Нужно натить пользователей на разные каналы независимо друг от друга
Проблема - периодические лаги
Поллинг отключен (проверял с ним - пинги растут)
net.inet.ip.fw.one_pass=0
Небольшие пояснения:
Есть четыре группы пользователей, для каждой свой table. Каждая группа с помощью setfib и такой-то матери заворачивается на свой канал. ipfw nat пробовал пользовать, но не вышло - больно глючная штука оказалась (я тут где-то про это уже писал). Доступ к серверу - как просто NAT, так и впн.
Конфиг ipfw:
#Pipes------------------------------
# dummynet pipes: each one emulates a link with a fixed bandwidth (the bw
# values come from variables set outside this listing) and a queue of 50;
# with no unit given, ipfw counts the queue size in slots (packets).
# Judging by the variable names the pipes come in download/upload pairs.
# The queues configured after this section attach to these pipes by number.
# NOTE(review): pipes 100, 300 and 700 all use $downi while their upload
# partners use $upi/$up2/$up3 - confirm the shared download rate is intended.
$fw pipe 100 config bw $downi queue 50
$fw pipe 200 config bw $upi queue 50
$fw pipe 300 config bw $downi queue 50
$fw pipe 400 config bw $up2 queue 50
# Pipes 500/600 feed queues 501/601, which are only referenced from a
# commented-out rule in this listing, so they look unused here.
$fw pipe 500 config bw $downvtk queue 50
$fw pipe 600 config bw $upvtk queue 50
$fw pipe 700 config bw $downi queue 50
$fw pipe 800 config bw $up3 queue 50
$fw pipe 1120 config bw $downinkhd queue 50
$fw pipe 1220 config bw $upinkhd queue 50
$fw pipe 1320 config bw $downkhd queue 50
$fw pipe 1420 config bw $upkhd queue 50
# Both directions of the game-server traffic use the same rate variable.
$fw pipe 2120 config bw $gamestr queue 50
$fw pipe 2220 config bw $gamestr queue 50
#-----------------------------------
#Queues
# dummynet queues, one per pipe. Every queue uses:
#   weight <var>           - share of the parent pipe relative to other queues
#   queue 50               - queue size of 50 (slots when no unit is given)
#   gred 0.002/10/35/0.1   - gentle RED, in ipfw's w_q/min_th/max_th/max_p order
#   mask ... 0xffffffff    - a separate dynamic queue per full IPv4 address
# Download queues mask on dst-ip and upload queues on src-ip. The upload
# queue rules (05xxx) are numbered before the divert rules (07xxx), and the
# download queue rules (08xxx) after them, so in both directions the masked
# address is presumably the LAN-side one and sharing is per internal host.
#inet --> LAN
$fw queue 101 config weight $tcp1w queue 50 pipe 100 gred 0.002/10/35/0.1 mask dst-ip 0xffffffff
#LAN --> inet
$fw queue 201 config weight $tcp1w queue 50 pipe 200 gred 0.002/10/35/0.1 mask src-ip 0xffffffff
#inet --> LAN (used by rule 08070 for $inet2)
$fw queue 301 config weight $tcp1w queue 50 pipe 300 gred 0.002/10/35/0.1 mask dst-ip 0xffffffff
#LAN --> inet (used by rule 05070 for $inet2)
$fw queue 401 config weight $tcp1w queue 50 pipe 400 gred 0.002/10/35/0.1 mask src-ip 0xffffffff
#VTK --> LAN (only referenced from a commented-out rule in this listing)
$fw queue 501 config weight $tcp2w queue 50 pipe 500 gred 0.002/10/35/0.1 mask dst-ip 0xffffffff
#LAN --> VTK (no rule in this listing references it)
$fw queue 601 config weight $tcp2w queue 50 pipe 600 gred 0.002/10/35/0.1 mask src-ip 0xffffffff
#inet --> LAN (used by rule 08080 for $inet3)
$fw queue 701 config weight $tcp1w queue 50 pipe 700 gred 0.002/10/35/0.1 mask dst-ip 0xffffffff
#LAN --> inet (used by rule 05080 for $inet3)
$fw queue 801 config weight $tcp1w queue 50 pipe 800 gred 0.002/10/35/0.1 mask src-ip 0xffffffff
#KHD inet --> LAN
$fw queue 1121 config weight $tcp1w queue 50 pipe 1120 gred 0.002/10/35/0.1 mask dst-ip 0xffffffff
#LAN --> KHD inet
$fw queue 1221 config weight $tcp1w queue 50 pipe 1220 gred 0.002/10/35/0.1 mask src-ip 0xffffffff
#KHD Net --> LAN
$fw queue 1321 config weight $tcp2w queue 50 pipe 1320 gred 0.002/10/35/0.1 mask dst-ip 0xffffffff
#LAN --> KHD Net
$fw queue 1421 config weight $tcp2w queue 50 pipe 1420 gred 0.002/10/35/0.1 mask src-ip 0xffffffff
#KHD Game --> LAN
$fw queue 2121 config weight $tcp1w queue 50 pipe 2120 gred 0.002/10/35/0.1 mask dst-ip 0xffffffff
#LAN --> KHD Game
$fw queue 2221 config weight $tcp1w queue 50 pipe 2220 gred 0.002/10/35/0.1 mask src-ip 0xffffffff
