Date: Thu, 18 Sep 2003 05:49:09 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: "Thomas S. Crum - 1WISP, Inc." <tscrum@1wisp.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: throttling bandwidth on different ports
Message-ID: <20030918054908.A58676@xorpc.icir.org>
In-Reply-To: <010401c37ddb$9f1f8a20$5e01a8c0@1wispadmin>; from tscrum@1wisp.com on Thu, Sep 18, 2003 at 07:54:30AM -0400
References: <010401c37ddb$9f1f8a20$5e01a8c0@1wispadmin>
if you want per-service differentiation then you should have multiple
queues (with different weights) point to the mask on the queue to
include the port numbers. Something like this (ipfw2 syntax)

	# do the address check only once
	ipfw -c add 1000 skipto 1010 not src-ip 192.168.1.0/24,66.255.6.0/24
	ipfw -c add 1000 queue 30 proto tcp src-port 80,443	// web
	ipfw -c add 1000 queue 31 src-port 53			// dns
	ipfw -c add 1000 queue 32				// all the rest from these hosts
	ipfw -c add 1010 ...					// other traffic

	# you can have different masks on the queues
	ipfw queue 30 config weight 10 pipe 1 mask src-ip 0xffffffff
	ipfw queue 31 config weight 5 pipe 1
	ipfw queue 32 config weight 1 pipe 1 mask src-ip 0x000000ff
	ipfw pipe 1 config bw 200kbit/s

cheers
luigi

On Thu, Sep 18, 2003 at 07:54:30AM -0400, Thomas S. Crum - 1WISP, Inc. wrote:
> Hi List,
>
> I thank anyone, in advance, who might offer some light to my question below.
>
> At our office, we have a T1 circuit that I am trying to divvy up bandwidth as
> you see below. I would like to give a greater amount of pipe to "web"
> associated ports and allow the rest of the traffic to fall into a default
> queue, both up and down.
>
> When I run this config it seems that the "web"
> associated ports are simply falling into the default queue, which of course
> slows everything to a crawl since the default queues are so small.
>
> Is it possible to queue tcp traffic as I am attempting to do?
>
> Can anyone give me some insight as to why this is happening and offer a
> solution that will accomplish what I am attempting?
>
> I am running dummynet as a bridge behind my router and in front of
> everything else on freebsd. My config is below.
>
> ###################
>
> # TOM'S PLAYGROUND
>
> # DO THIS CAUSE THEY SAY ITS GOOD
> add check-state
>
> # BLOCK BAD IP'S
> #add deny ip from 192.168.1.27 to any
> #add deny ip from any to 192.168.1.27
>
> # Keep those nasty viruses, worms and critters away.
> add deny udp from any to any 8998
> add deny tcp from any to any 135
> add deny udp from any to any 69
> add deny tcp from any to any 4444
> add deny tcp from any to any 707
> add deny tcp from any to any 137
> add deny udp from any to any 137
> add deny tcp from any to any 138
> add deny udp from any to any 138
> add deny tcp from any to any 139
> add deny udp from any to any 139
> add deny tcp from any to any 593
> add deny udp from any to any 593
>
> # GIVE ME FULL PIPE WHEN SSH FROM OUTSIDE
> add allow tcp from 66.255.6.221 to any 22
> add allow tcp from any to 66.255.6.221 22
>
> # ALLOW LOCAL IP'S TO PASS W/ EACH OTHER
> add allow ip from 192.168.1.0/24 to 192.168.1.0/24
> add allow ip from 192.168.1.0/24 to 66.255.6.0/24
> add allow ip from 66.255.6.0/24 to 66.255.6.0/24
> add allow ip from 66.255.6.0/24 to 192.168.1.0/24
>
> # MAILSERVER "DUPLEX"
> add queue 10 ip from any to 66.255.6.131
> add queue 11 ip from 66.255.6.131 to any
> queue 10 config weight 1 pipe 10 mask src-ip 0xffffffff
> queue 11 config weight 1 pipe 10 mask dst-ip 0xffffffff
> pipe 10 config bw 50Kbit/s
>
> # EVERYBODY "DOWN 80, 443 AND 53 PORT" 80/20
> add queue 30 tcp from any to 192.168.1.0/24 80
> add queue 30 tcp from any to 66.255.6.0/24 80
> add queue 30 tcp from any to 192.168.1.0/24 53
> add queue 30 tcp from any to 66.255.6.0/24 53
> add queue 30 udp from any to 192.168.1.0/24 53
> add queue 30 udp from any to 66.255.6.0/24 53
> add queue 30 tcp from any to 192.168.1.0/24 443
> add queue 30 tcp from any to 66.255.6.0/24 443
> add queue 30 udp from any to 192.168.1.0/24 443
> add queue 30 udp from any to 66.255.6.0/24 443
> queue 30 config weight 1 pipe 30 mask dst-ip 0xffffffff
> pipe 30 config bw 960Kbit/s
>
> # EVERYBODY "DOWN ALL PORTS"
> add queue 31 ip from any to 192.168.1.0/24
> add queue 31 ip from any to 66.255.6.0/24
> queue 31 config weight 1 pipe 31 mask dst-ip 0xffffffff
> pipe 31 config bw 240Kbit/s
>
> # EVERYBODY "UP 80, 443 AND 53 PORT" 60/40
> add queue 32 tcp from 192.168.1.0/24 80 to any
> add queue 32 tcp from 66.255.6.0/24 80 to any
> add queue 32 tcp from 192.168.1.0/24 53 to any
> add queue 32 tcp from 66.255.6.0/24 53 to any
> add queue 32 udp from 192.168.1.0/24 53 to any
> add queue 32 udp from 66.255.6.0/24 53 to any
> add queue 32 tcp from 192.168.1.0/24 443 to any
> add queue 32 tcp from 66.255.6.0/24 443 to any
> add queue 32 udp from 192.168.1.0/24 443 to any
> add queue 32 udp from 66.255.6.0/24 443 to any
> queue 32 config weight 1 pipe 32 mask src-ip 0xffffffff
> pipe 32 config bw 150Kbit/s
>
> # EVERYBODY "UP ALL PORTS"
> add queue 33 ip from 192.168.1.0/24 to any
> add queue 33 ip from 66.255.6.0/24 to any
> queue 33 config weight 1 pipe 33 mask src-ip 0xffffffff
> pipe 33 config bw 100Kbit/s
>
> # THIS SHOULD MAKE DHCP WORK? PS. IT DID.
> add queue 250 ip from any to any
> queue 250 config weight 1 pipe 250 mask src-ip 0xffffffff
> pipe 250 config bw 10Kbit/s
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
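Added example, not part of the thread: a small Python model of the difference between Luigi's layout (several queues with different weights sharing one pipe) and the original config's layout (one private pipe per traffic class). It models dummynet's sharing rule, backlogged queues split the pipe in proportion to weight and a queue that needs less than its share leaves the surplus to the others; the weights, pipe sizes and demands are constructed values, and the function names are the example's own.

```python
# Added example (not from the thread): a model of how dummynet shares one
# pipe among queues of different weights, as in Luigi's suggestion, versus
# giving each traffic class its own pipe as in the original config.
# Sharing rule modelled: backlogged queues get bandwidth in proportion to
# weight; a queue that needs less than its share keeps only what it needs
# and the surplus is re-divided among the others (progressive filling).
# All weights, pipe sizes and demands below are constructed values.


def weighted_share(pipe_kbit, queues):
    """queues: {name: (weight, demand_kbit)} attached to one pipe.
    Returns {name: allocated_kbit}."""
    alloc = {}
    pending = dict(queues)
    left = float(pipe_kbit)
    while pending:
        total_w = sum(w for w, _ in pending.values())
        share = {n: left * w / total_w for n, (w, _) in pending.items()}
        # queues whose demand fits inside their weighted share are done
        done = [n for n, (_, d) in pending.items() if d <= share[n]]
        if not done:
            # everyone left is backlogged: split strictly by weight
            alloc.update(share)
            break
        for n in done:
            alloc[n] = float(pending[n][1])
            left -= pending[n][1]
            del pending[n]
    return alloc


def fixed_pipes(classes):
    """classes: {name: (pipe_kbit, demand_kbit)}, one private pipe each.
    A class can never borrow another class's idle capacity."""
    return {n: float(min(bw, d)) for n, (bw, d) in classes.items()}


if __name__ == "__main__":
    # Luigi's layout: web/dns/rest queues, weights 10/5/1, one 200 kbit/s pipe
    busy = weighted_share(200, {"web": (10, 300), "dns": (5, 10), "rest": (1, 300)})
    print("all busy, shared pipe:", {k: round(v, 1) for k, v in busy.items()})
    # only "rest" is active: it inherits the whole pipe
    quiet = weighted_share(200, {"web": (10, 0), "dns": (5, 0), "rest": (1, 300)})
    print("only rest busy, shared pipe:", {k: round(v, 1) for k, v in quiet.items()})
    # original layout: a 160 kbit/s pipe for web and a 40 kbit/s pipe for rest
    split = fixed_pipes({"web": (160, 0), "rest": (40, 300)})
    print("only rest busy, private pipes:", split)
```

With private pipes the idle web capacity is simply lost, which is why a shared pipe with weighted queues gives the "default" traffic a small guaranteed share without starving it when the link is otherwise quiet.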
Archive URL: https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030918054908.A58676