On 2012-04-04, Peter Farmer <[email protected]> wrote:
> Hi All,
>
> I have the following OpenBSD multi-tenant firewall setup:
>
>                            |
> +-----+---------------+----+----+---------------+---+
> |     |   vlan10      |    |    |    vlan11     |   |
> |     | 195.188.200.a |--(em0)--| 195.188.201.a |   |
> |     | 195.188.200.b |         | 195.188.201.b |   |
> |     |   rdomain 1   |         |   rdomain 2   |   |
> |     +---------------+         +---------------+   |
> |                                                   |
> |     +---------------+         +---------------+   |
> |     |    vlan160    |         |    vlan161    |   |
> |     |  10.1.160.1   |--(em1)--|  10.1.160.1   |   |
> |     |  rdomain 160  |    |    |  rdomain 161  |   |
> +-----+---------------+----+----+---------------+---+
>                            |
>
> vlan10 and vlan11 represent the PUBLIC side of the firewall and each
> vlan has a separate rdomain. A customer could be assigned IP addresses
> from both vlan10 and vlan11. Traffic from vlans 160 and 161 is then
> natted out of vlan10 and vlan11 using pf rules (and vice-verse, with
> some tagging). vlan160 and vlan161 represent the customer side of the
> firewall, ip addresses on this side can only be rfc1918, but can be
> the same subnets in each vlan (hence separate rdomains). What I'd like
> to be able to do is queue traffic as it leaves the firewall, both
> north and south, but I'm unsure as to where to enable altq. Should I
> do:
>
> # "out" being out of em0
> altq on em0 cbq bandwidth 300Mb queue { INT_em0, queue1_out, queue2_out }
> queue INT_em0 bandwidth 100Mb cbq(default)
> queue queue1_out bandwidth 100Mb cbq(ecn)
> queue queue2_out bandwidth 100Mb cbq(ecn)
>
> # Using pass in to keep state for packets coming back out of vlan10
> pass in on vlan10 from any to 195.188.200.a queue queue1_out
> pass in on vlan10 from any to 195.188.200.b queue queue2_out
>
> # "in" being out of em1
> altq on em1 cbq bandwidth 300Mb queue { INT_em1, queue1_in, queue2_in }
> queue INT_em1 bandwidth 100Mb cbq(default)
> queue queue1_in bandwidth 100Mb cbq(ecn)
> queue queue2_in bandwidth 100Mb cbq(ecn)
>
> # Using pass in to keep state for packets coming back out of vlan160 or vlan161
> pass in on vlan160 from any to any queue queue1_in
> pass in on vlan160 from any to any queue queue2_in
>
>
>
> or should I do:
>
> altq on vlan10 cbq bandwidth 300Mb queue { INT_vlan10, queue1_out, queue2_out }
> queue INT_vlan10 bandwidth 100Mb cbq(default)
> queue queue1_out bandwidth 100Mb cbq(ecn)
> queue queue2_out bandwidth 100Mb cbq(ecn)
>
> # Using pass in to keep state for packets coming back out of vlan10
> pass in on vlan10 from any to 195.188.200.a queue queue1_out
> pass in on vlan10 from any to 195.188.200.b queue queue2_out
>
> # "in" being out of vlan160
> altq on vlan160 cbq bandwidth 100Mb queue { INT_vlan160 }
> queue INT_vlan160 bandwidth 100Mb cbq(default)
>
> # Using pass in to keep state for packets coming back out of vlan160 or vlan161
> pass in on vlan160 from any to any queue queue1_in
> pass in on vlan160 from any to any queue queue2_in
>
>
> With altq statements for each vlan interface.
>
> Ideally I'd want to do altq on the vlan parent interface.
>
>
> Thanks,
>
> Peter
>
>

Not got time to consider everything here, but generally:

- where possible, queue on the physical interface rather than a
virtual one (vlan/pppoe/etc)

- you generally do not want separate queue names for inbound and
outbound, otherwise it is easy to get traffic in the wrong queues
depending on whether state was created from an incoming or an
outgoing connection. just use the same queue name on multiple
interfaces, e.g.

+-- -- -- -- --
| altq on em0 cbq bandwidth 300Mb queue { INT, queue1, queue2 }
| altq on em1 cbq bandwidth 300Mb queue { INT, queue1, queue2 }
| 
| queue INT bandwidth 100Mb cbq(default)
| queue queue1 bandwidth 100Mb cbq(ecn)
| queue queue2 bandwidth 100Mb cbq(ecn)
+-- -- -- -- --

if you require different parameters for each interface you can do
something like this:

+-- -- -- -- --
| altq on em0 cbq bandwidth 300Mb queue { INT, queue1, queue2 }
| altq on em1 cbq bandwidth 250Mb queue { INT, queue1, queue2 }
| 
| queue INT bandwidth 100Mb cbq(default)
| queue queue1 on em0 bandwidth 100Mb cbq(ecn)
| queue queue1 on em1 bandwidth 50Mb cbq(ecn)
| queue queue2 bandwidth 100Mb cbq(ecn)
+-- -- -- -- --

I find it more straightforward to decouple queue configuration
from filtering rules, so I use "match" to assign traffic to queues.
This allows things like "match to port 25 queue {slow}" or "match
from $somehost queue {somehost}" / "match to $somehost queue
{somehost}" at the top of the ruleset, and then a separate
set of pass/block rules which don't need to consider queueing.
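
One way to lay the ruleset out along those lines, as an added example that
is not from either message in this thread: the queues are defined once, on
the physical parents em0 and em1, with the same names on both; tenant
traffic is assigned to them by match rules at the top; and the pass/block
rules below never mention a queue. The tenant-to-address mapping (vlan160
NATed to 195.188.200.a, vlan161 to 195.188.200.b), the macro names and the
port list are assumptions; the .a/.b placeholders are kept from the post
and must be replaced with real addresses before pfctl will load the file;
the existing nat-to/rdr-to and rdomain rules are left out.

```pf
# Added example for the thread above, not the poster's nor the replier's
# ruleset.  Assumptions: tenant1 sits behind vlan160 and is NATed to
# 195.188.200.a, tenant2 behind vlan161 to 195.188.200.b; the existing
# nat-to/rdr-to and rdomain rules are omitted.  Replace the .a/.b
# placeholders with real addresses before loading.
ext_if = "em0"        # parent of vlan10 and vlan11 (public side)
int_if = "em1"        # parent of vlan160 and vlan161 (customer side)
t1_pub = "195.188.200.a"
t2_pub = "195.188.200.b"

# Queueing on the physical parents, not on the vlan(4) interfaces.
# The same queue names on both parents mean a state tagged "queue1" is
# put into queue1 whichever parent its packets leave by, no matter
# whether the state was created by an inbound or an outbound packet.
altq on $ext_if cbq bandwidth 300Mb queue { INT, queue1, queue2 }
altq on $int_if cbq bandwidth 300Mb queue { INT, queue1, queue2 }
queue INT    bandwidth 100Mb cbq(default)
queue queue1 bandwidth 100Mb cbq(ecn)
queue queue2 bandwidth 100Mb cbq(ecn)

# Queue assignment, kept apart from the filtering decision.  These sit
# before any nat-to/rdr-to match rule, so the public addresses are still
# the ones the packet arrived with.  Connections started from inside are
# classified by the customer-side vlan (the RFC1918 space overlaps, so
# the address alone cannot tell the tenants apart); connections started
# from the Internet are classified by the public address they target.
match in on vlan160 queue queue1
match in on vlan161 queue queue2
match in on { vlan10 vlan11 } to $t1_pub queue queue1
match in on { vlan10 vlan11 } to $t2_pub queue queue2

# ... existing nat-to / rdr-to / rdomain match rules go here ...

# Filtering: no queue keywords needed.  State is kept by default, so
# the queue chosen above follows the reply packets of each connection.
block log all
pass in  on { vlan160 vlan161 }
pass in  on { vlan10 vlan11 } proto tcp to { $t1_pub $t2_pub } port { 80 443 }
pass out on { vlan10 vlan11 vlan160 vlan161 }
```

Check it with `pfctl -nf /etc/pf.conf` before loading: pfctl rejects a filter
rule that names a queue which no queue definition declares (the second draft
in the post, for instance, references queue1_in and queue2_in while only
defining queue1_out, queue2_out and INT_vlan160). Once loaded, `pfctl -vsq`
(or `systat queues`) prints per-queue packet and byte counters for each
parent interface; pushing traffic from one customer vlan and watching which
counters move on em0 and em1 is the quickest way to confirm that both
directions of a state land in the intended queue. One caveat outside the
thread: this is the altq syntax of the OpenBSD releases current in 2012;
OpenBSD 5.5 introduced a replacement queueing system and 5.6 removed altq,
so on a current release the altq/cbq lines become `queue ... on em0
bandwidth ...` definitions while the match/pass layout stays the same.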
