doesn't dummynet work with vlan?

M

maslakyavuz

Hello there,

I use freebsd8.2 FreeBSD 8.2. I added dummynet and the following to the kernel;

Code: 
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print information about
options         IPFIREWALL_FORWARD      #enable trasparent proxy support     
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         HZ=1000
options         DUMMYNET
options         IPDIVERT
options         DEVICE_POLLING

I have four networks which seperate from each other with VLANs. I wish to limit bandwidth for every VLAN network using dummynet. I have two ethernet cards for that. One of them is WAN, the other one is inbound is tagged. VLAN works well. I configured a network to limit using dummynet; ipfw.sh:

Code: 
###
ipfw -f flush

ipfw pipe 11 config bw 2Mbit/s     # Vlan104
ipfw pipe 12 config bw 2Mbit/s     # 6.Port on the switch

ipfw add pipe 11 ip from any to 10.12.4.0/24  in via em0
ipfw add pipe 12 ip from 10.12.4.0/24 to any out xmit em0
###

em0 is for outside in the server. As a client my PC is in vlan104 namely I am behind the firewall. When I execute the ipfw.sh, I can't reach the internet.

Code: 
ipfw add pipe 12 ip from 10.12.4.0/24 to any out xmit em0

Above line works it actually limits but

Code: 
ipfw add pipe 11 ip from any to 10.12.4.0/24  in via em0

Above line doesn't work properly, it obstructs my http and ICMP requests. So I can't reach the internet.

When I remove
Code: 
ipfw add pipe 11 ip from any to 10.12.4.0/24  in via em0
from ipfw.sh I can either ping outbound or reach the internet.

I tried vlan104 instead of em0
Code: 
in via em0
That doesn't help me.

What can be the problem?

Thanks
 
Try adding a rule to pass and/or log some packets, only to check counters. I like a different approach for dummynet on routers: match only egress packets (the out keyword), but I also specify the ingress and egress interfaces (recv/xmit keywords), to make sure packets are sent to dummynet pipes/queues only once. I use:

Code: 
ipfw add 500 pipe 200 ip from 10.x.x.x to any out recv em0 xmit vlan200
 
Dummynet works fine with vlans. We use it on our main fibre router to limit each fibre site to 900 Mbps total (pipe) and 100 Mbps each (queue).

How it works with vlans depends on how the vlans are configured: tagged (as in separate vlan virtual interface in FreeBSD) or untagged (single physical interface in FreeBSD). If you are using tagged vlans, then you will have separate vlanX or em.X interfaces in FreeBSD. Use those interfaces in your rules, not the physical interface.
 
my problem continues

Ok my configuration is below;
Code: 
# cat rc.conf;
cloned_interfaces="vlan100 vlan101 vlan102 vlan103 vlan104 vlan105 vlan106"
# WAN
ifconfig_em0="inet 87.255.91.194  netmask 255.255.255.0"  # UST KART
# LAN                                                 
ifconfig_em1="UP"                                       # ALT KART
ifconfig_vlan100="inet 10.12.0.1/24 vlan 100 vlandev em1"
ifconfig_vlan101="inet 10.12.1.1/24 vlan 101 vlandev em1"
ifconfig_vlan102="inet 10.12.2.1/24 vlan 102 vlandev em1"
ifconfig_vlan103="inet 10.12.3.1/24 vlan 103 vlandev em1"
ifconfig_vlan104="inet 10.12.4.1/24 vlan 104 vlandev em1"
Code: 
# cat ipfw.sh
ipfw pipe 104 config bw 2Mbit/s     # Vlan104
ipfw add 500 pipe 104 ip from 10.12.4.0/24 to any out recv em0 xmit vlan104

I also used below one before;
Code: 
ipfw pipe 11 config bw 2Mbit/s     # Vlan104
ipfw pipe 12 config bw 2Mbit/s     # 
ipfw add pipe 11 ip from any to 10.12.4.0/24  in via em0
ipfw add pipe 12 ip from 10.12.4.0/24 to any out xmit em0
ipfw add pass ip from 10.12.4.0/24 to any
ipfw add pass ip from any to 10.12.4.0/24

But it is the same. it causes obstruct me to reach to internet. Actually it limits for bandwidth. I don't use a proxy server. I use NAT. If I remove the dummynet lines (above lines) everything is OK except limit. If I use outbound (xmit) and remove recv (inbound) I can reach the internet but I can't limit inbound traffic.
What should my configuration be?
 
