Weaseal
08-01-2008, 04:16 PM
I am trying to limit clients on the network to 256Kbit/s down and 85Kbit/s up for internet use. We use FreeBSD 7.0-p3 as our gateway.
The bandwidth limiting is working, but it's working too well. It's not only limiting clients' access to the internet, but also to the server itself! For example, a client copying a file to/from the samba share on the FreeBSD gateway, he's still limited to 256Kbit/s / 85Kbit/s! We don't want this, we only want to limit their access on the other side of the FreeBSD gateway!
Here's the firewall rules:
$ cat /etc/firewall
#!/bin/sh -
#
# Setup system for ipfw(4) firewall service.
#
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi
############
# Define the firewall type in /etc/rc.conf. Valid values are:
# open - allows anyone in; safety net
# limiter - allows our clients and limits their bandwidth. should block all others
############
setup_loopback () {
############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
fwcmd="/sbin/ipfw -q"
;;
*)
fwcmd="/sbin/ipfw"
;;
esac
############
# Flush out the list before we begin.
#
${fwcmd} -f flush
setup_loopback
############
# Network Address Translation. All packets are passed to natd(8)
# before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
fi
;;
esac
case ${firewall_nat_enable} in
[Yy][Ee][Ss])
if [ -n "${firewall_nat_interface}" ]; then
${fwcmd} nat 123 config if ${firewall_nat_interface} log
${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
fi
;;
esac
esac
############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any
# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
${fwcmd} add 65000 pass all from any to any
;;
esac
############
# Bandwidth capping rules
case ${firewall_type} in
[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
# Deny everyone who isn't on the list below
${fwcmd} add 65300 deny all from any to any
# Allow everything via the LAN interface
${fwcmd} add 400 allow all from any to any via nfe0
# Centrul - principal
${fwcmd} pipe 4001 config bw 3000Kbit/s
${fwcmd} pipe 4002 config bw 1000Kbit/s
${fwcmd} add 401 pipe 4001 all from any to 192.168.2.2
${fwcmd} add 402 pipe 4002 all from 192.168.2.2 to any
# Centrul - c1
${fwcmd} pipe 1 config bw 256Kbit/s
${fwcmd} pipe 2 config bw 85Kbit/s
${fwcmd} add 501 pipe 1 all from any to 192.168.2.3
${fwcmd} add 502 pipe 2 all from 192.168.2.3 to any
# Centrul - c2
${fwcmd} pipe 3 config bw 256Kbit/s
${fwcmd} pipe 4 config bw 85Kbit/s
${fwcmd} add 503 pipe 3 all from any to 192.168.2.4
${fwcmd} add 504 pipe 4 all from 192.168.2.4 to any
# Centrul - c3
${fwcmd} pipe 5 config bw 256Kbit/s
${fwcmd} pipe 6 config bw 85Kbit/s
${fwcmd} add 505 pipe 5 all from any to 192.168.2.5
${fwcmd} add 506 pipe 6 all from 192.168.2.5 to any
# Centrul - c4
${fwcmd} pipe 7 config bw 256Kbit/s
${fwcmd} pipe 8 config bw 85Kbit/s
${fwcmd} add 507 pipe 7 all from any to 192.168.2.6
${fwcmd} add 508 pipe 8 all from 192.168.2.6 to any
# Centrul - c5
${fwcmd} pipe 9 config bw 256Kbit/s
${fwcmd} pipe 10 config bw 85Kbit/s
${fwcmd} add 509 pipe 9 all from any to 192.168.2.7
${fwcmd} add 510 pipe 10 all from 192.168.2.7 to any
# Centrul - c6
${fwcmd} pipe 11 config bw 256Kbit/s
${fwcmd} pipe 12 config bw 85Kbit/s
${fwcmd} add 511 pipe 11 all from any to 192.168.2.8
${fwcmd} add 512 pipe 12 all from 192.168.2.8 to any
# Centrul - c7
${fwcmd} pipe 13 config bw 256Kbit/s
${fwcmd} pipe 14 config bw 85Kbit/s
${fwcmd} add 513 pipe 13 all from any to 192.168.2.9
${fwcmd} add 514 pipe 14 all from 192.168.2.9 to any
# Centrul - c8
${fwcmd} pipe 15 config bw 3000Kbit/s
${fwcmd} pipe 16 config bw 1000Kbit/s
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any
# Centrul - c9
${fwcmd} pipe 17 config bw 256Kbit/s
${fwcmd} pipe 18 config bw 85Kbit/s
${fwcmd} add 517 pipe 17 all from any to 192.168.2.11
${fwcmd} add 518 pipe 18 all from 192.168.2.11 to any
And here's ifconfig:$ ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:e0:4c:4d:0d:68
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:1d:92:0b:ae:ef
inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
192.168.1.0/24 is the 'internet' (it's where our router is anyway which goes to the internet) and 192.168.2.0/24 is the internal network.
