On 4/8/2007 10:12 AM Drew Tomlinson said the following:
I am struggling to get pf set up correctly. Specifically I don't
understand why I don't see any packets in the "pfctl -vs queue" output
for a queue I named "voip_out". I see the packets matching rule 61 &
rule 62 when viewing the log with "tcpdump -netttti pflog0":
2007-04-08 09:54:25.392552 rule 61/0(match): pass in on dc0: 192.168.1.7.5060 > 72.165.163.9.5060: SIP, length: 394
2007-04-08 09:54:54.580693 rule 62/0(match): pass in on dc0: 192.168.1.7 > 192.168.1.2: ICMP echo request, id 16724, seq 43514, length 40
2007-04-08 09:55:13.532744 rule 61/0(match): pass in on dc0: 192.168.1.7.5060 > 72.165.163.9.5060: SIP, length: 394
Rules 61 & 62 are:
@61 pass log quick inet proto udp from 192.168.1.7 to any keep state queue voip_out
  [ Evaluations: 7237  Packets: 44   Bytes: 18502  States: 1 ]
@62 pass log quick inet proto icmp from 192.168.1.7 to any keep state queue voip_out
  [ Evaluations: 331   Packets: 142  Bytes: 8520   States: 1 ]
Yet here is the "pfctl -vs queue" output:
queue voip_out bandwidth 175Kb priority 6 hfsc( realtime 140Kb )
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
I have rules to prioritize http traffic and queuing works as expected
there. Can anyone please explain to me why I am seeing this
behavior? And is there some way to actually watch traffic passing
through the queues?
OK, I've done some more digging and maybe I understand now. I was
missing the fact that NAT occurs BEFORE filtering (yes, now I see where
it's written in the OpenBSD PF FAQ). :)
So with this in mind, is there a way to write a rule to put traffic from
a node on the internal network in a specific queue? For example, I want
my VoIP phone (192.168.1.7) device to have outbound priority over all
other traffic. My network is configured like this:
internal network ----- dc0 - FBSD router - dc1 ----- Internet
So what's happening is that the traffic from the VoIP device enters the
router via dc0 and matches rule 61 as listed above. But then NAT occurs
and now the packet is no longer from 192.168.1.7 but my public IP and
thus it doesn't match rule 61. It matches rule 75 which is:
@75 pass log-all quick inet proto udp from 66.205.146.210 to any keep state queue(std_out, ack_out)
I can also see via tcpdump that the destination ports are either 5060 or
5200 so I guess I could filter on that. But I really don't want to
prioritize traffic to 5060 or 5200 from ALL nodes on my internal
network, just from 192.168.1.7. Plus what about the case where a
destination port might be random? Then how would one filter?
Thanks,
Drew
--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
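The usual way around the "NAT happens before filtering" problem described in the post is to tag the packet on the internal interface, while its source address is still the private one, and then select the queue on the external interface by tag instead of by address. The following pf.conf fragment is an added example, not configuration from the post or from the FreeBSD project; the interface names dc0/dc1, the host 192.168.1.7 and the queue names voip_out, std_out and ack_out come from the post, while the 512Kb uplink bandwidth, the 192.168.1.0/24 subnet, the bandwidth split of the other queues and the tag name VOIP are assumptions.

```conf
# Added example, not from the original post. Assumed: 512Kb uplink, LAN on
# 192.168.1.0/24 reachable via dc0, tag name VOIP, queue splits below.
ext_if    = "dc1"
int_if    = "dc0"
voip_host = "192.168.1.7"

# Queues only shape traffic leaving $ext_if; one queue must be the default.
altq on $ext_if hfsc bandwidth 512Kb queue { voip_out, std_out, ack_out }
queue voip_out bandwidth 175Kb priority 6 hfsc(realtime 140Kb)
queue std_out  bandwidth 237Kb priority 1 hfsc(default)
queue ack_out  bandwidth 100Kb priority 5 hfsc(realtime 50Kb)

# Translation is applied before the filter rules are evaluated, so a packet
# leaving on $ext_if already carries the public address as its source.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Tag on the way in, while the source is still 192.168.1.7. The tag is kept
# with the state, so it survives NAT and does not depend on the destination
# port (SIP on 5060, RTP on a random port, ICMP: all get the same tag).
pass in quick on $int_if from $voip_host to any tag VOIP keep state

# On the way out, pick the queue by tag rather than by source address.
pass out quick on $ext_if tagged VOIP queue voip_out keep state

# Everything else from the LAN goes to the bulk queues, as rule 75 did.
pass out quick on $ext_if from ($ext_if) to any keep state queue(std_out, ack_out)
```

The section order (macros, queueing, translation, filter rules) is the one pf.conf(5) requires; the tagging rule replaces the existing rule 61/62 pair rather than sitting beside it, since those rules are `quick` and would otherwise match first without tagging. To watch packets actually entering a queue, `pfctl -vvs queue` reprints the per-queue counters every few seconds, so the pkts and bytes fields of voip_out should start climbing during a call.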