Date: Mon, 26 Jan 2009 11:16:18 +0100 (CET) From: "Sebastian Mellmann" <sebastian.mellmann@net.t-labs.tu-berlin.de> To: "Ian Smith" <smithi@nimnet.asn.au> Cc: freebsd-questions@freebsd.org Subject: Re: IPFW DUMMYNET: Several pipes after each other Message-ID: <38577.130.149.220.164.1232964978.squirrel@anubis.getmyip.com> In-Reply-To: <20090125153358.X90458@sola.nimnet.asn.au> References: <20090122120027.4E186106570D@hub.freebsd.org> <20090125153358.X90458@sola.nimnet.asn.au>
next in thread | previous in thread | raw e-mail | index | archive | help
Ian Smith wrote: On Thu, 22 Jan 2009 08:10:09 +0100 (CET) > > > > So far I've got those rules: > > > > in_if="em0" > > out_if="em1" > > management_if="em2" > > in_ip="100.100.100.1" > > out_ip="200.200.200.1" > > management_ip="172.16.0.201" > > client1_subnet="192.168.5.0/26" > > client2_subnet="192.168.6.0/26" > > server_subnet="192.168.7.0/24" > > > > download_bandwidth="6144Kbit/s" > > upload_bandwidth="1024Kbit/s" > > delay="0" > > queue_size="10" > > 10 slots ie packets is likely too small a queue size at these rates. > You want to check the dropped packet stats from 'ipfw pipe show' re > that; see the section in ipfw(8) about calculating sizes / delays. > I had a look at the ipfw howto on the freebsd site [1], but I'm not 100% sure how to choose a "good" value for the queue size. If I choose the default (50 packets) it means that it takes approx. 100ms (600kbits / 6144kbits) to fill the queue. So the question is: Which value to choose for the queue? > I suggest using 'in recv' and 'out xmit' rather than via for these, for > the sake of clarity. 'in recv' and 'in via' come to the same thing, as > only the receive interface is known on inbound packets, but 'out via' > applies to packets that were *received* on the specified interface as > well as those going out on that interface after routing, which can lead > to surprising results sometimes, and being more specific never hurts .. Thanks for the hint. I'll change that. > > But when I have a look at the pipes with 'ipfw show' I can only see > > packets go through the pipe 50 and nothing goes through the other pipes > > (which makes sense actually since IPFW work that way?). > > IPFW works that way if you (likely) have net.inet.ip.fw.one_pass=1 .. so > that packets exiting from pipes aren't seen by the firewall again. If > you set one_pass=0, packets are reinjected into the firewall at the rule > following the pipe (or queue) action, which is what you want to do here. Actually this is also described in the manpage of ipfw(8). Shame on me ;-) > And you'll surely need a much larger queue for this pipe, at 100Mbit/s. > As already asked above: How do I know the queue is large or small enough for my needs? > cheers, Ian Regards, Sebastian [1] http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?38577.130.149.220.164.1232964978.squirrel>
