Problem with count, fwd with ipfw
barry at unix.co.nz
Wed Jan 11 20:59:16 PST 2006
Further to my previous email, I've run iftop on the VLAN and noticed the
source address being correct and the remote address being correct (not the
trans-proxy IP), so traffic should be counting.
I believe in my count or pipe rules I probably require the 'in via vlan1';
however, it appears ipfw doesn't like VLANs as devices, as it stops counting
traffic altogether at this point.
I've tried adding:
ipfw add 1 count ip from 192.168.0.32/29 to any out via vlan1
ipfw add 1 count ip from any to 192.168.0.32/29 in via vlan1
I've also tried reversing the statements in case I had the in/out on the
wrong lines, and also tried xmit and recv instead, but it would appear nothing
counts when specifying VLANs as devices.
FreeBSD firewall.unix.co.nz 6.0-STABLE FreeBSD 6.0-STABLE #3: Thu Dec 8
20:24:30 NZDT 2005
icepick at firewall.unix.co.nz:/usr/obj/usr/src/sys/FIREWALL i386
Cheers
Barry
> Hi,
>
> I've got rules either counting traffic for subnet ranges to work out how
> much traffic they're using (obviously I'm using internal IPs in this
> example):
>
> # SMTP mail servers
> ipfw add 00076 count ip from any to 192.168.0.128/29 in
> ipfw add 00076 count ip from 192.168.0.128/29 to any out
>
> or in some cases pipes
>
> # Robs usage
> ipfw pipe 1 config bw 64KB
> ipfw pipe 2 config bw 64KB
> ipfw add 00086 pipe 1 ip from any to 192.168.0.33/28 in
> ipfw add 00086 pipe 2 ip from 192.168.0.33/28 to any out
>
> I'm wanting to add transparent proxy for all users subnets but still have
> the above rule tally the traffic so I added:
>
> # Trans-proxy
> ipfw add 31500 fwd 10.0.0.1,3128 tcp from 192.168.0.0/24 to any 80
>
> Download tests have proven that the trans-proxy takes preference and allows
> the user to download above their pipe rate, and also show that pipes 76
> & 86 don't count port 80 traffic, so I can't see how much they're downloading.
> I've tried using /sbin/sysctl net.inet.ip.fw.one_pass=0 but this didn't
> help. I've also tried setting rules 76 & 86 to "in via em1", which didn't
> count any traffic, so I tried the dummy "in via vlanX", which didn't count
> any traffic either.
>
> em0 is the interface connecting to my ISP and em1 is connected to a cisco
> 3500XL running vlans.
>
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=b<RXCSUM,TXCSUM,VLAN_MTU>
> inet6 fe80::206:5bff:fe0f:37ff%em0 prefixlen 64 scopeid 0x1
> inet 60.234.x.x netmask 0xfffffffc broadcast 60.234.x.x
> inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> ether 00:06:5b:0f:37:ff
> media: Ethernet 100baseTX <full-duplex>
> status: active
>
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=b<RXCSUM,TXCSUM,VLAN_MTU>
> inet6 fe80::206:5bff:fe0f:3800%em1 prefixlen 64 scopeid 0x2
> inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> ether 00:06:5b:0f:38:00
> media: Ethernet 1000baseTX <full-duplex>
> status: active
>
> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 192.168.0.34 netmask 0xfffffff0
> inet6 fe80::206:5bff:fe0f:37ff%vlan1 prefixlen 64 scopeid 0x5
> ether 00:06:5b:0f:38:00
> media: Ethernet 1000baseTX <full-duplex>
> status: active
> vlan: 11 parent interface: em1
>
> vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 192.168.0.129 netmask 0xfffffff0
> inet6 fe80::206:5bff:fe0f:37ff%vlan1 prefixlen 64 scopeid 0x5
> ether 00:06:5b:0f:38:00
> media: Ethernet 1000baseTX <full-duplex>
> status: active
> vlan: 12 parent interface: em1
>
> Any ideas would be much appreciated.
>
> Cheers
> Barry
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
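The following is an added example, not code from the thread or from FreeBSD. It is a small model of the ipfw rule walk for the ruleset quoted above, using only the semantics documented in ipfw(8): rules are tried in ascending rule-number order, 'count' updates its counters and keeps searching, 'pipe' ends the search unless net.inet.ip.fw.one_pass is 0 (the packet then resumes at the next rule), and 'fwd' ends the search. The packet directions are an assumption about how ipfw is invoked on FreeBSD: a packet arriving on an interface is seen 'in', a forwarded or locally generated packet leaving an interface is seen 'out', and a packet fwd'ed to a local address is consumed by the local socket and is never seen 'out'. The client and server addresses are constructed. Running it shows why rule 76 counts a routed HTTPS flow but nothing of a proxied HTTP flow, why pipe 86 never shapes the proxied download, and why one_pass=0 makes no difference to a flow that never hits a pipe:

```python
"""Model of the ipfw rule walk for the ruleset quoted in this thread.
Added example; models only the ipfw(8) semantics described in the lead-in."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(spec: str) -> ipaddress.IPv4Network:
    """'192.168.0.33/28' -> 192.168.0.32/28 (host bits masked off, as ipfw does)."""
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    num: int
    action: str                      # count | pipe | fwd
    proto: str                       # ip | tcp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str] = None  # in | out | None (either)
    dport: Optional[int] = None
    pkts: int = 0
    bytes: int = 0


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                   # in | out
    proto: str = "tcp"
    dport: int = 0
    length: int = 1500


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool = True) -> str:
    """Walk the ruleset for one packet and return the action that ended the search."""
    # sorted() is stable, so rules sharing a number keep their insertion order
    for rule in sorted(rules, key=lambda r: r.num):
        if not matches(rule, pkt):
            continue
        rule.pkts += 1
        rule.bytes += pkt.length
        if rule.action == "count":
            continue                          # count never ends the search
        if rule.action == "pipe" and not one_pass:
            continue                          # one_pass=0: reinjected at the next rule
        return f"{rule.action}@{rule.num}"    # pipe (one_pass=1) and fwd end the search
    return "default"


def posted_ruleset() -> List[Rule]:
    """Rules 76 (count), 86 (pipe) and 31500 (fwd) as quoted in the thread."""
    return [
        Rule(76, "count", "ip", net("any"), net("192.168.0.128/29"), "in"),
        Rule(76, "count", "ip", net("192.168.0.128/29"), net("any"), "out"),
        Rule(86, "pipe", "ip", net("any"), net("192.168.0.33/28"), "in"),
        Rule(86, "pipe", "ip", net("192.168.0.33/28"), net("any"), "out"),
        Rule(31500, "fwd", "tcp", net("192.168.0.0/24"), net("any"), None, 80),
    ]


def bytes_for(rules: List[Rule], num: int) -> int:
    return sum(r.bytes for r in rules if r.num == num)


def trace_flows(one_pass: bool = True) -> dict:
    """Routed HTTPS and proxied HTTP from a mail-server host (192.168.0.130), plus a
    proxied HTTP download from Rob's subnet (192.168.0.40). Addresses are constructed."""
    server = "203.0.113.10"
    rules = posted_ruleset()
    routed = [evaluate(rules, p, one_pass) for p in (
        Packet("192.168.0.130", server, "in", dport=443),    # arrives on vlan2
        Packet("192.168.0.130", server, "out", dport=443),   # leaves on em0
        Packet(server, "192.168.0.130", "in", length=4000),  # reply arrives on em0
        Packet(server, "192.168.0.130", "out", length=4000), # reply leaves on vlan2
    )]
    routed_bytes = bytes_for(rules, 76)

    rules = posted_ruleset()
    proxied = [evaluate(rules, p, one_pass) for p in (
        Packet("192.168.0.130", server, "in", dport=80),     # fwd'ed to the local proxy
        # the proxy's reply is locally generated, so ipfw only sees it 'out' on vlan2;
        # its source address is irrelevant here because rule 76 matches 'any'
        Packet(server, "192.168.0.130", "out", length=4000),
    )]
    proxied_bytes = bytes_for(rules, 76)

    rules = posted_ruleset()
    shaped = [evaluate(rules, p, one_pass) for p in (
        Packet("192.168.0.40", server, "in", dport=80),
        Packet(server, "192.168.0.40", "out", length=4000),
    )]
    return {"routed": routed, "routed_bytes": routed_bytes,
            "proxied": proxied, "proxied_bytes": proxied_bytes,
            "shaped": shaped, "pipe_bytes": bytes_for(rules, 86)}


if __name__ == "__main__":
    for op in (True, False):
        print(f"one_pass={int(op)}:", trace_flows(op))
```

In this model the forwarded packet never reaches rule 76's 'out' rule because it is delivered locally, and the proxy's reply never matches the 'in' rule because it is locally generated; the same mismatch keeps the download out of pipe 86. Since no pipe is ever hit by the proxied flow, toggling one_pass changes nothing, which is consistent with the sysctl not helping in the thread.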