From: Bill Moran <wmoran@collaborativefusion.com>
To: Odhiambo Washington
Cc: freebsd-questions@freebsd.org
Date: Wed, 20 Sep 2006 11:16:19 -0400
Subject: Re: Dummynet in an IPFilter setup
Message-Id: <20060920111619.de01afb3.wmoran@collaborativefusion.com>
In-Reply-To: <20060920150511.GB20244@ns2.wananchi.com>

In response to Odhiambo Washington :

[snip]

> The scenario:
>
> I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two
> interfaces at the moment, external interface connected to the hostile
> Internet and internal interface connected to a switch for the LAN.
>
> The ISP gives 256Kbit/s on the external interface. Out of this, I
> need to dedicate/guarantee 128Kbit/s to just one machine.
>
> A streaming server has been introduced on the LAN, and it is considered
> a VIP host as far as bandwidth allocation is concerned.
> The problem is that p2p is also officially allowed on the LAN. I hate
> it but it is allowed. Period. No argument about it.
>
> I need to guarantee 128Kbit/s of the available bandwidth to the
> streaming host (server, if you can call it).
>
>
> My thinking/plan:
>
> 1. Add one more NIC to the FreeBSD box (it's also the router,
> firewall, _everything_ server) and put this on a separate IP block.
> To this NIC I will connect the VIP host, which needs the guaranteed
> bandwidth. I will therefore NAT traffic to/from it.
>
> 2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me,
> this means that:
> (a) They cannot go beyond 128Kbit/s
> (b) The VIP box will go above 128Kbit/s in case the throttled
> LAN is not using all of the 128Kbit/s
>
> I need to control bandwidth on the external interface only, not on the
> LAN (internal interfaces).
>
> Is this rightful thinking or sheer imagination which is not practical?

Seems reasonable. See below ...

> My problem:
>
>
> Most important is being dumb when it comes to IPFW and hence the pipes
> and all that pertains to it.
>
> Here is my ipfw configuration, in black and white (firewall_type="OPEN")
>
>
> # Outside interface network and netmask and ip
> oif="bfe0"
> iif="xl0"
> onet="62.8.68.0"
> omask="255.255.255.252"
> oip="62.8.68.22"
>
> # Inside interface network and netmask and ip
> iif="xl0"
> inet="10.0.0.0"
> imask="255.255.255.0"
> iip="10.0.0.2"
>
> ipfw pipe 1 config bw 128Kbit/s
>
> # Allow any traffic to or from my own net.
> ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
> ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
>
> # Throttle now
> ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
                             ^^

Is this direct cut/paste? If so, you've got a sticky $ key.

> ${fwcmd} add 65000 pass all from any to any
>
>
> With this configuration, it seems like even LAN->LAN communication is
> being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
> Can someone tell me why that is happening?
>
> Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
> bandwidth limitation configuration, is it not true that I will have
> achieved my goal?
>
> I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
> have a static route for the VIP box, with NAT for any connections
> to/from it.
>
>
> I'll really appreciate any help/advice towards a perfect configuration
> for the firewall, and how I can get this to work.
>
> Thanks in advance.

-- 
Bill Moran
Collaborative Fusion Inc.
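The following is an added example, not a script from either poster, showing how the dummynet rule set discussed in the thread can be generated and dry-run before it is loaded. It reuses the interface names and addresses quoted in the question (bfe0, xl0, 10.0.0.0/24) and assumes the rules are applied by a helper variable named fwcmd, which defaults to "echo ipfw" here so the rules are only printed. Two points it makes concrete: a dummynet pipe is one-directional, so inbound traffic on the outside interface needs its own pipe if it is to be capped separately from outbound, and the "$${inet}" typo from the question does not fail loudly but expands to the shell's PID followed by a literal "{inet}", which is why a brace check on the generated rules is worth having. NAT ordering with IPFilter is outside what this example covers.

```shell
#!/bin/sh
# Added example (not the poster's script): dry-run generator for the
# dummynet rule set discussed above. fwcmd defaults to "echo ipfw" so the
# rules are printed instead of applied; set FWCMD=ipfw on a real router.
# Interface names and addresses are the ones quoted in the question.
oif="bfe0"
iif="xl0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.2"
fwcmd="${FWCMD:-echo ipfw}"

# Emit the rules. LAN<->router and LAN<->LAN traffic is passed before any
# pipe rule so that only traffic crossing the outside interface is throttled.
# Pipes are one-directional: pipe 1 caps LAN traffic leaving via the outside
# interface, pipe 2 caps traffic for the LAN arriving on it.
build_ruleset() {
    ${fwcmd} pipe 1 config bw 128Kbit/s
    ${fwcmd} pipe 2 config bw 128Kbit/s
    ${fwcmd} add 100 pass all from ${iip} to ${inet}:${imask}
    ${fwcmd} add 110 pass all from ${inet}:${imask} to ${iip}
    ${fwcmd} add 120 pass all from ${inet}:${imask} to ${inet}:${imask} via ${iif}
    ${fwcmd} add 200 pipe 1 all from ${inet}:${imask} to any out via ${oif}
    ${fwcmd} add 210 pipe 2 all from any to ${inet}:${imask} in via ${oif}
    ${fwcmd} add 65000 pass all from any to any
}

# Sanity check: a generated rule that still contains a brace means a variable
# was not expanded. Returns 0 when every rule is clean, 1 otherwise.
check_expanded() {
    if build_ruleset | grep -q '[{}]'; then
        return 1
    fi
    return 0
}

# Reproduce the "$${inet}" typo from the question so the symptom is
# recognisable: $$ is the shell PID, leaving "{inet}" as literal text.
typo_rule() {
    echo "ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif}"
}

# Stand-alone run: print the rule set and report the expansion check.
build_ruleset
if check_expanded; then
    echo "rule set expanded cleanly"
else
    echo "unexpanded variable in rule set" >&2
fi
```

Run it as-is to see the rules that would be loaded; run it with FWCMD=ipfw on the router to apply them. Note that this only caps the LAN at 128Kbit/s in each direction on the outside interface; the VIP host on its own NIC is left unlimited, which is what makes the remaining half of the 256Kbit/s link available to it.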