From owner-freebsd-net@FreeBSD.ORG Wed Mar 16 22:33:13 2005 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 170D616A4CE for ; Wed, 16 Mar 2005 22:33:13 +0000 (GMT) Received: from mail.latnet.lv (esbens.latnet.lv [159.148.19.115]) by mx1.FreeBSD.org (Postfix) with SMTP id A7AA143D3F for ; Wed, 16 Mar 2005 22:33:11 +0000 (GMT) (envelope-from martins.dzelde@latrude.lv) Received: (qmail 30657 invoked by uid 103); 16 Mar 2005 22:33:10 -0000 Received: from 159.148.34.93 by esbens (envelope-from , uid 64011) with qmail-scanner-1.23st (spamassassin: 2.64. perlscan: 1.23st. Clear:RC:1(159.148.34.93):. Processed in 0.675469 secs); 16 Mar 2005 22:33:10 -0000 Received: from unknown (HELO me2.latrude.lv) (159.148.34.93) by esbens.latnet.lv with SMTP; 16 Mar 2005 22:33:09 -0000 Date: Thu, 17 Mar 2005 00:33:03 +0200 To: freebsd-net@freebsd.org From: "Martins Dzelde" Organization: Latrude Content-Type: text/plain; format=flowed; delsp=yes; charset=iso-8859-1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID: User-Agent: Opera M2/7.51 (Win32, build 3798) Subject: once again: rules for natd+ipfw+dummynet X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Mar 2005 22:33:13 -0000 hi, i've been searching the web and reading manuals and i cannot figure if i am setting up my freebsd box correctly. And now i have many question, hope somen out there have answers for some of them. So, the system I am aiming to: +(> |[Internet Antenna](> | real ip address: x.x.x.94 | routed network: x.x.x.64/255.255.255.224 + | | + | [FreeBSD box] | rl2 -> x.x.x.93 ^connected to antenna | rl1 -> no ip address, bridging rl2,rl1 (?) to local network >connected to LAN | rl0 -> 192.168.29.1 (sharing rl2 with natd+dhcp for 192.168.29.0/255.255.255.0) >connected to LAN | + | [LAN] | few real&virtual ip addreses with special bandwidth |/\/\/+ Currently the system described above is working but somehow all the traffic is consumed completly and I have no ideas if the traffic is goes withing the real ip address zone (x.x.x.64/27) since there are some servers running there or the traffic is consumed in the virtual network (192.168.29.0/24). Or maybe there is a virus in a computer flooding all the net! so the problems & questions: 1) how to correctly build euqualy weighted traffic shaping for the network (x.x.x.64/27) and for (192.168.29.0/24) with few ip address exception for both networks; 2) how to prevent from flooding network with some kind of virus; 3) which program to use to monitor that everything is shaping correctly, should i better use iftop, bandwidthd or ipfm ? 4) can i do access control per mac address with ipfw, how ? or should i use arp tables? the currents script for rules are: #external interface EXTIF=rl2 NATIF=rl0 ipfw pipe 1 config bw 8192kbit/s # queue for a server using real ip ipfw queue 1 config pipe 1 weight 30 ipfw add 350 queue 1 ip from x.x.x.66/32 to any out via $EXTIF ipfw add 351 queue 1 ip from any to x.x.x.66/32 in via $EXTIF # queue for real ip zone ipfw queue 2 config pipe 1 weight 30 ipfw add 400 queue 2 ip from x.x.x.64/27 to any out via $EXTIF ipfw add 401 queue 2 ip from any to x.x.x.64/27 in via $EXTIF # shape traffic equally ipfw queue 2 config pipe 1 mask src-ip 0xffffe0 ipfw queue 2 config pipe 1 mask dst-ip 0xffffe0 # queue for 192.168.29.1/24 ipfw queue 3 config pipe 1 weight 30 ipfw add 500 queue 2 ip from 192.168.29.0/24 to any out via $EXTIF ipfw add 501 queue 2 ip from any to 192.168.29.0/24 in via $EXTIF # shape traffic equally ipfw queue 3 config pipe 1 mask src-ip 0xffff00 ipfw queue 3 config pipe 1 mask dst-ip 0xffff00 i feel there are many mistekes in the script above... so, please, help. and another question: what flags should i enable or disable using sysctl ? sysctl net.inet.ip.fw.enable=1 sysctl net.link.ether.ipfw=1 sysctl net.link.ether.bridge.enable=1 sysctl net.link.ether.bridge.config="rl2 rl1" ## <-- should i add rl0 (192.168...) too ? sysctl net.link.ether.bridge.ipfw=1 sysctl net.inet.ip.fw.one_pass=0 # should i set this to 1 ? Hope you have an answer for at least one question. Thanks, Martins.