Date: Thu, 12 Jan 2006 18:02:29 +1300 (NZDT)
From: barry@unix.co.nz
To: "Barry Murphy" <barry@unix.co.nz>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problem with count, fwd with ipfw
Message-ID: <50069.222.154.96.238.1137042149.squirrel@www.unix.co.nz>
In-Reply-To: <049101c6170c$f634a710$5038c80a@clear.co.nz>
References: <049101c6170c$f634a710$5038c80a@clear.co.nz>
Further to my previous email I've run iftop on the vlan and noticed the
source address being correct and the remote address being correct (not the
trans-proxy IP) so traffic should be counting. I believe in my count or pipe
rules I probably require the 'in via vlan1', however it appears ipfw doesn't
like vlans as devices as it stops counting traffic altogether at this point.
I've tried adding:

ipfw add 1 count ip from 192.168.0.32/29 to any out via vlan1
ipfw add 1 count ip from any to 192.168.0.32/29 in via vlan1

I've also tried reversing the statements in case I had the in/out on the
wrong lines, also tried xmit and recv instead, but it would appear nothing
counts when specifying vlans as devices.

FreeBSD firewall.unix.co.nz 6.0-STABLE FreeBSD 6.0-STABLE #3: Thu Dec 8 20:24:30 NZDT 2005 icepick@firewall.unix.co.nz:/usr/obj/usr/src/sys/FIREWALL i386

Cheers
Barry

> Hi,
>
> I've got a rule either counting traffic for subnet ranges to work out how
> much traffic they are using, obviously I'm using internal IPs in this
> example:
>
> # SMTP mail servers
> ipfw add 00076 count ip from any to 192.168.0.128/29 in
> ipfw add 00076 count ip from 192.168.0.128/29 to any out
>
> or in some cases pipes
>
> # Rob's usage
> ipfw pipe 1 config bw 64KB
> ipfw pipe 2 config bw 64KB
> ipfw add 00086 pipe 1 ip from any to 192.168.0.33/28 in
> ipfw add 00086 pipe 2 ip from 192.168.0.33/28 to any out
>
> I'm wanting to add a transparent proxy for all user subnets but still have
> the above rules tally the traffic, so I added:
>
> # Trans-proxy
> ipfw add 31500 fwd 10.0.0.1,3128 tcp from 192.168.0.0/24 to any 80
>
> Download tests have proven that the trans-proxy takes preference and allows
> the user to download above their pipe rate and also show that the pipes 76
> & 86 don't count port 80 traffic so I can't see how much they are downloading.
> I've tried using /sbin/sysctl net.inet.ip.fw.one_pass=0 but this didn't
> help. I've also tried setting the rules 76 & 86 to "in via em1" which didn't
> count any traffic, so I tried the dummy "in via vlanX" which didn't count
> any traffic either.
>
> em0 is the interface connecting to my ISP and em1 is connected to a cisco
> 3500XL running vlans.
>
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet6 fe80::206:5bff:fe0f:37ff%em0 prefixlen 64 scopeid 0x1
>         inet 60.234.x.x netmask 0xfffffffc broadcast 60.234.x.x
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:06:5b:0f:37:ff
>         media: Ethernet 100baseTX <full-duplex>
>         status: active
>
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet6 fe80::206:5bff:fe0f:3800%em1 prefixlen 64 scopeid 0x2
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:06:5b:0f:38:00
>         media: Ethernet 1000baseTX <full-duplex>
>         status: active
>
> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.34 netmask 0xfffffff0
>         inet6 fe80::206:5bff:fe0f:37ff%vlan1 prefixlen 64 scopeid 0x5
>         ether 00:06:5b:0f:38:00
>         media: Ethernet 1000baseTX <full-duplex>
>         status: active
>         vlan: 11 parent interface: em1
>
> vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.129 netmask 0xfffffff0
>         inet6 fe80::206:5bff:fe0f:37ff%vlan1 prefixlen 64 scopeid 0x5
>         ether 00:06:5b:0f:38:00
>         media: Ethernet 1000baseTX <full-duplex>
>         status: active
>         vlan: 12 parent interface: em1
>
> Any ideas would be much appreciated.
>
> Cheers
> Barry
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
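The following is an added illustration, not code from the thread or from FreeBSD: a small constructed model of how ipfw walks its rule list for one HTTP flow. It is worth working through because of a property of `fwd` that the thread's setup runs into: when the fwd target is a local address, the packet is handed to the local socket during the `in` pass and is never routed out the ISP interface, so a counter or pipe keyed on `from <subnet> to any out` never sees it, and the proxy's reply is a locally generated packet that only gets an `out` pass on the LAN side, so `from any to <subnet> in` never sees that either. Seen from the LAN interface, client traffic is `in` and replies (whether from the Internet or from the proxy) are `out`, which is the opposite of the orientation in the rules quoted above. The interface names, the fwd target and the subnets come from the thread; the client 192.168.0.130, the server 203.0.113.10 (TEST-NET-3) and the ephemeral port 49152 are constructed, and the model covers only count, pipe (with one_pass=0), fwd and allow.

```python
"""Constructed model of how ipfw walks its rule list for one HTTP flow.

Added example, not code from the thread or from FreeBSD: it models only
count/pipe/fwd/allow, the in/out direction and the 'via' interface, and
feeds in constructed packets (no captured traffic).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PROXY = "10.0.0.1"      # fwd target from the thread's rule 31500
LAN_IF = "vlan2"        # 192.168.0.128/29 sits on vlan2 in the thread's ifconfig
WAN_IF = "em0"          # ISP-facing interface in the thread


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str          # interface this pass is seen on


@dataclass
class Rule:
    label: str
    num: int
    action: str                     # "count", "pipe", "fwd" or "allow"
    src: str                        # "any" or a CIDR
    dst: str
    dport: int | None = None
    direction: str | None = None    # None = either direction
    via: str | None = None          # None = any interface
    hits: int = 0

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self._addr_ok(self.src, p.src) and self._addr_ok(self.dst, p.dst)
                and self.dport in (None, p.dport)
                and self.direction in (None, p.direction)
                and self.via in (None, p.iface))


def walk(rules: list[Rule], p: Packet) -> str:
    """One traversal of the rule list. count, and pipe with one_pass=0,
    fall through to the next rule; fwd and allow terminate the search."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.matches(p):
            r.hits += 1
            if r.action not in ("count", "pipe"):
                return r.action
    return "deny"       # implicit default rule 65535


def simulate(rules: list[Rule], client: str = "192.168.0.130", server: str = "203.0.113.10") -> dict[str, int]:
    """Push one request and its reply through the passes the kernel makes
    and return the hit count per rule label (client/server are constructed)."""
    for r in rules:
        r.hits = 0
    if walk(rules, Packet(client, server, 80, "in", LAN_IF)) == "fwd":
        # fwd to a local address hands the packet to the proxy's socket in
        # this pass; it is never routed out WAN_IF, so there is no 'out' pass
        # for it. The proxy fetches the object with its own address and
        # answers the client with a locally generated packet ('out' only).
        walk(rules, Packet(PROXY, server, 80, "out", WAN_IF))
        walk(rules, Packet(server, PROXY, 49152, "in", WAN_IF))
        walk(rules, Packet(PROXY, client, 49152, "out", LAN_IF))
    else:
        # Plain routing: the request is seen 'in' on the LAN side and 'out'
        # on the WAN side, the reply 'in' on the WAN side and 'out' on the LAN side.
        walk(rules, Packet(client, server, 80, "out", WAN_IF))
        walk(rules, Packet(server, client, 49152, "in", WAN_IF))
        walk(rules, Packet(server, client, 49152, "out", LAN_IF))
    return {r.label: r.hits for r in rules}


def thread_orientation(with_fwd: bool) -> list[Rule]:
    """Counters as written in the thread: 'in' towards the subnet, 'out' from it."""
    rules = [
        Rule("to_subnet_in", 76, "count", "any", "192.168.0.128/29", direction="in"),
        Rule("from_subnet_out", 76, "count", "192.168.0.128/29", "any", direction="out"),
        Rule("allow", 65000, "allow", "any", "any"),
    ]
    if with_fwd:
        rules.append(Rule("fwd_proxy", 31500, "fwd", "192.168.0.0/24", "any", dport=80))
    return rules


def lan_side_orientation(with_fwd: bool) -> list[Rule]:
    """Counters pinned to the LAN interface: client traffic is 'in' there,
    replies (from the Internet or from the proxy) are 'out'."""
    rules = [
        Rule("from_subnet_in", 76, "count", "192.168.0.128/29", "any", direction="in", via=LAN_IF),
        Rule("to_subnet_out", 76, "count", "any", "192.168.0.128/29", direction="out", via=LAN_IF),
        Rule("allow", 65000, "allow", "any", "any"),
    ]
    if with_fwd:
        rules.append(Rule("fwd_proxy", 31500, "fwd", "192.168.0.0/24", "any", dport=80))
    return rules


if __name__ == "__main__":
    for name, build in (("thread", thread_orientation), ("lan-side", lan_side_orientation)):
        for fwd in (False, True):
            print(f"{name:9} fwd={fwd!s:5} {simulate(build(fwd))}")
```

Running it shows the thread's orientation counting both directions without the fwd rule and nothing once the fwd rule is in, while the LAN-side orientation counts one request and one reply in both cases. The fwd rule itself never matches the proxy's upstream fetch, because that leaves from 10.0.0.1, not from 192.168.0.0/24; a fwd rule whose source spec also covered the proxy's own address would loop the proxy's traffic back to itself.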
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50069.222.154.96.238.1137042149.squirrel>