2008/5/17 Jesus Sanchez <[EMAIL PROTECTED]>:
> Lord Sporkton wrote:
>>
>> 2008/5/17 Jesus Sanchez <[EMAIL PROTECTED]>:
>>
>>>
>>> Hi, I'm using OpenBSD 4.2
>>>
>>> Here my network to explain later:
>>>
>>> [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]
>>>
>>> I have a little problem when trying to set up an altq bandwidth shape with
>>> pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
>>> bandwidth, and also I have set some local servers on my OpenBSD to
>>> give some services to Joe, but I also want to give it at the 100Kbs
>>> speed mentioned before, even being local network (up to 100Mbs).
>>>
>>> The thing is that I have set the PF rules as the manpages say, and
>>> everything works as expected when Joe goes out of my box to the internet,
>>> the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
>>> from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
>>> takes a file from my box, or my box from Joe, the speed is very very
>>> much higher.
>>>
>>> I have tried several things but I haven't found the key to this. One thing:
>>> the speed factor when Joe connects to my OpenBSD is always 40x relative
>>> to the bandwidth value I give to the altq.
>>>
>>>
>>> my pf.conf (very simple, very unsafe, just to try this)
>>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>
>>> ext_if="rl0"
>>> int_if="sk0"
>>>
>>> scrub in all
>>>
>>> altq on $int_if cbq bandwidth 100Kb queue main
>>> queue main bandwidth 100% cbq(default)
>>>
>>> nat on $ext_if from $int_if:network -> $ext_if
>>>
>>> block all
>>> pass queue main
>>>
>>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>
>>> Thanks for your time
>>> -Jesus
>>>
>>>
>>>
>>
>>
>> If Joe is accessing things on his local LAN, that is, in his subnet,
>> you will not be able to police this traffic as it never even hits the
>> gateway (altq OpenBSD box), so the only limit will be the layer 2
>> hardware (your switch(es)). Might I suggest putting your servers on a
>> DMZ as a solution, then Joe will be forced through the gateway for any
>> server access. If your layer 2 hardware is high end enough you may be
>> able to do bandwidth control in the layer 2 hardware itself.
>>
>> As a side note, I don't believe OpenBSD can do altq on anything other
>> than a physical interface, so if you put the servers on a DMZ, make
>> sure to use a physical interface, not a VLAN.
>>
>>
>
> I don't want to disturb, but I think you're not right. I want to shape
> the bandwidth of the full interface. I know that if Joe is on a LAN with
> another PC, the speed limit is the hardware limit, but I just want to
> limit one of the interfaces on my OpenBSD box to a certain number of Kbs
> (100Kbs), so PF already made changes, but I saw this weird behaviour and
> want to make the 100Kbs limit universal to all the interface transfers.
>
> If Joe wants a file from the OpenBSD gateway running a limit of 100Kbs
> (pf+altq), even to get a file from the gateway box by FTP, the 100Kbs
> limit should apply, or not? Please, I'm really a noob with this and I
> don't want to bother anyone with my words, I just talk about what I
> think, if I'm wrong, please let me know.
>
> Note: a DMZ is not possible for this project, I only have the same
> PC to use as OpenBSD and FTP server for the "joe" users.
>
> Thanks for your time.
> -Jesus
>
>

You would need to run the queue outbound on the int_if, which is what
it looks like you're doing. So in theory, your setup is right; as long
as whatever you're downloading from is on the other side of that int_if
you should only see 100Kbs down to that whole int_if.

If you are getting more than 100Kbs take a look at "pfctl -vvs queue"



-- 
-Lawrence
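
As an added example (not part of the original thread): a shell/awk filter that compares each queue's measured rate in `pfctl -vvs queue` style output against its configured bandwidth. The sample text is constructed, its layout is an assumption about what pfctl prints, and the `ftp_out` queue and the 10% slack default are hypothetical.

```sh
#!/bin/sh
# Added example: flag ALTQ queues whose measured rate exceeds the configured
# bandwidth, reading "pfctl -vvs queue" style text on stdin.

# Constructed sample (not captured from a real system). "main" and sk0 come
# from the pf.conf in the thread; "ftp_out" is a hypothetical second queue.
sample_output() {
cat <<'EOF'
queue main on sk0 bandwidth 100Kb cbq( default )
  [ pkts:       5120  bytes:    7340032  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   340.0 packets/s, 4.00Mb/s ]
queue ftp_out on sk0 bandwidth 100Kb cbq
  [ pkts:        300  bytes:     360000  dropped pkts:     12 bytes:  14400 ]
  [ qlength:  50/ 50  borrows:      0  suspends:     40 ]
  [ measured:     8.5 packets/s, 98.50Kb/s ]
EOF
}

# Usage: check_queues [slack]   (slack = tolerated overshoot, default 0.10)
# Prints one line per queue: name configured_bps measured_bps OVER|ok
check_queues() {
    awk -v slack="${1:-0.10}" '
    # Convert "100Kb", "4.00Mb" or "98.50Kb/s" to bits per second.
    function bps(s,    n, u) {
        sub(/\/s$/, "", s)
        n = s + 0                        # leading numeric part
        u = s; gsub(/[0-9.]/, "", u)     # unit suffix such as "Kb"
        if (u == "Kb") return n * 1000
        if (u == "Mb") return n * 1000000
        if (u == "Gb") return n * 1000000000
        return n
    }
    # Queue header line: remember the name and the configured bandwidth.
    $1 == "queue" {
        name = $2; conf = 0
        for (i = 3; i < NF; i++)
            if ($i == "bandwidth") conf = bps($(i + 1))
    }
    # Statistics line holding the measured rate for the current queue.
    $2 == "measured:" {
        rate = bps($(NF - 1))
        verdict = "ok"
        if (rate > conf * (1 + slack)) verdict = "OVER"
        printf "%s %.0f %.0f %s\n", name, conf, rate, verdict
    }'
}

sample_output | check_queues
```

On the gateway the same filter would take its input from `pfctl -vvs queue | check_queues` while a transfer is running.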
