I write this mail because I want to ask a few questions about pf and queuing. Sorry, my English grammar is bad. English is a foreign language for me; I usually speak Romanian and Hungarian.

I have a small computer network at home. This network has a gateway (OpenBSD 3.8).

The scenario:

1) My gateway has two network cards (rl0 and fxp0).
   rl0 - connected to Internet (82.79.81.6)
   fxp0 - connected to Ethernet switch (192.168.10.1)
2) This gateway shares the Internet connection with all computers in the local network (192.168.10.0/24).
3) The maximum Internet speed is 24kb/sec. Maximum Internet speed means: the download speed in Firefox is 24kb/sec when I get a file from the Internet. I think it is not a very fast connection, but my ISP doesn't give more speed now :(

4) I have 5 users in the network. I need to apply queue rules for 3 users (bob, mike, peter).

- I want to reserve for bob and mike 8Kb/sec download bandwidth. I want to allow bob and mike to use more than 8Kb/sec when it's available.
- I want to reserve for peter 4Kb/sec download bandwidth. I want to allow peter to use more than 4Kb/sec when it's available.

- SSH and instant message traffic need to have a higher priority than regular traffic.
- DNS queries and replies need to have the second highest priority.
- Outgoing TCP ACK packets need to have a higher priority than all other outgoing traffic.

This is my /etc/pf.conf now:

# macros
ext_if = "rl0"
int_if = "fxp0"
int_net = "192.168.10.0/24"
irc_ports = "{ 6667, 6668, 6669, 7000 }"
irc_allow = "{ 192.168.10.2, 192.168.10.3 }"
ssh_ports = "{ 22 2022 }"
im_ports = "{ 1863 5190 5222 }"

bob = "192.168.10.4"
mike = "192.168.10.5"
peter = "192.168.10.6"

# tables
table <deny> persist file "/etc/pf.deny"

# scrub
scrub in all no-df
scrub out all no-df

# queuing on external interface
altq on $ext_if priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
      tcp_ack_out }

queue std_out          priq(default)
queue ssh_im_out    priority 4 priq(red)
queue dns_out         priority 5
queue tcp_ack_out  priority 6

# queuing on internal interface
altq on $int_if cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }

queue std_in           bandwidth 1.6Mb cbq(default)
queue ssh_im_in     bandwidth 200Kb priority 4
queue dns_in          bandwidth 120Kb priority 5
queue bob_in       bandwidth 80Kb cbq(borrow)

# nat
nat on $ext_if from $int_net to any -> $ext_if

# filter rules for external interface inbound
block in on $ext_if all

# filter rules for external interface outbound
block out on $ext_if all

pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
   keep state queue(std_out, tcp_ack_out)
pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
   keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports \
   flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports \
   flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for internal interface inbound
block in on $int_if all
pass in on $int_if from $int_net

# filter rules for internal interface outbound
block out on $int_if all

pass out on $int_if from any to $int_net
pass out on $int_if proto { tcp udp } from any port domain to $int_net \
   queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to $int_net \
   queue(std_in, ssh_im_in)
pass out on $int_if proto tcp from any port $im_ports to $int_net \
   queue ssh_im_in
pass out on $int_if from any to $bob queue bob_in

# block irc
block in on $int_if proto tcp from $int_net to any port $irc_ports
pass in on $int_if proto tcp from $irc_allow to any port $irc_ports

# block icmp
block in on $ext_if inet proto icmp all icmp-type echoreq

My problems are:

- I don't know if the queue bandwidth value on the external interface (610Kb) is good for my Internet connection (my 24kb/sec Internet connection).

altq on $ext_if priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
      tcp_ack_out }

- I don't know what lines I need to add to define the following rules:

- Reserve for bob and mike 8Kb/sec download bandwidth. Allow bob and mike to use more than 8Kb/sec when it's available.
- Reserve for peter 4Kb/sec download bandwidth. Allow peter to use more than 4Kb/sec when it's available.

If anyone wants to help me a bit, please write a reply.
Until March I don't have time to read much documentation; I have a lot of exams at university.

Thank you very much for any help!

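An added example (not the poster's configuration) of how the download reservations asked for above could be expressed with CBQ on the internal interface, where traffic heading to the LAN hosts leaves the gateway. It assumes the 24kb/sec seen in Firefox is 24 kilobytes/s, about 192 Kbit/s, since ALTQ's Kb unit is kilobits, and it reuses the macro names from the posted pf.conf; the queue names mike_in and peter_in are new.

```pf
# Added example, not the poster's own configuration. Assumes the
# "24kb/sec" seen in Firefox is 24 kilobytes/s, i.e. about 192 Kbit/s
# of real download capacity (ALTQ's Kb means kilobits). Replace 192Kb
# with the measured download rate of the actual link.
ext_if    = "rl0"
int_if    = "fxp0"
int_net   = "192.168.10.0/24"
ssh_ports = "{ 22 2022 }"
im_ports  = "{ 1863 5190 5222 }"
bob       = "192.168.10.4"
mike      = "192.168.10.5"
peter     = "192.168.10.6"

# Downloads leave the gateway on $int_if, so per-host download shaping
# belongs on this interface. The root bandwidth must be the link's real
# download rate, not the LAN speed: with a 2Mb root the queues never
# fill on a 192Kb link and CBQ has nothing to share out.
altq on $int_if cbq bandwidth 192Kb queue { std_in, ssh_im_in, dns_in, \
      bob_in, mike_in, peter_in }

# Guaranteed shares: 8 KB/s = 64 Kbit/s, 4 KB/s = 32 Kbit/s.
# cbq(borrow) lets a queue take bandwidth the other queues are not
# using, so these figures are floors, not ceilings.
queue bob_in    bandwidth 64Kb cbq(borrow)
queue mike_in   bandwidth 64Kb cbq(borrow)
queue peter_in  bandwidth 32Kb cbq(borrow)

# The rest is shared by the two other users and the priority classes.
# Child bandwidths must not exceed the root; here they add up to it
# exactly: 64+64+32+16+8+8 = 192.
queue std_in    bandwidth 16Kb cbq(default borrow)
queue ssh_im_in bandwidth 8Kb  priority 6 cbq(borrow)
queue dns_in    bandwidth 8Kb  priority 5 cbq(borrow)

# Queue assignment. Without "quick", the last matching rule wins, so
# the per-host rules come first and the service rules override them.
pass out on $int_if from any to $int_net
pass out on $int_if from any to $bob   queue bob_in
pass out on $int_if from any to $mike  queue mike_in
pass out on $int_if from any to $peter queue peter_in
pass out on $int_if proto { tcp udp } from any port domain to $int_net \
   queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to $int_net \
   queue ssh_im_in
pass out on $int_if proto tcp from any port $im_ports to $int_net \
   queue ssh_im_in
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `pfctl -vvs queue` shows the per-queue packet and byte counters once it is loaded, which is the quickest way to see whether the reserved queues are actually being hit.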