#-----------------------------------
#Selfcare & service
##loopback
# Accept everything on the loopback interface, then drop any packet that
# carries a 127.0.0.0/8 address on any other interface (loopback anti-spoofing).
# NOTE(review): this is the only anti-spoofing visible in the listing; there is
# no comparable rule dropping private or own-LAN source addresses arriving on
# the uplink interfaces - confirm whether that is handled elsewhere.
$fwa 01000 allow ip from any to any via lo0
$fwa 01010 deny ip from any to 127.0.0.0/8
$fwa 01020 deny ip from 127.0.0.0/8 to any
#-----------------------------------
##Routing tables
# Policy routing: packets received on $lan or $vlan are tagged with a FIB
# (routing table) number chosen by which ipfw table their source address is in:
#   table(5) -> FIB 0, table(6) -> FIB 1, table(7) -> FIB 2, table(8) -> FIB 3.
# setfib only tags the packet; rule processing continues with the next rule.
# The bare "setfib N route ..." lines are shell commands, not ipfw rules: they
# replace the default route of FIB N each time this script runs, so there is a
# short moment between "delete" and "add" when that FIB has no default route.
# FIB 0 gets no route command here and keeps the system default route.
# NOTE(review): the uplink is selected purely by source IP as seen on the LAN;
# a host that takes an address from another table gets that table's uplink
# unless something outside this listing binds addresses to hosts - verify.
$fwa 01100 setfib 0 ip from "table(5)" to any in recv $lan
$fwa 01110 setfib 0 ip from "table(5)" to any in recv $vlan
setfib 1 route delete default
setfib 1 route add default $gw
$fwa 01120 setfib 1 ip from "table(6)" to any in recv $lan
$fwa 01130 setfib 1 ip from "table(6)" to any in recv $vlan
setfib 2 route delete default
setfib 2 route add default $gw2
$fwa 01140 setfib 2 ip from "table(7)" to any in recv $lan
$fwa 01150 setfib 2 ip from "table(7)" to any in recv $vlan
setfib 3 route delete default
setfib 3 route add default $gw_khd
$fwa 01160 setfib 3 ip from "table(8)" to any in recv $lan
$fwa 01170 setfib 3 ip from "table(8)" to any in recv $vlan
#-----------------------------------
##Incoming VPN for KHD users
# Hosts in table(9) may talk to this machine itself over $lan, both ways.
# NOTE(review): the match is "ip", i.e. every protocol and port on the host,
# not only the VPN service - consider narrowing to what the VPN needs.
$fwa 02300 allow ip from "table(9)" to me in via $lan
$fwa 02305 allow ip from me to "table(9)" out via $lan
#-----------------------------------
##Access for gaming and web servers
# LAN-side half of the $hostel <-> $khd_serv path: accept the request coming in
# from the LAN and the reply going back out to it. The uplink-side half is
# handled by the 05xxx-09xxx rules.
$fwa 03041 allow ip from $hostel to $khd_serv in via $lan
$fwa 03042 allow ip from $hostel to $khd_serv in via $vlan
$fwa 03043 allow ip from $khd_serv to $hostel out via $lan
$fwa 03044 allow ip from $khd_serv to $hostel out via $vlan
##KHD Inet & intranet
# "not me" = any address that is not one of this host's own, so these rules
# cover forwarded traffic only. They are stateless: the "out" rules accept any
# packet towards a table(8) address regardless of whether the host asked for it.
$fwa 03045 allow ip from "table(8)" to not me in via $lan
$fwa 03046 allow ip from "table(8)" to not me in via $vlan
$fwa 03047 allow ip from not me to "table(8)" out via $lan
