----- Original Message ----- 
From: "Nelis Lamprecht" <[EMAIL PROTECTED]>
To: "FreeBSD Questions Mail List" <[EMAIL PROTECTED]>
Sent: Friday, June 04, 2004 7:43 AM
Subject: ipnat and ipfw dummynet

Sorry, I failed to point out my current network configuration.

I have 2 internal networks which use NAT, one class C ( )
and one rfc1918 ( ).

The internal interface(bge1) is configured with the class c network and
I have added a route to bge1 for All traffic on the network internally is routed via the gateway to get to
the network.

Hope that makes sense.


On Fri, 2004-06-04 at 14:43, Nelis Lamprecht wrote:
> Hi,
> I'm interested to hear how people utilise dummynet in a NAT environment.
> How does one create a pipe for a NAT network without affecting the
> actual LAN speed ? For example, on the gateway:
> $fwcmd add pipe 1 ip from to any out
> $fwcmd add pipe 2 ip from any to in
> $fwcmd pipe 1 config bw 128Kbit/s
> $fwcmd pipe 2 config bw 128Kbit/s
> The above example would be fine if were only talking to
> the internet but unfortunately it also affects the machines from talking
> to each other internally. The only interface you can specify is the
> internal interface(bge1) because this is the only time that ipfw will
> see the addresses before they are passed to NAT(ipnat) and will not be
> seen on the external interface(bge0). So basically the above example
> should be written as:
> $fwcmd add pipe 1 ip from to any out via bge1
> $fwcmd add pipe 2 ip from any to in via bge1
> This however will also give an internal LAN speed of
> 128Kbit/s which is to say quite humorous ;-)
> What is the solution to this ? ..I'm obviously missing something. The
> internal interface is not firewalled.
> Many thanks,
> Nelis Lamprecht


Nelis, this may help. Remember that ipfw goes through the rulesets until it
finds a match and will stop at that point. So, to provide rate limiting as
well as allowing traffic on the LAN to go all out, place allow rules before
the pipes to specifically allow traffic between your LAN IP ranges.

#Rate Limit Settings
$fwcmd pipe 1 config bw 128Kbit/s
$fwcmd pipe 2 config bw 128Kbit/s

#Unrestricted LAN Access Allows
$fwcmd add allow ip from to
$fwcmd add allow ip from to 192.168.0/24

#Rate Limit Rules
$fwcmd add pipe 1 ip from to any out
$fwcmd add pipe 2 ip from any to in

Hope it helps. It's been a while since I've done any rate limiting, but as I
recall, that should do the trick.


Micheal Patterson
TSG Network Administration
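
The rule ordering suggested in the reply above can be checked with a small first-match model. This is an added example, not part of the original thread and not ipfw itself. It assumes 203.0.113.0/24 as a stand-in for the public class C network (the real addresses are missing from the page), assumes the shaped network is 192.168.0.0/24, ignores in/out direction and interfaces, and treats a pipe as terminal (the behaviour with net.inet.ip.fw.one_pass=1).

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: 203.0.113.0/24 stands in for the public class C
# network elided on the page; 192.168.0.0/24 is the RFC 1918 network.
PUBLIC_LAN = ipaddress.ip_network("203.0.113.0/24")
PRIVATE_LAN = ipaddress.ip_network("192.168.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "pipe 1", "pipe 2"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def first_match(rules, src, dst):
    """Return the action of the first rule whose src/dst match the packet.

    Simplified model: direction and interface are not considered, and a
    pipe ends rule processing (assumes net.inet.ip.fw.one_pass=1).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "default"


# Ruleset from the question: only the two pipes (shaped network assumed).
PIPES_ONLY = [
    Rule("pipe 1", PRIVATE_LAN, ANY),
    Rule("pipe 2", ANY, PRIVATE_LAN),
]

# Ruleset from the reply: LAN-to-LAN allows placed before the pipes.
LANS = (PUBLIC_LAN, PRIVATE_LAN)
ALLOW_FIRST = [Rule("allow", a, b) for a in LANS for b in LANS] + PIPES_ONLY

if __name__ == "__main__":
    samples = [  # constructed packets: (source, destination)
        ("192.168.0.10", "203.0.113.5"),   # LAN to LAN through the gateway
        ("192.168.0.10", "198.51.100.7"),  # LAN to an outside host
        ("198.51.100.7", "192.168.0.10"),  # outside host to LAN
    ]
    for src, dst in samples:
        print(f"{src} -> {dst}: pipes only = {first_match(PIPES_ONLY, src, dst)}, "
              f"allow first = {first_match(ALLOW_FIRST, src, dst)}")
```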
