# bandwidth throttling?



## Jago (Apr 9, 2010)

Hello folks

I have an 8.0 system that has 2 IPs:


```
ifconfig em1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
       ether 00:25:90:01:32:93
       inet 192.168.1.126 netmask 0xffffff00 broadcast 192.168.1.255
       inet 192.168.1.127 netmask 0xffffff00 broadcast 192.168.1.255
       media: Ethernet autoselect (1000baseT <full-duplex>)
       status: active
```

The .126 is used by the host for various obvious things and I have a jail on the same machine running off the .127 IP. Is there a quick and easy way to have the jail host throttle bandwidth usage of everything going to and out of the .127 jail? I don't really need anything fancy, I just want to set hard limits for the entire jail globally, like "don't use more than 500KB/s downstream and more than 150KB/s upstream".

What would be the best way for doing this? My understanding is that to do this with PF, I would need ALTQ, meaning I have to use a custom kernel and that IPFW with dummynet should have similar functionality but should also work with GENERIC?

Thanks!


----------



## phoenix (Apr 9, 2010)

Yes, you can use ipfw+dummynet with the GENERIC kernel, as these can be loaded as kernel modules (kldload ipfw; kldload dummynet). One thing to note, though: the ipfw kernel module has a default deny rule, so you can't (easily) load it via a remote login.


----------



## varda (Apr 20, 2010)

It is possible to recompile just ipfw with a default-to-accept rule. You need to add this to /etc/make.conf:

```
CFLAGS+= -DIPFIREWALL -DIPFIREWALL_NAT -DIPFIREWALL_FORWARD -DIPFIREWALL_DEFAULT_TO_ACCEPT -DIPSTEALTH -DIPDIVERT -DDUMMYNET
```
and then run make, something like:

```
cd /usr/src/sys/modules/ipfw 
make clean && make cleandir && make obj && make depend && make all && make install && make clean && make cleandir
```

Also, you can play with net.inet.ip.fw.default_to_accept="1" in /boot/loader.conf.

You will want to try this on a local machine first before running it on a remote one.


----------
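The ipfw+dummynet approach discussed above, as an added example that is not from any of the posts: a small sh function that validates its input and prints the pipe and rule commands for the limits asked about in the question. The function name, the pipe numbers (1 and 2) and the rule numbers (1000, 1010) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print the ipfw/dummynet commands that
# cap all traffic to and from one jail IP. Assumes ipfw and dummynet are
# already loaded and the ruleset still lets your own session through.
# Pipe numbers 1 and 2 and the rule numbers are constructed values.

# usage: jail_shaper_rules IP DOWN_KBYTES UP_KBYTES IFACE [FIRST_RULE]
jail_shaper_rules() {
    jip=$1 jdown=$2 jup=$3 jif=$4 jrule=${5:-1000}

    # Strict input checks, so a typo can never become a rule for "any".
    case $jip in
        ''|*[!0-9.]*|.*|*.|*..*) echo "bad IP: $jip" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $jip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad IP: $jip" >&2; return 1; }
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || { echo "bad IP: $jip" >&2; return 1; }
    done
    for n in "$jdown" "$jup" "$jrule"; do
        case $n in
            ''|0*|*[!0-9]*) echo "bad number: $n" >&2; return 1 ;;
        esac
    done
    case $jif in
        ''|*[!A-Za-z0-9_]*) echo "bad interface: $jif" >&2; return 1 ;;
    esac

    # One pipe per direction: "in" is downstream to the jail, "out" is upstream.
    cat <<EOF
ipfw pipe 1 config bw ${jdown}KByte/s
ipfw pipe 2 config bw ${jup}KByte/s
ipfw add $jrule pipe 1 ip from any to $jip in via $jif
ipfw add $((jrule + 10)) pipe 2 ip from $jip to any out via $jif
EOF
}

# Limits from the question: 500 KB/s down, 150 KB/s up for 192.168.1.127 on em1.
jail_shaper_rules 192.168.1.127 500 150 em1
```

Review the printed commands before running them as root on the jail host; the rules match only traffic crossing em1, so the host's own .126 traffic is not shaped.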

