Date: Mon, 29 Nov 2004 22:31:57 +0100
From: Matej <matej.puntar@guest.arnes.si>
To: freebsd-ipfw@freebsd.org
Subject: dummynet and NAT
Message-ID: <41AB954D.5060105@guest.arnes.si>
Hello

Can you help me? I would like to split upload and download bw dynamically and separately between 5 users (equally) and a server. I need to reserve some bw, e.g. 128 Kbits download, 56 Kbits upload for the server (10.0.0.1), which is also the router, and 5 users 10.0.0.2 - 10.0.0.6. I also need to set priority traffic: smtp, imap, pop3, skype, http, ftp, ... in this order. I have 768 download, 128 upload.

I can't get it to work. I don't know where to put the pipe and queue definitions. I tried a lot of things but everything breaks NAT.

net.inet.ip.fw.one_pass: 1

These are my firewall rules at the moment:

################
#/etc/firewall.rules
################
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"

ipfw -q -f flush

$cmd 002 allow all from any to any via rl1     # exclude LAN traffic
$cmd 003 allow all from any to any via lo0     # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 135 $skip all from any to any out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Authorized inbound packets
# WWW
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
# SSH
$cmd 421 allow tcp from any to me 22 in via $pif setup limit src-addr 1
# SMTP mail
$cmd 422 allow tcp from any to me 25 in via $pif setup limit src-addr 1
# SSL IMAP
$cmd 423 allow tcp from any to me 993 in via $pif setup limit src-addr 1
# SSL POP3
$cmd 424 allow tcp from any to me 995 in via $pif setup limit src-addr 1

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################

If you find any bad ideas in my firewall rules please comment.

I already got tips for dynamically and equally splitting bw from Martes Wigglesworth:

> Martes Wigglesworth wrote:
> The answer from all documentation that I have read, would be to simply
> implement a single pipe 1 of bw xKbit/s and configure dynamic pipes that
> use the same pipe, hence splitting up the bandwidth dynamically. Since
> the queue is a copy of the first one, then all dynamic pipes have the
> same queue weight, and will then have an equal segment of the bandwidth
> of the pipe that they are attached to, in this case pipe 1.
> Example:
>
> ipfw add queue 1 log ip from any to ${internaldudes} in recv ${extif}
> ipfw queue 1 config pipe 1 mask dst-ip 0xffffffff
> ipfw pipe 1 config bw 256Kbit/s
>
> In the above example, any ip traffic coming into a natd box with
> interface ${extif} attached to the internet, and ${internaldudes} being
> those ips that are behind the gateway. Whenever a host connects to the
> box, and has traffic come to it from the internet, a dynamic queue will
> drain bandwidth for pipe 1. Due to this functionality, the pipe 1 bw
> will get divided between the pipes that are created. When there is no
> client, then the queue is deleted.
>
> If you have multiple subnets, like me, and you want to specify the
> internal interfaces, then use the following, thanks to Nicolas, earlier
> today:
> ${fwcmd_add} deny udp from 0.0.0.0 68 to 255.255.255.255 67 in \{ recv ${if_m} or recv ${if_g} \}

Thank you all

Matej
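The placement the message asks about (pipe and queue rules that leave natd working), worked through as an added example that is not part of the original post or of the quoted reply. It assumes net.inet.ip.fw.one_pass=0 rather than the post's 1, the rl0/rl1 interfaces, 10.0.0.0/24 and the bandwidth figures from the post, and an IPFW variable that defaults to a dry run which only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post: the poster's ruleset with the
# dummynet pipes and queues placed so that every packet still reaches natd.
# Assumes net.inet.ip.fw.one_pass=0 (the post has 1; with 1 a queue rule ends
# processing and an outbound packet shaped before rule 500 never gets NATed).
# IPFW defaults to a dry run that only prints the commands; set IPFW=ipfw
IPFW="${IPFW:-echo ipfw}"
pif=rl0; lif=rl1; lan=10.0.0.0/24   # outside interface, LAN interface, LAN net

shape_config() {
    # pipe 1 = 768Kbit/s download, pipe 2 = 128Kbit/s upload (from the post).
    $IPFW pipe 1 config bw 768Kbit/s
    $IPFW pipe 2 config bw 128Kbit/s
    # WF2Q+ splits a pipe among its active queues in proportion to weight.
    # Download: server and user weights are equal, so with all six active the
    # server keeps 1/6 of 768 = 128Kbit/s; upload: 35/(35+5*9) = 7/16 of 128
    # = 56Kbit/s. mask 0xffffffff creates one dynamic queue per user address.
    $IPFW queue 1 config pipe 1 weight 10                        # server down
    $IPFW queue 2 config pipe 1 weight 10 mask dst-ip 0xffffffff # users down
    $IPFW queue 3 config pipe 2 weight 35                        # server up
    $IPFW queue 4 config pipe 2 weight 9 mask src-ip 0xffffffff  # users up
}

firewall_rules() {
    $IPFW -q -f flush
    $IPFW -q add 002 allow all from any to any via $lif
    $IPFW -q add 003 allow all from any to any via lo0
    $IPFW -q add 100 divert natd ip from any to any in via $pif
    # Queues sit after the inbound divert (the 10.0.0.x destination is only
    # visible once natd has translated it) and before check-state, whose
    # skipto 500 on a dynamic-rule match would jump straight over them.
    $IPFW -q add 102 queue 1 ip from any to me in recv $pif
    $IPFW -q add 103 queue 2 ip from any to $lan in recv $pif
    $IPFW -q add 104 queue 3 ip from me to any out xmit $pif
    $IPFW -q add 105 queue 4 ip from $lan to any out xmit $pif
    $IPFW -q add 110 check-state
    $IPFW -q add 135 skipto 500 all from any to any out via $pif keep-state
    for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 0.0.0.0/8 \
               169.254.0.0/16 192.0.2.0/24 204.152.64.0/23 224.0.0.0/3; do
        $IPFW -q add 300 deny all from $net to any in via $pif
    done
    for port in 80 22 25 993 995; do # www, ssh, smtp, imaps, pop3s
        $IPFW -q add 420 allow tcp from any to me $port in via $pif setup limit src-addr 1
    done
    $IPFW -q add 450 deny log ip from any to any
    $IPFW -q add 500 divert natd ip from any to any out via $pif
    $IPFW -q add 510 allow ip from any to any
}

shape_config; firewall_rules
```

The per-protocol priority order from the post is not covered here. With one_pass left at 1 these same rules would accept every shaped packet at the queue rule, so outbound traffic would never reach the divert at 500 and inbound traffic would be accepted before the deny rules run.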