On Tue, Nov 03, 2009 at 10:44:08PM +0000, Stuart Henderson wrote:
> On 2009-11-03, Alexander Shikoff <[email protected]> wrote:
> > Because I need queuing for outgoing traffic on vlan* interfaces.
> > When keep state is used then queues for outgoing traffic do not work.
> 
> this (and variations) keep coming up (and has been answered 3 or 4
> times in various mailing lists), but it's incorrect.
> 
> you can do this with stateful rules, you just need to do the queue
> assignments in the right place/s to make sure that traffic gets
> queued correctly.
> 
> - when you keep state, the state entry has a queue name associated
> with it. any packets matching that state will be assigned to
> the queue/s with that name on _any_ interface in the system.
> 
> - you can assign traffic on an interface other than the one holding
> the queue. assuming you want to queue the downstream traffic you have
> received on bge0 and want to forward to 1.2.3.4 on vlan1:
> 
> +--- --- -- -
> | altq on vlan1 [...] queue { onetwothreefour [...] }
> | queue onetwothreefour...
> | 
> | ##  incoming connections to 1.2.3.4 get queued:
> | pass in on bge0 to 1.2.3.4 queue { onetwothreefour }
> | 
> | ##  outbound connections from 1.2.3.4 create state with a queue,
> | ##  so _return traffic matching that state_ is queued:
> | pass in on vlan1 from 1.2.3.4 queue { onetwothreefour }
> +--- --- -- -
> 
> - if you're queuing both upstream and downstream, note that
> queues on different interfaces can have the same name:
> 
> +--- --- -- -
> | altq on vlan1 [...] queue { onetwothreefour [...] }
> | altq on bge0 [...] queue { onetwothreefour [...] }
> | queue onetwothreefour...
> | pass in on vlan1 from 1.2.3.4 queue { onetwothreefour }
> | pass in on bge0 to 1.2.3.4 queue { onetwothreefour }
> +--- --- -- -

Thank you Stuart! I came to OpenBSD from FreeBSD, which does not support
altq on vlan interfaces, and it was great news for me to learn that
OpenBSD does.

I'm wondering how to apply your solution to a configuration
with NAT enabled. Let's assume that vlan1 is the LAN interface,
and NAT is enabled on bge0. A user in the LAN initiates a connection.
The rule
- pass in on vlan1 from 10.0.0.10 queue { onetwothreefour }
creates a state and assigns outgoing packets to the queue 'onetwothreefour'.
Traffic flowing back to this user will also be assigned to the same queue.
This works well as long as you do not need different queues for incoming
and outgoing traffic (remembering that we have NAT and all connections
are initiated from the LAN).

- pass in  on vlan1 from 10.0.0.10 queue { from_onetwothreefour }
- pass out on vlan1 to   10.0.0.10 queue { to_onetwothreefour }
the second rule will not work, because the first one created the state.
Am I right?
Thanks in advance!

-- 
MINO-RIPE
