From owner-freebsd-net@FreeBSD.ORG Fri Jul 1 07:59:51 2011
From: Michael MacLeod
Date: Fri, 1 Jul 2011 03:59:30 -0400
To: Julian Elischer
Cc: freebsd-net@freebsd.org
Subject: Re: Bridging Two Tunnel Interfaces For ALTQ
In-Reply-To: <4E0D593B.7090206@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Jul 1, 2011 at 1:20 AM, Julian Elischer wrote:
> On 6/29/11 11:28 AM, Michael MacLeod wrote:
>
>> I use pf+ALTQ to achieve some pretty decent traffic shaping results at
>> home.
>> However, I recently signed up to be part of an IPv6 trial with my ISP, and
>> they've given me a second (dual-stacked) PPPoE login with which to test.
>> The problem is that the second login lacks my static IP or my routed /29.
>> I can have both tunnels up simultaneously, but that becomes a pain to
>> traffic shape since I can't have them both assigned to the same ALTQ.
>>
>> ... unless there is some way for me to turn the ng interfaces (I'm using
>> mpd5) into ethernet interfaces that could be assigned to an if_bridge. I
>> could easily disable IPv4 on the IPv6 tunnel, which would clean up any
>> routing issues, assign both tunnels to the bridge, and put the ALTQ on the
>> bridge. It just might have the effect I'm looking for. Bonus points if the
>> solution can be extended to allow it to work with a gif tunnel as well, so
>> that users of 6in4 tunnels could use it (my ISP's IPv6 beta won't let me do
>> rDNS delegation, so I might want to try a tunnel from he.net instead).
>>
>> I spent some time this morning trying to make netgraph do this with the
>> two ng interfaces, but didn't have any luck. Google didn't turn up anyone
>> trying to do anything similar that I could find; closest I got was this:
>> http://lists.freebsd.org/pipermail/freebsd-net/2004-November/005598.html
>>
>> This is all assuming that the best way to use ALTQ on multiple outbound
>> connections is with a bridge. If there is another or more elegant
>> solution, I'd love to hear it.
>
> Rather than trying to shoehorn ng into if_bridge, why not use the netgraph
> bridge utility, or maybe one of the many other netgraph nodes that can
> split traffic. For example the ng_bpf filter can filter traffic in an
> almost arbitrary manner that you program using the bpf filter language.

Julian, thanks for responding. I'm not particularly concerned about how I accomplish my goal, so long as I can accomplish it.
I was thinking about using if_bridge or ng_bridge because I have past experience with software bridges in BSD and Linux. Unfortunately, ng_bridge requires a node that has an ether hook. I spent a bit of time looking at the mpd5 documentation, and there's actually a config option to have mpd generate an extra tee node between the ppp and the iface nodes. These nodes are connected together using inet hooks. If I could find a netgraph node that can take inet in one side and ether on the other, I believe I'd be set.

The nice thing (near as I can tell) about using ethernet-based nodes would be that pretty much everything can talk to an ethernet interface (tcpdump, etc.) and that ethernet should be fairly easy to fake; just assign a fake MAC to the ether nodes (which is what the ng_ether node does, pretty much) and the bridge will take care of making sure traffic for tunnel 0 doesn't go to tunnel 1, etc.

I haven't read up very much about ng_bpf yet, but it seems like a pretty heavy tool for the job, and wouldn't the data have to enter userspace for parsing by the bpf script? Also, I've never written anything in bpf. It's not a huge hurdle, I hope, but it's certainly more involved than a six-line ngctl incantation that turns my iface nodes into eiface nodes suitable for bridging.

As I said, I'm not particularly concerned with the means, just the end itself really. If there were an elegant way to create a virtual ALTQ on which I could then build sub-queues that were actually attached to the tunnels in pf, that would also satisfy my end goal, without any netgraph mucking at all. I just haven't found any evidence that ALTQ has any ability to do that.

I just have two tunnels, one using IPv4 and one using IPv6, that share the same bandwidth resource. I want a way to shape traffic based on the pool of bandwidth, not the tunnels running through the pool.
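For reference, here is what Julian's ng_bridge suggestion looks like as an ngctl script: an ng_bridge node with two ng_eiface nodes on its link hooks. This is an added example, not something posted in the thread or shipped with mpd5; the node name ppbr and the temporary hook name tmp are arbitrary choices, and the ngeth0/ngeth1 interface names are the ones ng_eiface assigns in order of creation. It deliberately stops at the point Michael identifies: the eiface "ether" hooks and the bridge "linkN" hooks exchange Ethernet frames, while mpd's ng_iface/ng_tee hooks exchange raw IP packets, so something would still have to sit between them, and the script does not attach the PPP side.

```ngctl
# Added example (not from the thread): ng_bridge with two ng_eiface links.
# Run with: ngctl -f this-file
#
# ng_bridge has no default name, so create it hanging off ngctl's own
# node (".") via a temporary hook, then give it a name we can address.
mkpeer bridge tmp link0
name .:tmp ppbr
# Each ng_eiface node has a single "ether" hook and shows up as a network
# interface (ngeth0, then ngeth1). ng_bridge's link hooks expect Ethernet
# frames, which is exactly what ng_eiface produces.
mkpeer ppbr: eiface link1 ether
mkpeer ppbr: eiface link2 ether
# Drop the temporary hook. The bridge keeps existing because link1 and
# link2 are still connected; link0 is simply left unused.
rmhook . tmp
```

After the script runs, `ngctl show ppbr:` lists the two links, and `ifconfig ngeth0 up`/`ifconfig ngeth1 up` brings the interfaces up; whether ALTQ can then be hung on the bridge side is not something this thread establishes.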