Hi
I'm sharing a connection and I'm trying to set aside bandwidth for some
users. Here is the pftop -v queue log
QUEUE BANDW SCH PRIO PKTS BYTES
DROP_P DROP_B QLEN BORROW SUSPENDS P/S B/S
std_out priq 350 55249
0
dns_out priq 4 6 464
0
games_out priq 5 461 25566 0
ssh_out priq 6 0 0
0
tcp_ack_out priq 7 0 0 0
root_xl0 10M cbq 0 657 104572
0
std_in 7M cbq 657 104572
0
luke_in 1M cbq 0 0
0
pete_in 1M cbq 0 0
0
nick_in 1M cbq 0 0
0
As you can see the priq outbound queues work, But I can't get the cbq to
work for inbound connections. All connections just go to the default
queue.
Here is my pf.conf -> love to hear your thoughts, I've tried everything!
# cat /etc/pf.conf
# macros
int_if = "xl0"
ext_if = "xl1"
tcp_services = "{ 22, 113, 5050, 443, 80 }"
udp_services = "{ 443, 5050 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
luke = "192.168.0.15"
nick = "192.168.0.49"
pete = "192.168.0.20"
myth = "192.168.0.253"
obsd = "192.168.0.250"
games = "{ 6112:6119, 4711, 29900:29901, 1024:1124, 1500:4999, 27900,
28910, 16567, 55123:55125, 27910, 27960, 4000, 27020:27050, 1200,
27000:27015 }"
# options
set block-policy return
set loginterface $ext_if
set optimization aggressive
# scrub
scrub in all
scrub out on $ext_if all random-id
#prioritization
#outbound
altq on $ext_if priq bandwidth 10Mb queue { std_out, web_req, dns_out,
games_out, ssh_out, tcp_ack_out }
queue std_out priq(default)
queue web_req priority 3
queue dns_out priority 4
queue games_out priority 5
queue ssh_out priority 6
queue tcp_ack_out priority 7
#inbound
altq on $int_if cbq bandwidth 10Mb queue { std_in, luke_in, pete_in,
nick_in }
queue std_in bandwidth 70% cbq(default borrow ecn)
queue luke_in bandwidth 10% cbq(borrow ecn)
queue pete_in bandwidth 10% cbq(borrow ecn)
queue nick_in bandwidth 10% cbq(borrow ecn)
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128
rdr on $ext_if proto { tcp, udp } from any to any port 443 -> $int_if
port 22
rdr on $ext_if proto { tcp, udp } from any to any port www -> $myth port
www
# filter rules
block log all
pass quick on lo0 all
#stop spoofing
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
#pass rules
pass in on $ext_if proto tcp from port 20 to ($ext_if) user proxy flags
S/SA keep state
pass in on $ext_if proto tcp from any to any port $tcp_services modulate
state flags S/SA
pass in on $ext_if proto udp from any to any port $udp_services keep
state
#allow icmp
pass in inet proto icmp all icmp-type $icmp_types keep state
#allow all traffic to and from lan
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $int_if from any to $luke keep state queue luke_in
pass out on $int_if from any to $pete keep state queue pete_in
pass out on $int_if from any to $nick keep state queue nick_in
#let internal traffic access external using queues defined above
pass out on $ext_if proto tcp all modulate state flags S/SA queue
(std_out, tcp_ack_out)
pass out on $ext_if proto { udp, icmp } all keep state queue std_out
pass out on $ext_if proto tcp from any to any port www modulate state
queue web_req
pass out on $ext_if proto { tcp udp } from any to any port domain keep
state queue dns_out
pass out on $ext_if proto { tcp udp } from any to any port $games keep
state queue games_out
pass out on $ext_if proto tcp from any to any port ssh modulate state
queue ssh_out
pass out on $ext_if proto esp all keep state
