Hi Stuart, thank you for your clear reply.

On 2021-02-02 22:41:49, Stuart Henderson wrote:
> Whichever rule creates state for the packets that you want to send
> to a queue should have the queue assignment. The queue name is attached
> to the PF state; when the packet is transmitted outbound it will use
> the queue of that name on that interface.

Yup, that was it. Instead of doing

    match out on $i_lan all set queue q_lte_in_http set prio 0

I did it "the opposite" way:

    match in on $i_lan all set queue q_lte_in_http set prio 0

Also in my real rules I've changed "from port $p_http" to "to port $p_http",
and it started to match queues as expected. Thank you!

I did read something along these lines on the openbsd forum, that queues
are tied to input state, but I was just trying to do "pass in $i_lan". It
never occurred to me to try to do 'set queue' during the 'in' part. I've
read about queueing in pf.conf(5) and nothing there hints at this either.

> You don't want queue names dealing with in/out/interface. Just the type
> of traffic / queue policy / whatever. For example "user1", "user2", ..
> or "http", "dns", .. or "high/med/low" or something.
>

Yes, I am indeed queueing by service dns/ssh/games, but my firewall has
multiple WAN interfaces with different speeds so I also must specify this.
In the examples I wanted to keep things to the bare minimum so people do
not have to waste time thinking about what mess I have in my pf.conf :D

> I find it easier to make the match rule setting the queue quite wide,
> then do anything more complex (IP/port restrictions etc) in pass/block
> rules.
> You should use some variant of "block" covering all traffic as your
> first rule ("block" / "block log" etc) so that packets are not allowed
> to pass unless they create state. This makes it easier to figure out
> the queues, and prevents state tracking getting messed up with TCP (the
> TCP state must be created from a SYN packet not an intermediate packet
> otherwise it doesn't know what the window-scaling value is, which will
> cause longer lasting or fast connections to get dropped incorrectly).

That's what I think too, I use pf in "block by default" mode and have rules
to block everything at the top. And I intend to queue packets by service
port or IP.

> > Is there any way to limit ingress on some ips/ports? I'd like to limit
> > greedy apps like youtube or netflix from taking all the bandwidth.
>
> Good luck finding the relevant IPs for these ;) You might like to play
> with "burst" and see if you can do something that way. (e.g. standard
> bandwidth is slower, but allow a fast initial burst). But you'll probably
> need to do that with separate queues per IP and it gets to be a pain.

I found some sites with ip ranges for netflix and youtube, they are quite
broad, but it's better than a crippled network.

Thank you again for the clarification and for explaining this to me.

--
Michal Lyszczek | Embedded C, Linux Software Engineer | Bits of Code
+48 727 564 419 | https://bofc.pl | GPG FF1EBFE7E3A974B1
Company Address: Leszczynskiego 4/29, 50-078 Wroclaw, Pol | NIP: 813 349 58 78
open source supporter & programmer
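Putting the quoted advice together in one minimal pf.conf (added here as an illustration, not code from the thread; the interface names, ports, bandwidths and queue names are assumptions):

```pf
# Added example, not from the thread. Interface names, ports and
# bandwidths are assumptions; adjust them to your own setup.
i_lan  = "em1"            # LAN side, where client traffic arrives
i_lte  = "em0"            # LTE uplink, where the queues actually live
p_http = "{ 80 443 }"

# Queues are defined on the outbound interface. Names describe the type
# of traffic only (no in/out/interface in the name).
queue lte on $i_lte bandwidth 10M
    queue http parent lte bandwidth 5M
    queue dns  parent lte bandwidth 1M
    queue bulk parent lte bandwidth 4M default

# Block by default: nothing passes unless a rule below creates state,
# so TCP state is always created from the SYN.
block log all

# The queue is attached to the state, and the state is created when the
# first packet arrives *in* on the LAN interface, so assign the queue on
# an inbound match rule. A LAN client connecting to a web server sends
# "to port 80/443"; "from port 80/443" would only match the replies,
# which never create state, so that rule would never queue anything.
match in on $i_lan proto tcp to port $p_http set queue http set prio 0
match in on $i_lan proto udp to port 53      set queue dns  set prio 6

# Keep the match rules wide and do the actual filtering in pass rules.
# The queue name follows the state, so when the forwarded packet leaves
# on $i_lte it is placed in the queue of that name on that interface.
pass in  on $i_lan

# Traffic originated by the firewall itself; nothing assigns it a queue,
# so it lands in the "default" leaf (bulk).
pass out on $i_lte
```

pfctl -vs queue shows per-queue packet counters, so you can confirm that matched traffic actually lands in the expected queue rather than in the default one.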