

Re: Problem with count, fwd with ipfw



Further to my previous email, I've run iftop on the vlan and noticed the
source address being correct and the remote address being correct (not the
trans-proxy IP), so traffic should be counting.

I believe in my count or pipe rules I probably require the 'in via vlan1';
however, it appears ipfw doesn't like vlans as devices, as it stops counting
traffic altogether at this point.

I've tried adding:
ipfw add 1 count ip from 192.168.0.32/29 to any out via vlan1
ipfw add 1 count ip from any to 192.168.0.32/29 in via vlan1

I've also tried reversing the statements in case I had the in/out on the
wrong lines, and also tried xmit and recv instead, but it would appear nothing
counts when specifying vlans as devices.

FreeBSD firewall.unix.co.nz 6.0-STABLE FreeBSD 6.0-STABLE #3: Thu Dec  8
20:24:30 NZDT 2005    
icepick@xxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/FIREWALL  i386


Cheers
Barry



> Hi,
>
> I've got a rule either counting traffic for subnet ranges to work out how
> much traffic they're using; obviously I'm using internal IPs in this
> example:
>
> # SMTP mail servers
> ipfw add 00076 count ip from any to 192.168.0.128/29 in
> ipfw add 00076 count ip from 192.168.0.128/29 to any out
>
> or in some cases pipes
>
> # Rob's usage
> ipfw pipe 1 config bw 64KB
> ipfw pipe 2 config bw 64KB
> ipfw add 00086 pipe 1 ip from any to 192.168.0.33/28 in
> ipfw add 00086 pipe 2 ip from 192.168.0.33/28 to any out
>
> I'm wanting to add transparent proxy for all users subnets but still have
> the above rule tally the traffic so I added:
>
> # Trans-proxy
> ipfw add 31500 fwd 10.0.0.1,3128 tcp from 192.168.0.0/24 to any 80
>
> Download tests have proven that the trans-proxy takes preference and allows
> the user to download above their pipe rate, and also show that the pipes 76
> & 86 don't count port 80 traffic, so I can't see how much they're downloading.
> I've tried using /sbin/sysctl net.inet.ip.fw.one_pass=0 but this didn't
> help. I've also tried setting the rules 76 & 86 to "in via em1", which didn't
> count any traffic, so I tried the dummy "in via vlanX", which didn't count any
> traffic either.
>
> em0 is the interface connecting to my ISP and em1 is connected to a cisco
> 3500XL running vlans.
>
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet6 fe80::206:5bff:fe0f:37ff%em0 prefixlen 64 scopeid 0x1
>         inet 60.234.x.x netmask 0xfffffffc broadcast 60.234.x.x
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:06:5b:0f:37:ff
>         media: Ethernet 100baseTX <full-duplex>
>         status: active
>
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet6 fe80::206:5bff:fe0f:3800%em1 prefixlen 64 scopeid 0x2
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:06:5b:0f:38:00
>         media: Ethernet 1000baseTX <full-duplex>
>         status: active
>
> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.34 netmask 0xfffffff0
>         inet6 fe80::206:5bff:fe0f:37ff%vlan1 prefixlen 64 scopeid 0x5
>         ether 00:06:5b:0f:38:00
>         media: Ethernet 1000baseTX <full-duplex>
>         status: active
>         vlan: 11 parent interface: em1
>
>
> vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.129 netmask 0xfffffff0
>         inet6 fe80::206:5bff:fe0f:37ff%vlan1 prefixlen 64 scopeid 0x5
>         ether 00:06:5b:0f:38:00
>         media: Ethernet 1000baseTX <full-duplex>
>         status: active
>         vlan: 12 parent interface: em1
>
> Any ideas would be much appreciated.
>
> Cheers
> Barry
>
> _______________________________________________
> freebsd-ipfw@xxxxxxxxxxx mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@xxxxxxxxxxx"
>
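When tracking down which accounting rules are actually matching, as Barry is doing with rules 76 and 86 above, it helps to read the counters `ipfw -a list` prints rather than eyeballing them. The following is an added example, not code from the thread: it parses the rule / packets / bytes columns of `ipfw -a list`, sums bytes per rule number and direction for count and pipe rules, and reports rule numbers that have never matched. The sample output is constructed to mirror the rules quoted above.

```python
"""Summarise per-rule counters from `ipfw -a list` output (added example)."""
import re
from collections import defaultdict

# Constructed sample of `ipfw -a list` output: rule number, packets, bytes, body.
SAMPLE = """\
00076      1523    1840233 count ip from any to 192.168.0.128/29 in
00076       987     120455 count ip from 192.168.0.128/29 to any out
00086         0          0 pipe 1 ip from any to 192.168.0.33/28 in
00086         0          0 pipe 2 ip from 192.168.0.33/28 to any out
31500     44120   51230991 fwd 10.0.0.1,3128 tcp from 192.168.0.0/24 to any dst-port 80
65535    102233  120332110 deny ip from any to any
"""

# <rule> <pkts> <bytes> <action> <rest of rule body>
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_ipfw_list(text):
    """Yield (rule, pkts, bytes, action, body) for each counter line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rule, pkts, nbytes, action, body = m.groups()
            yield int(rule), int(pkts), int(nbytes), action, body


def direction(body):
    """Return 'in', 'out' or 'any' from the direction keyword in the body."""
    for word in ("in", "out"):
        if re.search(rf"\b{word}\b", body):
            return word
    return "any"


def summarise(text, actions=("count", "pipe")):
    """Sum packets and bytes per (rule, direction) for accounting actions."""
    totals = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for rule, pkts, nbytes, action, body in parse_ipfw_list(text):
        if action in actions:
            totals[(rule, direction(body))]["pkts"] += pkts
            totals[(rule, direction(body))]["bytes"] += nbytes
    return dict(totals)


def idle_rules(text, actions=("count", "pipe")):
    """Rule numbers none of whose accounting rules has matched a packet."""
    by_rule = defaultdict(int)
    for (rule, _), c in summarise(text, actions).items():
        by_rule[rule] += c["pkts"]
    return sorted(r for r, p in by_rule.items() if p == 0)
```

Feed it the real output with `summarise(subprocess.check_output(["ipfw", "-a", "list"], text=True))`; a rule number listed by `idle_rules` is one whose traffic is being consumed elsewhere (or never arriving), which is exactly the symptom described for the pipe rules.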