A committed data rate (CDR) is a static cap that an ISP places on your service, most often as a function of expense.  Say you’re contracted for colo and have a half rack somewhere for 1200/month, your data rate is 100/Mbps, and your ISP is going to configure your CDR at 5 Mbps.  So you get colo with 5 Mbps for 1700/month and your ISP has to do some CDR configuring.

Before you ask: you can absolutely do this with Cisco, Juniper, 3com, or other vendor systems.  However, maybe you have Cisco edge devices and, like me, want some highly configurable quad Xeons as your internal routers.  So how do we do this?  For me it was with ipfw on FreeBSD.

To use ipfw and DUMMYNET with FreeBSD you’re going to need to recompile your kernel with the following options:

options BRIDGE
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT
options DUMMYNET
options NMBCLUSTERS
options HZ=1000

These options will enable ipfw and DUMMYNET as well as allowing firewall logging.  I won’t go over compiling your own kernel – you can find that info in the FreeBSD handbook.  Reboot with your new firewall-friendly kernel and let’s get cracking.

First you’re going to need to define the bandwidth limits you want to impose.  Let’s say you want to create a 1 Mbps rate, a 2 Mbps rate, and a 4 Mbps rate.  You would execute the following:

ipfw pipe 1 config bw 2Mbit/s

ipfw pipe 2 config bw 4Mbit/s

ipfw pipe 3 config bw 8Mbit/s

See the syntax?  ipfw pipe [pipe#] config bw [rate x 2]

It’s very easy to create these CDR values.  Be aware that if you create a CDR this way, the pipe reserves half its bandwidth for traffic in the opposite direction, which can be confusing.  If you want the end-user to be able to transmit data at 1 Mbps both ways you need an incoming pipe at 2 Mbps and an outgoing pipe at 2 Mbps.  This is because DUMMYNET was not intended for the purpose of creating these CDRs – it was meant as a network simulation package.

So now we have 3 CDRs and we need to apply them – this is done using the ipfw command line.  Let’s look at some examples:

ipfw add 500 pipe 1 ip from 10.0.0.11 to any out

ipfw add 500 pipe 1 ip from any to 10.0.0.11 in

ipfw add 501 pipe 2 ip from 192.168.0.23 to 192.168.0.12 out

ipfw add 501 pipe 2 ip from 192.168.0.12 to 192.168.0.23 in

In the above examples, note that I have included both the in and out rules for 10.0.0.11 in firewall rule 500.  I do this so I can delete it without affecting other rules.  Also note that there is both an inbound and an outbound rule.  In rule 501 I provide an example of CDRs between 2 hosts on the same subnet.

You can view your CDR in action using “ipfw list” which will display all active firewall rules.  In the above example rules 500 and 501 would be displayed.  You can view the CDR contents using “ipfw pipe show” or “ipfw pipe [pipe#] show” which will list connections, the CDR rate, and provide some statistics about dropped packets.
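
The two steps above (configure a pipe at twice the committed rate, then add an in and an out rule under one rule number) can be generated from a table of hosts.  This is an added example, not part of the original post: the names cdr_plan, valid_ipv4, BASE_PIPE and BASE_RULE and the sample hosts are assumptions, and it only prints the ipfw commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the original post): print the ipfw commands for a
# table of "HOST RATE_MBPS" lines, using the post's "rate x 2" pipe sizing.
BASE_PIPE=1      # assumed first pipe number
BASE_RULE=500    # assumed first firewall rule number

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# cdr_plan: read the table on stdin and print one pipe plus an in/out rule
# pair per host. Any malformed line aborts the plan, so shell metacharacters
# in the table never end up in a command that is later run as root.
cdr_plan() {
    pipe=$BASE_PIPE; rule=$BASE_RULE
    while read -r host rate extra; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! valid_ipv4 "$host" || [ -n "$extra" ]; then
            echo "rejected line: $host $rate $extra" >&2; return 1
        fi
        case "$rate" in
            ''|*[!0-9]*|0*|??????*) echo "bad rate for $host" >&2; return 1 ;;
        esac
        echo "ipfw pipe $pipe config bw $((rate * 2))Mbit/s"
        echo "ipfw add $rule pipe $pipe ip from $host to any out"
        echo "ipfw add $rule pipe $pipe ip from any to $host in"
        pipe=$((pipe + 1)); rule=$((rule + 1))
    done
}

# Constructed sample table: two hosts with 1 Mbps and 4 Mbps committed rates.
cdr_plan <<'EOF'
# host        committed Mbps
10.0.0.11     1
10.0.0.12     4
EOF
```

Because each host keeps its own rule number, “ipfw delete [rule#]” removes that host’s in and out rules together, as described above.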