$fwa 03048 allow ip from not me to "table(8)" out via $vlan
##KHD VPN
# NOTE(review): these two rules name no interface, so a packet with a
# $vpn_net source is accepted inbound on any interface, uplinks included.
# Binding them to the VPN interface (not shown in this listing) would stop a
# spoofed $vpn_net source from matching on the WAN side - confirm intent.
$fwa 03090 allow ip from $vpn_net to not me in
$fwa 03091 allow ip from not me to $vpn_net out
#Khd game servers
#Stargazer
# table(1) is presumably filled by the Stargazer billing system with the
# currently authorised clients - verify; its contents are not in this listing.
$fwa 03141 allow ip from "table(1)" to not me in via $lan
$fwa 03142 allow ip from "table(1)" to not me in via $vlan
$fwa 03143 allow ip from not me to "table(1)" out via $lan
$fwa 03144 allow ip from not me to "table(1)" out via $vlan
#----------------------------------
#NAT & queues
##Outgoing queues
# Upload shaping, applied on the uplink interfaces before the divert rules
# (07xxx), so the source address is presumably still the LAN-side one and the
# src-ip mask of each queue shares bandwidth per internal host. With
# net.inet.ip.fw.one_pass=0 (as stated in the post) a packet leaving a queue
# re-enters the ruleset at the next rule instead of being accepted.
# ipfw orders rules by number, not file position: 05045 and 05055 are evaluated
# between 05040/05050 and 05050/05060 even though they are written after them.
# More specific destinations ($khd_serv, $khd_net, $khd_real) are matched
# before the catch-all "to any" rules for the same interface.
$fwa 05010 queue 2221 ip from $hostel to $khd_serv out via $ifkhd
$fwa 05020 queue 1421 ip from "table(8)" to $khd_net out via $ifkhd
$fwa 05030 queue 1421 ip from "table(8)" to $khd_real out via $ifkhd
$fwa 05040 queue 1421 ip from $vpn_net to $khd_net out via $ifkhd
$fwa 05050 queue 1421 ip from $vpn_net to $khd_real out via $ifkhd
$fwa 05045 queue 1421 ip from "table(5)" to $khd_net out via $ifkhd
$fwa 05055 queue 1421 ip from "table(5)" to $khd_real out via $ifkhd
# NOTE(review): because processing continues after a queue action, a packet
# matched by one of the specific rules above can also match a later "to any"
# rule on the same interface (e.g. 05020 then 05090) and be queued twice -
# confirm this double shaping is intended.
$fwa 05060 queue 201 ip from "table(5)" to any out via $inet
$fwa 05070 queue 401 ip from "table(6)" to any out via $inet2
$fwa 05080 queue 801 ip from "table(7)" to any out via $inet3
$fwa 05090 queue 1221 ip from "table(8)" to any out via $ifkhd
$fwa 05100 queue 1221 ip from $vpn_net to any out via $ifkhd
# Traffic originated by this host on $inet shares the same upload pipe.
$fwa 05110 queue 201 ip from me to any out via $inet
#-----------------------------------
##NAT
# NAT is done by diverting packets to userland divert sockets, one port per
# uplink: 8778 -> $ifkhd, 8558 -> $inet2, 8668 -> $inet3, 8448 -> $inet.
# Presumably a natd instance listens on each port - the daemons and their
# configuration are not part of this listing. The in-kernel "ipfw nat"
# variants are left commented out.
# NOTE(review): every diverted packet is copied to a userland process and
# back; under load this path is a likely contributor to the latency spikes
# described in the post - measure before attributing them to dummynet.
#$fwa 07100 nat 100 ip from any to any via $inet
#$fwa 07130 nat 400 ip from any to any via $inet2
