IPFW - Delay question(getting x2 the delay)

L

lovepony

Hello.

I just started out trying to build a small wan emulator running freebsd.

I have a small ALIX box with 3 network interfaces , 1 for management and 2 in bridge mode.
Now my problem is when i add 700 ms delay on my bridge interface i get 1400 ms delay when i ping.
I'm guessing this is because I'm hitting both the interfaces in the bridge.

so now my question is , how do i fix this?
 
I guess you do not have layer3/layer2 separation in you ruleset. Then bridging is active and layer2 filtering is active (using sysctl sysctl net.link.ether.ipfw=1) all packets going trough ipfw will have 4 passes now (2 passes on IN and 2 passes on OUT).

In you case this ruleset:
Code: 
ipfw pipe 1 config delay 1400
ipfw add 1000 pipe 1 all from any to any in recv em0
ipfw add 1100 allow all from any to any
will pass traffic into rule 1000 two times - first on layer2 pass, and second on layer3 pass.

Use separation in you ruleset or put everywhere where you need to work with ethernet traffic keyword "layer2".
Code: 
ipfw pipe 1 config delay 1400
ipfw add 1000 pipe 1 all from any to any in recv em0 layer2
ipfw add 1100 allow all from any to any
 
terminus said:
I guess you do not have layer3/layer2 separation in you ruleset. Then bridging is active and layer2 filtering is active (using sysctl sysctl net.link.ether.ipfw=1) all packets going trough ipfw will have 4 passes now (2 passes on IN and 2 passes on OUT).

In you case this ruleset:
Code: 
ipfw pipe 1 config delay 1400
ipfw add 1000 pipe 1 all from any to any in recv em0
ipfw add 1100 allow all from any to any
will pass traffic into rule 1000 two times - first on layer2 pass, and second on layer3 pass.

Use separation in you ruleset or put everywhere where you need to work with ethernet traffic keyword "layer2".
Code: 
ipfw pipe 1 config delay 1400
ipfw add 1000 pipe 1 all from any to any in recv em0 layer2
ipfw add 1100 allow all from any to any
Click to expand...

Thank you very much , this is maybe a stupid question but em0 = my bridge interface?
 
em0 = my bridge interface?
Click to expand...

Yes, in this example I assume that you have bridge0 constructed from em0 and em1 interfaces, and need to create 1400ms delay on all traffic that passes through system received from em0 side.

Show current ipfw rules you are using and output from:
Code: 
sysctl -a | grep ether.ipfw
sysctl -a | grep one_pass
in case you still have troubles with delays.
 
i might be wrong, but ping basically is round-trip-time. which means that you measure the time for the packet going + the response packet back. they will both pass your rules and thus each of them will be delayed, right?
i might be also missing something, in case you use "in recv INTF" this might only match one direction, right? but u don't specify if your rules are built like that.
 
You must log in or register to reply here.
Back
Top