Date:      Wed, 20 Sep 2006 11:36:07 -0400
From:      Bill Moran <wmoran@collaborativefusion.com>
To:        Odhiambo Washington <odhiambo.raburu@wananchi.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Dummynet in an IPFilter setup
Message-ID:  <20060920113607.d819c759.wmoran@collaborativefusion.com>
In-Reply-To: <20060920152157.GD20244@ns2.wananchi.com>
References:  <20060920150511.GB20244@ns2.wananchi.com> <20060920111619.de01afb3.wmoran@collaborativefusion.com> <20060920152157.GD20244@ns2.wananchi.com>

In response to Odhiambo Washington <odhiambo.raburu@wananchi.com>:

> * On 20/09/06 11:16 -0400, Bill Moran wrote:
> | In response to Odhiambo Washington <wash@wananchi.com>:
> | 
> | [snip]
> | 
> | > The scenario:
> | > 
> | > I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
> | > interfaces at the moment, external interface connected to the hostile
> | > Internet and internal interface connected to a switch for the LAN.
> | > 
> | > The ISP gives 256Kbit/s on the external interface. Out of this, I
> | > need to dedicate/guarantee 128Kbit/s to just one machine.
> | > 
> | > A streaming server has been introduced on the LAN, and it is considered
> | > a VIP host as far as bandwidth allocation is concerned.
> | > The problem is that p2p is also officially allowed on the LAN. I hate
> | > it but it is allowed. Period. No argument about it.
> | > 
> | > I need to guarantee 128Kbit/s of the available bandwidth to the 
> | > streaming host (server, if you can call it).
> | > 
> | > 
> | > My thinking/plan:
> | > 
> | > 1. Add one more NIC to the FreeBSD box (it's also the router, 
> | >   firewall, _everything_ server) and put this on a separate IP block.
> | >   To this NIC I will connect the VIP host, which needs the guaranteed
> | >   bandwidth. I will therefore NAT traffic to/from it.
> | > 
> | > 2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
> | >    this means that:
> | >    (a) They cannot go beyond 128Kbit/s
> | >    (b) The VIP box will go above 128Kbit/s in case the throttled
> | >        LAN is not using all of the 128Kbit/s
> | > 
> | > I need to control bandwidth on the external interface only, not on the
> | > LAN (internal interfaces).
> | > 
> | > Is this rightful thinking or sheer imagination which is not practical?
> | 
> | Seems reasonable.  See below ...
> 
> Thanks, Bill for that verification.
> 
> 
> | > My problem:
> | > 
> | > 
> | > Most important is being dumb when it comes to IPFW and hence the pipes
> | > and all that pertains to it.
> | > 
> | > Here is my ipfw configuration, in black and white (firewall_type="OPEN")
> | > 
> | > 
> | >         # Outside interface network and netmask and ip
> | >         oif="bfe0"
> | >         iif="xl0"
> | >         onet="62.8.68.0"
> | >         omask="255.255.255.252"
> | >         oip="62.8.68.22"
> | > 
> | >         # Inside interface network and netmask and ip
> | >         iif="xl0"
> | >         inet="10.0.0.0"
> | >         imask="255.255.255.0"
> | >         iip="10.0.0.2"
> | > 
> | >         ipfw pipe 1 config bw 128Kbit/s
> | > 
> | >         # Allow any traffic to or from my own net.
> | >         ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
> | >         ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
> | > 
> | >         # Throttle now
> | >         ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
> |                                    ^^
> | 
> | Is this a direct cut/paste? If so, you've got a sticky $ key.
> 
> Yes, it was a paste "in the process of modifying" ;)
> Noted with thanks.
> 
> | 
> | >         ${fwcmd} add 65000 pass all from any to any
> | > 
> | > 
> | > With this configuration, it seems like even LAN->LAN communication is 
> | > being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
> | > Can someone tell me why that is happening?
> | > 
> | > Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
> | > bandwidth limitation configuration, is it not true that I will have 
> | > achieved my goal?
> | > 
> | > I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
> | > have a static route for the VIP box, with NAT for any connections 
> | > to/from it.
> | > 
> | > 
> | > I'll really appreciate any help/advice towards a perfect configuration
> | > for the firewall, and how I can get this to work.
> | > 
> | > Thanks in advance.
> 
> 
> Bill, you did not say anything on my problem with intra-LAN traffic. 
> Does that mean this configuration is okay, and should not at all affect 
> traffic within the LAN?

I assumed that any problems you were seeing were a result of the typo.

Seems to me that the config you propose will do what you want, but I
haven't spent a lot of time thinking about it.

Besides, these kinds of configs rarely work perfectly on the first try;
it usually takes a bit of tweaking after you implement them, as a result
of unforeseen consequences.  I think you've got a good starting point
and you should just monitor the setup for a while after implementation.

-- 
Bill Moran
Collaborative Fusion Inc.




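A worked version of the plan discussed in this thread, added here as an example (it is not code from either poster): a dry-run generator for a dummynet ruleset that caps the 10.0.0.0/24 LAN at 128Kbit/s while leaving the VIP segment and intra-LAN traffic untouched. The interface names, LAN and 128Kbit/s figure come from the quoted config; the 10.0.1.0/24 VIP block is the one the original poster proposed, and the rule numbers and the FWCMD variable are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. With FWCMD unset the rules are only
# printed ("echo ipfw"); FWCMD=/sbin/ipfw on the FreeBSD box applies them.

oif="bfe0"             # outside interface (from the quoted config)
iif="xl0"              # throttled LAN interface (from the quoted config)
lan="10.0.0.0/24"      # throttled LAN (from the quoted config)
vipnet="10.0.1.0/24"   # VIP block the poster proposed for the third NIC
cap="128Kbit/s"        # guaranteed share of the 256Kbit/s link

build_ruleset() {
    fwcmd="${FWCMD:-echo ipfw}"   # left unquoted below so "echo ipfw" splits
    $fwcmd -f flush
    $fwcmd pipe flush

    # A pipe does not distinguish direction: one pipe hit by both upload and
    # download rules caps their SUM at 128Kbit/s, so use one pipe per direction.
    $fwcmd pipe 1 config bw "$cap"    # LAN -> Internet
    $fwcmd pipe 2 config bw "$cap"    # Internet -> LAN

    # LAN <-> VIP segment traffic must never enter a pipe (the router's own
    # 10.0.0.2 lies inside $lan and is excluded by the "not $lan" tests below).
    $fwcmd add 100 allow ip from "$lan" to "$vipnet"
    $fwcmd add 110 allow ip from "$vipnet" to "$lan"

    # Shape on the inside interface rather than on $oif: on the xl0 input pass
    # the source is still the private address (ipnat maps on output), and on
    # the xl0 output pass the destination is already un-NATed (ipnat rewrites
    # replies on input), so the match does not depend on ipfw/ipfilter ordering.
    # "to not $lan" keeps LAN<->LAN and LAN<->router traffic out of the pipe.
    $fwcmd add 200 pipe 1 ip from "$lan" to not "$lan" in via "$iif"
    $fwcmd add 210 pipe 2 ip from not "$lan" to "$lan" out via "$iif"

    # No pipe rule matches $vipnet, so the VIP host gets whatever the LAN leaves
    # unused, up to the full link. With net.inet.ip.fw.one_pass=1 (the default)
    # a packet that went through a pipe is accepted afterwards.
    $fwcmd add 65000 allow ip from any to any
}

# Count the pipe rules that mention a given network; prints 0 when none do,
# which is how you confirm the VIP block is uncapped.
pipe_rules_for() {
    build_ruleset | grep "add [0-9]* pipe" | grep -c "$1" || true
}

build_ruleset
```

Running it as-is prints the ruleset; `pipe_rules_for 10.0.1.0/24` printing 0 is the check that the VIP segment never touches a pipe.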