IP block. To this NIC I will connect the VIP host, which needs the guaranteed bandwidth. I will therefore NAT traffic to/from it.

2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, this means that:
   (a) They cannot go beyond 128Kbit/s
   (b) The VIP box will go above 128Kbit/s in case the throttled LAN is not using all of the 128Kbit/s

I need to control bandwidth on the external interface only, not on the LAN (internal interfaces). Is this rightful thinking or sheer imagination which is not practical?

My problem: most important is being dumb when it comes to IPFW and hence the pipes and all that pertains to it. Here is my ipfw configuration, in black and white (firewall_type="OPEN"):

fwcmd="/sbin/ipfw"    # as set by /etc/rc.firewall

# Outside interface, network, netmask and IP
oif="bfe0"
onet="62.8.68.0"
omask="255.255.255.252"
oip="62.8.68.22"

# Inside interface, network, netmask and IP
iif="xl0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.2"

${fwcmd} pipe 1 config bw 128Kbit/s

# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${iip} to ${inet}:${imask}
${fwcmd} add pass all from ${inet}:${imask} to ${iip}

# Throttle now: LAN traffic leaving via the outside interface goes through pipe 1
${fwcmd} add pipe 1 tcp from ${inet}:${imask} to any out via ${oif} keep-state

${fwcmd} add 65000 pass all from any to any

With this configuration, it seems like even LAN->LAN communication is being restricted to 128Kbit/s. I am not sure why, as simple as it looks! Can someone tell me why that is happening?

Now, supposing the 3rd NIC was on the 10.0.1.0/24 network, and there is no bandwidth limitation configuration, is it not true that I will have achieved my goal? I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and have a static route for the VIP box, with NAT for any connections to/from it.

I'll really appreciate any help/advice towards a perfect configuration for the firewall, and how I can get this to work.

Thanks in advance.

-Wash

http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Minnie Mouse is a slow maze learner.
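As an added example that is not from the original post: one way to lay out the dummynet shaping so that only packets actually crossing the external interface are queued (LAN-only traffic is never touched) and the VIP host is guaranteed half of the 256Kbit/s link while still being able to use all of it when the LAN is idle. It goes beyond the single pipe in the post by using WF2Q+ queues on a shared pipe and by classifying on interface pairs rather than addresses; the interface names bfe0 and xl0 come from the post, while the third NIC name xl1 is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: emit a dummynet ruleset that
# shapes only traffic crossing the external interface (LAN<->LAN stays
# unshaped) and shares the 256Kbit/s link so the VIP host is guaranteed
# half of it but may use all of it when the LAN is idle.
# bfe0/xl0 and the 256Kbit/s link are from the post; the third NIC name
# "xl1" and the use of WF2Q+ queues are assumptions.

oif="bfe0"     # external interface, the only place we shape
iif="xl0"      # existing LAN interface
vif="xl1"      # assumed name of the NIC serving the VIP host

# Print the ipfw commands rather than run them, so they can be reviewed
# (and tested) before being piped to sh on the router.
gen_rules() {
    # One pipe per direction of the uplink, each shared by two WF2Q+
    # queues. Equal weights give each side half the link when both are
    # busy and the whole link to whichever side is active alone.
    echo "ipfw pipe 1 config bw 256Kbit/s"        # upstream
    echo "ipfw pipe 2 config bw 256Kbit/s"        # downstream
    echo "ipfw queue 1 config pipe 1 weight 50"   # VIP, upstream
    echo "ipfw queue 2 config pipe 1 weight 50"   # LAN, upstream
    echo "ipfw queue 3 config pipe 2 weight 50"   # VIP, downstream
    echo "ipfw queue 4 config pipe 2 weight 50"   # LAN, downstream
    # Classify by receive/transmit interface pair instead of by address,
    # so the rules hold whether or not ipnat has already rewritten the
    # source. A packet is queued only when it passes between an inside
    # interface and ${oif}, so traffic that stays inside is untouched.
    echo "ipfw add 1000 queue 1 ip from any to any out recv ${vif} xmit ${oif}"
    echo "ipfw add 1010 queue 2 ip from any to any out recv ${iif} xmit ${oif}"
    echo "ipfw add 1100 queue 3 ip from any to any out recv ${oif} xmit ${vif}"
    echo "ipfw add 1110 queue 4 ip from any to any out recv ${oif} xmit ${iif}"
    # With the default net.inet.ip.fw.one_pass=1 a packet leaving a queue
    # is accepted; the final allow keeps the OPEN behaviour for the rest.
    echo "ipfw add 65000 allow ip from any to any"
}

gen_rules
```

Review the printed commands, then feed them to sh on the router; the pipe bandwidth is set to the full link, not 128Kbit/s, because the guarantee comes from the queue weights rather than from capping the LAN.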