From: Sean Hafeez
Date: Mon, 16 Jun 2003 10:15:25 -0700
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw, dummynet and a large subnet to shape

Damn. I just had a brain fart. I have nodes (wireless APs) on this network that I do not want limited.
So based on the 1st matching rule if I:

ipfw -f flush
/sbin/natd -interface rl0
ipfw add divert natd all from any to any via rl0
ipfw add allow ip from any to 10.0.0.5
ipfw add allow ip from any to 10.0.0.6
ipfw add allow ip from 10.0.0.5 to any
ipfw add allow ip from 10.0.0.6 to any
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

Will it work? I want to exclude a range or a single IP from the pipe and shape everything that is not excluded.

Ben Pfountz wrote:

> My guess here, but...
>
> It has to do with you using the src-ip and dst-ip in creating a mask for
> each pipe. When using src-ip as a mask, the dst-ip doesn't matter and
> therefore shows as 0.0.0.0/0.
>
> A lot of the knowledge I have gained from dummynet came from trial and error.
> I have not really written any of it down in a paper format, though I should.
>
> Ben
>
> ----- Original Message -----
> From: "Sean Hafeez"
> To: "Ben Pfountz"
> Cc:
> Sent: Monday, June 16, 2003 12:23 PM
> Subject: Re: ipfw, dummynet and a large subnet to shape
>
>>Thanks. Just did that. I will see how it goes. I have one question:
>>
>>ipfw pipe show
>>
>>0001: 1.024 Mbit/s 0 ms 50 sl. 29 queues (256 buckets) droptail
>>    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
>>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>> 32 ip         10.0.128.16/0             0.0.0.0/0    14      924     0    0   0
>> 64 ip         10.0.128.32/0             0.0.0.0/0     1       70     0    0   0
>>00002: 1.024 Mbit/s 0 ms 50 sl. 23 queues (256 buckets) droptail
>>    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
>>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>> 17 ip             0.0.0.0/0         10.0.128.16/0     7      658     0    0   0
>> 33 ip             0.0.0.0/0         10.0.128.32/0     1      147     0    0   0
>> 35 ip             0.0.0.0/0         10.0.128.34/0     1      147     0    0   0
>>
>>Sorry if it is hard to read - I just want to know why the IPs show up
>>as 0.0.0.0/0 and does it matter?
>>
>>Is there any better docs on dummynet - the man page is not the best. I
>>would be interested on seeing any work that anyone has done. Google does
>>not really have a lot of good stuff.
>>
>>Thanks!
>>
>>Ben Pfountz wrote:
>>
>>>You probably want something more like this:
>>>
>>>ipfw -f flush
>>>/sbin/natd -interface rl0
>>>ipfw add divert natd all from any to any via rl0
>>>ipfw add pipe 1 ip from any to any in recv rl1
>>>ipfw add pipe 2 ip from any to any out xmit rl1
>>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>>>
>>>Remember that incoming packets are destined for your outside interface until
>>>the firewall diverts the packets to natd. For this reason, your pipe for
>>>packets coming in in rl0 would have always had a dst-ip of your outside
>>>interface.
>>>
>>>Hope this helps.
>>>
>>>Ben
>>>
>>>----- Original Message -----
>>>From: "Sean Hafeez"
>>>To:
>>>Sent: Monday, June 16, 2003 11:22 AM
>>>Subject: ipfw, dummynet and a large subnet to shape
>>>
>>>>i have been reading thru all the links on google and the man pages and
>>>>facts and have come to realize that the information is quite - not
>>>>right.
>>>>
>>>>here is what i need to do:
>>>>
>>>>i have a network - 10.0.0.0/22 that is nat'd. the external interface
>>>>is rl0 and the internal is rl1. i want everyone shaped to 1024kbits/s.
>>>>when i say everyone i mean each unique user (ie, 10.0.0.23 or
>>>>10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
>>>>and up.
>>>>
>>>>here is what i got.
>>>>
>>>>ipfw -f flush
>>>>/sbin/natd -interface rl0
>>>>ipfw add 999 divert natd all from any to any via rl0
>>>>ipfw add pipe 1 ip from any to any in via rl1
>>>>ipfw add pipe 2 ip from any to any in via rl0
>>>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>>>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>>>>
>>>>i have added:
>>>>
>>>>net.inet.ip.fw.one_pass=0
>>>>net.inet.ip.dummynet.hash_size=256
>>>>net.inet.ip.dummynet.max_chain_len=64
>>>>
>>>>to sysctl.conf.
>>>>
>>>>does not seem to be working right. have i got this wrong?
>>>>
>>>>thanks!
>>>>
>>>>_______________________________________________
>>>>freebsd-ipfw@freebsd.org mailing list
>>>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
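
Added example, not part of the original thread or of ipfw itself: a small Python model of the ruleset at the top of this message, showing how first-match evaluation keeps the two exempt hosts out of both pipes and why a pipe masked on src-ip only lists 0.0.0.0 as the destination in `ipfw pipe show`. The function names and the sample traffic are constructed for illustration, and the model assumes packets have already passed the divert rule.

```python
import ipaddress
from collections import Counter

EXEMPT = {"10.0.0.5", "10.0.0.6"}   # hosts named in the allow rules
# Pipe masks from the post: pipe -> (src-ip mask, dst-ip mask)
PIPE_MASKS = {1: (0xFFFFFFFF, 0x00000000), 2: (0x00000000, 0xFFFFFFFF)}

def masked(addr, mask):
    """AND an IPv4 address with a dummynet mask, returned as a dotted quad."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))

def classify(src, dst, direction, iface):
    """Return the first matching rule after the divert rule.

    Result is ("allow",), ("default",) or ("pipe", n, masked_src, masked_dst);
    the masked pair is the flow id that selects the per-host queue in pipe n.
    With net.inet.ip.fw.one_pass=0 the real packet re-enters the ruleset at
    the next rule once it leaves the pipe; that second pass is not modelled.
    """
    if src in EXEMPT or dst in EXEMPT:            # the four allow rules
        return ("allow",)
    if direction == "in" and iface == "rl1":      # pipe 1 ... in recv rl1
        n = 1
    elif direction == "out" and iface == "rl1":   # pipe 2 ... out xmit rl1
        n = 2
    else:
        return ("default",)                       # falls through to rule 65535
    smask, dmask = PIPE_MASKS[n]
    return ("pipe", n, masked(src, smask), masked(dst, dmask))

def pipe_show(packets):
    """Count packets per (pipe, src, dst) bucket, like `ipfw pipe show`."""
    results = (classify(*p) for p in packets)
    return Counter(r[1:] for r in results if r[0] == "pipe")

# Constructed sample traffic (203.0.113.9 is a documentation address).
SAMPLE = [
    ("10.0.0.23", "203.0.113.9", "in", "rl1"),    # client upload
    ("10.0.1.77", "203.0.113.9", "in", "rl1"),    # second client upload
    ("203.0.113.9", "10.0.0.23", "out", "rl1"),   # client download
    ("10.0.0.5", "203.0.113.9", "in", "rl1"),     # exempt AP, upload
    ("203.0.113.9", "10.0.0.6", "out", "rl1"),    # exempt AP, download
]

if __name__ == "__main__":
    for bucket, count in sorted(pipe_show(SAMPLE).items()):
        print(bucket, count)
```
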