Hi,
I just need to know what rules like that would have to look like if I wanted to put them into my RADIUS config:
.. for example this command has to look like this to work ..:
mpd-rule += "100=allow all from any to any",
But what are those general IPFW commands supposed to look like:
${fwcmd} add 100 divert natd ip from any to any in via rl0
${fwcmd} add 110 divert natd ip from any to any out via rl0
... do I have to form them into something like that?
# mpd-rule += "100 divert natd ip from any to any in via rl0",
# mpd-rule += "110 divert natd ip from any to any out via rl0",
Thx,
Leander
> ... do I have to form them into something like that?
>
> # mpd-rule += "100 divert natd ip from any to any in via rl0",
> # mpd-rule += "110 divert natd ip from any to any out via rl0",
There are several problems:
- mpd numbers ipfw rules automatically, so you can't specify rule numbers.
- mpd binds RADIUS-given rules strictly to the client's interface by adding " via ngX" to the end of the rule, so you can't use "via rl0" there.
One way to make RADIUS use some global ipfw rules (if really needed) is to make those rules use an ipfw table and define them in a system startup script. Then mpd will be able to add the user's IP into that ipfw table, specified by RADIUS attributes.
But how do I solve it if I want to limit users' bandwidth when the PPPoE server is a gateway and the clients get their Internet over the PPPoE gateway?
Because those rules:
mpd-table += "1=11.1.11.1",
mpd-table += "1=1.2.3.4",
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to table\\(%t1\\) in",
mpd-rule += "2=pipe %p5 all from table\\(%t1\\) to any out",
mpd-rule += "100=allow all from any to any",
only limit traffic between the PPPoE server and client, but not Internet traffic, because of natd?!
Thx,
Leander
You do not need any tables to create per-user shapes. All you need is:
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to any in",
mpd-rule += "2=pipe %p5 all from any to any out",
mpd-rule += "100=allow all from any to any",
There will be no conflict with natd as long as shapes work on the downstream ngX interfaces and natd works on the upstream rl0.
For example I usually use this rule profile on the mpd Server side in /etc/rc.firewall to share Internet with my PPPoE Clients:
[...]
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
${fwcmd} add 100 divert natd ip from any to any in via rl0
${fwcmd} add 110 divert natd ip from any to any out via rl0
${fwcmd} add 65000 pass all from any to any
;;
[...]
This worked fine so far for sharing Internet ... but bandwidth limitation is not working for the clients' Internet usage.
If you mean it's supposed to look like that:
test User-Password == "schaefer"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 1.2.3.4,
Framed-IP-Netmask = 255.255.255.255,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = "std.ppp",
Framed-MTU = 1492,
Framed-Compression = Van-Jacobsen-TCP-IP,
# mpd-table += "1=11.1.11.1",
# mpd-table += "1=1.2.3.4",
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to table\\(%t1\\) in",
mpd-rule += "2=pipe %p5 all from table\\(%t1\\) to any out",
mpd-rule += "100=allow all from any to any",
... that doesn't limit bandwidth down to 20/10 Kbyte/s ... Internet just gets passed through at full speed to the clients ... ;/
Do you mean I have to create those two
mpd-table += "1=11.1.11.1",
mpd-table += "1=1.2.3.4",
tables globally in /etc/rc.firewall one time? If yes, what would that look like?
... I'm sorry - I'm not an IPFW guru ;-) ... hope you could give me some useful advice ;)
Thx,
Leander
What do you need those tables for? As I understand it, you need to shape all users' traffic to 10/20 Kbytes/s.
So all you need to do is just:
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to any in",
mpd-rule += "2=pipe %p5 all from any to any out",
mpd-rule += "100=allow all from any to any",
No, I don't want to have the same bandwidth limit for all users .... My goal is to limit EACH user's bandwidth via RADIUS attributes ...
So that I can say for example:
User1 has 20/10KB/s
and
User2 400/200KB/s
and so on ...
but I don't want to configure that by limiting a whole subnet .. ;/ I'll have too many users with too many different bandwidth limits.
Thx,
Leander
Guy, you are becoming a bit annoying. Either describe better what you want or read what I have written to you!
I gave you an example of how to limit ONE user to the defined speeds. All ipfw rules are applied _strictly_ to the _user's_interface_, so they affect only ONE user. So to limit each user to a different speed you should just do it for each user with different speeds. You don't need to use any tables.
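To make the mechanism described in this thread concrete (mpd numbers the rules itself, substitutes %pN with its own pipe numbers, and appends " via ngX" so every rule is bound to one user's link), here is a small model of that expansion. It is an added example written for this page, not mpd's code: the pipe and rule numbers, the per-link offset, the assumption that rules are applied in order of their N, and the treatment of %tN as a global table number are all assumptions of the model, and ipfw itself is never called. It also goes a step beyond the single user in the reply above by generating the rules for several users with different speeds, which is what the per-user question asks for.

```python
import re

# Assumed numbering scheme for this model only; real mpd allocates its own
# pipe and rule numbers at run time, which is why you cannot choose them in
# the RADIUS attribute.
PIPE_BASE, RULE_BASE, PER_LINK = 1000, 10000, 100

# 'mpd-pipe += "1=bw 10Kbyte/s",'  ->  kind, number, body
ATTR_RE = re.compile(r'^(mpd-(?:pipe|table|rule))\s*\+=\s*"(\d+)=(.*)"$')


def problems(attrs):
    """Explain why an attribute would not work, per the two points in this thread:
    rules are numbered by mpd, and mpd appends its own ' via ngX' to each rule."""
    found = []
    for attr in attrs:
        if not ATTR_RE.match(attr.rstrip(",")):
            found.append(f"{attr!r}: mpd numbers ipfw rules itself; write the body as 'N=...'")
        if re.search(r"\bvia\b", attr):
            found.append(f"{attr!r}: mpd appends ' via ngX', so a second 'via' cannot be used")
    return found


def link_index(iface):
    """RADIUS-given rules are bound to the user's ng interface, never to rl0."""
    m = re.fullmatch(r"ng(\d+)", iface)
    if not m:
        raise ValueError(f"expected an ngX interface, got {iface!r}")
    return int(m.group(1))


def expand(attrs, iface):
    """Return the ipfw commands this model would issue for one user whose link is `iface`."""
    bad = problems(attrs)
    if bad:
        raise ValueError("; ".join(bad))
    base = link_index(iface) * PER_LINK          # keeps each user's numbers apart (assumption)
    pipes, tables, rules = {}, {}, {}
    for attr in attrs:
        kind, n, body = ATTR_RE.match(attr.rstrip(",")).groups()
        n = int(n)
        if kind == "mpd-pipe":
            pipes[n] = body
        elif kind == "mpd-table":
            tables.setdefault(n, []).append(body)  # tables assumed global, numbered as given
        else:
            rules[n] = body
    cmds = [f"ipfw pipe {PIPE_BASE + base + n} config {body}" for n, body in sorted(pipes.items())]
    cmds += [f"ipfw table {n} add {e}" for n, entries in sorted(tables.items()) for e in entries]
    for i, (n, body) in enumerate(sorted(rules.items())):   # assumption: applied in order of N
        body = re.sub(r"%p(\d+)", lambda m: str(PIPE_BASE + base + int(m.group(1))), body)
        body = re.sub(r"%t(\d+)", lambda m: m.group(1), body)
        cmds.append(f"ipfw add {RULE_BASE + base + i} {body} via {iface}")
    return cmds


def radius_attrs_for(in_kbytes, out_kbytes):
    """One user's attributes in the shape used in this thread (pipe 1 for 'in', pipe 5
    for 'out'). On the user's ng interface 'in' is traffic the client sends and 'out'
    is traffic delivered to the client."""
    return [
        f'mpd-pipe += "1=bw {in_kbytes}Kbyte/s",',
        f'mpd-pipe += "5=bw {out_kbytes}Kbyte/s",',
        'mpd-rule += "1=pipe %p1 all from any to any in",',
        'mpd-rule += "2=pipe %p5 all from any to any out",',
        'mpd-rule += "100=allow all from any to any",',
    ]


def per_user_rules(users):
    """users: {iface: (in_kbytes, out_kbytes)} -> {iface: ipfw commands}.
    Every rule carries its own 'via ngX', so one user's limits never touch another's."""
    return {iface: expand(radius_attrs_for(*speeds), iface) for iface, speeds in users.items()}


if __name__ == "__main__":
    # Constructed sample: two users with different speeds, as asked about in the thread.
    for iface, cmds in per_user_rules({"ng0": (10, 20), "ng1": (200, 400)}).items():
        print(f"# {iface}")
        print("\n".join(cmds))
    # The first attempt from the thread, and why it cannot work:
    print(problems(['mpd-rule += "100 divert natd ip from any to any in via rl0",']))
```

Running it prints one rule set per ng interface; the natd divert rules never appear there, which is the point of the reply above: they belong in rc.firewall on rl0, while the RADIUS-supplied shaping rules live on each user's ngX.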
maybe something like:
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 divert natd all from any to table\\(%t1\\) in",
mpd-rule += "2=pipe %p5 divert natd all from table\\(%t1\\) to any out",
and in rc.firewall:
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
#${fwcmd} add 100 divert natd ip from any to any in via rl0
#${fwcmd} add 110 divert natd ip from any to any out via rl0
${fwcmd} add allow all from any to any
;;
??
... right now I'm trying to figure out this kind of bandwidth limiter because I think it's a better choice than the IPFW one ...
mpd-filter += "1#1=nomatch src net 10.0.0.0/24",
mpd-filter += "1#2=match src net 10.0.0.0/10",
mpd-filter += "2#1=match dst net 10.0.0.0/16",
mpd-filter += "2#2=match dst net 11.0.0.0/8",
mpd-limit += "in#1=flt1 pass",
mpd-limit += "in#2=flt2 shape 64000 4000 pass",
mpd-limit += "in#3=all deny",
mpd-limit += "out#1=flt2 pass",
mpd-limit += "out#2=all rate-limit 1024000 150000 300000",
mpd-limit += "out#3=all pass",
But I also don't get it working ... I just don't know if 10.0.0.0 is supposed to be the REAL interface broadcast IP from rl0 where my Internet is coming into FreeBSD, or if that is the virtual PPPoE server address, because you never mentioned what addresses you're talking about.
It would be cool if you could give me a little more information about what IP addresses I have to fill in. I just spent a whole night trying and reading and trying again ;)
#################################################################################
Here is my ifconfig, while rl0 is the adapter where my Internet is coming in from a usual router:
[root@wisp ~]# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:02:2a:d0:56:dc
inet 10.1.10.80 netmask 0xff000000 broadcast 10.255.255.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
[root@wisp ~]#
#################################################################################
while this is in my etc/rc.conf:
# Network
hostname="wisp.leolinux"
ifconfig_rl0="inet 10.1.10.80 netmask 255.0.0.0"
defaultrouter="10.1.10.1"
gateway_enable="YES"
# NATd
natd_enable="YES"
natd_interface="rl0"
#natd_flags="-f /etc/natd.conf"
# IPFW - Firewall
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
#################################################################################
while I use these rules from etc/rc.firewall:
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
${fwcmd} add divert natd ip from any to any in via rl0
${fwcmd} add divert natd ip from any to any out via rl0
# ${fwcmd} add allow all from any to any
;;
#################################################################################
while this is my mpd.conf:
startup:
set console self 127.0.0.1 5005
set console user admin blub
set console open
log +radius2
default:
load PPPoE_server
PPPoE_server:
create bundle template B1
set ipcp ranges 11.1.11.1/32 80.50.80.10
set ipcp dns 145.253.2.203 195.202.32.79
set ipcp yes vjcomp
set iface route default
create link template L1 pppoe
set link enable multilink
set link action bundle B1
set link disable chap pap eap
set link enable chap
load radius
set pppoe service "*"
set link keep-alive 90 120
create link template ath0 L1
set pppoe iface ath0
set link enable incoming
create link template rl0 L1
set pppoe iface rl0
set link enable incoming
#################################################################################
I have ng_car and ng_bpf (which were already on the system) loaded with kldload.
I would appreciate your little kickstart very much ;)
Thx,
Leander
That example is not an exact solution, it is just a syntax example.
To shape a user to the defined speed with ng_car, all you need to do is:
mpd-limit += "in#1=all shape 64000",
mpd-limit += "out#1=all shape 64000",
Thank you man!! That was exactly what I was looking for ;)
mpd-limit += "in#1=all shape 64000",
mpd-limit += "out#1=all shape 64000",
Feels like Christmas ;)
THANK YOU !!!!
Now there is only ONE LAST little thing I want to get done. I don't want the PPPoE clients to be able to contact each other ... I only want them to be able to use the Internet.
Thank you very much!!!
best regards,
Leander