dummynet and NAT
Matej
matej.puntar at guest.arnes.si
Mon Nov 29 14:58:26 PST 2004
Hello,
Can you help me?
I would like to split upload and download bw dynamically and separately,
between 5 users (equally) and a server.
I need to reserve some bw e.g.: 128 Kbits download, 56 Kbits upload for
the server (10.0.0.1) that is also the
router and 5 users 10.0.0.2 - 10.0.0.6 and I also need to set priority
traffic: smtp, imap, pop3, skype, http, ftp, ...
in this order. I have 768 download, 128 upload.
I can't get it to work. I don't know where to put the pipe and queue
definitions.
I tried a lot of things but everything breaks NAT.
net.inet.ip.fw.one_pass: 1
These are my firewall rules at the moment:
################
#/etc/firewall.rules
################
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
ipfw -q -f flush
$cmd 002 allow all from any to any via rl1 # exclude Lan traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 135 $skip all from any to any out via $pif $ks
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Authorized inbound packets
# WWW
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
# SSH
$cmd 421 allow tcp from any to me 22 in via $pif setup limit src-addr 1
# SMTP mail
$cmd 422 allow tcp from any to me 25 in via $pif setup limit src-addr 1
# SSL IMAP
$cmd 423 allow tcp from any to me 993 in via $pif setup limit src-addr 1
# SSL POP3
$cmd 424 allow tcp from any to me 995 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################
If you find any bad ideas in my firewall rules please comment.
I already got tips for dynamically and equally splitting bw from Martes Wigglesworth
>Martes Wigglesworth wrote:
>The answer from all documentation that I have read, would be simply
>implement a single pipe 1 of bw xKbit/s and configure dynamic pipes that
>use the same pipe, hence splitting up the bandwidth dynamically. Since
>the queue is a copy of the first one, then all dynamic pipes have the
>same queue weight, and will then have an equal segment of the bandwidth
>of the pipe that they are attached to, in this case pipe 1.
>Example:
>
>ipfw add queue 1 log ip from any to ${internaldudes} in recv ${extif}
>ipfw queue 1 config pipe 1 mask dst-ip 0xffffffff
>ipfw pipe 1 config bw 256Kbit/s
>
>In the above example, any ip traffic coming into a natd box with
>interface ${extif} attached to the internet, and ${internaldudes} being
>those ips that are behind the gateway. Whenever a host connects to the
>box, and has traffic come to it from the internet, a dynamic queue will
>drain bandwidth for pipe 1. Due to this functionality, the pipe 1 bw
>will get divided between the pipes that are created. When there is no
>client, then the queue is deleted.
>
>If you have multiple subnets, like me, then and you want to specify the
>internal interfaces, then use the following, thanks to Nicolas, earlier
>today:
>${fwcmd_add} deny udp from 0.0.0.0 68 to 255.255.255.255 67 in \{ recv ${if_m} or recv ${if_g} \}
Thank you all
Matej
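The following is an added example, not the poster's script and not a reply from the list: a complete ipfw/dummynet/natd ruleset for the setup described above (rl0 towards the Internet, rl1 towards the LAN, the router is also the server 10.0.0.1, users 10.0.0.2-10.0.0.6, natd on its default divert port; all of these are assumptions taken from the post). It shows the two things that decide whether shaping "breaks NAT": where the queue rules sit relative to the divert rules, and the value of net.inet.ip.fw.one_pass. The weights are worked out so that the 128 Kbit/s download and 56 Kbit/s upload reservation for the server holds when everyone is busy. Run it with DRYRUN=1 to print the commands instead of loading them; it also only prints when no ipfw binary is present.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: rl0 faces the
# Internet, rl1 the LAN, the router is also the server (10.0.0.1), users are
# 10.0.0.2-10.0.0.6, natd listens on its default divert port.

pif=rl0          # Internet (NAT) interface
lif=rl1          # LAN interface
lan=10.0.0.0/24

# Print instead of execute when DRYRUN=1 or when ipfw is not installed.
dry() { [ "${DRYRUN:-0}" = 1 ] || ! command -v ipfw >/dev/null 2>&1; }
run() { if dry; then echo "$*"; else "$@"; fi; }

# Kbit/s a queue receives when every queue on its pipe is busy: WF2Q+ hands
# the pipe out in proportion to weight. share_kbit 768 10 60 gives 128,
# share_kbit 128 35 80 gives 56, the reservations asked for.
share_kbit() { echo $(( $1 * $2 / $3 )); }   # pipe_kbit my_weight sum_weights

dummynet_config() {
    # One pipe per direction, at the real link rate.
    run ipfw -q pipe 1 config bw 768Kbit/s                               # download
    run ipfw -q pipe 2 config bw 128Kbit/s                               # upload
    # Download: server and each user weigh the same, so with all six busy each
    # gets 768/6 = 128 Kbit/s; an idle party's share goes to the others.
    run ipfw -q queue 1 config pipe 1 weight 10                          # server
    run ipfw -q queue 2 config pipe 1 weight 10 mask dst-ip 0xffffffff   # one per user
    # Upload: 56 of 128 Kbit/s is 7/16, so server 35 against five users at 9
    # each (35/80 = 7/16).
    run ipfw -q queue 3 config pipe 2 weight 35                          # server
    run ipfw -q queue 4 config pipe 2 weight 9 mask src-ip 0xffffffff    # one per user
    # Service priority works the same way: a heavier queue for the class that
    # should win under contention (mail shown here; add more for http, ftp...).
    run ipfw -q queue 5 config pipe 1 weight 30 mask dst-ip 0xffffffff   # mail to users
}

firewall_rules() {
    # With one_pass=1 a queue rule is terminal: the packet is accepted when it
    # leaves dummynet, so a queue rule placed before a divert skips natd (and
    # the filter). With one_pass=0 the packet re-enters at the next rule, so
    # the rule after a queue rule must not be another queue rule it matches.
    run sysctl net.inet.ip.fw.one_pass=0
    run ipfw -q -f flush
    # Per-user shaping on the LAN side: addresses are private both before NAT
    # (in via rl1) and after NAT (out via rl1), so the masks split per host and
    # the divert rules on rl0 are never bypassed.
    run ipfw -q add 10 queue 5 tcp from any 25,110,143,993,995 to "$lan" out via "$lif"
    run ipfw -q add 11 allow tcp from any 25,110,143,993,995 to "$lan" out via "$lif"
    run ipfw -q add 12 queue 2 ip from any to "$lan" out via "$lif"
    run ipfw -q add 13 queue 4 ip from "$lan" to any in via "$lif"
    run ipfw -q add 20 allow ip from any to any via "$lif"
    run ipfw -q add 21 allow ip from any to any via lo0
    run ipfw -q add 100 divert natd ip from any to any in via "$pif"
    # Router's own downloads: after the inbound divert, because before it every
    # packet is addressed to "me" (the public address). The packet continues to
    # check-state and the inbound filter, so this is not an implicit allow.
    run ipfw -q add 110 queue 1 ip from any to me in via "$pif"
    # Router's own uploads: before the outbound divert, where user packets still
    # carry private sources, so "from me" matches only the router; and before
    # the skipto, which outbound packets never return from.
    run ipfw -q add 115 queue 3 ip from me to any out via "$pif"
    run ipfw -q add 120 check-state
    run ipfw -q add 130 skipto 500 ip from any to any out via "$pif" keep-state
    # Inbound filter: bogons and the published services, as in the post.
    run ipfw -q add 300 deny ip from 10.0.0.0/8 to any in via "$pif"
    run ipfw -q add 301 deny ip from 192.168.0.0/16 to any in via "$pif"
    run ipfw -q add 302 deny ip from 172.16.0.0/12 to any in via "$pif"
    run ipfw -q add 420 allow tcp from any to me 22,25,80,993,995 in via "$pif" setup limit src-addr 1
    run ipfw -q add 450 deny log ip from any to any
    run ipfw -q add 500 divert natd ip from any to any out via "$pif"
    run ipfw -q add 510 allow ip from any to any
}

dummynet_config
firewall_rules
```

Two caveats a practitioner should keep in mind. Weights are shares, not caps: the server can use the whole pipe while the users are idle, and the 128/56 Kbit/s figures are what it is guaranteed only when all six parties are saturating the link (adding the mail queue changes the arithmetic, since its weight joins the sum). And the security point is one_pass: with the default one_pass=1, a queue rule that sits before check-state or the inbound service rules would accept whatever it shapes, turning a shaping rule into a hole in the filter; with one_pass=0 the shaped packet still has to pass the rules that follow.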