From: Mark Felder
To: "Dr. Rolf Jansen"
Cc: freebsd-net@freebsd.org
Subject: Re: Struggling with IPFW on CURRENT
Date: Wed, 07 Oct 2015 10:10:06 -0500
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Oct 7, 2015, at 09:43, Dr. Rolf Jansen wrote:
>
> You definitely need net.inet.ip.fw.one_pass=0 for stateful IPFW+NAT for
> the IPv4 traffic. IPv6 does not pass NAT anyway and is not affected.
>
> I assume that you have gateway_enable="YES" and
> ipv6_gateway_enable="YES" in your /etc/rc.conf — sometimes this becomes
> forgotten.
>
> Best regards
>
> Rolf
>

Yes, I do have those.

My firewall has been fully functioning in pf for years, but options for QoS in FreeBSD are poor. OpenBSD's QoS in their newer pf is great. I've heard enough about dummynet to want to try it out, but getting the most basic configuration working so I can convert the rest of my firewall ruleset has been rather painful so far. It seems I've been missing this rather important sysctl setting because the traffic hasn't been flowing through my ruleset the way I expected it to.

Thanks for your input!

-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org