Операция “Кооперация”: IPFW, stargazer и 4 ADSL-соединения
Общага – место крайне полезное, особенно для тех, кто умеет искать халяву. Еда, выпивка, интернет… стоит лишь немного поднапрячься. В одной из таких общаг мы и будем творить свои злобные делишки – раздавать людям интернеты анлимно и покилограммно.
Под катом много конфигов и технических терминов, так что слабонервным и гуманитариям лучше не заходить
Что мы имеем?
– 4 ADSL-модема с безлимитами на каждом
– Сервер на FreeBSD 8.1
– IPFW NAT
– Старгайзер в качестве биллинга
Вполне достаточно для наших целей. Перво-наперво, проверяем, чтобы ядро было собрано с вот такими опциями (без IPFIREWALL_DEFAULT_TO_ACCEPT последнее правило 65535 — deny, то есть всё, что явно не разрешено ниже, будет отброшено):
##USER_OPTIONS
#IPFW itself. Without IPFIREWALL_DEFAULT_TO_ACCEPT the built-in last rule
#(65535) is "deny ip from any to any": everything the rule scripts do not
#explicitly allow is dropped, including all traffic until the scripts load.
options IPFIREWALL
#Support for the "fwd" action (none of the rules in this howto use it)
options IPFIREWALL_FORWARD
#Logging for rules marked "log"; VERBOSE_LIMIT caps the number of log
#entries per rule - after 100 hits a rule goes quiet until "ipfw resetlog"
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
#In-kernel NAT ("ipfw nat") and the libalias it is built on; IPDIVERT is
#for divert sockets (natd), which the rules below do not use
options IPFIREWALL_NAT
options IPDIVERT
options LIBALIAS
#Five independent routing tables (FIBs): 4 for the user groups, fib 0 for the server itself
options ROUTETABLES=5
#Higher clock rate so dummynet schedules packets at a finer granularity
options HZ=4000
Далее просто приведу примеры своих конфигов с комментариями, ибо от howto большего и не требуется 🙂
Для начала – настраиваем таблицы маршрутизации. Для этого создаем файлик /usr/local/etc/rc.d/setfib1:
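#!/bin/sh
# PROVIDE: SETFIB1
# REQUIRE: NETWORKING
# BEFORE: DAEMON
#
# rc.d script that installs the default route of routing table (FIB) 1.
# One copy of this script exists per extra FIB (setfib1 .. setfib4); the
# copies differ only in the number.
#
# Add the following lines to /etc/rc.conf to enable setfib1 at startup:
# setfib1_enable (bool):      Set to "NO" by default.
#                             Set it to "YES" to enable setfib1.
# setfib1_defaultroute (str): Set to "" by default.
#                             Set it to the IP address of the default
#                             gateway to use in fib 1.
. /etc/rc.subr

name="setfib1"
rcvar="${name}_enable"
load_rc_config $name

# Defaults, applied only when rc.conf left the variable unset or empty.
: ${setfib1_enable:="NO"}
: ${setfib1_defaultroute:=""}

start_cmd="${name}_start"
stop_cmd="${name}_stop"

# Add the default route to fib 1. Returns non-zero when the gateway is not
# configured or route(8) refuses it, so a broken policy-routing table shows
# up at boot instead of silently sending that user group nowhere.
setfib1_start()
{
	if [ -n "${setfib1_defaultroute}" ]; then
		setfib 1 route add -net default "${setfib1_defaultroute}" || {
			echo "${name}: could not add default route via ${setfib1_defaultroute} to fib 1"
			return 1
		}
	else
		echo "Can't set defaultroute for fib 1 (setfib1_defaultroute is not set)"
		return 1
	fi
}

# Remove the default route from fib 1.
setfib1_stop()
{
	setfib 1 route del -net default
}

# Without this call the script only defines its functions and never runs
# them - rc(8) would report nothing and fib 1 would stay without a default.
run_rc_command "$1"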
Делаем его исполняемым, и так для каждой таблицы (кроме дефолтной) – т.е. четыре штуки
В rc.conf:
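#Forward packets between interfaces (net.inet.ip.forwarding=1)
gateway_enable="YES"
hostname="my_server.lan"
#Interface facing the inside (hostel) network
ifconfig_fxp0="inet 10.0.0.1 netmask 255.255.255.0"
#Interface facing the modems: an 802.1Q trunk, one VLAN per modem (below).
#NOTE(review): 192.169.0.0/16 is NOT RFC 1918 private space, it is publicly
#routable. Using it here makes those Internet hosts unreachable for the
#server and its users; 192.168.x is evidently taken by the provider's
#network, but 172.16.0.0/12 would be a safe private choice instead.
ifconfig_fxp1="inet 192.169.0.5 netmask 255.255.255.0"
#Each modem in its own VLAN
cloned_interfaces="vlan1691 vlan1692 vlan1693 vlan1694 vlan1695"
ifconfig_vlan1691="inet 192.169.1.5 netmask 255.255.255.0 vlan 1691 vlandev fxp1"
ifconfig_vlan1692="inet 192.169.2.5 netmask 255.255.255.0 vlan 1692 vlandev fxp1"
ifconfig_vlan1693="inet 192.169.3.5 netmask 255.255.255.0 vlan 1693 vlandev fxp1"
ifconfig_vlan1694="inet 192.169.4.5 netmask 255.255.255.0 vlan 1694 vlandev fxp1"
#VLAN facing the provider's local network
ifconfig_vlan1695="inet 192.168.100.9 netmask 255.255.255.0 vlan 1695 vlandev fxp1"
#The server itself (routing table 0) goes out through modem 1
defaultrouter="192.169.1.1"
#Default routes of the per-group routing tables (fib N -> modem N),
#installed by the setfibN rc.d scripts
setfib1_enable="YES"
setfib1_defaultroute="192.169.1.1"
setfib2_enable="YES"
setfib2_defaultroute="192.169.2.1"
setfib3_enable="YES"
setfib3_defaultroute="192.169.3.1"
setfib4_enable="YES"
setfib4_defaultroute="192.169.4.1"
#Enable traffic shaping (dummynet)
dummynet_enable="YES"
#Enable the firewall. firewall_logging turns on logging for rules marked
#"log", capped at IPFIREWALL_VERBOSE_LIMIT entries per rule ("ipfw resetlog"
#restarts the count).
firewall_enable="YES"
firewall_logging="YES"
#Firewall rule script, executed as root at boot. It must live somewhere only
#root can write: the original pointed into a user's home directory
#(/usr/home/snake/net/rc.fire.conf), which lets anyone who gets that user's
#account rewrite the rules root loads on the next boot. Move the script
#here and run: chown root:wheel /etc/ipfw.rules; chmod 0600 /etc/ipfw.rules
firewall_script="/etc/ipfw.rules"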
Не забываем о маршрутизации:
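#Provider's subnet: reachable through the provider VLAN (vlan1695,
#192.168.100.9/24) from every routing table, so that it never ends up on an
#ADSL default route.
#Fix: fib 0 used gateway 192.168.106.1, which is on none of the configured
#subnets (only 192.168.100.0/24 is, on vlan1695) - the server's own traffic
#to the provider network was unroutable; fibs 1-4 already used 192.168.100.1.
#These are one-off commands; for boot persistence put the fib 0 route in
#rc.conf (static_routes) and the others in the setfibN rc.d scripts.
provider_net="192.168.0.0/16"
provider_gw="192.168.100.1"

# Add the provider route to fibs 0-4 (fib 0 is the server's own table).
add_provider_routes()
{
	local fib
	for fib in 0 1 2 3 4; do
		setfib $fib route add $provider_net $provider_gw
	done
}
add_provider_routes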
Ну и теперь приступаем к настройкам фаервола:
1. Запрещаем весь посторонний трафик
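#!/bin/sh
# Firewall, part 1: loopback sanity, management access to the modems and
# anti-spoofing on the uplinks (rule numbers 1000-2999).
#
# The kernel is built without IPFIREWALL_DEFAULT_TO_ACCEPT, so the implicit
# last rule 65535 is "deny ip from any to any": whatever none of the parts
# explicitly allows is dropped.
#IPFW--------------------------------
fw="/sbin/ipfw -q"
fwa="/sbin/ipfw -q add"
#Ifaces-----------------------------
lan="fxp0"        # inside (hostel) network
lan2="fxp1"       # trunk towards the modems; carries the VLANs below
inet="vlan1691"   # ADSL modem 1
inet2="vlan1692"  # ADSL modem 2
inet3="vlan1693"  # ADSL modem 3
inet4="vlan1694"  # ADSL modem 4
ifnet="vlan1695"  # provider's local network

# Start from an empty ruleset so that re-running the scripts does not stack
# a second copy of every rule behind the first. This part must therefore be
# loaded first; part 3 and the shaping script are loaded after it.
$fw -f flush

#Selfcare & service
##loopback (1000-1020): anything on lo0 is fine, 127/8 seen anywhere else is bogus
fw_loopback()
{
	$fwa 01000 allow ip from any to any via lo0
	$fwa 01010 deny ip from any to 127.0.0.0/8
	$fwa 01020 deny ip from 127.0.0.0/8 to any
}

##Management access to the modems (1040-1130); without these the server
##cannot reach the modem web interfaces at all.
fw_modem_access()
{
	$fwa 01040 allow ip from 192.169.1.0/24 to me in via $inet
	$fwa 01050 allow ip from me to 192.169.1.0/24 out via $inet
	$fwa 01060 allow ip from 192.169.2.0/24 to me in via $inet2
	$fwa 01070 allow ip from me to 192.169.2.0/24 out via $inet2
	$fwa 01080 allow ip from 192.169.3.0/24 to me in via $inet3
	$fwa 01090 allow ip from me to 192.169.3.0/24 out via $inet3
	$fwa 01100 allow ip from 192.169.4.0/24 to me in via $inet4
	$fwa 01110 allow ip from me to 192.169.4.0/24 out via $inet4
	# NOTE(review): rc.conf configures vlan1695 as 192.168.100.9/24 and no
	# 192.169.5.0/24 exists anywhere in this setup, so these two rules match
	# nothing as written; confirm which subnet the provider VLAN really uses.
	$fwa 01120 allow ip from 192.169.5.0/24 to me in via $ifnet
	$fwa 01130 allow ip from me to 192.169.5.0/24 out via $ifnet
}

#Deny packets (2000-2999)
##deny_rfc1918 <rule-base> <iface>: six logged deny rules (base .. base+50)
##dropping RFC 1918 sources entering and RFC 1918 destinations leaving
##<iface>. A private source arriving from the Internet is spoofed; a private
##destination leaving would leak the inside network to the modem.
deny_rfc1918()
{
	$fwa $1 deny log ip from 10.0.0.0/8 to any in via $2
	$fwa $(($1 + 10)) deny log ip from any to 10.0.0.0/8 out via $2
	$fwa $(($1 + 20)) deny log ip from 172.16.0.0/12 to any in via $2
	$fwa $(($1 + 30)) deny log ip from any to 172.16.0.0/12 out via $2
	$fwa $(($1 + 40)) deny log ip from 192.168.0.0/16 to any in via $2
	$fwa $(($1 + 50)) deny log ip from any to 192.168.0.0/16 out via $2
}

##Nothing from the private ranges may cross an Internet-facing interface.
##Fix: on $inet2 and $inet3 the 10/8 rule originally said "to me" instead
##of "to any", so spoofed 10/8 packets aimed at LAN hosts passed it there.
##On the provider VLAN only the provider's own 192.168.0.0/16 is legitimate,
##so 10/8 and 172.16/12 are dropped but 192.168/16 is not.
##Fix: the provider rules were numbered 2300/2310, the same numbers as the
##$inet4 rules ("ipfw delete 2300" would have removed both).
fw_antispoof()
{
	deny_rfc1918 2000 $inet
	deny_rfc1918 2100 $inet2
	deny_rfc1918 2200 $inet3
	deny_rfc1918 2300 $inet4
	$fwa 2400 deny log ip from 10.0.0.0/8 to any in via $ifnet
	$fwa 2410 deny log ip from any to 10.0.0.0/8 out via $ifnet
	$fwa 2420 deny log ip from 172.16.0.0/12 to any in via $ifnet
	$fwa 2430 deny log ip from any to 172.16.0.0/12 out via $ifnet
}

fw_loopback
fw_modem_access
fw_antispoof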
3. Собственно, правила для выпускания в интернет
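#!/bin/sh
# Firewall, part 3: the rules that actually let traffic through (4000-65100).
# The deny rules of part 1 (2000-2999) and the NAT/shaping rules of the
# shaping script (5000-5999) sit in between, so a packet is NAT'ed and
# queued before it reaches the allow rules at 6000+.
#IPFW--------------------------------
fw="/sbin/ipfw -q"
fwa="/sbin/ipfw -q add"
#Ifaces-----------------------------
lan="fxp0"        # inside (hostel) network
lan2="fxp1"       # trunk towards the modems
inet="vlan1691"   # ADSL modem 1
inet2="vlan1692"  # ADSL modem 2
inet3="vlan1693"  # ADSL modem 3
inet4="vlan1694"  # ADSL modem 4
ifvtk="vlan1695"  # provider's local network
#IP groups--------------------------
hostel="10.0.0.0/24"  # inside network
net="192.168.0.0/16"  # provider's local network, reachable via $ifvtk only

#Internet access
##Stargazer (4141-4244): table 2 holds the users allowed to the Internet,
##table 3 the users allowed to the provider's network. These match on the
##LAN side; the uplink side is handled by the 6000+ rules.
fw_stargazer()
{
	###Internet for the users in table 2
	$fwa 04141 allow ip from "table(2)" to not $net in via $lan
	$fwa 04144 allow ip from not $net to "table(2)" out via $lan
	###Provider network for the users in table 3
	$fwa 04241 allow ip from "table(3)" to $net in via $lan
	$fwa 04244 allow ip from $net to "table(3)" out via $lan
}

##Outbound on the uplinks (6010-6050): Internet-bound traffic may leave
##through any modem, provider-network traffic only through the provider VLAN.
##Fix: these rules used "$vtk", a variable that is not defined in this
##script (only $net is) - with it empty the rules did not load at all.
fw_uplink_out()
{
	$fwa 06010 allow ip from any to not $net out via $inet
	$fwa 06020 allow ip from any to not $net out via $inet2
	$fwa 06030 allow ip from any to not $net out via $inet3
	$fwa 06040 allow ip from any to not $net out via $inet4
	$fwa 06050 allow ip from any to $net out via $ifvtk
}

##Inbound on the uplinks (6210-6260): replies, already de-NAT'ed by the nat
##rules at 5110-5150, to the user group pinned to each uplink. Tables 5-8
##hold the groups for modems 1-4, table 9 the limited-tariff users (also on
##modem 4), table 3 the provider-network users.
##Fix: the last rule used "$ifnet", which this script never defines (the
##provider VLAN is $ifvtk here).
fw_uplink_in()
{
	$fwa 06210 allow ip from not $net to "table(5)" in via $inet
	$fwa 06220 allow ip from not $net to "table(6)" in via $inet2
	$fwa 06230 allow ip from not $net to "table(7)" in via $inet3
	$fwa 06240 allow ip from not $net to "table(8)" in via $inet4
	$fwa 06250 allow ip from not $net to "table(9)" in via $inet4
	$fwa 06260 allow ip from $net to "table(3)" in via $ifvtk
}

##The server's own traffic (60200-65000) and a logged catch-all.
fw_self()
{
	##ICMP: outbound anything; inbound only the types the router needs -
	##echo reply/request (0/8) for ping, destination unreachable (3) for
	##path-MTU discovery, time exceeded (11) for traceroute. Redirects,
	##timestamp and mask requests etc. fall through to the default deny.
	$fwa 60200 allow icmp from me to any
	$fwa 60250 allow icmp from any to me icmptypes 0,3,8,11
	##Allow all outgoing
	$fwa 65000 allow ip from me to any
	##Same verdict as the implicit rule 65535, but logged so that dropped
	##traffic is visible (capped at IPFIREWALL_VERBOSE_LIMIT entries).
	$fwa 65100 deny log ip from any to any
}

fw_stargazer
fw_uplink_out
fw_uplink_in
fw_self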
А теперь – самое интересное 🙂 Шейпинг:
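#!/bin/sh
# Shaping / NAT / policy routing - common variables and the dummynet pipes.
#IPFW--------------------------------
fw="/sbin/ipfw -q"
fwa="/sbin/ipfw -q add"
fwt="/sbin/ipfw table"
#Env--------------------------------- modem / provider gateways
gw0="192.169.1.1"  # server's own table (fib 0); the same modem as gw1
gw1="192.169.1.1"
gw2="192.169.2.1"
gw3="192.169.3.1"
gw4="192.169.4.1"
# NOTE(review): gw5 is not used below, and no 192.169.5.0/24 is configured
# anywhere (vlan1695 is 192.168.100.9/24 in rc.conf).
gw5="192.169.5.1"
#Ifaces-----------------------------
lan="fxp0"        # inside (hostel) network
lan2="fxp1"       # trunk towards the modems
inet="vlan1691"   # ADSL modem 1
inet2="vlan1692"  # ADSL modem 2
inet3="vlan1693"  # ADSL modem 3
inet4="vlan1694"  # ADSL modem 4
ifnet="vlan1695"  # provider's local network
#IP's-------------------------------
iplan="10.0.0.1"
ipnet="192.168.100.9"
#IP groups--------------------------
hostel="10.0.0.0/24"
net="192.168.0.0/16"
#Priority--------------------------- WF2Q+ weights: a larger weight gets a larger share of the pipe
tcphigh=100
tcpother=40
udpall=20
ipall=20
#TCP ports that get the high-priority queue (interactive / web / IM / game traffic)
tcp_ports="20,21,22,53,80,81,443,5190,5222,3128,8080,8081,8088,28960"
#Queue sizes are estimated as described here:
#http://www.opennet.ru/tips/info/1411.shtml
#Queue size-------------------------
qdowni="350Kbytes"
qupi="50Kbytes"
qdownnet="550Kbytes"
qupnet="70Kbytes"
#Speed------------------------------
##Main outgoing queue (per ADSL)
upi=500Kbit/s
##Main downloading queue (per ADSL)
downi=3400Kbit/s
##NET outgoing queue (provider network)
upnet=800Kbit/s
##net downloading queue (provider network)
downnet=5000Kbit/s
#GRED parameters shared by every pipe
gred="gred 0.002/10/30/0.1"

#Pipes, one per direction per uplink: odd hundreds = download (into the
#LAN), even hundreds = upload. 100/200 ADSL1, 300/400 ADSL2, 500/600 ADSL3,
#700/800 ADSL4, 900/1000 provider network.
configure_pipes()
{
	local p
	for p in 100 300 500 700; do
		$fw pipe $p config bw $downi queue $qdowni $gred
		$fw pipe $((p + 100)) config bw $upi queue $qupi $gred
	done
	#Fix: these two used $qdownvtk / $qupvtk, which were never defined, so
	#the provider-network pipes were configured with no queue size.
	$fw pipe 900 config bw $downnet queue $qdownnet $gred
	$fw pipe 1000 config bw $upnet queue $qupnet $gred
}
configure_pipes
#-----------------------------------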
#Queues: four WF2Q+ queues per pipe, one per traffic class - tcp on the
#priority ports ($tcphigh), other tcp, udp, everything else - each split by
#the /32 mask into one sub-queue per LAN host, so the hosts share a pipe
#instead of one download starving the rest.
#inet --> LAN: keyed on the destination address (the LAN host receiving)
for pipe in 100 300 500 700; do
	$fw queue $((pipe + 1)) config weight $tcphigh pipe $pipe gred 0.002/10/30/0.1 mask dst-ip 0xffffffff
	$fw queue $((pipe + 2)) config weight $tcpother pipe $pipe gred 0.002/10/30/0.1 mask dst-ip 0xffffffff
	$fw queue $((pipe + 3)) config weight $udpall pipe $pipe gred 0.002/10/30/0.1 mask dst-ip 0xffffffff
	$fw queue $((pipe + 4)) config weight $ipall pipe $pipe gred 0.002/10/30/0.1 mask dst-ip 0xffffffff
done
#LAN --> inet: keyed on the source address (the LAN host sending)
for pipe in 200 400 600 800; do
	$fw queue $((pipe + 1)) config weight $tcphigh pipe $pipe gred 0.002/10/30/0.1 mask src-ip 0xffffffff
	$fw queue $((pipe + 2)) config weight $tcpother pipe $pipe gred 0.002/10/30/0.1 mask src-ip 0xffffffff
	$fw queue $((pipe + 3)) config weight $udpall pipe $pipe gred 0.002/10/30/0.1 mask src-ip 0xffffffff
	$fw queue $((pipe + 4)) config weight $ipall pipe $pipe gred 0.002/10/30/0.1 mask src-ip 0xffffffff
done
#WAN --> LAN (provider network, download)
$fw queue 901 config weight $tcphigh pipe 900 gred 0.002/10/30/0.1 mask dst-ip 0xffffffff
$fw queue 902 config weight $tcpother pipe 900 gred 0.002/10/30/0.1 mask dst-ip 0xffffffff
$fw queue 903 config weight $udpall pipe 900 gred 0.002/10/30/0.1 mask dst-ip 0xffffffff
$fw queue 904 config weight $ipall pipe 900 gred 0.002/10/30/0.1 mask dst-ip 0xffffffff
#LAN --> WAN (provider network, upload)
$fw queue 1001 config weight $tcphigh pipe 1000 gred 0.002/10/30/0.1 mask src-ip 0xffffffff
$fw queue 1002 config weight $tcpother pipe 1000 gred 0.002/10/30/0.1 mask src-ip 0xffffffff
$fw queue 1003 config weight $udpall pipe 1000 gred 0.002/10/30/0.1 mask src-ip 0xffffffff
$fw queue 1004 config weight $ipall pipe 1000 gred 0.002/10/30/0.1 mask src-ip 0xffffffff
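#-----------------------------------
#NAT: one instance per uplink. same_ports keeps the source port where it
#can, reset flushes the translation table when the interface address
#changes (modem reconnect), deny_in drops inbound packets that match no
#existing translation - nothing unsolicited from an uplink reaches the LAN
#through the NAT.
nat_instance()
{
	$fw nat $1 config if $2 same_ports reset deny_in
}
configure_nat()
{
	nat_instance 100 $inet
	nat_instance 200 $inet2
	nat_instance 300 $inet3
	nat_instance 400 $inet4
	nat_instance 500 $ifnet
}
#-----------------------------------
##Routing tables: fib 0 (the server itself) and fib 1 (group 1) go via
##modem 1, fibs 2-4 via modems 2-4. The setfibN rc.d scripts install the
##same defaults at boot; they are redone here so that re-running this
##script after a gateway change leaves every table consistent.
set_default_route()
{
	setfib $1 route delete default
	setfib $1 route add default $2
}
###Clients route tables 1200-1599: packets of each user group arriving on
###the LAN are tagged with the group's fib before any other rule sees them
###(setfib does not terminate the search, so matching continues below).
###Fixes: fib 3 reused rule numbers 1310-1330 of fib 2 (ipfw accepts the
###duplicates, but "ipfw delete 1310" would then remove both groups); and
###every group also had rules for "$vlan1204"/"$vlan1205", variables that
###are defined nowhere in this setup (those rules failed to load) - they
###are dropped here; add them back only if such VLANs exist.
configure_policy_routing()
{
	set_default_route 0 $gw0
	set_default_route 1 $gw1
	$fwa 01210 setfib 1 ip from "table(5)" to any in recv $lan
	set_default_route 2 $gw2
	$fwa 01310 setfib 2 ip from "table(6)" to any in recv $lan
	set_default_route 3 $gw3
	$fwa 01410 setfib 3 ip from "table(7)" to any in recv $lan
	set_default_route 4 $gw4
	$fwa 01510 setfib 4 ip from "table(8)" to any in recv $lan
	###---Table 9 for limit tariff users: also via modem 4
	$fwa 01520 setfib 4 ip from "table(9)" to any in recv $lan
}
configure_nat
configure_policy_routing
#-----------------------------------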
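#NAT & queues
##Outgoing queues (5011-5069). Every user group gets the same nine rules,
##built by shape_out: a packet is put in the class queue of its uplink and
##then sent to that uplink's nat rule with skipto. The queue/skipto pairing
##only works with net.inet.ip.fw.one_pass=0, which makes a packet leaving
##dummynet re-enter the ruleset at the next rule; that sysctl is not shown
##in this howto - confirm it is set (e.g. in /etc/sysctl.conf), otherwise
##queued packets are accepted without ever being NAT'ed.
##"Other tcp" is expressed by rule order (the priority ports are queued and
##jump away first) rather than by "to not any $tcp_ports", so it no longer
##depends on how ipfw applies "not" to an "any" address with a port list.
##Fix: the provider-network "other tcp" rule said "to not $net", matching
##nothing useful, so that class was never shaped.
# shape_out <rule-base> <table> <iface> <queue-base> <nat-rule> <dst>
#   rules base+1..base+9; queues qbase+1 (tcp, priority ports), qbase+2
#   (other tcp), qbase+3 (udp), qbase+4 (everything else); icmp shares the
#   priority queue. <dst> restricts which destinations are shaped.
shape_out()
{
	local base=$1 tbl=$2 ifc=$3 q=$4 natr=$5 dst=$6
	$fwa $((base + 1)) queue $((q + 1)) tcp from "table($tbl)" to $dst $tcp_ports out xmit $ifc
	$fwa $((base + 2)) skipto $natr tcp from "table($tbl)" to $dst $tcp_ports out xmit $ifc
	$fwa $((base + 3)) queue $((q + 2)) tcp from "table($tbl)" to $dst out xmit $ifc
	$fwa $((base + 4)) skipto $natr tcp from "table($tbl)" to any out xmit $ifc
	$fwa $((base + 5)) queue $((q + 3)) udp from "table($tbl)" to $dst out xmit $ifc
	$fwa $((base + 6)) skipto $natr udp from "table($tbl)" to any out xmit $ifc
	$fwa $((base + 7)) queue $((q + 1)) icmp from "table($tbl)" to $dst out xmit $ifc
	$fwa $((base + 8)) skipto $natr icmp from "table($tbl)" to any out xmit $ifc
	$fwa $((base + 9)) queue $((q + 4)) ip from "table($tbl)" to $dst out xmit $ifc
}
###ADSL1-4: groups in tables 5-8, pipes 200/400/600/800, nat rules 5110-5140
shape_out 5010 5 $inet 200 5110 any
shape_out 5020 6 $inet2 400 5120 any
shape_out 5030 7 $inet3 600 5130 any
shape_out 5040 8 $inet4 800 5140 any
###Users on limited tariffs (table 9) share modem 4 and are served first:
###everything of theirs goes into the high-priority queue and then falls
###through to the nat rules (5140 matches $inet4).
$fwa 05051 queue 801 ip from "table(9)" to any out xmit $inet4
###ADSL5 (provider network): only traffic to $net is shaped; the rest is
###just handed to nat 500.
shape_out 5060 3 $ifnet 1000 5150 $net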
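#-----------------------------------
##NAT (5110-5150): outbound packets arrive here through the skipto rules
##above; inbound packets hit these first (lowest-numbered rules matching
##"in" on the uplinks) and are de-NAT'ed before being queued below.
$fwa 05110 nat 100 ip from any to any via $inet
$fwa 05120 nat 200 ip from any to any via $inet2
$fwa 05130 nat 300 ip from any to any via $inet3
$fwa 05140 nat 400 ip from any to any via $inet4
$fwa 05150 nat 500 ip from any to any via $ifnet
#----------------------------------
##Incoming queues (5311-5369): mirror of the outgoing ones. After the class
##queue the packet is sent with skipto to the allow rules at 6010+.
##Requires net.inet.ip.fw.one_pass=0 like the outgoing queues.
##Fixes: for tables 8 and 3 the three skipto rules all carried one number
##(05347 / 05367), so ipfw ordered them after the catch-all "ip" queue rule
##and every inbound packet of those groups was queued twice (class queue,
##then the everything-else queue); and the table 3 catch-all used "$vtk",
##an undefined variable, so it never loaded.
# shape_in <rule-base> <table> <iface> <queue-base> <src>
#   rules base+1..base+9; queues qbase+1 (tcp, priority ports), qbase+2
#   (other tcp), qbase+3 (udp), qbase+4 (everything else); icmp shares the
#   priority queue. <src> restricts which sources are shaped.
shape_in()
{
	local base=$1 tbl=$2 ifc=$3 q=$4 src=$5
	$fwa $((base + 1)) queue $((q + 1)) tcp from $src $tcp_ports to "table($tbl)" in recv $ifc
	$fwa $((base + 2)) skipto 6010 tcp from $src $tcp_ports to "table($tbl)" in recv $ifc
	$fwa $((base + 3)) queue $((q + 2)) tcp from $src to "table($tbl)" in recv $ifc
	$fwa $((base + 4)) skipto 6010 tcp from $src to "table($tbl)" in recv $ifc
	$fwa $((base + 5)) queue $((q + 3)) udp from $src to "table($tbl)" in recv $ifc
	$fwa $((base + 6)) skipto 6010 udp from $src to "table($tbl)" in recv $ifc
	$fwa $((base + 7)) queue $((q + 1)) icmp from $src to "table($tbl)" in recv $ifc
	$fwa $((base + 8)) skipto 6010 icmp from $src to "table($tbl)" in recv $ifc
	$fwa $((base + 9)) queue $((q + 4)) ip from $src to "table($tbl)" in recv $ifc
}
###ADSL1-4: groups in tables 5-8, pipes 100/300/500/700
shape_in 5310 5 $inet 100 any
shape_in 5320 6 $inet2 300 any
shape_in 5330 7 $inet3 500 any
shape_in 5340 8 $inet4 700 any
###Users on limited tariffs (table 9): everything into the high-priority queue
$fwa 05351 queue 701 ip from any to "table(9)" in recv $inet4
$fwa 05352 skipto 6010 ip from any to "table(9)" in recv $inet4
###ADSL5 (provider network): only traffic from $net is shaped
shape_in 5360 3 $ifnet 900 $net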
Такая схема работает более или менее успешно. Пользователи распихиваются по таблицам примерно поровну, после чего за каждой группой пользователей закрепляется “свой” канал.
Все вопросы можно задавать тут)