Differences

This shows you the differences between two versions of the page.

--- documentation:examples:maximum_bsdrp_features_lab [2019/10/03 14:09] – [Router 4] olivier
+++ documentation:examples:maximum_bsdrp_features_lab [2022/07/07 13:23] (current) – [IPv6 traffic shaping] olivier
@@ Line 80: / Line 80: @@
 <code>
-sysrc hostname=R5
+sysrc hostname=R5 \
-sysrc ifconfig_em3=up
+ ifconfig_em3=up \
-sysrc cloned_interfaces=epair0
+ cloned_interfaces=epair0 \
-sysrc ifconfig_epair0a=up
+ ifconfig_epair0a=up \
-sysrc kld_list+=" if_lagg carp"
+ kld_list+=" if_lagg carp"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
 cat > /etc/devfs.rules <<EOF
@@ Line 104: / Line 104: @@
 fi
 tenant -c -j jail6 -i epair0b
-sysrc -f /etc/jails/jail5/rc.conf hostname=jail5
+sysrc -f /etc/jails/jail5/rc.conf hostname=jail5 \
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_em3="inet 10.0.45.5/24"
+ ifconfig_em3="inet 10.0.45.5/24" \
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64"
+ ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64" \
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a="10.0.56.5/24"
+ ifconfig_epair0a="10.0.56.5/24" \
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_ipv6="inet6 2001:db8:56::5 prefixlen 64"
+ ifconfig_epair0a_ipv6="inet6 2001:db8:56::5 prefixlen 64" \
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_alias0="inet 10.0.56.254/32 vhid 1 pass testpass"
+ ifconfig_epair0a_alias0="inet 10.0.56.254/32 vhid 1 pass testpass" \
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_alias1="inet6 2001:db8:56::fe prefixlen 128 vhid 1 pass testpass"
+ ifconfig_epair0a_alias1="inet6 2001:db8:56::fe prefixlen 128 vhid 1 pass testpass" \
-sysrc -f /etc/jails/jail5/rc.conf rtadvd_enable=YES
+ rtadvd_enable=YES \
-sysrc -f /etc/jails/jail5/rc.conf rtadvd_interfaces=epair0a
+ rtadvd_interfaces=epair0a \
-sysrc -f /etc/jails/jail5/rc.conf dhcpd_enable=YES
+ dhcpd_enable=YES \
-sysrc -f /etc/jails/jail5/rc.conf dhcpd_flags="-q"
+ dhcpd_flags="-q" \
-sysrc -f /etc/jails/jail5/rc.conf dhcpd_conf="/usr/local/etc/dhcpd.conf"
+ dhcpd_conf="/usr/local/etc/dhcpd.conf" \
-sysrc -f /etc/jails/jail5/rc.conf frr_enable=YES
+ frr_enable=YES \
-sysrc -f /etc/jails/jail5/rc.conf frr_vtysh_boot="YES"
+ frr_vtysh_boot=YES \
-sysrc -f /etc/jails/jail5/rc.conf nfacctd_enable=YES
+ nfacctd_enable=YES \
-sysrc -f /etc/jails/jail5/rc.conf pimd_enable=YES
+ pimd_enable=YES
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/rc.conf
 mkdir -p /etc/jails/jail5/local/frr
@@ Line 130: / Line 130: @@
 subnet 10.0.45.0 netmask 255.255.255.0 {
 }
 #Declare R1 LAN and gateway
 subnet 10.0.12.0 netmask 255.255.255.0 {
@@ Line 193: / Line 194: @@
 EOF
-sysrc -f /etc/jails/jail6/rc.conf hostname=jail6
+sysrc -f /etc/jails/jail6/rc.conf hostname=jail6 \
-sysrc -f /etc/jails/jail6/rc.conf ifconfig_epair0b="up"
+ ifconfig_epair0b="up" \
-sysrc -f /etc/jails/jail6/rc.conf cloned_interfaces="lagg0"
+ cloned_interfaces="lagg0" \
-sysrc -f /etc/jails/jail6/rc.conf ifconfig_lagg0="laggproto failover laggport epair0b SYNCDHCP"
+ ifconfig_lagg0="laggproto failover laggport epair0b SYNCDHCP" \
-sysrc -f /etc/jails/jail6/rc.conf ifconfig_lagg0_ipv6="inet6 accept_rtadv"
