From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Gideon" ,
Subject: RE: FBSD box between cisco and clients
Date: Mon, 23 Jul 2001 01:02:46 -0700
Message-ID: <002501c1134d$dbfd3aa0$1401a8c0@tedm.placo.com>
In-Reply-To: <007101c11320$2159d0a0$020101c8@Liquidsoul.my.domain>

I don't want to sound mean, but you don't understand bandwidth limiting, and what you think you're going to be able to do won't work. Let me explain.

This is a connection to the Internet - and unless I'm greatly mistaken and you're doing something very different than 99.9% of the people out there are doing, the vast majority of the traffic on the link to the Internet is coming FROM the ISP, not going TO the ISP. Your Cisco is probably connected to a Frame Relay or some such that's overloaded - and you think that if you limit bandwidth to some of your network abusers, you can get the load back down on that link and make it usable again.
These circuits, by the way, are FULL DUPLEX, meaning that the volume of traffic on the outbound link has no effect on the volume of traffic on the inbound link. Unlike Ethernet, where everyone is affected when the Ether gets saturated, an overloaded inbound link is completely unaffected by the volume of traffic that is placed on the outbound half of it.

And therein is your problem. Sure, you can bandwidth limit traffic going through your link TO the Internet - no problem. You don't need a FreeBSD box for that; you can do it right on the Cisco - it supports it. But you CANNOT limit bandwidth coming FROM the Internet UNTIL AFTER YOU HAVE ALREADY RECEIVED THE PACKETS.

So, if for example a client on the inside opens a Real Video stream to a server at 256K, and you have him bandwidth limited down to 56K, then what is going to happen is that your inbound link from the Internet will STILL BE SATURATED with the 256K of traffic coming in from the remote server - and all that you will accomplish is throwing away 200K of the traffic that you already received for the client. That's how bandwidth limiting works, by the way - it throws away traffic until the threshold is reached. It works fine on outbound traffic because your Ethernet is so much faster than the serial line on the Cisco that tossing most of the traffic won't make any difference.

And, lest some smartass here jump in with "what about source quench", I have to sadly report that there are so many moronic networking admins out there who understand absolutely nothing about firewalling and have all ICMP locked down (because they think they are protecting against DoS attacks) that you cannot depend on it working most of the time.

Bandwidth limiting and prioritization works great if you run your own WAN and have control over both ends of the circuit. But it's pointless on Internet connections unless you can get the ISP to do it. But of course if they do, then they are wasting their own feed bandwidth, so most won't.
Sorry, you're just going to have to bite the bullet and pay for that fractional T1. :-)

Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Gideon
>Sent: Sunday, July 22, 2001 7:35 PM
>To: freebsd-questions@FreeBSD.ORG
>Subject: FBSD box between cisco and clients
>
>
>At this moment our network looks like this:
>
>Clients - Cisco Router - Internet
>
>I want to do the following:
>
>Clients - FBSD - Cisco - Internet
>
>Every machine above, including the clients, has public IPs. The reason I
>need to do this is I need to do bandwidth limiting with the FreeBSD box, thus
>the clients must not be able to access the Cisco directly. Also, all the
>machines above must be on one subnet.
>I was wondering what will be the best way of doing this? Also, some
>documentation references would be much appreciated. Also, what software
>should I use for bandwidth capping? IPFW or ALTQ or any other?
>
>Thank You In Advance
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
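The point Ted makes above, that a rate limiter placed on the LAN side of the Cisco can only discard inbound packets that have already crossed the serial line, can be checked with a small simulation. The following is an added example, not code from the thread and not ipfw or ALTQ configuration: a toy token-bucket policer (drop on exceed, no queue) fed by a constant-rate sender, run once with the limiter before the bottleneck link (the outbound case) and once after it (the inbound case). The 1000-byte packet size, the 4 KB burst allowance and the 10-second run are constructed assumptions; the 256K stream and 56K cap are the figures from the message.

```python
"""Constructed simulation: where a rate limiter sits relative to the
bottleneck link.  Toy token-bucket policer, not FreeBSD/ipfw/ALTQ code."""


class TokenBucket:
    """Policer that admits a packet only when enough byte-tokens have
    accumulated; anything else is dropped on the spot (no queueing)."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst_bytes = burst_bytes
        self.tokens = burst_bytes  # bucket starts full
        self.last_t = 0.0

    def admit(self, t, size):
        # Refill proportionally to elapsed time, capped at the burst depth.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bytes_per_s)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def constant_rate_packets(rate_bps, duration_s, pkt_bytes=1000):
    """Constructed traffic: one sender blasting at rate_bps for duration_s."""
    interval = pkt_bytes * 8.0 / rate_bps
    count = int(duration_s / interval)
    return [(i * interval, pkt_bytes) for i in range(count)]


def simulate(sender_bps, limit_bps, limiter_before_link, duration_s=10.0):
    """Return (bits/s carried on the serial line, bits/s delivered to the receiver).

    limiter_before_link=True  : outbound case. The FreeBSD box sits between
                                the sender and the Cisco, so dropped packets
                                never reach the serial line.
    limiter_before_link=False : inbound case. Every packet from the Internet
                                crosses the serial line first; the box can
                                only discard what has already arrived.
    """
    policer = TokenBucket(limit_bps, burst_bytes=4 * 1000)  # assumed 4 KB burst
    link_bytes = 0
    delivered_bytes = 0
    for t, size in constant_rate_packets(sender_bps, duration_s):
        admitted = policer.admit(t, size)
        if limiter_before_link:
            if admitted:
                link_bytes += size
                delivered_bytes += size
        else:
            link_bytes += size  # already paid for on the serial line
            if admitted:
                delivered_bytes += size
    return (link_bytes * 8 / duration_s, delivered_bytes * 8 / duration_s)


if __name__ == "__main__":
    for name, before in (("outbound (limiter before link)", True),
                         ("inbound  (limiter after link)", False)):
        link, client = simulate(256_000, 56_000, limiter_before_link=before)
        print(f"{name}: serial line {link/1000:.1f} kbit/s, "
              f"receiver {client/1000:.1f} kbit/s")
```

In the outbound run the serial line carries only what the policer lets through, so the cap really does unload the link. In the inbound run the serial line still carries the full 256 kbit/s while the client sees roughly the 56 kbit/s cap: the difference is traffic that was received and then thrown away, which is exactly the waste the reply describes. The only places that reduce inbound load on the circuit are upstream of it, i.e. at the ISP or at the sending end, which is why an ISP-side limit or a bigger circuit is the answer.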