Any ideas as to why it is behaving this way?
The bandwidth limiting is working, but it's working too well. It's not only limiting clients' access to the internet, but also to the server itself! For example, a client copying a file to/from the samba share on the FreeBSD gateway, he's still limited to 256Kbit/s / 85Kbit/s! We don't want this, we only want to limit their access on the other side of the FreeBSD gateway!
Here's the firewall rules:
$ cat /etc/firewall
#!/bin/sh -
#
# Setup system for ipfw(4) firewall service.
#
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi
############
# Define the firewall type in /etc/rc.conf. Valid values are:
# open - allows anyone in; safety net
# limiter - allows our clients and limits their bandwidth. should block all others
############
setup_loopback () {
############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
fwcmd="/sbin/ipfw -q"
;;
*)
fwcmd="/sbin/ipfw"
;;
esac
############
# Flush out the list before we begin.
#
${fwcmd} -f flush
setup_loopback
############
# Network Address Translation. All packets are passed to natd(8)
# before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
fi
;;
esac
case ${firewall_nat_enable} in
[Yy][Ee][Ss])
if [ -n "${firewall_nat_interface}" ]; then
${fwcmd} nat 123 config if ${firewall_nat_interface} log
${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
fi
;;
esac
esac
############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any
# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
${fwcmd} add 65000 pass all from any to any
;;
esac
############
# Bandwidth capping rules
case ${firewall_type} in
[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
# Deny everyone who isn't on the list below
${fwcmd} add 65300 deny all from any to any
# Allow everything via the LAN interface
${fwcmd} add 400 allow all from any to any via nfe0
# Centrul - principal
${fwcmd} pipe 4001 config bw 3000Kbit/s
${fwcmd} pipe 4002 config bw 1000Kbit/s
${fwcmd} add 401 pipe 4001 all from any to 192.168.2.2
${fwcmd} add 402 pipe 4002 all from 192.168.2.2 to any
# Centrul - c1
${fwcmd} pipe 1 config bw 256Kbit/s
${fwcmd} pipe 2 config bw 85Kbit/s
${fwcmd} add 501 pipe 1 all from any to 192.168.2.3
${fwcmd} add 502 pipe 2 all from 192.168.2.3 to any
# Centrul - c2
${fwcmd} pipe 3 config bw 256Kbit/s
${fwcmd} pipe 4 config bw 85Kbit/s
${fwcmd} add 503 pipe 3 all from any to 192.168.2.4
${fwcmd} add 504 pipe 4 all from 192.168.2.4 to any
# Centrul - c3
${fwcmd} pipe 5 config bw 256Kbit/s
${fwcmd} pipe 6 config bw 85Kbit/s
${fwcmd} add 505 pipe 5 all from any to 192.168.2.5
${fwcmd} add 506 pipe 6 all from 192.168.2.5 to any
# Centrul - c4
${fwcmd} pipe 7 config bw 256Kbit/s
${fwcmd} pipe 8 config bw 85Kbit/s
${fwcmd} add 507 pipe 7 all from any to 192.168.2.6
${fwcmd} add 508 pipe 8 all from 192.168.2.6 to any
# Centrul - c5
${fwcmd} pipe 9 config bw 256Kbit/s
${fwcmd} pipe 10 config bw 85Kbit/s
${fwcmd} add 509 pipe 9 all from any to 192.168.2.7
${fwcmd} add 510 pipe 10 all from 192.168.2.7 to any
# Centrul - c6
${fwcmd} pipe 11 config bw 256Kbit/s
${fwcmd} pipe 12 config bw 85Kbit/s
${fwcmd} add 511 pipe 11 all from any to 192.168.2.8
${fwcmd} add 512 pipe 12 all from 192.168.2.8 to any
# Centrul - c7
${fwcmd} pipe 13 config bw 256Kbit/s
${fwcmd} pipe 14 config bw 85Kbit/s
${fwcmd} add 513 pipe 13 all from any to 192.168.2.9
${fwcmd} add 514 pipe 14 all from 192.168.2.9 to any
# Centrul - c8
${fwcmd} pipe 15 config bw 3000Kbit/s
${fwcmd} pipe 16 config bw 1000Kbit/s
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any
# Centrul - c9
${fwcmd} pipe 17 config bw 256Kbit/s
${fwcmd} pipe 18 config bw 85Kbit/s
${fwcmd} add 517 pipe 17 all from any to 192.168.2.11
${fwcmd} add 518 pipe 18 all from 192.168.2.11 to any
And here's ifconfig:$ ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:e0:4c:4d:0d:68
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:1d:92:0b:ae:ef
inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
192.168.1.0/24 is the 'internet' (it's where our router is anyway which goes to the internet) and 192.168.2.0/24 is the internal network.
Any ideas as to why it is behaving this way?