+ ifconfig_lagg0_ipv6="inet6 accept_rtadv" \
-sysrc -f /etc/jails/jail6/rc.conf rtsold_enable=YES
+ rtsold_enable=YES \
-sysrc -f /etc/jails/jail6/rc.conf bsnmpd_enable=YES
+ bsnmpd_enable=YES \
-sysrc -f /etc/jails/jail6/rc.conf gateway_enable=NO
+ gateway_enable=NO \
-sysrc -f /etc/jails/jail6/rc.conf ipv6_gateway_enable=NO
+ ipv6_gateway_enable=NO
 service jail start
 </code>
@@ Line 436: / Line 437: @@
 sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
 sysrc bird_enable=YES
-sysrc bird6_enable=YES
 sysrc pf_enable=YES
 sysrc pf_rules="/etc/pf.conf"
@@ Line 442: / Line 442: @@
 cat > /etc/pf.conf <<EOF
+#Variables definitions
+#TO_R2_if = "{" vtnet1.23 em1.23 "}"
+#TO_R4_if = "{" vtnet2 em2 "}"
+#R2 = "10.0.0.2/32"
+#R4 = "10.0.0.4/32"
+## ALTQ rules
+# Queue outgoing from \$TO_R4_if (R2 => R4)
+# Rate-limit inet 4 VPN traffic to 10Mb
+#altq on \$TO_R4_if hfsc bandwidth 100Mb queue { VPN4_TO_R4, OTHER_TO_R4 }
+#queue VPN4_TO_R4 bandwidth 10Mb hfsc(upperlimit 10Mb)
+#queue OTHER_TO_R4 bandwidth 90Mb hfsc(default)
+# Queue for outgoing traffic from \$TO_R2_if (R4 => R2)
+#altq on \$TO_R2_if hfsc bandwidth 100Mb queue { VPN4_TO_R2, OTHER_TO_R2 }
+#queue VPN4_TO_R2 bandwidth 10Mb hfsc(upperlimit 10Mb)
+#queue OTHER_TO_R2 bandwidth 90Mb hfsc(default)
+## PF rules
+# R2 => R4
+# Shapping works on outgoing traffic only, but need to 'mark' traffic
+# entering the interface for putting returning traffic in the good queue
+#pass in quick on \$TO_R2_if proto gre from \$R2 to \$R4 queue VPN4_TO_R2
+# Apply ALTQ to traffic that get out from \$TO_R4_if
+#pass out quick on \$TO_R4_if proto gre from \$R2 to \$R4 queue VPN4_TO_R4
+# PF rules R4 => R2
+#pass in quick on \$TO_R4_if proto gre from \$R4 to \$R2 queue VPN4_TO_R4
+#pass out quick on \$TO_R2_if proto gre from \$R4 to \$R2 queue VPN4_TO_R2
 # ALTQ is disabled since BSDRP 1.81 (too much performance impact)
 pass all
@@ Line 456: / Line 487: @@
 # Sync bird routing table with kernel
-protocol kernel {
+protocol kernel kernel4 {
+    ipv4 {
         export all;
+    };
+}
+protocol kernel kernel6 {
+    ipv6 {
+        export all;
+    };
 }
@@ Line 465: / Line 503: @@
 }
-# Include directly connected network
+# Include directly connected networks
 protocol direct {
-        interface "vtnet1", "em1", "vtnet2", "em2";
+        ipv4;
+        ipv6;
 }
-protocol rip R4 {
+protocol rip R4inet4 {
-        export all;
+    interface "vtnet2","em2" {
-        interface "vtnet2","em2" {
+        version 2;
-            version 2;
+    };
-            password "rippassword" { algorithm keyed md5; };
+    ipv4 {
-            authentication cryptographic;
+         export all;
-        };
+    };
 }
-protocol bgp R2 {
+protocol rip ng R4inet6 {
-        local as 100;
+    interface "vtnet2","em2" ;
-        # Bird creates IPSEC SAD entry automatically but it need to know the source IP address
+    ipv6 {
-        # Otherwise it will use the wrong 0.0.0.0 IP as source
-        source address 10.0.23.3;
-        neighbor 10.0.23.2 as 100;
-        password "abigpassword";
-        import all;
         export all;
+    };
 }
-EOF
-cat > /usr/local/etc/bird6.conf <<EOF
+protocol bgp R2inet4 {
-# Configure logging
+    local as 100;
-log syslog all;
