RE: ALTQ on GIF Interface - how much trouble to implement?
Well, I'm not sure FAQ will help you because you probably already read it. But since you ask these things... :=) ...

I suppose you need to use traffic queueing on your internal (LAN) interfaces. http://www.openbsd.org/faq/pf/queueing.html has examples of doing that. Also, http://www.openbsd.org/faq/pf/tagging.html has examples of using tagging.

But the general idea is straightforward:

    pass in on $int_if to $central_office_net tag VPN keep state
    pass in on $int_if proto tcp to $central_office_net port { 80, 443 } tag VPN_HTTP keep state
    pass in on $int_if proto tcp to $central_office_net port { 3306, 1443 } tag VPN_DB keep state
    ...
    pass in on $int_if tagged VPN_HTTP keep state queue XXX
    pass in on $int_if tagged VPN_DB keep state queue YYY
    pass in on $int_if tagged VPN keep state queue XXX

I think limiting "out" traffic on internal interface is meaningless - I would limit it as "in" traffic on another VPN endpoint instead.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J. Buck Caldwell
Sent: Monday, May 01, 2006 6:33 AM
To: freebsd-pf@freebsd.org; freebsd-net@freebsd.org
Subject: ALTQ on GIF Interface - how much trouble to implement?

I'm in desperate need to do some traffic prioritization using pf and ALTQ over a GIF tunnel. I asked this question some time ago on freebsd-stable, and was told to use tags - but either I'm doing it wrong, or it just doesn't work (probably, I'm doing it wrong). Either way, supporting ALTQ over GIF would be a far preferable solution.

Here's the problem. I have a corporate office with a 4.5mb/sec connection, and several branches with 3m-down/768k-up cable connections. Each endpoint has a FreeBSD 5.4 or 6.x (migrating all to 6.x) box providing NAT, DNS, DHCP etc - and connecting to the other endpoints via GIF tunnels, encrypted point-to-point with IPSec.

While prioritizing the actual tunnel traffic (via "pass out quick on $ext_if queue(gif_out, pri_out) proto { ipencap, esp } all keep state") does actually send the GIF/IPSEC traffic out at a higher priority, what I need to do is to actually prioritize the traffic inside the tunnel. For example - the tunnel carries between the branches and the corporate office, such as Lotus Notes, telnet/ssh sessions, and database queries. What I need to do is prioritize the traffic so that, say, Notes traffic goes out before Web traffic, but the database traffic is highest priority (just under empty ACKs and such).

Currently, ALTQ support is not available in the GIF interface driver. How difficult would it be to implement? I've done a little reading of the man pages and source code, and while I am a decent Windows programmer (C, not visual basic, get that look off your face), I've never done any coding for FreeBSD, and wouldn't know quite where to start. If this is something that can be done relatively easily, I would be willing to test, and possibly to help code, but I'll need pointers. Otherwise, I'd love to get some help on figuring out how tagging works so I can get it operating correctly.

___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Current problem reports assigned to you
Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted     Tracker      Resp.  Description
---
o  [2006/01/30]  kern/92552   net    A serious bug in most network drivers fro
f  [2006/02/12]  kern/93220   net    [inet6] nd6_lookup: failed to add route f

2 problems total.

Non-critical problems

S  Submitted     Tracker      Resp.  Description
---
o  [2003/07/11]  kern/54383   net    [nfs] [patch] NFS root configurations wit
o  [2006/04/03]  kern/95267   net    packet drops periodically appear

2 problems total.
haiku bounties for usb stack
Haiku Bounties: www.haikubounties.org Is looking for developers to take up their code bounties for a usb stack. Please drop by the site and apply if interested!
Having a problem with getting ipfw fwd to work with vlans and bge - 6.1-RC1 amd64
Hello,

I have setup a new firewall and I'm having trouble with it. Perhaps the bge is to blame, perhaps it's something else. I'll explain my setup, problem and the workaround to get it going.

Box connects to 2 Internal Lans and 2 External Wans. Vlans are mixed untagged and tagged on a single bge0

Vlan  Network             Desc
1     10.255.1.0/24       Admin Lan - No Vlan Tagging
2     10.255.2.0/24       VoIP Lan
900   67.xxx.xxx.128/27   Internet A - Default Route - Going to be pure VoIP only - thus 10.255.2 boxes get 1:1 NAT to 67.xxx.xxx
902   208.xxx.xxx.48/28   Internet B - Web Services

1st problem I ran into was pings from vlan 2 through natd to vlan 900 were not coming back. I could see the packet enter vlan2 - leave and return on vlan900 - but go nowhere. I tried a tcpdump on bge0 and the pings started coming back. Leading me to putting promisc on my ifconfig bge0

Now I'm trying to setup up a simple web server on an IP from vlan 902 in combination with fwd rule # 999 to route packets from a vlan902 address back to the router on that internet connection. I try to ping from the outside and can see the icmp echo request. But the replies keep getting sent out vlan900 to the other internet router.

Hopefully somebody can point me in the right direction. If it's the bge, then I can replace it with some em. If it's an issue with mixing native vlan and tagged, I can tag everything. If it's not me, then who can help getting the code fixed?

I have put my ifconfig, ipfw rules and natd.conf's below.

Thanks
-Jon

[EMAIL PROTECTED] ~]# ifconfig -a
bge0: flags=28943 mtu 1500
        options=18
        inet6 fe80::215:f2ff:fed0:d898%bge0 prefixlen 64 scopeid 0x1
        inet 10.255.1.254 netmask 0xff00 broadcast 10.255.1.255
        ether 00:15:f2:d0:d8:98
        media: Ethernet autoselect (100baseTX )
        status: active
bge1: flags=8802 mtu 1500
        options=1b
        ether 00:15:f2:40:d8:35
        media: Ethernet autoselect (none)
        status: no carrier
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
vlan2: flags=8843 mtu 1500
        inet6 fe80::215:f2ff:fed0:d898%vlan2 prefixlen 64 scopeid 0x5
        inet 10.255.2.1 netmask 0xff00 broadcast 10.255.2.255
        ether 00:15:f2:d0:d8:98
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 2 parent interface: bge0
vlan900: flags=8843 mtu 1500
        inet6 fe80::215:f2ff:fed0:d898%vlan900 prefixlen 64 scopeid 0x6
        inet 67.xxx.xxx.158 netmask 0xffe0 broadcast 67.xxx.xxx.159
        inet 67.xxx.xxx.130 netmask 0x broadcast 67.xxx.xxx.130
        inet 67.xxx.xxx.131 netmask 0x broadcast 67.xxx.xxx.131
        inet 67.xxx.xxx.132 netmask 0x broadcast 67.xxx.xxx.132
        inet 67.xxx.xxx.133 netmask 0x broadcast 67.xxx.xxx.133
        inet 67.xxx.xxx.134 netmask 0x broadcast 67.xxx.xxx.134
        inet 67.xxx.xxx.135 netmask 0x broadcast 67.xxx.xxx.135
        inet 67.xxx.xxx.136 netmask 0x broadcast 67.xxx.xxx.136
        inet 67.xxx.xxx.137 netmask 0x broadcast 67.xxx.xxx.137
        inet 67.xxx.xxx.138 netmask 0x broadcast 67.xxx.xxx.138
        inet 67.xxx.xxx.139 netmask 0x broadcast 67.xxx.xxx.139
        inet 67.xxx.xxx.140 netmask 0x broadcast 67.xxx.xxx.140
        inet 67.xxx.xxx.141 netmask 0x broadcast 67.xxx.xxx.141
        inet 67.xxx.xxx.142 netmask 0x broadcast 67.xxx.xxx.142
        inet 67.xxx.xxx.143 netmask 0x broadcast 67.xxx.xxx.143
        inet 67.xxx.xxx.144 netmask 0x broadcast 67.xxx.xxx.144
        inet 67.xxx.xxx.145 netmask 0x broadcast 67.xxx.xxx.145
        inet 67.xxx.xxx.146 netmask 0x broadcast 67.xxx.xxx.146
        inet 67.xxx.xxx.147 netmask 0x broadcast 67.xxx.xxx.147
        inet 67.xxx.xxx.148 netmask 0x broadcast 67.xxx.xxx.148
        inet 67.xxx.xxx.149 netmask 0x broadcast 67.xxx.xxx.149
        inet 67.xxx.xxx.150 netmask 0x broadcast 67.xxx.xxx.150
        inet 67.xxx.xxx.151 netmask 0x broadcast 67.xxx.xxx.151
        inet 67.xxx.xxx.152 netmask 0x broadcast 67.xxx.xxx.152
        inet 67.xxx.xxx.153 netmask 0x broadcast 67.xxx.xxx.153
        inet 67.xxx.xxx.154 netmask 0x broadcast 67.xxx.xxx.154
        inet 67.xxx.xxx.155 netmask 0x broadcast 67.xxx.xxx.155
        inet 67.xxx.xxx.156 netmask 0x broadcast 67.xxx.xxx.156
        inet 67.xxx.xxx.157 netmask 0x broadcast 67.xxx.xxx.157
        ether 00:15:f2:d0:d8:98
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 900 parent interface: bge0
vlan902: flags=8843 mtu 1500
        inet6 fe80::215:f2ff:fed0:d898%vlan902 prefixlen 64 scopeid 0x7
        inet 208.xxx.xxx.48 netmask 0xff00
Re: Packet loss with traffic shaper and routing
Hello!

Erich Dollansky wrote:
> Hi,
> [EMAIL PROTECTED] wrote:
>> At this moment, I'm getting more than 50% interrupts and 20% packets lost.
> you must have something very basic done the wrong way.

Hope so. So I can fix and learn from it!

> I would suggest to upgrade that box to 6.1.

We tried 6.0-RELEASE. Please, keep reading...

> You need then a systematic approach. Run the GENERIC kernel and see what happens there.

Ok, 15% interrupts. System worked fine.

> Then take all out you believe you do not need and see what happens then. Finally, switch to SMP and start the fine tuning.

Kernel recompiled with SMP+IPFW+DUMMYNET and system running with firewall_type="OPEN". Low interrupts, great. As I inserted the bandwidth rules, the problem arose again! Interrupts getting at 80% and packets being lost.

> Do not use HT as it should slow down the machine.

I switched it off but didn't notice any major difference. Anyway I left it disabled.

> If even the first step fails, check the connections including the network card if it is one.
> Erich

I guess we found where the problem is. IPFW and dummynet seems to be the ones to blame here, or the way we are using them. For each MAC address we want to shape, we use 2 pipes and 2 rules, 1 for download and 1 for upload. I believe the problem is that the number of clients (MAC addresses) grew from 200 to around 1600, and this means lots of pipes and lots of rules. Anyone knows a better way to get this job done?

Thanks!
Re: Packet loss with traffic shaper and routing
Ferdinand Goldmann wrote:
> [EMAIL PROTECTED] wrote:
>> Hello. I did that and compiled the kernel. Then I restarted the system and enabled sysctl kern.polling.enable=1 It seems that it has no effect in the system.
> Maybe bge driver doesn't like polling? At least from a quick glance in the polling(4) manpage I cannot see that bge is among the supported devices.

You're right. I read that too but I found something in Google (http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2003-08/0241.html) and wanted to give it a shot.

> If you want to use polling, I suppose that you need to enable it via ifconfig, too:
>
>     polling  If the driver has user-configurable polling(4) support, select the polling mode on the interface.

It seems to be default when you enable polling, then you can switch it off and on with -polling and polling via ifconfig.

>> At this moment, I'm getting more than 50% interrupts and 20% packets lost. I also disabled HT in BIOS and the interrupts are now passing 80% mark. Don't know what else to do. Aren't these cards supposed to work at 100Mbits or 1Gbit? They are failing with 12Mbits traffic on a 100Mbits LAN. Something is wrong and I am having a hard time trying to identify the problem. Thanks for the hints, anything else would be greatly appreciated.
> Several wild guesses from my own experiences here:
> - SMP + networking in 5.x does not work too well, using em(4) I experienced VERY poor performance (only ~5MB/s over a Gbit link)
> - Try upgrading to 6.x (as others have already suggested). I experienced all kind of weird problems with 5.x, and although there is no proof that the problems were actually related to 5.x, 6.x seems to work better.

We did. Now we're running 6.0-RELEASE.

> - What's the value of nmbclusters? Have you checked netstat -m? Do you see memory requests for network memory denied?

AFAIK, nmbclusters aren't informed properly on SMP systems. Memory requests are always 0.

> - 50% interrupts on such a fast machine is quite high. I currently experience about 30% interrupt load using two em(4) cards, shaping for about ~2000 clients on a 3.8GHz Xeon.

Please, take a look in my previous post. I guess the problem lies with IPFW and dummynet. How do you shape your clients?

Here we have (for each client):

    ipfw pipe 1 config bw 512Kbit/s
    ipfw pipe 2 config bw 512Kbit/s
    ipfw add pipe 1 ip from any to any mac any 00:11:22:33:44:55 in
    ipfw add pipe 2 ip from any to any mac 00:11:22:33:44:55 any out

> Kind regards

Thank you.
Re: Packet loss with traffic shaper and routing
[EMAIL PROTECTED] wrote:
> Hello!
> Erich Dollansky wrote:
>> Hi,
>> [EMAIL PROTECTED] wrote:
>>> At this moment, I'm getting more than 50% interrupts and 20% packets lost.
>> you must have something very basic done the wrong way.
> Hope so. So I can fix and learn from it!
>> I would suggest to upgrade that box to 6.1.
> We tried 6.0-RELEASE. Please, keep reading...
>> You need then a systematic approach. Run the GENERIC kernel and see what happens there.
> Ok, 15% interrupts. System worked fine.
>> Then take all out you believe you do not need and see what happens then. Finally, switch to SMP and start the fine tuning.
> Kernel recompiled with SMP+IPFW+DUMMYNET and system running with firewall_type="OPEN". Low interrupts, great. As I inserted the bandwidth rules, the problem arose again! Interrupts getting at 80% and packets being lost.
>> Do not use HT as it should slow down the machine.
> I switched it off but didn't notice any major difference. Anyway I left it disabled.
>> If even the first step fails, check the connections including the network card if it is one.
>> Erich
> I guess we found where the problem is. IPFW and dummynet seems to be the ones to blame here, or the way we are using them. For each MAC address we want to shape, we use 2 pipes and 2 rules, 1 for download and 1 for upload. I believe the problem is that the number of clients (MAC addresses) grew from 200 to around 1600, and this means lots of pipes and lots of rules. Anyone knows a better way to get this job done?

for 1600 hosts are you running 1600 rules?

That would do it.. In all versions of FreeBSD you can use the skipto rule to make sure that only a few rules are run for any address. Use it to do a binary search for the right pipe. carefully using 'skipto' and 'table' can make it efficient to do very complex filters like that.

in 7.0 you can use the 'tablearg' operator to ensure that only 1 rule is run per host. I don't know if it is in 6.1.. if not you may be able to simply apply the diffs.

> Thanks!
Re: Packet loss with traffic shaper and routing
Julian Elischer wrote:
> [EMAIL PROTECTED] wrote:
>> Hello!
>> Erich Dollansky wrote:
>>> Hi,
>>> [EMAIL PROTECTED] wrote:
>>>> At this moment, I'm getting more than 50% interrupts and 20% packets lost.
>>> you must have something very basic done the wrong way.
>> Hope so. So I can fix and learn from it!
>>> I would suggest to upgrade that box to 6.1.
>> We tried 6.0-RELEASE. Please, keep reading...
>>> You need then a systematic approach. Run the GENERIC kernel and see what happens there.
>> Ok, 15% interrupts. System worked fine.
>>> Then take all out you believe you do not need and see what happens then. Finally, switch to SMP and start the fine tuning.
>> Kernel recompiled with SMP+IPFW+DUMMYNET and system running with firewall_type="OPEN". Low interrupts, great. As I inserted the bandwidth rules, the problem arose again! Interrupts getting at 80% and packets being lost.
>>> Do not use HT as it should slow down the machine.
>> I switched it off but didn't notice any major difference. Anyway I left it disabled.
>>> If even the first step fails, check the connections including the network card if it is one.
>>> Erich
>> I guess we found where the problem is. IPFW and dummynet seems to be the ones to blame here, or the way we are using them. For each MAC address we want to shape, we use 2 pipes and 2 rules, 1 for download and 1 for upload. I believe the problem is that the number of clients (MAC addresses) grew from 200 to around 1600, and this means lots of pipes and lots of rules. Anyone knows a better way to get this job done?
> for 1600 hosts are you running 1600 rules?

No. For 1600 hosts we're running 3200 rules... (and also 3200 pipes).

> That would do it.. In all versions of FreeBSD you can use the skipto rule to make sure that only a few rules are run for any address. Use it to do a binary search for the right pipe. carefully using 'skipto' and 'table' can make it efficient to do very complex filters like that.

Sorry, but I didn't realize how to use that as we have to shape each user individually, i.e., each MAC address on the LAN has its own download and upload speeds. Could you clarify how to improve the situation with the tools you mentioned?

Thanks.

> in 7.0 you can use the 'tablearg' operator to ensure that only 1 rule is run per host. I don't know if it is in 6.1.. if not you may be able to simply apply the diffs.
>> Thanks!
Re: Packet loss with traffic shaper and routing
[EMAIL PROTECTED] wrote:
> Julian Elischer wrote:
>> [EMAIL PROTECTED] wrote:
>>> Hello!
>>> Erich Dollansky wrote:
>>>> Hi,
>>>> [EMAIL PROTECTED] wrote:
>>>>> At this moment, I'm getting more than 50% interrupts and 20% packets lost.
>>>> you must have something very basic done the wrong way.
>>> Hope so. So I can fix and learn from it!
>>>> I would suggest to upgrade that box to 6.1.
>>> We tried 6.0-RELEASE. Please, keep reading...
>>>> You need then a systematic approach. Run the GENERIC kernel and see what happens there.
>>> Ok, 15% interrupts. System worked fine.
>>>> Then take all out you believe you do not need and see what happens then. Finally, switch to SMP and start the fine tuning.
>>> Kernel recompiled with SMP+IPFW+DUMMYNET and system running with firewall_type="OPEN". Low interrupts, great. As I inserted the bandwidth rules, the problem arose again! Interrupts getting at 80% and packets being lost.
>>>> Do not use HT as it should slow down the machine.
>>> I switched it off but didn't notice any major difference. Anyway I left it disabled.
>>>> If even the first step fails, check the connections including the network card if it is one.
>>>> Erich
>>> I guess we found where the problem is. IPFW and dummynet seems to be the ones to blame here, or the way we are using them. For each MAC address we want to shape, we use 2 pipes and 2 rules, 1 for download and 1 for upload. I believe the problem is that the number of clients (MAC addresses) grew from 200 to around 1600, and this means lots of pipes and lots of rules. Anyone knows a better way to get this job done?
>> for 1600 hosts are you running 1600 rules?
> No. For 1600 hosts we're running 3200 rules... (and also 3200 pipes).
>> That would do it.. In all versions of FreeBSD you can use the skipto rule to make sure that only a few rules are run for any address. Use it to do a binary search for the right pipe. carefully using 'skipto' and 'table' can make it efficient to do very complex filters like that.
> Sorry, but I didn't realize how to use that as we have to shape each user individually, i.e., each MAC address on the LAN has its own download and upload speeds. Could you clarify how to improve the situation with the tools you mentioned?

Assuming you can not use "tablearg" yet (it will make this REALLY EASY) then if you have 30 IPs you want to shape from 1.1.1.1 to 1.1.1.30 then consider:

    ipfw add 1000 skipto 2000 ip from any to 1.1.1.16/28
    ipfw add 1010 skipto 1020 ip from any to 1.1.1.8/29
    ipfw add 1012 skipto 1026 ip from any to 1.1.1.4/30
    ipfw add 1013 [anything] ip from any to 1.1.1.1
    ipfw add 1013 [anything] ip from any to 1.1.1.1
    ipfw add 1013 [anything] ip from any to 1.1.1.1
    ipfw add 1013 [anything] ip from any to 1.1.1.1

> Thanks.
>> in 7.0 you can use the 'tablearg' operator to ensure that only 1 rule is run per host. I don't know if it is in 6.1.. if not you may be able to simply apply the diffs.
>>> Thanks!
Re: Packet loss with traffic shaper and routing
Julian Elischer wrote:
> [EMAIL PROTECTED] wrote:
>> Julian Elischer wrote:

oops sent too early
will resend with full example of binary triage,

>> Could you clarify how to improve the situation with the tools you mentioned?
> Assuming you can not use "tablearg" yet (it will make this REALLY EASY) then if you have 30 IPs you want to shape from 1.1.1.1 to 1.1.1.30 then consider:
>
>     ipfw add 1000 skipto 2000 ip from any to 1.1.1.16/28
>     ipfw add 1010 skipto 1020 ip from any to 1.1.1.8/29
>     ipfw add 1012 skipto 1026 ip from any to 1.1.1.4/30
>     ipfw add 1013 [anything] ip from any to 1.1.1.1
>     ipfw add 1013 [anything] ip from any to 1.1.1.1
>     ipfw add 1013 [anything] ip from any to 1.1.1.1
>     ipfw add 1013 [anything] ip from any to 1.1.1.1
Re: Packet loss with traffic shaper and routing
Julian Elischer wrote:
> [EMAIL PROTECTED] wrote:
>>> That would do it.. In all versions of FreeBSD you can use the skipto rule to make sure that only a few rules are run for any address. Use it to do a binary search for the right pipe. carefully using 'skipto' and 'table' can make it efficient to do very complex filters like that.
>> Sorry, but I didn't realize how to use that as we have to shape each user individually, i.e., each MAC address on the LAN has its own download and upload speeds. Could you clarify how to improve the situation with the tools you mentioned?

Assuming you can not use "tablearg" yet (it will make this REALLY EASY) then if you have 30 IPs you want to shape from 1.1.1.1 to 1.1.1.30 then, consider the following example using IP addresses.

    ipfw add 1000 skipto 2000 ip from any to 1.1.1.16/28
    ipfw add 1010 skipto 1020 ip from any to 1.1.1.8/29
    ipfw add 1012 skipto 1016 ip from any to 1.1.1.4/30
    ipfw add 1013 [anything] ip from any to 1.1.1.1
    ipfw add 1014 [anything] ip from any to 1.1.1.2
    ipfw add 1015 [anything] ip from any to 1.1.1.3
    ipfw add 1021 [anything] ip from any to 1.1.1.4
    ipfw add 1022 [anything] ip from any to 1.1.1.5
    ipfw add 1023 [anything] ip from any to 1.1.1.6
    ipfw add 1024 [anything] ip from any to 1.1.1.7
    ipfw add 1032 skipto 1051 ip from any to 1.1.1.12/30
    ipfw add 1040 [anything] ip from any to 1.1.1.8
    ipfw add 1041 [anything] ip from any to 1.1.1.9
    ipfw add 1042 [anything] ip from any to 1.1.1.10
    ipfw add 1043 [anything] ip from any to 1.1.1.11
    ipfw add 1051 [anything] ip from any to 1.1.1.12
    ipfw add 1052 [anything] ip from any to 1.1.1.13
    ipfw add 1053 [anything] ip from any to 1.1.1.14
    ipfw add 1054 [anything] ip from any to 1.1.1.15
    ipfw add 1110 skipto 1132 ip from any to 1.1.1.24/29
    ipfw add 1112 skipto 1121 ip from any to 1.1.1.20/30
    ipfw add 1113 [anything] ip from any to 1.1.1.1
    ipfw add 1114 [anything] ip from any to 1.1.1.2
    ipfw add 1115 [anything] ip from any to 1.1.1.3
    ipfw add 1121 [anything] ip from any to 1.1.1.4
    ipfw add 1122 [anything] ip from any to 1.1.1.5
    ipfw add 1123 [anything] ip from any to 1.1.1.6
    ipfw add 1124 [anything] ip from any to 1.1.1.7
    ipfw add 1132 skipto 1151 ip from any to 1.1.1.28/30
    ipfw add 1140 [anything] ip from any to 1.1.1.8
    ipfw add 1141 [anything] ip from any to 1.1.1.9
    ipfw add 1142 [anything] ip from any to 1.1.1.10
    ipfw add 1143 [anything] ip from any to 1.1.1.11
    ipfw add 1151 [anything] ip from any to 1.1.1.12
    ipfw add 1152 [anything] ip from any to 1.1.1.13
    ipfw add 1153 [anything] ip from any to 1.1.1.14
    ipfw add 1154 [anything] ip from any to 1.1.1.15

now this example shows a binary search in IP space, written (including bugs) by hand but if you are willing to write a suitable perl script, you can generate a binary search in MAC address space just as easily. just sort them into order and search..

I'm not going to try it by hand, but for 1600 hosts you should only need to go through 15 rules per host on average, instead of 1600 rules per host. that should cut down your ipfw cpu usage by 1/100
Re: Packet loss with traffic shaper and routing
oops, forgot to fix my cut-n-pastes.. corrected triage below..

Julian Elischer wrote:
> Julian Elischer wrote:
>> [EMAIL PROTECTED] wrote:
>>>> That would do it.. In all versions of FreeBSD you can use the skipto rule to make sure that only a few rules are run for any address. Use it to do a binary search for the right pipe. carefully using 'skipto' and 'table' can make it efficient to do very complex filters like that.
>>> Sorry, but I didn't realize how to use that as we have to shape each user individually, i.e., each MAC address on the LAN has its own download and upload speeds. Could you clarify how to improve the situation with the tools you mentioned?

Assuming you can not use "tablearg" yet (it will make this REALLY EASY) then if you have 30 IPs you want to shape from 1.1.1.1 to 1.1.1.30 then, consider the following example using IP addresses.

    ipfw add 1000 skipto 1110 ip from any to 1.1.1.16/28
    ipfw add 1010 skipto 1032 ip from any to 1.1.1.8/29
    ipfw add 1012 skipto 1021 ip from any to 1.1.1.4/30
    ipfw add 1013 [anything] ip from any to 1.1.1.0
    ipfw add 1014 [anything] ip from any to 1.1.1.1
    ipfw add 1015 [anything] ip from any to 1.1.1.2
    ipfw add 1016 [anything] ip from any to 1.1.1.3
    ipfw add 1021 [anything] ip from any to 1.1.1.4
    ipfw add 1022 [anything] ip from any to 1.1.1.5
    ipfw add 1023 [anything] ip from any to 1.1.1.6
    ipfw add 1024 [anything] ip from any to 1.1.1.7
    ipfw add 1032 skipto 1051 ip from any to 1.1.1.12/30
    ipfw add 1040 [anything] ip from any to 1.1.1.8
    ipfw add 1041 [anything] ip from any to 1.1.1.9
    ipfw add 1042 [anything] ip from any to 1.1.1.10
    ipfw add 1043 [anything] ip from any to 1.1.1.11
    ipfw add 1051 [anything] ip from any to 1.1.1.12
    ipfw add 1052 [anything] ip from any to 1.1.1.13
    ipfw add 1053 [anything] ip from any to 1.1.1.14
    ipfw add 1054 [anything] ip from any to 1.1.1.15
    ipfw add 1110 skipto 1132 ip from any to 1.1.1.24/29
    ipfw add 1112 skipto 1121 ip from any to 1.1.1.20/30
    ipfw add 1113 [anything] ip from any to 1.1.1.16
    ipfw add 1114 [anything] ip from any to 1.1.1.17
    ipfw add 1115 [anything] ip from any to 1.1.1.18
    ipfw add 1116 [anything] ip from any to 1.1.1.19
    ipfw add 1121 [anything] ip from any to 1.1.1.20
    ipfw add 1122 [anything] ip from any to 1.1.1.21
    ipfw add 1123 [anything] ip from any to 1.1.1.22
    ipfw add 1124 [anything] ip from any to 1.1.1.23
    ipfw add 1132 skipto 1151 ip from any to 1.1.1.28/30
    ipfw add 1140 [anything] ip from any to 1.1.1.24
    ipfw add 1141 [anything] ip from any to 1.1.1.25
    ipfw add 1142 [anything] ip from any to 1.1.1.26
    ipfw add 1143 [anything] ip from any to 1.1.1.27
    ipfw add 1151 [anything] ip from any to 1.1.1.28
    ipfw add 1152 [anything] ip from any to 1.1.1.29
    ipfw add 1153 [anything] ip from any to 1.1.1.30
    ipfw add 1154 [anything] ip from any to 1.1.1.31

now this example shows a binary search in IP space, written (including bugs) by hand but if you are willing to write a suitable perl script, you can generate a binary search in MAC address space just as easily. just sort them into order and search..

I'm not going to try it by hand, but for 1600 hosts you should only need to go through 15 rules per host on average, instead of 1600 rules per host. that should cut down your ipfw cpu usage by 1/100
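The skipto tree from the message above, generated mechanically and checked by a small rule-walk simulation. This is an added example, not code from the thread or from the ipfw project; it is written in Python rather than the Perl suggested, searches destination IP space as the hand-written example does, and all function names, the 10.0.0.0/21 client range and the pipe numbering are constructed for illustration.

```python
import ipaddress

# Assumed ipfw semantics (see ipfw(8)): "skipto N" resumes at the first rule
# numbered N or higher, and a matching "pipe" rule ends the search when
# net.inet.ip.fw.one_pass is left at its default of 1.


def build_tree(network, host_pipes, leaf_size=4):
    """Return an ordered list of [action, arg, match] entries.

    ["skipto", target_index, net]   jump when dst is inside net (None = any)
    ["pipe",   pipe_number,  addr]  shape and stop when dst == addr
    target_index is a list position; render() turns it into a rule number.
    """
    rules, leaf_exits = [], []

    def emit(net, members):
        if not members:
            return                          # nobody to shape here: no rules
        if net.num_addresses <= leaf_size:
            for addr in sorted(members):    # short linear scan inside a leaf
                rules.append(["pipe", host_pipes[addr], addr])
            leaf_exits.append(len(rules))   # unmatched traffic leaves the tree
            rules.append(["skipto", None, None])
            return
        lower, upper = net.subnets(prefixlen_diff=1)
        lo = [a for a in members if a in lower]
        hi = [a for a in members if a in upper]
        if lo and hi:
            node = len(rules)
            rules.append(["skipto", None, upper])
            emit(lower, lo)
            rules[node][1] = len(rules)     # upper half starts right here
            emit(upper, hi)
        else:                               # one half is empty: no test needed
            emit(lower, lo)
            emit(upper, hi)

    emit(network, [a for a in host_pipes if a in network])
    for i in leaf_exits:
        rules[i][1] = len(rules)            # first number after the tree
    return rules


def render(rules, start=1000):
    """Turn the abstract rules into ipfw command lines."""
    if start + len(rules) > 65534:
        raise ValueError("rule numbers would exceed the ipfw range")
    lines = []
    for i, (action, arg, match) in enumerate(rules):
        verb = f"skipto {start + arg}" if action == "skipto" else f"pipe {arg}"
        lines.append(f"ipfw add {start + i} {verb} ip from any to {match or 'any'}")
    return lines


def lookup(rules, dst):
    """Walk the rules as ipfw would; return (pipe or None, rules examined)."""
    i = examined = 0
    while i < len(rules):
        action, arg, match = rules[i]
        examined += 1
        if action == "pipe":
            if dst == match:
                return arg, examined
            i += 1
        elif match is None or dst in match:
            i = arg
        else:
            i += 1
    return None, examined


def sample_clients(count=1600, network="10.0.0.0/21"):
    """Constructed sample data: `count` clients, one pipe number each."""
    net = ipaddress.ip_network(network)
    hosts = list(net.hosts())[:count]
    return net, {addr: n for n, addr in enumerate(hosts, start=1)}


if __name__ == "__main__":
    net, pipes = sample_clients()
    rules = build_tree(net, pipes)
    costs = [lookup(rules, a)[1] for a in pipes]
    print(f"{len(rules)} rules, worst case {max(costs)} examined, "
          f"average {sum(costs) / len(costs):.1f}")
    print("\n".join(render(rules)[:8]))
```

The pipes themselves still have to be configured separately, for example with `ipfw pipe N config bw ...` as in the per-client rules quoted earlier in the thread.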
Re: Packet loss with traffic shaper and routing
On 2006-05-01T22:12:00-0300, [EMAIL PROTECTED] wrote:
> Please, take a look in my previous post.
> I guess the problem lies with IPFW and dummynet.
> How do you shape your clients?
>
> Here we have (for each client):
>
> ipfw pipe 1 config bw 512Kbit/s
> ipfw pipe 2 config bw 512Kbit/s
> ipfw add pipe 1 ip from any to any mac any 00:11:22:33:44:55 in
> ipfw add pipe 2 ip from any to any mac 00:11:22:33:44:55 any out

I am no ipfw or dummynet expert, but I read some of your other posts and noticed that you are using 3200 rules and 3200 pipes, and are matching the mac address. Do you have to match the mac, or can you do this by IP address?

According to the IPFW man page, if you specify a mask with your pipe configuration, you can match on every bit which would dynamically create the pipes based on the size of the parent pipe. I think it would be something like...

    ipfw pipe 1 config bw 512kbit/s mask src-ip 0x
    ipfw pipe 2 config bw 512kbit/s mask dst-ip 0x
    ipfw add pipe 1 ip from any to any in
    ipfw add pipe 2 ip from any to any out

Like I said, I am no expert, but figured I would spew this to the list anyway.

--
Mike Oliver, KI4OFU
[see complete headers for contact information]