----- Original Message -----
From: "Nelis Lamprecht" <[EMAIL PROTECTED]>
To: "FreeBSD Questions Mail List" <[EMAIL PROTECTED]>
Sent: Friday, June 04, 2004 7:43 AM
Subject: ipnat and ipfw dummynet

Sorry, I failed to point out my current network configuration. I have 2 internal networks which use NAT, one class C ( 220.127.116.11/24 ) and one RFC 1918 ( 192.168.1.0/24 ). The internal interface (bge1) is configured with the class C network and I have added a route to bge1 for 192.168.1.0/24. All traffic on the 18.104.22.168/24 network internally is routed via the gateway to get to the 192.168.1.0 network. Hope that makes sense.

Nelis

On Fri, 2004-06-04 at 14:43, Nelis Lamprecht wrote:
> Hi,
>
> I'm interested to hear how people utilise dummynet in a NAT environment.
> How does one create a pipe for a NAT network without affecting the
> actual LAN speed? For example, on the gateway:
>
> $fwcmd add pipe 1 ip from 192.168.1.0/24 to any out
> $fwcmd add pipe 2 ip from any to 192.168.1.0/24 in
> $fwcmd pipe 1 config bw 128Kbit/s
> $fwcmd pipe 2 config bw 128Kbit/s
>
> The above example would be fine if 192.168.1.0/24 were only talking to
> the internet but unfortunately it also affects the machines from talking
> to each other internally. The only interface you can specify is the
> internal interface (bge1) because this is the only time that ipfw will
> see the addresses before they are passed to NAT (ipnat) and will not be
> seen on the external interface (bge0). So basically the above example
> should be written as:
>
> $fwcmd add pipe 1 ip from 192.168.1.0/24 to any out via bge1
> $fwcmd add pipe 2 ip from any to 192.168.1.0/24 in via bge1
>
> This however will also give 192.168.1.0/24 an internal LAN speed of
> 128Kbit/s which is to say quite humorous ;-)
>
> What is the solution to this? ..I'm obviously missing something. The
> internal interface is not firewalled.
>
>
> Many thanks,
> --
> Nelis Lamprecht

--------------------

Nelis, this may help. Remember that ipfw goes through the rulesets until it finds a match and will stop at that point.

So, to provide rate limiting as well as allowing traffic on the LAN to go all out, place allow rules before the pipes to specifically allow traffic between your LAN IP ranges unhindered.

#Rate Limit Settings
$fwcmd pipe 1 config bw 128Kbit/s
$fwcmd pipe 2 config bw 128Kbit/s

#Unrestricted LAN Access Allows (both directions between the two internal ranges)
$fwcmd add allow ip from 192.168.1.0/24 to 22.214.171.124/24
$fwcmd add allow ip from 126.96.36.199/24 to 192.168.1.0/24

#Rate Limit Rules (only reached by traffic that did not match the allows above)
$fwcmd add pipe 1 ip from 192.168.1.0/24 to any out
$fwcmd add pipe 2 ip from any to 192.168.1.0/24 in

Hope it helps. It's been awhile since I've done any rate limiting, but as I recall, that should do the trick.

--
Micheal Patterson
TSG Network Administration
405-917-0600

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
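The rule-ordering point in the reply above (first match wins, so allow rules placed before the pipes exempt LAN-to-LAN traffic from the dummynet pipes) can be checked on paper with a small first-match simulator. The following is an added example written for this page, not code from the thread or from FreeBSD; it models a forwarded packet as being evaluated once on the "in" pass and once on the "out" pass, treats a pipe action as terminal (the default one_pass behaviour), and uses 192.0.2.0/24 as a constructed stand-in for the poster's class C range and 203.0.113.7 as a constructed internet host. The rule numbers and the name "default" for the fall-through are assumptions for illustration only.

```python
"""First-match simulation of the ipfw rule order discussed in the reply."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int                 # ipfw rule number (assumed; ipfw assigns them on "add")
    action: str                 # "allow", "pipe 1", "pipe 2"
    src: IPv4Network
    dst: IPv4Network
    direction: Optional[str] = None   # "in", "out", or None for either direction


ANY = ip_network("0.0.0.0/0")
LAN_A = ip_network("192.0.2.0/24")     # constructed stand-in for the poster's class C
LAN_B = ip_network("192.168.1.0/24")   # the RFC 1918 range that is to be rate limited

# The order recommended in the reply: allows between the LANs first, pipes after.
RULES_ALLOW_FIRST: List[Rule] = [
    Rule(100, "allow", LAN_B, LAN_A),
    Rule(200, "allow", LAN_A, LAN_B),
    Rule(300, "pipe 1", LAN_B, ANY, "out"),
    Rule(400, "pipe 2", ANY, LAN_B, "in"),
]

# The original question's order: pipes with nothing in front of them.
RULES_PIPES_FIRST: List[Rule] = RULES_ALLOW_FIRST[2:] + RULES_ALLOW_FIRST[:2]


def first_match(rules: List[Rule], src: str, dst: str, direction: str) -> Tuple[int, str]:
    """Walk the ruleset in order and return (number, action) of the first match.

    Like ipfw, evaluation stops at the first matching rule; a packet that
    matches nothing falls through to rule 65535, called "default" here.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and rule.direction in (None, direction):
            return rule.number, rule.action
    return 65535, "default"


def forward(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Actions applied to one packet forwarded through the gateway.

    A routed packet is seen twice by ipfw: once "in" on the receiving
    interface and once "out" on the sending interface (both bge1 in the
    poster's setup, since both ranges live behind the same interface).
    """
    _, in_action = first_match(rules, src, dst, "in")
    if in_action.startswith("pipe"):
        # With one_pass the packet leaves the ruleset after the pipe; it is
        # still forwarded, so the out pass happens, but we record the pipe hit.
        pass
    _, out_action = first_match(rules, src, dst, "out")
    return in_action, out_action


if __name__ == "__main__":
    lan_to_lan = ("192.168.1.10", "192.0.2.5")
    lan_to_net = ("192.168.1.10", "203.0.113.7")
    for name, rules in (("allow first", RULES_ALLOW_FIRST), ("pipes first", RULES_PIPES_FIRST)):
        print(name)
        print("  LAN B -> LAN A :", forward(rules, *lan_to_lan))
        print("  LAN A -> LAN B :", forward(rules, *reversed(lan_to_lan)))
        print("  LAN B -> net   :", forward(rules, *lan_to_net))
```

With the allows in front, a LAN-to-LAN packet hits rule 100 or 200 on both passes and never reaches a pipe; with the pipes in front, the same conversation is shaped once in each direction (pipe 1 on the way out of LAN B, pipe 2 on the way back in), which is exactly the "internal LAN speed of 128Kbit/s" the question describes. Traffic to the internet still lands in pipe 1 either way.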