This article describes how to change the speed of users behind NAT according to the time of day, using the cron scheduler daemon.
FreeBSD 8.1 is used here, but this way of changing the speed is also available on all other versions where ipfw and cron exist, which means almost all FreeBSD branches and releases.
I will not discuss how to compile the kernel in detail; I will only say that it should contain the following options, which enable the firewall and the DUMMYNET shaper:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET
options HZ=1000
There are many ways to change the speed over time, but I will describe only the 2 that I use myself. They are not perfect, but for a local network of 10-20 people, without a public external IP address and with a total bandwidth of 20 Mbps, the channel will work fine.
First way
Here we use cron to replace the working config.
Suppose we have 2 files for different time periods:
firewall.conf-01-09 - firewall for the time from 01:00 to 09:00
firewall.conf-09-01 - firewall for the time from 09:00 to 01:00
From 01:00 to 09:00 we give users high speed, and at all other times, that is from 09:00 to 01:00, the declared speed.
We put these 2 files in, for example, /home/admin/firewall.
Next we create an sh script which, just in case, brings down and back up all the interfaces that ipfw works on and runs /etc/netstart. (This step can be skipped and the firewall script executed directly, but for me and for some others that led to all kinds of unusual errors, "no buffer space available" and so on, which a simple /etc/netstart solved.) The script looks like this:
#!/bin/sh
cp /home/admin/firewall/firewall.conf-01-09 /etc/firewall.conf
sh /etc/firewall.conf
ifconfig rl0 down
ifconfig rl1 down
ifconfig rl0 up
ifconfig rl1 up
/etc/netstart
Save this script as firesh-01-09.sh, make a similar script for the daytime period from 09:00 to 01:00, and finally open the cron table (/etc/crontab), in which we specify what to run, when, and as which user:
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#minute hour mday month wday who command
# Firewalls
0 1 * * * root sh /home/admin/firewall/firesh-01-09.sh
0 9 * * * root sh /home/admin/firewall/firesh-09-01.sh
Now at 01:00 and at 09:00 your rules will be copied to /etc/firewall.conf, the new rules will be loaded and the interfaces brought back up.
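Because cron runs these scripts as root while the rule files live under /home/admin/firewall, anyone who can write to those files controls what root executes. The following is an added example, not part of the original article: one script that picks the profile from the current hour and refuses to load a rule file that is not owned by root or is writable by group or others. The function names, the FW_OWNER variable and the ownership policy are assumptions of this example; the directory and file names follow the article.

```sh
#!/bin/sh
# Added example: choose the profile by hour and refuse unsafe rule files.
# FW_DIR and the firewall.conf-HH-HH names follow the article; the function
# names and the ownership policy are assumptions of this example.
FW_DIR=${FW_DIR:-/home/admin/firewall}
FW_OWNER=${FW_OWNER:-0}          # uid that must own the rule files (root)

# Map an hour (00-23, as printed by `date +%H`) to the profile suffix.
profile_for_hour() {
    case $1 in ''|???*|*[!0-9]*) return 2 ;; esac   # one or two digits only
    h=${1#0}; h=${h:-0}          # strip leading zero so 08/09 are not octal
    [ "$h" -le 23 ] || return 2
    if [ "$h" -ge 1 ] && [ "$h" -lt 9 ]; then echo 01-09; else echo 09-01; fi
}

# Succeed only for a regular file (not a symlink) owned by FW_OWNER that
# neither group nor others can write.
is_safe_rules_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$FW_OWNER" ! -perm -020 ! -perm -002)" ]
}

# Install and load the profile for the given hour; meant to run as root.
apply_profile() {
    suffix=$(profile_for_hour "$1") || { echo "bad hour: $1" >&2; return 2; }
    src=$FW_DIR/firewall.conf-$suffix
    is_safe_rules_file "$src" || { echo "refusing $src" >&2; return 1; }
    cp "$src" /etc/firewall.conf.new &&
        mv /etc/firewall.conf.new /etc/firewall.conf &&   # atomic replace
        sh /etc/firewall.conf
}

# Nothing is applied unless the script is called with the argument "apply".
if [ "${1:-}" = apply ]; then apply_profile "$(date +%H)"; fi
```

Since the profile is derived from the clock rather than from which cron line fired, the same command can also be run at boot so that a restart during the night does not leave the daytime rules loaded.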
Second way
This method is certainly much simpler, but somehow I never really got used to it; I love the good old proven way and therefore use the first method.
The second method consists of a simple sh script in which each pipe is given a speed and which is re-run on a schedule. It looks like this:
# Day firewall, 09:00 - 01:00
# Admins
ipfw pipe 230 config bw 0Mbit/s
ipfw pipe 130 config bw 0Mbit/s
# Users
ipfw pipe 107 config bw 5Mbit/s
ipfw add pipe 1107 ip from 192.168.0.107 to any out
ipfw pipe 1107 config bw 5Mbit/s
# VPN Users
ipfw pipe 246 config bw 1Mbit/s
ipfw pipe 128 config bw 5Mbit/s
ipfw add pipe 1128 ip from 192.168.0.128 to any out
ipfw pipe 1128 config bw 5Mbit/s
ipfw pipe 102 config bw 0Mbit/s
# Test users
ipfw pipe 35 config bw 0Mbit/s
ipfw pipe 36 config bw 0Mbit/s
ipfw pipe 37 config bw 0Mbit/s
ipfw pipe 38 config bw 0Mbit/s
ifconfig rl0 down
ifconfig rl1 down
ifconfig rl0 up
ifconfig rl1 up
The procedure for running the config on schedule from cron remains the same as in the first method, except that the /etc/netstart command must not be used here: we are working with a single config file, firewall.conf, which is already loaded into memory, and running this command would re-read the config from /etc/firewall.conf, in which you have described the standard rules.