Date: Sat, 5 Jun 2004 09:44:00 -0500 From: "Micheal Patterson" <micheal@tsgincorporated.com> To: <nelis@8ball.co.za>, "FreeBSD Questions Mail List" <questions@freebsd.org> Subject: Re: ipnat and ipfw dummynet Message-ID: <032101c44b0b$8d1518b0$0201a8c0@dredster> References: <1086352973.9330.29.camel@nelis.brabys.co.za>
----- Original Message -----
From: "Nelis Lamprecht" <nelis@8ball.co.za>
To: "FreeBSD Questions Mail List" <questions@freebsd.org>
Sent: Friday, June 04, 2004 7:43 AM
Subject: ipnat and ipfw dummynet

Sorry, I failed to point out my current network configuration. I have 2 internal networks which use NAT, one class C (192.96.48.0/24) and one RFC 1918 (192.168.1.0/24). The internal interface (bge1) is configured with the class C network and I have added a route to bge1 for 192.168.1.0/24. All traffic on the 192.96.48.0/24 network internally is routed via the gateway to get to the 192.168.1.0 network. Hope that makes sense.

Nelis

On Fri, 2004-06-04 at 14:43, Nelis Lamprecht wrote:
> Hi,
>
> I'm interested to hear how people utilise dummynet in a NAT environment.
> How does one create a pipe for a NAT network without affecting the
> actual LAN speed? For example, on the gateway:
>
> $fwcmd add pipe 1 ip from 192.168.1.0/24 to any out
> $fwcmd add pipe 2 ip from any to 192.168.1.0/24 in
> $fwcmd pipe 1 config bw 128Kbit/s
> $fwcmd pipe 2 config bw 128Kbit/s
>
> The above example would be fine if 192.168.1.0/24 were only talking to
> the internet but unfortunately it also affects the machines from talking
> to each other internally. The only interface you can specify is the
> internal interface (bge1) because this is the only time that ipfw will
> see the addresses before they are passed to NAT (ipnat) and will not be
> seen on the external interface (bge0). So basically the above example
> should be written as:
>
> $fwcmd add pipe 1 ip from 192.168.1.0/24 to any out via bge1
> $fwcmd add pipe 2 ip from any to 192.168.1.0/24 in via bge1
>
> This however will also give 192.168.1.0/24 an internal LAN speed of
> 128Kbit/s which is to say quite humorous ;-)
>
> What is the solution to this? ..I'm obviously missing something. The
> internal interface is not firewalled.
>
>
> Many thanks,
> --
> Nelis Lamprecht
> --------------------

Nelis, this may help.
Remember that ipfw goes through the rulesets until it finds a match and will stop at that point. So, to provide rate limiting as well as allowing traffic on the LAN to go all out, place allow rules before the pipes to specifically allow traffic between your LAN IP ranges unhindered.

#Rate Limit Settings
$fwcmd pipe 1 config bw 128Kbit/s
$fwcmd pipe 2 config bw 128Kbit/s

#Unrestricted LAN Access Allows (must come before the pipe rules)
$fwcmd add allow ip from 192.168.1.0/24 to 192.96.48.0/24
$fwcmd add allow ip from 192.96.48.0/24 to 192.168.1.0/24

#Rate Limit Rules
$fwcmd add pipe 1 ip from 192.168.1.0/24 to any out
$fwcmd add pipe 2 ip from any to 192.168.1.0/24 in

Hope it helps. It's been a while since I've done any rate limiting, but as I recall, that should do the trick.

--
Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
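The first-match behaviour the reply relies on, shown as an added illustration that is not part of the thread: a small Python model of ipfw's top-down rule walk, run over Nelis's original "pipes only" ordering and Micheal's "allow then pipe" ordering. The networks are the ones Nelis gave; the host addresses, the external address 203.0.113.5, the interface names on the sample packets and the trailing "default" action are constructed for the example, and the model does not simulate ipnat translation at all.

```python
"""Model of ipfw's first-match evaluation for the rule sets in this thread.

Added illustration: this simulates ipfw's ordering semantics in Python. It is
not ipfw and it does not model ipnat translation. Network prefixes are the ones
from the thread; hosts, interfaces and the default action are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_A = ipaddress.ip_network("192.96.48.0/24")  # class C directly on bge1
LAN_B = ipaddress.ip_network("192.168.1.0/24")  # RFC 1918 net, routed via bge1


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "pipe <n>"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str] = None   # "in", "out" or None for either
    via: Optional[str] = None         # interface name, or None for any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" or "out" relative to the gateway
    iface: str       # interface the packet is seen on


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every qualifier it carries agrees with the packet."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def first_match(ruleset, pkt: Packet) -> str:
    """ipfw walks the list top down and acts on the first matching rule.

    A pipe is treated as terminal here, which is what the default
    net.inet.ip.fw.one_pass=1 does; no later rule gets a look at the packet.
    """
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action
    return "default"  # fell through to whatever rule 65535 is on this host


# Nelis's original ordering: the pipes are the first rules the packet meets.
PIPES_ONLY = [
    Rule("pipe 1", LAN_B, ANY, direction="out"),
    Rule("pipe 2", ANY, LAN_B, direction="in"),
]

# Micheal's ordering: unrestricted LAN-to-LAN allows first, then the pipes.
ALLOW_THEN_PIPE = [
    Rule("allow", LAN_B, LAN_A),
    Rule("allow", LAN_A, LAN_B),
    Rule("pipe 1", LAN_B, ANY, direction="out"),
    Rule("pipe 2", ANY, LAN_B, direction="in"),
]

# Constructed sample passes through the gateway. The bge0 cases assume ipfw
# evaluates the untranslated internal addresses on that pass; whether it does
# depends on where NAT sits relative to ipfw on the host (not modelled here).
CASES = {
    "lan_b_to_lan_a": Packet("192.168.1.10", "192.96.48.10", "out", "bge1"),
    "lan_a_to_lan_b": Packet("192.96.48.10", "192.168.1.10", "in", "bge1"),
    "lan_b_to_internet": Packet("192.168.1.10", "203.0.113.5", "out", "bge0"),
    "internet_to_lan_b": Packet("203.0.113.5", "192.168.1.10", "in", "bge0"),
}


def decisions(ruleset) -> dict:
    """Action taken for each sample packet under the given rule order."""
    return {name: first_match(ruleset, pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for label, ruleset in (("pipes only", PIPES_ONLY),
                           ("allow then pipe", ALLOW_THEN_PIPE)):
        print(label)
        for name, action in decisions(ruleset).items():
            print(f"  {name:18s} -> {action}")
```

Under "pipes only" the LAN-to-LAN packets land on pipe 1 and pipe 2, which is the 128Kbit/s internal LAN Nelis complained about; under "allow then pipe" they hit the allow rules first and only traffic to or from the outside reaches the pipes. On a real gateway the order depends on rule numbers, not on the order the lines appear in the script, so after loading the rules check with `ipfw show` that the allow rules carry lower numbers than the pipe rules (ipfw auto-numbers in the order rules are added, but explicit numbers make the intent survive later edits).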
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?032101c44b0b$8d1518b0$0201a8c0>