How To Get The Most Out Of Dummynet

An anonymous reader writes "BSDVault has published a tutorial on using dummynet to weight and queue traffic based on classes and type of service. The tutorial is called 'IPFW NAT firewall with WF2Q+ (Worst-case Fair Weighted Fair Queuing) Policy' and details how to add queuing and priority to the traffic flowing in and out of your network. There is also an example script to get you started in writing your own rules with plenty of self explanatory configurations that you should find very useful for getting a similar config up and working. If you are into this kind of thing a worthy read ... "

  • by Strog ( 129969 ) on Wednesday September 18, 2002 @09:32AM (#4280828) Homepage Journal
    I was looking at options for managing bandwidth at work. We already do priority queuing but this could give a more fine grain control over who gets the bandwidth and when.

    I was going to do some testing at home. My wife just browses the internet and chats while I have some higher priority realtime traffic (Counterstrike, MOHAA, UT2003, etc). I was thinking about giving her 1/4-1/3 of the bandwidth so it didn't affect my ping as much. Her traffic is fairly light and she goes to bed early so it hasn't really been a big deal. Most of what I do at home isn't necessary but it's a good place to tinker and learn.

    There are a lot of good tidbits in this article. Very good timing for me.
  • I am experimenting with IPFW/DUMMYNET for bandwidth shaping, but using ipfilter for the firewall. A little more complicated, but I think it gives me the best of everything (I really like ipfilter, but it lacks bandwidth shaping features). This is for an ISP, so it will handle workstations and a variety of different servers. We use a PCI T1 card from Sangoma, and multiple port ethernet cards. This allows me to create a DMZ (or several) quite easily. The config, overall, looks confusing at first but really isn't.

    Once it is fully implemented, I plan to publish the details (network diagram and config files). FreeBSD is perfect for this task.

    BTW- for the curious, what I describe is a poor man's Juniper switch.

    • Have you tried ALTQ? I find it blends nicely with ipfilter (I prefer it myself).
      • I have looked at ALTQ, but I cannot find a simple "how-to" to get me started. I also got the impression that it was still a little rough-- maybe not ready for prime time.

        The server I am putting together will be a production server, so I am sticking with what I know and what I am confident will work. I am, however, curious about ALTQ (others have pointed it out to me), do you have any links or tips?

        • There are some more experimental queueing systems for altq, but if you stick with CBQ, RED, and/or HFSC, you should be fine. ALTQ is actually part of OpenBSD which is a nice touch (and gives it a stamp of approval on stability and such).

          This tips sheet is pretty much the most helpful piece of get started info. If you can get ALTQ in your system, then I would personally start with Section 2.1 (hint: don't bother adding it statically to your kernel, the klds work fine).

  • by smnolde ( 209197 ) on Wednesday September 18, 2002 @05:29PM (#4284719) Homepage
    I only started doing it as a way to learn how to do it.

    I began with a working ipfw/natd firewall script and added in the dummynet stuff... Funny how if the wife is holding out, I can restrict her bandwidth with a few clicks. Netsurfing at 14400bps is the pits... but it worked... that's another story.

    Then I saw queues... and what kind of power they had. I realize I'm only scratching the surface of using queues with DUMMYNET, but I wanted some flexibility of which ports I could prioritize and I didn't want to rewrite a fixed script every time.

    The result is at The beauty of my script is that it doesn't limit the user to a fixed number of queues. Luigi Rizzo seems to think thousands of queues are possible with a very minimal performance hit.

    Potentially I could modify the script to limit certain ports at certain bandwidths... I am only scratching the surface.

    GPG Key 0xD869AB48

  • I've been toying with dummynet on my FreeBSD router on my home network. I especially wanted to improve the effectiveness of the Internet connection under higher loads, and looking at the documentation reveals dummynet has huge possibilities with its level of flexibility and configuration options, and how it integrates with IPFW. However, the documentation lacks real world examples of how dummynet could be used in a practical situation.

    I found this article is somewhat helpful to me.

  • W2FQ has nice delay guarantees when composed on an end2end basis with routers employing FQ. The reality is that having RSVP signaling and FQ deployed on an end2end basis will never happen, so you're better off using diff-serv and priority queuing instead.
  • by Anonymous Coward
    take a look at the howto on 's freebsd section - it contains a slightly more understandable example
  • ALTQ (Score:1, Interesting)

    by Anonymous Coward
    For doing more sophisticated work look into altq. e. html#ALTQ
  • Ezunix has an article on this same subject.

    Net: Dummynet Traffic Shaping with WF2Q
  • I've been doing some speed tests. The box is a 1Ghz Celeron and builtin SIS ethernet card going off to a cable modem and a second realtek card which my home network is on.

    With about 25000 rules (that all get checked), the ping times go from 7.479ms (12 rules) to 61ms. 14k rules is about 37ms.

    What I'm looking at is a bandwidth controller for a wireless isp like application. I'm figuring on NAT directly dealing with 3 separate /24 and passing through one /28 of real internet space. I expect to have at least 5 rules per ip address. I haven't looked into using the skipto rules yet. I want to make sure some stuff has priority and has priority over the junk but I don't want to have to get draconian if I can help it.

    What I want to do is count all port 25 traffic so I can find virused pc's with ease. I would also like to count all the web traffic per IP address. I also want to be able to track down those funky spikes when they show up but I think other tools will be better for that.

    I like IPFW's ability to change rules by rule number and get a count per rule number. This allows me to have a script so I can "lart". I want to pull usage stats off to mrtg.

    One problem I haven't solved is how do I count web traffic? For example:
    00015 74 20143 count tcp from to any 3128 keep-state
    00015 39 6917 count tcp from to any 3128
    It appears that keep-state keeps track of both sides.
    I'm not sure if that's counting both inbound or outbound or both.

    The IPFW system seems very powerful and I'm just getting into some of its cool features (like divert). About the only thing I can't find out how to do is specify an inverted port range. The syntax allows you to say anything that isn't port 45 but you can't say "anything that is but not port 45"

    It would be cool if there was a way to rewrite addresses on the divert. Right now you can divert to an interface but it would be cool to be able to say divert any port 80 stuff to the squid proxy. I'm getting what I think is strange behavior. If I divert to a port that apache is looking at, it can't id the port but for some reason inetd can tell.
    • Read about natd... and you could prolly use the fwd command to forward rules, doing transproxy stuff.

      As far as your rules above, to track usage, you do need to specify inbound and outbound...
      ipfw add count tcp from ${ip} to any 80
      ipfw add count tcp from any 80 to ${ip}
      ...should do it.

      Try it out.
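
The per-host counting discussed in the two comments above (one count rule per direction, then reading the counters back to spot a machine sending unusual amounts of port 25 traffic), as an added example that is not part of the thread. The rule numbers, addresses, counter values and function names are constructed, and the `ipfw show` layout is assumed to be the one quoted in the comment (rule number, packets, bytes, rule text).

```shell
#!/bin/sh
# Added example, not from the thread. All numbers and addresses are constructed.

# Print (do not run) one pair of count rules per host: outbound and inbound.
# usage: gen_count_rules FIRST_RULE_NUMBER PORT HOST...
gen_count_rules() {
    num=$1; port=$2; shift 2
    for ip in "$@"; do
        echo "ipfw add $num count tcp from $ip to any $port"
        echo "ipfw add $((num + 1)) count tcp from any $port to $ip"
        num=$((num + 2))
    done
}

# Read "ipfw show" output on stdin; print "host pkts_out bytes_out bytes_in"
# for every host that has count rules on PORT.
per_host_usage() {
    awk -v port="$1" '
        { gsub(/ (src|dst)-port/, "") }   # tolerate explicit port keywords
        $4 != "count" || $6 != "from" { next }
        $8 == "to" && $9 == "any" && $10 == port {    # from HOST to any PORT
            pk[$7] += $2; out[$7] += $3; seen[$7] = 1 }
        $7 == "any" && $8 == port && $9 == "to" {     # from any PORT to HOST
            inb[$10] += $3; seen[$10] = 1 }
        END { for (h in seen)
                  printf "%s %.0f %.0f %.0f\n", h, pk[h], out[h], inb[h] }
    ' | sort
}

# Hosts whose outbound port 25 packet count is above LIMIT.
smtp_suspects() {
    per_host_usage 25 | awk -v limit="$1" '$2 > limit { print $1 }'
}

# Constructed stand-in for "ipfw show" output.
SAMPLE_SHOW='01000   12    9120 count tcp from 192.168.1.10 to any 25
01001   10    4100 count tcp from any 25 to 192.168.1.10
01002 4821 3566540 count tcp from 192.168.1.11 to any 25
01003 3990  351120 count tcp from any 25 to 192.168.1.11
02000  740   88800 count tcp from 192.168.1.10 to any 80
02001  910 1201200 count tcp from any 80 to 192.168.1.10
65535 9999 9999999 allow ip from any to any'

gen_count_rules 1000 25 192.168.1.10 192.168.1.11
printf '%s\n' "$SAMPLE_SHOW" | per_host_usage 80
printf '%s\n' "$SAMPLE_SHOW" | smtp_suspects 1000
```

On a live router the input would come from `ipfw show` instead of the sample, and the per-host byte columns are the values to hand to a grapher such as mrtg.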
  • a simple-to-use (read: GUI) interface on either AltQ or Dummynet so that I can dynamically adjust the rate of different traffic classes. That is, I'd like to be able to manually lower the bandwidth allowed for some traffic that is going through my firewall.

    As an example: sometimes I've already started up a huge download (4.6.2-disc1.iso, for instance). But now I want to play UT and so I want to make sure that the download runs, but doesn't eat up all of the DSL line. Since most user apps don't have rate limiting built in, I just want to tweak the firewall so that all non-UT traffic uses only 50% of the DSL bandwidth.

    I want to just pull up a control panel and click.

    3 years ago at a previous employer, I helped build something just like this. For various reasons it sucked (not the least being that it was encumbered and unavailable). I had hoped that Altq or Dummynet would get something like this since then.
