Message-ID: <3D864865.2030607@amduat.net>
Date: Mon, 16 Sep 2002 14:08:53 -0700
From: "Jacob S. Barrett"
To: freebsd-ipfw@freebsd.org
Subject: MAC Layer Bandwidth Limiting

If I wanted to do MAC layer bandwidth limiting, would I want to do something like the following using IPFW2 or am I just way off?

    ipfw add 1000 pipe 1000 layer2 mac $MAC0 any
    ipfw add 1001 pipe 1001 layer2 mac any $MAC0
    ipfw pipe 1000 bw 128Kbit/s
    ipfw pipe 1001 bw 768Kbit/s

    ipfw add 1010 pipe 1010 layer2 mac $MAC1 any
    ipfw add 1011 pipe 1011 layer2 mac any $MAC1
    ipfw pipe 1010 bw 256Kbit/s
    ipfw pipe 1011 bw 512Kbit/s

MAC0 is limited to 128kbit/s out and 768kbit/s in
MAC1 is limited to 256kbit/s out and 512kbit/s in

What I want is the ability to filter links at the MAC level as well as limit the bandwidth that particular link has.
Traffic may not always be IP based so filtering on the IP address isn't sufficient.

If this all makes sense and works then is it possible to use a MAC address mask in the pipe/queue mask? What I mean is can the limits be based on per MAC rather than per IP so that I can remove the need to have two pipes for each MAC like I do now? Something like this?

    ipfw add 1000 pipe 1128 layer2 mac $MAC0 any
    ipfw add 1001 pipe 2768 layer2 mac any $MAC0

    ipfw add 1010 pipe 1256 layer2 mac $MAC1 any
    ipfw add 1011 pipe 2512 layer2 mac any $MAC1

    ipfw add 1020 pipe 1128 layer2 mac $MAC2 any
    ipfw add 1021 pipe 2768 layer2 mac any $MAC2

    ipfw pipe 1128 bw 128Kbit/s mask mac-src 0xffffffffffff
    ipfw pipe 1256 bw 256Kbit/s mask mac-src 0xffffffffffff
    ipfw pipe 1512 bw 512Kbit/s mask mac-src 0xffffffffffff
    ipfw pipe 1768 bw 768Kbit/s mask mac-src 0xffffffffffff

    ipfw pipe 2128 bw 128Kbit/s mask mac-dst 0xffffffffffff
    ipfw pipe 2256 bw 256Kbit/s mask mac-dst 0xffffffffffff
    ipfw pipe 2512 bw 512Kbit/s mask mac-dst 0xffffffffffff
    ipfw pipe 2768 bw 768Kbit/s mask mac-dst 0xffffffffffff

MAC0 is limited to 128kbit/s out and 768kbit/s in
MAC1 is limited to 256kbit/s out and 512kbit/s in
MAC2 is limited to 128kbit/s out and 768kbit/s in

Does any of this make sense or am I just way off in my own little world here?

Now if all this works then I assume that the byte count field for rules xxx0 and xxx1 should be the total bytes in and out for the link. Is this correct? If I was going to use that field for accounting to determine the bytes transferred per month, is there a way to read and zero the counts at the same time, or am I going to just have to let the few bytes that come in between read and zero just drop off?

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."
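
On the accounting question at the end of the message, an added example (not part of the original post and not code from the ipfw project): instead of reading and then zeroing the counters, keep two saved `ipfw -a list` snapshots and compute per-rule byte deltas, treating a counter that went backwards as a reset. The function name `rule_deltas`, the snapshot files and the sample lines are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: byte deltas per rule between two saved `ipfw -a list`
# snapshots. Counters are only read, never zeroed, so no traffic falls into
# a gap between a read and an `ipfw zero`.
# Line layout relied on: RULE PACKETS BYTES rule-text...

# rule_deltas PREV_FILE CUR_FILE -> prints "RULE DELTA_BYTES" per rule in CUR_FILE
rule_deltas() {
    awk '
        FILENAME == ARGV[1] { prev[$1] = $3 + 0; next }   # older snapshot
        {
            cur = $3 + 0
            old = ($1 in prev) ? prev[$1] : 0   # rule added since last read
            # A counter that went backwards means the rule was zeroed or the
            # ruleset was reloaded: all bytes now in the counter are new.
            delta = (cur >= old) ? cur - old : cur
            printf "%s %.0f\n", $1, delta
        }
    ' "$1" "$2"
}

# Constructed snapshots; the text after the counters is a placeholder that
# the parser ignores.
PREV_SAMPLE='01000 120 15000 pipe 1000 (rule text)
01001 300 410000 pipe 1001 (rule text)
01010 50 6000 pipe 1010 (rule text)'
CUR_SAMPLE='01000 200 27500 pipe 1000 (rule text)
01001 10 9000 pipe 1001 (rule text)
01010 50 6000 pipe 1010 (rule text)
01011 4 512 pipe 1011 (rule text)'

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$PREV_SAMPLE" > "$dir/prev"
    printf '%s\n' "$CUR_SAMPLE" > "$dir/cur"
    rule_deltas "$dir/prev" "$dir/cur"
    rm -rf "$dir"
}
demo
```

Summing the deltas over a month gives the per-rule totals. Traffic counted between the last snapshot and a reset is the only part this approach cannot recover.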