Re: ipnat and ipfw dummynet

2004-06-05 Thread Micheal Patterson


- Original Message - 
From: Nelis Lamprecht [EMAIL PROTECTED]
To: FreeBSD Questions Mail List [EMAIL PROTECTED]
Sent: Friday, June 04, 2004 7:43 AM
Subject: ipnat and ipfw dummynet


Sorry, I failed to point out my current network configuration.

I have 2 internal networks which use NAT, one class C ( 192.96.48.0/24 )
and one rfc1918 ( 192.168.1.0/24 ).

The internal interface (bge1) is configured with the class C network and
I have added a route to bge1 for 192.168.1.0/24. All traffic on the
192.96.48.0/24 network internally is routed via the gateway to get to
the 192.168.1.0 network.

Hope that makes sense.

Nelis

On Fri, 2004-06-04 at 14:43, Nelis Lamprecht wrote:
 Hi,

 I'm interested to hear how people utilise dummynet in a NAT environment.
 How does one create a pipe for a NAT network without affecting the
 actual LAN speed? For example, on the gateway:

 $fwcmd add pipe 1 ip from 192.168.1.0/24 to any out
 $fwcmd add pipe 2 ip from any to 192.168.1.0/24 in
 $fwcmd pipe 1 config bw 128Kbit/s
 $fwcmd pipe 2 config bw 128Kbit/s

 The above example would be fine if 192.168.1.0/24 were only talking to
 the internet but unfortunately it also affects the machines talking
 to each other internally. The only interface you can specify is the
 internal interface (bge1) because this is the only time that ipfw will
 see the addresses before they are passed to NAT (ipnat) and they will not be
 seen on the external interface (bge0). So basically the above example
 should be written as:

 $fwcmd add pipe 1 ip from 192.168.1.0/24 to any out via bge1
 $fwcmd add pipe 2 ip from any to 192.168.1.0/24 in via bge1

 This however will also give 192.168.1.0/24 an internal LAN speed of
 128Kbit/s, which is, to say the least, quite humorous ;-)

 What is the solution to this? I'm obviously missing something. The
 internal interface is not firewalled.


 Many thanks,
-- 
Nelis Lamprecht



Nelis, this may help. Remember that ipfw goes through the rulesets until it
finds a match and will stop at that point. So, to provide rate limiting as
well as allowing traffic on the LAN to go all out, place allow rules before
the pipes to specifically allow traffic between your LAN IP ranges
unhindered.

#Rate Limit Settings
$fwcmd pipe 1 config bw 128Kbit/s
$fwcmd pipe 2 config bw 128Kbit/s


#Unrestricted LAN Access Allows
$fwcmd add allow ip from 192.168.1.0/24 to 192.96.48.0/24
$fwcmd add allow ip from 192.96.48.0/24 to 192.168.1.0/24

#Rate Limit Rules
$fwcmd add pipe 1 ip from 192.168.1.0/24 to any out
$fwcmd add pipe 2 ip from any to 192.168.1.0/24 in


Hope it helps. It's been a while since I've done any rate limiting, but as I
recall, that should do the trick.

--

Micheal Patterson
TSG Network Administration
405-917-0600

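The first-match behaviour Micheal's ordering relies on, as an added example that is not part of either post: a small model of how ipfw walks a ruleset, with Nelis's pipes-first order beside the allows-first order. It models only the src/dst address patterns and the rule order (no direction, interface or ipnat translation, which this thread does not pin down), and it also flags the 192.168.0/24 pattern from the reply as posted, which does not parse as a four-octet network. The sample flows and the 203.0.113.9 Internet host are constructed.

```python
import ipaddress

LAN_PRIV, LAN_PUB = "192.168.1.0/24", "192.96.48.0/24"

def parse_net(pattern):
    """Parse an ipfw-style address pattern; 'any' (None) matches everything.
    Raises ValueError on a malformed network such as 192.168.0/24."""
    return None if pattern == "any" else ipaddress.ip_network(pattern, strict=False)

def validate(rules):
    """Return (rule_number, bad_pattern) for every pattern that does not parse."""
    bad = []
    for number, (_action, src, dst) in enumerate(rules, start=1):
        for pattern in (src, dst):
            try:
                parse_net(pattern)
            except ValueError:
                bad.append((number, pattern))
    return bad

def first_match(rules, src, dst):
    """Return (rule_number, action) of the first rule whose src/dst patterns
    match the packet: ipfw stops at the first match, so order decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, rsrc, rdst) in enumerate(rules, start=1):
        src_net, dst_net = parse_net(rsrc), parse_net(rdst)
        if (src_net is None or s in src_net) and (dst_net is None or d in dst_net):
            return number, action
    return None, "default"   # fell through to ipfw's default rule

# Rules as (action, src, dst). Nelis's ordering: the pipes come first.
PIPES_FIRST = [("pipe 1", LAN_PRIV, "any"), ("pipe 2", "any", LAN_PRIV)]

# Micheal's ordering: LAN-to-LAN allows ahead of the pipes (typo corrected).
ALLOW_FIRST = [("allow", LAN_PRIV, LAN_PUB), ("allow", LAN_PUB, LAN_PRIV)] + PIPES_FIRST

# Micheal's reply exactly as posted, with 192.168.0/24 in the second allow.
AS_POSTED = [("allow", LAN_PRIV, LAN_PUB), ("allow", LAN_PUB, "192.168.0/24")] + PIPES_FIRST

# Constructed sample flows: LAN to LAN, and LAN to a documentation-range host.
LAN_TO_LAN = ("192.168.1.10", "192.96.48.5")
LAN_TO_INET = ("192.168.1.10", "203.0.113.9")

if __name__ == "__main__":
    for name, rules in (("pipes first", PIPES_FIRST), ("allows first", ALLOW_FIRST)):
        print(name, "LAN->LAN:", first_match(rules, *LAN_TO_LAN),
              "LAN->Internet:", first_match(rules, *LAN_TO_INET))
    print("unparseable patterns in reply as posted:", validate(AS_POSTED))
```

With the pipes first, LAN-to-LAN traffic lands on pipe 1; with the allows first it is passed by rule 1 and only LAN-to-Internet traffic reaches the pipes.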

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipnat and ipfw dummynet

2004-06-04 Thread Nelis Lamprecht
Sorry, I failed to point out my current network configuration.

I have 2 internal networks which use NAT, one class C ( 192.96.48.0/24 )
and one rfc1918 ( 192.168.1.0/24 ).

The internal interface (bge1) is configured with the class C network and
I have added a route to bge1 for 192.168.1.0/24. All traffic on the
192.96.48.0/24 network internally is routed via the gateway to get to
the 192.168.1.0 network.

Hope that makes sense.

Nelis

On Fri, 2004-06-04 at 14:43, Nelis Lamprecht wrote:
 Hi,
 
 I'm interested to hear how people utilise dummynet in a NAT environment.
 How does one create a pipe for a NAT network without affecting the
 actual LAN speed? For example, on the gateway:
 
 $fwcmd add pipe 1 ip from 192.168.1.0/24 to any out
 $fwcmd add pipe 2 ip from any to 192.168.1.0/24 in
 $fwcmd pipe 1 config bw 128Kbit/s
 $fwcmd pipe 2 config bw 128Kbit/s
 
 The above example would be fine if 192.168.1.0/24 were only talking to
 the internet but unfortunately it also affects the machines talking
 to each other internally. The only interface you can specify is the
 internal interface (bge1) because this is the only time that ipfw will
 see the addresses before they are passed to NAT (ipnat) and they will not be
 seen on the external interface (bge0). So basically the above example
 should be written as:
 
 $fwcmd add pipe 1 ip from 192.168.1.0/24 to any out via bge1
 $fwcmd add pipe 2 ip from any to 192.168.1.0/24 in via bge1
 
 This however will also give 192.168.1.0/24 an internal LAN speed of
 128Kbit/s, which is, to say the least, quite humorous ;-)
 
 What is the solution to this? I'm obviously missing something. The
 internal interface is not firewalled.
 
 
 Many thanks,
-- 
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgpkey/nelis.asc
Unix IS user friendly.. It's just selective about who its friends are.

