----- Original Message ----

> From: Hermes Ojeda Ruiz <[email protected]>
> To: [email protected]
> Sent: Tue, September 7, 2010 12:09:03 PM
> Subject: Re: Distribute bandwidth by IP's
> 
> Sorry if my explanation doesn't have enough details.
> 
> - The internet connection is an E1
> - There are ~150 users (IPs)
> - The company gives full internet access to the clients, with no service 
> restriction.
> - There is only a C class LAN.
> 
> E1 --- OpenBSD Firewall --- LAN with ~150 IPs
> 
> The problem is to distribute the bandwidth equally to the users. My 
> first approach is a CBQ rule per user giving a minimum bandwidth quota 
> and using the "borrow" option, to use the remaining bandwidth when some 
> users don't use their bandwidth. But the number of rules is so big.
> 
> I hope that my explanation can be useful.
> 
> On 07/09/10 13:43, Johan Beisser wrote:
> > On Tue, Sep 7, 2010 at 11:15 AM, Hermes Ojeda Ruiz <[email protected]> wrote:
> >
> >> Hi, Maybe this is a basic question, but I've read the man pages and the PF
> >> book and I don't know how to solve this problem.
> >>
> >> - I have an E1 and the problem is how to distribute the bandwidth equally on
> >> all the IPs. There are some constraints, like using DHCP and not blocking ports.
> >>
> > What exactly are you trying to accomplish? Please explain a little
> > more, in detail.
> >
> >> I have some simple firewalls with prioritization, but I don't know how
> >> I should do that. Maybe with CBQ, but there are a lot of rules.
> >>
> > If you're trying to set up a fair service, remember that PF simply
> > processes the packets as they come in. So turn off queues, or define
> > what you're trying to accomplish first.
> >
> > If you're trying to ensure some kinds of traffic can always leave
> > "fairly" take a look at using HFSC queuing, then define the queues
> > based on ports and use packet tagging to define what matches each
> > queue.
> >
> > http://cvs.openbsd.org/faq/pf/tagging.html
> >
> >
> >  jb
> 
>

Why are you trying to do this?  It seems overly complex to set up a queue for 
each IP on the network just to allow them to borrow bandwidth from each other, 
which they would be doing anyway.

It would seem more manageable to either segment the network (DMZ, IT Staff, 
Users) such that you can assign a segment to respective queues or, in a 
different method, to queue based on traffic type (http/ftp/ssh, etc.).  Filtering 
rules would also be incredibly more simplified.

 ---
James A. Peltier     [email protected]
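
For reference, an added example (not from any poster in this thread): a small sh function that generates the per-IP CBQ layout discussed above, in the ALTQ syntax PF used at the time of this thread, so the ~150 queues and rules do not have to be written by hand. The interface name `em1`, the `192.168.1` prefix, the host range, the `q_default`/`u_N` queue names and the choice to shape on the LAN-facing interface are all assumptions.

```shell
#!/bin/sh
# gen_pf_queues IF TOTAL_KB NET_PREFIX FIRST_HOST LAST_HOST
# Prints ALTQ/CBQ queue definitions and matching pass rules on stdout:
# one child queue per host with an equal guaranteed share and cbq(borrow),
# so idle shares can be used by active hosts. Whatever is left after the
# integer division (at least 1 Kb) goes to the mandatory default queue.
gen_pf_queues() {
    gq_if=$1; gq_total=$2; gq_prefix=$3; gq_first=$4; gq_last=$5
    gq_users=$((gq_last - gq_first + 1))
    if [ "$gq_users" -lt 1 ]; then
        echo "gen_pf_queues: empty host range" >&2
        return 1
    fi
    # Hold back 1 Kb so the default queue never ends up with zero bandwidth.
    gq_share=$(( (gq_total - 1) / gq_users ))
    if [ "$gq_share" -lt 1 ]; then
        echo "gen_pf_queues: ${gq_total}Kb is too small for $gq_users hosts" >&2
        return 1
    fi
    gq_spare=$((gq_total - gq_share * gq_users))

    # Parent queue line must list every child queue by name.
    gq_names="q_default"
    gq_i=$gq_first
    while [ "$gq_i" -le "$gq_last" ]; do
        gq_names="$gq_names, u_$gq_i"
        gq_i=$((gq_i + 1))
    done
    echo "altq on $gq_if cbq bandwidth ${gq_total}Kb queue { $gq_names }"
    echo "queue q_default bandwidth ${gq_spare}Kb cbq(default)"

    # Queue definitions come before filter rules in pf.conf.
    gq_i=$gq_first
    while [ "$gq_i" -le "$gq_last" ]; do
        echo "queue u_$gq_i bandwidth ${gq_share}Kb cbq(borrow)"
        gq_i=$((gq_i + 1))
    done
    # Traffic leaving the LAN-facing interface towards each host (download).
    gq_i=$gq_first
    while [ "$gq_i" -le "$gq_last" ]; do
        echo "pass out on $gq_if to $gq_prefix.$gq_i queue u_$gq_i"
        gq_i=$((gq_i + 1))
    done
}
# Constructed sample call for an E1 (2048 Kb) and 150 hosts:
#   gen_pf_queues em1 2048 192.168.1 2 151 > queues.conf
```

The generated file can be syntax-checked with `pfctl -nf` before it is loaded.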
