From: Matej <matej.puntar@guest.arnes.si>
To: freebsd-ipfw@freebsd.org
Date: Mon, 29 Nov 2004 22:31:57 +0100
Subject: dummynet and NAT

Hello,
Can you help me? I would like to split upload and download bandwidth dynamically and separately between 5 users (equally) and a server. I need to reserve some bandwidth, e.g. 128 Kbit/s download and 56 Kbit/s upload, for the server (10.0.0.1), which is also the router, and 5 users 10.0.0.2 - 10.0.0.6, and I also need to set priority traffic: smtp, imap, pop3, skype, http, ftp, ... in this order. I have 768 download, 128 upload. I can't get it to work. I don't know where to put the pipe and queue definitions. I tried a lot of things but everything breaks NAT.

net.inet.ip.fw.one_pass: 1

These are my firewall rules at the moment:

################
#/etc/firewall.rules
################
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"

ipfw -q -f flush

$cmd 002 allow all from any to any via rl1   # exclude LAN traffic
$cmd 003 allow all from any to any via lo0   # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 135 $skip all from any to any out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif        #"this" network (RFC 1122)
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Authorized inbound packets
# WWW
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
# SSH
$cmd 421 allow tcp from any to me 22 in via $pif setup limit src-addr 1
# SMTP mail
$cmd 422 allow tcp from any to me 25 in via $pif setup limit src-addr 1
# SSL IMAP
$cmd 423 allow tcp from any to me 993 in via $pif setup limit src-addr 1
# SSL POP3
$cmd 424 allow tcp from any to me 995 in via $pif setup limit src-addr 1

$cmd 450 deny log ip from any to any

# This is the skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################

If you find any bad ideas in my firewall rules, please comment.

I already got tips for dynamically and equally splitting bandwidth from Martes Wigglesworth:

> Martes Wigglesworth wrote:
> The answer from all documentation that I have read, would be simply
> implement a single pipe 1 of bw xKbit/s and configure dynamic pipes that
> use the same pipe, hence splitting up the bandwidth dynamically. Since
> the queue is a copy of the first one, then all dynamic pipes have the
> same queue weight, and will then have an equal segment of the bandwidth
> of the pipe that they are attached to, in this case pipe 1.
> Example:
>
> ipfw add queue 1 log ip from any to ${internaldudes} in recv ${extif}
> ipfw queue 1 config pipe 1 mask dst-ip 0xffffffff
> ipfw pipe 1 config bw 256Kbit/s
>
> In the above example, any ip traffic coming into a natd box with
> interface ${extif} attached to the internet, and ${internaldudes} being
> those ips that are behind the gateway. Whenever a host connects to the
> box, and has traffic come to it from the internet, a dynamic queue will
> drain bandwidth for pipe 1. Due to this functionality, the pipe 1 bw
> will get divided between the pipes that are created. When there is no
> client, then the queue is deleted.
>
> If you have multiple subnets, like me, and you want to specify the
> internal interfaces, then use the following, thanks to Nicolas, earlier
> today:
> ${fwcmd_add} deny udp from 0.0.0.0 68 to 255.255.255.255 67 in \{ recv ${if_m} or recv ${if_g} \}

Thank you all,
Matej
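The following is an added example, not part of Matej's message or Martes's quoted reply, showing one placement of dummynet queues that keeps natd working with a ruleset shaped like the one above. It assumes the addresses and interfaces from the question (rl0 external, rl1 LAN, router/server 10.0.0.1, users 10.0.0.2-10.0.0.6, 768/128 Kbit/s) and switches net.inet.ip.fw.one_pass to 0, so that a packet leaving a dummynet queue re-enters the ruleset at the next rule instead of being accepted, as ipfw(8) describes. Two properties of the posted ruleset explain why queue rules "break NAT": with one_pass=1 a queue rule is terminal, so a queue rule placed before the outbound divert accepts the packet untranslated (and one placed before check-state on the inbound side accepts it without any filtering at all); and a matching check-state executes the action of the rule that created the dynamic entry, here skipto 500, so for established flows every rule between check-state and rule 500 is skipped. The queue rules therefore go after the inbound divert (the private destination address is already restored) and before check-state (the private source address is not yet translated). The bogon denies are moved in front of the divert so that spoofed packets are neither translated nor charged to a queue; only three of them and two service rules are shown, the rest of the 300 and 420 series from the question go in unchanged. The function names, the IPFW and SYSCTL variables and the WF2Q+ weights are this example's own choices; the per-protocol ordering asked for in the question is not covered.

```shell
#!/bin/sh
# Added example (not the poster's /etc/firewall.rules): dummynet shaping that
# coexists with natd.  Assumed layout, taken from the question: rl0 external,
# rl1 LAN, 10.0.0.1 is the router and server, 10.0.0.2-10.0.0.6 are the users.
#   sh shape.sh        print the ruleset (dry run)
#   sh shape.sh apply  install it with ipfw(8) and set one_pass=0
pif=rl0
lif=rl1
lan=10.0.0.0/24
down_kbit=768
up_kbit=128
IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}

# One ipfw(8) sub-command per line, in install order.  WF2Q+ weights are
# shares, not hard reservations (idle share goes to whoever is sending):
#   download: 768/6 = 128 Kbit/s each when the server and all 5 users are
#             busy, so server and per-user queues get the same weight;
#   upload:   56 of 128 Kbit/s for the server is 7/16, which 35:9 gives
#             exactly (35 / (35 + 5*9) * 128 = 56).
# Queue 1 and 3 use a mask, so dummynet creates one dynamic queue per
# LAN host; the router's own traffic matches "me" and gets its own queue.
shaper_rules() {
    cat <<EOF
pipe 1 config bw ${down_kbit}Kbit/s
pipe 2 config bw ${up_kbit}Kbit/s
queue 1 config pipe 1 weight 10 mask dst-ip 0xffffffff
queue 2 config pipe 1 weight 10
queue 3 config pipe 2 weight 9 mask src-ip 0xffffffff
queue 4 config pipe 2 weight 35
add 002 allow ip from any to any via ${lif}
add 003 allow ip from any to any via lo0
add 050 deny ip from 192.168.0.0/16 to any in via ${pif}
add 051 deny ip from 172.16.0.0/12 to any in via ${pif}
add 052 deny ip from 10.0.0.0/8 to any in via ${pif}
add 100 divert natd ip from any to any in via ${pif}
add 110 queue 1 ip from any to ${lan} in via ${pif}
add 111 queue 2 ip from any to me in via ${pif}
add 112 queue 3 ip from ${lan} to any out via ${pif}
add 113 queue 4 ip from me to any out via ${pif}
add 120 check-state
add 135 skipto 500 ip from any to any out via ${pif} keep-state
add 420 allow tcp from any to me 80 in via ${pif} setup limit src-addr 1
add 421 allow tcp from any to me 22 in via ${pif} setup limit src-addr 1
add 450 deny log ip from any to any
add 500 divert natd ip from any to any out via ${pif}
add 510 allow ip from any to any
EOF
}

# Number of the first "add" rule whose body starts with $1; used to check
# placement (queues after the inbound divert, before check-state, before NAT).
rule_number() {
    shaper_rules | awk -v want="$1" '
        $1 == "add" {
            body = $3
            for (i = 4; i <= NF; i++) body = body " " $i
            if (index(body, want) == 1) { print $2 + 0; exit }
        }'
}

apply_rules() {
    # Without this a queue rule is terminal and the packet never reaches
    # the divert (outbound) or the filtering rules (inbound).
    $SYSCTL net.inet.ip.fw.one_pass=0
    $IPFW -q -f flush
    $IPFW -q -f pipe flush        # "flush" alone leaves pipes and queues behind
    shaper_rules | while IFS= read -r line; do
        $IPFW -q $line            # word splitting intended: one sub-command per line
    done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     shaper_rules ;;
esac
```

The kernel needs dummynet (options DUMMYNET) for the pipe and queue commands. Two caveats a practitioner should keep in mind: inbound "shaping" on rl0 only delays what is forwarded to the LAN, the bytes have already crossed the link, so the download split works through the senders' TCP feedback and is only approximate; and because the queue rules sit in front of the filtering rules, a packet that rule 450 will drop still occupies a dynamic queue for a moment, which is harmless but visible in `ipfw queue show`.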