Date:      Wed, 20 Sep 2006 11:16:19 -0400
From:      Bill Moran <wmoran@collaborativefusion.com>
To:        Odhiambo Washington <wash@wananchi.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Dummynet in an IPFilter setup
Message-ID:  <20060920111619.de01afb3.wmoran@collaborativefusion.com>
In-Reply-To: <20060920150511.GB20244@ns2.wananchi.com>
References:  <20060920150511.GB20244@ns2.wananchi.com>

In response to Odhiambo Washington <wash@wananchi.com>:

[snip]

> The scenario:
> 
> I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
> interfaces at the moment, external interface connected to the hostile
> Internet and internal interface connected to a switch for the LAN.
> 
> The ISP gives 256Kbit/s on the external interface. Out of this, I
> need to dedicate/guarantee 128Kbit/s to just one machine.
> 
> A streaming server has been introduced on the LAN, and it is considered
> a VIP host as far as bandwidth allocation is concerned.
> The problem is that p2p is also officially allowed on the LAN. I hate
> it but it is allowed. Period. No argument about it.
> 
> I need to guarantee 128Kbit/s of the available bandwidth to the 
> streaming host (server, if you can call it).
> 
> 
> My thinking/plan:
> 
> 1. Add one more NIC to the FreeBSD box (it's also the router, 
>   firewall, _everything_ server) and put this on a separate IP block.
>   To this NIC I will connect the VIP host, which needs the guaranteed
>   bandwidth. I will therefore NAT traffic to/from it.
> 
> 2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
>    this means that:
>    (a) They cannot go beyond 128Kbit/s
>    (b) The VIP box will go above 128Kbit/s in case the throttled
>        LAN is not using all of the 128Kbit/s
> 
> I need to control bandwidth on the external interface only, not on the
> LAN (internal interfaces).
> 
> Is this rightful thinking or sheer imagination which is not practical?

Seems reasonable.  See below ...

> My problem:
> 
> 
> Most important is being dumb when it comes to IPFW and hence the pipes
> and all that pertains to it.
> 
> Here is my ipfw configuration, in black and white (firewall_type="OPEN")
> 
> 
>         # Outside interface network and netmask and ip
>         oif="bfe0"
>         iif="xl0"
>         onet="62.8.68.0"
>         omask="255.255.255.252"
>         oip="62.8.68.22"
> 
>         # Inside interface network and netmask and ip
>         iif="xl0"
>         inet="10.0.0.0"
>         imask="255.255.255.0"
>         iip="10.0.0.2"
> 
>         ipfw pipe 1 config bw 128Kbit/s
> 
>         # Allow any traffic to or from my own net.
>         ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
>         ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
> 
>         # Throttle now
>         ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
                                   ^^

Is this direct cut/paste?  If so, you've got a sticky $ key.

>         ${fwcmd} add 65000 pass all from any to any
> 
> 
> With this configuration, it seems like even LAN->LAN communication is 
> being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
> Can someone tell me why that is happening?
> 
> Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
> bandwidth limitation configuration, is it not true that I will have 
> achieved my goal?
> 
> I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
> have a static route for the VIP box, with NAT for any connections 
> to/from it.
> 
> 
> I'll really appreciate any help/advice towards a perfect configuration
> for the firewall, and how I can get this to work.
> 
> Thanks in advance.


-- 
Bill Moran
Collaborative Fusion Inc.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060920111619.de01afb3.wmoran>