Hi,

I use PF to manage the traffic going through a VPN connection (ng0 to ng1). I am also able to manage the traffic on the device where I expect the VPN traffic (ed1 and ed2). But now my problem starts: I also want to manage the outgoing traffic on ed0 to the WAN side.

On my router Squid is installed, so I thought that all packets generated by my FreeBSD machine could be put into a queue for ed0. If I check the settings with pftop, then everything looks fine. But it looks like the limits for the upper limit are totally ignored.

So I did a check from the other side. I installed Apache on that server and tried to download a file from that server. And hey, there is my bandwidth management.

So I am confused. How can I handle the traffic generated by Squid on the router on the WAN interface?

cu assetburned

---- my pf.config ----

#
# Version 2008-08-22-014
# based on https://calomel.org/pf_config.html
# manual at: http://www.openbsd.org/faq/pf/

### some basics ###
# following line is only possible if the two variables are defined before this line!
# IntIF = "{" $IntIF1 $IntIF2 "}"
#
# following line is not possible. there have to be at least two variables!
# ExtIF = "{" $ExtIF1 "}"
#
# following line is not possible because there would be {something {something, something}}
# Whatever = "{" $ExtIF1 $IntIF "}"


##### Interfaces #####

 ExtIF1       = "ed0"    # this is the WAN connection
 IntIF1       = "ed1"    # this is the real connection to all 192.168.4.x
 IntIF2       = "ed2"    # this is the real connection to all 192.168.3.x
 LocIF        = "lo0"
 ExtIF        = "ed0"
 IntIF        = "{" $IntIF1 $IntIF2 "}"
 VPNIF0       = "ng0"
 VPNIF1       = "ng1"

# keep in mind this is only usable for nat and rdr and not for the pass rules because of the different queues!
 VPNIF        = "{" $VPNIF0 $VPNIF1 "}"

##### Speeds ####
### Interface ###

 E1_speed     = "1Mb"
 IntIF1_speed = "10Mb"
 IntIF2_speed = "10Mb"
 VPN_speed    = "3Mb"

### Protocol ###
 VPN_green    = "1Mb"
 VPN_yello    = "512Kb"
 VPN_red      = "256Kb"

##### Hosts #####
# for the case there are internal servers
 H_squid      = "192.168.5.5"
 H_sshd       = "192.168.4.5"
 H_vpnd       = "192.168.4.5"
 H_apache     = "192.168.4.5"
 H_apacheV    = "192.168.5.5"    # the proxy where the PAC file is hosted inside the VPN
 H_mail       = "10.10.98.217"   # have to check that, this is another lab computer!

# special LSBU server (green listed)
 H_LOVE_MA    = "10.10.60.60"    # mail.
 H_LOVE_BB    = "10.10.76.13"    #
 H_LOVE_EC    = "10.10.98.146"   #
 H_LOVE_PB    = "10.10.109.128"  #
 H_LOVE_WW    = "10.10.109.120"  #
 H_LOVE_LB    = "10.10.109.180"  #
 H_LOVE_LP    = "10.10.109.178"  #
 H_LOVE_LR    = "10.10.109.181"  #
 H_LOVE_DH    = "any"              # the DHCP server
H_LOVE = "{" $H_LOVE_MA $H_LOVE_BB $H_LOVE_EC $H_LOVE_PB $H_LOVE_WW $H_LOVE_LB $H_LOVE_LP $H_LOVE_LR "}"

#### Protocols ####
# Well known ports
 P_squid      = "3128"
 P_msproxy    = "8080"
 P_proxy      = "{" $P_squid $P_msproxy "}"
 P_http       = "80"
 P_https      = "443"
 P_brows      = "{" $P_http $P_https "}"
 P_pop3       = "110"
 P_pop3s      = "995"
 P_imaps      = "993"
 P_imap       = "143"
 P_smtp       = "25"
 P_smtps      = "465"
P_mail = "{" $P_pop3 $P_pop3s $P_imaps $P_imap $P_smtp $P_smtps "}"
 P_ssh        = "22"
 P_dns        = "53"
 P_vpnd       = "1723"
 P_samba      = "{ 137, 138, 139 }"

 ## Low Priority Squid ##
 P_LPS        = "31280"

#### Host & Port combinations ####
 HP_squid     = $H_squid  " port " $P_squid
 HP_LPS       = $H_squid  " port " $P_LPS
 HP_apache    = $H_apache " port " $P_http
 HP_apacheV   = $H_apacheV " port " $P_http
 HP_vpnd      = $H_vpnd   " port " $P_vpnd
HP_mail = $H_mail " port {" $P_pop3 $P_pop3s $P_imaps $P_imap $P_smtp $P_smtps "}"

#### Networks ####
 N_ExtIF1     = "10.10.0.0/16"
 N_IntIF1     = "192.168.4.0/24"
 N_IntIF2     = "192.168.3.0/24"
 N_VPN        = "192.168.5.0/24"
# I don't know why it isn't possible to use the variables from above.
 N_intern     = "{ 192.168.4.0/24 , 192.168.3.0/24 }"

 N_priv1      = "127.0.0.0/8"
 N_priv2      = "172.16.0.0/12"
 N_priv3      = "169.254.0.0/16"
 N_priv4      = "192.168.0.0/16"
N_privat = "{ 127.0.0.0/8 , 172.16.0.0/12 , 169.254.0.0/16 , 192.168.0.0/16 }"

### States & Queues ###
 SynState     = "flags S/SAFR synproxy state"
 TcpState     = "flags S/SAFR modulate state"
 UdpState     = "keep state"

### Stateful Tracking Options ###
 ExtIfSTO     = "(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
 IntIfSTO     = "(max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)"

### Options ###
 set optimization aggressive
 set block-policy drop
 set ruleset-optimization basic

##### Normalization #####
# to hide what is going on in the LAN
# and to be sure that an optimum of payload is sent by each packet.
scrub log on $ExtIF all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#### queueing ####
# check for example: http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained
# check for more: http://puffer.sru.ac.th/OpenBSD/firewall page 213ff
# check also : https://calomel.org/pf_config.html
# note: ALTQ only shapes packets leaving an interface; the queue named on a "pass in" rule
#       takes effect on the reply packets as they go back out of that interface
# note: a percentage given for a child queue is a share of its parent queue, not of the link

## physical interfaces ##
altq on $ExtIF1 bandwidth $E1_speed hfsc(linkshare $E1_speed upperlimit $E1_speed) queue {E1_Imp, E1_LSB, E1_Ext, E1_def }
 queue E1_Imp      bandwidth 10% qlimit 500 priority 9 hfsc( linkshare 10% ) {E1_ICM, E1_DNS}
   queue E1_ICM      bandwidth  2%                   priority 8 hfsc(realtime  2% )
   queue E1_DNS      bandwidth  8%                   priority 8 hfsc(realtime  8% )
 queue E1_LSB      bandwidth 50%            priority 8 hfsc( linkshare 50% ) {E1_LSS, E1_PUB, E1_OTH}
  queue E1_LSS     bandwidth  5% qlimit 500 priority 7 hfsc(realtime  5% ) {E1_SLO, E1_SBU}
   queue E1_SLO      bandwidth  1%                   priority 6 hfsc
   queue E1_SBU      bandwidth  4%                   priority 6 hfsc
  queue E1_PUB     bandwidth 30% qlimit 500 priority 7 hfsc(realtime 30% ) {E1_PCO, E1_PBU}
   queue E1_PCO      bandwidth 10%                   priority 6 hfsc
   queue E1_PBU      bandwidth 20%                   priority 6 hfsc
  queue E1_OTH     bandwidth 15% qlimit 500 priority 6 hfsc(realtime 15% ) {E1_OCO, E1_OBU}
   queue E1_OCO      bandwidth 10%                   priority 5 hfsc
   queue E1_OBU      bandwidth  5%                   priority 5 hfsc
 queue E1_Ext      bandwidth 35%            priority 7 hfsc( linkshare 35% ) {E1_GOO, E1_BAD}
  queue E1_GOO     bandwidth 30% qlimit 500 priority 6 hfsc(realtime 30% ) {E1_GCO, E1_GBU}
   queue E1_GCO      bandwidth 10%                   priority 5 hfsc
   queue E1_GBU      bandwidth 20%                   priority 5 hfsc
  queue E1_BAD     bandwidth  5%            priority 5 hfsc(realtime  5% ) {E1_BCO, E1_BBU}
   queue E1_BCO      bandwidth  2%                   priority 4 hfsc
   queue E1_BBU      bandwidth  3%                   priority 4 hfsc
 queue E1_def      bandwidth  5%            priority 1 hfsc(realtime 5% upperlimit 20% default)

altq on $IntIF1 bandwidth $IntIF1_speed hfsc(linkshare $IntIF1_speed upperlimit $IntIF1_speed) queue {I1_VPN, I1_non, I1_def}
 queue I1_VPN      bandwidth 80% priority 9 hfsc( linkshare 80% )
 queue I1_non      bandwidth 19% priority 5 hfsc( linkshare 18% )
 queue I1_def      bandwidth  1% priority 1 hfsc(realtime 1% linkshare 2% default)

altq on $IntIF2 bandwidth $IntIF2_speed hfsc(linkshare $IntIF2_speed upperlimit $IntIF2_speed) queue {I2_VPN, I2_non, I2_def}
 queue I2_VPN      bandwidth 80% priority 9 hfsc( linkshare 80% )
 queue I2_non      bandwidth 19% priority 5 hfsc( linkshare 18% )
 queue I2_def      bandwidth  1% priority 1 hfsc(realtime 1% linkshare 2% default)

## vpn interfaces ##
altq on $VPNIF0 bandwidth $VPN_speed hfsc(linkshare $VPN_speed upperlimit $VPN_speed) queue {VPNIF0_green, VPNIF0_yello, VPNIF0_red}
 queue VPNIF0_green bandwidth $VPN_green priority 9 hfsc( linkshare $VPN_green )
 queue VPNIF0_yello bandwidth $VPN_yello priority 5 hfsc( linkshare $VPN_yello )
 queue VPNIF0_red   bandwidth $VPN_red   priority 1 hfsc(realtime $VPN_red linkshare $VPN_red upperlimit $VPN_red default)

altq on $VPNIF1 bandwidth $VPN_speed hfsc(linkshare $VPN_speed upperlimit $VPN_speed) queue {VPNIF1_green, VPNIF1_yello, VPNIF1_red}
 queue VPNIF1_green bandwidth $VPN_green priority 9 hfsc( linkshare $VPN_green )
 queue VPNIF1_yello bandwidth $VPN_yello priority 5 hfsc( linkshare $VPN_yello )
 queue VPNIF1_red   bandwidth $VPN_red   priority 1 hfsc(realtime $VPN_red linkshare $VPN_red upperlimit $VPN_red default)

##### Translation #####

## NAT ##
 nat on $ExtIF from $N_intern to $N_ExtIF1  port $P_dns   -> ($ExtIF1)
 nat on $ExtIF from $N_VPN    to $N_ExtIF1  port $P_brows -> ($ExtIF1)
 nat on $ExtIF from $N_VPN    to $H_mail/32 port $P_mail  -> ($ExtIF1)

## RDR ##
 no rdr on $LocIF from any to any

# all local traffic to proxies or webpages should be redirected to the local Apache
# (only the two internal interfaces defined above exist on this router)
rdr on $IntIF1 inet proto tcp from any to any port $P_brows -> $H_apache port 80
rdr on $IntIF2 inet proto tcp from any to any port $P_brows -> $H_apache port 80

## first global blocking rules ##
# remember because there is no quick in this rule this rule can be overwritten! #
 block                on $ExtIF
 block                on $IntIF
 block                on $VPNIF

# block some bad ssh hacker #
 table <denyhosts> persist file "/var/db/denyhosts"
block drop in quick from <denyhosts> to any

## do not send or receive LAN traffic on the WAN ##
block in  quick on $ExtIF1 inet from any to $N_privat
block in  quick on $ExtIF1 inet from $N_privat to any
block out quick on $ExtIF1 inet from any to $N_privat
block out quick on $ExtIF1 inet from $N_privat to any

# now make the blocking rules more precise #
# I know it is useless, but nice to see in pftop, and maybe some day this should be converted to pass rules #

## Samba is not allowed ##
block in  inet proto tcp from any port $P_samba to any
block in  inet proto udp from any port $P_samba to any
block out inet proto tcp from any to any port $P_samba
block out inet proto udp from any to any port $P_samba

## Pass rules for physical interfaces ##

# allow users without a VPN connection to see the VPN server's login page
pass in quick on $IntIF1 inet proto tcp from $IntIF1:network to $HP_apache keep state queue (I1_non, I1_VPN)
pass in quick on $IntIF2 inet proto tcp from $IntIF2:network to $HP_apache keep state queue (I2_non, I2_VPN)

# put the VPN traffic in its own queue on the right interface
pass out quick on $IntIF1 inet proto gre from $H_vpnd to $IntIF1:network queue I1_VPN
pass out quick on $IntIF2 inet proto gre from $H_vpnd to $IntIF2:network queue I2_VPN

## Pass rules for VPN interfaces ##
pass in  quick on $VPNIF0 inet proto tcp  from ($VPNIF0:peer) to $HP_apacheV queue VPNIF0_green
pass in  quick on $VPNIF0 inet proto tcp  from ($VPNIF0:peer) to $HP_squid queue VPNIF0_green
pass in  quick on $VPNIF0 inet proto tcp  from ($VPNIF0:peer) to $HP_LPS queue (VPNIF0_yello, VPNIF0_green)
pass in  quick on $VPNIF0 inet proto udp  from ($VPNIF0:peer) to any port $P_dns queue VPNIF0_green
pass in  quick on $VPNIF0 inet proto tcp  from ($VPNIF0:peer) to $H_LOVE port $P_brows queue VPNIF0_green
pass in  quick on $VPNIF0 inet proto tcp  from ($VPNIF0:peer) to $HP_mail queue (VPNIF0_yello, VPNIF0_green)
pass in  quick on $VPNIF0 inet proto tcp  from ($VPNIF0:peer) to $N_ExtIF1 port $P_brows queue (VPNIF0_yello, VPNIF0_green)
pass in  quick on $VPNIF0 inet proto icmp from ($VPNIF0:peer) to $N_ExtIF1 icmp-type 8 code 0 queue (VPNIF0_yello, VPNIF0_green)
pass out quick on $VPNIF0 inet proto icmp from any to ($VPNIF0:peer) icmp-type 8 code 0 queue (VPNIF0_yello, VPNIF0_green)

# same rules for the second VPN interface (every rule here must use $VPNIF1:peer, not $VPNIF0:peer)
pass in  quick on $VPNIF1 inet proto tcp  from ($VPNIF1:peer) to $HP_apacheV queue VPNIF1_green
pass in  quick on $VPNIF1 inet proto tcp  from ($VPNIF1:peer) to $HP_squid queue VPNIF1_green
pass in  quick on $VPNIF1 inet proto tcp  from ($VPNIF1:peer) to $HP_LPS queue (VPNIF1_yello, VPNIF1_green)
pass in  quick on $VPNIF1 inet proto udp  from ($VPNIF1:peer) to any port $P_dns queue VPNIF1_green
pass in  quick on $VPNIF1 inet proto tcp  from ($VPNIF1:peer) to $H_LOVE port $P_brows queue VPNIF1_green
pass in  quick on $VPNIF1 inet proto tcp  from ($VPNIF1:peer) to $HP_mail queue (VPNIF1_yello, VPNIF1_green)
pass in  quick on $VPNIF1 inet proto tcp  from ($VPNIF1:peer) to $N_ExtIF1 port $P_brows queue (VPNIF1_yello, VPNIF1_green)
pass in  quick on $VPNIF1 inet proto icmp from ($VPNIF1:peer) to $N_ExtIF1 icmp-type 8 code 0 queue (VPNIF1_yello, VPNIF1_green)
pass out quick on $VPNIF1 inet proto icmp from any to ($VPNIF1:peer) icmp-type 8 code 0 queue (VPNIF1_yello, VPNIF1_green)

## Pass rules for the WAN interface ##
pass in  on $ExtIF1 inet proto tcp  from $N_ExtIF1 to ($ExtIF1) $TcpState $ExtIfSTO queue (E1_OBU, E1_OCO)
pass in  on $ExtIF1 inet proto tcp  from $H_LOVE to ($ExtIF1) port $P_brows $TcpState $ExtIfSTO queue (E1_PBU, E1_PCO)
pass in  on $ExtIF1 inet proto tcp  from $N_ExtIF1 to ($ExtIF1) port $P_ssh $TcpState $ExtIfSTO queue (E1_SLO, E1_SBU)
pass in  on $ExtIF1 inet proto udp  from $N_ExtIF1 to ($ExtIF1) port $P_dns $UdpState $ExtIfSTO queue E1_DNS
pass in  on $ExtIF1 inet proto icmp from $N_ExtIF1 to ($ExtIF1) icmp-type 8 code 0 $UdpState $ExtIfSTO queue E1_ICM
pass in  on $ExtIF1 inet proto tcp  from ! $N_ExtIF1 to ($ExtIF1) $TcpState $ExtIfSTO queue (E1_BBU, E1_BCO)
pass in  on $ExtIF1 inet proto tcp  from ! $N_ExtIF1 to ($ExtIF1) port $P_brows $TcpState $ExtIfSTO queue (E1_GBU, E1_GCO)
pass in  on $ExtIF1 inet proto udp  from ! $N_ExtIF1 to ($ExtIF1) port $P_dns $UdpState $ExtIfSTO queue E1_DNS

pass out on $ExtIF1 inet proto tcp  from ($ExtIF1) to $N_ExtIF1 $TcpState $ExtIfSTO queue (E1_OBU, E1_OCO)
pass out on $ExtIF1 inet proto tcp  from ($ExtIF1) to $H_LOVE port $P_brows $TcpState $ExtIfSTO queue (E1_PBU, E1_PCO)
pass out on $ExtIF1 inet proto tcp  from ($ExtIF1) to $N_ExtIF1 port $P_ssh $TcpState $ExtIfSTO queue (E1_SLO, E1_SBU)
pass out on $ExtIF1 inet proto udp  from ($ExtIF1) to $N_ExtIF1 port $P_dns $UdpState $ExtIfSTO queue E1_DNS
pass out on $ExtIF1 inet proto icmp from ($ExtIF1) to $N_ExtIF1 icmp-type 8 code 0 $UdpState $ExtIfSTO queue E1_ICM
pass out on $ExtIF1 inet proto tcp  from ($ExtIF1) to !$N_ExtIF1 $TcpState $ExtIfSTO queue (E1_BBU, E1_BCO)
pass out on $ExtIF1 inet proto tcp  from ($ExtIF1) to !$N_ExtIF1 port $P_brows $TcpState $ExtIfSTO queue (E1_GBU, E1_GCO)
pass out on $ExtIF1 inet proto udp  from ($ExtIF1) to !$N_ExtIF1 port $P_dns $UdpState $ExtIfSTO queue E1_DNS

#
# still to optimize
#

 pass in on $IntIF1 queue I1_non
 pass in on $IntIF2 queue I2_non
 pass in on lo0

 pass out on lo0
 pass out on $IntIF1 queue I1_non
 pass out on $IntIF2 queue I2_non
## EOF ##
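With this many macros and queue names, the easiest mistake is a `$MACRO` that is never assigned or a queue named in a pass rule that no altq statement declares; pfctl will not load a ruleset with either, so nothing gets shaped. The checker below is an added example (not part of the post and not a pf tool); the embedded pf.conf fragment is constructed and contains one undefined macro and three undeclared queues.

```python
"""Lint a pf.conf for undefined $MACROs and undeclared ALTQ queue names."""
import re
import sys

# Constructed sample with the same shape as the posted config: $IntIF3 is never defined, and
# I2_non, I2_VPN and I3_non are assigned in rules but never declared by an altq statement.
SAMPLE_PF_CONF = """\
IntIF1 = "ed1"    # this is the real connection to all 192.168.4.x
IntIF2 = "ed2"
altq on $IntIF1 bandwidth 10Mb hfsc queue {I1_VPN, I1_non, I1_def}
 queue I1_VPN bandwidth 80% priority 9 hfsc( linkshare 80% )
 queue I1_non bandwidth 19% priority 5 hfsc( linkshare 18% )
 queue I1_def bandwidth  1% priority 1 hfsc(realtime 1% default)
pass in  on $IntIF1 queue I1_non
pass in  on $IntIF3 queue I3_non
pass out on $IntIF2 proto tcp to any port 80 keep state queue (I2_non, I2_VPN)
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=')                 # NAME = "..."
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')                    # $NAME, $NAME:network, ($NAME)
QUEUE_DEF = re.compile(r'^queue\s+(\w+)')                      # queue NAME bandwidth ...
QUEUE_KIDS = re.compile(r'\{([^}]*)\}')                        # {child, child} on altq/queue lines
QUEUE_USE = re.compile(r'\bqueue\s+(?:\(([^)]*)\)|(\w+))')     # queue X  or  queue (X, Y)

def lint_pf_conf(text):
    """Return (undefined_macros, undeclared_queues), each a sorted list of names."""
    macros, queues, macro_refs, queue_refs = set(), set(), set(), set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()                   # drop comments and indentation
        if not line:
            continue
        if m := MACRO_DEF.match(line):
            macros.add(m.group(1))
        macro_refs.update(MACRO_REF.findall(line))
        if line.startswith(('altq', 'queue')):                # queue declarations
            if m := QUEUE_DEF.match(line):
                queues.add(m.group(1))
            for kids in QUEUE_KIDS.findall(line):
                queues.update(k.strip() for k in kids.split(',') if k.strip())
        elif line.startswith(('pass', 'block')):              # queue assignments in filter rules
            for group, single in QUEUE_USE.findall(line):
                names = group.split(',') if group else [single]
                queue_refs.update(n.strip() for n in names if n.strip())
    return sorted(macro_refs - macros), sorted(queue_refs - queues)

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PF_CONF
    bad_macros, bad_queues = lint_pf_conf(text)
    print('undefined macros:', bad_macros, '\nundeclared queues:', bad_queues)
    sys.exit(1 if bad_macros or bad_queues else 0)
```

Run it with the path of a real pf.conf as the only argument; without an argument it checks the embedded sample.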

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
