Date: Wed, 11 Aug 2004 13:57:33 -0400 From: "J. Seth Henry" <jshamlet@comcast.net> To: freebsd-questions@freebsd.org Subject: Using IPFW & DUMMYNET with an existing IPFILTER/IPNAT setup for QoS Message-ID: <200408111358.48176.jshamlet@comcast.net>
next in thread | raw e-mail | index | archive | help
Hello, I have an existing FreeBSD based router/internet gateway system that is using ipfilter & ipnat. It performs quite well, and my wife would be mightily irritated if I screwed it up. :) However, we have VoIP through Vonage, and a standard Comcast cable modem connection to the Internet. Most of the time, everything works well, but when I upload large files to the office via FTP, the sound gets choppy - to the point where we end up having to use our cell phones. So, I would like to set up IPFW & DUMMYNET to provide a basic QoS service. All I really need to do is reserve sufficient bandwidth for, or give highest priority to, the ATA - followed by ssh. I believe it needs at least 128kbps in each direction for adequate sound quality. I merely want to give ssh traffic a higher priority (or reserve bandwidth for) over everything else, so that I can still get into my systems even when an ftp session is running. First, a bit about my (fairly simple) network: <CM>--< external IF: fxp0 ROUTER internal IF: xl0 >---< SWITCH > The switch has its own management port, 2 SmartUPS with management cards, a Cisco ATA, and 5 PC's. To simplify management of IP addresses, I use isc-dhcp for both obtaining the router WAN address (dhclient), and for distributing fixed addresses to all of the network hosts (dhcpd) (except for the switch and UPS' - which don't support DHCP correctly) I don't yet manage local DNS services, so I simply distribute a fixed hosts file. The router is also a stratum 2 time server for the nework (all hosts that can synchronize their clocks to the router, not an external time server) via ntpd. Eventually, I plan to run a local DNS server - but I haven't gotten around to it yet. I would like to run my own to support my local naming scheme, without passing any information back up the tree, as well as caching DNS information should Comcast have a DNS problem. This, however, is a task for another day. So, we have: <ipf.rules> ################################################################# # Outside Interface ################################################################# pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep frags keep state pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep frags keep state pass in quick on fxp0 proto tcp from any to any port = 23 flags S keep frags keep state pass in quick on fxp0 proto udp from any to any port = 68 keep state pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep frags keep state pass out quick on fxp0 proto tcp from any to any flags S keep frags keep state pass out quick on fxp0 proto udp from any to any keep state keep frags pass out quick on fxp0 proto icmp from any to any keep state block out quick on fxp0 all block in log quick on fxp0 all ################################################################# # Inside Interface ################################################################# pass in quick on xl0 all pass out quick on xl0 all ################################################################# # Loopback Interface ################################################################# pass in quick on lo0 all pass out quick on lo0 all <ipnat.rules> map fxp0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp rdr fxp0 0.0.0.0/0 port 21 -> 192.168.1.2 port 21 tcp rdr fxp0 0.0.0.0/0 port 22 -> 192.168.1.2 port 22 tcp #below is a irc identd port forwarding example #rdr fxp0 0.0.0.0/0 port 113 -> 192.168.1.5 port 113 tcp map fxp0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto map fxp0 192.168.1.254/24 -> 0/32 <dhcpd.conf> # dhcpd.conf # option definitions common to all supported networks... option domain-name "gambrl01.md.comcast.net"; option domain-name-servers 68.48.0.6, 68.48.0.12; default-lease-time 600; max-lease-time 7200; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. authoritative; # ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates. ddns-update-style ad-hoc; # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). log-facility local7; # Local systems are defined here, and use DHCP as a convenience host alexandria { hardware ethernet 00:30:48:21:8b:8a; fixed-address alexandria; } host switch { hardware ethernet 00:50:ba:ec:61:b3; fixed-address switch; } host net_ups { hardware ethernet 00:c0:b7:6a:00:dd; fixed-address net_ups; } host serv_ups { hardware ethernet 00:c0:b7:a3:a5:67; fixed-address serv_ups; } host vonage-ata { hardware ethernet 00:0d:29:0a:af:2e; fixed-address vonage-ata; } host office_pc { hardware ethernet 00:50:04:ae:90:16; fixed-address office_pc; } host den_pc { hardware ethernet 00:d0:b7:ab:cb:fd; fixed-address den_pc; } host bedroom_pc { hardware ethernet 00:e0:81:23:c2:fd; fixed-address bedroom_pc; } host spyglass { hardware ethernet 00:04:5a:95:47:aa; fixed-address spyglass; } # Guest IP space (for visiting laptops, temporary systems, etc) subnet 192.168.1.0 netmask 255.255.255.0 { default-lease-time 432000; max-lease-time 518400; option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.1; option domain-name-servers 68.48.0.6, 68.48.0.12; option domain-name "gambrl01.md.comcast.net"; option time-servers 192.168.1.1; range 192.168.1.20 192.168.1.35; } <rc.conf> #Default overrides #Firewall/router configuration ipfilter_enable="YES" ipfilter_flags="" ipfilter_rules="/etc/ipf.rules" ipnat_enable="YES" ipnat_rules="/etc/ipnat.rules" gateway_enable="YES" ipmon_enable="NO" ipmon_flags="-Dv -P /var/run/ipmon.pid /var/log/firewall.log" #firewall_enable="YES" #firewall_script="YES" #firewall_type="open" #firewall_logging="yes" hostname="router.gambrl01.md.comcast.net" defaultrouter="68.49.56.1" dhcp_program="/usr/local/sbin/dhclient" ifconfig_fxp0="DHCP" ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0" kern_securelevel_enable="NO" linux_enable="YES" moused_enable="NO" moused_type="auto" nfs_reserved_port_only="YES" sendmail_enable="NONE" sshd_enable="YES" usbd_enable="YES" xntpd_enable="YES" xntpd_flags="-c /etc/ntp.conf -p /var/run/ntpd.pid" xntpd_program="/usr/sbin/ntpd" saver="NO" inetd_enable="NO" dhcpd_enable=YES dhcpd_conf=/usr/local/etc/dhcpd.conf dhcpd_ifaces="xl0" At the moment, the kernel has been compiled for only IPFILTER/IPNAT support. I have a new kernel ready which has options for both IPFILTER & IPFW/DUMMYNET - but I haven't placed it in service just yet. I used these options: <router kernel configuration (relevant sections) > # IPFILTER/IPNAT options (routing & NAT) options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPFILTER_DEFAULT_BLOCK #block all packets by default options RANDOM_IP_ID options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN # IPFW/DUMMYNET options (QoS) options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_DEFAULT_TO_ACCEPT options DUMMYNET options NMBCLUSTERS options HZ=1000 Is there a HOWTO on how to do this? Alternately, has someone done this - and could you share your setup info? Specifically, I want to learn how to integrate the QoS components of IPFW/DUMMYNET into a working IPFILTER/IPNAT setup - I would prefer not to start over with IPFW if possible. I'm a little fuzzy on how to plumb all of these pipes, though. Thanks, Seth Henry
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200408111358.48176.jshamlet>