# --- $ifkhd: translate outgoing traffic of every group allowed on this uplink.
$fwa 07100 divert 8778 ip from "table(8)" to any out via $ifkhd
$fwa 07110 divert 8778 ip from $vpn_net to any out via $ifkhd
$fwa 07120 divert 8778 ip from $hostel to any out via $ifkhd
$fwa 07130 divert 8778 ip from "table(5)" to any out via $ifkhd
# fwd overrides the next hop and terminates the rule search, so packets whose
# source is $host_khd (presumably this host's address on $ifkhd - verify) are
# sent to $gw_khd and never reach the 09xxx allow rules. The rule names no
# direction or interface, so it matches any packet with that source address.
$fwa 07140 fwd $gw_khd ip from $host_khd to any
# Everything arriving on the uplink for this host goes through the NAT daemon
# so replies can be mapped back to the internal address.
$fwa 07150 divert 8778 ip from any to me in via $ifkhd
# --- $inet2: same three-step pattern for table(6).
$fwa 07200 divert 8558 ip from "table(6)" to any out via $inet2
$fwa 07230 fwd $gw ip from $host to any
$fwa 07250 divert 8558 ip from any to me in via $inet2
# --- $inet3: same pattern for table(7).
$fwa 07300 divert 8668 ip from "table(7)" to any out via $inet3
$fwa 07330 fwd $gw2 ip from $host2 to any
$fwa 07350 divert 8668 ip from any to me in via $inet3
# --- $inet: table(5); no fwd rule here, so the FIB 0 default route is used.
$fwa 07420 divert 8448 ip from "table(5)" to any out via $inet
$fwa 07450 divert 8448 ip from any to me in via $inet
#$fwa 07300 nat 200 ip from any to any via $inet3
#$fwa 07400 nat 300 ip from any to any via $wan
#----------------------------------
##Incoming queues
# Download shaping, applied on the uplink interfaces after the inbound divert
# rules (07xxx), so the destination is presumably already the translated
# LAN-side address and the dst-ip mask of each queue shares per internal host.
# With net.inet.ip.fw.one_pass=0 (as stated in the post) the packet continues
# to the allow rules after being queued.
# ipfw orders rules by number: 08040 and 08050 are evaluated before 08045 and
# 08055 even though they are written after them.
$fwa 08010 queue 2121 ip from $khd_serv to $hostel in via $ifkhd
$fwa 08020 queue 1321 ip from $khd_net to "table(8)" in via $ifkhd
$fwa 08030 queue 1321 ip from $khd_real to "table(8)" in via $ifkhd
$fwa 08045 queue 1321 ip from $khd_real to "table(5)" in via $ifkhd
$fwa 08055 queue 1321 ip from $khd_net to "table(5)" in via $ifkhd
$fwa 08040 queue 1321 ip from $khd_real to $vpn_net in via $ifkhd
$fwa 08050 queue 1321 ip from $khd_net to $vpn_net in via $ifkhd
# NOTE(review): as with the outgoing queues, a packet matched by a specific
# rule above can also match a later "from any" rule on $ifkhd (e.g. 08020 then
# 08090) and pass through two queues - confirm this is intended.
$fwa 08060 queue 101 ip from any to "table(5)" in via $inet
$fwa 08070 queue 301 ip from any to "table(6)" in via $inet2
$fwa 08080 queue 701 ip from any to "table(7)" in via $inet3
$fwa 08090 queue 1121 ip from any to "table(8)" in via $ifkhd
$fwa 08100 queue 1121 ip from any to $vpn_net in via $ifkhd
# Traffic addressed to this host itself on $inet shares the download pipe.
$fwa 08110 queue 101 ip from any to me in via $inet
#$fwa 08050 queue 501 ip from $vtk to any in via $wan
#-----------------------------------
#$fwa 09000 allow all from any to any
#Allowing connections
# Final accept rules for the uplink interfaces. All of them are stateless
# (no keep-state / check-state in this listing): each direction is permitted
# by address and interface alone.
##Outgoing allowers
