From: John David Duncan
To: freebsd-ipfw@freebsd.org
Date: Mon, 15 Apr 2002 12:26:47 -0700
Subject: traffic shaper not quite right

Hello,

I have an office with a 500Kbit/s partial T1 connection and two internal subnets (one of which is NAT firewalled). On the non-routing subnet I have a user who listens to streaming audio from shoutcast.net. I try to limit this whole segment with a 320Kbit/s queue on incoming traffic (rule 490), but the queue doesn't seem to do the right thing: the T1 is still saturated; the MRTG-type graphs continue to show flatline 500Kbps utilization; the bucket for the shoutcast user (bucket 49) does not show any dropped packets. Is something wrong with the configuration? Can anyone help?

It is a complex set of rules because there are three interfaces on the router.

- JD

fxp0 is at inet 199.4.104.158 [routable subnet]
dc0 is at inet 64.165.109.140 [T1]
dc1 is at inet 192.168.1.1 [NAT subnet]

kern.clockrate: { hz = 100, tick = 10000, tickadj = 5, profhz = 1024, stathz = 128 }
net.inet.ip.fw.one_pass: 0

#ipfw show
# Rules 100,200,900,1000 are Anti-IP-spoofing:
00100 0 0 deny ip from 199.4.104.128/27 to any in recv dc0
00200 3 120 deny ip from 192.168.0.0/16 to any in recv dc0
00300 4636 129808 allow igmp from any to 224.0.0.0/24
00400 0 0 allow udp from any to 224.0.0.0/24
# 400 Kbps pipe: routing subnet <--> internet
00450 1407393 235757596 pipe 3 ip from 199.4.104.128/27 to not 192.168.0.0/16 in recv fxp0
00470 4315861 2430690170 pipe 4 ip from not 192.168.0.0/16 to 199.4.104.128/27 out xmit fxp0
# 320 Kbps queue: internet --> NAT subnet
00490 522572 566492862 queue 1 ip from not 199.4.104.128/27 to any out xmit dc1
00500 559 28248 unreach port tcp [...] setup
00600 0 0 unreach port udp [...]
# natd -u -m -s -a 199.4.104.129
00700 3511249 2088173616 divert 8668 ip from any to any via dc0
00800 58 19269 allow udp from [...]
00900 0 0 deny log logamount 100 ip from not 199.4.104.128/27 to any in recv fxp0
01000 0 0 deny log logamount 100 ip from not 192.168.0.0/16 to any in recv dc1
65535 25608836 20535828203 allow ip from any to any

bash-2.05# ipfw pipe show
00003: 400.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp 199.4.104.139/49749 199.4.104.158/22 2357011 376527402 0 0 918
00004: 400.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp 192.168.1.107/4081 199.4.104.154/25 6480903 2769629456 0 0 10
00010: 320.000 Kbit/s 0 ms 10 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 5 pipe 10 50 sl. 15 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x0000ffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  2 ip 0.0.0.0/0 0.0.1.2/0 53 7088 0 0 0
 38 ip 0.0.0.0/0 0.0.1.102/0 12676 9377918 0 0 0
 40 ip 0.0.0.0/0 0.0.1.104/0 2129 1354742 0 0 0
 41 ip 0.0.0.0/0 0.0.1.105/0 23 3995 0 0 0
 43 ip 0.0.0.0/0 0.0.1.107/0 13243 11747508 0 0 0
 46 ip 0.0.0.0/0 0.0.1.110/0 10123 8827868 0 0 0
 49 ip 0.0.0.0/0 0.0.1.113/0 402263 473946687 4 4541 0
 50 ip 0.0.0.0/0 0.0.1.114/0 16602 10231616 0 0 64
 52 ip 0.0.0.0/0 0.0.1.116/0 3497 3299405 0 0 0
 54 ip 0.0.0.0/0 0.0.1.118/0 4283 3470449 0 0 0
 56 ip 0.0.0.0/0 0.0.1.120/0 4064 3523496 0 0 0
 57 ip 0.0.0.0/0 0.0.1.121/0 14342 16914636 0 0 0
 58 ip 0.0.0.0/0 0.0.1.122/0 24860 18228508 0 0 0
 59 ip 0.0.0.0/0 0.0.1.123/0 17697 15428527 0 0 0
 63 ip 0.0.0.0/0 0.0.1.255/0 4824 366624 0 0 0

-------------------------------------------
John David Duncan
Systems Administrator
GreatSchools, Inc.
(415) 977-0700 x115
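As an added example (not part of the post above), a small Python parser for the per-bucket table that "ipfw pipe show" prints on FreeBSD 4.x dummynet. It reads the queue 1 listing and flags buckets that dominate the byte count yet record no drops, which is exactly what the post observes about bucket 49; the 50% share threshold is an assumption, not anything ipfw defines.

```python
"""Parse the per-bucket table from `ipfw pipe show` (FreeBSD 4.x dummynet) and
flag buckets carrying most of the bytes with zero drops. Added example; sample
rows are copied from the post, the 50% threshold is an assumption."""
from collections import namedtuple

Bucket = namedtuple("Bucket", "bkt proto src dst tot_pkt tot_bytes q_pkt q_bytes drops")

# Queue 1 listing from the post (dst mask 0x0000ffff, so only the low 16 bits show).
SAMPLE = """\
q00001: weight 5 pipe 10 50 sl. 15 queues (64 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x0000ffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
2 ip 0.0.0.0/0 0.0.1.2/0 53 7088 0 0 0
38 ip 0.0.0.0/0 0.0.1.102/0 12676 9377918 0 0 0
40 ip 0.0.0.0/0 0.0.1.104/0 2129 1354742 0 0 0
41 ip 0.0.0.0/0 0.0.1.105/0 23 3995 0 0 0
43 ip 0.0.0.0/0 0.0.1.107/0 13243 11747508 0 0 0
46 ip 0.0.0.0/0 0.0.1.110/0 10123 8827868 0 0 0
49 ip 0.0.0.0/0 0.0.1.113/0 402263 473946687 4 4541 0
50 ip 0.0.0.0/0 0.0.1.114/0 16602 10231616 0 0 64
52 ip 0.0.0.0/0 0.0.1.116/0 3497 3299405 0 0 0
54 ip 0.0.0.0/0 0.0.1.118/0 4283 3470449 0 0 0
56 ip 0.0.0.0/0 0.0.1.120/0 4064 3523496 0 0 0
57 ip 0.0.0.0/0 0.0.1.121/0 14342 16914636 0 0 0
58 ip 0.0.0.0/0 0.0.1.122/0 24860 18228508 0 0 0
59 ip 0.0.0.0/0 0.0.1.123/0 17697 15428527 0 0 0
63 ip 0.0.0.0/0 0.0.1.255/0 4824 366624 0 0 0
"""

def parse_buckets(text):
    """Return {bucket: Bucket}. A data row is nine fields starting with a number;
    pipe/queue headers, the mask line and the column header are skipped."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 9 and f[0].isdigit():
            b = Bucket(int(f[0]), f[1], f[2], f[3], *map(int, f[4:]))
            out[b.bkt] = b
    return out

def total_bytes(buckets):
    return sum(b.tot_bytes for b in buckets.values())

def dominant_undropped(buckets, share=0.5):
    """Buckets above `share` of all bytes with zero drops. A droptail queue that is
    really the bottleneck for a flow records drops, so a dominant flow with none
    suggests the rate limit is not binding on that traffic (heuristic, assumed)."""
    total = total_bytes(buckets)
    return sorted(b.bkt for b in buckets.values()
                  if total and b.tot_bytes / total > share and b.drops == 0)
```

Against the listing above it reports bucket 49 (about 82% of all bytes through queue 1, no drops) while bucket 50 is the only one the queue has actually dropped from.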