Okay, so traffic comes in on the vlan interface, gets NAT'd as it goes out the public interface (em0). And you want to use dummynet to rate-limit the traffic on a per-vlan basis. Correct?

So, something like the following would be your generic, starting rules, to allow traffic via NAT:
Code: 
ipfw add 500 allow ip from 10.12.4.0/24 to any in recv vlan104
ipfw add 501 nat 104 ip from 10.12.4.0/24 to any out xmit em0
ipfw add 502 nat 104 ip from any to <public_IP> in recv em0
ipfw add 502 allow ip from any to 10.12.4.0/24 out xmit vlan104

So, you change your vlan104 rules to do the rate-limiting:
Code: 
ipfw pipe 104 bw 2Mbit/s
ipfw add 500 pipe 104 from 10.12.4.0/24 to any in recv vlan104
ipfw add 501 nat 104 ip from 10.12.4.0/24 to any out xmit em0
ipfw add 502 nat 104 ip from any to <public_IP> in recv em0
ipfw add 502 pipe 104 from any to 10.12.4.0/24 out xmit vlan104
 
Ok. I am going to try it. It may be help. I use PF for NAT.

My pf.conf is:
Code: 
ext_if="em0"    # external interface name
int_if="em1"    # internal interface name
nat on $ext_if from !$ext_if to any -> $ext_if

How can I do what you said using pf? I am also going to try NAT with IPFW.
 
You really shouldn't mix PF and IPFW together. You are introducing a lot of extra latency and processin, as every packet is now processed twice (once by each packet filter).

Pick one, and do everything with it. Either PF+ALTQ for NAT/queuing, or IPFW+Dummynet for same.
 
phoenix said:
You really shouldn't mix PF and IPFW together. You are introducing a lot of extra latency and processin, as every packet is now processed twice (once by each packet filter).

Pick one, and do everything with it. Either PF+ALTQ for NAT/queuing, or IPFW+Dummynet for same.
Click to expand...

Technically, IPFW can work with pf, I used pf for NAT and IPFW for filtering and queueing with success on a single machine. Few 2 Mbps pipes shouldn't kill current x86 hardware.
 
Ok

My rc.conf is:

I have two ethernet cards, em0 is WAN and em1 is LAN, and assigned VLANs.

Code: 
# cat rc.conf;
cloned_interfaces="vlan100 vlan101 vlan102 vlan103 vlan104 vlan105 vlan106"
# WAN
ifconfig_em0="inet 87.255.91.194  netmask 255.255.255.0"  # UST KART
# LAN                                                 
ifconfig_em1="UP"                                       # ALT KART
ifconfig_vlan100="inet 10.12.0.1/24 vlan 100 vlandev em1"
ifconfig_vlan101="inet 10.12.1.1/24 vlan 101 vlandev em1"
ifconfig_vlan102="inet 10.12.2.1/24 vlan 102 vlandev em1"
ifconfig_vlan103="inet 10.12.3.1/24 vlan 103 vlandev em1"
ifconfig_vlan104="inet 10.12.4.1/24 vlan 104 vlandev em1"
############################

I want to limit vlan104 to 2 Mbps and vlan103 to 1 Mbps.
How can I do that? And I use PF for NAT

pf.conf:
Code: 
#####
ext_if="em0"    # external interface name
int_if="em1"    # internal interface name
nat on $ext_if from !$ext_if to any -> $ext_if
####
 
You must log in or register to reply here.
Back
Top