#$fwa 09000 allow ip from "table(5)" to $vtk out via $wan
#$fwa 09010 allow ip from me to $vtk out via $wan
# These match on LAN-side source addresses. Packets rewritten by the NAT
# daemon to $host/$host2/$host_khd are taken by the fwd rules (07140, 07230,
# 07330) first, since fwd ends the rule search.
$fwa 09010 allow ip from $hostel to $khd_serv out via $ifkhd
$fwa 09020 allow ip from "table(8)" to $khd_real out via $ifkhd
$fwa 09030 allow ip from "table(8)" to $khd_net out via $ifkhd
$fwa 09025 allow ip from "table(5)" to $khd_real out via $ifkhd
$fwa 09035 allow ip from "table(5)" to $khd_net out via $ifkhd
$fwa 09040 allow ip from $vpn_net to $khd_real out via $ifkhd
$fwa 09050 allow ip from $vpn_net to $khd_net out via $ifkhd
$fwa 09060 allow ip from "table(5)" to any out via $inet
$fwa 09070 allow ip from "table(6)" to any out via $inet2
$fwa 09080 allow ip from "table(7)" to any out via $inet3
$fwa 09090 allow ip from "table(8)" to any out via $ifkhd
$fwa 09100 allow ip from $vpn_net to any out via $ifkhd
# Traffic originated by this host may leave on every uplink.
$fwa 09110 allow ip from me to any out via $inet
$fwa 09120 allow ip from me to any out via $inet2
$fwa 09130 allow ip from me to any out via $inet3
$fwa 09140 allow ip from me to any out via $ifkhd
##Incoming allowers
#$fwa 09100 allow ip from $vtk to "table(5)" in via $wan
#$fwa 09110 allow ip from $vtk to me in via $wan
$fwa 09210 allow ip from $khd_serv to $hostel in via $ifkhd
$fwa 09220 allow ip from $khd_real to "table(8)" in via $ifkhd
$fwa 09230 allow ip from $khd_net to "table(8)" in via $ifkhd
$fwa 09240 allow ip from $khd_real to "table(5)" in via $ifkhd
$fwa 09250 allow ip from $khd_net to "table(5)" in via $ifkhd
# NOTE(review): "from any to table(N) in via <uplink>" accepts any inbound
# packet whose destination is an internal address, whether it got there by
# NAT translation or arrived already addressed that way. Whether the latter
# can happen depends on upstream routing - verify, or make these stateful.
$fwa 09260 allow ip from any to "table(5)" in via $inet
$fwa 09270 allow ip from any to "table(6)" in via $inet2
$fwa 09280 allow ip from any to "table(7)" in via $inet3
$fwa 09290 allow ip from any to "table(8)" in via $ifkhd
$fwa 09300 allow ip from any to $vpn_net in via $ifkhd
# NOTE(review): this admits every protocol and port from any source to the
# router itself on $inet, so every service listening on the host is reachable
# from that uplink. Consider replacing it with rules for the specific services
# that must be public plus return traffic for the host's own connections.
# No matching "to me" rule exists for $inet2, $inet3 or $ifkhd, so there only
# ICMP (rule 50250) is explicitly accepted for the host itself.
$fwa 09399 allow ip from any to me in via $inet
#----------------------------------
##ICMP
# Every ICMP type is accepted to and from this host on every interface.
# NOTE(review): consider limiting the inbound rule with the `icmptypes` option
# to the types the host actually needs (echo, unreachable, time exceeded).
$fwa 50200 allow icmp from me to any
$fwa 50250 allow icmp from any to me
##Allow all outgoing
# Catch-all for anything this host originates that no earlier rule matched.
# NOTE(review): the final default rule (65535) is not shown; what happens to
# packets that match nothing here depends on the kernel's default policy -
# confirm it is deny rather than accept.
$fwa 60000 allow ip from me to any