Re: Dummynet on 64 bit systems

2013-05-07 Thread Joshua Isom

http://info.iet.unipi.it/~luigi/dummynet/#58be

I wanted to do http://lmgtfy.com/?q=dummynet first, but it'll still help
for other issues that might come up when using it on Windows.


On 5/7/2013 4:17 PM, Rama Varma wrote:

Hello,

I was interested in knowing if Dummynet is supported on Windows 7 x64.
I tried on 32 bit Windows 7 and works good.

If it should work on 64 bit Windows 7, can you let me know the install 
procedure.
Or do you have a digitally signed ipfw.sys ?

Thanks

Rama
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org





Re: dummynet in 8.1

2010-07-25 Thread Ian Smith
Re: freebsd-questions Digest, Vol 320, Issue 18, Message: 7
On Sun, 25 Jul 2010 13:56:04 +0200 Matias matiassu...@gmail.com wrote:

  I've read in the release notes that ipfw and dummynet have been improved.
  
  I wonder if with 8.1 it will be possible to bridge a VLAN Trunk and 
  filter VLAN tagged frames (actually, send packets to a dummynet queue 
  for traffic shaping).
  
  I've tried this with 8.0 but seems like ipfw does not understand vlan 
  tagged frames.

Try the freebsd-ipfw list; they're likely too busy to read this one ..
perhaps with more detail of what you want to do, and what you've tried.

cheers, Ian


Re: dummynet lag

2007-08-31 Thread Wojciech Puchar

 Is it normal to have +10msec ping times when pinging through dummynet (ipfw
 pipes)? If yes, why? If not, WTF?

depends how exactly it's configured


Re: dummynet lag

2007-08-31 Thread Chuck Swiger

On Aug 31, 2007, at 6:34 AM, [EMAIL PROTECTED] wrote:
Is it normal to have +10msec ping times when pinging through  
dummynet (ipfw pipes)? If yes, why? If not, WTF?


If your HZ is 100, then, yes, it's common for the packets to be  
delayed by 10+ msec.  Set HZ to 1000 or higher and you'll have the  
latency drop to circa 1 ms.


--
-Chuck





Re: Dummynet fragmenting packets

2006-12-12 Thread Bill Moran
In response to Mike Murphree [EMAIL PROTECTED]:
 
 Having an issue on a 5.3 system using ipfw and dummynet to create a
 bandwidth limited and large latency pipe for a mpeg video stream.  If I
 pass the packets between the two NICs without routing through a dummynet
 pipe, it's fine.  If I route it through a pipe, it's fragmenting each
 packet (client requested 1468 byte packets) into two packets, the second
 packet with an offset of 1440 bytes.  Does anyone have any idea why it's
 doing this, and have a solution to this problem?

As a general rule, fragmenting occurs when packets move between different
networks with different MTUs.  I.e. the originating network has a larger
MTU, so the packet must be broken up in order to pass it on to the network
with the smaller MTU.

Now that that's out of the way, I can see 3 possibilities as to why
dummynet is fragmenting packets:
1) Dummynet has the wrong information about what the MTUs are on your
   networks and is fragmenting the packets needlessly.
2) Dummynet is altering the packets, they become larger and then no
   longer fit in the MTU.
3) The endpoints are doing path-MTU-discovery, but when you put
   dummynet between them you somehow break PMTUD.

To narrow this down, you'll need to determine what the MTUs are on each
network and whether they're being respected, is the total size of the
reassembled fragments the same as when the packet came in, and whether
or not PMTUD is in use, and whether something in dummynet or any
related filtering rules is breaking it.

-- 
Bill Moran
Collaborative Fusion Inc.
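
The three checks listed in the reply above, run over IPv4 headers captured on both sides of the dummynet box, as an added example that is not part of the original thread. The headers are constructed to match the report (second fragment at offset 1440); the 1468-byte IP total length, the addresses and the IP IDs are assumptions, and the MTU estimate assumes the fragmenting hop fills the first fragment as far as the MTU allows.

```python
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def build_header(total_len, ident, df=False, mf=False, offset=0):
    """Constructed test data: IPv4 header for UDP between two made-up hosts."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    return struct.pack(IP_FMT, 0x45, 0, total_len, ident, flags_frag,
                       64, 17, 0, bytes([10, 0, 1, 5]), bytes([10, 0, 3, 7]))


def parse_header(raw):
    """Pull out the fields that matter for fragmentation analysis."""
    vihl, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack(
        IP_FMT, raw[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "key": (src, dst, proto, ident),  # shared by all fragments of a datagram
        "ident": ident,
        "ihl": ihl,
        "total_len": total_len,
        "payload": total_len - ihl,
        "df": bool(ff & 0x4000),          # Don't Fragment, set when PMTUD is in use
        "mf": bool(ff & 0x2000),          # More Fragments
        "offset": (ff & 0x1FFF) * 8,      # the field counts 8-byte units
    }


def reassembled_size(frags):
    """Total length the datagram has after reassembly, or None if incomplete."""
    frags = sorted(frags, key=lambda f: f["offset"])
    expected = 0
    for f in frags:
        if f["offset"] != expected:       # hole or overlap
            return None
        expected += f["payload"]
    if frags[-1]["mf"]:                   # final fragment never seen
        return None
    return frags[0]["ihl"] + expected


def group(headers):
    groups = defaultdict(list)
    for raw in headers:
        h = parse_header(raw)
        groups[h["key"]].append(h)
    return groups


def diagnose(ingress, egress):
    """Compare headers captured before and after the dummynet box."""
    groups_in, groups_out = group(ingress), group(egress)
    reports = []
    for key, frags_in in groups_in.items():
        frags_out = sorted(groups_out.get(key, []), key=lambda f: f["offset"])
        size_in = reassembled_size(frags_in)
        size_out = reassembled_size(frags_out) if frags_out else None
        newly_fragmented = len(frags_out) > len(frags_in)
        implied_mtu = None
        if newly_fragmented:
            # Fragment payloads are multiples of 8, so the first fragment's
            # length pins the MTU the fragmenting hop used to within 7 bytes.
            first = frags_out[0]["total_len"]
            implied_mtu = (first, first + 7)
        df_in = any(f["df"] for f in frags_in)
        reports.append({
            "ident": frags_in[0]["ident"],
            "fragments_out": len(frags_out),
            "size_in": size_in,
            "size_out": size_out,
            # True would mean the box grew or shrank the packet (possibility 2)
            "size_changed": size_out is not None and size_out != size_in,
            # Compare with the real interface MTUs (possibility 1)
            "implied_mtu": implied_mtu,
            # DF set on the way in but fragmented anyway (possibility 3)
            "df_ignored": df_in and newly_fragmented,
        })
    return reports


# Constructed capture: one datagram split at offset 1440, one passed intact.
SAMPLE_INGRESS = [build_header(1468, 0x1234),
                  build_header(1400, 0x1235, df=True)]
SAMPLE_EGRESS = [build_header(1460, 0x1234, mf=True),
                 build_header(28, 0x1234, offset=1440),
                 build_header(1400, 0x1235, df=True)]

if __name__ == "__main__":
    for report in diagnose(SAMPLE_INGRESS, SAMPLE_EGRESS):
        print(report)
```
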


Re: Dummynet Question

2006-09-26 Thread Nikos Vassiliadis
On Tuesday 26 September 2006 05:00, Sushant Sharma wrote:
 Hi all,
 I have installed dummynet on a machine-2 which I am using to introduce
 delay between the packets that I'll be sending from machine-1 to machine-3.
 I am using ping to confirm that ICMP/TCP packets are getting delayed. I
 know both UDP/TCP fall under ip, so UDP packets should also be getting
 delayed but just to confirm, do you guys know of any utility that I can use
 to check if UDP packets are also getting delayed.

Use traceroute. Or you could run tcpdump on both ingress and egress
interfaces and check the timestamps. netcat can send udp packets,
bash can (if it's built this way) cat /dev/udp/192.168.0.1/snmp, for example.

Or you could simply trust dummynet/ipfw. They work:)

HTH, Nikos
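
The tcpdump approach suggested above, as an added example that is not part of the original thread: it pairs packets seen on the ingress and egress interfaces of machine-2 by IP ID and reports the delay per protocol. The capture text is constructed in the layout `tcpdump -tt -n -v` prints; the addresses, IDs and the roughly 50 ms pipe delay are assumptions, and no NAT is assumed on machine-2.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -tt -n -v` output from the interface facing machine-1.
INGRESS = """\
1159236000.100000 IP (tos 0x0, ttl 64, id 4001, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.1.5 > 10.0.3.7: ICMP echo request, id 77, seq 1, length 64
1159236000.200000 IP (tos 0x0, ttl 64, id 4002, offset 0, flags [none], proto UDP (17), length 60)
    10.0.1.5.40000 > 10.0.3.7.9000: UDP, length 32
1159236000.300000 IP (tos 0x0, ttl 64, id 4003, offset 0, flags [none], proto UDP (17), length 60)
    10.0.1.5.40000 > 10.0.3.7.9000: UDP, length 32
1159236000.400000 IP (tos 0x0, ttl 64, id 4004, offset 0, flags [none], proto UDP (17), length 60)
    10.0.1.5.40000 > 10.0.3.7.9000: UDP, length 32
"""

# Constructed output from the interface facing machine-3 (TTL is one lower,
# and the last UDP packet never leaves: the pipe queue dropped it).
EGRESS = """\
1159236000.150000 IP (tos 0x0, ttl 63, id 4001, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.1.5 > 10.0.3.7: ICMP echo request, id 77, seq 1, length 64
1159236000.250120 IP (tos 0x0, ttl 63, id 4002, offset 0, flags [none], proto UDP (17), length 60)
    10.0.1.5.40000 > 10.0.3.7.9000: UDP, length 32
1159236000.350080 IP (tos 0x0, ttl 63, id 4003, offset 0, flags [none], proto UDP (17), length 60)
    10.0.1.5.40000 > 10.0.3.7.9000: UDP, length 32
"""

HDR = re.compile(r"^(\d+)\.(\d{6}) IP \(.*?\bid (\d+),.*?\bproto (\w+) \(\d+\)")
FLOW = re.compile(r"^\s+(\S+) > (\S+?):")


def parse_capture(text):
    """Map (proto, src, dst, ip_id) -> capture time in microseconds."""
    seen = {}
    lines = text.splitlines()
    # With -v each packet is a header line followed by an indented flow line.
    for hdr_line, flow_line in zip(lines, lines[1:]):
        h, f = HDR.match(hdr_line), FLOW.match(flow_line)
        if h and f:
            # Integer microseconds avoid float rounding on epoch timestamps.
            ts_us = int(h.group(1)) * 1_000_000 + int(h.group(2))
            key = (h.group(4), f.group(1), f.group(2), int(h.group(3)))
            seen.setdefault(key, ts_us)
    return seen


def pipe_delays(ingress_text, egress_text):
    """Return ({proto: [delay_us, ...]}, [keys never seen on egress]).

    Both captures come from the same machine, so the timestamps share one
    clock. Matching on IP ID assumes the sender gives each packet its own ID.
    """
    came_in = parse_capture(ingress_text)
    went_out = parse_capture(egress_text)
    delays, missing = defaultdict(list), []
    for key, t_in in came_in.items():
        t_out = went_out.get(key)
        if t_out is None:
            missing.append(key)
        else:
            delays[key[0]].append(t_out - t_in)
    return dict(delays), missing


def summarize(delays):
    """Per protocol: (packets matched, min delay ms, max delay ms)."""
    return {proto: (len(d), min(d) / 1000, max(d) / 1000)
            for proto, d in delays.items()}


if __name__ == "__main__":
    delays, missing = pipe_delays(INGRESS, EGRESS)
    for proto, stats in summarize(delays).items():
        print(proto, "matched=%d min=%.3fms max=%.3fms" % stats)
    print("not seen on egress:", missing)
```
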


Re: Dummynet in an IPFilter setup

2006-09-20 Thread Bill Moran
In response to Odhiambo Washington [EMAIL PROTECTED]:

[snip]

 The scenario:
 
 I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
 interfaces at the moment, external interface connected to the hostile
 Internet and internal interface connected to a switch for the LAN.
 
 The ISP gives 256Kbit/s on the external interface. Out of this, I
 need to dedicate/guarantee 128Kbit/s to just one machine.
 
 A streaming server has been introduced on the LAN, and it is considered
 a VIP host as far as bandwidth allocation is concerned.
 The problem is that p2p is also officially allowed on the LAN. I hate
 it but it is allowed. Period. No argument about it.
 
 I need to guarantee 128Kbit/s of the available bandwidth to the 
 streaming host (server, if you can call it).
 
 
 My thinking/plan:
 
 1. Add one more NIC to the FreeBSD box (it's also the router, 
    firewall, _everything_ server) and put this on a separate IP block.
    To this NIC I will connect the VIP host, which needs the guaranteed
    bandwidth. I will therefore NAT traffic to/from it.
 
 2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
    this means that:
    (a) They cannot go beyond 128Kbit/s
    (b) The VIP box will go above 128Kbit/s in case the throttled
        LAN is not using all of the 128Kbit/s
 
 I need to control bandwidth on the external interface only, not on the
 LAN (internal interfaces).
 
 Is this rightful thinking or sheer imagination which is not practical?

Seems reasonable.  See below ...

 My problem:
 
 
 Most important is being dumb when it comes to IPFW and hence the pipes
 and all that pertains to it.
 
 Here is my ipfw configuration, in black and white (firewall_type=OPEN)
 
 
 # Outside interface network and netmask and ip
 oif=bfe0
 iif=xl0
 onet=62.8.68.0
 omask=255.255.255.252
 oip=62.8.68.22
 
 # Inside interface network and netmask and ip
 iif=xl0
 inet=10.0.0.0
 imask=255.255.255.0
 iip=10.0.0.2
 
 ipfw pipe 1 config bw 128Kbit/s
 
 # Allow any traffic to or from my own net.
 ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
 ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
 
 # Throttle now
 ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
                          ^^

Is this direct cut/paste?  If so, you've got a sticky $ key.

 ${fwcmd} add 65000 pass all from any to any
 
 
 With this configuration, it seems like even LAN-LAN communication is 
 being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
 Can someone tell me why that is happening?
 
 Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
 bandwidth limitation configuration, is it not true that I will have 
 achieved my goal?
 
 I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
 have a static route for the VIP box, with NAT for any connections 
 to/from it.
 
 
 I'll really appreciate any help/advice towards a perfect configuration
 for the firewall, and how I can get this to work.
 
 Thanks in advance.


-- 
Bill Moran
Collaborative Fusion Inc.


Re: Dummynet in an IPFilter setup

2006-09-20 Thread Erik Norgaard

Odhiambo Washington wrote:


I need to control bandwidth on the external interface only, not on the
LAN (internal interfaces).

Is this rightful thinking or sheer imagination which is not practical?


If you're happy with IPFilter and need to ensure minimum bandwidth for 
some network segment, take a look at packet filter, you can take much of 
your knowledge with you and then set up queues that will ensure the 
minimum bandwidth. And you don't need extra interfaces.


Cheers, Erik

--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9


Re: Dummynet in an IPFilter setup

2006-09-20 Thread Odhiambo Washington
* On 20/09/06 11:16 -0400, Bill Moran wrote:
| In response to Odhiambo Washington [EMAIL PROTECTED]:
| 
| [snip]
| 
|  The scenario:
|  
|  I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
|  interfaces at the moment, external interface connected to the hostile
|  Internet and internal interface connected to a switch for the LAN.
|  
|  The ISP gives 256Kbit/s on the external interface. Out of this, I
|  need to dedicate/guarantee 128Kbit/s to just one machine.
|  
|  A streaming server has been introduced on the LAN, and it is considered
|  a VIP host as far as bandwidth allocation is concerned.
|  The problem is that p2p is also officially allowed on the LAN. I hate
|  it but it is allowed. Period. No argument about it.
|  
|  I need to guarantee 128Kbit/s of the available bandwidth to the 
|  streaming host (server, if you can call it).
|  
|  
|  My thinking/plan:
|  
|  1. Add one more NIC to the FreeBSD box (it's also the router, 
|     firewall, _everything_ server) and put this on a separate IP block.
|     To this NIC I will connect the VIP host, which needs the guaranteed
|     bandwidth. I will therefore NAT traffic to/from it.
|  
|  2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
|     this means that:
|     (a) They cannot go beyond 128Kbit/s
|     (b) The VIP box will go above 128Kbit/s in case the throttled
|         LAN is not using all of the 128Kbit/s
|  
|  I need to control bandwidth on the external interface only, not on the
|  LAN (internal interfaces).
|  
|  Is this rightful thinking or sheer imagination which is not practical?
| 
| Seems reasonable.  See below ...

Thanks, Bill for that verification.


|  My problem:
|  
|  
|  Most important is being dumb when it comes to IPFW and hence the pipes
|  and all that pertains to it.
|  
|  Here is my ipfw configuration, in black and white (firewall_type=OPEN)
|  
|  
|  # Outside interface network and netmask and ip
|  oif=bfe0
|  iif=xl0
|  onet=62.8.68.0
|  omask=255.255.255.252
|  oip=62.8.68.22
|  
|  # Inside interface network and netmask and ip
|  iif=xl0
|  inet=10.0.0.0
|  imask=255.255.255.0
|  iip=10.0.0.2
|  
|  ipfw pipe 1 config bw 128Kbit/s
|  
|  # Allow any traffic to or from my own net.
|  ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
|  ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
|  
|  # Throttle now
|  ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
|                           ^^
| 
| Is this direct cut/paste? If so, you've got a sticky $ key.

Yes, it was a paste in the process of modifying ;)
Noted with thanks.

| 
|  ${fwcmd} add 65000 pass all from any to any
|  
|  
|  With this configuration, it seems like even LAN-LAN communication is 
|  being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
|  Can someone tell me why that is happening?
|  
|  Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
|  bandwidth limitation configuration, is it not true that I will have 
|  achieved my goal?
|  
|  I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
|  have a static route for the VIP box, with NAT for any connections 
|  to/from it.
|  
|  
|  I'll really appreciate any help/advice towards a perfect configuration
|  for the firewall, and how I can get this to work.
|  
|  Thanks in advance.


Bill, you did not say anything on my problem with intra-LAN traffic. 
Does that mean this configuration is okay, and should not at all affect 
traffic within the LAN?


 

Best regards,
Odhiambo Washington
Systems Admin,
Wananchi Online Ltd.



Re: Dummynet in an IPFilter setup

2006-09-20 Thread Odhiambo Washington
* On 20/09/06 17:16 +0200, Erik Norgaard wrote:
| Odhiambo Washington wrote:
| 
| I need to control bandwidth on the external interface only, not on the
| LAN (internal interfaces).
| 
| Is this rightful thinking or sheer imagination which is not practical?
| 
| If you're happy with IPFilter and need to ensure minimum bandwidth for 
| some network segment, take a look at packet filter, you can take much of 
| your knowledge with you and then set up queues that will ensure the 
| minimum bandwidth. And you don't need extra interfaces.

That is the way to go ultimately, but I am still a newbie with PF.
I would not want to transfer my newbie-ness into a customers network ;)
I am happy with IPFilter, yes, but I am gradually shifting to PF, but
I have to graduate before I can put that out there.
At the moment, I just want to solve an immediate problem which has
presented itself.


-Wash



Re: Dummynet in an IPFilter setup

2006-09-20 Thread Bill Moran
In response to Odhiambo Washington [EMAIL PROTECTED]:

 * On 20/09/06 11:16 -0400, Bill Moran wrote:
 | In response to Odhiambo Washington [EMAIL PROTECTED]:
 | 
 | [snip]
 | 
 |  The scenario:
 |  
 |  I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
 |  interfaces at the moment, external interface connected to the hostile
 |  Internet and internal interface connected to a switch for the LAN.
 |  
 |  The ISP gives 256Kbit/s on the external interface. Out of this, I
 |  need to dedicate/guarantee 128Kbit/s to just one machine.
 |  
 |  A streaming server has been introduced on the LAN, and it is considered
 |  a VIP host as far as bandwidth allocation is concerned.
 |  The problem is that p2p is also officially allowed on the LAN. I hate
 |  it but it is allowed. Period. No argument about it.
 |  
 |  I need to guarantee 128Kbit/s of the available bandwidth to the 
 |  streaming host (server, if you can call it).
 |  
 |  
 |  My thinking/plan:
 |  
 |  1. Add one more NIC to the FreeBSD box (it's also the router, 
 |     firewall, _everything_ server) and put this on a separate IP block.
 |     To this NIC I will connect the VIP host, which needs the guaranteed
 |     bandwidth. I will therefore NAT traffic to/from it.
 |  
 |  2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
 |     this means that:
 |     (a) They cannot go beyond 128Kbit/s
 |     (b) The VIP box will go above 128Kbit/s in case the throttled
 |         LAN is not using all of the 128Kbit/s
 |  
 |  I need to control bandwidth on the external interface only, not on the
 |  LAN (internal interfaces).
 |  
 |  Is this rightful thinking or sheer imagination which is not practical?
 | 
 | Seems reasonable.  See below ...
 
 Thanks, Bill for that verification.
 
 
 |  My problem:
 |  
 |  
 |  Most important is being dumb when it comes to IPFW and hence the pipes
 |  and all that pertains to it.
 |  
 |  Here is my ipfw configuration, in black and white (firewall_type=OPEN)
 |  
 |  
 |  # Outside interface network and netmask and ip
 |  oif=bfe0
 |  iif=xl0
 |  onet=62.8.68.0
 |  omask=255.255.255.252
 |  oip=62.8.68.22
 |  
 |  # Inside interface network and netmask and ip
 |  iif=xl0
 |  inet=10.0.0.0
 |  imask=255.255.255.0
 |  iip=10.0.0.2
 |  
 |  ipfw pipe 1 config bw 128Kbit/s
 |  
 |  # Allow any traffic to or from my own net.
 |  ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
 |  ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
 |  
 |  # Throttle now
 |  ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
 |                           ^^
 | 
 | Is this direct cut/paste? If so, you've got a sticky $ key.
 
 Yes, it was a paste in the process of modifying ;)
 Noted with thanks.
 
 | 
 |  ${fwcmd} add 65000 pass all from any to any
 |  
 |  
 |  With this configuration, it seems like even LAN-LAN communication is 
 |  being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
 |  Can someone tell me why that is happening?
 |  
 |  Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
 |  bandwidth limitation configuration, is it not true that I will have 
 |  achieved my goal?
 |  
 |  I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
 |  have a static route for the VIP box, with NAT for any connections 
 |  to/from it.
 |  
 |  
 |  I'll really appreciate any help/advice towards a perfect configuration
 |  for the firewall, and how I can get this to work.
 |  
 |  Thanks in advance.
 
 
 Bill, you did not say anything on my problem with intra-LAN traffic. 
 Does that mean this configuration is okay, and should not at all affect 
 traffic within the LAN?

I assumed that any problems you were seeing were a result of the typo.

Seems to me that the config you propose will do what you want, but I
haven't spent a lot of time thinking about it.

Besides, these kinds of configs rarely work perfectly on the first try;
it usually takes a bit of tweaking after you implement them, as a result
of unforeseen consequences.  I think you've got a good starting point
and you should just monitor the set up for a while after implementation.

-- 
Bill Moran
Collaborative Fusion Inc.



Re: dummynet problems

2005-04-06 Thread Sergey Lapin
 I don't use dummynet myself, but surely it would be easier to help you
 if you described what the actual problem is?
 
Well, actual problem description:
FreeBSD-5.3 router;
rl0 - internal interface
rl1 - external.
rl1 is connected to ADSL modem from provider;
The link bandwidth is 64kbps.

${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} pipe 1 config bw 64Kbit/s queue 10KBytes
${fwcmd} queue 4 config pipe 1 weight 1 mask dst-ip 0x buckets 10 queue 9 gred 0.002/7/21/0.1
${fwcmd} add 780 queue 4 log logamount 10 tcp from any to 192.168.0.30/32 out via rl0
${fwcmd} queue 10 config pipe 1 weight 100 mask dst-ip 0x queue 9 gred 0.002/7/21/0.1
${fwcmd} add 790 queue 10 log logamount 10 tcp from any to 192.168.0.99/32 out via rl0
${fwcmd} queue 25 config pipe 1 weight 30 mask dst-ip 0x buckets 15 queue 10 gred 0.002/7/21/0.1
${fwcmd} queue 20 config pipe 1 weight 100 mask dst-ip 0x buckets 100 queue 9 gred 0.002/7/21/0.1
${fwcmd} queue 30 config pipe 1 weight 20 mask dst-ip 0x buckets 100 queue 9 gred 0.002/7/21/0.1
${fwcmd} queue 40 config pipe 1 weight 10 mask dst-ip 0x buckets 100 queue 9 gred 0.002/7/21/0.1
${fwcmd} add 891 queue 20 log logamount 10 tcp from any 5190 to 192.168.0.1/25 out via rl0
${fwcmd} add 892 queue 25 log logamount 10 tcp from any to 192.168.0.6 out via rl0
${fwcmd} add 893 queue 25 log logamount 10 tcp from any to 192.168.0.29 out via rl0
${fwcmd} add 894 queue 25 log logamount 10 tcp from any to 192.168.0.62 out via rl0
${fwcmd} add 895 queue 25 log logamount 10 tcp from any to 192.168.0.27 out via rl0
${fwcmd} add 898 queue 30 log logamount 10 tcp from any 25,110,43,53,119,123,143,953 to 192.168.0.1/25{1-3,5,7-26,28,31-61,63-98,100} out via rl0
${fwcmd} add 897 queue 40 log logamount 10 tcp from any 80,443,3128,21,20 to 192.168.0.1/25{1-3,5,7-26,28,31-61,63-98,100} out via rl0

ipfw pipe show:

1:  99.000 Kbit/s0 ms  10 KB 0 queues (1 buckets) droptail
mask: 0x00 0x/0x - 0x/0x
q4: weight 1 pipe 19 sl. 1 queues (10 buckets)
  GRED w_q 0.001999 min_th 7 max_th 21 max_p 0.01
mask: 0x00 0x/0x - 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  2 ip   0.0.0.0/0192.168.0.30/0 2198  1821083  00  43
q00010: weight 100 pipe 19 sl. 1 queues (64 buckets)
  GRED w_q 0.001999 min_th 7 max_th 21 max_p 0.01
mask: 0x00 0x/0x - 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
 51 ip   0.0.0.0/0192.168.0.99/09  813  00   0
q00020: weight 100 pipe 19 sl. 13 queues (100 buckets)
  GRED w_q 0.001999 min_th 7 max_th 21 max_p 0.01
mask: 0x00 0x/0x - 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  2 ip   0.0.0.0/0192.168.0.30/0   42 6662  00   0
  5 ip   0.0.0.0/0 192.168.0.1/0   36 6054  00   0
 13 ip   0.0.0.0/0 192.168.0.9/0   37 5021  00   0
 15 ip   0.0.0.0/0192.168.0.11/0   6116333  00   0
 25 ip   0.0.0.0/0192.168.0.53/0   23 3463  00   0
 29 ip   0.0.0.0/0192.168.0.85/0  20123807  00   0
 33 ip   0.0.0.0/0192.168.0.61/0   65 6704  00   0
 34 ip   0.0.0.0/0192.168.0.62/0  16639971  00   0
 38 ip   0.0.0.0/0192.168.0.94/0   36 7726  00   0
 39 ip   0.0.0.0/0192.168.0.35/0  15162681  00   0
 47 ip   0.0.0.0/0192.168.0.71/0  20717475  00   0
 88 ip   0.0.0.0/0192.168.0.16/0   25 4751  00   0
 98 ip   0.0.0.0/0192.168.0.26/0   44 8235  00   0
q00025: weight 30 pipe 1   10 sl. 2 queues (15 buckets)
  GRED w_q 0.001999 min_th 7 max_th 21 max_p 0.01
mask: 0x00 0x/0x - 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  5 ip   0.0.0.0/0 192.168.0.6/0 1093   518028  00  51
 14 ip   0.0.0.0/0192.168.0.62/0 3604  2254945  4 3098  50
q00030: weight 20 pipe 19 sl. 8 queues (100 buckets)
  GRED w_q 0.001999 min_th 7 max_th 21 max_p 0.01
mask: 0x00 0x/0x - 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
 15 ip   0.0.0.0/0192.168.0.11/0   20 1081  00   0
 33 ip   0.0.0.0/0192.168.0.61/0  14224203  00   0
 38 ip   0.0.0.0/0192.168.0.94/0   21 1008  00   0
 39 ip   0.0.0.0/0192.168.0.35/0   21 3090  00   0
 53 ip   0.0.0.0/0192.168.0.77/0  848   

Re: dummynet problems

2005-04-05 Thread Lowell Gilbert
Sergey Lapin [EMAIL PROTECTED] writes:

 Hi, all! 
 Here I have a problem with dummynet. System is FreeBSD-5.3-STABLE month ago. 
 we have very small bandwidth from LAN. 
 rl0 is internal interface. 
 
 ipfw rules are (fwcmd=/sbin/ipfw): 
 ${fwcmd} pipe 1 config bw 60Kbit/s 
 ${fwcmd} add 778 pipe 1 tcp from any 25,43,53,80,110,119,123,143,953,5190 to 192.168.0.0/25 out via rl0
 
 ${fwcmd} queue 1 config pipe 1 weight 100 mask dst-ip 0x queue 5 
 ${fwcmd} add 790 queue 1 log logamount 10 tcp from any to 192.168.0.99 out via rl0
 
 
 ${fwcmd} queue 2 config pipe 1 weight 100 mask dst-ip 0x0fff buckets 150 queue 10
 ${fwcmd} queue 3 config pipe 1 weight 30 mask dst-ip 0x0fff buckets 150 queue 10
 ${fwcmd} queue 4 config pipe 1 weight 70 mask dst-ip 0x0fff buckets 150 queue 10
 ${fwcmd} add 791 queue 2 log logamount 10 tcp from any 5190 to 192.168.0.0/25 out via rl0
 ${fwcmd} add 795 queue 3 log logamount 10 tcp from any 80,3128,21,20 to 192.168.0.0/25 out via rl0
 ${fwcmd} add 792 queue 4 log logamount 10 tcp from any 25,110,43,53,119,123,143,953 to 192.168.0.0/25 out via rl0
 
 Thanks a lot! 


I don't use dummynet myself, but surely it would be easier to help you
if you described what the actual problem is?


Re: dummynet problem, kernel options checked

2005-03-07 Thread Chuck Swiger
Lucas wrote:
 [ ... ]
 Is there any way I could check if it really compiled? I vaguely
 remember something containing the word dummynet flashing by
 while compiling.

If you check `dmesg`, you should see a line like:

DUMMYNET initialized (011031)

However, your problem sounds like your kernel and world are out-of-sync.  If 
you've updated your sources and reinstalled the kernel, you'll also need to 
reinstall the world, too.

--
-Chuck


Re: dummynet problem, kernel options checked

2005-03-07 Thread Lucas
 Lucas wrote:
 [ ... ]
 Is there any way I could check if it really compiled? I vaguely
 remember something containing the word dummynet flashing by
 while compiling.

 If you check `dmesg`, you should see a line like:

 DUMMYNET initialized (011031)

 However, your problem sounds like your kernel and world are out-of-sync.  If
 you've updated your sources and reinstalled the kernel, you'll also need to
 reinstall the world, too.

I didn't install any sources when installing FreeBSD, I was in a hurry and
didn't bother, then I installed the sources from ftp because it would be
easier than fiddling with cdroms, but only installed sys.. I know, dumb.

Thanks!



Re: dummynet bw cumulative limit

2004-11-17 Thread Alex de Kruijff
I've changed the list to questions@

On Wed, Nov 10, 2004 at 01:08:04PM -0500, Bob Ababurko wrote:
 Hello all-
 
 We are interested in limiting the bandwidth of a newly setup 
 connection.  We are on a 100 Mb/s switch port and want to keep it to 1 Mb/s 
 for now. Forgive my ignorance, but do they measure this cumulative (inbound 
 + outbound)?  I would assume so, but I would like to confirm this since 
 the rate for overage is not within the budget for now.

The firewall rules determine what dummynet monitors. If you combine
inbound and outbound then it monitors that. You can also just monitor
http traffic. It's up to you.

 Assuming the conservative, how does the dummynet config have to be setup 
 for this to occur?...or can it be configured for both inbound and 
  ^ I don't understand the question. 
 outbound?  Right now, I have the below config and since I have not put the 
 box on the network yet, I have not been able to look at the MRTG to figure 
 the answer.  I am thinking that this config may limit to 1 meg in both 
 directions. I am just not looking forward to overage fees right off the 
 bat!
 
 btw, this config is for the priority of the udp/tcp acks in both 
 directions.  I am not sure if this is going to work so any comments on it 
 would be appreciated.

There is no real priority, only a weighted round robin.

You want your fxp0 to limit in + out to 1MBit/s, right?

 ipfw -f flush
 ipfw pipe 1 config bw 1000kbits/s
 
 ipfw queue 1 config pipe 1 weight 100
 ipfw queue 2 config pipe 1 weight 1 mask all
 ipfw queue 3 config pipe 1 weight 100
 ipfw queue 4 config pipe 1 weight 1 mask all

 ipfw add 100 queue 1 udp from any to any out via fxp0
 ipfw add 101 skipto 1000 udp from any to any out via fxp0
 ipfw add 100 queue 3 udp from any to any in via fxp0
 ipfw add 101 skipto 1000 udp from any to any in via fxp0

 ipfw add 110 queue 1 tcp from any to any out via fxp0 tcpflags ack
 ipfw add 111 skipto 1000 tcp from any to any out via fxp0 tcpflags ack
 ipfw add 110 queue 3 tcp from any to any in via fxp0 tcpflags ack
 ipfw add 111 skipto 1000 tcp from any to in out via fxp0 tcpflags ack

I've also tried with this, but was not pleased with this. A number of
packets were bigger than I expected. You might want to give iplen a try
instead.

 ipfw add queue 2 ip from any to any out via fxp0
 ipfw add queue 4 ip from any to any out via fxp0
  ^^^ this is wrong.
 ipfw add 1000 allow all from any to any

Except for your mistake, everything looks ok.

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.
WWW: http://www.kruijff.org/alex/FreeBSD/


Re: dummynet

2004-11-02 Thread TM4526
 yeah, I also didn't notice his return
 address at first. That already explains much :).
 
 I think I actually sorta, kinda got it working.
 I'll do some tests and update if my observations
 are valid.
 
 
 
 Drew Tomlinson wrote:
  On 10/28/2004 9:30 AM [EMAIL PROTECTED] wrote:
  
  Why don't you guys stop torturing yourself and wasting $1000s worth of 
  your time and get yourself some real bandwidth management software? 
  Its cheaper in the long run.
   
 
  FWIW, I've taken this suggestion with a grain of salt, based upon the 
  general tone of this person's previous posts on a variety of subjects.  
  I suggest you search the archives and draw your own conclusion.
  
  Drew

Well kinda, sorta is the best you can hope for. Enjoy!


Re: dummynet

2004-11-01 Thread synrat
yeah, I also didn't notice his return
address at first. That already explains much :).
I think I actually sorta, kinda got it working.
I'll do some tests and update if my observations
are valid.

Drew Tomlinson wrote:
On 10/28/2004 9:30 AM [EMAIL PROTECTED] wrote:
Why don't you guys stop torturing yourself and wasting $1000s worth of 
your time and get yourself some real bandwidth management software? 
Its cheaper in the long run.
 

FWIW, I've taken this suggestion with a grain of salt, based upon the 
general tone of this person's previous posts on a variety of subjects.  
I suggest you search the archives and draw your own conclusion.

Drew


Re: dummynet

2004-10-29 Thread Subhro
On Thu, 28 Oct 2004 17:18:19 -0400 (EDT), James Skinner
[EMAIL PROTECTED] wrote:
 

 If you look further, you'll see the wink (I was ribbing you). Similar to
 another one of threads. Obviously, you can dish it out, but can't take
 it. I have seen your past replies; you offer nothing but abuse. Do you sit
 around and wait for a newbie to ask a question so you can make him/her
 feel stupid for asking it?

I entirely support this. Abusing a newbie and making him/her feel that
she is stupid won't get you anything. The only thing which may happen
is, the newbie would just shy off leading to another Windows admin who
does everything but knows nothing. BTW if you really wanna fight on
your knowledge dare to do it with the gurus.

 
 Thx

Something for you James, these guyz are not worth saying thanks and I
mean it. So kindly stop thanking them.

Regards
S.

-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India


Re: dummynet

2004-10-29 Thread Henry Miller

I know it is about time for this thread to die, but I couldn't resist
responding this once.

On 10/28/2004 at 18:13 [EMAIL PROTECTED] wrote:

I agree with some of that, but unless the person has the money to spend,
then using dummynet is acceptable. Not everyone can drop 10+ grand on a
nokia firewall that has everything packaged into a nice gui.
A commercial add-on for FreeBSD is $800. Half a week's salary for a
marginal programmer, and it actually works. Unless you live in Russia
(or the Russian Federation or whatever the heck they call it now) and
make $22/week I don't see the point of torturing yourself.

The boss pays his sysadmin every week, no matter what.   The Boss
expects that the systems will run with the least overall cost.
Sometimes that means buying something, sometimes that means configuring
what is there.

There is always a point in learning.   However there is not enough time
in the world to learn everything, so you need to choose what you will
learn.  Just the fact that you know all the details of configuring
something is valuable, because at sometime in the future your needs
will change.   

Complex configuration is normally the cost of flexibility, so if your
needs change all the time you are better off learning how to configure
the free solution because in the long run the time spent learning
configuration means you can jump in and reconfigure it as needed.   If
your needs rarely change then maybe you are better off learning
something else with your time.  (note that there are free things that
are hard to configure without being flexible, but in general free
software is hard to configure because it is flexible)

If your needs are such that you would need 10 commercial licenses, then
by your numbers you are looking at $8000.   For a company trying to
deal with several offices this is possible.  Now we are looking at a
month or more worth of salary for our sysadmin.   It is suddenly a lot
easier to justify time spent learning.   (in the case of hardware
solutions it isn't unheard of for companies to have two of each
machine, next to each other, but one off, just so any idiot can turn
the spare on if things go wrong, we can easily add more licenses unless
the legalese is right)

If the commercial solution does what you need, and the free one
doesn't, then you have to evaluate the cost of buying, vs the cost of
implementing something.   Managers should be good at this.   Generally
it will come down to buy, but there are exceptions.

If your company is just on the edge justifying a full time sysadmin,
but doesn't have 40/hours a week worth of stuff for him to do, then the
sysadmin should be saving money by using free stuff wherever it works.
 If your company has hundreds of sysadmins, and is so complex that
despite their best efforts nobody can really keep track of everything,
then you should be more inclined to buying something that is easy to
use.

I'm sure there are more considerations too.   Any argument for or
against free software that ignores the above is flawed!  Since you have
stated a generalization that ignores the above, your argument is
flawed, even if it is correct in nearly all cases.

P.S. Note I'm using the term sysadmin, not programmer.   Programmers can
often admin, and sysadmins can often program, but the skill sets are
different.



Re: dummynet

2004-10-29 Thread TM4525
In a message dated 10/29/04 8:26:51 AM Eastern Daylight Time, 
[EMAIL PROTECTED] writes:
The boss pays his sysadmin every week, no matter what.   The Boss
expects that the systems will run with the least overall cost.
Sometimes that means buying something, sometimes that means configuring
what is there.
Unfortunately most ISPs don't know much about business, so I guess
explaining the concept of opportunity costs to you would be a waste of 
time.


Re: dummynet

2004-10-29 Thread TM4525
  The problem with dummynet is that once you do all the work and figure it
  all out, it's still only marginally functional compared to something
  relatively inexpensive. So instead of buying the $3500 box that is
  everything you need, you've spent $800 on hardware, $2000 worth of time,
  and you still have something not nearly as good.
 
 One question, have you ever used dummynet? If so, I'm curious as to why 
 you find it only marginal. Not to be rude, but if you've not used it, 
 please stop trolling.
 
 --
 
 Micheal Patterson
 TSG Network Administration
 405-917-0600

One can tell by looking at the code that it won't scale. And I know more 
than 20 people who've been bitten on the butt by trying to
use it, and then buying something when they hit the wall with it, or 
finding out it can't do what they need.

The question is, have YOU used anything else? Or are you like the old
woman who still washes her clothes in the river because those darned
mechanical things aren't worth it? 


Re: dummynet

2004-10-29 Thread Drew Tomlinson
On 10/28/2004 9:30 AM [EMAIL PROTECTED] wrote:
Why don't you guys stop torturing yourself and wasting $1000s worth 
of your time and get yourself some real bandwidth management 
software? Its cheaper in the long run.
 

FWIW, I've taken this suggestion with a grain of salt, based upon the 
general tone of this person's previous posts on a variety of subjects.  
I suggest you search the archives and draw your own conclusion.

Drew
--
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books,  More!
http://www.alchemistswarehouse.com


smime.p7s
Description: S/MIME Cryptographic Signature


Re: dummynet

2004-10-28 Thread TM4525
Why don't you guys stop torturing yourself and wasting $1000s worth 
of your time and get yourself some real bandwidth management 
software? It's cheaper in the long run.


Re: dummynet

2004-10-28 Thread James Skinner

 Why don't you guys stop torturing yourself and wasting $1000s worth
 of your time and get yourself some real bandwidth management
 software? Its cheaper in the long run.


Funny, I thought that's what Dummynet did.  It seems that you wouldn't
want to steer a user into a horribly overpriced closed-source
rate-limiting solution when it's available for free in the OS.

BTW: Nice email addr. ;)





Re: dummynet

2004-10-28 Thread TM4525
In a message dated 10/28/04 12:52:14 PM Eastern Daylight Time, 
[EMAIL PROTECTED] writes:
Funny, I thought that's what Dummynet did.  It seems that you wouldn't
want to steer a user into a horribly overpriced closed-source
rate-limiting solution when it's available for free in the OS.

BTW: Nice email addr. ;)

Ah, but it's not really available for free, because the free ones don't work
well, aren't supported and don't scale. Plus it seems that unless you
value your time at $2./hr it's already cost you more than the $800. to try to 
use the free stuff. Are you planning on completely rewriting it yourself
using dummynet as the code base? What good is open source if
the entire code base is nowhere near as good as what you can buy?
You would really struggle with an inadequate open source solution 
rather than pay for something that works?

And I wouldn't talk about email addresses, mr so liberal I can't function
normally in society. AOL buffers the 99% of mails I have no interest in 
reading, I can just block the domains of lists I don't feel like dealing
with at any given time without having to unsubscribe and subscribe,
and it uses no disk space or bandwidth in the process. It's ideal (except 
for the darned reader). 


TM


Re: dummynet

2004-10-28 Thread James Skinner

 In a message dated 10/28/04 12:52:14 PM Eastern Daylight Time,
 [EMAIL PROTECTED] writes:
Funny, I thought that's what Dummynet did.  It seems that you wouldn't
want to steer a user into a horribly overpriced closed-source
rate-limiting solution when it's available for free in the OS.

BTW: Nice email addr. ;)
 
 Ah, but it's not really available for free, because the free ones don't
 work well, aren't supported and don't scale. Plus it seems that unless you
 value your time at $2./hr it's already cost you more than the $800. to try
 to use the free stuff. Are you planning on completely rewriting it yourself
 using dummynet as the code base? What good is open source if
 the entire code base is nowhere near as good as what you can buy?
 You would really struggle with an inadequate open source solution
 rather than pay for something that works?


 And I wouldn't talk about email addresses, mr so liberal I can't function
 normally in society. AOL buffers the 99% of mails I have no interest in
 reading, I can just block the domains of lists I don't feel like dealing
 with at any given time without having to unsubscribe and subscribe,
 and it uses no disk space or bandwidth in the process. It's ideal (except
 for the darned reader).


 TM


I agree with some of that, but unless the person has the money to spend,
then using dummynet is acceptable. Not everyone can drop 10+ grand on a
nokia firewall that has everything packaged into a nice gui.

Regarding the email addr:

If you look further, you'll see the wink (I was ribbing you). Similar to
another one of threads. Obviously, you can dish it out, but can't take
it. I have seen your past replies; you offer nothing but abuse. Do you sit
around and wait for a newbie to ask a question so you can make him/her
feel stupid for asking it?

Thx



Re: dummynet

2004-10-28 Thread Micheal Patterson


- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:58 PM
Subject: Re: dummynet


 In a message dated 10/28/04 12:52:14 PM Eastern Daylight Time,
 [EMAIL PROTECTED] writes:
 Funny, I thought that's what Dummynet did.  It seems that you wouldn't
 want to steer a user into a horribly overpriced closed-source
 rate-limiting solution when it's available for free in the OS.

 BTW: Nice email addr. ;)
 
 Ah, but it's not really available for free, because the free ones don't
 work well, aren't supported and don't scale. Plus it seems that unless you
 value your time at $2./hr it's already cost you more than the $800. to try
 to use the free stuff. Are you planning on completely rewriting it yourself
 using dummynet as the code base? What good is open source if
 the entire code base is nowhere near as good as what you can buy?
 You would really struggle with an inadequate open source solution
 rather than pay for something that works?

snip


 TM

I'm just curious to know if you've ever actually looked at the hardware
options to see what OS they function on. I think you'd be surprised to find
that many of the more popular ones, are running on some flavor of either BSD
or Linux. On the support issue, dummynet is supported by its developer,
Luigi Rizzo and he literally begs you to contact him directly if you locate
a bug in the subsystem, need some questions answered and even offers his
support under contract if you prefer.

3. Support
If you have found some bug, please report it to me by email, but don't
forget to include information on which version of FreeBSD and dummynet you
are using, your rules (ipfw show; ipfw pipe show), your configuration
(bridge or router) etc.
If you have a simple question, again just email me and i generally try to
reply as soon as possible. Again, please supply details!
For more complex things (like i have no time to learn how to use it, i just
want this work done), or customizations and additions of new features to
dummynet/ipfw, I am available (through my department) for doing support on a
contract basis.
Email [EMAIL PROTECTED] for discussing details.

As far as being nowhere as good as you can buy, take a WatchGuard Firebox
X1000 for example, they're pretty popular because they work. People that use
them always tell me they prefer them to any *Nix based solution. By that
statement, I know they've not really looked into that unit because the
developers plainly state that it runs on a Linux hardened kernel. It
terminates vpn connections, both ipsec and pptp, rate limits, nats and
firewalls. All of the very same features you can do with Linux or FreeBSD
using the appropriate packages.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.



Re: dummynet

2004-10-28 Thread TM4525
In a message dated 10/28/04 5:18:03 PM Eastern Daylight Time, 
[EMAIL PROTECTED] writes:


I agree with some of that, but unless the person has the money to spend,
then using dummynet is acceptable. Not everyone can drop 10+ grand on a
nokia firewall that has everything packaged into a nice gui.
A commercial add-on for FreeBSD is $800. Half a week's salary for a
marginal programmer, and it actually works. Unless you live in Russia
(or the Russian Federation or whatever the heck they call it now) and
make $22/week I don't see the point of torturing yourself.


Re: dummynet

2004-10-28 Thread TM4525
In a message dated 10/28/04 6:07:18 PM Eastern Daylight Time, 
[EMAIL PROTECTED] writes:
As far as being nowhere as good as you can buy, take a WatchGuard Firebox
X1000 for example, they're pretty popular because they work. People that use
them always tell me they prefer them to any *Nix based solution. By that
statement, I know they've not really looked into that unit because the
developers plainly state that it runs on a Linux hardened kernel. It
terminates vpn connections, both ipsec and pptp, rate limits, nats and
firewalls. All of the very same features you can do with Linux or FreeBSD
using the appropriate packages.
---
I never said anything about the O/S not being able to do it...

works is a relative term. Most of the linux firewall/bwmgt boxes are just
the same marginal stuff in the native O/S with a front end. It's better than
nothing, but no better than dummynet, so no sense bringing them up. Allot's
stuff runs on linux, etinc's stuff runs on both linux and freebsd. So it
certainly can be done on un*x.

The problem with dummynet is that once you do all the work and figure it all
out, it's still only marginally functional compared to something relatively
inexpensive. So instead of buying the $3500 box that is everything you need,
you've spent $800 on hardware, $2000 worth of time, and you still have
something not nearly as good.


Re: dummynet

2004-10-28 Thread synrat
I think most commercial vendors use some kind of QOS from
FreeBSD or Linux anyway. Besides I don't think that buying
a $1000 device for better quality of my $14/month Vonage line
is a good idea.
James Skinner wrote:
Why don't you guys stop torturing yourself and wasting $1000s worth
of your time and get yourself some real bandwidth management
software? Its cheaper in the long run.

Funny, I thought that's what Dummynet did.  It seems that you wouldn't
want to steer a user into a horribly overpriced closed-source
rate-limiting solution when it's available for free in the OS.
BTW: Nice email addr. ;)



Re: dummynet

2004-10-28 Thread Micheal Patterson
- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 5:39 PM
Subject: Re: dummynet


In a message dated 10/28/04 6:07:18 PM Eastern Daylight Time,
[EMAIL PROTECTED] writes:
As far as being nowhere as good as you can buy, take a WatchGuard Firebox
X1000 for example, they're pretty popular because they work. People that use
them always tell me they prefer them to any *Nix based solution. By that
statement, I know they've not really looked into that unit because the
developers plainly state that it runs on a Linux hardened kernel. It
terminates vpn connections, both ipsec and pptp, rate limits, nats and
firewalls. All of the very same features you can do with Linux or FreeBSD
using the appropriate packages.
---
I never said anything about the O/S not being able to do it...
works is a relative term. Most of the linux firewall/bwmgt boxes are just
the same marginal stuff in the native O/S with a front end. It's better than
nothing, but no better than dummynet, so no sense bringing them up. Allot's
stuff runs on linux, etinc's stuff runs on both linux and freebsd. So it
certainly can be done on un*x.

The problem with dummynet is that once you do all the work and figure it all
out, it's still only marginally functional compared to something relatively
inexpensive. So instead of buying the $3500 box that is everything you need,
you've spent $800 on hardware, $2000 worth of time, and you still have
something not nearly as good.
One question, have you ever used dummynet? If so, I'm curious as to why 
you find it only marginal. Not to be rude, but if you've not used it, 
please stop trolling.

--
Micheal Patterson
TSG Network Administration
405-917-0600
Confidentiality Notice:  This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message 



Re: dummynet

2004-10-18 Thread synrat
thanx man, but this doesn't work.
it seems wrong too
${fwcmd} add pipe 1 { tcp or udp } from ${oip} to any 21
wouldn't this be the right way ?
${fwcmd} add pipe 1 tcp from ${oip} 21 to any out via ${oif}

NetAdmin wrote:
try this, it works for me.
${fwcmd} add pipe 1 { tcp or udp } from ${oip} to any 21
${fwcmd} pipe 1 config mask src-ip 0x00ff bw 128Kbit/s queue
20Kbytes
You can set the 128Kbit/s to anything but I'm not sure I'd use 2Kbit/s.
You may need to play with the 0x00ff.  Just install whatmask from
/usr/ports/net-mgmt/whatmask
Regards
On Sun, 2004-10-17 at 23:49, synrat wrote:

yeah it kinda seems broken. i can see the pipes being
hit by traffic, but no bandwidth limitation is done whatsoever.
I tried specifying dedicated port based pipes, that didn't work,
I tried using queues for port specification while specifying pipes
with the same port numbers, that didn't work. I tried connecting
pipes to the queues, no result as well.
for example, to limit outgoing ftp, I tried this,
${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
${fwcmd} pipe 6 config bw $2Kbit/s
no effect.
${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
${fwcmd} pipe 6 config bw $2Kbit/s
${fwcmd} add queue 6 tcp from ${oip} 21 to any out
no effect.
${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
${fwcmd} pipe 6 config bw $2Kbit/s
${fwcmd} add queue 6 tcp from ${oip} 21 to any out
${fwcmd} queue 6 config pipe 6


setsockopt error.
I guess it craps out when trying to bind queue to the pipe. Why ?? who 
knows I really can't make much sense from what I've read about 
dummynet in ipfw and dummynet man pages, if anyone knows of a good 
manual, please let me know.




Drew Tomlinson wrote:
On 10/11/2004 5:47 PM synrat wrote:

Can someone tell me about a good way to troubleshoot pipes/queues or 
point me in the right direction. I'm trying to restrict outgoing ftp 
traffic and create some pipes for VOIP. dummynet and pipe rules load 
fine ( and are in the kernel ) but seem to have no effect. I did read 
the manual pages 20 times over. I tried adding pipes before doing 
config bw on them, but that didn't make any difference.
thanx a lot in advance.

I have tried using DUMMYNET also and don't see any effect.  If you find 
an answer, please let me know.  It's my goal to give highest priority to 
ssh connection, next highest priority to the traffic originating on 
machine bigdaddy port 8080, and then all remaining traffic gets passed 
when there's nothing else going on.  I have DSL with a 128K uplink.  
Here is my rule set in case someone can find my error:

#   Flush before we define
  $fwcmd -f queue flush
  $fwcmd -f pipe flush
  $fwcmd pipe 1 config queue 128Kbyte
  $fwcmd queue 1 config pipe 1 weight 85 queue 8Kbyte
  $fwcmd queue 2 config pipe 1 weight 1 queue 112Kbyte
  $fwcmd queue 3 config pipe 1 weight 100 queue 8Kbyte
  $fwcmd add queue 1 ip from bigdaddy 8080 to any out via $oif
  $fwcmd add queue 3 ip from any 22 to any out via $oif
  $fwcmd add queue 2 ip from not bigdaddy not 8080 to any out via $oif
  $fwcmd add queue 2 ip from bigdaddy not 8080 to any out via $oif
And I have these options compiled into my kernel:
options IPFIREWALL
options DUMMYNET
options HZ=1000
Thanks,
Drew


Re: dummynet

2004-10-17 Thread Drew Tomlinson
On 10/11/2004 5:47 PM synrat wrote:
Can someone tell me about a good way to troubleshoot pipes/queues or 
point me in the right direction. I'm trying to restrict outgoing ftp 
traffic and create some pipes for VOIP. dummynet and pipe rules load 
fine ( and are in the kernel ) but seem to have no effect. I did read 
the manual pages 20 times over. I tried adding pipes before doing 
config bw on them, but that didn't make any difference.
thanx a lot in advance.
I have tried using DUMMYNET also and don't see any effect.  If you find 
an answer, please let me know.  It's my goal to give highest priority to 
ssh connection, next highest priority to the traffic originating on 
machine bigdaddy port 8080, and then all remaining traffic gets passed 
when there's nothing else going on.  I have DSL with a 128K uplink.  
Here is my rule set in case someone can find my error:

#   Flush before we define
   $fwcmd -f queue flush
   $fwcmd -f pipe flush
   $fwcmd pipe 1 config queue 128Kbyte
   $fwcmd queue 1 config pipe 1 weight 85 queue 8Kbyte
   $fwcmd queue 2 config pipe 1 weight 1 queue 112Kbyte
   $fwcmd queue 3 config pipe 1 weight 100 queue 8Kbyte
   $fwcmd add queue 1 ip from bigdaddy 8080 to any out via $oif
   $fwcmd add queue 3 ip from any 22 to any out via $oif
   $fwcmd add queue 2 ip from not bigdaddy not 8080 to any out via $oif
   $fwcmd add queue 2 ip from bigdaddy not 8080 to any out via $oif
And I have these options compiled into my kernel:
options IPFIREWALL
options DUMMYNET
options HZ=1000
Thanks,
Drew
--
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books,  More!
http://www.alchemistswarehouse.com


smime.p7s
Description: S/MIME Cryptographic Signature


Re: dummynet

2004-10-17 Thread synrat
yeah it kinda seems broken. i can see the pipes being
hit by traffic, but no bandwidth limitation is done whatsoever.
I tried specifying dedicated port based pipes, that didn't work,
I tried using queues for port specification while specifying pipes
with the same port numbers, that didn't work. I tried connecting
pipes to the queues, no result as well.
for example, to limit outgoing ftp, I tried this,
${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
${fwcmd} pipe 6 config bw $2Kbit/s
no effect.
${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
${fwcmd} pipe 6 config bw $2Kbit/s
${fwcmd} add queue 6 tcp from ${oip} 21 to any out
no effect.
${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
${fwcmd} pipe 6 config bw $2Kbit/s
${fwcmd} add queue 6 tcp from ${oip} 21 to any out
${fwcmd} queue 6 config pipe 6


setsockopt error.
I guess it craps out when trying to bind queue to the pipe. Why ?? who 
knows I really can't make much sense from what I've read about 
dummynet in ipfw and dummynet man pages, if anyone knows of a good 
manual, please let me know.




Drew Tomlinson wrote:
On 10/11/2004 5:47 PM synrat wrote:
Can someone tell me about a good way to troubleshoot pipes/queues or 
point me in the right direction. I'm trying to restrict outgoing ftp 
traffic and create some pipes for VOIP. dummynet and pipe rules load 
fine ( and are in the kernel ) but seem to have no effect. I did read 
the manual pages 20 times over. I tried adding pipes before doing 
config bw on them, but that didn't make any difference.
thanx a lot in advance.

I have tried using DUMMYNET also and don't see any effect.  If you find 
an answer, please let me know.  It's my goal to give highest priority to 
ssh connection, next highest priority to the traffic originating on 
machine bigdaddy port 8080, and then all remaining traffic gets passed 
when there's nothing else going on.  I have DSL with a 128K uplink.  
Here is my rule set in case someone can find my error:

#   Flush before we define
   $fwcmd -f queue flush
   $fwcmd -f pipe flush
   $fwcmd pipe 1 config queue 128Kbyte
   $fwcmd queue 1 config pipe 1 weight 85 queue 8Kbyte
   $fwcmd queue 2 config pipe 1 weight 1 queue 112Kbyte
   $fwcmd queue 3 config pipe 1 weight 100 queue 8Kbyte
   $fwcmd add queue 1 ip from bigdaddy 8080 to any out via $oif
   $fwcmd add queue 3 ip from any 22 to any out via $oif
   $fwcmd add queue 2 ip from not bigdaddy not 8080 to any out via $oif
   $fwcmd add queue 2 ip from bigdaddy not 8080 to any out via $oif
And I have these options compiled into my kernel:
options IPFIREWALL
options DUMMYNET
options HZ=1000
Thanks,
Drew


Re: dummynet

2004-10-17 Thread NetAdmin
try this, it works for me.

${fwcmd} add pipe 1 { tcp or udp } from ${oip} to any 21
${fwcmd} pipe 1 config mask src-ip 0x00ff bw 128Kbit/s queue
20Kbytes
You can set the 128Kbit/s to anything but I'm not sure I'd use 2Kbit/s.
You may need to play with the 0x00ff.  Just install whatmask from
/usr/ports/net-mgmt/whatmask

Regards

On Sun, 2004-10-17 at 23:49, synrat wrote:

 yeah it kinda seems broken. i can see the pipes being
 hit by traffic, but no bandwidth limitation is done whatsoever.
 I tried specifying dedicated port based pipes, that didn't work,
 I tried using queues for port specification while specifying pipes
 with the same port numbers, that didn't work. I tried connecting
 pipes to the queues, no result as well.
 
 for example, to limit outgoing ftp, I tried this,
 
   ${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
   ${fwcmd} pipe 6 config bw $2Kbit/s
 
 no effect.
 
   ${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
   ${fwcmd} pipe 6 config bw $2Kbit/s
   ${fwcmd} add queue 6 tcp from ${oip} 21 to any out
 
 no effect.
 
   ${fwcmd} add pipe 6 tcp from ${oip} 21 to any out xmit ${oif}
   ${fwcmd} pipe 6 config bw $2Kbit/s
   ${fwcmd} add queue 6 tcp from ${oip} 21 to any out
   ${fwcmd} queue 6 config pipe 6
   
   
 setsockopt error.
 
 I guess it craps out when trying to bind queue to the pipe. Why ?? who 
 knows I really can't make much sense from what I've read about 
 dummynet in ipfw and dummynet man pages, if anyone knows of a good 
 manual, please let me know.
 
 
 
 
 
 
 
 Drew Tomlinson wrote:
  On 10/11/2004 5:47 PM synrat wrote:
  
  Can someone tell me about a good way to troubleshoot pipes/queues or 
  point me in the right direction. I'm trying to restrict outgoing ftp 
  traffic and create some pipes for VOIP. dummynet and pipe rules load 
  fine ( and are in the kernel ) but seem to have no effect. I did read 
  the manual pages 20 times over. I tried adding pipes before doing 
  config bw on them, but that didn't make any difference.
  thanx a lot in advance.
  
  
  I have tried using DUMMYNET also and don't see any effect.  If you find 
  an answer, please let me know.  It's my goal to give highest priority to 
  ssh connection, next highest priority to the traffic originating on 
  machine bigdaddy port 8080, and then all remaining traffic gets passed 
  when there's nothing else going on.  I have DSL with a 128K uplink.  
  Here is my rule set in case someone can find my error:
  
  #   Flush before we define
 $fwcmd -f queue flush
 $fwcmd -f pipe flush
  
 $fwcmd pipe 1 config queue 128Kbyte
 $fwcmd queue 1 config pipe 1 weight 85 queue 8Kbyte
 $fwcmd queue 2 config pipe 1 weight 1 queue 112Kbyte
 $fwcmd queue 3 config pipe 1 weight 100 queue 8Kbyte
  
 $fwcmd add queue 1 ip from bigdaddy 8080 to any out via $oif
 $fwcmd add queue 3 ip from any 22 to any out via $oif
 $fwcmd add queue 2 ip from not bigdaddy not 8080 to any out via $oif
 $fwcmd add queue 2 ip from bigdaddy not 8080 to any out via $oif
  
  And I have these options compiled into my kernel:
  
  options IPFIREWALL
  options DUMMYNET
  options HZ=1000
  
  Thanks,
  
  Drew
  
 

-- 
NetAdmin for the FoxChat.Net IRC Network.
The FoxSurfer Group




Re: dummynet

2004-10-12 Thread Alex de Kruijff
On Mon, Oct 11, 2004 at 08:47:56PM -0400, synrat wrote:
 Can someone tell me about a good way to troubleshoot pipes/queues or 
 point me in the right direction. I'm trying to restrict outgoing ftp 
 traffic and create some pipes for VOIP. dummynet and pipe rules load 
 fine ( and are in the kernel ) but seem to have no effect. I did read 
 the manual pages 20 times over. I tried adding pipes before doing 
 config bw on them, but that didn't make any difference.
 thanx a lot in advance.

Your example seems to be correct. You can use the log keyword to
diagnose your situation. See the manual ipfw for this.

I'll bet you just didn't compile DUMMYNET into your kernel. There are
no loadable modules for dummynet. See the handbook on how to do this.
www.freebsd.org/handbook

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.
WWW: http://www.kruijff.org/alex/FreeBSD/


Re: dummynet

2004-10-12 Thread Alex de Kruijff
There seems to be a problem with your address. Please fix this.

Your message cannot be delivered to the following recipients:   

  Recipient address: [EMAIL PROTECTED]
  Reason: Illegal host/domain name found  

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.
WWW: http://www.kruijff.org/alex/FreeBSD/


Re: dummynet

2004-10-11 Thread NetAdmin
This is what I have on one of my subnet IPs.  Did it this way to keep
my kids from sucking up all the upstream from p2p clients and webcam
with their friends.  There may be a better way to do it and I'm almost
sure there is, but this seems to do what I need it to do.  Hope it
helps.
inwr2 = subnet IP/24 Example - 172.16.0.0/24
iif2 = inside interface nic Example - ed0

 if [ -n "${natd_interface}" ]; then
     ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
 fi

 ${fwcmd} add 150 skipto 2 ip from any to any bridged

 ${fwcmd} add 151 pipe 1 { tcp or udp } from ${inwr2} to any 80-65000 via ${iif2}
 ${fwcmd} pipe 1 config mask src-ip 0x00ff bw 128Kbit/s queue 20Kbytes

 ${fwcmd} add 152 pipe 2 all from ${inwr2} to any out via ${iif2}
 ${fwcmd} pipe 2 config mask src-ip 0x00ff bw 768Kbit/s queue 20Kbytes

 ${fwcmd} add 153 pipe 3 all from any to ${inwr2} in via ${iif2}
 ${fwcmd} pipe 3 config mask dst-ip 0x00ff bw 1280Kbit/s queue 20Kbytes

#ipfw show

00151   112861   101818182  pipe 1 { tcp or udp } from 172.16.0.0/24 to any dst-port 80-65000 via ed0
0015241312   pipe 2 ip from 172.16.0.0/24 to any out via ed0
00153   62   10299 pipe 3 ip from any to 172.16.0.0/24 in via ed0

On Mon, 2004-10-11 at 20:47, synrat wrote:

 Can someone tell me about a good way to troubleshoot pipes/queues or 
 point me in the right direction. I'm trying to restrict outgoing ftp 
 traffic and create some pipes for VOIP. dummynet and pipe rules load 
 fine ( and are in the kernel ) but seem to have no effect. I did read 
 the manual pages 20 times over. I tried adding pipes before doing 
 config bw on them, but that didn't make any difference.
 thanx a lot in advance.
 
 something like this :
 
  # APPLIES TO INCOMING PACKETS (DOWNLOADS)
 
  ${fwcmd} pipe 1 config bw 1300Kbit/s
  ${fwcmd} pipe 3 config bw 100Kbit/s
 
  ${fwcmd} queue 1 config weight 5 pipe 1
  ${fwcmd} add queue 1 ip from any to 192.168.1.4
  ${fwcmd} queue 2 config weight 5 pipe 1
  ${fwcmd} add queue 2 ip from any to 192.168.1.3
  ${fwcmd} queue 3 config weight 10 pipe 3
  ${fwcmd} add queue 3 udp from any to 192.168.1.2
 
   # APPLIES TO OUTGOING PACKETS (UPLOADS)
 
  ${fwcmd} pipe 2 config bw 1000Kbit/s
  ${fwcmd} pipe 4 config bw 100Kbit/s
 
   ${fwcmd} queue 4 config weight 5 pipe 2
  ${fwcmd} add queue 4 ip from 192.168.1.4 to any
  ${fwcmd} queue 5 config weight 5 pipe 2
  ${fwcmd} add queue 5 ip from 192.168.1.3 to any
  ${fwcmd} queue 6 config weight 10 pipe 4
  ${fwcmd} add queue 6 udp from 192.168.1.2 to any
 
   
   THIS IS FOR OUTGOING FTP
 
  ${fwcmd} add pipe 7 tcp from 216.254.116.226 21 to any out via ${oif}
  ${fwcmd} pipe 7 config bw 3Kbit/s
 
 
 

-- 
NetAdmin for the FoxChat.Net IRC Network.
The FoxSurfer Group




Re: Dummynet+Firewall+One_pass question

2004-04-23 Thread Alex de Kruijff
On Thu, Apr 22, 2004 at 04:25:53PM -0300, Marcelo Pinheiro wrote:
 Hi,
 
 I am very new to FreeBSD, and I have a quite simple question: How does IPFW
 work when I use PIPES, divert and some other Firewall rules?
 What does net.inet.ip.fw.one_pass mean? For instance, if I use a pipe before
 a divert with one_pass set to 1, the packet passes through the pipe, but
 does not pass through the divert and that makes total sense. However if I
 set one_pass to 1 and set the pipe after the divert using the internal IP
 address ( RFC 1918 ) it works that does not make any sense, at least to
 me. :)

man ipfw gives me:
 pipe pipe_nr
     Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation,
     delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
     Section for further information.  The search terminates; however,
     on exit from the pipe and if the sysctl(8) variable
     net.inet.ip.fw.one_pass is not set, the packet is passed again to
     the firewall code starting from the next rule.

 Here are some sample rules:
 
 # INTERNAL NETWORK
 ${fwcmd} pipe 1000 config bw 1024Kbit/s
 ${fwcmd} pipe 1001 config bw 1024Kbit/s
 
 ${fwcmd} add divert natd all from 10.0.0.0/8 to any
 ${fwcmd} add divert natd all from any to 200.x.x.x
 
 ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
 ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
 
 If I set the way above, it works fine, even if the one_pass is set to 1 (
 one ). The divert changes the packet header to my external IP, and my real
 question is: How in the world the pipe works if the header is changed to
 200, instead of 10?
 
 THIS WAY IT DOES NOT WORK WITH ONE_PASS SET TO 1, it passes through the
 pipe, but does not pass through the divert:
 
 # INTERNAL NETWORK
 ${fwcmd} pipe 1000 config bw 1024Kbit/s
 ${fwcmd} pipe 1001 config bw 1024Kbit/s
 
 ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
 ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
 
 ${fwcmd} add divert natd all from 10.0.0.0/8 to any
 ${fwcmd} add divert natd all from any to 200.x.x.x
 
 I deeply appreciate any ideas.

That's because the packets that meet the pipe rules are also allowed and
thus never meet the divert rule.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
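
The ordering problem in this exchange, as an added example that is not part of the original messages and is not FreeBSD code: a simplified Python model of one trip of an outbound packet through the pipe-first rule set quoted above, with net.inet.ip.fw.one_pass set and unset. The rule numbers, `PUBLIC_IP`, `REMOTE_IP` and the helper names are assumptions, and natd is reduced to rewriting a private source address.

```python
# Added illustration (not FreeBSD code): a simplified model of one trip of an
# outbound packet through an ipfw rule set containing pipe and divert rules.
import ipaddress
from dataclasses import dataclass

PRIVATE_NET = "10.0.0.0/8"
PUBLIC_IP = "203.0.113.1"    # constructed stand-in for the elided 200.x.x.x
REMOTE_IP = "198.51.100.7"   # constructed destination host


@dataclass
class Rule:
    number: int   # assumed auto-assigned numbers (steps of 100)
    action: str   # "pipe" or "divert"
    arg: str      # pipe number, or the divert target
    src: str      # CIDR, single address, or "any"
    dst: str


def matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def traverse(rules, src, dst, one_pass):
    """Return the events for one packet; the first matching rule acts first."""
    events = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not (matches(rule.src, src) and matches(rule.dst, dst)):
            continue
        events.append(f"{rule.number} {rule.action} {rule.arg} src={src}")
        if rule.action == "pipe" and one_pass:
            # one_pass=1: the packet is accepted when it leaves the pipe.
            events.append("accept")
            return events
        if rule.action == "divert" and matches(PRIVATE_NET, src):
            # natd rewrites the private source; search resumes at next rule.
            src = PUBLIC_IP
        # pipe with one_pass=0: the search also resumes at the next rule.
    events.append("default rule")
    return events


# The rule order that failed in the thread: pipes ahead of the diverts.
PIPE_FIRST = [
    Rule(100, "pipe", "1038", PRIVATE_NET, "any"),
    Rule(200, "pipe", "1039", "any", PRIVATE_NET),
    Rule(300, "divert", "natd", PRIVATE_NET, "any"),
    Rule(400, "divert", "natd", "any", PUBLIC_IP),
]


def was_translated(events):
    """True if any divert rule saw the packet."""
    return any(" divert " in e for e in events)


if __name__ == "__main__":
    for one_pass in (1, 0):
        trip = traverse(PIPE_FIRST, "10.0.0.5", REMOTE_IP, bool(one_pass))
        print(f"one_pass={one_pass}: {trip} nat={was_translated(trip)}")
```
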


Re: dummynet and adsl

2004-03-18 Thread Luigi Rizzo
On Thu, Mar 18, 2004 at 11:57:28AM +0100, Francis GUDIN wrote:
 Hello everybody,
 
 I'm in the process of setting up a bandwidth control with ipfw and
 dummynet. My connection is done through pppoe on adsl.
 
 In ipfw(8), i found the following:
  If a device name is specified instead of a numeric value, as in
 
ipfw pipe 1 config bw tun0
 
   then the transmit clock is supplied by the specified device.  At
   the moment only the tun(4) device supports this functionality,
   for use in conjunction with ppp(8).
 
 Having two different bandwidth available (up- and downstream), would
 this option work? Or, is only symmetric bw case taken into account

'bw tun0' means that the pipe will transmit a new packet when
the device's (tun0 in this case) transmit queue becomes empty.

In any case the question is irrelevant here because tun0's queue
is drained by the userland process reading from /dev/tun0
and writing onto the output link. With a serial line and no
buffering you could hope that this matches the outbound
bandwidth, but with pppoe on adsl you basically see the
ethernet speed on transmission.

cheers
luigi


Re: dummynet and adsl

2004-03-18 Thread Francis GUDIN
On Thursday, 18 March 2004 at  8:08:49 -0800, Luigi Rizzo wrote :
 On Thu, Mar 18, 2004 at 11:57:28AM +0100, Francis GUDIN wrote:
  Hello everybody,
  
  I'm in the process of setting up a bandwidth control with ipfw and
  dummynet. My connection is done through pppoe on adsl.
  
  In ipfw(8), i found the following:
   If a device name is specified instead of a numeric value, as in
  
 ipfw pipe 1 config bw tun0
  
then the transmit clock is supplied by the specified device.  At
the moment only the tun(4) device supports this functionality,
for use in conjunction with ppp(8).
  
  Having two different bandwidth available (up- and downstream), would
  this option work? Or, is only symmetric bw case taken into account
 
 'bw tun0' means that the pipe will transmit a new packet when
 the device's (tun0 in this case) transmit queue becomes empty.
 
 In any case the question is irrelevant here because tun0's queue
 is drained by the userland process reading from /dev/tun0
 and writing onto the output link. With a serial line and no
 buffering you could hope that this matches the outbound
 bandwidth, but with pppoe on adsl you basically see the
 ethernet speed on transmission.
 
   cheers
   luigi
 

Thank you ! Things are much clearer to me, now. Back to work !

BR,
Francis.


Re: Dummynet Pipes

2003-09-18 Thread Sunil Sunder Raj
Hi,

Check this out

pipe 1 config bw 512kbit/s
queue 1 config pipe 1
add 150 queue 1 all from 78.77.76.21 to any
pipe 2 config bw 512kbit/s
queue 2 config pipe 2
add 151 queue 2 all from any to 78.77.76.21

Regards
SSR

From: Colin Watson [EMAIL PROTECTED]
Reply-To: Colin Watson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Dummynet Pipes
Date: Fri, 12 Sep 2003 15:04:16 +0100

I've got a question about dummynet pipes, basically I've installed two 
rules per user to control their traffic flow:

add 150 pipe 15 ip from 78.77.76.21 to any out
pipe 15 config bw 512Kbit/s queue 10
add 160 pipe 16 ip from any to 78.77.76.21 in
pipe 16 config bw 512Kbit/s queue 10

However, the first (outbound traffic) rule is not kicking in. And the users 
can upload at whatever capacity is on the backbone. Just wondering if I've 
configured it correctly, or if something is missing - Any help appreciated.

Colin


Re: Dummynet Pipes

2003-09-13 Thread Alex de Kruijff
On Fri, Sep 12, 2003 at 03:04:16PM +0100, Colin Watson wrote:
 I've got a question about dummynet pipes, basically I've installed two rules per 
 user to control their traffic flow: 
 
 add 150 pipe 15 ip from 78.77.76.21 to any out
 pipe 15 config bw 512Kbit/s queue 10
 add 160 pipe 16 ip from any to 78.77.76.21 in
 pipe 16 config bw 512Kbit/s queue 10
 
 However, the first (outbound traffic) rule is not kicking in. And the users can 
 upload at whatever capacity is on the backbone. Just wondering if I've configured it 
 correctly, or if something is missing - Any help appreciated.
 

First, would you please adjust your mailer so that your lines are less
than 72 chars? 

It looks ok to me. What is the output of 'ipfw s'?

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/


Re: dummynet and ipfw

2003-01-05 Thread Avleen Vig
On Sun, 5 Jan 2003, master wrote:

 Hi all i have a little problem with ipfw
 i have try the following command :
 ipfw add 100 pipe 1 ip from 192.168.1.5 to any
 and i have no more network then i try a ping and get
 ping : sendto : No buffer space invalide
 any idea how can i fix this?

Yes, you need to configure the pipe to *do* something.. otherwise it's a
pipe that just collects packets :-)
You can do it in two commands like this:

  ipfw add 100 pipe 1 ip from 192.168.1.5 to any
  ipfw pipe 1 config bw 0

'bw 0' means use unlimited bandwidth (ie, all your available bandwidth).
You can change this to a different amount, eg to limit to 5Kbytes/s:

  ipfw add 100 pipe 1 ip from 192.168.1.5 to any
  ipfw pipe 1 config bw 5KBytes/s

Packets should then flow through naturally.
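
A pre-load check for the situation described above, as an added example that is not part of the original message and is not an ipfw feature: it scans a rule script for `add ... pipe N` or `add ... queue N` rules whose pipe or queue is never configured. The sample script is constructed from rule shapes seen in these threads, and `lint` is a hypothetical helper name.

```python
# Added illustration (not an ipfw feature): find rules that send packets to a
# dummynet pipe or queue which the same script never configures.
import re

CONFIG_RE = re.compile(r"\b(pipe|queue)\s+(\d+)\s+config\b(.*)")
ADD_RE = re.compile(r"\badd\b.*?\b(pipe|queue)\s+(\d+)\b")
PARENT_RE = re.compile(r"\bpipe\s+(\d+)\b")

# Constructed sample, not a rule set copied from any one message.
SAMPLE = """\
ipfw add 100 pipe 1 ip from 192.168.1.5 to any       # pipe 1: no config
ipfw add 150 pipe 15 ip from 78.77.76.21 to any out
ipfw pipe 15 config bw 512Kbit/s queue 10
ipfw queue 2 config weight 5 pipe 3                  # pipe 3: no config
ipfw add 200 queue 2 ip from any to 192.168.1.3
ipfw add 210 queue 9 udp from any to 192.168.1.2     # queue 9: no config
"""


def lint(script):
    """Return one message per rule whose pipe or queue is not usable."""
    pipes = set()      # pipe numbers that have a 'pipe N config' line
    queues = {}        # queue number -> parent pipe number (or None)
    used = []          # (line number, "pipe" | "queue", number)
    for lineno, line in enumerate(script.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop trailing comments
        cfg = CONFIG_RE.search(line)
        if cfg:
            kind, num, opts = cfg.group(1), int(cfg.group(2)), cfg.group(3)
            if kind == "pipe":
                pipes.add(num)
            else:
                parent = PARENT_RE.search(opts)
                queues[num] = int(parent.group(1)) if parent else None
            continue
        ref = ADD_RE.search(line)
        if ref:
            used.append((lineno, ref.group(1), int(ref.group(2))))

    problems = []
    # Configs may appear after the rules, so check only once all are read.
    for lineno, kind, num in used:
        if kind == "pipe":
            if num not in pipes:
                problems.append(f"line {lineno}: pipe {num} is never configured")
        elif num not in queues:
            problems.append(f"line {lineno}: queue {num} is never configured")
        elif queues[num] is None:
            problems.append(f"line {lineno}: queue {num} has no parent pipe")
        elif queues[num] not in pipes:
            problems.append(
                f"line {lineno}: queue {num} uses unconfigured pipe {queues[num]}")
    return problems


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
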

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



RE: Dummynet ports

2002-10-07 Thread Danny.Carroll

Ummm  Instead of having a new machine, you *can* setup a jail environment specifically 
for ftp, divert(with nat) everything ftp'ish to the jail's ip address and just 
bandwidth limit the jail.

-D

-Original Message-
From: Fernando Gleiser [mailto:[EMAIL PROTECTED]]
Sent: 04 October 2002 21:46
To: greg
Cc: [EMAIL PROTECTED]
Subject: Re: Dummynet  ports


On Fri, 4 Oct 2002, greg wrote:

 So if i did something like use wu-ftpd and use the passive ports
 directive in
 /etc/ftpaccess then i would be able to control the passive ports used
 and then pipe them with dummynet?

Yes. And no :). By doing that you can limit the bandwidth used by people
who access *your* ftp, but you can't control which ephemeral port will
be chosen by a *remote* ftpd (ie, ftp.freebsd.org) because that is
daemon/OS dependent.

The best solution I've found is to install a dedicated proxy server for
FTP/HTTP and then limit the traffic for that proxy server. But you need
an extra machine for that.


Fer


 Does this sound right?

 Thanks in advance

 greg






Re: Dummynet ports

2002-10-04 Thread Fernando Gleiser

On Fri, 4 Oct 2002, greg wrote:

 I have dummynet working fine for controlling bandwidth.

 My question is can i control bandwidth on certain ports ie, ftp?

Yes you can. With http you say 'ipfw add pipe 1 tcp from any 80 to dest'
and then configure the pipe.
With FTP it is a bit more complicated, because of the way FTP works.
You need to add a rule for active mode FTP and another for passive mode.
With active mode it's easy, just replace 80 with 20 in the example and
you are done. With passive it is not that easy because the server uses
an ephemeral port, and the range for that ephemeral port depends on things
like operating system, ftp server and the like.


Ftp is bad, kay? ftp is brain damaged, mmmkay? :)

Learning how to set up FTP (both incoming and outgoing) through a firewall,
without opening it too much is one of the passage rites for the serious
firewall sysadmin.


Fer


 Instead of slowing the entire box down?

 -g





Re: Dummynet ports

2002-10-04 Thread Fernando Gleiser

On Fri, 4 Oct 2002, greg wrote:

 So if i did something like use wu-ftpd and use the passive ports
 directive in
 /etc/ftpaccess then i would be able to control the passive ports used
 and then pipe them with dummynet?

Yes. And no :). By doing that you can limit the bandwidth used by people
who access *your* ftp, but you can't control which ephemeral port will
be chosen by a *remote* ftpd (ie, ftp.freebsd.org) because that is
daemon/OS dependent.

The best solution I've found is to install a dedicated proxy server for
FTP/HTTP and then limit the traffic for that proxy server. But you need
an extra machine for that.


Fer


 Does this sound right?

 Thanks in advance

 greg


