Date:      Mon, 16 Jun 2003 11:59:06 -0400
From:      "Ben Pfountz" <netprince@vt.edu>
To:        <sahafeez@edgefocus.com>, <freebsd-ipfw@freebsd.org>
Subject:   Re: ipfw, dummynet and a large subnet to shape
Message-ID:  <001101c33420$37493bd0$6511a8c0@benspiece>
References:  <3EEDE099.9080603@edgefocus.com>

You probably want something more like this:

ipfw -f flush
/sbin/natd -interface rl0
ipfw add divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

Remember that incoming packets are destined for your outside interface until
the firewall diverts the packets to natd.  For this reason, your pipe for
packets coming in on rl0 would have always had a dst-ip of your outside
interface.

Hope this helps.

Ben


----- Original Message ----- 
From: "Sean Hafeez" <sahafeez@edgefocus.com>
To: <freebsd-ipfw@freebsd.org>
Sent: Monday, June 16, 2003 11:22 AM
Subject: ipfw, dummynet and a large subnet to shape


> i have been reading thru all the links on google and the man pages and
> facts and have come to realize that the information is quite - not
> right.
>
> here is what i need to do:
>
> i have a network - 10.0.0.0/22 that is nat'd. the external interface
> is rl0 and the internal is rl1. i want everyone shaped to 1024kbits/s.
> when i say everyone i mean each unique user (ie, 10.0.0.23 or
> 10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
> and up.
>
> here is what i got.
>
> ipfw -f flush
> /sbin/natd -interface rl0
> ipfw add 999 divert natd all from any to any via rl0
> ipfw add pipe 1 ip from any to any in via rl1
> ipfw add pipe 2 ip from any to any in via rl0
> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>
> i have added:
>
> net.inet.ip.fw.one_pass=0
> net.inet.ip.dummynet.hash_size=256
> net.inet.ip.dummynet.max_chain_len=64
>
> to sysctl.conf.
>
> does not seem to be working right. have i got this wrong?
>
> thanks!
>
>
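
The effect described in the reply, as an added example that is not part of the original thread: a small Python model (not ipfw itself) of how a pipe configured with `mask dst-ip 0xffffffff` splits traffic into per-destination queues, comparing packets evaluated on rl0 before natd has rewritten the destination with the same packets leaving on rl1. The outside address, the NAT table and the sample packets are constructed, and natd is simplified to a port-to-host lookup.

```python
import ipaddress
from collections import defaultdict

OUTSIDE_IP = "203.0.113.5"   # assumed address of rl0 (constructed)
FULL_MASK = 0xFFFFFFFF       # the "mask dst-ip 0xffffffff" from the thread

# Constructed sample: replies from the Internet to three inside hosts.
# natd's translation table is modelled as outside port -> inside address.
NAT_TABLE = {40001: "10.0.0.23", 40002: "10.0.1.77", 40003: "10.0.2.32"}
INBOUND = [  # (src, dst, dst_port, bytes) as seen arriving on rl0
    ("198.51.100.10", OUTSIDE_IP, 40001, 1500),
    ("198.51.100.10", OUTSIDE_IP, 40002, 1500),
    ("198.51.100.99", OUTSIDE_IP, 40003, 1500),
    ("198.51.100.99", OUTSIDE_IP, 40001, 1500),
]

def natd_translate(pkt):
    """Rewrite the destination of an inbound reply to the inside host."""
    src, _dst, port, size = pkt
    return (src, NAT_TABLE[port], port, size)

def pipe_queues(packets, dst_mask=FULL_MASK):
    """Group packets into dynamic queues keyed on (dst-ip & mask).

    Each distinct masked value gets its own queue with the pipe's full
    bandwidth, so the number of keys is the number of independent
    1024kbits/s limits in effect.
    """
    queues = defaultdict(int)
    for _src, dst, _port, size in packets:
        key = int(ipaddress.IPv4Address(dst)) & dst_mask
        queues[str(ipaddress.IPv4Address(key))] += size
    return dict(queues)

def compare():
    # Untranslated packets on rl0: every destination is the outside address.
    before_nat = pipe_queues(INBOUND)
    # Translated packets leaving on rl1: destinations are the inside hosts.
    after_nat = pipe_queues([natd_translate(p) for p in INBOUND])
    return before_nat, after_nat

if __name__ == "__main__":
    before, after = compare()
    print("queues keyed on untranslated dst:", before)
    print("queues keyed on translated dst:  ", after)
```

Keyed on the untranslated destination, all four packets share one queue and therefore one 1024kbits/s limit; keyed on the translated destination, each inside host gets its own.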



