using pf for packet filtering and ipfw's dummynet for bandwidth limiting at the same time
- by krdx
I would like to ask if it's fine to use pf for all packet filtering (including using altq for traffic shaping) and ipfw's dummynet for bandwidth limiting certain IPs or subnets at the same time.
I am using FreeBSD 10 and I couldn't find a definitive answer to this. Googling returns such results as:
It works
It doesn't work
Might work but it's not stable and not recommended
It can work as long as you load the kernel modules in the right order
It used to work but with recent FreeBSD versions it doesn't
You can make it work provided you use a patch from pfsense
Then there's a mention that this patch might had been merged back to FreeBSD, but I can't find it.
One certain thing is that pfsense uses both firewalls simultaneously so the question is, is it possible with stock FreeBSD 10 (and where to obtain the patch if it's still necessary).
For reference here's a sample of what I have for now and how I load things
/etc/rc.conf
ifconfig_vtnet0="inet 80.224.45.100 netmask 255.255.255.0 -rxcsum -txcsum"
ifconfig_vtnet1="inet 10.20.20.1 netmask 255.255.255.0 -rxcsum -txcsum"
defaultrouter="80.224.45.1"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
pf_enable="YES"
pf_rules="/etc/pf.conf"
/etc/pf.conf
WAN1="vtnet0"
LAN1="vtnet1"
set skip on lo0
set block-policy return
scrub on $WAN1 all fragment reassemble
scrub on $LAN1 all fragment reassemble
altq on $WAN1 hfsc bandwidth 30Mb queue { q_ssh, q_default }
queue q_ssh bandwidth 10% priority 2 hfsc (upperlimit 99%)
queue q_default bandwidth 90% priority 1 hfsc (default upperlimit 99%)
nat on $WAN1 from $LAN1:network to any -> ($WAN1)
block in all
block out all
antispoof quick for $WAN1
antispoof quick for $LAN1
pass in on $WAN1 inet proto icmp from any to $WAN1 keep state
pass in on $WAN1 proto tcp from any to $WAN1 port www
pass in on $WAN1 proto tcp from any to $WAN1 port ssh
pass out quick on $WAN1 proto tcp from $WAN1 to any port ssh queue q_ssh keep state
pass out on $WAN1 keep state
pass in on $LAN1 from $LAN1:network to any keep state
/etc/ipfw.rules
ipfw -q -f flush
ipfw -q add 65534 allow all from any to any
ipfw -q pipe 1 config bw 2048KBit/s
ipfw -q pipe 2 config bw 2048KBit/s
ipfw -q add pipe 1 ip from any to 10.20.20.4 via vtnet1 out
ipfw -q add pipe 2 ip from 10.20.20.4 to any via vtnet1 in
