Date:      Sat, 15 Jul 2000 11:43:07 -0400 (EDT)
From:      "Rick C. Petty" <rick@kris.kiwi-computer.com>
To:        freebsd-questions@freebsd.org
Subject:   natd & DUMMYNET
Message-ID:  <200007151543.LAA30005@kris.kiwi-computer.com>

Hello, all!

I'm trying to set up ipfw to handle a bunch of machines behind a firewall
using natd, which I have working just fine.  The problem is when I tried to
use DUMMYNET to bandwidth limit certain machines on the local network in
addition to the proper address translation with natd.  When I enable the
following pipes, natd fails to "work" (outgoing pings from behind the
firewall don't return):

	$fwcmd pipe 1 config bw 16Kbit/s delay 100ms
	$fwcmd pipe 2 config bw 8Kbit/s delay 100ms
	$fwcmd add 100 pipe 1 ip from 192.168.25.128 to any
	$fwcmd add 200 pipe 2 ip from any to 192.168.25.128

Where 192.168.25.128 is the box behind the firewall I was running test
pings from.  Other working rules include:

	$fwcmd add divert natd all from any to any via ${natd_interface}
	$fwcmd add 100 pass all from any to any via lo0
	$fwcmd add 200 deny all from any to 127.0.0.0/8
	$fwcmd add 500 pass tcp from any to any established
	$fwcmd add 60000 allow ip from any to any

And those seem to work just fine.  Remember, it's only when I use the
aforementioned pipes that natd starts failing.  I have tried many
combinations of rule numbers, such as the natd rule number being higher or
lower than the pipe rules, and it doesn't seem to change the behaviour.
These rules are located in a firewall script after an ipfw flush.  I am
running 3.4-RELEASE with the following relevant options in my kernel
config:

	options         IPFIREWALL
	options         IPDIVERT
	options         DUMMYNET

The strange thing is that if I ping the firewall from the .25.128 machine,
I do get the added 100 ms delay both ways (avg. 300 ms total ping time vs
less than 1ms without the pipes), and watching my hub lights suggests that
packets get routed out the firewall and returned to the firewall, but not
reverse-translated back to the source machine...

I have searched the FAQ and read countless similar mailing list archive
messages and have tried countless combinations of rules, but to no avail.
Could someone please tell me what simple thing I'm doing wrong, or send me
a copy of ipfw commands/rules that correctly use natd(8) & dummynet(4)?

Thanks a bunch,

--Rick C. Petty,  aka Snoopy                     rick@kiwi-computer.com
-----------------------------------------------------------------------
Principal Architect, KIWI Computer            http://kiwi-computer.com/