Use the same queue names for up & down and you can use the default "keep state".
On 2008-11-24, Matthew Sibson <[EMAIL PROTECTED]> wrote:
> Hi,
>
> We provide an "ADSL" service to our clients in our shared building at 1:20
> contention from our 10MB symmetric leased line. For some of our clients we
> also handle packet filtering, rather than leaving it open for their own
> router to cope with. My problem is that I cannot find a way to both have
> asymmetric bandwidth limits and provide filtering at the same time. We're
> using OpenBSD 4.4, here is a basic pf.conf that I have been using to test:
>
> ext = "vlan13"
> int = "vlan10"
>
>
> #Total Upload = 10Mbit (queue at 97%)
> altq on $ext bandwidth 9.7Mb hfsc queue { default_up, adsl_up }
>
> queue default_up bandwidth 9.4Mb hfsc(default)
>
> queue adsl_up bandwidth 256Kb hfsc(upperlimit 256Kb) { client1_up, client2_up }
> queue client1_up bandwidth 5% hfsc(realtime 5%)
> queue client2_up bandwidth 5% hfsc(realtime 5%)
>
> #Total Download = 10Mbit (queue at 97%)
> altq on $int bandwidth 9.7Mb hfsc queue { default_down, adsl_down }
>
> queue default_down bandwidth 7.7Mb hfsc(default)
>
> queue adsl_down bandwidth 2Mb hfsc(upperlimit 2Mb) { client1_down, client2_down }
> queue client1_down bandwidth 5% hfsc(realtime 5%)
> queue client2_down bandwidth 5% hfsc(realtime 5%)
>
> pass out on $ext from $client_router to any no state queue (client1_up)
> pass out on $int from any to $client_router no state queue (client1_down)
>
> I've replaced the test IP with $client_router which would be the IP for the
> router at the client end. VLAN13 is our connection to the leased line end
> equipment, VLAN10 is our connection out to the client.
>
> I've added "no state" to turn off the default addition of "flags S/SA keep
> state". As I understand it, if I did have "keep state" on either or both of
> these rules, a connection initiated from the internet to the client would be
> limited at 2Mbit in both directions and a connection initiated from the
> client to outside would be limited at 256Kbit as appropriate. A state is
> tagged with the queue of the rule that created that state and future packets
> bypass the filter altogether; if this is not correct or 100% accurate please
> let me know, this might be where I'm going wrong!
>
> If there were no bandwidth limits involved, I'd do the following:
>
> pass out on $ext from $client_router to any
> pass out on $int from <table-of-ips> to $client_router
>
> Obviously, assume there are appropriate blocking rules preventing contact to
> and from the $client_router without these rules, and we're also using
> OpenBSD 4.4 which adds "flags S/SA keep state" by default. Replies as a
> result of outgoing connections would be caught by state, and new connections
> incoming only from the tabled IPs would be allowed back to the router.
>
> There also seem to be problems even in the basic configuration without
> trying to firewall connections. I can get upload limited to 256Kb but
> download will shoot up to 8Mb for example, but that's another post! There
> have been a few posts on the mailing list re: queueing, some just this last
> week, but I shall post again on this issue once I have reviewed those posts.
> I mention it only as a symptom that I might be doing something wrong
> elsewhere...
>
> If anyone has any insight on how I could get around this that'd be great. I
> know in Linux IPTables the existing/related states have to be handled in the
> firewall rules and I could easily check the IPs involved. If there is some
> way to feed back through the filter this way in PF that'd work, but the PF
> FAQ seems to point out that once there is state no rule processing occurs.
>
> Thanks for all help received!
>
> Matthew Sibson
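The following pf.conf fragment is an added example of the approach the reply suggests; it is not from either poster. It reuses the interface names, bandwidths and the $client_router macro from the quoted message, but the client address and the <allowed_in> table contents are placeholders. The point it shows: pfctl gives queues that share a name on different interfaces the same queue id, and a state carries that id, so one stateful rule places the outbound data into client1 under adsl_up on vlan13 and the replies into client1 under adsl_down on vlan10, while the default "flags S/SA keep state" still does the filtering.

```pf
# Added example, not from the original thread.
# Interfaces and bandwidths follow the quoted message; addresses are placeholders.
ext = "vlan13"
int = "vlan10"
client_router = "192.0.2.10"                  # placeholder (TEST-NET-1)
table <allowed_in> { 198.51.100.0/24 }        # placeholder: IPs allowed to reach the client

# Upload side (leaves on $ext): per-client queues are named client1/client2 ...
altq on $ext bandwidth 9.7Mb hfsc queue { default_up, adsl_up }
queue default_up bandwidth 9.4Mb hfsc(default)
queue adsl_up bandwidth 256Kb hfsc(upperlimit 256Kb) { client1, client2 }
queue client1 bandwidth 5% hfsc(realtime 5%)
queue client2 bandwidth 5% hfsc(realtime 5%)

# ... and the download side (leaves on $int) uses exactly the same names,
# so the same state can address a 256Kb-capped queue on one interface and a
# 2Mb-capped queue on the other.
altq on $int bandwidth 9.7Mb hfsc queue { default_down, adsl_down }
queue default_down bandwidth 7.7Mb hfsc(default)
queue adsl_down bandwidth 2Mb hfsc(upperlimit 2Mb) { client1, client2 }
queue client1 bandwidth 5% hfsc(realtime 5%)
queue client2 bandwidth 5% hfsc(realtime 5%)

# Stateful rules: OpenBSD 4.4 adds "flags S/SA keep state" by itself.
# Client-initiated traffic: data out on vlan13 -> client1 under adsl_up,
# replies out on vlan10 -> client1 under adsl_down.
pass out on $ext from $client_router to any queue client1

# Internet-initiated traffic is only accepted from the whitelisted table;
# the reply packets going back out on vlan13 land in client1 under adsl_up.
pass out on $int from <allowed_in> to $client_router queue client1
```

With this layout the "no state" rules from the original message are unnecessary, and the filtering decision is made once, when the state is created, rather than on every packet. After loading, `pfctl -s queue -v` shows both client1 queues with their own parent caps, and `pfctl -s state` shows each connection's queue assignment, which is the quickest way to confirm that replies are being charged to the intended direction.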