Cannot get ipfw to limit a jail's bandwidth

Status
Not open for further replies.

briarknit (Cadet, joined Jan 22, 2016, 5 messages)
I have seen numerous forum posts as well as blog posts about how to use ipfw to limit bandwidth on FreeBSD. I have also seen a few on how to use it with FreeNAS; however, those are usually forum posts that go unanswered. I am trying to use ipfw to limit one of my jails' incoming bandwidth over WAN (leaving LAN traffic untouched). Here is some info:

  • My FreeNAS server has an IP of 192.168.1.100 on my local network.
  • The particular jail I am trying to limit has an internal IP (assigned automatically by FreeNAS, not my router) of 192.168.1.3.
  • My FreeNAS also appears to have an internal IP of 192.168.1.1 that it uses for the internal network between FreeNAS and the jails (those IPs are not accessible outside of FreeNAS; 192.168.1.1 would just take me to my router).
After reading much about ipfw, I have tried the following.

  • Enabled ipfw via loader.conf in the root shell (not the jail shell).
  • Created a pipe and assigned it to my jail using the following:

    # create the pipe with a 20 Mbit/s limit
    ipfw pipe 1 config bw 20Mbps
    # send traffic that is not from the LAN and is destined for the jail through it
    ipfw add pipe 1 ip from not 192.168.1.0/24 to 192.168.1.3
The idea being I want to limit all incoming traffic to that jail that is not from my network to a max of 20Mbps. However, as soon as I run that second line the bandwidth of my jail drops to next to nothing. When I turn it off it shoots back up to my max speed of 150Mbps (downloading files to sync with my remote server).

What am I doing wrong here? I noticed that if I change pipe 1's bandwidth limit to unlimited (0), it works just fine, as if nothing was wrong. As soon as I put a limit on it, even if that limit is something like 20000Mbps, it still basically shuts off that jail to the outside world.

Any ideas or has anyone done this successfully?
 

Irina Liakh (Cadet, joined May 18, 2016, 9 messages)
Any ideas
The first one is:

Since you shape non-192.168.1.0/24 traffic, I suppose you use NAT for your jail.
If you do it by ipfw means as well, and if your NAT rules have greater rule numbers, and if your net.inet.ip.fw.one_pass equals the default value "1", then packets shaped with an "ipfw N pipe" rule never reach the "ipfw N nat" rule.

If so, you have to do either:

    sysctl net.inet.ip.fw.one_pass=0

or:

    ipfw disable one_pass

The reason why your scheme does work with unlimited bandwidth is probably that ipfw does some optimization and skips sending packets to a pipe that has no limits at all.
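The following script is an added example, not code from either poster or from the FreeNAS project. It puts the answer's advice into one ruleset (one_pass cleared, the pipe created, the shaping rule numbered below the nat rule, the nat rule after it) and adds a small diagnosis function that reads "ipfw list" output and reports whether the pipe-before-nat-with-one_pass=1 situation the answer describes is present. The thread only gives the jail and LAN addresses; the nat instance number (1), the rule numbers (100/200) and the WAN interface (em0) are assumptions. IPFW and SYSCTL default to "echo" so the script only prints the commands it would run; set IPFW=ipfw SYSCTL=sysctl and run it as root on the FreeBSD/FreeNAS host to apply them.

```shell
#!/bin/sh
# Added example; not code from the thread or from FreeNAS.
# Assumed values: nat instance 1, rule numbers 100/200, WAN interface em0.
# IPFW/SYSCTL default to "echo ..." so nothing is changed unless overridden.

IPFW=${IPFW:-echo ipfw}
SYSCTL=${SYSCTL:-echo sysctl}
JAIL_IP=${JAIL_IP:-192.168.1.3}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_IF=${WAN_IF:-em0}
BW=${BW:-20Mbit/s}   # ipfw(8) spelling; "20Mbps" from the question parses the same way

apply_shaping() {
    # With one_pass=1 a packet handed to dummynet is accepted as soon as it
    # leaves the pipe and never sees rule 200, so it is not NATed.  Clearing
    # one_pass makes it re-enter the ruleset at the rule after the pipe rule.
    $SYSCTL net.inet.ip.fw.one_pass=0
    $IPFW pipe 1 config bw "$BW"
    # Same match as in the question: anything not from the LAN, to the jail.
    $IPFW add 100 pipe 1 ip from not "$LAN_NET" to "$JAIL_IP"
    # The nat rule has the greater number, the situation the answer describes.
    $IPFW add 200 nat 1 ip from any to any via "$WAN_IF"
}

# Diagnosis helper: reads "ipfw list" output on stdin and the current
# one_pass value as $1.  Exits 0 (problem present) when a pipe or queue rule
# is numbered below a nat rule while one_pass is 1, i.e. shaped packets
# would be accepted after the pipe and never reach the nat rule.
shaped_traffic_skips_nat() {
    awk -v op="$1" '
        ($2 == "pipe" || $2 == "queue") && p == "" { p = $1 + 0 }
        $2 == "nat" && n == "" { n = $1 + 0 }
        END { exit !(op == 1 && p != "" && n != "" && p < n) }
    '
}

# Constructed "ipfw list" output matching the ruleset above (sample data).
SAMPLE_RULES='00100 pipe 1 ip from not 192.168.1.0/24 to 192.168.1.3
00200 nat 1 ip from any to any via em0
65535 allow ip from any to any'

apply_shaping
for op in 1 0; do
    if printf '%s\n' "$SAMPLE_RULES" | shaped_traffic_skips_nat "$op"; then
        echo "one_pass=$op: shaped packets skip the nat rule"
    else
        echo "one_pass=$op: shaped packets reach the nat rule"
    fi
done
```

To check a live box instead of the constructed sample, feed the real ruleset and sysctl value to the helper: `ipfw list | shaped_traffic_skips_nat "$(sysctl -n net.inet.ip.fw.one_pass)"`. The rule numbers matter because ipfw walks rules in number order; the helper only looks at the first pipe/queue rule and the first nat rule it sees.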