I am trying to limit clients on the network to 256Kbit/s down and 85Kbit/s up for internet use. We use FreeBSD 7.0-p3 as our gateway.
The bandwidth limiting is working, but it's working too well. It's not only limiting clients' access to the internet, but also to the server itself! For example, when a client copies a file to/from the samba share on the FreeBSD gateway, he's still limited to 256Kbit/s / 85Kbit/s! We don't want this; we only want to limit their access on the other side of the FreeBSD gateway!
Here are the firewall rules:
Code:
$ cat /etc/firewall
#!/bin/sh -
#
# Setup system for ipfw(4) firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi

############
# Define the firewall type in /etc/rc.conf. Valid values are:
#   open    - allows anyone in; safety net
#   limiter - allows our clients and limits their bandwidth. should block all others
############

setup_loopback () {
    ############
    # Only in rare cases do you want to change these rules
    #
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

if [ -n "${1}" ]; then
    firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="/sbin/ipfw -q"
    ;;
*)
    fwcmd="/sbin/ipfw"
    ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

############
# Network Address Translation. All packets are passed to natd(8)
# before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
        fi
        ;;
    esac
    case ${firewall_nat_enable} in
    [Yy][Ee][Ss])
        if [ -n "${firewall_nat_interface}" ]; then
            ${fwcmd} nat 123 config if ${firewall_nat_interface} log
            ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
        fi
        ;;
    esac
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
    ${fwcmd} add 65000 pass all from any to any
    ;;
esac

############
# Bandwidth capping rules
case ${firewall_type} in
[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
    # Deny everyone who isn't on the list below
    ${fwcmd} add 65300 deny all from any to any

    # Allow everything via the LAN interface
    ${fwcmd} add 400 allow all from any to any via nfe0

    # Centrul - principal
    ${fwcmd} pipe 4001 config bw 3000Kbit/s
    ${fwcmd} pipe 4002 config bw 1000Kbit/s
    ${fwcmd} add 401 pipe 4001 all from any to 192.168.2.2
    ${fwcmd} add 402 pipe 4002 all from 192.168.2.2 to any

    # Centrul - c1
    ${fwcmd} pipe 1 config bw 256Kbit/s
    ${fwcmd} pipe 2 config bw 85Kbit/s
    ${fwcmd} add 501 pipe 1 all from any to 192.168.2.3
    ${fwcmd} add 502 pipe 2 all from 192.168.2.3 to any

    # Centrul - c2
    ${fwcmd} pipe 3 config bw 256Kbit/s
    ${fwcmd} pipe 4 config bw 85Kbit/s
    ${fwcmd} add 503 pipe 3 all from any to 192.168.2.4
    ${fwcmd} add 504 pipe 4 all from 192.168.2.4 to any

    # Centrul - c3
    ${fwcmd} pipe 5 config bw 256Kbit/s
    ${fwcmd} pipe 6 config bw 85Kbit/s
    ${fwcmd} add 505 pipe 5 all from any to 192.168.2.5
    ${fwcmd} add 506 pipe 6 all from 192.168.2.5 to any

    # Centrul - c4
    ${fwcmd} pipe 7 config bw 256Kbit/s
    ${fwcmd} pipe 8 config bw 85Kbit/s
    ${fwcmd} add 507 pipe 7 all from any to 192.168.2.6
    ${fwcmd} add 508 pipe 8 all from 192.168.2.6 to any

    # Centrul - c5
    ${fwcmd} pipe 9 config bw 256Kbit/s
    ${fwcmd} pipe 10 config bw 85Kbit/s
    ${fwcmd} add 509 pipe 9 all from any to 192.168.2.7
    ${fwcmd} add 510 pipe 10 all from 192.168.2.7 to any

    # Centrul - c6
    ${fwcmd} pipe 11 config bw 256Kbit/s
    ${fwcmd} pipe 12 config bw 85Kbit/s
    ${fwcmd} add 511 pipe 11 all from any to 192.168.2.8
    ${fwcmd} add 512 pipe 12 all from 192.168.2.8 to any

    # Centrul - c7
    ${fwcmd} pipe 13 config bw 256Kbit/s
    ${fwcmd} pipe 14 config bw 85Kbit/s
    ${fwcmd} add 513 pipe 13 all from any to 192.168.2.9
    ${fwcmd} add 514 pipe 14 all from 192.168.2.9 to any

    # Centrul - c8
    ${fwcmd} pipe 15 config bw 3000Kbit/s
    ${fwcmd} pipe 16 config bw 1000Kbit/s
    ${fwcmd} add 515 pipe 15 all from any to 192.168.2.10
    ${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any

    # Centrul - c9
    ${fwcmd} pipe 17 config bw 256Kbit/s
    ${fwcmd} pipe 18 config bw 85Kbit/s
    ${fwcmd} add 517 pipe 17 all from any to 192.168.2.11
    ${fwcmd} add 518 pipe 18 all from 192.168.2.11 to any
    ;;
esac
And here's ifconfig:
Code:
$ ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:e0:4c:4d:0d:68
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:1d:92:0b:ae:ef
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
192.168.1.0/24 is the 'internet' (it's where our router to the internet is, anyway) and 192.168.2.0/24 is the internal network.
Any ideas as to why it is behaving this way?
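To see which rule a given packet hits in the rule order posted above, here is a small first-match model of it (an added example, not code from the original post or from FreeBSD). It assumes the addresses and interface names from the post, leaves out the NAT rule 50 because it runs before all of these and does not touch LAN-to-gateway traffic, and adds two `allow ... me` rules as a candidate fix to compare against the posted set.

```python
# Added example (not from the original post or from FreeBSD): a minimal
# first-match model of the ipfw rules above. Only from/to/via/me are modelled;
# the NAT rule 50 is omitted, it runs first and does not touch LAN<->gateway
# traffic. Addresses and interface names are the post's.
from ipaddress import ip_address, ip_network

GATEWAY_ADDRS = {"192.168.2.1", "192.168.1.200"}  # what ipfw's 'me' covers here

def match_addr(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in GATEWAY_ADDRS
    return ip_address(addr) in ip_network(spec, strict=False)

def first_match(rules, pkt):
    """Return (number, action) of the first rule pkt hits, else the implicit
    65535 deny. rules: (number, action, src, dst, via-interface or None);
    pkt: {"src", "dst", "iface"} where iface is the interface crossed."""
    for num, action, src, dst, via in sorted(rules):
        if via is not None and via != pkt["iface"]:
            continue  # 'via X' matches only packets entering or leaving on X
        if match_addr(src, pkt["src"]) and match_addr(dst, pkt["dst"]):
            return num, action
    return 65535, "deny"

# The post's limiter rules for client c1 (192.168.2.3), loopback rules omitted.
POSTED = [
    (400, "allow", "any", "any", "nfe0"),
    (501, "pipe 1", "any", "192.168.2.3", None),
    (502, "pipe 2", "192.168.2.3", "any", None),
    (65300, "deny", "any", "any", None),
]
# Candidate fix: accept traffic to/from the gateway itself before any pipe rule
# can see it, so only traffic that crosses nfe0 is shaped.
FIXED = sorted(POSTED + [(350, "allow", "any", "me", None),
                         (351, "allow", "me", "any", None)])

# Constructed packets, not captures (internet ones as seen after rule 50's NAT):
# a samba upload from c1 arriving on rl0, the reply leaving on rl0, and the same
# client's traffic to and from the internet.
SAMBA_UP = {"src": "192.168.2.3", "dst": "192.168.2.1", "iface": "rl0"}
SAMBA_DOWN = {"src": "192.168.2.1", "dst": "192.168.2.3", "iface": "rl0"}
TO_INET = {"src": "192.168.2.3", "dst": "203.0.113.10", "iface": "rl0"}
FROM_INET = {"src": "203.0.113.10", "dst": "192.168.2.3", "iface": "nfe0"}

if __name__ == "__main__":
    for name, pkt in [("samba up", SAMBA_UP), ("samba down", SAMBA_DOWN),
                      ("to internet", TO_INET), ("from internet", FROM_INET)]:
        print(name, "posted:", first_match(POSTED, pkt), "fixed:", first_match(FIXED, pkt))
```

The trace shows why rule 400 never helps the samba case: packets between a client and 192.168.2.1 only ever cross rl0, so they fall straight through to the pipe rules. Rule 351 also lets the gateway's own outbound traffic bypass the pipes; if that is not wanted, use `192.168.2.1` in place of `me`.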