Hi Stuart, thank you for your clear reply
On 2021-02-02 22:41:49, Stuart Henderson wrote:
> Whichever rule creates state for the packets that you want to send
> to a queue should have the queue assignment. The queue name is attached
> to the PF state; when the packet is transmitted outbound it will use
> the queue of that name on that interface.

Yup, that was it. Instead of doing

  match out on $i_lan all set queue q_lte_in_http set prio 0

I did it "the opposite" way

  match in on $i_lan all set queue q_lte_in_http set prio 0

Also in my real rules I've changed "from port $p_http" to "to port $p_http",
and it started to match queues as expected. Thank you!

I did read something along these lines on the openbsd forum, that queues
are tied to input state, but I was just trying to do "pass in $i_lan".
It never occurred to me to try doing 'set queue' in the 'in' part. I've read
about queueing in pf.conf(5) and nothing there hints at this either.

> You don't want queue names dealing with in/out/interface. Just the type
> of traffic / queue policy / whatever. For example "user1", "user2", ..
> or "http", "dns", .. or "high/med/low" or something.
> 
Yes, I am indeed queueing by service dns/ssh/games, but my firewall has
multiple WAN interfaces with different speeds so I also must specify this.
In the examples I wanted to keep things to the bare minimum so people do not
have to waste time thinking about what a mess I have in my pf.conf :D

> I find it easier to make the match rule setting the queue quite wide,
> then do anything more complex (IP/port restrictions etc) in pass/block
> rules.

> You should use some variant of "block" covering all traffic as your
> first rule ("block" / "block log" etc) so that packets are not allowed
> to pass unless they create state. This makes it easier to figure out
> the queues, and prevents state tracking getting messed up with TCP (the
> TCP state must be created from a SYN packet not an intermediate packet
> otherwise it doesn't know what the window-scaling value is, which will
> cause longer lasting or fast connections to get dropped incorrectly).

That's what I think too, I use pf in "block by default" mode and have rules
to block everything at the top. And I intend to queue packets by service port
or IP.

> > Is there any way to limit ingress on some ips/ports? I'd like to limit
> > greedy apps like youtube or netflix from taking all the bandwidth.
> 
> Good luck finding the relevant IPs for these ;) You might like to play
> with "burst" and see if you can do something that way. (e.g. standard
> bandwidth is slower, but allow a fast initial burst). But you'll probably
> need to do that with separate queues per IP and it gets to be a pain.

I found some sites with IP ranges for Netflix and YouTube; they are quite
broad, but it's better than a crippled network.


Thank you again for clarification and explaining this to me.

-- 
.-----------------.-------------------.---------------------.------------------.
| Michal Lyszczek | Embedded C, Linux |   Company Address   |  .-. open source |
| +48 727 564 419 | Software Engineer | Leszczynskiego 4/29 |  oo|  supporter  |
| https://bofc.pl `----.--------------: 50-078 Wroclaw, Pol | /`'\      &      |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:  813 349 58 78 |(\_;/) programer  |
`----------------------^--------------^---------------------^------------------'

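The rule layout the thread converges on (block by default, queues defined per interface under one name, and the queue set on the rule that creates state, i.e. on the "in" side of the LAN interface), as an added example pf.conf fragment. It is not the poster's real ruleset nor Stuart's: interface names, bandwidths, ports and the netblock are assumptions for illustration. It also goes slightly beyond the mail by defining the same queue names on both the LAN and the LTE side, so that a single state is shaped on whichever interface its packets leave.

```pf
# Added example, not the poster's real pf.conf.  Interface names, speeds
# and ports below are assumed for illustration.
i_lan  = "em0"
i_lte  = "ure0"
p_http = "{ 80 443 }"
lan_net = "192.0.2.0/24"      # assumed LAN netblock (documentation range)

# Queues live on an interface and only shape what is transmitted OUT of it.
# Downloads from the Internet leave the box on the LAN side, so the queues
# that limit them have to exist on $i_lan; uploads leave on $i_lte.
# Queue names are kept free of in/out/interface: the name stored in the
# state is looked up per interface, so "http" must exist on both sides.
queue root_lan on $i_lan bandwidth 20M
    queue http parent root_lan bandwidth 12M
    queue dns  parent root_lan bandwidth 1M
    queue std  parent root_lan bandwidth 7M default

queue root_lte on $i_lte bandwidth 5M
    queue http parent root_lte bandwidth 3M
    queue dns  parent root_lte bandwidth 500K
    queue std  parent root_lte bandwidth 1500K default

# Block by default: nothing passes without creating state, so every TCP
# state starts at the SYN (window scaling known) and every state carries
# the queue name chosen below.
block log all

# State for LAN-originated connections is created by the packet arriving
# IN on $i_lan, so the queue goes on the "in" side.  Note "to port", not
# "from port": the client connects TO the HTTP port.  Both the request
# (out on $i_lte) and the reply (out on $i_lan) then use the "http" queue
# of the interface they are transmitted on.
match in on $i_lan proto tcp from $lan_net to port $p_http set queue http
match in on $i_lan proto udp from $lan_net to port 53    set queue dns

# Keep the match rules wide; do the IP/port policy in pass/block rules.
pass in  on $i_lan from $lan_net
pass out on $i_lte nat-to ($i_lte)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then load and watch `pfctl -vvsq`: the packet and byte counters of the "http" queue on $i_lan should climb while a LAN client downloads, and the counters on $i_lte should climb for the upload direction. If everything still lands in the "std" queue, the state was created by a rule without `set queue`, which is exactly the mistake the thread describes.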