Re: traffic shaping freebsd

2011-09-11 Thread Michael Sierchio
amending my remark... UID matching is problematic. Why are you trying to
classify packets based on that?

On Sunday, September 11, 2011, Michael Sierchio  wrote:
> You don't seem to have any rules that match packets. This won't work.
>
> On Sunday, September 11, 2011, alexus  wrote:
>> su-4.2# grep pipe /etc/ipfw.rules
>> pipe flush
>> pipe 1 config bw 1Mbit/s mask dst-port www
>> pipe 2 config bw 1Mbit/s mask src-port www
>> pipe 3 config bw 1Mbit/s mask dst-port 3128
>> add 3128 pipe 3 tcp from any to any src-port 3128 uid root
>> add 8381 pipe 1 tcp from any to any dst-port www uid daemon
>> add 8382 pipe 2 tcp from any to any src-port www uid daemon
>> su-4.2#
>>
>>
>> su-4.2# ipfw show | grep -E 'pipe 1|pipe 2' && ipfw pipe show 1 ; ipfw
>> pipe show 2
>> 08381  11190815447 pipe 1 tcp from any to any dst-port 80 uid daemon
>> 08382  14394  16926849 pipe 2 tcp from any 80 to any uid daemon
>> 1:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
>>mask: 0x00 0x/0x -> 0x/0x
>> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>>  0 tcp 64.237.55.83/64730 69.10.58.25/8011190   815447  0 0   0
>> 2:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
>>mask: 0x00 0x/0x -> 0x/0x
>> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>>  0 tcp  69.10.58.25/80   64.237.55.83/64730 14394 16926849  0 0  10
>> su-4.2# ipfw show | grep -E 'pipe 1|pipe 2' && ipfw pipe show 1 ; ipfw
>> pipe show 2
>> 08381  11218817225 pipe 1 tcp from any to any dst-port 80 uid daemon
>> 08382  14434  16979213 pipe 2 tcp from any 80 to any uid daemon
>> 1:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
>>mask: 0x00 0x/0x -> 0x/0x
>> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>>  0 tcp 64.237.55.83/64730 69.10.58.25/8011218   817225  0 0   0
>> 2:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
>>mask: 0x00 0x/0x -> 0x/0x
>> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>>  0 tcp  69.10.58.25/80   64.237.55.83/64730 14434 16979213  0 0  10
>> su-4.2#
>>
>> as you see ipfw rules matches as count is increasing, yet pipe i'm not
>> seeing any difference at all, its like it matched first time and
>> that's it...
>>
>> yet pipe shows different output
>>
>> su-4.2# ipfw show | grep 'pipe 3' && ipfw pipe show 3
>> 03128  37483  71276160 pipe 3 tcp from any 3128 to any uid root
>> 3:   1.000 Mbit/s0 ms   50 sl. 4 queues (64 buckets) droptail
>>mask: 0x00 0x/0x -> 0x/0x0c38
>> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>>  0 ip   0.0.0.0/0 0.0.0.0/105616 2383  00  0
>>  16 ip   0.0.0.0/0 0.0.0.0/1032 8 9398  0 0   0
>>  32 ip   0.0.0.0/0 0.0.0.0/20964143167  0 0   0
>>  48 ip   0.0.0.0/0 0.0.0.0/56   2 7074  0 0   0
>> su-4.2# !!
>> ipfw show | grep 'pipe 3' && ipfw pipe show 3
>> 03128  39285  74616912 pipe 3 tcp from any 3128 to any uid root
>> 3:   1.000 Mbit/s0 ms   50 sl. 4 queues (64 buckets) droptail
>>mask: 0x00 0x/0x -> 0x/0x0c38
>> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>>  0 ip   0.0.0.0/0 0.0.0.0/10561920651  00  0
>>  16 ip   0.0.0.0/0 0.0.0.0/10643641781  0 0
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: traffic shaping freebsd

2011-09-11 Thread Michael Sierchio
You don't seem to have any rules that match packets. This won't work.

On Sunday, September 11, 2011, alexus  wrote:
> su-4.2# grep pipe /etc/ipfw.rules
> pipe flush
> pipe 1 config bw 1Mbit/s mask dst-port www
> pipe 2 config bw 1Mbit/s mask src-port www
> pipe 3 config bw 1Mbit/s mask dst-port 3128
> add 3128 pipe 3 tcp from any to any src-port 3128 uid root
> add 8381 pipe 1 tcp from any to any dst-port www uid daemon
> add 8382 pipe 2 tcp from any to any src-port www uid daemon
> su-4.2#
>
>
> su-4.2# ipfw show | grep -E 'pipe 1|pipe 2' && ipfw pipe show 1 ; ipfw
> pipe show 2
> 08381  11190815447 pipe 1 tcp from any to any dst-port 80 uid daemon
> 08382  14394  16926849 pipe 2 tcp from any 80 to any uid daemon
> 1:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
>mask: 0x00 0x/0x -> 0x/0x
> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>  0 tcp 64.237.55.83/64730 69.10.58.25/8011190   815447  00  0
> 2:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
>mask: 0x00 0x/0x -> 0x/0x
> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>  0 tcp  69.10.58.25/80   64.237.55.83/64730 14394 16926849  00 10
> su-4.2# ipfw show | grep -E 'pipe 1|pipe 2' && ipfw pipe show 1 ; ipfw
> pipe show 2
> 08381  11218817225 pipe 1 tcp from any to any dst-port 80 uid daemon
> 08382  14434  16979213 pipe 2 tcp from any 80 to any uid daemon
> 1:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
>mask: 0x00 0x/0x -> 0x/0x
> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>  0 tcp 64.237.55.83/64730 69.10.58.25/8011218   817225  00  0
> 2:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
>mask: 0x00 0x/0x -> 0x/0x
> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>  0 tcp  69.10.58.25/80   64.237.55.83/64730 14434 16979213  00 10
> su-4.2#
>
> as you see ipfw rules matches as count is increasing, yet pipe i'm not
> seeing any difference at all, its like it matched first time and
> that's it...
>
> yet pipe shows different output
>
> su-4.2# ipfw show | grep 'pipe 3' && ipfw pipe show 3
> 03128  37483  71276160 pipe 3 tcp from any 3128 to any uid root
> 3:   1.000 Mbit/s0 ms   50 sl. 4 queues (64 buckets) droptail
>mask: 0x00 0x/0x -> 0x/0x0c38
> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>  0 ip   0.0.0.0/0 0.0.0.0/105616 2383  00  0
>  16 ip   0.0.0.0/0 0.0.0.0/1032 8 9398  00  0
>  32 ip   0.0.0.0/0 0.0.0.0/20964143167  00  0
>  48 ip   0.0.0.0/0 0.0.0.0/56   2 7074  00  0
> su-4.2# !!
> ipfw show | grep 'pipe 3' && ipfw pipe show 3
> 03128  39285  74616912 pipe 3 tcp from any 3128 to any uid root
> 3:   1.000 Mbit/s0 ms   50 sl. 4 queues (64 buckets) droptail
>mask: 0x00 0x/0x -> 0x/0x0c38
> BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
>  0 ip   0.0.0.0/0 0.0.0.0/10561920651  00  0
>  16 ip   0.0.0.0/0 0.0.0.0/10643641781  00  0
>  32 ip   0.0.0.0/0 0.0.0.0/10724353920  00  0
>  48 ip   0.0.0.0/0 0.0.0.0/2104 3  595  00  0
> su-4.2#
>
> why is it seeing source ip/port as 0/0 and dest 0/? i dont understand
> that at all
>
> On Sun, Sep 11, 2011 at 7:06 PM, Michael Sierchio wrote:
>> On Sun, Sep 11, 2011 at 3:38 PM, alexus  wrote:
>>> thanks, but did u actually tried it?
>>
>> If what you're asking is, "does traffic shaping work?"  the answer is
>> yes.  There are some provisos - you must create an outbound pipe and
>> an inbound pipe that accurately reflect the observed network
>> performance (not what your ISP told you).  This is because when you
>> create queues of different weights, the weights are only imposed when
>> one or more queues are full.
>>
>> See http://info.iet.unipi.it/~luigi/dummynet/
>>
>> The place to start is to find out what kind of upload and download
>> throughput you get, then create pipes that are 95% of those observed
>> values (one up, one down), then instantiate queues with different
>> weights on each pipe, then cre

Re: traffic shaping freebsd

2011-09-11 Thread alexus
su-4.2# grep pipe /etc/ipfw.rules
pipe flush
pipe 1 config bw 1Mbit/s mask dst-port www
pipe 2 config bw 1Mbit/s mask src-port www
pipe 3 config bw 1Mbit/s mask dst-port 3128
add 3128 pipe 3 tcp from any to any src-port 3128 uid root
add 8381 pipe 1 tcp from any to any dst-port www uid daemon
add 8382 pipe 2 tcp from any to any src-port www uid daemon
su-4.2#


su-4.2# ipfw show | grep -E 'pipe 1|pipe 2' && ipfw pipe show 1 ; ipfw
pipe show 2
08381  11190815447 pipe 1 tcp from any to any dst-port 80 uid daemon
08382  14394  16926849 pipe 2 tcp from any 80 to any uid daemon
1:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x/0x -> 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  0 tcp 64.237.55.83/64730 69.10.58.25/8011190   815447  00   0
2:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x/0x -> 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  69.10.58.25/80   64.237.55.83/64730 14394 16926849  00  10
su-4.2# ipfw show | grep -E 'pipe 1|pipe 2' && ipfw pipe show 1 ; ipfw
pipe show 2
08381  11218817225 pipe 1 tcp from any to any dst-port 80 uid daemon
08382  14434  16979213 pipe 2 tcp from any 80 to any uid daemon
1:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x/0x -> 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  0 tcp 64.237.55.83/64730 69.10.58.25/8011218   817225  00   0
2:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x/0x -> 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  69.10.58.25/80   64.237.55.83/64730 14434 16979213  00  10
su-4.2#

as you see ipfw rules matches as count is increasing, yet pipe i'm not
seeing any difference at all, it's like it matched first time and
that's it...

yet pipe shows different output

su-4.2# ipfw show | grep 'pipe 3' && ipfw pipe show 3
03128  37483  71276160 pipe 3 tcp from any 3128 to any uid root
3:   1.000 Mbit/s0 ms   50 sl. 4 queues (64 buckets) droptail
mask: 0x00 0x/0x -> 0x/0x0c38
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  0 ip   0.0.0.0/0 0.0.0.0/105616 2383  00   0
 16 ip   0.0.0.0/0 0.0.0.0/1032 8 9398  00   0
 32 ip   0.0.0.0/0 0.0.0.0/20964143167  00   0
 48 ip   0.0.0.0/0 0.0.0.0/56   2 7074  00   0
su-4.2# !!
ipfw show | grep 'pipe 3' && ipfw pipe show 3
03128  39285  74616912 pipe 3 tcp from any 3128 to any uid root
3:   1.000 Mbit/s0 ms   50 sl. 4 queues (64 buckets) droptail
mask: 0x00 0x/0x -> 0x/0x0c38
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  0 ip   0.0.0.0/0 0.0.0.0/10561920651  00   0
 16 ip   0.0.0.0/0 0.0.0.0/10643641781  00   0
 32 ip   0.0.0.0/0 0.0.0.0/10724353920  00   0
 48 ip   0.0.0.0/0 0.0.0.0/2104 3  595  00   0
su-4.2#

why is it seeing source ip/port as 0/0 and dest 0/? i don't understand
that at all

On Sun, Sep 11, 2011 at 7:06 PM, Michael Sierchio  wrote:
> On Sun, Sep 11, 2011 at 3:38 PM, alexus  wrote:
>> thanks, but did u actually tried it?
>
> If what you're asking is, "does traffic shaping work?"  the answer is
> yes.  There are some provisos - you must create an outbound pipe and
> an inbound pipe that accurately reflect the observed network
> performance (not what your ISP told you).  This is because when you
> create queues of different weights, the weights are only imposed when
> one or more queues are full.
>
> See http://info.iet.unipi.it/~luigi/dummynet/
>
> The place to start is to find out what kind of upload and download
> throughput you get, then create pipes that are 95% of those observed
> values (one up, one down), then instantiate queues with different
> weights on each pipe, then create rules that match packets according
> to which pipe they should go in.  Also consider that the sysctl
> variable, net.inet.ip.fw.one_pass, might need to be 0 and not 1,
> depending on whether queued packets need further processing.
>



-- 
http://alexus.org/
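
The `mask: ... 0x0c38` line in the `ipfw pipe show 3` output above is 3128 in hexadecimal: dummynet takes the argument of `mask dst-port` as a bitmask that is ANDed with each packet's destination port, and packets whose masked values are equal share one bucket. The following added example (not part of the original post; the client port numbers are constructed) reproduces that grouping for the page's mask and for `0xffff`, which yields one bucket per port.

```sh
#!/bin/sh
# Added example, not from the thread. Models how dummynet groups packets
# into per-flow buckets when a pipe is configured with "mask dst-port <bits>".

# flow_key <dst-port> <mask>: the value dummynet keeps after masking.
flow_key() {
    echo $(( $1 & $2 ))
}

# bucket_ports <mask> <port>...: one output line per bucket,
# "<masked key>: <ports that landed in it>".
bucket_ports() {
    mask=$1
    shift
    for port in "$@"; do
        printf '%d %d\n' "$(flow_key "$port" "$mask")" "$port"
    done | sort -n | awk '
        NR == 1 || $1 != key {
            if (NR > 1) printf "\n"
            key = $1
            printf "%d:", key
        }
        { printf " %d", $2 }
        END { if (NR > 0) printf "\n" }'
}

# count_buckets <mask> <port>...: number of distinct buckets.
count_buckets() {
    bucket_ports "$@" | wc -l | tr -d ' '
}

# Constructed sample: ephemeral client ports as seen by a proxy on 3128.
SAMPLE_PORTS="49152 49153 50000 51234 60000"

# 3128 == 0x0c38, the mask printed by "ipfw pipe show 3" in the post.
bucket_ports 3128 $SAMPLE_PORTS
# Full 16-bit mask: every destination port gets its own bucket.
bucket_ports 0xffff $SAMPLE_PORTS
```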


Re: traffic shaping freebsd

2011-09-11 Thread Michael Sierchio
On Sun, Sep 11, 2011 at 3:38 PM, alexus  wrote:
> thanks, but did u actually tried it?

If what you're asking is, "does traffic shaping work?"  the answer is
yes.  There are some provisos - you must create an outbound pipe and
an inbound pipe that accurately reflect the observed network
performance (not what your ISP told you).  This is because when you
create queues of different weights, the weights are only imposed when
one or more queues are full.

See http://info.iet.unipi.it/~luigi/dummynet/

The place to start is to find out what kind of upload and download
throughput you get, then create pipes that are 95% of those observed
values (one up, one down), then instantiate queues with different
weights on each pipe, then create rules that match packets according
to which pipe they should go in.  Also consider that the sysctl
variable, net.inet.ip.fw.one_pass, might need to be 0 and not 1,
depending on whether queued packets need further processing.
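
The procedure described above, as an added example (not from the thread or from anyone's live system): a script that turns measured link rates into the corresponding ipfw/dummynet commands. The interface name, rule and queue numbers, weights and the choice of HTTP as the low-weight class are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Prints ipfw/dummynet commands for the
# steps above: pipes at 95% of measured rates, weighted queues, matching rules.
# Queue/rule numbers, weights and the HTTP-vs-rest split are assumptions.

# shaped_rate <measured Kbit/s>: 95% of the observed throughput.
shaped_rate() {
    case $1 in
        ''|*[!0-9]*) echo "rate must be a whole number of Kbit/s" >&2; return 1 ;;
    esac
    echo $(( $1 * 95 / 100 ))
}

# gen_ruleset <ext_if> <measured up Kbit/s> <measured down Kbit/s> [one_pass]
gen_ruleset() {
    ext_if=$1
    up=$(shaped_rate "$2") || return 1
    down=$(shaped_rate "$3") || return 1
    one_pass=${4:-1}
    cat <<EOF
# one_pass=1: a packet leaving a queue is accepted at once.
# one_pass=0: it continues with the rule after the one that queued it.
sysctl net.inet.ip.fw.one_pass=${one_pass}
ipfw -q pipe flush
# One pipe per direction, sized below the measured rate so that the
# queues fill on this host and the weights below take effect.
ipfw -q pipe 1 config bw ${up}Kbit/s
ipfw -q pipe 2 config bw ${down}Kbit/s
# Two queues per pipe; weights only matter once the pipe is saturated.
ipfw -q queue 11 config pipe 1 weight 70
ipfw -q queue 12 config pipe 1 weight 30
ipfw -q queue 21 config pipe 2 weight 70
ipfw -q queue 22 config pipe 2 weight 30
# Rules that actually put packets into the queues (web server on this host).
ipfw -q add 8381 queue 12 tcp from any 80 to any out via ${ext_if}
ipfw -q add 8382 queue 22 tcp from any to any dst-port 80 in via ${ext_if}
ipfw -q add 8391 queue 11 ip from any to any out via ${ext_if}
ipfw -q add 8392 queue 21 ip from any to any in via ${ext_if}
EOF
}

# Print the ruleset when called with arguments, e.g.: em0 1000 8000
if [ "$#" -ge 3 ]; then
    gen_ruleset "$@"
fi
```

On the FreeBSD host, review the printed commands and then pipe them to `sh` as root.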


Re[2]: traffic shaping freebsd

2011-09-11 Thread Коньков Евгений
Hello, alexus.

That is my article. I wrote it when I configured my VPN server to
shape home users.

If you have questions, ask.

You wrote on September 12, 2011, 1:38:30:

a> thanks, but did u actually tried it? i'd prefer an example from a live
a> system if possible
a> its just its not working for me, so maybe i'm doing something off, so
a> thats why i wanted to see a working example from someone's system

a> 2011/9/11 Коньков Евгений :
>> Hello, alexus.
>>
>> You wrote on September 12, 2011, 1:18:10:
>>
>> a> can someone provide a real (working) live example of traffic shaping with ipfw
>> a> i just can't get mine to work no matter what...
>>
>>
>> you can try this
>> http://translate.google.com.ua/translate?hl=ru&sl=ru&tl=en&u=http%3A%2F%2Fkes.net.ua%2Fsoftdev%2Fadvanced_firewall.html
>>
>> --
>> Regards,
>>  Коньков                          mailto:kes-...@yandex.ru
>>
>>






-- 
Regards,
 Коньков  mailto:kes-...@yandex.ru



Re: traffic shaping freebsd

2011-09-11 Thread alexus
thanks, but did you actually try it? i'd prefer an example from a live
system if possible
it's just it's not working for me, so maybe i'm doing something off, so
that's why i wanted to see a working example from someone's system

2011/9/11 Коньков Евгений :
> Hello, alexus.
>
> You wrote on September 12, 2011, 1:18:10:
>
> a> can someone provide a real (working) live example of traffic shaping with ipfw
> a> i just can't get mine to work no matter what...
>
>
> you can try this
> http://translate.google.com.ua/translate?hl=ru&sl=ru&tl=en&u=http%3A%2F%2Fkes.net.ua%2Fsoftdev%2Fadvanced_firewall.html
>
> --
> Regards,
>  Коньков                          mailto:kes-...@yandex.ru
>
>



-- 
http://alexus.org/

Re: traffic shaping freebsd

2011-09-11 Thread Коньков Евгений
Hello, alexus.

You wrote on September 12, 2011, 1:18:10:

a> can someone provide a real (working) live example of traffic shaping with ipfw
a> i just can't get mine to work no matter what...


you can try this
http://translate.google.com.ua/translate?hl=ru&sl=ru&tl=en&u=http%3A%2F%2Fkes.net.ua%2Fsoftdev%2Fadvanced_firewall.html

-- 
Regards,
 Коньков  mailto:kes-...@yandex.ru



traffic shaping freebsd

2011-09-11 Thread alexus
can someone provide a real (working) live example of traffic shaping with ipfw
i just can't get mine to work no matter what...

-- 
http://alexus.org/


FreeBSD Traffic Shaping

2010-02-02 Thread alexus
Hi

I'm trying to do traffic shaping with FreeBSD, here are my rules

su-3.2# ipfw pipe show
1:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x/0x -> 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  0 tcp 64.237.55.83/60546 206.223.183.156/8035704818 2711309193  00   0
2:   1.000 Mbit/s0 ms   50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x/0x -> 0x/0x
BKT Prot ___Source IP/port Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  206.223.183.156/80   64.237.55.83/60546 46186238 55031603690  00 585064
su-3.2# ipfw show
00100  50878094  8828324288 allow ip from any to any via lo0
00200 0   0 deny ip from any to 127.0.0.0/8
00300 0   0 deny ip from 127.0.0.0/8 to any
08025   7985221  2441309667 allow tcp from any to any dst-port 25
08110   2921293   144559774 allow tcp from any to any dst-port 110
0814320757811273485 allow tcp from any to any dst-port 143
08381  35704746  2711287847 pipe 1 tcp from any to any dst-port 80 uid daemon
08382  46186754 55032183316 pipe 2 tcp from any 80 to any uid daemon
08993   1304764   130695084 allow tcp from any to any dst-port 993
0899563797056234323 allow tcp from any to any dst-port 995
65000 124980086 87768197494 allow ip from any to any
65535 0   0 deny ip from any to any
su-3.2#

first of all why when I run ipfw pipe 1 show i get same source and
destination ip, that doesn't seem like ever change yet total
packets/bytes increasing

and most important question, after doing all that I'm looking at my
MRTG stats and I see i'm very well over 1Mbit/s limit. main services
that i run on my box is web and mail

what am I doing wrong?

here is config file

su-3.2# cat /etc/ipfw.rules
flush
pipe flush
pipe 1 config bw 1Mbit/s mask src-port www
pipe 2 config bw 1Mbit/s mask src-port www
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 8381 pipe 1 tcp from any to any dst-port www uid daemon
add 8382 pipe 2 tcp from any to any src-port www uid daemon
add 8025 allow tcp from any to any dst-port smtp
add 8110 allow tcp from any to any dst-port pop3
add 8143 allow tcp from any to any dst-port imap
add 8993 allow tcp from any to any dst-port imaps
add 8995 allow tcp from any to any dst-port pop3s
add 65000 pass all from any to any
su-3.2# uptime
 6:06AM  up 25 days,  3:48, 1 user, load averages: 0.04, 0.03, 0.00
su-3.2# uname -rp
7.2-RELEASE-p6 amd64
su-3.2#


-- 
http://alexus.org/


Traffic Shaping Bridge with Dummynet

2009-09-14 Thread Dan D Niles

I am trying to do traffic shaping using a bridge on FreeBSD 7.1.

I have the bridge configured and it works fine.  It looks like this:

rest of network <-> xl0 <-> bridge0 <-> xl1 <-> side to be shaped

It works with the following set of ipfw rules (pipes in but 
unlimited bw):

network=10.10.10.0/24
limit=0
ipfw -q -f flush

ipfw -q pipe 1000 config mask dst-ip 0x00ff bw $limit
ipfw -q add pipe 1000 ip from any to $network via xl1

ipfw -q pipe 1001 config mask src-ip 0x00ff bw $limit
ipfw -q add pipe 1001 ip from $network to any via xl1

ipfw -q add 6 allow all from any to any

If I change the limit to 1Mbit/s (or anything else) it stops passing
traffic.  I used tcpdump and I can see the traffic on the bridge but I
cannot see it after the bridge.  However "ipfw -a list" shows the counts
for the pipe going up, which doesn't make sense to me.

I've tried adding:
ipfw -q add allow all from any to any via bridge0
ipfw -q add allow all from any to any via xl0
before the pipes.  I also tried moving the pipes to bridge0 and xl0.

The docs on bridging
(http://www.freebsd.org/doc/en/books/handbook/network-bridging.html)
says "The bridge can be used as a traffic shaper with altq(4) or
dummynet(4)."

So what am I doing wrong?  What else do I need to do to limit the
bandwidth over a bridge?

Thanks,

Dan




Re: torrent client traffic shaping question

2009-03-12 Thread RW
On Thu, 12 Mar 2009 16:24:37 +1100 (EST)
Ian Smith  wrote:

> On Wed, 11 Mar 2009 12:42:23 + RW   

>  > A traffic shaper could efficiently regulate downloads by proxying
>  > TCP. And even though PF does some limited TCP proxying,
>  > unfortunately dummynet and altq  work at the IP level.  
> 
> I don't know why you say 'unfortunately' here?

Because tcp is best controlled at the tcp-level. You could get smoother,
lower-latency transfers, and you're not dropping any packets that
have already passed through the ISP bottleneck.


Re: torrent client traffic shaping question

2009-03-11 Thread Ian Smith
On Wed, 11 Mar 2009 12:42:23 + RW  wrote:
 > On Wed, 11 Mar 2009 11:13:16 +0200
 > Brent Clark  wrote:
 > 
 > > Hiya
 > > 
 > > I got this question to ask, and I was hoping the TCP/IP gurus would be
 > > able to help me understand this.
 > > 
 > > K you know how with traffic shaping you can control only the traffic
 > > leaving you, how it is that torrent clients say they can control the
 > > download as well as the upload. I would think the client can only
 > > control the upload.
 > 
 > If the client reads from a TCP socket slower than the data is coming-in,
 > the buffers fill-up and the sliding-window algorithm in TCP causes the
 > sending side to slow down.

Sure.

 > A traffic shaper could efficiently regulate downloads by proxying TCP.
 > And even though PF does some limited TCP proxying, unfortunately
 > dummynet and altq  work at the IP level.

I don't know why you say 'unfortunately' here?  I can only talk about 
ipfw + dummynet from my own experience, but you can use dummynet pipes 
and their queue/s to shape any sort of IP(v4) traffic, in- or outbound, 
directed to/from any sort of flow ipfw can distinguish by any of the 
usual packet selectors (TCP, UDP, ICMP, raw IP or by any IP protocol or 
options; for TCP/UDP by src/dest ports as well as addresses, whatever)

While it's true that shaping listen-only unacknowledged streaming UDP by 
dropping further packets once the inbound pipe's queue is full involves 
packet loss, many real-world UDP transfers (eg realaudio) will back off 
from sending more in the absence of some sort of specific or periodic 
acknowledgements.  I'm not sure what happens with multicast traffic.

cheers, Ian


Re: torrent client traffic shaping question

2009-03-11 Thread RW
On Wed, 11 Mar 2009 11:13:16 +0200
Brent Clark  wrote:

> Hiya
> 
> I got this question to ask, and I was hoping the TCP/IP gurus would be
> able to help me understand this.
> 
> K you know how with traffic shaping you can control only the traffic
> leaving you, how it is that torrent clients say they can control the
> download as well as the upload. I would think the client can only
> control the upload.

If the client reads from a TCP socket slower than the data is coming-in,
the buffers fill-up and the sliding-window algorithm in TCP causes the
sending side to slow down.

A traffic shaper could efficiently regulate downloads by proxying TCP.
And even though PF does some limited TCP proxying, unfortunately
dummynet and altq  work at the IP level.


Re: torrent client traffic shaping question

2009-03-11 Thread Brent Clark

Olivier Nicole wrote:

> Maybe torrent protocol includes something where by the client tells
> its peers to send data at a slower rate.
>
> Traffic shaping is done at IP or TCP level, while the up/down load
> speed is managed at the client level.
>
> Bests,
>
> Olivier

Hi

I posted the same Q on netfilters mailinglist. This was one of the
answers I got

If you read from socket at fixed rate, its TCP receive buffer is
emptied at same rate. TCP announces free buffer in receive window field,
so congestion window on sender side is also adjusted, thus limiting send
speed to the rate you read from socket on receiver side.


Brent



Re: torrent client traffic shaping question

2009-03-11 Thread Olivier Nicole
Hi,

> K you know how with traffic shaping you can control only the traffic
> leaving you, how it is that torrent clients say they can control the
> download as well as the upload. I would think the client can only
> control the upload.

Maybe torrent protocol includes something where by the client tells
its peers to send data at a slower rate.

Traffic shaping is done at IP or TCP level, while the up/down load
speed is managed at the client level.

Bests,

Olivier


torrent client traffic shaping question

2009-03-11 Thread Brent Clark

Hiya

I got this question to ask, and I was hoping the TCP/IP gurus would be
able to help me understand this.

K you know how with traffic shaping you can control only the traffic
leaving you, how it is that torrent clients say they can control the
download as well as the upload. I would think the client can only
control the upload.

TIA

Brent Clark



Re: pf traffic shaping and perfomance

2008-04-23 Thread Zbigniew Szalbot

Hi Luke,

On Wed, 23 Apr 2008 12:40:04 -0700 (PDT), Luke Dean <[EMAIL PROTECTED]> wrote:
> 
> 
> On Wed, 23 Apr 2008, Zbigniew Szalbot wrote:
> 
>>
>> Hello,
>>
>> I would like to implement traffic shaping using pf. I know I need to
>> recompile kernel to be able to achieve this but I have a more general
>> question. I used to have pf with traffic shaping on a Pentium III 866
>> before and as soon as I activated it, the http response of the box was
>> noticeably slower. Here are the defs I used then:
>>
>> #altq on $ext_if cbq bandwidth 512Kb queue { def, smtp, udp, http, \
>> #ssh, icmp }
>> #queue def bandwidth 13% cbq(default borrow red)
>> #queue smtp bandwidth 25% cbq(borrow red) priority 7
>> #queue udp bandwidth 10% cbq(borrow red)
>> #queue http bandwidth 40% cbq(borrow red)
>> #queue ssh bandwidth 10% cbq(borrow red)
>> ##{ ssh_interactive, ssh_bulk }
>> ##queue ssh_interactive priority 7
>> #queue ssh_bulk priority 0
>> #queue icmp bandwidth 2% cbq
>>
>> It is quite possible that I misconfigured the shaping (as seen above). What
>> would be suggested traffic shaping rules to allow smooth mail operation
>> (smtp taking up to 40% of allowed bandwidth) and http responses?
>>
>> If that matters, uname -v
>> FreeBSD 7.0-RELEASE #0
>>
>>
>> Many thanks in advance!
> 
> I had the same problem with class-based queueing when I tried this.  I
> suspect that the 512Kb in your initial queue definition is the limiting
> factor.  I never did get it to work like I expected it to, however, so
> maybe I just don't understand it.
> 
> Eventually I realized that I didn't actually want to chop up my bandwidth
> like this.  What I really wanted to do was simply prioritize the traffic.
> The most important applications get first shot at the bandwidth, and the
> less important applications get choked when they need to be.  I switched
> to priority queueing and I've been very happy with it.

Thanks! That gives me a clue! Would you mind sharing your defs? I'll be
reading the man anyway.

Zbigniew Szalbot



Re: pf traffic shaping and perfomance

2008-04-23 Thread Luke Dean



On Wed, 23 Apr 2008, Zbigniew Szalbot wrote:

> Hello,
>
> I would like to implement traffic shaping using pf. I know I need to
> recompile kernel to be able to achieve this but I have a more general
> question. I used to have pf with traffic shaping on a Pentium III 866
> before and as soon as I activated it, the http response of the box was
> noticeably slower. Here are the defs I used then:
>
> #altq on $ext_if cbq bandwidth 512Kb queue { def, smtp, udp, http, \
> #ssh, icmp }
> #queue def bandwidth 13% cbq(default borrow red)
> #queue smtp bandwidth 25% cbq(borrow red) priority 7
> #queue udp bandwidth 10% cbq(borrow red)
> #queue http bandwidth 40% cbq(borrow red)
> #queue ssh bandwidth 10% cbq(borrow red)
> ##{ ssh_interactive, ssh_bulk }
> ##queue ssh_interactive priority 7
> #queue ssh_bulk priority 0
> #queue icmp bandwidth 2% cbq
>
> It is quite possible that I misconfigured the shaping (as seen above). What
> would be suggested traffic shaping rules to allow smooth mail operation
> (smtp taking up to 40% of allowed bandwidth) and http responses?
>
> If that matters, uname -v
> FreeBSD 7.0-RELEASE #0
>
> Many thanks in advance!

I had the same problem with class-based queueing when I tried this.  I 
suspect that the 512Kb in your initial queue definition is the limiting 
factor.  I never did get it to work like I expected it to, however, so 
maybe I just don't understand it.


Eventually I realized that I didn't actually want to chop up my bandwidth 
like this.  What I really wanted to do was simply prioritize the traffic. 
The most important applications get first shot at the bandwidth, and the 
less important applications get choked when they need to be.  I switched 
to priority queueing and I've been very happy with it.


I'm sorry I can't help more with cbq, but unless you are able to make an 
accurate guess about how much bandwidth each class will really need to be 
using constantly, I think you'll find that you're reserving bandwidth 
unnecessarily.  If your goal really is to cut down on your bandwidth 
usage, then please disregard this opinion.



pf traffic shaping and perfomance

2008-04-22 Thread Zbigniew Szalbot

Hello,

I would like to implement traffic shaping using pf. I know I need to
recompile kernel to be able to achieve this but I have a more general
question. I used to have pf with traffic shaping on a Pentium III 866
before and as soon as I activated it, the http response of the box was
noticeably slower. Here are the defs I used then:

#altq on $ext_if cbq bandwidth 512Kb queue { def, smtp, udp, http, \
#ssh, icmp }
#queue def bandwidth 13% cbq(default borrow red)
#queue smtp bandwidth 25% cbq(borrow red) priority 7
#queue udp bandwidth 10% cbq(borrow red)
#queue http bandwidth 40% cbq(borrow red)
#queue ssh bandwidth 10% cbq(borrow red)
##{ ssh_interactive, ssh_bulk }
##queue ssh_interactive priority 7
#queue ssh_bulk priority 0
#queue icmp bandwidth 2% cbq

It is quite possible that I misconfigured the shaping (as seen above). What
would be suggested traffic shaping rules to allow smooth mail operation
(smtp taking up to 40% of allowed bandwidth) and http responses?

If that matters, uname -v
FreeBSD 7.0-RELEASE #0


Many thanks in advance!


Zbigniew Szalbot



[OT] name resolution... ( was Re: FreeBSD Traffic Shaping )

2008-04-03 Thread Norberto Meijome
On Thu, 03 Apr 2008 15:55:05 +1100
Terry Sposato <[EMAIL PROTECTED]> wrote:

> Norberto Meijome wrote:
> > On Wed, 2 Apr 2008 14:43:20 +0200
> > Mel <[EMAIL PROTECTED]> wrote:
> > 
> >> I think you'll find that bursts are best counteracted like this:
> >> http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained#Tips.2FIdeas
> > 
> > Mel, can you please confirm this link / FQDN ? no NS defined for the 
> > domain... 
> > 
> > TIA,
> > B
> 
> 
> The above link works fine for me here.
> [EMAIL PROTECTED] ~]$ host www.probsd.net
> www.probsd.net has address 66.93.16.108
> 

i hear you :D 

It resolves ok when pointing against a US based Name server :

$ nslookup www.probsd.net ns1.octantis.com.au
Server: ns1.octantis.com.au
Address:207.44.188.147#53

Non-authoritative answer:
Name:   www.probsd.net
Address: 66.93.16.108

It doesn't work when using my machine's named, which relies on Root name 
servers to get the info. the US server also uses root servers for resolution.

US box is linux based, mine is FBSD 7, in AU.

I checked with wireshark and i never get any reply from their servers. they 
seem to reply if I use my ISP's dns... 

oh well


_
{Beto|Norberto|Numard} Meijome

"The only good bureaucrat is one with a pistol at his head.
Put it in his hand and it's goodbye to the Bill of Rights."
   H.L. Mencken

I speak for myself, not my employer. Contents may be hot. Slippery when wet. 
Reading disclaimers makes you go blind. Writing them is worse. You have been 
Warned.


Re: FreeBSD Traffic Shaping

2008-04-02 Thread Terry Sposato

Norberto Meijome wrote:
> On Wed, 2 Apr 2008 14:43:20 +0200
> Mel <[EMAIL PROTECTED]> wrote:
>
>> I think you'll find that bursts are best counteracted like this:
>> http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained#Tips.2FIdeas
>
> Mel, can you please confirm this link / FQDN ? no NS defined for the domain...
>
> TIA,
> B

The above link works fine for me here.
[EMAIL PROTECTED] ~]$ host www.probsd.net
www.probsd.net has address 66.93.16.108

--
Regards,

Terry Sposato
[EMAIL PROTECTED]
http://www.sucked-in.com

GnuPG Key  : 0xB7643BC8
Fingerprint: EE92 D9E1 C98E 759F 5991 DFF6 70CE 8936 B764 3BC8





Re: FreeBSD Traffic Shaping

2008-04-02 Thread Norberto Meijome
On Wed, 2 Apr 2008 14:43:20 +0200
Mel <[EMAIL PROTECTED]> wrote:

> I think you'll find that bursts are best counteracted like this:
> http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained#Tips.2FIdeas

Mel, can you please confirm this link / FQDN ? no NS defined for the domain... 

TIA,
B

_
{Beto|Norberto|Numard} Meijome

"At times, to be silent is to lie." 
  Miguel de Unamuno

I speak for myself, not my employer. Contents may be hot. Slippery when wet. 
Reading disclaimers makes you go blind. Writing them is worse. You have been 
Warned.


RE: FreeBSD Traffic Shaping

2008-04-02 Thread Ted Mittelstaedt


> -Original Message-
> From: Giorgos Keramidas [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2008 9:45 AM
> To: Wojciech Puchar
> Cc: Ted Mittelstaedt; [EMAIL PROTECTED];
> freebsd-questions@freebsd.org
> Subject: Re: FreeBSD Traffic Shaping
> 
> 
> On Wed, 2 Apr 2008 11:30:44 +0200 (CEST), Wojciech Puchar 
> <[EMAIL PROTECTED]> wrote:
> >> The vast majority of people out there have asymmetrical bandwidth
> >> limiting needs - that is, they have a pipe to the Internet and have a
> >> lot more data coming from the Internet to them, than data going from
> >> them to the Internet.  Their desire is to somehow make it so that
> >> certain kinds of incoming data meeting certain criteria are limited.
> >> Their problem is that since they don't have control of the end
> >> sending the data to them, they can't do this.
> >
> > but you ROUGHLY can do this with ipfw.
> > by limiting at your end - the other end will slow down.
> 
> Unless the sending endpoint just ignores your limited incoming pipe
> characteristics and keeps flooding you with DNS or ICMP requests, until
> you scream for help.
> 

It's not just that.  It's also stuff like Kazaa, and there's this
shareware downloader out there I forget the name of which opens
multiple connections to multiple sites, which also will not
be limited.  Oh and I also forgot online games too, some will
ignore the limiters.  (it's been my observation, that is)  And,
things like incoming e-mail spammers, the spam handshakes that their
spam networks send are too short, and will come in full-bore.

The other problem is that because the limiting works by delaying
traffic so that the tcp sliding window is exceeded, if the sender
and recipient put up large enough tcp receive windows they should
be able to defeat it.  This used to be standard advice for Windows
2K and under as the registry could be modded to change those
parameters. (since the defaults were too small for the Internet)

Ted


RE: FreeBSD Traffic Shaping

2008-04-02 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2008 4:51 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: FreeBSD Traffic Shaping
> 
> 
> As far as I know, every carrier bills by 95th percentile.

You better call your carrier and confirm this.

The last carrier we had in that did this did in fact NOT bill by peak,
they billed by average.  However, the contract language SEEMED
to say peak.  We were naturally concerned about this after the first
month due to our graphs indicating that we had exceeded the peak.
However, the carrier (AT&T) did not bill a surcharge.  After that
we regularly peaked over the designated MBs
during the contract term with no billing surcharge.  The last
2 months of the contract we got nailed with very high surcharge
fees for the last 2 month use period.  Needless to say we did
not renew the contract and the
matter is in litigation now.  We never got a satisfactory answer
from anyone there as to what calculation they used to determine
how the surcharge was calculated.

Of course it was our dumb fault.  In the future if we ever sign
any of those bandwidth contracts again we will require the carrier
to supply in the contract the mathematical formula they use to
calculate whether or not a surcharge applies.  We will then
read the formula and determine for ourselves whether it means
peak or average.

> This particular server is colocated and the bandwidth average is  
> 2.35mbps while the 95th is 3.7mbps.
> 
> I don't want my clients to have to compete for bandwidth - if 1000  
> users share a 3mbps fixed pipe, they will each get 3k/sec -. Rather I  
> want to guarantee a fixed output for each client. This ensures  
> adequate speed for everyone AND flattens out my peaks.
>

Except that during the valleys of your utilization your clients
will be limited as well - meaning that if for example your bandwidth from
2-3am is only .5Mbps, 3Mbps would be available - and if one of
your clients happened to want to use 3Mps, his transfer will be
pushed forward out of the 2-3am time period and into the 2-8am
period.  Meanwhile your carrier gets away scot-free because
they didn't have to supply you with the 3.5Mbs during the night,
even though you were entitled to it.

Anyway, I'm sure you're going to do what you feel like and damn the
advice everyone is giving - hopefully it works out for you.  I
personally think these kinds of contracts are devices to make
the carrier a windfall they don't deserve, and I hope that
you manage to "beat" the contract and extract your last available
byte without penalty - because the more people that manage to
do this the less lucrative these dumb contracts will be and the
less incentive the carriers will have to offer them - but I
think in your case you're up against a telco who has a lot of
experience screwing over customers, and they will find out some
way to apply the surcharge no matter what you do.

Ted
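
The difference between peak, average and 95th-percentile billing discussed in this message, and what flattening peaks does to each figure, worked through on constructed samples. This is an added example, not code from the thread or from any carrier's contract; the 5-minute sampling interval, the traffic figures and the function names are assumptions.

```python
import math


def percentile_95(samples):
    """Sort the samples, discard the top 5%, return the highest one left."""
    ordered = sorted(samples)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]


def billing_view(samples):
    """The three figures a bandwidth contract might be read as meaning."""
    return {
        "average": round(sum(samples) / len(samples)),
        "p95": percentile_95(samples),
        "peak": max(samples),
    }


def shape(samples, cap):
    """Cap every interval at `cap`; traffic over the cap is delayed into
    the following intervals. Returns the shaped samples and whatever is
    still waiting when the period ends."""
    backlog = 0
    shaped = []
    for rate in samples:
        offered = rate + backlog
        sent = min(offered, cap)
        backlog = offered - sent
        shaped.append(sent)
    return shaped, backlog


def bursty_day(n_bursts, base=1000, burst=6000, intervals=288):
    """Constructed traffic: one day of 5-minute samples in kbit/s, a steady
    base rate with n_bursts evenly spaced one-interval bursts."""
    spacing = intervals // n_bursts
    day = [base] * intervals
    for k in range(n_bursts):
        day[k * spacing] = burst
    return day


def compare(n_bursts, cap=2000):
    raw = bursty_day(n_bursts)
    shaped, backlog = shape(raw, cap)
    return {
        "raw": billing_view(raw),
        "shaped": billing_view(shaped),
        "undelivered": backlog,
    }


if __name__ == "__main__":
    # Bursts in more than 5% of the intervals: the cap lowers the 95th.
    print(21, compare(21))
    # Bursts in fewer than 5% of the intervals: they were being discarded
    # already, and spreading them over more intervals raises the 95th.
    print(12, compare(12))
```

The average is the same before and after shaping in both runs, so a contract billed on average gains nothing from a cap, while the 95th-percentile figure can move in either direction depending on how often the bursts occur.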


RE: FreeBSD Traffic Shaping

2008-04-02 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2008 4:38 AM
> To: freebsd-questions@freebsd.org
> Subject: RE: FreeBSD Traffic Shaping
> 
> 
> I can now confirm that these two commands do exactly what I mentioned  
> originally.
> 
> All outbound connections towards any host port 80 will have a maximum  
> bandwidth of 100Kbit/s individually ( output )
> 
> ipfw pipe 2 config mask all bw 100Kbit/s
> ipfw add 10 pipe 2 tcp from localip to any 80
> 
> Problem solved :)
>

Are you sure about this?

If you're serving webpages, you're listening on port 80

The tcp initiator uses a source port randomly chosen above 80
and a destination port on your host of 80

Your host responds with traffic with a source port of 80 and
a destination port of the initiator's choosing.  You don't
want to limit destination port 80 traffic since you're not sending
it.
 
I would suggest after deployment that you carefully look at
your access lists and keep an eye on your utilization graphs to
make sure it's doing what you think it's supposed to be doing.

Ted


RE: FreeBSD Traffic Shaping

2008-04-02 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2008 4:22 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: FreeBSD Traffic Shaping
> 
> 
> I think you guys went a bit on a tangent here. What I am trying to do  
> is limit the outbound bandwidth of my services and this should be  
> perfectly possible as I control the output.
> 

Considering you didn't say that in your original post I don't
see why you're complaining about a tangent.

Ted


Re: FreeBSD Traffic Shaping

2008-04-02 Thread Giorgos Keramidas
On Wed, 2 Apr 2008 11:30:44 +0200 (CEST), Wojciech Puchar <[EMAIL PROTECTED]> 
wrote:
>> The vast majority of people out there have asymmetrical bandwidth
>> limiting needs - that is, they have a pipe to the Internet and have a
>> lot more data coming from the Internet to them, than data going from
>> them to the Internet.  Their desire is to somehow make it so that
>> certain kinds of incoming data meeting certain criteria are limited.
>> Their problem is that since they don't have control of the end
>> sending the data to them, they can't do this.
>
> but you ROUGHLY can do this with ipfw.
> by limiting at your end - the other end will slow down.

Unless the sending endpoint just ignores your limited incoming pipe
characteristics and keeps flooding you with DNS or ICMP requests, until
you scream for help.

> but of course in case of say ping flood or similar things you can't

Bingo.  That's precisely one of the things Ted meant, when he wrote that
`it cannot be done properly, unless you have dedicated T1 circuits whose
endpoints *are* under your control' :-)



Re: FreeBSD Traffic Shaping

2008-04-02 Thread freebsd

As far as I know, every carrier bills by 95th percentile.
This particular server is colocated and the bandwidth average is  
2.35mbps while the 95th is 3.7mbps.


I don't want my clients to have to compete for bandwidth - if 1000  
users share a 3mbps fixed pipe, they will each get 3k/sec -. Rather I  
want to guarantee a fixed output for each client. This ensures  
adequate speed for everyone AND flattens out my peaks.


Quoting Mel <[EMAIL PROTECTED]>:

> On Wednesday 02 April 2008 14:21:38 [EMAIL PROTECTED] wrote:
>
>> Also, the reason for this need is that some services use
>> burst-bandwidth and I have many peaks and lows throughout the day.
>> This means that my carrier who bills me by the 95th percentile is
>> having a field day.
>
> He bills by the second or average hour like most people? It's not as black and
> white as it seems - you also get higher average when the number of
> connections increases, not just the bandwidth they consume.
>
> I think you'll find that bursts are best counteracted like this:
> http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained#Tips.2FIdeas
>
> This separates 'downloads' from 'webpages', 'normal mails' from 'attachments'
> and you can then tune accordingly, if you have/get some graph.
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules
> and never get to the software part.


Re: FreeBSD Traffic Shaping

2008-04-02 Thread Mel
On Wednesday 02 April 2008 14:21:38 [EMAIL PROTECTED] wrote:

> Also, the reason for this need is that some services use
> burst-bandwidth and I have many peaks and lows throughout the day.
> This means that my carrier who bills me by the 95th percentile is
> having a field day.

He bills by the second or average hour like most people? It's not as black and 
white as it seems - you also get higher average when the number of 
connections increases, not just the bandwidth they consume.

I think you'll find that bursts are best counteracted like this:
http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained#Tips.2FIdeas

This separates 'downloads' from 'webpages', 'normal mails' from 'attachments' 
and you can then tune accordingly, if you have/get some graph.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


RE: FreeBSD Traffic Shaping

2008-04-02 Thread freebsd
I can now confirm that these two commands do exactly what I mentioned  
originally.


All outbound connections towards any host port 80 will have a maximum  
bandwidth of 100Kbit/s individually ( output )


ipfw pipe 2 config mask all bw 100Kbit/s
ipfw add 10 pipe 2 tcp from localip to any 80

Problem solved :)


Hmm,

I've tried

ipfw pipe 2 config mask all bw 100Kbit/s
ipfw add 10 pipe 2 tcp from localip to any 80

it appears to be working but I don't have enough connections on  
right now to find out if it really gives 100kbit/sec to each or if  
it shares the bw


will come back with an update :)


I gave port 80 as an example but I need this configuration for  
limiting other services as well.


If you have a 100mbps connection and only one client, you want him  
to only use 50kbps, not the full pipe. If you have 200 clients,  
they still get 50kbps each.


Is this feature that I need so complicated that it can't be  
implemented easily into FreeBSD or is it that not many people need  
it ? It sounds quite useful to me :)




I have personally tried that before and it did not work as described, in
fact it didn't work at all to limit anything on FBSD6.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of  
Christopher Cowart

Sent: Tuesday, April 01, 2008 7:55 PM
To: [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Traffic Shaping

[EMAIL PROTECTED] wrote:

I am trying to limit the bandwidth available to some connections and
I'm not sure FreeBSD can handle this. Maybe some of you can help.
Here's what I need to have exactly.

No matter what the number of connections, each connection should have
at most/least 50kbps guaranteed outbound on port 80.

I've tried dummynet but it doesn't do what I need because if I define
a pipe with 1mbps and if I have 1000 connections, each connection will
have less than 50kbps.

Any way to do this in FreeBSD ?


The ipfw(8) man page describes a "mask" configuration parameter.

# /sbin/ipfw pipe 1 config mask src-ip 0x bw 56Kbit/s

This creates a separate dynamic pipe per source ip address. Each pipe has a
dedicated 56kbps. The man page implies that the mask can combine fields, so
to uniquely identify "each connection", you would mask all bits of source
and destination IP and ports. It looks like the "all"
keyword might do just the trick.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT UC Berkeley



Re: FreeBSD Traffic Shaping

2008-04-02 Thread freebsd
I think you guys went a bit on a tangent here. What I am trying to do  
is limit the outbound bandwidth of my services and this should be  
perfectly possible as I control the output.


Also, the reason for this need is that some services use  
burst-bandwidth and I have many peaks and lows throughout the day.  
This means that my carrier who bills me by the 95th percentile is  
having a field day. For the services that my server offers it's not  
imperative that they get rid of the client in 1 second instead of 5  
for example. In this sense, stretching out 1MB of traffic over 10  
seconds is more beneficial towards my 95th than if I stretch it over 2  
seconds for example.


Quoting Mel <[EMAIL PROTECTED]>:


On Wednesday 02 April 2008 09:27:21 [EMAIL PROTECTED] wrote:

I gave port 80 as an example but I need this configuration for
limiting other services as well.

If you have a 100mbps connection and only one client, you want him to
only use 50kbps, not the full pipe. If you have 200 clients, they
still get 50kbps each.

Is this feature that I need so complicated that it can't be
implemented easily into FreeBSD or is it that not many people need it
? It sounds quite useful to me :)


It isn't as useful as you think. I can easily generate 200 clients being only
one person. That's why the focus in bandwidth shapers lies on the type of
traffic and the origin/destination rather than the state and they divide the
bandwidth within those pipes between the states.
Secondly - bit besides the point, but not many people think about it - if you
have 100% available and limit a single person to 5%, you're more likely to
end up at the 100%, simply because it takes more time for that person to get
what he wants.
So if there's no financial/legal issues involved, it's better to get rid of
the clients as fast as possible.

--
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: FreeBSD Traffic Shaping

2008-04-02 Thread Mel
On Wednesday 02 April 2008 09:27:21 [EMAIL PROTECTED] wrote:
> I gave port 80 as an example but I need this configuration for
> limiting other services as well.
>
> If you have a 100mbps connection and only one client, you want him to
> only use 50kbps, not the full pipe. If you have 200 clients, they
> still get 50kbps each.
>
> Is this feature that I need so complicated that it can't be
> implemented easily into FreeBSD or is it that not many people need it
> ? It sounds quite useful to me :)

It isn't as useful as you think. I can easily generate 200 clients being only 
one person. That's why the focus in bandwidth shapers lies on the type of 
traffic and the origin/destination rather than the state and they divide the 
bandwidth within those pipes between the states.
Secondly - bit besides the point, but not many people think about it - if you 
have 100% available and limit a single person to 5%, you're more likely to 
end up at the 100%, simply because it takes more time for that person to get 
what he wants.
So if there's no financial/legal issues involved, it's better to get rid of 
the clients as fast as possible.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
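
Mel's point in this message about one person generating 200 clients, together with Ted's point elsewhere in the thread about which side of a web server's traffic carries port 80, as a simplified model. This is an added example, not code from the thread or from ipfw/dummynet; the addresses, the `Packet` type and the function names are constructed, and the mask model assumes full-width masks and ignores the protocol field.

```python
from collections import defaultdict
from dataclasses import dataclass

SERVER = "192.0.2.10"  # constructed address standing in for "localip"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Fields a pipe "mask" keeps when it derives the flow identifier.
# Assumption of this model: every listed field is kept at full width.
MASK_FIELDS = {
    "src-ip": ("src_ip",),
    "dst-ip": ("dst_ip",),
    "all": ("src_ip", "src_port", "dst_ip", "dst_port"),
}


def rule_matches(pkt, src_ip, src_port=None, dst_port=None):
    """Model of a rule body 'tcp from <src_ip> [src_port] to any [dst_port]'."""
    if pkt.src_ip != src_ip:
        return False
    if src_port is not None and pkt.src_port != src_port:
        return False
    if dst_port is not None and pkt.dst_port != dst_port:
        return False
    return True


def dynamic_pipes(packets, mask):
    """One dynamic pipe per distinct masked flow identifier."""
    fields = MASK_FIELDS[mask]
    pipes = defaultdict(set)
    for pkt in packets:
        pipes[tuple(getattr(pkt, f) for f in fields)].add(pkt)
    return pipes


def client_ceiling_kbit(packets, mask, bw_kbit):
    """Most bandwidth each remote client can draw: bw_kbit times the number
    of dynamic pipes its traffic lands in. A pipe shared with other clients
    still counts in full, so this is a ceiling, not a guarantee."""
    per_client = defaultdict(set)
    for key, members in dynamic_pipes(packets, mask).items():
        for pkt in members:
            per_client[pkt.dst_ip].add(key)
    return {ip: len(keys) * bw_kbit for ip, keys in per_client.items()}


def sample_traffic():
    """Constructed sample: one outbound packet per connection from a web
    server to two clients, one holding 200 connections and one holding 1."""
    heavy = [Packet(SERVER, 80, "198.51.100.7", 40000 + i) for i in range(200)]
    light = [Packet(SERVER, 80, "203.0.113.5", 51515)]
    return heavy + light


def report():
    pkts = sample_traffic()
    out = {
        # 'from localip to any 80' tests the destination port
        "matched_dst_port_80": sum(rule_matches(p, SERVER, dst_port=80) for p in pkts),
        # 'from localip 80 to any' tests the source port
        "matched_src_port_80": sum(rule_matches(p, SERVER, src_port=80) for p in pkts),
    }
    for mask in MASK_FIELDS:
        out[mask] = {
            "pipes": len(dynamic_pipes(pkts, mask)),
            "ceiling_kbit": client_ceiling_kbit(pkts, mask, 50),
        }
    return out


if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

For outbound server traffic a source-address mask collapses everything into one shared pipe, a destination-address mask gives one pipe per client, and `all` gives one pipe per connection, so the client holding 200 connections gets 200 times the configured rate.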


Re: FreeBSD Traffic Shaping

2008-04-02 Thread Mel
On Wednesday 02 April 2008 10:55:58 Ted Mittelstaedt wrote:

> The vast majority of people out there have asymmetrical bandwidth
> limiting needs - that is, they have a pipe to the Internet and
> have a lot more data coming from the Internet to them, than data
> going from them to the Internet.  Their desire is to somehow make
> it so that certain kinds of incoming data meeting certain criteria
> are limited.  Their problem is that since they don't have control of
> the end sending the data to them, they can't do this.

That's only true for locally generated traffic. Since you can limit the 
outgoing pipe of the internal interface, in a NAT situation, you can in 
practical terms limit/prioritize incoming traffic.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: FreeBSD Traffic Shaping

2008-04-02 Thread Wojciech Puchar

> loss and almost any other traffic stream (including P2P) with
> 1-10% loss.
>
>> In short, the bandwidth limiting code really has little
>> practical value when implemented in FreeBSD that is why few do
>> it.
>
> :)


i do on my 300 users network. works VERY well. i use queues to equally 
divide available bandwidth in both directions



Re: FreeBSD Traffic Shaping

2008-04-02 Thread Andrew Pantyukhin
On Wed, Apr 02, 2008 at 12:55:58AM -0800, Ted Mittelstaedt wrote:
> It is that it's impossible to limit INCOMING bandwidth from the
> Internet.

The fact is you can limit incoming TCP with little to no packet
loss and almost any other traffic stream (including P2P) with
1-10% loss.

> In short, the bandwidth limiting code really has little
> practical value when implemented in FreeBSD that is why few do
> it.

:)


RE: FreeBSD Traffic Shaping

2008-04-02 Thread Wojciech Puchar


> The vast majority of people out there have asymmetrical bandwidth
> limiting needs - that is, they have a pipe to the Internet and
> have a lot more data coming from the Internet to them, than data
> going from them to the Internet.  Their desire is to somehow make
> it so that certain kinds of incoming data meeting certain criteria
> are limited.  Their problem is that since they don't have control of
> the end sending the data to them, they can't do this.


but you ROUGHLY can do this with ipfw.
by limiting at your end - the other end will slow down.

but of course in case of say ping flood or similar things you can't


RE: FreeBSD Traffic Shaping

2008-04-02 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, April 01, 2008 11:27 PM
> To: freebsd-questions@freebsd.org
> Subject: RE: FreeBSD Traffic Shaping
> 
> 
> I gave port 80 as an example but I need this configuration for  
> limiting other services as well.
> 
> If you have a 100mbps connection and only one client, you want him to  
> only use 50kbps, not the full pipe. If you have 200 clients, they  
> still get 50kbps each.
> 
> Is this feature that I need so complicated that it can't be  
> implemented easily into FreeBSD or is it that not many people need it  
> ? It sounds quite useful to me :)
> 

It isn't that it's complicated or cannot be implemented easily.

It is that it's impossible to limit INCOMING bandwidth from the
Internet.

The vast majority of people out there have asymmetrical bandwidth
limiting needs - that is, they have a pipe to the Internet and
have a lot more data coming from the Internet to them, than data
going from them to the Internet.  Their desire is to somehow make
it so that certain kinds of incoming data meeting certain criteria
are limited.  Their problem is that since they don't have control of
the end sending the data to them, they can't do this.

The fewer number of people not in this boat are quite often looking
to run bandwidth restrictions on private T1s - and the routers needed
for these kinds of circuits usually have limiting code built in.  Since
they have control of both ends of the pipe they can use the limit code.

And the people not falling into these groups are mostly website
hosters looking to restrict outbound bandwidth - and for that, they
use an apache mod file (bandwidth_mod, http://www.ivn.cl/apache/ for
example) that works much better.

In short, the bandwidth limiting code really has little practical
value when implemented in FreeBSD that is why few do it.

Ted


RE: FreeBSD Traffic Shaping

2008-04-02 Thread freebsd

Hmm,

I've tried

ipfw pipe 2 config mask all bw 100Kbit/s
ipfw add 10 pipe 2 tcp from localip to any 80

it appears to be working but I don't have enough connections on right  
now to find out if it really gives 100kbit/sec to each or if it shares  
the bw


will come back with an update :)


I gave port 80 as an example but I need this configuration for  
limiting other services as well.


If you have a 100mbps connection and only one client, you want him  
to only use 50kbps, not the full pipe. If you have 200 clients, they  
still get 50kbps each.


Is this feature that I need so complicated that it can't be  
implemented easily into FreeBSD or is it that not many people need  
it ? It sounds quite useful to me :)




I have personally tried that before and it did not work as described, in
fact it didn't work at all to limit anything on FBSD6.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christopher Cowart
Sent: Tuesday, April 01, 2008 7:55 PM
To: [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Traffic Shaping

[EMAIL PROTECTED] wrote:

I am trying to limit the bandwidth available to some connections and
I'm not sure FreeBSD can handle this. Maybe some of you can help.
Here's what I need to have exactly.

No matter what the number of connections, each connection should have
at most/least 50kbps guaranteed outbound on port 80.

I've tried dummynet but it doesn't do what I need because if I define
a pipe with 1mbps and if I have 1000 connections, each connection will
have less than 50kbps.

Any way to do this in FreeBSD ?


The ipfw(8) man page describes a "mask" configuration parameter.

# /sbin/ipfw pipe 1 config mask src-ip 0x bw 56Kbit/s

This creates a separate dynamic pipe per source ip address. Each pipe has a
dedicated 56kbps. The man page implies that the mask can combine fields, so
to uniquely identify "each connection", you would mask all bits of source
and destination IP and ports. It looks like the "all"
keyword might do just the trick.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT UC Berkeley



RE: FreeBSD Traffic Shaping

2008-04-02 Thread freebsd
I gave port 80 as an example but I need this configuration for  
limiting other services as well.


If you have a 100mbps connection and only one client, you want him to  
only use 50kbps, not the full pipe. If you have 200 clients, they  
still get 50kbps each.


Is this feature that I need so complicated that it can't be  
implemented easily into FreeBSD or is it that not many people need it  
? It sounds quite useful to me :)




I have personally tried that before and it did not work as described, in
fact it didn't work at all to limit anything on FBSD6.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christopher Cowart
Sent: Tuesday, April 01, 2008 7:55 PM
To: [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Traffic Shaping

[EMAIL PROTECTED] wrote:

I am trying to limit the bandwidth available to some connections and
I'm not sure FreeBSD can handle this. Maybe some of you can help.
Here's what I need to have exactly.

No matter what the number of connections, each connection should have
at most/least 50kbps guaranteed outbound on port 80.

I've tried dummynet but it doesn't do what I need because if I define
a pipe with 1mbps and if I have 1000 connections, each connection will
have less than 50kbps.

Any way to do this in FreeBSD ?


The ipfw(8) man page describes a "mask" configuration parameter.

# /sbin/ipfw pipe 1 config mask src-ip 0x bw 56Kbit/s

This creates a separate dynamic pipe per source ip address. Each pipe has a
dedicated 56kbps. The man page implies that the mask can combine fields, so
to uniquely identify "each connection", you would mask all bits of source
and destination IP and ports. It looks like the "all"
keyword might do just the trick.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT UC Berkeley

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"







RE: FreeBSD Traffic Shaping

2008-04-01 Thread The-IRC Hosting Administration Team
I have personally tried that before and it did not work as described, in
fact it didn't work at all to limit anything on FBSD6.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christopher Cowart
Sent: Tuesday, April 01, 2008 7:55 PM
To: [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Traffic Shaping

[EMAIL PROTECTED] wrote:
> I am trying to limit the bandwidth available to some connections and 
> I'm not sure FreeBSD can handle this. Maybe some of you can help. 
> Here's what I need to have exactly.
> 
> No matter what the number of connections, each connection should have 
> at most/least 50kbps guaranteed outbound on port 80.
> 
> I've tried dummynet but it doesn't do what I need because if I define 
> a pipe with 1mbps and if I have 1000 connections, each connection will 
> have less than 50kbps.
> 
> Any way to do this in FreeBSD ?

The ipfw(8) man page describes a "mask" configuration parameter.

# /sbin/ipfw pipe 1 config mask src-ip 0x bw 56Kbit/s

This creates a separate dynamic pipe per source ip address. Each pipe has a
dedicated 56kbps. The man page implies that the mask can combine fields, so
to uniquely identify "each connection", you would mask all bits of source
and destination IP and ports. It looks like the "all"
keyword might do just the trick.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT UC Berkeley



Re: FreeBSD Traffic Shaping

2008-04-01 Thread Christopher Cowart
[EMAIL PROTECTED] wrote:
> I am trying to limit the bandwidth available to some connections and I'm 
> not sure FreeBSD can handle this. Maybe some of you can help. Here's what I 
> need to have exactly.
> 
> No matter what the number of connections, each connection should have at 
> most/least 50kbps guaranteed outbound on port 80.
> 
> I've tried dummynet but it doesn't do what I need because if I define a 
> pipe with 1mbps and if I have 1000 connections, each connection will have 
> less than 50kbps.
> 
> Any way to do this in FreeBSD ?

The ipfw(8) man page describes a "mask" configuration parameter.

# /sbin/ipfw pipe 1 config mask src-ip 0x bw 56Kbit/s

This creates a separate dynamic pipe per source ip address. Each pipe
has a dedicated 56kbps. The man page implies that the mask can combine
fields, so to uniquely identify "each connection", you would mask all
bits of source and destination IP and ports. It looks like the "all"
keyword might do just the trick.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
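
The mask behaviour described in the message above, as an added example that is not part of the original post or of ipfw: a simplified Python model in which each connection's flow id is ANDed with the mask and equal results share one dynamic pipe. The addresses, ports, the 200-client by 5-connection mix and the equal split inside a pipe are assumptions; the sample is a web server's outbound responses, where the source IP is identical for every connection and only the destination fields vary.

```python
"""Model of how a dummynet "mask" splits traffic into dynamic pipes.

Added example: a simplified model, not ipfw code. Equal sharing inside one
pipe is an assumption; addresses and ports below are constructed.
"""
import ipaddress
from collections import Counter

FIELDS = ("proto", "src_ip", "src_port", "dst_ip", "dst_port")
FULL = {"proto": 0xFF, "src_ip": 0xFFFFFFFF, "src_port": 0xFFFF,
        "dst_ip": 0xFFFFFFFF, "dst_port": 0xFFFF}


def mask(*fields):
    """Build a mask with all bits set for the named fields, 0 elsewhere."""
    return {f: (FULL[f] if f in fields else 0) for f in FIELDS}


def shape(conns, flow_mask, pipe_bps, link_bps):
    """AND each flow id with the mask; equal results share one dynamic pipe."""
    pipes = Counter(tuple(c[f] & flow_mask[f] for f in FIELDS) for c in conns)
    busiest = max(pipes.values())          # connections in the fullest pipe
    aggregate = len(pipes) * pipe_bps      # what all pipes may send together
    return {
        "pipes": len(pipes),
        "worst_conn_bps": pipe_bps // busiest,
        "aggregate_bps": aggregate,
        "fits_link": aggregate <= link_bps,
    }


def server_responses(clients=200, conns_per_client=5):
    """Constructed sample: one web server answering `clients` hosts from port 80."""
    server = int(ipaddress.ip_address("192.0.2.10"))
    first = int(ipaddress.ip_address("198.51.100.1"))
    return [{"proto": 6, "src_ip": server, "src_port": 80,
             "dst_ip": first + i, "dst_port": 40000 + j}
            for i in range(clients) for j in range(conns_per_client)]


def compare(link_bps=100_000_000):
    """Run the same 1000 connections through four pipe configurations."""
    conns = server_responses()
    return {
        "no mask, 1 Mbit/s": shape(conns, mask(), 1_000_000, link_bps),
        "mask src-ip, 50 Kbit/s": shape(conns, mask("src_ip"), 50_000, link_bps),
        "mask dst-ip, 50 Kbit/s": shape(conns, mask("dst_ip"), 50_000, link_bps),
        "mask all, 50 Kbit/s": shape(conns, mask(*FIELDS), 50_000, link_bps),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:24} {result}")
```

For this server-side sample `mask src-ip` still yields a single pipe, `mask dst-ip` yields one pipe per client, and `mask all` one per connection. The aggregate of all dynamic pipes (1000 x 50 Kbit/s here) is what the uplink has to carry, so the same configuration does not fit a 10 Mbit/s link.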




Re: FreeBSD Traffic Shaping

2008-04-01 Thread Mel
On Wednesday 02 April 2008 00:18:36 [EMAIL PROTECTED] wrote:

> I've tried dummynet but it doesn't do what I need because if I define
> a pipe with 1mbps and if I have 1000 connections, each connection will
> have less than 50kbps.
>
> Any way to do this in FreeBSD ?

No, unfortunately your ISP gives you bandwidth, not FreeBSD.
You can give yourself the illusion of guaranteed bandwidth using HFSC and pf 
altq, but at 500% of max bandwidth it is nothing more than an illusion. 
That's aside from the fact that HFSC only allows 75% of capacity to be 
designated as 'realtime'.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: FreeBSD Traffic Shaping

2008-04-01 Thread Luke Dean



On Tue, 1 Apr 2008, [EMAIL PROTECTED] wrote:

> I am trying to limit the bandwidth available to some connections and I'm not
> sure FreeBSD can handle this. Maybe some of you can help. Here's what I need
> to have exactly.
>
> No matter what the number of connections, each connection should have at
> most/least 50kbps guaranteed outbound on port 80.
>
> I've tried dummynet but it doesn't do what I need because if I define a pipe
> with 1mbps and if I have 1000 connections, each connection will have less
> than 50kbps.
>
> Any way to do this in FreeBSD ?


I can't think of any way to dynamically allocate a new pipe for each 
individual connection with any firewall software I've used.


Have you considered getting your web server to do the limiting for you?  I 
think "mod_bandwidth" for Apache is designed to do what you're asking, but 
I've never used it.



FreeBSD Traffic Shaping

2008-04-01 Thread freebsd
I am trying to limit the bandwidth available to some connections and  
I'm not sure FreeBSD can handle this. Maybe some of you can help.  
Here's what I need to have exactly.


No matter what the number of connections, each connection should have  
at most/least 50kbps guaranteed outbound on port 80.


I've tried dummynet but it doesn't do what I need because if I define  
a pipe with 1mbps and if I have 1000 connections, each connection will  
have less than 50kbps.


Any way to do this in FreeBSD ?






Re: Traffic shaping with ipfw/DUMMYNET when using natd

2006-05-25 Thread Alex de Kruijff
On Wed, May 24, 2006 at 08:32:53AM -0600, G-der wrote:
> I've been setting up ipfw and DUMMYNET to do some traffic shaping on my
> network.  Right now to test things out I've basically put everything into two
> categories.  There's traffic from 10.0.10.10 which is lower priority (this
> is a download machine) and then there's everything else.
> 
> The biggest problem I've run into is that because natd gets the packets first
> thing the only way to catch outgoing traffic is on the internal network
> interface.  That is if you want to limit based on which internal machine is
> generating the traffic like in my case.  After the divert rule for natd the
> src-ip field gets changed to my external ip address.  This has a side effect
> of limiting all the traffic on that internal interface, even stuff that is
> not bound for the internet.
> 
> I've tried playing around a little bit with the bridged, diverted, and
> diverted-output commands but can't get any of them to catch the packets.
> 
> Is there  a way to limit outgoing traffic based on which machine owns the
> traffic internally that doesn't have to be done on the internal interface?
> Would it be better practice to scan outgoing traffic before the divert rules
> for natd?

I do it on the internal nic. I just have the internal traffic skip those
rules. You could do it on the external nic, but this is more complex.
You should remember that the divert rule changes the ip address. Scanning
outgoing traffic before the divert rule and incoming after it should
work too.

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about 
setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/



Traffic shaping with ipfw/DUMMYNET when using natd

2006-05-24 Thread G-der

I've been setting up ipfw and DUMMYNET to do some traffic shaping on my
network.  Right now to test things out I've basically put everything into two
categories.  There's traffic from 10.0.10.10 which is lower priority (this
is a download machine) and then there's everything else.

The biggest problem I've run into is that because natd gets the packets first
thing the only way to catch outgoing traffic is on the internal network
interface.  That is if you want to limit based on which internal machine is
generating the traffic like in my case.  After the divert rule for natd the
src-ip field gets changed to my external ip address.  This has a side effect
of limiting all the traffic on that internal interface, even stuff that is
not bound for the internet.

I've tried playing around a little bit with the bridged, diverted, and
diverted-output commands but can't get any of them to catch the packets.

Is there  a way to limit outgoing traffic based on which machine owns the
traffic internally that doesn't have to be done on the internal interface?
Would it be better practice to scan outgoing traffic before the divert rules
for natd?

   extif="rl0"
   intif="rl1"

   #INCOMING TRAFFIC
   #Tested max incoming at 5914Kbit/s

   ${fwcmd} pipe 1 config bw 5800Kbit/s
   ${fwcmd} queue 1 config pipe 1 weight 2  #for torrent traffic
   ${fwcmd} queue 5 config pipe 1 weight 10 #for everything else

   ${fwcmd} add 1000 queue 1 ip from any to 10.0.10.10 in via ${extif}
   ${fwcmd} add 5000 queue 5 ip from any to any in via ${extif}


   #OUTGOING TRAFFIC
   #Tested max outgoing at 390Kbit/s

   ${fwcmd} pipe 2 config bw 360Kbit/s
   ${fwcmd} queue 6 config pipe 2 weight 2
   ${fwcmd} queue 10 config pipe 2 weight 10
   ${fwcmd} add 6000 queue 6 ip from 10.0.10.10 to any in via ${intif}
   ${fwcmd} add 8000 queue 10 ip from any to any in via ${intif}

Here's the rules, I appreciate the assistance.  Please cc me on reply, I'm
not a regular subscriber.

Thank you

Gene Dinkey


IPFW traffic shaping questions

2005-12-30 Thread Pavel Duda

Hello,
I have few questions for ipfw gurus..

1) can I see what packets are matching my pipes/queues ? I'm using "ipfw 
pipe show" for example but there is always only one host so if I'm 
testing some rules I can't tell if they work or not (maybe there is some 
other way how to "trace" such things ?)


2) how to correctly setup ul/dl limits for clients ? I have 4096/256 
line and I want primarily control upload because when someone starts 
uploading too much line become unusable for low latency apps (games, ip 
phone, audio broadcasting). I have created queues to limit upload, but 
then also download was affected and slowdown was very big. I have tried 
to add rule for ACK packets - no effect (I'm not network guru maybe this 
is not enough for speeding up download).


Now I'm thinking that maybe I have wrong rules because as I remember 
pipes and queues are managed differently than other ipfw rules and even 
when I put unlimited pipe for "ACK out" it is then limited by second 
rule for "all out" - pipes/queues are not "first match wins" right ?


3) this is similar to 1) - is there some tool for monitoring how packet 
"flows" through rules ? And I don't mean using "ipfw log" :-) ...


Any advice or web tutorial for network-lama (ie. me :-) ) appreciated.

Thanks & Happy New Year
Pavel D.



Dummynet traffic shaping question (TCP-ACK prioritization)

2005-03-06 Thread Daniel Eriksson

(question at the end)

I have a server that sits on a medium speed link (10Mbit, full duplex) that
under certain network loads starts to show what looks like TCP-ACK delay
problems. At full upstream saturation the downstream speed is reduced.

I modded the firewall rules to prioritize TCP-ACKs into one queue and all
other outgoing traffic into another queue. Something like this:

${fwcmd} pipe 1 config
${fwcmd} queue 1 config pipe 1 weight 100
${fwcmd} queue 2 config pipe 1 weight 1
# Route all outgoing TCP traffic with the ACK flag through the high priority queue
${fwcmd} add queue 1 tcp from any to any out via ${ext_if} tcpflags ack iplen 0-80
# Route all other (established) outgoing TCP traffic through the low priority queue
${fwcmd} add queue 2 tcp from any to any out via ${ext_if} established

Looking at the output of 'ipfw show' seems to indicate the queues are
getting the packets they should get:
00100 1738731   69778250 queue 1 tcp from any to any out via em0 tcpflags ack iplen 0-80
00200 5133634 7689253633 queue 2 tcp from any to any out via em0 established

Even though everything looks OK, the results have not been what I hoped for
(same problem with downstream speed during full upstream saturation).

My question is: Do I need to tell the pipe how fat it is (${fwcmd} pipe 1
config bw 10Mbit/s) to get the queue prioritization to work properly, or is
it OK to leave out the speed and just let it run full tilt?

/Daniel Eriksson




Re: IPFilter and traffic shaping

2005-02-04 Thread Matthew Seaman
On Fri, Feb 04, 2005 at 09:28:00AM +0300, Odhiambo Washington wrote:

> Is there a way to do traffic shaping using IPFilter, akin to what
> ipfw+dummynet does? FreeBSD 5.x here.

Seeing as you're running 5.x, you've also got the choice of PF for
firewalling. That's the OpenBSD fork of ipf with all sorts of goodies
like CARP and ALTQ added to it.  Syntax is very much like IPF, with
lots of nice touches for easily doing standard things, eg. like
antispoofing rules.  See: http://www.openbsd.org/faq/pf/ ALTQ will be
able to do all of the traffic shaping you could desire.

 Cheers,

 Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   8 Dane Court Manor
  School Rd
PGP: http://www.infracaninophile.co.uk/pgpkey Tilmanstone
Tel: +44 1304 617253  Kent, CT14 0JL UK




IPFilter and traffic shaping

2005-02-03 Thread Odhiambo Washington
Hello users,

Is there a way to do traffic shaping using IPFilter, akin to what
ipfw+dummynet does? FreeBSD 5.x here.

Thanks

-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
Keep America beautiful.  Swallow your beer cans.


Re: Traffic shaping

2004-07-02 Thread Derrick
On Fri, 2004-07-02 at 07:35, Kevin A. Pieckiel wrote:
> I want to do traffic shaping with a FreeBSD firewall.  The firewall uses
> IPF on FBSD 5.2.1-p8, and the only shaper I see in the ports is trickle.
> This doesn't even integrate into the firewall, so it would be useless to
> me for shaping traffic from other hosts on the protected network.
> Besides, I can't allocate bandwidth the way I want to.
> 
> I basically want to be able to "guarantee" certain services a certain
> minimum level of bandwidth, but offering more if it is available.  For
> example, I want WWW traffic to have at LEAST 50% of outgoing bandwidth
> under heavy load (leaving 50% for all other services).  But I also want
> to "guarantee" that interactive sessions (ssh) have 10% of the bandwidth.
> (I'm just making these numbers up for this example.)  That way, if I
> crank up, say, NNTP services on a client and start sucking large files
> from USENET, or if I start FTPing ISO images for the next FBSD release,
> I could still surf the web and ssh to my favorite offsite computers
> without much delay in response.  Yet if I'm otherwise idle while NNTPing
> or FTPing, I can use the full bandwidth of my connection for the file
> transfers.
> 
> I started looking at ALTQ, but wasn't sure how well it worked with FBSD.
> I'm not even sure if it can offer the kind of QoS shaping I want; I was
> more interested in if it even worked with FBSD.
> 
> Are there any recommendations out there?  Does anyone here have any
> experience with a FBSD QoS traffic shaper?

ALTQ would probably work, but most recommendations around here would be
for DUMMYNET.  You will need to recompile your kernel if the option
isn't there already.

With DUMMYNET, you can specify traffic through certain ports or certain
ips get X bandwidth, or you can have it intelligently divide bandwidth
in that if no one else is using their allotment, you can "borrow"
theirs.  I don't have the full details on how to set it up as I have
fully jumped off that bridge yet, but I am sure someone else on this
list could give more detailed answers to a finer grained question.





Traffic shaping

2004-07-02 Thread Kevin A. Pieckiel
I want to do traffic shaping with a FreeBSD firewall.  The firewall uses
IPF on FBSD 5.2.1-p8, and the only shaper I see in the ports is trickle.
This doesn't even integrate into the firewall, so it would be useless to
me for shaping traffic from other hosts on the protected network.
Besides, I can't allocate bandwidth the way I want to.

I basically want to be able to "guarantee" certain services a certain
minimum level of bandwidth, but offering more if it is available.  For
example, I want WWW traffic to have at LEAST 50% of outgoing bandwidth
under heavy load (leaving 50% for all other services).  But I also want
to "guarantee" that interactive sessions (ssh) have 10% of the bandwidth.
(I'm just making these numbers up for this example.)  That way, if I
crank up, say, NNTP services on a client and start sucking large files
from USENET, or if I start FTPing ISO images for the next FBSD release,
I could still surf the web and ssh to my favorite offsite computers
without much delay in response.  Yet if I'm otherwise idle while NNTPing
or FTPing, I can use the full bandwidth of my connection for the file
transfers.

I started looking at ALTQ, but wasn't sure how well it worked with FBSD.
I'm not even sure if it can offer the kind of QoS shaping I want; I was
more interested in if it even worked with FBSD.

Are there any recommendations out there?  Does anyone here have any
experience with a FBSD QoS traffic shaper?


Re: ideal ipfw traffic shaping rules for small DSL net

2004-06-09 Thread Roger 'Rocky' Vetterberg
Kenji M wrote:
> Hello network gurus,
> I'm looking for a good baseline ipfw shaping policy configuration for
> people who are using small upstream DSL bandwidth.  I have 3Mbit
> downstream and 768K upstream and I use a ipf for natting and ipfw
> with dummynet to do traffic shaping.  Considering a 750KB upstream
> pipe, what size queues would be the most beneficial to balance
> http, ssh, and other chat protocols sitting behind the natted firewall?
>
> I'm looking for some sample configurations to study.
> Any pointers appreciated!
> -Kenji

http://bsdvault.net/sections.php?op=viewarticle&artid=116 should get 
you started.
It's a bit messy, but I'm sure you can use it as a sample 
configuration and tweak it to fit your needs.

--
R


ideal ipfw traffic shaping rules for small DSL net

2004-06-08 Thread Kenji M
Hello network gurus,
I'm looking for a good baseline ipfw shaping policy configuration for
people who are using small upstream DSL bandwidth.  I have 3Mbit 
downstream and 768K upstream and I use a ipf for natting and ipfw 
with dummynet to do traffic shaping.  Considering a 750KB upstream
pipe, what size queues would be the most beneficial to balance 
http, ssh, and other chat protocols sitting behind the natted firewall?

I'm looking for some sample configurations to study.

Any pointers appreciated!

-Kenji


-- 
+
kenji morishige
[EMAIL PROTECTED]
http://www.kenjim.com
+


Re: Latency problem with traffic shaping (ipfw/dummynet)

2004-03-21 Thread Vincent Poy
On Sun, 21 Mar 2004, Luigi Rizzo wrote:

> On Sat, Mar 20, 2004 at 12:56:08PM -1000, Vincent Poy wrote:
> ...
> > > the above configuration means that if queue 1 is getting a bandwidth
> > > X, then queue 2 will get 0.99X, queue 3 will get 0.98X, queue
> > > 4 will get 0.97X. Hardly matching any reasonable definition of high-mid-low
> > > priority!
> >
> > Hmm, I think I did it that way because 100 is the largest number
> > and I didn't decide on how many queues I may add later so the numbers will
> > change but does the weight number really mean 99%, 98%, 97% priority?  So
> > should it really be 66, 33, and 1?
>
> no, the weights mean exactly what i wrote above, and they
> are weights not priorities. As to the values to use,
> that's entirely up to you.

Just as I thought.  I rebooted and latencies have gone down.  It
seems that latency when the pipes are filled are always 50-100ms slower on
boxes behind the FreeBSD box.  One question though, with ipfw pipe show or
ipfw queue show, is it supposed to show all traffic that matches the queue
rule or just only one?


Cheers,
Vince - [EMAIL PROTECTED] - Vice President    __ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[]
[EMAIL PROTECTED] - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin



Re: Latency problem with traffic shaping (ipfw/dummynet)

2004-03-21 Thread Luigi Rizzo
On Sat, Mar 20, 2004 at 12:56:08PM -1000, Vincent Poy wrote:
...
> > the above configuration means that if queue 1 is getting a bandwidth
> > X, then queue 2 will get 0.99X, queue 3 will get 0.98X, queue
> > 4 will get 0.97X. Hardly matching any reasonable definition of high-mid-low
> > priority!
> 
>   Hmm, I think I did it that way because 100 is the largest number
> and I didn't decide on how many queues I may add later so the numbers will
> change but does the weight number really mean 99%, 98%, 97% priority?  So
> should it really be 66, 33, and 1?

no, the weights mean exactly what i wrote above, and they
are weights not priorities. As to the values to use,
that's entirely up to you.

cheers
luigi


Re: Latency problem with traffic shaping (ipfw/dummynet)

2004-03-20 Thread Vincent Poy
On Sat, 20 Mar 2004, Luigi Rizzo wrote:

> cannot comment on the reason for the huge delay (but one
> way to check what is going on is to change the pipe's bandwidth
> and see if anything changes), but i see a big
> misunderstanding on weights vs. priorities in your
> configuration:

The delay only seems to be coming from machines behind the FreeBSD
box and not the FreeBSD box itself since every box has static IP's, only
the outgoing is via the FreeBSD box but the downstream is direct from the
modem through the switch and then the machines directly.

> > # Define our upload pipe
> > ${fwcmd} pipe 1 config bw 480Kbit/s
> > # Define a high-priority queue
> > ${fwcmd} queue 1 config pipe 1 weight 100
> > # Define a medium-high-priority queue
> > ${fwcmd} queue 2 config pipe 1 weight 99
> > # Define a medium-low-priority queue
> > ${fwcmd} queue 3 config pipe 1 weight 98
> > # Define a low-priority queue
> > ${fwcmd} queue 4 config pipe 1 weight 97
>
> the above configuration means that if queue 1 is getting a bandwidth
> X, then queue 2 will get 0.99X, queue 3 will get 0.98X, queue
> 4 will get 0.97X. Hardly matching any reasonable definition of high-mid-low
> priority!

Hmm, I think I did it that way because 100 is the largest number
and I didn't decide on how many queues I may add later so the numbers will
change but does the weight number really mean 99%, 98%, 97% priority?  So
should it really be 66, 33, and 1?


Cheers,
Vince - [EMAIL PROTECTED] - Vice President    __ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[]
[EMAIL PROTECTED] - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin






Re: Latency problem with traffic shaping (ipfw/dummynet)

2004-03-20 Thread Luigi Rizzo
cannot comment on the reason for the huge delay (but one
way to check what is going on is to change the pipe's bandwidth
and see if anything changes), but i see a big
misunderstanding on weights vs. priorities in your
configuration:

> # Define our upload pipe
> ${fwcmd} pipe 1 config bw 480Kbit/s
> # Define a high-priority queue
> ${fwcmd} queue 1 config pipe 1 weight 100
> # Define a medium-high-priority queue
> ${fwcmd} queue 2 config pipe 1 weight 99
> # Define a medium-low-priority queue
> ${fwcmd} queue 3 config pipe 1 weight 98
> # Define a low-priority queue
> ${fwcmd} queue 4 config pipe 1 weight 97

the above configuration means that if queue 1 is getting a bandwidth
X, then queue 2 will get 0.99X, queue 3 will get 0.98X, queue
4 will get 0.97X. Hardly matching any reasonable definition of high-mid-low
priority!

cheers
luigi
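
The weight semantics described in the message above, as an added example that is not part of the original post or of dummynet: a small self-clocked fair queueing simulation that serves always-backlogged queues and reports the bandwidth each one receives. dummynet itself schedules queues with WF2Q+; the simpler scheduler, the 1500-byte packets and the 60-second run are assumptions, and the 100/1 weight pair is taken from another ruleset on this page.

```python
"""Self-clocked fair queueing model of dummynet queue weights.

Added example, not dummynet code: dummynet schedules queues with WF2Q+;
this simpler scheduler gives the same long-run shares when every queue
always has a packet waiting. Packet size and run time are constructed.
"""
from fractions import Fraction

PIPE_BPS = 480_000  # "pipe 1 config bw 480Kbit/s" from the quoted ruleset


def simulate(weights, link_bps, seconds=60, pkt_bytes=1500):
    """Return {queue: achieved bit/s} for always-backlogged queues.

    weights maps a queue name to its ipfw "weight" value (1..100).
    """
    # Virtual finish tag of the packet at the head of each queue.
    finish = {q: Fraction(pkt_bytes, w) for q, w in weights.items()}
    sent_pkts = dict.fromkeys(weights, 0)
    pkt_bits = pkt_bytes * 8
    budget = link_bps * seconds            # bits the pipe can carry in the run
    while budget >= pkt_bits:
        q = min(finish, key=finish.get)    # smallest tag is transmitted next
        budget -= pkt_bits
        sent_pkts[q] += 1
        # The queue is still backlogged, so tag its next packet: a larger
        # weight advances the tag more slowly and is picked more often.
        finish[q] += Fraction(pkt_bytes, weights[q])
    return {q: n * pkt_bits // seconds for q, n in sent_pkts.items()}


def scenarios():
    """Three cases: the quoted weights, two of them alone, and a 100/1 pair."""
    return {
        "100/99/98/97, all four busy": simulate(
            {"q1": 100, "q2": 99, "q3": 98, "q4": 97}, PIPE_BPS),
        "100/97, only q1 and q4 busy": simulate(
            {"q1": 100, "q4": 97}, PIPE_BPS),
        "100/1, both busy": simulate(
            {"q1": 100, "q2": 1}, PIPE_BPS),
    }


if __name__ == "__main__":
    for label, shares in scenarios().items():
        pretty = ", ".join(f"{q}={bps / 1000:.1f} Kbit/s"
                           for q, bps in shares.items())
        print(f"{label:30} {pretty}")
```

With the four near-equal weights every busy queue ends up with roughly a quarter of the pipe, and an idle queue's share is split among the busy ones in proportion to their weights.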


Latency problem with traffic shaping (ipfw/dummynet)

2004-03-20 Thread Vincent Poy
On this subject, I have one of my own...  I have a
6.016Mbps/608kbps ADSL connection with 8 static IP's from my ISP.  I'm
using the FreeBSD box to basically limit my upstream bandwidth to 480kbps
so that the downloads would work while uploading.  In my kernel, I do have
the following options:

options IPFIREWALL      #firewall
options IPDIVERT        #divert sockets
options DUMMYNET
options BRIDGE
options HZ=1000
options NMBCLUSTERS=65536

The 8 IP's I'm using is 208.204.244.224-231 on a /24 block with
the gateway on the other side at my ISP being 208.204.244.1.  The FreeBSD
machine is 208.204.244.224 and I do have gateway ip forwarding enabled. My
problem is that while as far as speeds are concerned, it's working
correctly on both the .224 (FreeBSD box) as well as the .225-.231 boxes
behind it.  The issue is that tracerouting from any box other than the
FreeBSD box shows latencies of 1000+ms after the FreeBSD router beginning
with hop 2 when the upstream pipe is being used while the FreeBSD box
shows the latency at 40-50ms which is correct under traffic load.  Anyone
knows what's causing this or is this the way it's supposed to work?  All
the machines are pointing to .224 (FreeBSD box) as the gateway.  All local
traffic doesn't go through dummynet's queues.  This is how I have ipfw
configured.

setup_loopback
# Traffic Shaping for DSL connection 6.016Mbps/608Kbps
# Make packets exiting dummynet not continue down the chain
# If this is not enabled, then packets leaving an early
# queue might enter a later queue if the conditions for
# the later queue are met, which would be completely
# devastating to all the prioritizing we're doing
${fwcmd} enable one_pass
# Add rules so that local routable IP LAN traffic does not use natd
${fwcmd} add 39 divert natd all from 10.0.0.0/8 to any via ${natd_interface}
${fwcmd} add 40 divert natd all from 172.16.0.0/12 to any via ${natd_interface}
${fwcmd} add 41 divert natd all from 192.168.0.0/16 to any via ${natd_interface}
${fwcmd} add 42 divert natd all from 208.201.244.224/29 to 10.0.0.0/8 via ${natd_interface}
${fwcmd} add 43 divert natd all from 208.201.244.224/29 to 172.16.0.0/12 via ${natd_interface}
${fwcmd} add 44 divert natd all from 208.201.244.224/29 to 192.168.0.0/16 via ${natd_interface}
${fwcmd} add 45 divert natd all from any to 10.0.0.0/8 via ${natd_interface}
${fwcmd} add 46 divert natd all from any to 172.16.0.0/12 via ${natd_interface}
${fwcmd} add 47 divert natd all from any to 192.168.0.0/16 via ${natd_interface}
${fwcmd} add 48 divert natd all from any to 208.201.244.224/29 via ${natd_interface}
${fwcmd} add 49 skipto 100 ip from 208.201.244.224/29 to any
${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
# Route LAN and RFC1918 networks without Traffic Shaping
${fwcmd} add 63000 allow all from any to 10.0.0.0/8 out
${fwcmd} add 63001 allow all from any to 172.16.0.0/12 out
${fwcmd} add 63002 allow all from any to 192.168.0.0/16 out
${fwcmd} add 63003 allow all from any to 208.201.244.224/29 out
# Define our upload pipe
${fwcmd} pipe 1 config bw 480Kbit/s
# Define a high-priority queue
${fwcmd} queue 1 config pipe 1 weight 100
# Define a medium-high-priority queue
${fwcmd} queue 2 config pipe 1 weight 99
# Define a medium-low-priority queue
${fwcmd} queue 3 config pipe 1 weight 98
# Define a low-priority queue
${fwcmd} queue 4 config pipe 1 weight 97
# Assign outgoing empty/small ACK packets to the high-priority queue
${fwcmd} add 63004 set 0 queue 1 tcp from any to any tcpflags ack iplen 0-80 out
# Assign outgoing UDP (DNS/gaming) and SSH traffic to the medium-high-priority queue
${fwcmd} add 63005 set 0 queue 2 tcp from any to any 22,23 out
${fwcmd} add 63006 set 0 queue 2 udp from any to any not 80,443 out
# Assign outgoing HTTP/HTTPS WEB traffic to the medium-low-priority queue
${fwcmd} add 63007 set 0 queue 3 all from any to any 80,443 out
# Assign all other outgoing traffic to the low-priority queue
${fwcmd} add 63008 set 0 queue 4 all from any to any out
# End of Traffic Shaping
${fwcmd} add 65000 pass all from any to any

This is what the latencies look like on the machines behind the
FreeBSD router when there is a upload:

Tracing route to wurldlink.net [66.193.144.22]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  adsl-208-201-244-224.sonic.net [208.201.244.224]
  2   915 ms   933 ms  1025 ms  adsl-208-201-244-1.sonic.net [208.201.244.1]
  3  1082 ms  1015 

Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Vincent Poy
On Fri, 6 Feb 2004, Dan Pelleg wrote:

> Vincent Poy writes:
>  >
>  >That's the part where it becomes difficult since even though I
>  > have 8 IP's, it's still on a /24 mask so only the 8 IP's in that /24 are
>  > actually local.
>
> Use a /27 mask.

a /27 would work except it'll be 32 IP's with 24 of them that
would need the traffic shaping.  So hopefully this would work:

ipfw add queue 1 ip from any to any out xmit xl0
or just ipfw add queue 1
followed by:

ipfw pipe 1 config bw 384Kbit/s
ipfw queue 1 config pipe 1 weight 30 mask all
ipfw pass from 192.168.0.0/16 to any
ipfw pass from 209.204.138.224 to any
ipfw pass from 209.204.138.225 to any
ipfw pass from 209.204.138.226 to any
ipfw pass from 209.204.138.227 to any
ipfw pass from 209.204.138.228 to any
ipfw pass from 209.204.138.229 to any
ipfw pass from 209.204.138.230 to any
ipfw pass from 209.204.138.231 to any
ipfw queue 1 from any to any

Now just have to figure out how to make it so that ack's would
have priority.  Thanks!


Cheers,
Vince - [EMAIL PROTECTED] - Vice President    __ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[]
[EMAIL PROTECTED] - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Dan Pelleg
Vincent Poy writes:
 > 
 >  That's the part where it becomes difficult since even though I
 > have 8 IP's, it's still on a /24 mask so only the 8 IP's in that /24 are
 > actually local.
 > 

Use a /27 mask.


Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Vincent Poy
On 6 Feb 2004, Dan Pelleg wrote:

> Vincent Poy <[EMAIL PROTECTED]> writes:
>
> >
> > After reading ipfw(8), I hope I have it correct that it's
> > like this:
> >
> > ipfw add queue 1 ip from any to any out xmit xl0
>
> Shouldn't "ipfw add queue 1" be enough?

Don't know, that was what I was told to do by Luigi many years ago
except it was for PPPoE so I didn't have a static IP at all as that one
was interface specific.

> > ipfw pipe 1 config bw 384Kbit/s
> > ipfw queue 1 config pipe 1 weight 30 mask all
> >
> > Now I'm just confused how to do the IP portion so that:
> >
> > 192.168.0.0 255.255.0.0
> > 209.204.138.224-231
> > are not included
> >
> > but everything else in 209.204.x.x is as well as any undefined IP.
>
> the first match wins. So:
>
> pass from 192.168.0.0/16 to any
> pass from 209.204.138.224/29 to any
> queue 1 from any to any
>
> alternatively, use a "skipto" rule. Whatever fits in your ruleset better.

A question on the /29 one, as my ISP seems to give the 8 IP's from
a /24 netmask, wouldn't the /29 actually filter out .224 and .231 from
working or does it basically exclude that range?


Cheers,
Vince - [EMAIL PROTECTED] - Vice President    __ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[]
[EMAIL PROTECTED] - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin




Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Vincent Poy
On 6 Feb 2004, Dan Pelleg wrote:

> Vincent Poy <[EMAIL PROTECTED]> writes:
>
> > On 6 Feb 2004, Dan Pelleg wrote:
> >
> > > Vincent Poy <[EMAIL PROTECTED]> writes:
> > >
> > > > Greetings all:
> > > >
> > > > I have an ADSL connection where the upstream pipe is smaller than
> > > > the downstream with it at 1.5Mbps/384kbps now and will be upgrading to
> > > > 6Mbps/608kbps soon.  The issue I'm having is that whenever I upload, it
> > > > fills the upstream to full capacity and the downstream would lag as the
> > > > ACKs can't be sent back in time.  I was told that traffic shaping or
> > > > fair queue routing would solve this issue but I only have one NIC
> > > > interface as I am running FreeBSD on a fully loaded notebook with a
> > > > Pentium 4M-2.6Ghz CPU, 2GB RAM and 60GB 7200RPM HDD with a 10/100 3COM xl0
> > > > built in NIC.  The problem is that I have 8 static IP's with my ISP so
> > > > that the LAN IP's, x.x.x.224-.231 netmask 255.255.255.0 are all locally on
> > > > the LAN so I want those to use the full speed of the connection without
> > > > traffic shaping.  The NIC also has the 192.168.x.x netmask 255.255.0.0
> > > > addresses for the local LAN as well so how do I setup traffic shaping in
> > > > this scenario so that only traffic that actually uses x.x.x.1 from the
> > > > x.x.x.224 IP that isn't local LAN traffic actually use traffic shaping or
> > > > fair queue routing while LAN traffic will just use the full speed.  I
> > > > already have these options in the KERNEL config.
> > > >
> > > > options IPFIREWALL
> > > > options IPDIVERT
> > > > options DUMMYNET
> > > > options BRIDGE
> > > >
> > > > Thanks for your help in advance!
> > >
> > > See ipfw(8). You can match rules by interface or address mask, so you don't
> > > need to touch LAN traffic.
> >
> > That's the part I'm confused about.  Since I only have one
> > interface, I assume I have to do it by address mask but how would one
> > define it as for example,
> >
> > 10.0.0.224-231 would not use the traffic shaper but 10.0.0.1-223 as well
> > as 10.0.0.232-254 would?
> >
>
> Whatever rule you have for shaping, you condition it on "from
> 10.0.0.224/28" (or whatever the appropriate mask is). Or use the negation
> of the condition and have a special case for non-capped traffic (so
> internet traffic falls through to the next rule).

That's the part where it becomes difficult since even though I
have 8 IP's, it's still on a /24 mask so only the 8 IP's in that /24 are
actually local.

> > > Correct, the problem when you upload on an asymmetric link has to do with
> > > acknowledgment packets that downloading apps need to send back to the
> > > remote server, and they have to wait in the upload queue (which is
> > > saturated). You need to prioritize those. One way to do this is to filter
> > > on small iplen. This has been discussed in the mailing lists in the past
> > > (try the archive of the ipfw@ list). Just remember you can only shape
> > > outbound packets (ie, leaving your computer). Doesn't matter if they're up
> > > or down the DSL line, just that they go out (shaping incoming traffic makes
> > > no sense).
> >
> > True.  But when you have the shaping, do you actually set it to
> > the speed of the line or do you set it to like 5% below the speed of the
> > line and on the acknowledgement packets, does traffic shaping actually
> > reserve some space for that to go back or does it just queue it a certain
> > way?  Thanks.
>
> You need to handle the ack packets specially in your rules, it will not
> reserve bandwidth for them unless you tell it to.
>
> With ipfw, there are two ways to do this. Again I'm only talking about
> packets leaving your computer and heading to the internet (so condition the
> rules appropriately)
>
> 1. two pipes, one with static allocation (say 95% of bw, or whatever works
> for you), other can have unlimited bw. Non-ack packets go to the capped
> pipe, ack packets go to the other one.
>
> alternatively,
>
> 2. one pipe (unlimited bw), two queues in that pipe, one queue has a much
> much higher weight. Non-ack packets go to one pipe (low weight), ack
> packets to the other. This approach actually lets you use the entire
> available bandw

Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Dan Pelleg
Vincent Poy <[EMAIL PROTECTED]> writes:

> 
>   After reading ipfw(8), I hope I have it correct that it's
> like this:
> 
> ipfw add queue 1 ip from any to any out xmit xl0

Shouldn't "ipfw add queue 1" be enough?

> ipfw pipe 1 config bw 384Kbit/s
> ipfw queue 1 config pipe 1 weight 30 mask all
> 
>   Now I'm just confused how to do the IP portion so that:
> 
> 192.168.0.0 255.255.0.0
> 209.204.138.224-231
> are not included
> 
> but everything else in 209.204.x.x is as well as any undefined IP.

the first match wins. So:

pass from 192.168.0.0/16 to any
pass from 209.204.138.224/29 to any
queue 1 from any to any

alternatively, use a "skipto" rule. Whatever fits in your ruleset better.


-- 

  Dan Pelleg


Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Dan Pelleg
Vincent Poy <[EMAIL PROTECTED]> writes:

> On 6 Feb 2004, Dan Pelleg wrote:
> 
> > Vincent Poy <[EMAIL PROTECTED]> writes:
> >
> > > Greetings all:
> > >
> > >   I have an ADSL connection where the upstream pipe is smaller than
> > > the downstream with it at 1.5Mbps/384kbps now and will be upgrading to
> > > 6Mbps/608kbps soon.  The issue I'm having is that whenever I upload, it
> > > fills the upstream to full capacity and the downstream would lag as the
> > > ACKs can't be sent back in time.  I was told that traffic shaping or
> > > fair queue routing would solve this issue but I only have one NIC
> > > interface as I am running FreeBSD on a fully loaded notebook with a
> > > Pentium 4M-2.6Ghz CPU, 2GB RAM and 60GB 7200RPM HDD with a 10/100 3COM xl0
> > > built in NIC.  The problem is that I have 8 static IP's with my ISP so
> > > that the LAN IP's, x.x.x.224-.231 netmask 255.255.255.0 are all locally on
> > > the LAN so I want those to use the full speed of the connection without
> > > traffic shaping.  The NIC also has the 192.168.x.x netmask 255.255.0.0
> > > addresses for the local LAN as well so how do I setup traffic shaping in
> > > this scenario so that only traffic that actually uses x.x.x.1 from the
> > > x.x.x.224 IP that isn't local LAN traffic actually use traffic shaping or
> > > fair queue routing while LAN traffic will just use the full speed.  I
> > > already have these options in the KERNEL config.
> > >
> > > options IPFIREWALL
> > > options IPDIVERT
> > > options DUMMYNET
> > > options BRIDGE
> > >
> > >   Thanks for your help in advance!
> >
> > See ipfw(8). You can match rules by interface or address mask, so you don't
> > need to touch LAN traffic.
> 
>   That's the part I'm confused about.  Since I only have one
> interface, I assume I have to do it by address mask but how would one
> define it as for example,
> 
> 10.0.0.224-231 would not use the traffic shaper but 10.0.0.1-223 as well
> as 10.0.0.232-254 would?
> 

Whatever rule you have for shaping, you condition it on "from
10.0.0.224/28" (or whatever the appropriate mask is). Or use the negation
of the condition and have a special case for non-capped traffic (so
internet traffic falls through to the next rule).

> > Correct, the problem when you upload on an asymmetric link has to do with
> > acknowledgment packets that downloading apps need to send back to the
> > remote server, and they have to wait in the upload queue (which is
> > saturated). You need to prioritize those. One way to do this is to filter
> > on small iplen. This has been discussed in the mailing lists in the past
> > (try the archive of the ipfw@ list). Just remember you can only shape
> > outbound packets (ie, leaving your computer). Doesn't matter if they're up
> > or down the DSL line, just that they go out (shaping incoming traffic makes
> > no sense).
> 
>   True.  But when you have the shaping, do you actually set it to
> the speed of the line or do you set it to like 5% below the speed of the
> line and on the acknowledgement packets, does traffic shaping actually
> reserve some space for that to go back or does it just queue it a certain
> way?  Thanks.
> 

You need to handle the ack packets specially in your rules, it will not
reserve bandwidth for them unless you tell it to.

With ipfw, there are two ways to do this. Again I'm only talking about
packets leaving your computer and heading to the internet (so condition the
rules appropriately)

1. two pipes, one with static allocation (say 95% of bw, or whatever works
for you), other can have unlimited bw. Non-ack packets go to the capped
pipe, ack packets go to the other one.

alternatively,

2. one pipe (unlimited bw), two queues in that pipe, one queue has a much
much higher weight. Non-ack packets go to one pipe (low weight), ack
packets to the other. This approach actually lets you use the entire
available bandwidth for either kind of traffic if there is no other demand
for it. It also frees you from having to specify the maximum bandwidth,
which can change when you, say, upgrade your DSL, or even take the laptop
to a wifi cafe.

-- 

  Dan Pelleg
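
Dan Pelleg's second option combined with the first-match exemptions from his earlier reply, as an added example that is not code from anyone in the thread. The weights 90/10, the rule numbers and the `FWCMD`, `UPLINK_BW`, `OIF` and `UNSHAPED_NETS` names are assumptions; the bandwidth, interface and networks are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: FWCMD only echoes
# the commands. On the FreeBSD router, run as root with FWCMD="ipfw -q".
FWCMD="${FWCMD:-echo ipfw}"
UPLINK_BW="${UPLINK_BW:-384Kbit/s}"   # upstream rate quoted in the thread
OIF="${OIF:-xl0}"                     # the single NIC from the thread
# Sources that must bypass the shaper (the two ranges passed in Dan's reply).
UNSHAPED_NETS="192.168.0.0/16 209.204.138.224/29"

shaping_rules() {
    # One pipe for the uplink, two queues sharing it by weight.
    $FWCMD pipe 1 config bw "$UPLINK_BW"
    $FWCMD queue 1 config pipe 1 weight 90    # small ACKs
    $FWCMD queue 2 config pipe 1 weight 10    # everything else

    # First match wins, so the exemptions get the lowest rule numbers.
    rule=1000
    for net in $UNSHAPED_NETS; do
        $FWCMD add "$rule" pass ip from "$net" to any
        rule=$((rule + 10))
    done

    # Only outbound packets are queued; empty/small ACKs are matched first.
    $FWCMD add 2000 queue 1 tcp from any to any tcpflags ack iplen 0-80 out xmit "$OIF"
    $FWCMD add 2010 queue 2 ip from any to any out xmit "$OIF"
}

# Lint for dry-run output on stdin: succeeds only if every "pass" rule is
# numbered below the lowest "queue" rule. If the order is reversed, exempt
# traffic hits the queue rule first and is shaped anyway.
check_order() {
    awk '
        $2 == "add" && $4 == "pass"  { if ($3 > maxpass) maxpass = $3 }
        $2 == "add" && $4 == "queue" { if (minq == 0 || $3 < minq) minq = $3 }
        END { exit !(minq > 0 && maxpass > 0 && maxpass < minq) }
    '
}

shaping_rules
```

Because `pass` ends rule evaluation, these exemptions also bypass any filtering rules numbered after them; the `skipto` alternative Dan mentions keeps later deny rules in effect for the exempt networks.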


Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Vincent Poy
On Fri, 6 Feb 2004, Vincent Poy wrote:

> On 6 Feb 2004, Dan Pelleg wrote:
>
> > Vincent Poy <[EMAIL PROTECTED]> writes:
> >
> > > Greetings all:
> > >
> > >   I have an ADSL connection where the upstream pipe is smaller than
> > > the downstream with it at 1.5Mbps/384kbps now and will be upgrading to
> > > 6Mbps/608kbps soon.  The issue I'm having is that whenever I upload, it
> > > fills the upstream to full capacity and the downstream would lag as the
> > > ACKs can't be sent back in time.  I was told that traffic shaping or
> > > fair queue routing would solve this issue but I only have one NIC
> > > interface as I am running FreeBSD on a fully loaded notebook with a
> > > Pentium 4M-2.6Ghz CPU, 2GB RAM and 60GB 7200RPM HDD with a 10/100 3COM xl0
> > > built in NIC.  The problem is that I have 8 static IP's with my ISP so
> > > that the LAN IP's, x.x.x.224-.231 netmask 255.255.255.0 are all locally on
> > > the LAN so I want those to use the full speed of the connection without
> > > traffic shaping.  The NIC also has the 192.168.x.x netmask 255.255.0.0
> > > addresses for the local LAN as well so how do I setup traffic shaping in
> > > this scenario so that only traffic that actually uses x.x.x.1 from the
> > > x.x.x.224 IP that isn't local LAN traffic actually use traffic shaping or
> > > fair queue routing while LAN traffic will just use the full speed.  I
> > > already have these options in the KERNEL config.
> > >
> > > options IPFIREWALL
> > > options IPDIVERT
> > > options DUMMYNET
> > > options BRIDGE
> > >
> > >   Thanks for your help in advance!
> >
> > See ipfw(8). You can match rules by interface or address mask, so you don't
> > need to touch LAN traffic.
>
>   That's the part I'm confused about.  Since I only have one
> interface, I assume I have to do it by address mask but how would one
> define it as for example,
>
> 10.0.0.224-231 would not use the traffic shaper but 10.0.0.1-223 as well
> as 10.0.0.232-254 would?
>
> > Correct, the problem when you upload on an asymmetric link has to do with
> > acknowledgment packets that downloading apps need to send back to the
> > remote server, and they have to wait in the upload queue (which is
> > saturated). You need to prioritize those. One way to do this is to filter
> > on small iplen. This has been discussed in the mailing lists in the past
> > (try the archive of the ipfw@ list). Just remember you can only shape
> > outbound packets (ie, leaving your computer). Doesn't matter if they're up
> > or down the DSL line, just that they go out (shaping incoming traffic makes
> > no sense).
>
>   True.  But when you have the shaping, do you actually set it to
> the speed of the line or do you set it to like 5% below the speed of the
> line and on the acknowledgement packets, does traffic shaping actually
> reserve some space for that to go back or does it just queue it a certain
> way?  Thanks.

After reading ipfw(8), I hope I have it correct that it's
like this:

ipfw add queue 1 ip from any to any out xmit xl0
ipfw pipe 1 config bw 384Kbit/s
ipfw queue 1 config pipe 1 weight 30 mask all

Now I'm just confused how to do the IP portion so that:

192.168.0.0 255.255.0.0
209.204.138.224-231
are not included

but everything else in 209.204.x.x is as well as any undefined IP.


Cheers,
Vince - [EMAIL PROTECTED] - Vice President    __ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[]
[EMAIL PROTECTED] - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin



Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Vincent Poy
On 6 Feb 2004, Dan Pelleg wrote:

> Vincent Poy <[EMAIL PROTECTED]> writes:
>
> > Greetings all:
> >
> > I have an ADSL connection where the upstream pipe is smaller than
> > the downstream with it at 1.5Mbps/384kbps now and will be upgrading to
> > 6Mbps/608kbps soon.  The issue I'm having is that whenever I upload, it
> > fills the upstream to full capacity and the downstream would lag as the
> > ACKs can't be sent back in time.  I was told that traffic shaping or
> > fair queue routing would solve this issue but I only have one NIC
> > interface as I am running FreeBSD on a fully loaded notebook with a
> > Pentium 4M-2.6Ghz CPU, 2GB RAM and 60GB 7200RPM HDD with a 10/100 3COM xl0
> > built in NIC.  The problem is that I have 8 static IP's with my ISP so
> > that the LAN IP's, x.x.x.224-.231 netmask 255.255.255.0 are all locally on
> > the LAN so I want those to use the full speed of the connection without
> > traffic shaping.  The NIC also has the 192.168.x.x netmask 255.255.0.0
> > addresses for the local LAN as well so how do I setup traffic shaping in
> > this scenario so that only traffic that actually uses x.x.x.1 from the
> > x.x.x.224 IP that isn't local LAN traffic actually use traffic shaping or
> > fair queue routing while LAN traffic will just use the full speed.  I
> > already have these options in the KERNEL config.
> >
> > options IPFIREWALL
> > options IPDIVERT
> > options DUMMYNET
> > options BRIDGE
> >
> > Thanks for your help in advance!
>
> See ipfw(8). You can match rules by interface or address mask, so you don't
> need to touch LAN traffic.

That's the part I'm confused about.  Since I only have one
interface, I assume I have to do it by address mask but how would one
define it as for example,

10.0.0.224-231 would not use the traffic shaper but 10.0.0.1-223 as well
as 10.0.0.232-254 would?

> Correct, the problem when you upload on an asymmetric link has to do with
> acknowledgment packets that downloading apps need to send back to the
> remote server, and they have to wait in the upload queue (which is
> saturated). You need to prioritize those. One way to do this is to filter
> on small iplen. This has been discussed in the mailing lists in the past
> (try the archive of the ipfw@ list). Just remember you can only shape
> outbound packets (ie, leaving your computer). Doesn't matter if they're up
> or down the DSL line, just that they go out (shaping incoming traffic makes
> no sense).

True.  But when you have the shaping, do you actually set it to
the speed of the line or do you set it to like 5% below the speed of the
line and on the acknowledgement packets, does traffic shaping actually
reserve some space for that to go back or does it just queue it a certain
way?  Thanks.


Cheers,
Vince - [EMAIL PROTECTED] - Vice President    __ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[]
[EMAIL PROTECTED] - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin



Re: FreeBSD Traffic Shaping?

2004-02-06 Thread Dan Pelleg
Vincent Poy <[EMAIL PROTECTED]> writes:

> Greetings all:
> 
>   I have an ADSL connection where the upstream pipe is smaller than
> the downstream with it at 1.5Mbps/384kbps now and will be upgrading to
> 6Mbps/608kbps soon.  The issue I'm having is that whenever I upload, it
> fills the upstream to full capacity and the downstream would lag as the
> ACKs can't be sent back in time.  I was told that traffic shaping or
> fair queue routing would solve this issue but I only have one NIC
> interface as I am running FreeBSD on a fully loaded notebook with a
> Pentium 4M-2.6Ghz CPU, 2GB RAM and 60GB 7200RPM HDD with a 10/100 3COM xl0
> built in NIC.  The problem is that I have 8 static IP's with my ISP so
> that the LAN IP's, x.x.x.224-.231 netmask 255.255.255.0 are all locally on
> the LAN so I want those to use the full speed of the connection without
> traffic shaping.  The NIC also has the 192.168.x.x netmask 255.255.0.0
> addresses for the local LAN as well so how do I setup traffic shaping in
> this scenario so that only traffic that actually uses x.x.x.1 from the
> x.x.x.224 IP that isn't local LAN traffic actually use traffic shaping or
> fair queue routing while LAN traffic will just use the full speed.  I
> already have these options in the KERNEL config.
> 
> options IPFIREWALL
> options IPDIVERT
> options DUMMYNET
> options BRIDGE
> 
>   Thanks for your help in advance!
> 
> 

See ipfw(8). You can match rules by interface or address mask, so you don't
need to touch LAN traffic.

Correct, the problem when you upload on an asymmetric link has to do with
acknowledgment packets that downloading apps need to send back to the
remote server, and they have to wait in the upload queue (which is
saturated). You need to prioritize those. One way to do this is to filter
on small iplen. This has been discussed in the mailing lists in the past
(try the archive of the ipfw@ list). Just remember you can only shape
outbound packets (ie, leaving your computer). Doesn't matter if they're up
or down the DSL line, just that they go out (shaping incoming traffic makes
no sense).

-- 

  Dan Pelleg


FreeBSD Traffic Shaping?

2004-02-05 Thread Vincent Poy
Greetings all:

I have an ADSL connection where the upstream pipe is smaller than
the downstream with it at 1.5Mbps/384kbps now and will be upgrading to
6Mbps/608kbps soon.  The issue I'm having is that whenever I upload, it
fills the upstream to full capacity and the downstream would lag as the
ACKs can't be sent back in time.  I was told that traffic shaping or
fair queue routing would solve this issue but I only have one NIC
interface as I am running FreeBSD on a fully loaded notebook with a
Pentium 4M-2.6Ghz CPU, 2GB RAM and 60GB 7200RPM HDD with a 10/100 3COM xl0
built in NIC.  The problem is that I have 8 static IP's with my ISP so
that the LAN IP's, x.x.x.224-.231 netmask 255.255.255.0 are all locally on
the LAN so I want those to use the full speed of the connection without
traffic shaping.  The NIC also has the 192.168.x.x netmask 255.255.0.0
addresses for the local LAN as well so how do I setup traffic shaping in
this scenario so that only traffic that actually uses x.x.x.1 from the
x.x.x.224 IP that isn't local LAN traffic actually use traffic shaping or
fair queue routing while LAN traffic will just use the full speed.  I
already have these options in the KERNEL config.

options IPFIREWALL
options IPDIVERT
options DUMMYNET
options BRIDGE

Thanks for your help in advance!


Cheers,
Vince - [EMAIL PROTECTED] - Vice President    __ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[]
[EMAIL PROTECTED] - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin



FW: [5.2.1-RC, IPFW] Traffic Shaping

2004-02-04 Thread Lee Dilkie
oops,

sent to wrong list

-Original Message-
From: Lee Dilkie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 8:00 AM
To: 'Bjorn Eikeland'; 'Jaco van Tonder';
'[EMAIL PROTECTED]'
Subject: RE: [5.2.1-RC, IPFW] Traffic Shaping


>
> There isn't much you can really do as to shape incoming traffic, however
> you can limit how fast you accept the incoming data. (At least this is
> what I'm used to from my little experience with Linux.)
>
> I tried* the following rule, and in theory it sounds up to the job:
> ipfw add pipe 1 tcp from not me to me smtp
>
> *)when I say tried I really mean ipfw didn't complain, but no traffic
> actually saw it.
>
> Obviously you can replace 'me' with your actual ip and 'smtp' with 25, but
> I find it's easier to read English.
>
> Feel free to try that though :)

I'm running IPFW on 4.9 and inbound traffic shaping does work, I've verified
that.

my rule section...

ipfw -f pipe flush
# do pipes first or later rules will trigger and pipes won't be used
# newfiechick in/out
ipfw pipe 1 config bw 100Kbit/s
ipfw pipe 2 config bw 60Kbit/s
# sendmail limits in/out
ipfw pipe 3 config bw 80Kbit/s
ipfw pipe 4 config bw 80Kbit/s
# testing
#ipfw pipe 5 config bw 80Kbit/s
#ipfw pipe 6 config bw 80Kbit/s
# bandwidth throttling
#ipfw add pipe 1 ip from any to newfiechick in
#ipfw add pipe 2 ip from newfiechick to any out
ipfw add pipe 3 tcp from any to spock smtp in
ipfw add pipe 3 tcp from any to spock pop3 in
ipfw add pipe 4 tcp from spock to any smtp out
ipfw add pipe 4 tcp from spock pop3 to any out
#ipfw add pipe 5 udp from any to 206.51.1.220 in
#ipfw add pipe 6 udp from 206.51.1.220 to any out

These come before any deny/allow rules.

The commented out testing rule was to an internet phone and I was able to
turn down the b/w and affect the voice quality in either direction so I'm
confident that this works.

-lee

>
> > Hi all,
> >
> > I am using FreeBSD 5.2.1-RC + IPFW2 + DUMMYNET to do traffic shaping.
> > This works well for my setup.
> > I have the following configuration:
> > The machine has 2 NIC's, xl0, dc0. The kernel is configured to do bridging.
> > The bridged packets are passed to IPFW (net.link.ether.bridge.ipfw=1).
> >
> > I shape traffic this way:
> > The bridge is set up between a router and an internal mail server.
> > I am limiting bandwidth using the following rules:
> > pipe 1 config bw 16KBytes/s
> > pipe 2 config bw 12KBytes/s
> >
> > and then:
> >
> > add pipe 1 tcp from any to any 25  (limit incoming traffic towards smtp)
> > add pipe 2 tcp from any 110 to any (limit outgoing traffic from pop3)
> >
> > Yesterday, while browsing through Absolute BSD by Michael Lucas I read
> > an interesting part:
> > You cannot shape incoming traffic the way that I do at the moment.
> >
> > Now, my question:
> > How can I limit the incoming traffic towards my smtp server properly?
> >
> > Any advice would be appreciated.
> >
> > Thank you,
> > Regards
> > Jaco van Tonder
>




Re: [5.2.1-RC, IPFW] Traffic Shaping

2004-02-03 Thread Bjorn Eikeland
Ok, so misread the question a bit... (Was thinking the bridge was the
mail server too - used to my own hardware shortage :)
But still, I think you'll get it working by swapping 'me' with the ip of your
mail server. Can also use subnet to allow your own net unlimited access.

There isn't much you can really do as to shape incoming traffic, however
you can limit how fast you accept the incoming data. (At least this is
what I'm used to from my little experience with Linux.)

I tried* the following rule, and in theory it sounds up to the job:
ipfw add pipe 1 tcp from not me to me smtp

*)when I say tried I really mean ipfw didn't complain, but no traffic
actually saw it.

Obviously you can replace 'me' with your actual ip and 'smtp' with 25, but
I find it's easier to read English.

Feel free to try that though :)

Hi all,

I am using FreeBSD 5.2.1-RC + IPFW2 + DUMMYNET to do traffic shaping.
This works well for my setup.
I have the following configuration:
The machine has 2 NIC's, xl0, dc0. The kernel is configured to do bridging.
The bridged packets are passed to IPFW (net.link.ether.bridge.ipfw=1).

I shape traffic this way:
The bridge is set up between a router and an internal mail server.
I am limiting bandwidth using the following rules:
pipe 1 config bw 16KBytes/s
pipe 2 config bw 12KBytes/s

and then:

add pipe 1 tcp from any to any 25  (limit incoming traffic towards smtp)
add pipe 2 tcp from any 110 to any (limit outgoing traffic from pop3)

Yesterday, while browsing through Absolute BSD by Michael Lucas I read an
interesting part:
You cannot shape incoming traffic the way that I do at the moment.

Now, my question:
How can I limit the incoming traffic towards my smtp server properly?

Any advice would be appreciated.

Thank you,
Regards
Jaco van Tonder





Re: [5.2.1-RC, IPFW] Traffic Shaping

2004-02-03 Thread Bjorn Eikeland
There isn't much you can really do as to shape incoming traffic, however
you can limit how fast you accept the incoming data. (At least this is
what I'm used to from my little experience with Linux.)

I tried* the following rule, and in theory it sounds up to the job:
ipfw add pipe 1 tcp from not me to me smtp

*)when I say tried I really mean ipfw didn't complain, but no traffic
actually saw it.

Obviously you can replace 'me' with your actual ip and 'smtp' with 25, but
I find it's easier to read English.

Feel free to try that though :)

Hi all,

I am using FreeBSD 5.2.1-RC + IPFW2 + DUMMYNET to do traffic shaping.
This works well for my setup.
I have the following configuration:
The machine has 2 NIC's, xl0, dc0. The kernel is configured to do bridging.
The bridged packets are passed to IPFW (net.link.ether.bridge.ipfw=1).

I shape traffic this way:
The bridge is set up between a router and an internal mail server.
I am limiting bandwidth using the following rules:
pipe 1 config bw 16KBytes/s
pipe 2 config bw 12KBytes/s

and then:

add pipe 1 tcp from any to any 25  (limit incoming traffic towards smtp)
add pipe 2 tcp from any 110 to any (limit outgoing traffic from pop3)

Yesterday, while browsing through Absolute BSD by Michael Lucas I read an
interesting part:
You cannot shape incoming traffic the way that I do at the moment.

Now, my question:
How can I limit the incoming traffic towards my smtp server properly?

Any advice would be appreciated.

Thank you,
Regards
Jaco van Tonder


[5.2.1-RC, IPFW] Traffic Shaping

2004-02-03 Thread Jaco van Tonder
Hi all,

I am using FreeBSD 5.2.1-RC + IPFW2 + DUMMYNET to do traffic shaping.
This works well for my setup.
I have the following configuration:
The machine has 2 NIC's, xl0, dc0. The kernel is configured to do 
bridging. The bridged
packets is passed to IPFW (net.link.ether.bridge.ipfw=1).

I shape traffic this way:
The bridge is setup between a router and an internal mail server.
I am limiting bandwith using the following rules:
pipe 1 config bw 16KBytes/s
pipe 2 config bw 12KBytes/s
and then:

add pipe 1 tcp from any to any 25  (limit incoming traffic towards smtp)
add pipe 2 tcp from any 110 to any (limit outgoing traffic from pop3)
Yesterday, while browsing through Absolute BSD by Michael Lucas I read 
an interesting part:
You cannot shape incoming traffic the way that I do at the moment.

Now, my question:
How can I limit the incoming traffic towards my smtp server properly?
Any advice would be appreciated.

Thank you,
Regards
Jaco van Tonder


Re: traffic shaping/rate limiting

2003-12-06 Thread Jez Hancock
On Sat, Dec 06, 2003 at 05:22:17PM +, Rus Foster wrote:
> Hi,
>  Is there a good document I could look at for traffic shaping/rate
> limiting on FreeBSD. Googling hasn't chucked up anything obvious
The ipfw manual is quite useful and if you try searching through the
freebsd-questions archive for 'dummynet' you should get some results
that include some example ipfw rulesets for traffic shaping.

There's also 'altq' for traffic shaping, although I don't know a lot
about it.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/


traffic shaping/rate limiting

2003-12-06 Thread Rus Foster
Hi,
 Is there a good document I could look at for traffic shaping/rate
limiting on FreeBSD. Googling hasn't chucked up anything obvious

Cheers

Rus

-- 
w: http://www.jvds.com  | JVDS Tech Channel:
e: [EMAIL PROTECTED]| http://tech.jvds.com
t: +44 7919 373537  | Talk about Tech
t: 1-888-327-6330   | email: [EMAIL PROTECTED]




FW: Dummynet/Traffic Shaping problem

2003-05-28 Thread Paul Hamilton
I would use trafshow (in ports/packages).  It has a command line ncurses
display, and will show each connection, and the speed.  Run this in one
window, and in the other you can play with the pipes.

Cheers,

Paul Hamilton

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of abdul
Sent: Wednesday, 21 May 2003 12:00 AM
To: [EMAIL PROTECTED]
Subject: Dummynet/Traffic Shaping problem


Hi all,
Sorry I am repeating this message again.
I am still coiled up in it.

IS IT POSSIBLE TO ENABLE A FASTER CONNECTION TO SOME SITES USED FOR OFFICIAL
DUTIES?

MY PROBLEM?
I have a 128kb Internet access which gets very slow during peak hours.
I want to reserve/dedicate a portion (say 64kb) of this link to some urls
which we use for official duties (eg 193.114.79.76) OR limit general
Internet usage to just a portion (say 64kb), hence making the remainder
exclusively available for such official duties.

This is what I did:

ipfw pipe 10 config bw 64kbit/s queue 15kbytes
ipfw queue 10 config weight 60 pipe 10
ipfw queue 10 ip from any to 193.114.79.76

I did not notice any change.
Is this configuration okay for my problem? Or can anyone help me with a
better one?
How can I confirm if a configuration is working properly?


Thanks
Abdul
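
A static check for the situation in the message above, as an added example that is not part of the original posts: it reads ipfw commands and reports any dummynet pipe or queue that no "add" rule sends packets to, which can be run on a ruleset before watching live counters. The function names are hypothetical; the input is the three commands from the post, then the same commands with "add" in place.

```shell
#!/bin/sh
# Added example: report dummynet pipes/queues that no "add" rule feeds.
# Input: ipfw commands, one per line, with or without the leading "ipfw".
lint_shaping() {
    awk '
    { sub(/^[ \t]*(ipfw[ \t]+)?/, "") }
    ($1 == "pipe" || $1 == "queue") && $3 == "config" {
        key = $1 " " $2
        if (!(key in conf)) { conf[key] = 1; order[++n] = key }
        if ($1 == "queue")            # remember the pipe this queue drains into
            for (i = 4; i < NF; i++) if ($i == "pipe") parent[key] = "pipe " $(i + 1)
        next
    }
    $1 == "add" {                     # the first pipe/queue keyword is the action
        for (i = 2; i < NF; i++)
            if ($i == "pipe" || $i == "queue") { used[$i " " $(i + 1)] = 1; break }
        next
    }
    # "pipe N ..." or "queue N ..." that is neither config nor show/list/delete
    ($1 == "pipe" || $1 == "queue") && $2 ~ /^[0-9]+$/ && $3 !~ /^(show|list|delete)$/ {
        bad[++b] = $0
    }
    END {
        for (i = 1; i <= n; i++)      # a pipe is fed if one of its queues is
            if ((order[i] in used) && (order[i] in parent)) used[parent[order[i]]] = 1
        for (i = 1; i <= n; i++) if (!(order[i] in used)) print "no rule feeds " order[i]
        for (i = 1; i <= b; i++) print "not a rule, missing add?: " bad[i]
    }'
}

# The three commands from the message above, then the same with "add" in place.
posted() { printf '%s\n' 'ipfw pipe 10 config bw 64kbit/s queue 15kbytes' \
    'ipfw queue 10 config weight 60 pipe 10' 'ipfw queue 10 ip from any to 193.114.79.76'; }
with_add() { posted | sed 's/^ipfw queue 10 ip /ipfw add queue 10 ip /'; }

posted | lint_shaping
```

On a live system, the packet and byte counters printed by "ipfw show" and "ipfw pipe show" for the rule and pipe confirm the same thing from the traffic side.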



Re: Traffic shaping - current best practice?

2002-09-19 Thread Kenneth Culver

> I recall seeing in the man page that DUMMYNET has RED and GRED
> algorithms built in - I don't know any more detail than that though...

It also has W2FQ+ (or something like that) fair queueing, although I
haven't tried to set it up in a while. Last time I used it, it worked
great.

Ken


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
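
The fair queueing mentioned above can express the guarantee asked for in the original question of this thread: dummynet queues attached to one pipe share its bandwidth in proportion to their weights, and only among queues that currently have packets waiting. The script below is an added example, not code from any of the posts; it converts guaranteed rates into weights (ipfw(8) accepts 1..100) and prints the matching commands. The 512 Kbit/s link is from the thread; the host addresses, rates, rule numbers and function names are constructed, and a routing (not bridging) firewall is assumed.

```shell
#!/bin/sh
# Added example: turn guaranteed rates into dummynet queue weights and print
# (not run) the ipfw commands. Link speed is from the thread; host addresses
# (192.0.2.0/24 documentation range), rates and rule numbers are constructed.
LINK_KBIT=512

# weight_for RATE_KBIT: smallest weight whose share of the link is at least
# RATE_KBIT when every queue is backlogged (all weights together sum to 100).
weight_for() {
    echo $(( ($1 * 100 + LINK_KBIT - 1) / LINK_KBIT ))
}

# floor_kbit WEIGHT: rate that weight is worth when every queue is busy.
floor_kbit() {
    echo $(( $1 * LINK_KBIT / 100 ))
}

# gen_rules "host:kbit host:kbit ...": one queue per paying host plus a
# best-effort queue holding the leftover weight. Fails if nothing is left over.
# "out" matches only the egress pass, so a forwarded packet is queued once.
gen_rules() {
    used=0; q=1; rule=1000
    out="ipfw pipe 1 config bw ${LINK_KBIT}Kbit/s"
    for entry in $1; do
        host=${entry%%:*}; rate=${entry##*:}
        w=$(weight_for "$rate")
        used=$((used + w))
        out="$out
ipfw queue $q config pipe 1 weight $w
ipfw add $rule queue $q ip from any to $host out"
        q=$((q + 1)); rule=$((rule + 10))
    done
    free=$((100 - used))
    [ "$free" -ge 1 ] || { echo "guarantees leave no weight for best effort" >&2; return 1; }
    # Everything else shares one queue, so idle guaranteed bandwidth is not wasted.
    printf '%s\n' "$out" "ipfw queue $q config pipe 1 weight $free" \
        "ipfw add $rule queue $q ip from any to any out"
}

gen_rules "192.0.2.10:128 192.0.2.11:64"
```

With these inputs the two paying hosts get weights 25 and 13 and the best-effort queue gets 62; when the paying hosts are idle, the best-effort queue is the only backlogged one and can use the whole pipe.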



Re: Traffic shaping - current best practice?

2002-09-19 Thread Patrick O'Reilly

From: "Fernando Gleiser" <[EMAIL PROTECTED]>
> You need a "fair sharing" queueing discipline, something like CBQ. I don't
> know if you can do that with dummynet. I know for sure ALTQ works great for
> this.  It supports a bunch of queueing disciplines (CBQ, RED, WFQ and
> others).

I recall seeing in the man page that DUMMYNET has RED and GRED algorithms
built in - I don't know any more detail than that though...
---
Regards,
Patrick O'Reilly.
______
   / _ )__ __ (_)_ __ ___ _/ / __
  / __/ -_) _) /  ~  ) -_), ,-/ -_) _)
 /_/  \__/_//_/_/~/_/\__/ \__/\__/_/
http://www.perimeter.co.za






Re: Traffic shaping - current best practice?

2002-09-18 Thread Fernando Gleiser

On 18 Sep 2002, Kirk Strauser wrote:

>
> I'm looking for a solution that would allow the non-paying hosts to have
> full use of the bandwidth as long as the paying hosts are idle, but which
> would ensure that the paying customers have their full bandwidth available
> any time they need it.

You need a "fair sharing" queueing discipline, something like CBQ. I don't
know if you can do that with dummynet. I know for sure ALTQ works great for
this.  It supports a bunch of queueing disciplines (CBQ, RED, WFQ and
others).

You can download it at http://www.csl.sony.co.jp/person/kjc/kjc/software.html
There is an effort to integrate it into -CURRENT, but I don't remember
the URL.

>
> I've used both ipfw and ipfilter.  I have no particular preference, although
> a solution that supports bridging would be a bonus (which I think will limit
> me to ipfw, but I'm not certain).

Not if you use ALTQ. ALTQ is firewall-agnostic =0).

Hope this helps.


Fer

>
> Any suggestions?
> --
> Kirk Strauser
> The Strauser Group - http://www.strausergroup.com/
>





Re: Traffic shaping - current best practice?

2002-09-18 Thread Kirk Strauser


At 2002-09-18T20:08:23Z, Byron Schlemmer <[EMAIL PROTECTED]> writes:

> Best practice? Well I'm not sure what that would be but to accomplish most
> of this see 'man dummynet'. Very easy to set up and highly
> configurable.

The only problem I see is that I know you can use dummynet to limit a
connection, but I don't know that it can be used to guarantee bandwidth
availability.  I'm looking for something closer to a quality-of-service
configuration, but I'm not sure how to do that.

> Also /usr/share/doc/en/articles/filtering-bridges and
> /usr/share/doc/en/books/handbook/bridging.html might prove insightful.

> Hope that helps some.

It does - thanks.
-- 
Kirk Strauser
The Strauser Group - http://www.strausergroup.com/




Re: Traffic shaping - current best practice?

2002-09-18 Thread Byron Schlemmer

On 18 Sep 2002, Kirk Strauser wrote:

> I know that someone asks this question every now and then, but it's the kind
> of thing that can change over time, so I ask again:
>
> I want to use a FreeBSD firewall to provide bandwidth guarantees to
> customers.  Specifically, several hosts will be sharing a 512Kbps pipe.
> Some of those hosts are no-cost (read: no service commitment on my part),
> but I may be taking on clients who would be paying for a guaranteed rate
> (said rate being substantially less than 512Kbps).
>
> I'm looking for a solution that would allow the non-paying hosts to have
> full use of the bandwidth as long as the paying hosts are idle, but which
> would ensure that the paying customers have their full bandwidth available
> any time they need it.
>
> I've used both ipfw and ipfilter.  I have no particular preference, although
> a solution that supports bridging would be a bonus (which I think will limit
> me to ipfw, but I'm not certain).
>
> Any suggestions?

Best practice? Well I'm not sure what that would be but to accomplish
most of this see 'man dummynet'. Very easy to set up and highly
configurable. Also /usr/share/doc/en/articles/filtering-bridges and
/usr/share/doc/en/books/handbook/bridging.html might prove insightful.

Hope that helps some.

- byron





Traffic shaping - current best practice?

2002-09-18 Thread Kirk Strauser

I know that someone asks this question every now and then, but it's the kind
of thing that can change over time, so I ask again:

I want to use a FreeBSD firewall to provide bandwidth guarantees to
customers.  Specifically, several hosts will be sharing a 512Kbps pipe.
Some of those hosts are no-cost (read: no service commitment on my part),
but I may be taking on clients who would be paying for a guaranteed rate
(said rate being substantially less than 512Kbps).

I'm looking for a solution that would allow the non-paying hosts to have
full use of the bandwidth as long as the paying hosts are idle, but which
would ensure that the paying customers have their full bandwidth available
any time they need it.

I've used both ipfw and ipfilter.  I have no particular preference, although
a solution that supports bridging would be a bonus (which I think will limit
me to ipfw, but I'm not certain).

Any suggestions?
-- 
Kirk Strauser
The Strauser Group - http://www.strausergroup.com/
