Odd Red Dog

Using FreeBSD's dummynet to Simulate Slow/Unreliable Networks

31 August 2013

Here's an easy way to simulate unreliable networks using FreeBSD's ipfw firewall. It allows you to control things like bandwidth, latency and packet loss. It also works on Mac, Linux and Windows, although some features might not work on all platforms (like shaping the traffic of a bridge in Linux).

More details about dummynet can be obtained here:

dummynet

FreeBSD man page for ipfw

Initial Setup

Starting from a vanilla FreeBSD 9.1 install you'll need to first enable the firewall before moving on. This is done by adding the following lines to /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

Note that the second line tells FreeBSD to load our own configuration file. That file will simply contain a bunch of ipfw commands as if they were executed from the shell. We'll get back to that later...

Next, you need to tell FreeBSD to load the actual module that is used to implement the traffic shaping. You can load this module manually by calling kldload dummynet or you can have it loaded automatically at boot time by adding the following line to /boot/loader.conf:

dummynet_load="YES"

Once this is done you can reboot your system and validate that both the ipfw and dummynet modules are loaded by running kldstat.

Creating the pipe

This example is pretty simple: set bandwidth, latency and packet loss limits on a pipe and pass all traffic through it. That is, all traffic from any interface. If you wanted to target specific interfaces or get more granular control, you would do so by using less generic rules in the various ipfw commands.

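The next step is setting up the actual firewall rules, which go in the /etc/ipfw.rules file referenced earlier (the same commands can also be run from the shell). Here we're setting up a pipe that will affect all traffic by adding a delay of 100ms, dropping 10% of the packets and limiting the bandwidth to 256Kbit/s.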

ipfw -q -f flush
ipfw pipe 1 config delay 100ms plr 0.1 bw 256Kbit/s
ipfw add 100 pipe 1 all from any to any

That should be it. You should now be able to test the additional delay and packet loss by running something like ping www.google.com and by looking at its output.

To view details about the current rules, you can use ipfw list and ipfw pipe list.
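For the more granular control mentioned above, here is an added example (not from the original post) that prints a rules file body shaping a single interface with one pipe per direction, and estimates what ping should then report. It relies on ipfw checking rules on both inbound and outbound packets; the interface name em0 and the rule numbers 110 and 65000 are assumptions, and the final allow rule is there because traffic that matches neither pipe would otherwise reach the default rule, which denies unless the kernel was built to default to accept.

```shell
#!/bin/sh
# Added example: print an /etc/ipfw.rules body that shapes one interface
# with a separate pipe per direction. Nothing is applied to the firewall;
# the rules are only written to stdout for review.

# gen_shaping_rules IFACE DELAY_MS PLR BW
gen_shaping_rules() {
    iface=$1; delay=$2; plr=$3; bw=$4
    case $iface in
        ''|*[!A-Za-z0-9_.]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $delay in
        ''|*[!0-9]*) echo "bad delay (ms): $delay" >&2; return 1 ;;
    esac
    case $plr in
        ''|.|*[!0-9.]*|*.*.*) echo "bad plr: $plr" >&2; return 1 ;;
    esac
    # plr is a probability, so reject anything above 1
    awk -v p="$plr" 'BEGIN { exit !(p + 0 <= 1) }' ||
        { echo "plr out of range: $plr" >&2; return 1; }
    case $bw in
        [0-9]*bit/s|[0-9]*Byte/s) ;;
        *) echo "bad bandwidth: $bw" >&2; return 1 ;;
    esac
    cat <<EOF
ipfw -q -f flush
ipfw pipe 1 config delay ${delay}ms plr $plr bw $bw
ipfw pipe 2 config delay ${delay}ms plr $plr bw $bw
ipfw add 100 pipe 1 all from any to any out xmit $iface
ipfw add 110 pipe 2 all from any to any in recv $iface
ipfw add 65000 allow all from any to any
EOF
}

# ping_effect DELAY_MS PLR
# An echo request crosses one pipe and its reply crosses the other, so the
# round trip gains 2*delay and a ping fails if either packet is dropped.
ping_effect() {
    awk -v d="$1" -v p="$2" 'BEGIN {
        printf "rtt+%dms loss=%.0f%%\n", 2 * d, (1 - (1 - p) * (1 - p)) * 100
    }'
}

# Constructed usage with the values from the post; em0 is an assumed name.
gen_shaping_rules em0 100 0.1 256Kbit/s
ping_effect 100 0.1
```

The same arithmetic applies to the single-pipe rule above: since it has no in or out qualifier, both the request and the reply pass through pipe 1, so ping should show roughly 200ms of added round-trip time and about 19% loss rather than 100ms and 10%.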

This is really just scratching the surface of a very powerful tool. See the man page for ipfw for all the possible configuration options.