# IPFW limits.



## hac3ru (Mar 31, 2014)

Hello,

I have configured an ipfw.rules file. I am using it to limit the bandwidth for the network. I have recently installed mpd5 and OpenVPN in order to have VPN access. The problem is that I cannot limit the VPN traffic.... 
My ipfw.rules looks like this:
	
	



```
#General 
table 1 flush
table 1 add 172.23.0.0/20
table 1 add 173.23.0.0/23

table 2 flush
table 2 add 173.23.0.0/23
table 2 add 172.22.0.0/21

table 3 flush

# 3000 KB/s
table 4 flush
table 4 add 172.23.1.16
table 4 add 172.23.1.11
table 4 add 172.23.6.61
table 4 add 172.23.8.2
table 4 add 172.23.4.1

pipe 10 config bw 1MByte/s mask src-ip 0x000007ff
pipe 11 config bw 1MByte/s mask dst-ip 0x000007ff
pipe 12 config bw 3000KByte/s
pipe 13 config bw 3000KByte/s
pipe 14 config bw 10KByte/s
pipe 15 config bw 10KByte/s

add pass all from table(2) to table(2)
add pass all from table(1) to 127.0.0.1 8021 in  recv bge1
add pass all from 127.0.0.1 8021 to table(1) out xmit bge1

##3000 KB/s Limit
add pipe 12 all from table(4) to any in recv bge1
add pipe 13 all from any to table(4) out xmit bge1

# 10KB/s Limit
add pipe 14 all from table(3) to any in recv bge1
add pipe 15 all from any to table(3) out xmit bge1
```
This file should limit the 172.23.0.0/23 network (which represents OpenVPN and PPTP) to 1MB/s. Still, it is not doing this. When I download something from the internet or when I do a speedtest it goes through the roof.


----------



## gamanakis (Apr 1, 2014)

I would try to have the pipe rules before the pass ones. Also I would have the net.inet.ip.fw.one_pass set to 0. Also no traffic is being assigned to pipes 10 and 11.


----------



## hac3ru (Apr 1, 2014)

The thing is that it works for the 172.23.0.0/20 network but it doesn't work on the 173.23.0.0/23 network. I will try to set the pipes before the pass. What does net.inet.ip.fw.one_pass do?
The pipes 10 and 11 are assigned to table 1 but I don't know what happened when I pasted.


----------



## gamanakis (Apr 1, 2014)

It forces the traffic to reenter the firewall (re-entry point is the next rule) after being processed by dummynet (pipes, queues). Could you post your complete rules?


----------



## hac3ru (Apr 1, 2014)

Okay. I'll try that. Any other ideas? I don't have some other internet connection here right now so I can test if the limits work...
I just checked my `/etc/sysctl.conf` and I don't have `net.inet.ip.fw.one_pass` at all. If I remember it right from reading [ipfw(8)](http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8) it is set to 1 if not present in `/etc/sysctl.conf`:

> on exit from the pipe and if the sysctl(8) variable net.inet.ip.fw.one_pass is not set, the packet is passed again to the firewall code starting from the next rule.

Tried what you said but it's not working. The VPN clients are not limited. When I run a speedtest it goes to 100mbps even if they were limited in `/etc/ipfw.rules` to 3MB/s.


----------



## gamanakis (Apr 1, 2014)

If you run ipfw show, are you getting traffic on the respective rules?
If you are limiting on the "virtual ip" of OpenVPN then you should filter the traffic on the tun0 interface.


----------



## hac3ru (Apr 2, 2014)

ipfw show is showing no traffic through the VPN rules. 
How can I filter the traffic on that interface? I thought that traffic is being filtered only by IP.......?

//Never mind. I wasn't paying enough attention. Since I specified the bge1 interface, of course it won't touch the traffic on tun0 or ng0 interface. If I don't specify an interface, it will filter traffic on all the interfaces? Or can I write multiple interfaces separated by comma or something?


----------



## gamanakis (Apr 2, 2014)

That's right. If you don't specify an interface, it will filter the corresponding traffic on all interfaces. As far as I know you cannot write multiple interfaces separated by comma, you have to add different rules. It is always better to define the interface on which you want to filter the traffic. Otherwise unexpected things can occur.


----------



## hac3ru (Apr 2, 2014)

gamanakis said:

> That's right. If you don't specify an interface, it will filter the corresponding traffic on all interfaces. As far as I know you cannot write multiple interfaces separated by comma, you have to add different rules. It is always better to define the interface on which you want to filter the traffic. Otherwise unexpected things can occur.


One last question. I have set mpd5. As you may know, PPTP connections set up an interface for each connection so, if I have 2 clients connected through PPTP I'll have interfaces ng0 and ng1. If I have 4 clients, you guessed it, ng0, ng1, ng2, ng3. How can I pass traffic from these interfaces through ipfw without writing the rules manually? Any thoughts? Can I do something like

```
add pipe 16 all from table(4) to any in recv ngX
```

Question: What's the order of the loaded rules?
If I have a pipe 10 with 100MB and another pipe 11 with 100Kb, looking like this:

```
add pipe 10 all from table(3) to any
add pipe 11 all from table(3) to any
```
Which one will be the "ruling" rule?

//I just created two more pipes and one table for the VPN without specifying the interface. It shouldn't cause any problems with the other subnets since I specified the IPs to filter. 

Thank you for the help. That's what happens when you're not reading your rules carefully, hehe.


----------



## gamanakis (Apr 2, 2014)

For the multiple interfaces I think you could use "ng*" in place of the interface definition (e.g. via ng*)

Over the two rules, the first one would be active (net.inet.ip.fw.one_pass=1). If net.inet.ip.fw.one_pass=0 then the second one would win.


----------
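A simplified model of the rule walk discussed in the posts above, as an added example that is not part of the original thread and not ipfw's own code: it shows why a rule bound to `recv bge1` never sees a packet arriving on `tun0` or an `ngN` interface, and how `net.inet.ip.fw.one_pass` changes which pipes a packet traverses. The two table entries, the rate given to pipe 16 and all helper names are constructed for illustration; only `in recv` rules matching on a source table are modelled.

```python
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Constructed sample data: one VPN client table and three pipes (KByte/s).
TABLES = {4: [ip_network("172.23.1.16/32"), ip_network("172.23.8.2/32")]}
PIPE_KBYTE_S = {12: 3000, 14: 10, 16: 3000}

def rule(action, table, iface=None, pipe=None):
    """Simplified rule: '<action> all from table(N) to any in recv <iface>'."""
    return {"action": action, "table": table, "iface": iface, "pipe": pipe}

def matches(r, src, recv_if):
    in_table = any(ip_address(src) in net for net in TABLES[r["table"]])
    # A rule without an interface matches on every interface; "ng*" is a name glob.
    on_iface = r["iface"] is None or fnmatch(recv_if, r["iface"])
    return in_table and on_iface

def evaluate(rules, src, recv_if, one_pass):
    """Walk the ruleset for one inbound packet; return (pipes traversed, verdict)."""
    pipes = []
    for r in rules:
        if not matches(r, src, recv_if):
            continue
        if r["action"] == "pass":
            return pipes, "pass"
        pipes.append(r["pipe"])   # packet is handed to dummynet
        if one_pass:              # one_pass=1: accepted when it leaves the pipe
            return pipes, "pass"
        # one_pass=0: the packet re-enters the ruleset at the next rule
    return pipes, "default rule"  # nothing terminal matched; rule 65535 decides

def effective_limit(pipes):
    """Pipes in series: the slowest is the bottleneck. None means unshaped."""
    return min((PIPE_KBYTE_S[p] for p in pipes), default=None)

# Only bge1 is shaped, as in the ruleset posted at the top of the thread.
ORIGINAL = [rule("pipe", 4, "bge1", 12)]
# Added per-interface rules for OpenVPN (tun0) and mpd5 PPTP sessions (ng*).
FIXED = ORIGINAL + [rule("pipe", 4, "tun0", 16), rule("pipe", 4, "ng*", 16)]
# Two interface-less pipe rules for the same table, as in the later question.
TWO_PIPES = [rule("pipe", 4, None, 12), rule("pipe", 4, None, 14)]

if __name__ == "__main__":
    for name, rs, ifc, op in [("original", ORIGINAL, "tun0", True),
                              ("fixed", FIXED, "ng3", True),
                              ("two pipes", TWO_PIPES, "bge1", True),
                              ("two pipes", TWO_PIPES, "bge1", False)]:
        pipes, verdict = evaluate(rs, "172.23.1.16", ifc, op)
        print(name, ifc, f"one_pass={int(op)}", pipes, verdict, effective_limit(pipes))
```

On a live system, the per-rule packet counters from `ipfw show` give the same answer: a pipe rule whose counters stay at zero is not matching the traffic.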



## hac3ru (Apr 2, 2014)

gamanakis said:

> For the multiple interfaces I think you could use "ng*" in place of the interface definition (e.g. via ng*)
>
> Over the two rules, the first one would be active (net.inet.ip.fw.one_pass=1). If net.inet.ip.fw.one_pass=0 then the second one would win.



net.inet.ip.fw.one_pass should be in /etc/sysctl.conf right? Because it is not present in my /etc/sysctl.conf. What is the default value for it if it is missing? 
Also, does this apply to /etc/pf.conf?


----------



## gamanakis (Apr 2, 2014)

The output of this line, `sysctl net.inet.ip.fw.one_pass`, is the default value and it can be defined in /etc/sysctl.conf. This applies only to ipfw as it defines the behaviour of the traffic after passing through dummynet. It has no use for pf.


----------



## hac3ru (Apr 2, 2014)

Thank you


----------

