# FreeBSD 10 ipfw bridge (two nic) no traffic



## kringson (Feb 18, 2014)

Hello @all,

I'm new to this forum and I have a question about building a network bridge to shape traffic. My system is a FreeBSD 10 machine with two network cards, and I want to use this system in front of my firewall to shape the traffic in and out. First, some information about my configuration:

rc.conf

```
# Firewall
firewall_enable="Yes"
firewall_type="/etc/rc.firewall"
firewall_logging="YES"

# Network config
cloned_interfaces="bridge0"
ifconfig_bridge0="addm re0 stp re0 addm re1 stp re1 up"

# DHCP configuration
ifconfig_re0="dhcp"
ifconfig_re1="dhcp"
```

/etc/sysctl.conf

```
# Bridging options
# source http://www.freebsd.org/cgi/man.cgi?query=if_bridge&sektion=4&apropos=0&manpath=FreeBSD+10.0-RELEASE
#net.inet.ip.fw.enable=1
#net.link.ether.ipfw=1
net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=0
net.link.bridge.pfil_member=1
net.link.bridge.pfil_local_phys=1
net.link.bridge.log_stp=1
```

/etc/rc.firewall

```
#!/bin/sh
#firewall command

fwcmd="/sbin/ipfw -q"

#interfaces
IntLAN=re1
IntFW=re0

ks="keep-state"        # just too lazy to key this each time
sks="setup keep-state"
fw="skipto 5000"        # Means that Firewall rules are starting from number 5000
cs="skipto 3000"
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
################################################################################
# Setup all Internet connections here
#
# download pipes always have a zero as last digit
# upload pipes always have a five as last digit
#
################################################################################

# configuration for 16Mbit/s
$fwcmd pipe 10 config bw 8Mbit/s        # High
$fwcmd pipe 20 config bw 6Mbit/s        # Medium
$fwcmd pipe 30 config bw 2Mbit/s        # Low
$fwcmd pipe 100 config delay 200        # Delay for test ICMP

################################################################################
# add queues
################################################################################
# high performance
$fwcmd queue 10 config pipe 10 weight 90        # High with high weight

# medium performance
$fwcmd queue 20 config pipe 20 weight 60        # Medium with medium weight
# low performance
$fwcmd queue 30 config pipe 30 weight 40        # Low with low weight

################################################################################
# classify the traffic
# high priority class
################################################################################

########################## high priority class #################################
$fwcmd add 01000 queue 10 ip from any to any out via ${IntFW} tcpflags ack iplen 52
$fwcmd add 01010 ${fw} ip from any to any out via ${IntFW} tcpflags ack iplen 52

# Remote Desktop's
$fwcmd add 01100 queue 10 tcp from any to any 3389 in via ${IntLAN}
$fwcmd add 01110 ${fw} tcp  from any to any 3389 in via ${IntLAN} ${sks}
$fwcmd add 01120 queue 10 udp from any 3389 to any in via ${IntFW}
$fwcmd add 01130 ${fw} udp from any 3389 to any in via ${IntFW} ${ks}

$fwcmd add 01140 queue 30 tcp from any to any 3389 in via ${IntFW}
$fwcmd add 01150 ${fw} tcp  from any to any 3389 in via ${IntFW} ${sks}
$fwcmd add 01160 queue 30 udp from any 3389 to any in via ${IntLAN}
$fwcmd add 01170 ${fw} udp from any 3389 to any in via ${IntLAN} ${ks}
#######################################################################################
# firewall rules
#######################################################################################
$fwcmd add 05000 check-state
$fwcmd add 05010 deny all from any to any frag
################################################################################
# some default rules
################################################################################
$fwcmd add 05100 allow tcp from any to me 22 ${sks}
```

Some more information: my client is connected to interface re1 and the firewall is connected to interface re0.

Now the problem. This is the example with which I do my tests: I first want to shape the traffic that uses the RDP port (TCP/3389). When I enable the following lines:

```
$fwcmd add 01100 queue 10 tcp from any to any 3389 in via ${IntLAN}
$fwcmd add 01110 ${fw} tcp  from any to any 3389 in via ${IntLAN} ${sks}
```

I can't establish the connection through the bridge; when I disable the lines and reload the firewall script it works without any interruption. I see by typing `ipfw -t list` that the rules and the queue match, but no traffic goes through the machine.

```
root@ps01:~ # ipfw -t list
01000                         queue 10 ip from any to any out via re0 tcpflags ack iplen 52
01010                         skipto 5000 ip from any to any out via re0 tcpflags ack iplen 52
01100 Tue Feb 18 14:16:12 2014 queue 10 tcp from any to any dst-port 3389 in via re1
01110                         skipto 5000 tcp from any to any dst-port 3389 in via re1 setup keep-state
01120 Tue Feb 18 14:16:15 2014 queue 10 udp from any 3389 to any in via re0
01130                         skipto 5000 udp from any 3389 to any in via re0 keep-state
01140                         queue 30 tcp from any to any dst-port 3389 in via re0
01150                         skipto 5000 tcp from any to any dst-port 3389 in via re0 setup keep-state
01160                         queue 30 udp from any 3389 to any in via re1
01170                         skipto 5000 udp from any 3389 to any in via re1 keep-state
05000                         check-state
05010                         deny ip from any to any frag
05100                         allow tcp from any to me dst-port 22 setup keep-state
05120 Tue Feb 18 14:16:16 2014 allow tcp from any to any established
10000 Tue Feb 18 14:16:15 2014 allow log ip from any to any keep-state
65535 Tue Feb 18 13:28:45 2014 deny ip from any to any
```

On my client I see a SYN_SENT, that's all. Does anybody know what is wrong in my configuration?
I have been testing and searching for a solution for the last three days and I hope somebody can help.

Thanks a lot and I hope this is the right forum.
Arne Tiedemann alias Kringson
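The poster's diagnosis rests on reading the `ipfw -t list` output by eye: `-t` prints the last-match timestamp between the rule number and the rule body, and a rule that has never matched since the last flush shows only blanks there. The following script is an added helper, not code from the post or from FreeBSD, that parses such a listing: it reports which rules have never matched and whether any `skipto` target names a rule number that does not exist (ipfw then continues at the next higher-numbered rule). The sample listing is the one quoted above, embedded so the script runs without ipfw(8); the function names are my own.

```shell
#!/bin/sh
# Added diagnostic for `ipfw -t list` output (not part of the original post).

# Sample input: the listing quoted in the post above, embedded so the
# script runs offline without ipfw(8).
SAMPLE_LISTING='01000                         queue 10 ip from any to any out via re0 tcpflags ack iplen 52
01010                         skipto 5000 ip from any to any out via re0 tcpflags ack iplen 52
01100 Tue Feb 18 14:16:12 2014 queue 10 tcp from any to any dst-port 3389 in via re1
01110                         skipto 5000 tcp from any to any dst-port 3389 in via re1 setup keep-state
01120 Tue Feb 18 14:16:15 2014 queue 10 udp from any 3389 to any in via re0
01130                         skipto 5000 udp from any 3389 to any in via re0 keep-state
01140                         queue 30 tcp from any to any dst-port 3389 in via re0
01150                         skipto 5000 tcp from any to any dst-port 3389 in via re0 setup keep-state
01160                         queue 30 udp from any 3389 to any in via re1
01170                         skipto 5000 udp from any 3389 to any in via re1 keep-state
05000                         check-state
05010                         deny ip from any to any frag
05100                         allow tcp from any to me dst-port 22 setup keep-state
05120 Tue Feb 18 14:16:16 2014 allow tcp from any to any established
10000 Tue Feb 18 14:16:15 2014 allow log ip from any to any keep-state
65535 Tue Feb 18 13:28:45 2014 deny ip from any to any'

# Read `ipfw -t list` output on stdin and print one line per rule:
#   <rule number> <matched|never> <rule body>
# A timestamp such as "Tue Feb 18 14:16:12 2014" occupies fields 2..6
# (weekday, month, day, time, year); without it the body starts at field 2.
summarize_rules() {
    awk '
        NF >= 2 {
            rule = $1
            if ($2 ~ /^[A-Z][a-z][a-z]$/ && $6 ~ /^[0-9][0-9][0-9][0-9]$/) {
                status = "matched"; first = 7
            } else {
                status = "never"; first = 2
            }
            body = $first
            for (i = first + 1; i <= NF; i++) body = body " " $i
            print rule, status, body
        }'
}

# Rule numbers that have not matched anything since the last flush:
# the packet never reached these rules on any pass through the rule set.
never_matched() {
    summarize_rules | awk '$2 == "never" { print $1 }'
}

# skipto targets that name no existing rule. Rule numbers are compared
# numerically because the listing zero-pads them ("05000" vs "5000").
dangling_skipto() {
    summarize_rules | awk '
        { rules[$1 + 0] = 1 }
        $3 == "skipto" { targets[$1] = $4 + 0 }
        END { for (r in targets) if (!(targets[r] in rules)) print r " -> " targets[r] }'
}

# Usage: report for the embedded sample (on a live system: ipfw -t list | never_matched)
printf '%s\n' "$SAMPLE_LISTING" | summarize_rules
echo "--- never matched:"
printf '%s\n' "$SAMPLE_LISTING" | never_matched
echo "--- dangling skipto:"
printf '%s\n' "$SAMPLE_LISTING" | dangling_skipto
```

On a bridge, if_bridge(4) filters the same frame more than once: on the inbound member interface and the outbound member interface when `net.link.bridge.pfil_member=1`, and on bridge0 itself when `net.link.bridge.pfil_bridge=1`. A rule with no timestamp therefore means the frame never took that path on any of those passes, which narrows down where a `via` or `in`/`out` qualifier does not match the interface the packet is actually seen on.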


----------



## kringson (Feb 18, 2014)

Hello @all,

I found something, but I'm not finished with the configuration.
I added the following line to /etc/sysctl.conf and changed the TCP port to 80 to better simulate a big download.

/etc/sysctl.conf

```
net.link.bridge.pfil_bridge=1
```

Now I'm able to shape the traffic, but the crazy thing is that when I start a download from my web server the traffic uses the whole bandwidth. When I reload the firewall script the download is limited to the right bandwidth. When I start a second download it uses the whole bandwidth again, and after I reload the firewall script it is limited to the right bandwidth, and so on. ???
Here is the full /etc/sysctl.conf file:

/etc/sysctl.conf

```
# Bridging options
# source http://www.freebsd.org/cgi/man.cgi?query=if_bridge&sektion=4&apropos=0&manpath=FreeBSD+10.0-RELEASE
#net.inet.ip.fw.enable=1
#net.link.ether.ipfw=1


net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=0

net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_local_phys=1

net.link.bridge.log_stp=1
```

Here is the full firewall script:

/etc/rc.firewall

```
#!/bin/sh
#firewall command

fwcmd="/sbin/ipfw -q"

#interfaces
IntBri0=bridge0

ks="keep-state"        # just too lazy to key this each time
sks="setup keep-state"
fw="skipto 5000"        # Means that Firewall rules are starting from number 5000
cs="skipto 3000"
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
################################################################################
# Setup all Internet connections here
#
# download pipes always have a zero as last digit
# upload pipes always have a five as last digit
#
################################################################################

# configuration for 16Mbit/s
$fwcmd pipe 10 config bw 8Mbit/s        # High
$fwcmd pipe 20 config bw 4Mbit/s        # Medium
$fwcmd pipe 30 config bw 4Mbit/s        # Low
$fwcmd pipe 40 config bw 20Mbit/s        # Low

################################################################################
# add queues
################################################################################
# high performance
$fwcmd queue 10 config pipe 10 weight 90        # High with high weight
$fwcmd queue 15 config pipe 40 weight 90        # High with high weight

# medium performance
$fwcmd queue 20 config pipe 20 weight 60        # Medium with medium weight

# low performance
$fwcmd queue 30 config pipe 30 weight 40        # Low with low weight


################################################################################
# classify the traffic
# high priority class
################################################################################

# first some variables for this network
HighTCP=53,3389
HighUDP=53,3389
MediumTCP=80,443
MediumUDP=

# Networks
NetLocal=192.168.10.0/24

########################## high priority class #################################
$fwcmd add 01000 queue 10 ip from any to any out via re1 tcpflags ack iplen 52
$fwcmd add 01010 ${fw} ip from any to any out via re1 tcpflags ack iplen 52

# Remote Desktop's
# => out tcp
$fwcmd add 01100 queue 10 tcp from ${NetLocal} to any ${HighTCP} out via ${IntBri0}
$fwcmd add 01110 ${fw} tcp  from ${NetLocal} to any ${HighTCP} out via ${IntBri0} ${sks}
# in tcp <=
$fwcmd add 01120 queue 10 tcp from any ${HighTCP} to ${NetLocal} out via ${IntBri0}
$fwcmd add 01130 ${fw} tcp  from any ${HighTCP} to ${NetLocal} out via ${IntBri0} ${sks}

# => out udp
$fwcmd add 01140 queue 10 udp from ${NetLocal} to any ${HighUDP} out via ${IntBri0}
$fwcmd add 01150 ${fw} udp from ${NetLocal} to any ${HighUDP} out via ${IntBri0} ${ks}
# in udp <=
$fwcmd add 01160 queue 10 udp from any ${HighUDP} to ${NetLocal} out via ${IntBri0}
$fwcmd add 01170 ${fw} udp from any ${HighUDP} to ${NetLocal} out via ${IntBri0} ${ks}

########################## medium priority class ###############################
# Web traffic
$fwcmd add 02010 queue 20 tcp from ${NetLocal} to any ${MediumTCP} out via re1
$fwcmd add 02000 queue 20 tcp from any ${MediumTCP} to ${NetLocal} out via re1
$fwcmd add 02020 ${fw} tcp  from ${NetLocal} to any ${MediumTCP} out via re1
$fwcmd add 02030 ${fw} tcp  from ${NetLocal} to any ${MediumTCP} out via re1


########################## low priority class ##################################
# all other traffic
# => out ip
#$fwcmd add 03000 queue 30 ip from ${NetLocal} to any out via ${IntBri0}
#$fwcmd add 03010 queue 30 ip from any to ${NetLocal} out via ${IntBri0}
#$fwcmd add 03020 ${fw} ip from ${NetLocal} to any out via ${IntBri0}
#$fwcmd add 03030 ${fw} ip from any to ${NetLocal} out via ${IntBri0}

#######################################################################################
# firewall rules
#######################################################################################
$fwcmd add 05000 check-state
$fwcmd add 05010 deny all from any to any frag

################################################################################
# some default rules
################################################################################
$fwcmd add 05100 allow tcp from any to me 22 ${sks}


# Allow all TCP where established
$fwcmd add 05120 allow tcp from any to any established
#Allow all localhost connections
$fwcmd add 10000 allow ip from any to any ${ks}
```

I'm at the end of my tether; can anybody please help me?


----------

