From: G-der
Reply-To: gderama@gmail.com
To: freebsd-questions@freebsd.org
Date: Wed, 24 May 2006 08:32:53 -0600
Subject: Traffic shaping with ipfw/DUMMYNET when using natd
Message-ID: <63cefb5c0605240732j264748bwa358ba904164d3f1@mail.gmail.com>
List-Id: User questions

I've been setting up ipfw and DUMMYNET to do some traffic shaping on my network.
Right now, to test things out, I've basically put everything into two categories. There's traffic from 10.0.10.10, which is lower priority (this is a download machine), and then there's everything else.

The biggest problem I've run into is that because natd gets the packets first thing, the only way to catch outgoing traffic is on the internal network interface. That is, if you want to limit based on which internal machine is generating the traffic, like in my case. After the divert rule for natd the src-ip field gets changed to my external IP address. This has a side effect of limiting all the traffic on that internal interface, even stuff that is not bound for the internet.

I've tried playing around a little bit with the bridged, diverted, and diverted-output commands but can't get any of them to catch the packets.

Is there a way to limit outgoing traffic based on which machine owns the traffic internally that doesn't have to be done on the internal interface? Would it be better practice to scan outgoing traffic before the divert rules for natd?

extif="rl0"
intif="rl1"

#INCOMING TRAFFIC
#Tested max incoming at 5914Kbit/s
${fwcmd} pipe 1 config bw 5800Kbit/s
${fwcmd} queue 1 config pipe 1 weight 2      #for torrent traffic
${fwcmd} queue 5 config pipe 1 weight 10     #for everything else
${fwcmd} add 1000 queue 1 ip from any to 10.0.10.10 in via ${extif}
${fwcmd} add 5000 queue 5 ip from any to any in via ${extif}

#OUTGOING TRAFFIC
#Tested max outgoing at 390Kbit/s
${fwcmd} pipe 2 config bw 360Kbit/s
${fwcmd} queue 6 config pipe 2 weight 2
${fwcmd} queue 10 config pipe 2 weight 10
${fwcmd} add 6000 queue 6 ip from 10.0.10.10 to any in via ${intif}
${fwcmd} add 8000 queue 10 ip from any to any in via ${intif}

Here are the rules; I appreciate the assistance. Please cc me on reply, I'm not a regular subscriber.

Thank you
Gene Dinkey
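The ordering the post asks about, as an added example that is not part of the original message: outgoing traffic is classified on the external interface before the natd divert rule, while the source address is still the internal one, so nothing is shaped on the internal interface. Interface names, the shaped host and the rates are assumed values taken from the post; the script only prints the commands unless FWCMD and SYSCTL are set.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Outbound packets are queued on the
# external interface *before* the natd divert, while src is still the internal
# address, so traffic that only crosses the internal interface is untouched.
# Interface names, addresses and rates are assumed values.
extif="rl0"; intif="rl1"; slowhost="10.0.10.10"
# Dry run by default: set FWCMD=/sbin/ipfw SYSCTL=/sbin/sysctl to really load.
fwcmd="${FWCMD:-echo ipfw}"
sysctl="${SYSCTL:-echo sysctl}"

# Print the ipfw arguments, one rule per line, in load order.
ruleset() {
    echo "-f flush"
    echo "pipe 1 config bw 5800Kbit/s"        # inbound pool
    echo "pipe 2 config bw 360Kbit/s"         # outbound pool
    echo "queue 1 config pipe 1 weight 2"     # inbound, low priority
    echo "queue 5 config pipe 1 weight 10"    # inbound, everything else
    echo "queue 6 config pipe 2 weight 2"     # outbound, low priority
    echo "queue 10 config pipe 2 weight 10"   # outbound, everything else
    # Outbound: classify on $extif before natd rewrites the source address.
    # "not $slowhost" stops a packet that re-enters after queue 6 from being
    # queued a second time by the catch-all rule.
    echo "add 500 queue 6 ip from $slowhost to any out via $extif"
    echo "add 600 queue 10 ip from not $slowhost to any out via $extif"
    # natd sees the packet only after it has left its queue.
    echo "add 1000 divert natd ip from any to any via $extif"
    # Inbound: the divert above has already restored the internal destination.
    echo "add 2000 queue 1 ip from any to $slowhost in via $extif"
    echo "add 2100 queue 5 ip from any to not $slowhost in via $extif"
    # Nothing is queued via $intif.
    echo "add 65000 allow ip from any to any"
}

# Rule number of the first "add" rule whose text matches $1.
rule_number() { ruleset | grep "^add .*$1" | awk '{print $2}' | head -n 1; }

load() {
    # With the default one_pass=1 a packet leaving a dummynet queue is accepted
    # at once and skips the divert, so the router would send it un-NATed.
    $sysctl net.inet.ip.fw.one_pass=0
    ruleset | while read -r args; do
        $fwcmd $args
    done
}

load
```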