From: "Ben Pfountz"
cc: freebsd-ipfw@freebsd.org
Date: Mon, 16 Jun 2003 12:57:45 -0400
Subject: Re: ipfw, dummynet and a large subnet to shape

My guess here, but...
It has to do with you using the src-ip and dst-ip in creating a mask for
each pipe. When using src-ip as a mask, the dst-ip doesn't matter and
therefore shows as 0.0.0.0/0.

A lot of the knowledge I have gained from dummynet came from trial and
error. I have not really written any of it down in a paper format, though
I should.

Ben

----- Original Message -----
From: "Sean Hafeez"
To: "Ben Pfountz"
Sent: Monday, June 16, 2003 12:23 PM
Subject: Re: ipfw, dummynet and a large subnet to shape

> Thanks. Just did that. I will see how it goes. I have one question:
>
> ipfw pipe show
>
> 0001: 1.024 Mbit/s 0 ms 50 sl. 29 queues (256 buckets) droptail
>     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  32 ip     10.0.128.16/0         0.0.0.0/0             14 924        0 0      0
>  64 ip     10.0.128.32/0         0.0.0.0/0             1 70          0 0      0
> 00002: 1.024 Mbit/s 0 ms 50 sl. 23 queues (256 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  17 ip     0.0.0.0/0             10.0.128.16/0         7 658         0 0      0
>  33 ip     0.0.0.0/0             10.0.128.32/0         1 147         0 0      0
>  35 ip     0.0.0.0/0             10.0.128.34/0         1 147         0 0      0
>
> Sorry if it is hard to read - I just want to know why the IP's show up
> as 0.0.0.0/0 and does it matter?
>
> Are there any better docs on dummynet - the man page is not the best. I
> would be interested in seeing any work that anyone has done. Google does
> not really have a lot of good stuff.
>
> Thanks!
>
> Ben Pfountz wrote:
> > You probably want something more like this:
> >
> > ipfw -f flush
> > /sbin/natd -interface rl0
> > ipfw add divert natd all from any to any via rl0
> > ipfw add pipe 1 ip from any to any in recv rl1
> > ipfw add pipe 2 ip from any to any out xmit rl1
> > ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> > ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> >
> > Remember that incoming packets are destined for your outside interface until
> > the firewall diverts the packets to natd. For this reason, your pipe for
> > packets coming in in rl0 would have always had a dst-ip of your outside
> > interface.
> >
> > Hope this helps.
> >
> > Ben
> >
> > ----- Original Message -----
> > From: "Sean Hafeez"
> > Sent: Monday, June 16, 2003 11:22 AM
> > Subject: ipfw, dummynet and a large subnet to shape
> >
> >>i have been reading thru all the links on google and the man pages and
> >>facts and have come to realize that the information is quite - not
> >>right.
> >>
> >>here is what i need to do:
> >>
> >>i have a network - 10.0.0.0/22 that is nat'd. the external interface
> >>is rl0 and the internal is rl1. i want everyone shaped to 1024kbits/s.
> >>when i say everyone i mean each unique user (ie, 10.0.0.23 or
> >>10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
> >>and up.
> >>
> >>here is what i got.
> >>
> >>ipfw -f flush
> >>/sbin/natd -interface rl0
> >>ipfw add 999 divert natd all from any to any via rl0
> >>ipfw add pipe 1 ip from any to any in via rl1
> >>ipfw add pipe 2 ip from any to any in via rl0
> >>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> >>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> >>
> >>i have added:
> >>
> >>net.inet.ip.fw.one_pass=0
> >>net.inet.ip.dummynet.hash_size=256
> >>net.inet.ip.dummynet.max_chain_len=64
> >>
> >>to sysctl.conf.
> >>
> >>does not seem to be working right. have i got this wrong?
> >>
> >>thanks!
> >>
> >>_______________________________________________
> >>freebsd-ipfw@freebsd.org mailing list
> >>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> >>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
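
Added example, not part of the original thread and not dummynet's own code: a simplified Python model of the two points made above, namely that a pipe's mask is ANDed with each packet's addresses to pick its queue (so the unmasked side prints as 0.0.0.0), and that a dst-ip mask applied before natd rewrites the packet sees only the outside address. The addresses 203.0.113.5 and 198.51.100.80 and the packet lists are constructed; ports, protocol and the bucket hash are not modelled.

```python
import ipaddress

FULL = 0xFFFFFFFF          # "mask src-ip 0xffffffff" / "mask dst-ip 0xffffffff"
OUTSIDE = "203.0.113.5"    # constructed: address assumed for rl0
REMOTE = "198.51.100.80"   # constructed: some internet host


def masked_flow(src, dst, src_mask, dst_mask):
    """Return the (src, dst) key a packet is queued under.

    Each address is ANDed with the pipe's mask; packets with equal
    keys share one queue and therefore one bandwidth limit.
    """
    s = int(ipaddress.IPv4Address(src)) & src_mask
    d = int(ipaddress.IPv4Address(dst)) & dst_mask
    return str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d))


def queues(packets, src_mask=0, dst_mask=0):
    """Group (src, dst) packets by masked key and count packets per queue."""
    table = {}
    for src, dst in packets:
        key = masked_flow(src, dst, src_mask, dst_mask)
        table[key] = table.get(key, 0) + 1
    return table


# Constructed uploads from two inside hosts, as seen "in recv rl1".
uploads = [("10.0.128.16", REMOTE), ("10.0.128.32", REMOTE),
           ("10.0.128.16", REMOTE)]
# Constructed replies seen on rl0 before natd translation: the
# destination is still the outside address, as Ben's reply describes.
downloads_pre_nat = [(REMOTE, OUTSIDE)] * 3
# The same replies seen "out xmit rl1", after translation.
downloads_post_nat = [(REMOTE, "10.0.128.16"), (REMOTE, "10.0.128.32"),
                      (REMOTE, "10.0.128.16")]

pipe1 = queues(uploads, src_mask=FULL)                   # one queue per inside source
pipe2_pre_nat = queues(downloads_pre_nat, dst_mask=FULL)  # collapses to one queue
pipe2_fixed = queues(downloads_post_nat, dst_mask=FULL)   # one queue per inside host

if __name__ == "__main__":
    for name, table in (("pipe 1", pipe1),
                        ("pipe 2, dst seen before NAT", pipe2_pre_nat),
                        ("pipe 2, out xmit rl1", pipe2_fixed)):
        print(name)
        for (src, dst), count in table.items():
            print(f"  {src:>15} -> {dst:<15} {count} pkts")
```

In this model every download lands in a single shared queue when the destination is still the outside address, so the 1024kbits/s limit would apply to all users together rather than to each one.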