Hi,
I want to achieve dynamic traffic shaping and routing with NAT using ipfw, and also to block IPs by MAC address.
Here is my rule:
Code:
#!/bin/sh
cmd="/sbin/ipfw -q"
# external interface
wan_if="em0"
# internal interface
lan_if="em1"
# per-client bandwidth caps
b_down="512Kbit/s"
b_up="256Kbit/s"
# connection cap per source address, used by rule 720
conn_limit="limit src-addr 1000"
# table 1: shaped LAN clients (value 1); table 2 is not referenced by the rules below
$cmd table 1 add 192.168.11.0/24 1
$cmd table 2 add 10.0.0.0/24
# nat
$cmd nat 1 config if $wan_if reset
$cmd add 50 nat 1 all from 192.168.11.0/24 to any via $wan_if out
$cmd add 60 nat 1 all from any to me via $wan_if in
# download pipe; queues 1 and 2 share it, one flow per destination host (mask dst-ip 0x000000ff)
$cmd pipe 10 config bw $b_down queue 8Kbytes
$cmd queue 1 config sched 5 weight 10 pipe 10 queue 6 mask dst-ip 0x000000ff
$cmd queue 2 config sched 5 weight 1 pipe 10 queue 6 mask dst-ip 0x000000ff
# upload pipe ack, one flow per source host
$cmd pipe 20 config bw 128Kbit/s queue 4Kbytes mask src-ip 0x000000ff
# upload all; queues 3 and 4 share pipe 21
$cmd pipe 21 config bw $b_up queue 8Kbytes mask src-ip 0x000000ff
$cmd queue 3 config sched 5 weight 10 pipe 21 queue 6 mask dst-ip 0x000000ff
$cmd queue 4 config sched 5 weight 1 pipe 21 queue 6 mask dst-ip 0x000000ff
# download rules
# small ACKs get the high-weight queue; with net.inet.ip.fw.one_pass=1 (the default)
# the packet is accepted right after the queue, so rule 710 only runs when one_pass=0
$cmd add 700 queue 1 tcp from any to any out xmit $lan_if tcpflags ack iplen 0-52
$cmd add 710 skipto 7000 tcp from any to any out xmit $lan_if tcpflags ack iplen 0-52
$cmd add 720 queue 2 ip from any to "table(1)" out xmit $lan_if $conn_limit
# upload rules
$cmd add 800 pipe 20 tcp from any to any in recv $lan_if tcpflags ack iplen 0-52
$cmd add 810 skipto 8000 tcp from any to any in recv $lan_if tcpflags ack iplen 0-52
$cmd add 910 queue 2 ip from any to "table(1)" in recv $lan_if
$cmd add 920 queue 4 ip from "table(1)" to any in via $lan_if
Everything works fine with shaping without MAC filtering.
If I want to add layer2 filtering with the following code, added before NAT rules:
Code:
# allow using MAC (layer2 rules only do anything with net.link.ether.ipfw=1)
# ARP must pass or the LAN stops working
$cmd add 13 allow ip from any to any layer2 mac-type arp
# MAC option is written "MAC dst src": any destination, this one source address;
# MAC options can only match on the layer2 pass, where the Ethernet header is present
$cmd add 14 allow ip from any to any MAC any "08:00:27:75:ba:cf" in via $lan_if
# every other frame entering on the LAN side is dropped
$cmd add 15 deny ip from any to any layer2 in via $lan_if
# frames on the WAN side are not filtered by MAC
$cmd add 16 allow ip from any to any layer2 via $wan_if
Then the traffic shaping will not work properly anymore. It will shape traffic, but not at 512/256, so it is not working within the parameters.
Where am I wrong? I assume that after evaluating the layer2 rules the firewall will continue with the next rules.
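To reason about where the layer2 rules interact with the dummynet rules, here is a small Python model (added here; it is neither the poster's code nor ipfw itself) that walks a constructed copy of the post's rules twice, once as the Ethernet-layer pass that net.link.ether.ipfw=1 adds and once as the IP-layer pass, and reports which dummynet actions a packet hits. The interface names em0/em1, one_pass=1, and the sample packets are assumptions.

```python
"""Toy model of an ipfw ruleset walk (added example; simplified, not ipfw).
Assumes net.link.ether.ipfw=1 (the layer2 rules need it) and one_pass=1 (a
packet is accepted right after a queue). RULES is constructed from the post's
scripts ($lan_if=em1, $wan_if=em0): only rules a TCP data segment can reach."""
import re
RULES = """13 allow ip from any to any layer2 mac-type arp
14 allow ip from any to any MAC any 08:00:27:75:ba:cf in via em1
15 deny ip from any to any layer2 in via em1
16 allow ip from any to any layer2 via em0
720 queue 2 ip from any to table(1) out xmit em1
920 queue 4 ip from table(1) to any in via em1"""

def parse(text):
    pat = re.compile(r"(\d+) (\w+)(?: (\d+))? \w+ from (\S+) to (\S+)(.*)")
    return [dict(zip(("num", "act", "arg", "src", "dst", "opts"),
                     pat.match(line).groups())) for line in text.splitlines()]

def match(r, pkt, l2):
    # Does rule r match pkt on the Ethernet pass (l2=True) or the IP pass?
    if any(r[e] == "table(1)" and not pkt[e + "_lan"] for e in ("src", "dst")):
        return False
    t = r["opts"].split()
    for i, w in enumerate(t):
        if w == "layer2" and not l2:
            return False
        if w in ("in", "out") and pkt["dir"] != w:
            return False
        if w in ("via", "recv", "xmit") and pkt["iface"] != t[i + 1]:
            return False
        # MAC and mac-type need the Ethernet header, absent on the IP pass.
        if w == "MAC" and (not l2 or t[i + 2] not in ("any", pkt["mac"])):
            return False
        if w == "mac-type" and (not l2 or pkt.get("ethertype", "ip") != t[i + 1]):
            return False
    return True

def dummynet_hits(pkt):
    hits = []
    for l2 in (True, False):             # Ethernet pass, then IP pass
        for r in parse(RULES):
            if match(r, pkt, l2):        # first matching rule ends a pass
                if r["act"] == "deny":   # dropped at layer 2: no IP pass
                    return hits
                if r["act"] == "queue":  # one_pass=1: accepted right here
                    hits.append(f"queue {r['arg']}")
                break
    return hits
# Constructed packets: a download to a LAN host, an upload from the allowed MAC.
DOWNLOAD = dict(dir="out", iface="em1", src_lan=False, dst_lan=True, mac="")
UPLOAD = dict(dir="in", iface="em1", src_lan=True, dst_lan=False,
              mac="08:00:27:75:ba:cf")
```

In this model the upload segment is allowed by rule 14 on the Ethernet pass and queued once on the IP pass, while the download segment matches none of rules 13-16 (they are all `in` or `via em0`) and so reaches rule 720 on both passes, i.e. queue 2 on pipe 10 sees the same bytes twice. A terminal layer2 rule placed after rule 16 would end the Ethernet pass before the dummynet rules in this model.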