
Операция «Кооперация»: IPFW, stargazer и 4 ADSL-соединения

Общага — место крайне полезное, особенно для тех, кто умеет искать халяву. Еда, выпивка, интернет… стоит лишь немного поднапрячься. В одной из таких общаг мы и будем творить свои злобные делишки — раздавать людям интернеты анлимно и покилограммно.
Под катом много конфигов и технических терминов, так что слабонервным и гуманитариям лучше не заходить

Что мы имеем?
— 4 ADSL-модема с безлимитами на каждом
— Сервер на FreeBSD 8.1
— IPFW NAT
— Старгайзер в качестве биллинга

Вполне достаточно для наших целей. Перво-наперво проверяем, чтобы ядро было собрано с вот такими опциями:

##USER_OPTIONS
#IPFW itself.  Without IPFIREWALL_DEFAULT_TO_ACCEPT the built-in last rule
#(65535) is "deny", which the rulesets below rely on: anything not explicitly
#allowed is dropped.
options         IPFIREWALL
#Needed for the "fwd" action
options         IPFIREWALL_FORWARD
#Enable logging for rules with the "log" keyword; the limit caps the number
#of log lines per rule (firewall_logging="YES" in rc.conf turns it on)
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
#In-kernel NAT ("ipfw nat"); LIBALIAS is the translation engine it uses.
#IPDIVERT provides divert(4) sockets for natd and is not needed by the
#in-kernel NAT used below, but is harmless.
options         IPFIREWALL_NAT
options         IPDIVERT
options         LIBALIAS
#5 independent routing tables (FIBs): 4 for the user groups and one (FIB 0)
#for the server itself.  setfib(1) fails if a FIB number >= this value is used.
options         ROUTETABLES=5
#High timer rate; commonly raised for finer dummynet (shaping) granularity
options         HZ=4000

Далее просто приведу примеры своих конфигов с комментариями, ибо от howto большего и не требуется 🙂

Для начала — настраиваем таблицы маршрутизации. Для этого создаем файлик /usr/local/etc/rc.d/setfib1:

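#!/bin/sh
# PROVIDE: SETFIB1
# REQUIRE: NETWORKING
# BEFORE: DAEMON
#
# Installs the default route of routing table (FIB) 1 at boot and removes it
# on stop.  One copy of this script is needed per non-default FIB (setfib2,
# setfib3, ...): change $name, $fib and the PROVIDE line in each copy.
#
# Add the following lines to /etc/rc.conf to enable setfib1 at startup
# setfib1_enable (bool): Set to "NO" by default.
#                Set it to "YES" to enable setfib1
# setfib1_defaultroute (str): Set to "" by default
#       Set it to the IP address of the default gateway for use in FIB 1
#
# The kernel must be built with ROUTETABLES larger than $fib, otherwise
# setfib(1) fails.
. /etc/rc.subr
name="setfib1"
rcvar=$(set_rcvar)
# FIB number this copy of the script manages
fib=1
load_rc_config $name
# Defaults, applied when the rc.conf variable is unset or empty
: ${setfib1_enable:="NO"}
: ${setfib1_defaultroute:=""}
start_cmd="${name}_start"
stop_cmd="${name}_stop"
setfib1_start()
{
	# Refuse to run with an empty gateway instead of issuing a broken
	# "route add" command; complain on stderr like other rc diagnostics.
	if [ -n "${setfib1_defaultroute}" ]
	then
		setfib "${fib}" route add -net default "${setfib1_defaultroute}"
	else
		echo "Can't set defaultroute for fib ${fib} (setfib1_defaultroute is not set)" >&2
	fi
}
setfib1_stop()
{
	setfib "${fib}" route del -net default
}
# Without this call the rc.d framework never dispatches start/stop and the
# script silently does nothing (it was missing from the original).
run_rc_command "$1"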

Делаем его исполняемым, и так для каждой таблицы (кроме дефолтной) — т.е. четыре штуки, в каждой копии меняя номер таблицы в `name`, в строке `PROVIDE` и в командах `setfib`.

В rc.conf:

gateway_enable="YES"
hostname="my_server.lan"
#Interface facing the internal (dormitory) network
ifconfig_fxp0="inet 10.0.0.1 netmask 255.255.255.0"
#Interface facing the modems
#NOTE(review): 192.169.0.0/16 is not an RFC 1918 private range (those are
#10/8, 172.16/12 and 192.168/16 -- exactly the three the firewall script
#treats as private).  It is publicly routable space owned by someone else:
#users can never reach the real 192.169.0.0/16, and any leak of these
#packets past the modems is routable.  Prefer a private range.
ifconfig_fxp1="inet 192.169.0.5 netmask 255.255.255.0"
#Each modem in its own VLAN
cloned_interfaces="vlan1691 vlan1692 vlan1693 vlan1694 vlan1695"
ifconfig_vlan1691="inet 192.169.1.5 netmask 255.255.255.0 vlan 1691 vlandev fxp1"
ifconfig_vlan1692="inet 192.169.2.5 netmask 255.255.255.0 vlan 1692 vlandev fxp1"
ifconfig_vlan1693="inet 192.169.3.5 netmask 255.255.255.0 vlan 1693 vlandev fxp1"
ifconfig_vlan1694="inet 192.169.4.5 netmask 255.255.255.0 vlan 1694 vlandev fxp1"
#VLAN facing the provider's local network
#NOTE(review): the firewall's "allow ... to me" rules for this interface
#(rules 01120/01130) use 192.169.5.0/24, not 192.168.100.0/24 -- one of the
#two is wrong; confirm which address the provider link really uses.
ifconfig_vlan1695="inet 192.168.100.9 netmask 255.255.255.0 vlan 1695 vlandev fxp1"
#The server itself goes out through modem #1
defaultrouter="192.169.1.1"
#Per-FIB default routes, installed by the setfib1..setfib4 rc.d scripts
setfib1_enable="YES"
setfib1_defaultroute="192.169.1.1"
setfib2_enable="YES"
setfib2_defaultroute="192.169.2.1"
setfib3_enable="YES"
setfib3_defaultroute="192.169.3.1"
setfib4_enable="YES"
setfib4_defaultroute="192.169.4.1"
#Enable shaping (dummynet)
dummynet_enable="YES"
#Enable the firewall; logging needs IPFIREWALL_VERBOSE in the kernel
firewall_enable="YES"
firewall_logging="YES"
#Firewall rule script (presumably the three scripts shown below are
#concatenated into, or called from, this file).
#NOTE(review): it is executed as root at boot but lives in a user's home
#directory.  Keep it owned by root and not writable by that user (or move it
#to /etc or /usr/local/etc); otherwise whoever controls that account
#controls the firewall.
firewall_script="/usr/home/snake/net/rc.fire.conf"

Не забываем о маршрутизации:

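#Provider's network: reachable through the provider-facing VLAN (vlan1695,
#192.168.100.9/24 in rc.conf) from every routing table, so that users on
#any ADSL link can still reach it.
#NOTE(review): the original FIB-0 route pointed at 192.168.106.1, which is
#not on any subnet the server is connected to (it would be resolved through
#the default gateway, i.e. modem 1, instead of the provider VLAN) and
#differs from the gateway used for FIBs 1-4.  It looks like a typo for
#192.168.100.1 and is changed to that here -- confirm against the provider
#setup.
provider_net="192.168.0.0/16"
provider_gw="192.168.100.1"
route add $provider_net $provider_gw
for fib in 1 2 3 4; do
	setfib $fib route add $provider_net $provider_gw
done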

Ну и теперь приступаем к настройкам фаервола:
1. Запрещаем весь посторонний трафик

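#!/bin/sh
# Part 1 of the ruleset: loopback sanity, management access to the modems and
# logged anti-spoofing denies on the uplink interfaces.  Everything that no
# later rule allows is dropped by ipfw's built-in default rule.
#
# NOTE(review): nothing here flushes the previous ruleset; if the scripts are
# re-run by hand, run "ipfw -f flush" once before this one.  "-q" also hides
# parse errors -- run the scripts once without it to see rules that fail.
#
# Abort on an undefined variable: with "ipfw -q" a rule whose expansion is
# broken fails silently and simply never gets installed.
set -u
#IPFW--------------------------------
fw="/sbin/ipfw -q"
fwa="/sbin/ipfw -q add"
#Ifaces-----------------------------
lan="fxp0"
lan2="fxp1"
inet="vlan1691"
inet2="vlan1692"
inet3="vlan1693"
inet4="vlan1694"
ifnet="vlan1695"
#Private (RFC 1918) ranges that must never appear on an Internet-facing link
priv_a="10.0.0.0/8"
priv_b="172.16.0.0/12"
priv_c="192.168.0.0/16"

# deny_private IFACE BASE NET...
# Installs, starting at rule number BASE and stepping by 10, a logged deny
# for packets arriving on IFACE from each NET and for packets leaving IFACE
# towards each NET.  Such packets are either misrouted or spoofed, so the
# destination is always "any": the original rules 2100 and 2200 matched only
# "to me", which let spoofed private-source packets through to the
# forwarded hosts behind $inet2/$inet3.
deny_private() {
	local _if _num _net
	_if=$1
	_num=$2
	shift 2
	for _net in "$@"; do
		$fwa $_num deny log ip from $_net to any in via $_if
		_num=$((_num + 10))
		$fwa $_num deny log ip from any to $_net out via $_if
		_num=$((_num + 10))
	done
}

#Selfcare & service
##loopback (1000-1020)
$fwa 01000 allow ip from any to any via lo0
$fwa 01010 deny ip from any to 127.0.0.0/8
$fwa 01020 deny ip from 127.0.0.0/8 to any
##Management access to the modems, otherwise we cannot even see them
$fwa 01040 allow ip from 192.169.1.0/24 to me in via $inet
$fwa 01050 allow ip from me to 192.169.1.0/24 out via $inet
$fwa 01060 allow ip from 192.169.2.0/24 to me in via $inet2
$fwa 01070 allow ip from me to 192.169.2.0/24 out via $inet2
$fwa 01080 allow ip from 192.169.3.0/24 to me in via $inet3
$fwa 01090 allow ip from me to 192.169.3.0/24 out via $inet3
$fwa 01100 allow ip from 192.169.4.0/24 to me in via $inet4
$fwa 01110 allow ip from me to 192.169.4.0/24 out via $inet4
##NOTE(review): rc.conf gives $ifnet the address 192.168.100.9/24, so the
##two rules below match a subnet this interface is not on -- confirm which
##address is right.
$fwa 01120 allow ip from 192.169.5.0/24 to me in via $ifnet
$fwa 01130 allow ip from me to 192.169.5.0/24 out via $ifnet
#Deny packets (2000-2999)
##No private-address traffic may cross the interfaces that face the Internet
deny_private $inet  2000 $priv_a $priv_b $priv_c
deny_private $inet2 2100 $priv_a $priv_b $priv_c
deny_private $inet3 2200 $priv_a $priv_b $priv_c
deny_private $inet4 2300 $priv_a $priv_b $priv_c
##Only the provider's own 192.168/16 traffic may cross the provider link.
##Numbered 2400-2430: the original reused 2300/2310, colliding with $inet4.
deny_private $ifnet 2400 $priv_a $priv_b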

3. Собственно, правила для выпускания в интернет

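#!/bin/sh
# Part 3 of the ruleset: what is allowed through.  Users are looked up in
# ipfw tables maintained by the Stargazer billing daemon:
#   table(2)            users with Internet access
#   table(3)            users with access to the provider's network only
#   table(5)..table(8)  Internet users split per ADSL link 1..4
#   table(9)            users on limited (metered) tariffs, also on link 4
#
# Abort on an undefined variable: with "ipfw -q" a rule whose expansion is
# broken fails silently and simply never gets installed.  The original used
# $vtk and $ifnet here without defining them, so rules 06010-06050 and
# 06260 were never added.
set -u
#IPFW--------------------------------
fw="/sbin/ipfw -q"
fwa="/sbin/ipfw -q add"
#Ifaces-----------------------------
lan="fxp0"
lan2="fxp1"
inet="vlan1691"
inet2="vlan1692"
inet3="vlan1693"
inet4="vlan1694"
#Provider-facing VLAN (called $ifnet in the other scripts too)
ifnet="vlan1695"
#IP groups--------------------------
#Internal network
hostel="10.0.0.0/24"
#Provider's network ("vtk")
net="192.168.0.0/16"
#Subnets between the server and the ADSL modems (see rc.conf)
modems="192.169.0.0/16"
#Internet access
##Stargazer
###Users must not reach the modems' management interfaces: without this
###rule 04141 plus 06010 would happily forward (and NAT) them there.  Add an
###exception above this rule for an admin workstation if one is needed.
$fwa 04100 deny log ip from any to $modems in via $lan
###Internet for users in table 2
$fwa 04141 allow ip from "table(2)" to not $net in via $lan
$fwa 04144 allow ip from not $net to "table(2)" out via $lan
###Provider network for users in table 3
$fwa 04241 allow ip from "table(3)" to $net in via $lan
$fwa 04244 allow ip from $net to "table(3)" out via $lan
#Let traffic through..
##Outwards (reached via skipto from the shaping rules after NAT)
$fwa 06010 allow ip from any to not $net out via $inet
$fwa 06020 allow ip from any to not $net out via $inet2
$fwa 06030 allow ip from any to not $net out via $inet3
$fwa 06040 allow ip from any to not $net out via $inet4
$fwa 06050 allow ip from any to $net out via $ifnet
##And back in.  Tables 5-9 hold the users split into per-link groups
$fwa 06210 allow ip from not $net to "table(5)" in via $inet
$fwa 06220 allow ip from not $net to "table(6)" in via $inet2
$fwa 06230 allow ip from not $net to "table(7)" in via $inet3
$fwa 06240 allow ip from not $net to "table(8)" in via $inet4
$fwa 06250 allow ip from not $net to "table(9)" in via $inet4
$fwa 06260 allow ip from $net to "table(3)" in via $ifnet
#----------------------------------
##ICMP
##NOTE(review): every ICMP type from anywhere is accepted by the server;
##consider restricting to echo, unreachable and time-exceeded.
$fwa 60200 allow icmp from me to any
$fwa 60250 allow icmp from any to me
##Allow everything originating from the server itself
$fwa 65000 allow ip from me to any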

А теперь — самое интересное 🙂 Шейпинг:

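#!/bin/sh
# Shaping (dummynet), NAT and per-group routing tables.  Each user group (an
# ipfw table filled by Stargazer) is pinned to one ADSL link: its packets are
# moved into that link's FIB, shaped in that link's pipe and NATed behind
# that link's modem.
#   table(5) -> link 1 (FIB 1)   table(6) -> link 2 (FIB 2)
#   table(7) -> link 3 (FIB 3)   table(8), table(9) -> link 4 (FIB 4)
#   table(3) -> provider network via $ifnet
#
# NOTE(review): the "queue ...; skipto <nat rule>" pairs below only work when
# net.inet.ip.fw.one_pass=0, so that a packet re-enters the ruleset after
# dummynet; with the default one_pass=1 a queued packet is accepted right
# away and is never NATed.  That sysctl is not shown on this page -- confirm
# it is set.
#
# Abort on an undefined variable: with "ipfw -q" a rule whose expansion is
# broken fails silently and simply never gets installed.
set -u
#IPFW--------------------------------
fw="/sbin/ipfw -q"
fwa="/sbin/ipfw -q add"
fwt="/sbin/ipfw table"
#Env---------------------------------
#Default gateways: gw0 for the server itself (FIB 0), gw1-gw4 the modems
gw0="192.169.1.1"
gw1="192.169.1.1"
gw2="192.169.2.1"
gw3="192.169.3.1"
gw4="192.169.4.1"
gw5="192.169.5.1"
#Ifaces-----------------------------
lan="fxp0"
lan2="fxp1"
inet="vlan1691"
inet2="vlan1692"
inet3="vlan1693"
inet4="vlan1694"
ifnet="vlan1695"
#Extra user-facing VLANs used by the setfib rules.  The original referenced
#$vlan1204/$vlan1205 without defining them (so those rules were never
#installed) and rc.conf does not create such interfaces -- confirm the
#names, or drop the rules that use them.
vlan1204="vlan1204"
vlan1205="vlan1205"
#IP's-------------------------------
iplan="10.0.0.1"
ipnet="192.168.100.9"
#IP groups--------------------------
hostel="10.0.0.0/24"
net="192.168.0.0/16"
#Priority---------------------------
#WF2Q+ weights: interactive/well-known TCP first, bulk last
tcphigh=100
tcpother=40
udpall=20
ipall=20
tcp_ports="20,21,22,53,80,81,443,5190,5222,3128,8080,8081,8088,28960"
#GRED parameters (w_q/min_th/max_th/max_p) shared by every pipe and queue
gred="0.002/10/30/0.1"
#Queue sizes are estimated as described here:
#http://www.opennet.ru/tips/info/1411.shtml
#Queue size-------------------------
qdowni="350Kbytes"
qupi="50Kbytes"
qdownnet="550Kbytes"
qupnet="70Kbytes"
#Speed------------------------------
##Main outgoing queue
upi=500Kbit/s
##Main downloading queue
downi=3400Kbit/s
##NET outgoing queue
upnet=800Kbit/s
##net downloading queue
downnet=5000Kbit/s
#Pipes, one pair per link: 100/300/500/700 download, 200/400/600/800 upload
$fw pipe 100 config bw $downi queue $qdowni gred $gred
$fw pipe 200 config bw $upi queue $qupi gred $gred
$fw pipe 300 config bw $downi queue $qdowni gred $gred
$fw pipe 400 config bw $upi queue $qupi gred $gred
$fw pipe 500 config bw $downi queue $qdowni gred $gred
$fw pipe 600 config bw $upi queue $qupi gred $gred
$fw pipe 700 config bw $downi queue $qdowni gred $gred
$fw pipe 800 config bw $upi queue $qupi gred $gred
#Provider-network pipes.  The original used $qdownvtk/$qupvtk, which were
#never defined; the sizes meant are qdownnet/qupnet declared above.
$fw pipe 900 config bw $downnet queue $qdownnet gred $gred
$fw pipe 1000 config bw $upnet queue $qupnet gred $gred
#-----------------------------------
#Queues: four per pipe, one per traffic class.  The /32 mask gives every
#host its own flow, so the pipe is shared fairly between users.
#inet --> LAN
$fw queue 101 config weight $tcphigh pipe 100 gred $gred mask dst-ip 0xffffffff
$fw queue 102 config weight $tcpother pipe 100 gred $gred mask dst-ip 0xffffffff
$fw queue 103 config weight $udpall pipe 100 gred $gred mask dst-ip 0xffffffff
$fw queue 104 config weight $ipall pipe 100 gred $gred mask dst-ip 0xffffffff
$fw queue 301 config weight $tcphigh pipe 300 gred $gred mask dst-ip 0xffffffff
$fw queue 302 config weight $tcpother pipe 300 gred $gred mask dst-ip 0xffffffff
$fw queue 303 config weight $udpall pipe 300 gred $gred mask dst-ip 0xffffffff
$fw queue 304 config weight $ipall pipe 300 gred $gred mask dst-ip 0xffffffff
$fw queue 501 config weight $tcphigh pipe 500 gred $gred mask dst-ip 0xffffffff
$fw queue 502 config weight $tcpother pipe 500 gred $gred mask dst-ip 0xffffffff
$fw queue 503 config weight $udpall pipe 500 gred $gred mask dst-ip 0xffffffff
$fw queue 504 config weight $ipall pipe 500 gred $gred mask dst-ip 0xffffffff
$fw queue 701 config weight $tcphigh pipe 700 gred $gred mask dst-ip 0xffffffff
$fw queue 702 config weight $tcpother pipe 700 gred $gred mask dst-ip 0xffffffff
$fw queue 703 config weight $udpall pipe 700 gred $gred mask dst-ip 0xffffffff
$fw queue 704 config weight $ipall pipe 700 gred $gred mask dst-ip 0xffffffff
#LAN --> inet
$fw queue 201 config weight $tcphigh pipe 200 gred $gred mask src-ip 0xffffffff
$fw queue 202 config weight $tcpother pipe 200 gred $gred mask src-ip 0xffffffff
$fw queue 203 config weight $udpall pipe 200 gred $gred mask src-ip 0xffffffff
$fw queue 204 config weight $ipall pipe 200 gred $gred mask src-ip 0xffffffff
$fw queue 401 config weight $tcphigh pipe 400 gred $gred mask src-ip 0xffffffff
$fw queue 402 config weight $tcpother pipe 400 gred $gred mask src-ip 0xffffffff
$fw queue 403 config weight $udpall pipe 400 gred $gred mask src-ip 0xffffffff
$fw queue 404 config weight $ipall pipe 400 gred $gred mask src-ip 0xffffffff
$fw queue 601 config weight $tcphigh pipe 600 gred $gred mask src-ip 0xffffffff
$fw queue 602 config weight $tcpother pipe 600 gred $gred mask src-ip 0xffffffff
$fw queue 603 config weight $udpall pipe 600 gred $gred mask src-ip 0xffffffff
$fw queue 604 config weight $ipall pipe 600 gred $gred mask src-ip 0xffffffff
$fw queue 801 config weight $tcphigh pipe 800 gred $gred mask src-ip 0xffffffff
$fw queue 802 config weight $tcpother pipe 800 gred $gred mask src-ip 0xffffffff
$fw queue 803 config weight $udpall pipe 800 gred $gred mask src-ip 0xffffffff
$fw queue 804 config weight $ipall pipe 800 gred $gred mask src-ip 0xffffffff
#WAN --> LAN
$fw queue 901 config weight $tcphigh pipe 900 gred $gred mask dst-ip 0xffffffff
$fw queue 902 config weight $tcpother pipe 900 gred $gred mask dst-ip 0xffffffff
$fw queue 903 config weight $udpall pipe 900 gred $gred mask dst-ip 0xffffffff
$fw queue 904 config weight $ipall pipe 900 gred $gred mask dst-ip 0xffffffff
#LAN --> WAN
$fw queue 1001 config weight $tcphigh pipe 1000 gred $gred mask src-ip 0xffffffff
$fw queue 1002 config weight $tcpother pipe 1000 gred $gred mask src-ip 0xffffffff
$fw queue 1003 config weight $udpall pipe 1000 gred $gred mask src-ip 0xffffffff
$fw queue 1004 config weight $ipall pipe 1000 gred $gred mask src-ip 0xffffffff
#-----------------------------------
#NAT: one instance per uplink.  deny_in drops incoming packets that belong to
#no existing translation, reset purges the table when the interface address
#changes, same_ports keeps the source port where possible.
$fw nat 100 config if $inet same_ports reset deny_in
$fw nat 200 config if $inet2 same_ports reset deny_in
$fw nat 300 config if $inet3 same_ports reset deny_in
$fw nat 400 config if $inet4 same_ports reset deny_in
$fw nat 500 config if $ifnet same_ports reset deny_in
#-----------------------------------
##Routing tables
setfib 0 route delete default
setfib 0 route add default $gw0
###Clients route tables 1200-1599
###setfib only tags the packet with its FIB and the search continues with
###the next rule, so these can sit in front of the allow/deny rules.
setfib 1 route delete default
setfib 1 route add default $gw1
$fwa 01210 setfib 1 ip from "table(5)" to any in recv $lan
$fwa 01220 setfib 1 ip from "table(5)" to any in recv $vlan1204
$fwa 01230 setfib 1 ip from "table(5)" to any in recv $vlan1205
setfib 2 route delete default
setfib 2 route add default $gw2
$fwa 01310 setfib 2 ip from "table(6)" to any in recv $lan
$fwa 01320 setfib 2 ip from "table(6)" to any in recv $vlan1204
$fwa 01330 setfib 2 ip from "table(6)" to any in recv $vlan1205
setfib 3 route delete default
setfib 3 route add default $gw3
###Numbered 01340-01360: the original reused 01310-01330, which already
###belong to FIB 2.
$fwa 01340 setfib 3 ip from "table(7)" to any in recv $lan
$fwa 01350 setfib 3 ip from "table(7)" to any in recv $vlan1204
$fwa 01360 setfib 3 ip from "table(7)" to any in recv $vlan1205
setfib 4 route delete default
setfib 4 route add default $gw4
$fwa 01410 setfib 4 ip from "table(8)" to any in recv $lan
$fwa 01420 setfib 4 ip from "table(8)" to any in recv $vlan1204
$fwa 01430 setfib 4 ip from "table(8)" to any in recv $vlan1205
###---Table 9 for limit tariff users
$fwa 01440 setfib 4 ip from "table(9)" to any in recv $lan
$fwa 01450 setfib 4 ip from "table(9)" to any in recv $vlan1204
$fwa 01460 setfib 4 ip from "table(9)" to any in recv $vlan1205
#-----------------------------------
#NAT & queues
##Outgoing queues.  Per link: prioritised TCP, other TCP, UDP and ICMP are
##queued and then jump to that link's nat rule; whatever is left lands in
##the bulk "ip" queue.
###ADSL1
$fwa 05011 queue 201 tcp from "table(5)" to any $tcp_ports out xmit $inet
$fwa 05012 queue 202 tcp from "table(5)" to not any $tcp_ports out xmit $inet
$fwa 05013 skipto 5110 tcp from "table(5)" to any out xmit $inet
$fwa 05014 queue 203 udp from "table(5)" to any out xmit $inet
$fwa 05015 skipto 5110 udp from "table(5)" to any out xmit $inet
$fwa 05016 queue 201 icmp from "table(5)" to any out xmit $inet
$fwa 05017 skipto 5110 icmp from "table(5)" to any out xmit $inet
$fwa 05018 queue 204 ip from "table(5)" to any out xmit $inet
###ADSL2
$fwa 05021 queue 401 tcp from "table(6)" to any $tcp_ports out xmit $inet2
$fwa 05022 queue 402 tcp from "table(6)" to not any $tcp_ports out xmit $inet2
$fwa 05023 skipto 5120 tcp from "table(6)" to any out xmit $inet2
$fwa 05024 queue 403 udp from "table(6)" to any out xmit $inet2
$fwa 05025 skipto 5120 udp from "table(6)" to any out xmit $inet2
$fwa 05026 queue 401 icmp from "table(6)" to any out xmit $inet2
$fwa 05027 skipto 5120 icmp from "table(6)" to any out xmit $inet2
$fwa 05028 queue 404 ip from "table(6)" to any out xmit $inet2
###ADSL3
$fwa 05031 queue 601 tcp from "table(7)" to any $tcp_ports out xmit $inet3
$fwa 05032 queue 602 tcp from "table(7)" to not any $tcp_ports out xmit $inet3
$fwa 05033 skipto 5130 tcp from "table(7)" to any out xmit $inet3
$fwa 05034 queue 603 udp from "table(7)" to any out xmit $inet3
$fwa 05035 skipto 5130 udp from "table(7)" to any out xmit $inet3
$fwa 05036 queue 601 icmp from "table(7)" to any out xmit $inet3
$fwa 05037 skipto 5130 icmp from "table(7)" to any out xmit $inet3
$fwa 05038 queue 604 ip from "table(7)" to any out xmit $inet3
###ADSL4
$fwa 05041 queue 801 tcp from "table(8)" to any $tcp_ports out xmit $inet4
$fwa 05042 queue 802 tcp from "table(8)" to not any $tcp_ports out xmit $inet4
$fwa 05043 skipto 5140 tcp from "table(8)" to any out xmit $inet4
$fwa 05044 queue 803 udp from "table(8)" to any out xmit $inet4
$fwa 05045 skipto 5140 udp from "table(8)" to any out xmit $inet4
$fwa 05046 queue 801 icmp from "table(8)" to any out xmit $inet4
$fwa 05047 skipto 5140 icmp from "table(8)" to any out xmit $inet4
$fwa 05048 queue 804 ip from "table(8)" to any out xmit $inet4
###Users on limited tariffs are served first (high-priority queue)
$fwa 05051 queue 801 ip from "table(9)" to any out xmit $inet4
###ADSL5 (provider network)
$fwa 05061 queue 1001 tcp from "table(3)" to $net $tcp_ports out xmit $ifnet
$fwa 05062 queue 1002 tcp from "table(3)" to not $net $tcp_ports out xmit $ifnet
$fwa 05063 skipto 5150 tcp from "table(3)" to any out xmit $ifnet
$fwa 05064 queue 1003 udp from "table(3)" to $net out xmit $ifnet
$fwa 05065 skipto 5150 udp from "table(3)" to any out xmit $ifnet
$fwa 05066 queue 1004 icmp from "table(3)" to $net out xmit $ifnet
$fwa 05067 skipto 5150 icmp from "table(3)" to any out xmit $ifnet
$fwa 05068 queue 1004 ip from "table(3)" to $net out xmit $ifnet
#-----------------------------------
##NAT
$fwa 05110 nat 100 ip from any to any via $inet
$fwa 05120 nat 200 ip from any to any via $inet2
$fwa 05130 nat 300 ip from any to any via $inet3
$fwa 05140 nat 400 ip from any to any via $inet4
$fwa 05150 nat 500 ip from any to any via $ifnet
#----------------------------------
##Incoming queues (matched after NAT has restored the internal address)
$fwa 05311 queue 101 tcp from any $tcp_ports to "table(5)" in recv $inet
$fwa 05312 queue 102 tcp from not any $tcp_ports to "table(5)" in recv $inet
$fwa 05313 skipto 6010 tcp from any to "table(5)" in via $inet
$fwa 05314 queue 103 udp from any to "table(5)" in recv $inet
$fwa 05315 skipto 6010 udp from any to "table(5)" in via $inet
$fwa 05316 queue 101 icmp from any to "table(5)" in recv $inet
$fwa 05317 skipto 6010 icmp from any to "table(5)" in via $inet
$fwa 05318 queue 104 ip from any to "table(5)" in recv $inet
$fwa 05321 queue 301 tcp from any $tcp_ports to "table(6)" in recv $inet2
$fwa 05322 queue 302 tcp from not any $tcp_ports to "table(6)" in recv $inet2
$fwa 05323 skipto 6010 tcp from any to "table(6)" in via $inet2
$fwa 05324 queue 303 udp from any to "table(6)" in recv $inet2
$fwa 05325 skipto 6010 udp from any to "table(6)" in via $inet2
$fwa 05326 queue 301 icmp from any to "table(6)" in recv $inet2
$fwa 05327 skipto 6010 icmp from any to "table(6)" in via $inet2
$fwa 05328 queue 304 ip from any to "table(6)" in recv $inet2
$fwa 05331 queue 501 tcp from any $tcp_ports to "table(7)" in recv $inet3
$fwa 05332 queue 502 tcp from not any $tcp_ports to "table(7)" in recv $inet3
$fwa 05333 skipto 6010 tcp from any to "table(7)" in via $inet3
$fwa 05334 queue 503 udp from any to "table(7)" in recv $inet3
$fwa 05335 skipto 6010 udp from any to "table(7)" in via $inet3
$fwa 05336 queue 501 icmp from any to "table(7)" in recv $inet3
$fwa 05337 skipto 6010 icmp from any to "table(7)" in via $inet3
$fwa 05338 queue 504 ip from any to "table(7)" in recv $inet3
###Link 4 and the provider link renumbered to the same x1..x8 pattern as
###the others.  The original numbered all three skipto rules 05347 (resp.
###05367); ipfw orders rules by number, so they ran after the bulk "ip"
###queue rule and (with one_pass=0) TCP/UDP/ICMP was queued twice.
$fwa 05341 queue 701 tcp from any $tcp_ports to "table(8)" in recv $inet4
$fwa 05342 queue 702 tcp from not any $tcp_ports to "table(8)" in recv $inet4
$fwa 05343 skipto 6010 tcp from any to "table(8)" in via $inet4
$fwa 05344 queue 703 udp from any to "table(8)" in recv $inet4
$fwa 05345 skipto 6010 udp from any to "table(8)" in via $inet4
$fwa 05346 queue 701 icmp from any to "table(8)" in recv $inet4
$fwa 05347 skipto 6010 icmp from any to "table(8)" in via $inet4
$fwa 05348 queue 704 ip from any to "table(8)" in recv $inet4
$fwa 05351 queue 701 ip from any to "table(9)" in recv $inet4
$fwa 05352 skipto 6010 ip from any to "table(9)" in via $inet4
$fwa 05361 queue 901 tcp from $net $tcp_ports to "table(3)" in recv $ifnet
$fwa 05362 queue 902 tcp from not $net $tcp_ports to "table(3)" in recv $ifnet
$fwa 05363 skipto 6010 tcp from $net to "table(3)" in via $ifnet
$fwa 05364 queue 903 udp from $net to "table(3)" in recv $ifnet
$fwa 05365 skipto 6010 udp from $net to "table(3)" in via $ifnet
$fwa 05366 queue 901 icmp from $net to "table(3)" in recv $ifnet
$fwa 05367 skipto 6010 icmp from $net to "table(3)" in via $ifnet
###The original wrote $vtk here, which is undefined; $net is what is meant.
$fwa 05368 queue 904 ip from $net to "table(3)" in recv $ifnet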

Такая схема работает более или менее успешно. Пользователи распихиваются по таблицам примерно поровну, после чего за каждой группой пользователей закрепляется «свой» канал.
Все вопросы можно задавать тут)