+    # Bird creates IPSEC SAD entry automatically but it need to know the source IP address
-log "/var/log/bird6.log" all;
+    # Otherwise it will use the wrong 0.0.0.0 IP as source
-log stderr all;
+    source address 10.0.23.3;
+    neighbor 10.0.23.2 as 100;
-# Override router ID
+    password "abigpassword";
-router id 0.0.0.3;
+    ipv4 {
+        import all;
-# Sync bird routing table with kernel
-protocol kernel {
-        export all;
-}
-protocol device {
-        scan time 10;
-}
-protocol direct {
-        interface "vtnet1", "em1", "vtnet2", "em2";
-}
-protocol rip R4 {
         export all;
-        interface "vtnet2","em2" ;
+    };
 }
-protocol bgp R2 {
+protocol bgp R2inet6 {
-        local as 100;
+    local as 100;
-        # Bird creates IPSEC SAD entry automatically but it need to know the source IP address
+    # Bird creates IPSEC SAD entry automatically but it need to know the source IP address
-        # Otherwise it will use the wrong :: IP as source
+    # Otherwise it will use the wrong :: IP as source
-        source address 2001:db8:23::3;
+    source address 2001:db8:23::3;
-        neighbor 2001:db8:23::2 as 100;
+    neighbor 2001:db8:23::2 as 100;
-        password "abigpassword";
+    password "abigpassword";
+    ipv6 {
         import all;
         export all;
+    };
 }
 EOF
@@ Line 534: / Line 557: @@
 service pf start
 service bird start
-service bird6 start
 </code>
 ==== Router 4 ====
@@ Line 735: / Line 757: @@
         kldload dummynet
 fi
 # Flush out the list before we begin.
 \${fwcmd} -f flush
@@ Line 768: / Line 791: @@
 <code>
-sysrc hostname=R1
+sysrc hostname=R1 \
-sysrc gateway_enable=NO
+ gateway_enable=NO \
-sysrc ipv6_gateway_enable=NO
+ ipv6_gateway_enable=NO \
-sysrc ifconfig_em0=up
+ ifconfig_em0=up \
-sysrc cloned_interfaces=lagg0
+ cloned_interfaces=lagg0 \
-sysrc ifconfig_lagg0="laggproto loadbalance laggport em0 SYNCDHCP"
+ ifconfig_lagg0="laggproto loadbalance laggport em0 SYNCDHCP" \
-sysrc ifconfig_lagg0_ipv6="inet6 accept_rtadv"
+ ifconfig_lagg0_ipv6="inet6 accept_rtadv" \
-sysrc sshd_enable=yes
+ sshd_enable=yes
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
 config save
@@ Line 868: / Line 891: @@
 iperf Done.
 [root@R1]~#
+</code>
+And during iperf, R4 ipfw pipe showing some activity:
+<code>
+root@R4:~ # ipfw pipe show
+:  10.000 Mbit/s    0 ms burst 0
+q131112  50 sl. 0 flows (1 buckets) sched 65576 weight 0 lmax 0 pri 0 droptail
+ sched 65576 type FIFO flags 0x0 0 buckets 0 active
+:  10.000 Mbit/s    0 ms burst 0
+q131113  50 sl. 0 flows (1 buckets) sched 65577 weight 0 lmax 0 pri 0 droptail
+ sched 65577 type FIFO flags 0x0 0 buckets 0 active
+:  20.000 Mbit/s    0 ms burst 0
+q131133  50 sl. 0 flows (1 buckets) sched 65597 weight 0 lmax 0 pri 0 droptail
+ sched 65597 type FIFO flags 0x0 0 buckets 1 active
+BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
+ip           0.0.0.0/0             0.0.0.0/0      483   378358  9 6349   0
+:  20.000 Mbit/s    0 ms burst 0
+q131132  50 sl. 0 flows (1 buckets) sched 65596 weight 0 lmax 0 pri 0 droptail
+ sched 65596 type FIFO flags 0x0 0 buckets 1 active
+ip           0.0.0.0/0             0.0.0.0/0      125    15881  0    0   0
 </code>
 ==== netflow ====