ipfw pipes

Hello again.
I've got a server with FreeBSD and 3 IFs:
2 for 2 LANs and 1 for internet access.
All I want to do is:
between LANs: 100 Mbit
from LAN 1 to internet: 5 Mbit
from LAN 2 to internet: 2 Mbit.

What pipes config could handle this? I've been trying for more than 3 days, but until now I could successfully do it only for 1 LAN. If I add another one, the speed between LANs is not 100 Mbit; it is like from some LAN -> out.
 
Code:
#!/bin/sh
# Flush rules, dummynet pipes and NAT instances before rebuilding the set.
ipfw -f flush
ipfw -f pipe flush
ipfw -f nat flush
ks="keep-state"
lan1="192.168.2.0/24"
lan2="192.168.3.0/24"


ipfw add check-state
ipfw add allow ip from any to any via lo0

# In-kernel NAT on the external address; external port 10022 is forwarded to 192.168.2.10:22.
NatIP="10.10.10.103"
ipfw nat 1 config ip ${NatIP} log \
redirect_port tcp 192.168.2.10:22 10022
ipfw add nat 1 ip from 192.168.2.0/24 to any
ipfw add nat 1 ip from 192.168.3.0/24 to any
ipfw add nat 1 ip from any to ${NatIP}

####### This host firewall #############

# only established incoming connections
ipfw add allow ip from any to me established
# allow ssh to me
ipfw add allow tcp from any to me 22 $ks
# allow icmp
ipfw add allow icmp from any to me
# allow udp dns
ipfw add allow udp from any 53 to me
################END ATM##############

############# PIPES #################
# From LAN1 -> OUT: one pipe per direction (1 = upload, 2 = download)
ipfw pipe 1 config bw 2Mbit/s
ipfw pipe 2 config bw 2Mbit/s
# Internal "unlimited" pipes, one per direction and LAN pair
ipfw pipe 3 config bw 100Mbit/s
ipfw pipe 4 config bw 100Mbit/s
ipfw pipe 5 config bw 100Mbit/s
ipfw pipe 6 config bw 100Mbit/s

# From LAN2 -> OUT (7 = upload, 8 = download)
ipfw pipe 7 config bw 1Mbit/s
ipfw pipe 8 config bw 1Mbit/s
########### END PIPES ##############

####### INTERNAL SPEED ##########
ipfw add pipe 3 all from ${lan1} to ${lan2} out
ipfw add pipe 4 all from ${lan2} to ${lan1} in
ipfw add pipe 6 all from ${lan1} to ${lan2} in
ipfw add pipe 5 all from ${lan2} to ${lan1} out
#################################

######### LAN1 Firewall #############
# shaping matched on the external interface (em1)
ipfw add pipe 1 all from ${lan1} to any out via em1
ipfw add pipe 2 all from any to ${lan1} in via em1

ipfw add allow ip from any to ${lan1} established
ipfw add allow icmp from any to ${lan1}
ipfw add allow udp from any 53 to ${lan1}


######## END LAN1 ################

####### LAN2 Firewall ##############
# speed-cut to 1 mbit, matched on the external interface (em1)
ipfw add pipe 7 all from any to ${lan2} in via em1
ipfw add pipe 8 all from ${lan2} to any out via em1

ipfw add allow ip from any to ${lan2} established

ipfw add allow icmp from any to ${lan2}
ipfw add allow udp from any 53 to ${lan2}

####### END LAN2 ##################

########## Denies ##############
#ipfw add deny all from any to ${lan1}
#ipfw add deny all from any to ${lan2}
ipfw add deny all from any to me
# a bare "name=value" line is not valid in sh; sysctl(8) is what sets this.
# With one_pass=1 a packet leaving a dummynet pipe is not passed through the ruleset again.
sysctl net.inet.ip.fw.one_pass=1

With such a config I disable any incoming connection to the host or to the LANs if it is not established.
The result I managed to get:
from LAN1 to LAN2 (and vice versa) it is 100 Mbit up and down;
to LAN1 and to LAN2 from out (download for the LANs) I get the right speeds;
to out from LAN1 and LAN2 (upload for the LANs) I get 100 Mbit :(
I think it is because of the
ipfw add allow ip from any to me established
rule, as in ipfw show I see that after connecting to an FTP server out there and starting a download, traffic runs via this rule :(
 
No need to get snarky about the "help", not everything is known to everybody here. And if you don't post the solution, it still won't be known to anybody else, so you're actually perpetuating the problem.
 
Not a problem with me :)
The config should be like this:


Code:
#!/bin/sh
# Flush rules, dummynet pipes and NAT instances before rebuilding the set.
ipfw -f flush
ipfw -f pipe flush
ipfw -f nat flush
ks="keep-state"
lan1="192.168.2.0/24"
lan2="192.168.3.0/24"


ipfw add check-state
ipfw add allow ip from any to any via lo0

# In-kernel NAT on the external address; external port 10022 is forwarded to 192.168.2.10:22.
NatIP="10.10.10.103"
ipfw nat 1 config ip ${NatIP} log \
redirect_port tcp 192.168.2.10:22 10022
ipfw add nat 1 ip from 192.168.2.0/24 to any
ipfw add nat 1 ip from 192.168.3.0/24 to any
ipfw add nat 1 ip from any to ${NatIP}

####### This host firewall #############

# only established incoming connections
ipfw add allow ip from any to me established
# allow ssh to me
ipfw add allow tcp from any to me 22 $ks
# allow icmp
ipfw add allow icmp from any to me
# allow udp dns
ipfw add allow udp from any 53 to me
################END ATM##############

############# PIPES #################
# From LAN1 -> OUT: one pipe per direction (1 = upload, 2 = download)
ipfw pipe 1 config bw 2Mbit/s
ipfw pipe 2 config bw 2Mbit/s
# Internal "unlimited" pipes, one per direction and LAN pair
ipfw pipe 3 config bw 100Mbit/s
ipfw pipe 4 config bw 100Mbit/s
ipfw pipe 5 config bw 100Mbit/s
ipfw pipe 6 config bw 100Mbit/s
# From LAN2 -> OUT (7 = upload, 8 = download)
ipfw pipe 7 config bw 2Mbit/s
ipfw pipe 8 config bw 2Mbit/s
########### END PIPES ##############

####### INTERNAL SPEED ##########
# LAN-to-LAN traffic is matched here, before the LAN -> OUT pipe rules below can catch it
ipfw add pipe 3 all from ${lan1} to ${lan2} out
ipfw add pipe 4 all from ${lan2} to ${lan1} in
ipfw add pipe 6 all from ${lan1} to ${lan2} in
ipfw add pipe 5 all from ${lan2} to ${lan1} out
#################################

######### LAN1 Firewall #############
# shaping is matched on the LAN interface (em0): in = upload, out = download
ipfw add pipe 1 all from ${lan1} to any in via em0
ipfw add pipe 2 all from any to ${lan1} out via em0
# filtering is matched on the external interface (em1)
ipfw add allow ip from any to ${lan1} established via em1

# forwarded ssh port (see redirect_port above)
ipfw add allow tcp from any to 192.168.2.10 22
ipfw add allow icmp from any to ${lan1}
ipfw add allow udp from any 53 to ${lan1}


######## END LAN1 ################

####### LAN2 Firewall ##############
# speed-cut to 2 Mbit, matched on the LAN interface (em2)
ipfw add pipe 7 all from ${lan2} to any in via em2
ipfw add pipe 8 all from any to ${lan2} out via em2
ipfw add allow all from any to ${lan2} established via em1

ipfw add allow icmp from any to ${lan2}
ipfw add allow udp from any 53 to ${lan2}

####### END LAN2 ##################

########## Denies ##############
# anything else arriving on the external interface for the LANs, or for this host, is dropped
ipfw add deny all from any to ${lan1} via em1
ipfw add deny all from any to ${lan2} via em1
ipfw add deny all from any to me

Works like a charm and could be some kind of template for people who want to have:
1. 2 LANs behind NAT with only established traffic passing to them from the internet (i.e. no torrents for outbound connections)
2. full 100 Mbit speed between LAN nets (we don't really want to slow the office connection down, do we?)
3. 2 shaped pipes with managed speed for both of them to go out of the NAT
4. some redirected and allowed ports.

The firewall's default rule is to accept.


But I'm not 100% sure that it should be THAT large :) There should be some workaround to make it smaller, but I definitely know that it should be 1 pipe per up or down traffic direction; otherwise it'll be only half of the pipe size, as the other half will be reserved for the opposite traffic direction.
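An added example, not from the thread and not the original poster's script: a small generator for the ruleset described in the question and in the solution above, for any number of LANs, with one dummynet pipe per LAN and per direction, shaping matched on the LAN interfaces and filtering matched on the uplink, as the solution post does. Interface names, subnets, the NAT address and the bandwidths in the table are placeholders; rule numbers are assigned explicitly so the order is visible in ipfw show. It differs from the posted script in three ways: the nat rule is restricted to the uplink with via, LAN-to-LAN traffic is allowed before any pipe rule instead of being sent through 100 Mbit pipes, and net.inet.ip.fw.one_pass is set to 0 so a packet leaving a pipe or the nat continues at the next rule. The set ends in an explicit deny instead of relying on the default-accept rule mentioned above.

```sh
#!/bin/sh
# ipfw-shape.sh: emit (and optionally apply) an ipfw + dummynet ruleset for
# several LANs behind one NAT uplink, one pipe per LAN per direction.
# Interface names, subnets, NAT address and bandwidths are placeholders
# (assumed, not taken from the thread); edit the table below.
# Usage: sh ipfw-shape.sh          # print the rules (dry run)
#        sh ipfw-shape.sh apply    # feed them to sh as root

WAN_IF="em1"                # uplink interface (assumed name)
NAT_IP="10.10.10.103"       # address LAN sources are rewritten to (assumed)

# LAN table: name  interface  subnet  upload_bw  download_bw (all assumed)
LANS="
lan1 em0 192.168.2.0/24 5Mbit/s 5Mbit/s
lan2 em2 192.168.3.0/24 2Mbit/s 2Mbit/s
"

rule() { printf 'ipfw %s\n' "$*"; }                          # one ipfw(8) command per line
lan_nets() { printf '%s\n' "$LANS" | awk 'NF == 5 { print $3 }'; }

gen_rules() {
    # With one_pass=1 (the default) a packet leaving a dummynet pipe is accepted
    # at once and never sees the rules after it; the in-kernel nat action honours
    # the same sysctl.  With 0 both resume at the next rule, so the pipes can
    # sit before the filters.
    echo 'sysctl net.inet.ip.fw.one_pass=0'
    rule -f flush
    rule -f pipe flush
    rule -f nat flush
    rule add 100 check-state
    rule add 110 allow ip from any to any via lo0
    # NAT only on the uplink, so LAN-to-LAN traffic keeps its real addresses.
    rule nat 1 config ip "$NAT_IP"
    rule add 200 nat 1 ip from any to any via "$WAN_IF"

    # LAN-to-LAN traffic is allowed before any pipe rule, so it is never shaped.
    n=300
    for a in $(lan_nets); do
        for b in $(lan_nets); do
            [ "$a" = "$b" ] && continue
            rule add $n allow ip from "$a" to "$b"
            n=$((n + 1))
        done
    done

    i=0
    printf '%s\n' "$LANS" | while read -r name ifc net up down; do
        [ -n "$name" ] || continue
        i=$((i + 1))
        base=$((i * 1000))
        pup=$((2 * i - 1))      # pipe for LAN -> internet
        pdown=$((2 * i))        # pipe for internet -> LAN
        rule pipe $pup config bw "$up"
        rule pipe $pdown config bw "$down"
        # Shape on the LAN interface: packets entering from the LAN are upload,
        # packets leaving towards the LAN are download.
        rule add $((base + 10)) pipe $pup ip from "$net" to any in via "$ifc"
        rule add $((base + 20)) pipe $pdown ip from any to "$net" out via "$ifc"
        # Filter on the uplink (after nat has restored the LAN address):
        # only replies to LAN-initiated traffic get in, everything else is dropped.
        rule add $((base + 30)) allow tcp from any to "$net" established in via "$WAN_IF"
        rule add $((base + 40)) allow icmp from any to "$net" in via "$WAN_IF"
        rule add $((base + 50)) allow udp from any 53 to "$net" in via "$WAN_IF"
        rule add $((base + 60)) deny ip from any to "$net" in via "$WAN_IF"
        # The LAN may initiate anything; shaped inbound traffic is delivered.
        rule add $((base + 70)) allow ip from "$net" to any in via "$ifc"
        rule add $((base + 80)) allow ip from any to "$net" out via "$ifc"
    done

    # The router itself: replies, ssh, icmp and DNS answers in; anything out.
    rule add 60000 allow tcp from any to me established
    rule add 60010 allow tcp from any to me 22 keep-state
    rule add 60020 allow icmp from any to me
    rule add 60030 allow udp from any 53 to me
    rule add 60040 deny ip from any to me
    rule add 60050 allow ip from me to any
    # Translated LAN traffic leaving on the uplink (its source is now NAT_IP).
    rule add 60100 allow ip from any to any out via "$WAN_IF"
    rule add 65000 deny ip from any to any
}

apply_rules() { gen_rules | sh -e; }

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to review the rules, with apply as root to load them. Two caveats carried over from the posted ruleset: the UDP rule lets in any datagram whose source port is 53, which a sender chooses freely, so it is a convenience rather than a control; and established only looks at TCP flags, so an outside packet with ACK set addressed to the router reaches its TCP stack (which answers with a RST). keep-state on the outbound rules is the stricter alternative. A forwarded port goes into the nat config line as redirect_port, with an allow rule before that LAN's deny, as the original does for ssh.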
 
BTW, where did net.inet.ip.dummynet.max_chain_len go in FreeBSD 8.1? It's still mentioned in man ipfw, which I don't think has been rewritten, as it doesn't mention new functionality (e.g. net.inet.ip.dummynet.fsk_count).
 