From: "Elector" <elector@elector.dk>
To: freebsd-ipfw@freebsd.org
Date: Sat, 24 May 2003 13:41:14 +0200
Subject: Prioritizing traffic and NAT.
Message-ID: <200305241341140515.0EB4D5DA@pasmtp.tele.dk>
List-Id: IPFW Technical Discussions

Hi there, first time I post here. But I'm soon to be hairless if I didn't try something else than just reconfigging and reconfigging without getting anywhere...

I'll try to draw my setup here. Hope it looks alright/understandable.

        WAN
         |
         |
      FreeBSD
         |
         |
     |       |
    PC1     PC2

PC1 and PC2 are on a 10.0.0.0/8 private IP net.

Fairly simple setup, where the FreeBSD NATs PC1 and PC2 to the Internet, and that works just fine. The problem is that I run an FTP server and a couple of other services on the FreeBSD box, and when users are downloading like nuts from it, PC1 and PC2 (and the FreeBSD box for that matter) can barely use the Internet.
So I would like to prioritize the traffic, as in giving PC1 and PC2 higher priority to the Internet than the FreeBSD box itself.

First of all, I'm just trying to prioritize outgoing traffic and incoming apart from each other. I know saturating outgoing traffic will slow down incoming to a crawl, but that's not the biggest problem right now. First I just want to get this to work, then I can worry about the other things later. :-)

My problem is that the config below doesn't seem to prioritize anything, well almost anything. It works on the internal LAN traffic, and I can set the speeds to whatever I want there and it works, BUT on the WAN side it doesn't seem to work at all - that is, no prioritizing whatsoever.

I really REALLY hope someone here has a good suggestion.

--- ipfw config file ---

#first flush the old rules
-f flush

#set up queues for traffic on a 2M/512K ADSL connection.
#outgoing traffic is the major bottleneck here, and I set it a bit lower than max, to avoid saturating the line
pipe 10 config bw 500Kbit/s
pipe 20 config bw 2Mbit/s

#LAN traffic should still run at 100Mbit
pipe 99 config bw 100Mbit/s

#outgoing traffic should be prioritized, so that the LAN PCs have higher priority than the router box.
queue 10 config pipe 10 weight 100
queue 20 config pipe 10 weight 1

#incoming traffic should be prioritized, so that the LAN PCs have higher priority than the router box.
queue 30 config pipe 20 weight 100
queue 40 config pipe 20 weight 1

#LAN traffic should still run at 100Mbit
queue 99 config pipe 99 weight 1

#enable NAT/PAT
add 50 divert natd all from any to any via rl0

add 100 allow ip from 10.0.0.0/8 to 10.0.0.0/8

#LAN traffic should still run at 100Mbit
add 150 queue 99 ip from me to any out via fxp0
add 151 queue 99 ip from any to me in via fxp0

#LAN traffic to the outside world should be highest prioritized = get all the BW they need.
add 200 queue 10 ip from 10.0.0.0/8 to any in via fxp0
add 201 queue 30 ip from any to 10.0.0.0/8 out via fxp0

#box traffic to the outside world (runs an FTP server among others) should be lowest prioritized = only use
#the BW that isn't used by the LAN PCs.
add 300 queue 20 ip from me to any out via rl0
add 301 queue 40 ip from any to me in via rl0

#allow all traffic - Cisco PIX in front of box takes care of the actual firewalling
add 999 allow all from any to any

--------------
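As an added example (not part of the mail), a small Python model of how this ruleset classifies a routed packet on each of its two passes through ipfw; it assumes the default net.inet.ip.fw.one_pass=1 (the first matching queue rule ends a pass), that natd on rl0 rewrites a LAN source to the box's public address, and that `me` matches every address configured on the box (the addresses used are constructed).

```python
import ipaddress

# Constructed addresses: fxp0 side and rl0 (public) side of the box.
LAN = ipaddress.ip_network("10.0.0.0/8")
PUBLIC = "203.0.113.10"
BOX_ADDRS = {"10.0.0.1", PUBLIC}
NAT_TABLE = {}                      # WAN peer -> LAN host, filled by natd()

# (rule, action, queue, src spec, dst spec, direction, interface); None = wildcard.
# This mirrors rules 50-999 of the posted config.
RULES = [
    (50,  "divert", None, "any", "any", None,  "rl0"),
    (100, "allow",  None, "lan", "lan", None,  None),
    (150, "queue",  99,   "me",  "any", "out", "fxp0"),
    (151, "queue",  99,   "any", "me",  "in",  "fxp0"),
    (200, "queue",  10,   "lan", "any", "in",  "fxp0"),
    (201, "queue",  30,   "any", "lan", "out", "fxp0"),
    (300, "queue",  20,   "me",  "any", "out", "rl0"),
    (301, "queue",  40,   "any", "me",  "in",  "rl0"),
    (999, "allow",  None, "any", "any", None,  None),
]

def addr_ok(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in BOX_ADDRS
    return ipaddress.ip_address(addr) in LAN          # spec == "lan"

def natd(src, dst, direction):
    """Crude natd model: masquerade outbound LAN sources, un-map inbound replies."""
    if direction == "out" and ipaddress.ip_address(src) in LAN:
        NAT_TABLE[dst] = src
        return PUBLIC, dst
    if direction == "in" and dst == PUBLIC and src in NAT_TABLE:
        return src, NAT_TABLE[src]
    return src, dst

def one_pass(src, dst, direction, iface):
    """One walk through the rules; returns (rule, queue-or-action, src, dst)."""
    for num, action, queue, s, d, dirn, ifc in RULES:
        if dirn not in (None, direction) or ifc not in (None, iface):
            continue
        if not (addr_ok(s, src) and addr_ok(d, dst)):
            continue
        if action == "divert":                        # natd rewrites, then the
            src, dst = natd(src, dst, direction)      # packet re-enters at rule 51
            continue
        return num, queue if action == "queue" else action, src, dst
    raise RuntimeError("no rule matched")

def forward(src, dst, in_iface, out_iface):
    """A routed packet is seen twice: inbound pass, then outbound pass with the
    addresses as natd left them. Returns what each pass ended in."""
    r_in = one_pass(src, dst, "in", in_iface)
    r_out = one_pass(r_in[2], r_in[3], "out", out_iface)
    return [r_in[1], r_out[1]]
```

Under these assumptions a LAN packet ends its inbound pass in queue 10 but, because rule 50 has already rewritten its source to the box's own address before rule 300 is reached, its outbound pass on rl0 ends in queue 20, the same weight-1 queue as the box's own traffic; the inbound direction (queue 30 versus queue 40) is classified as the comments intend.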