On Wednesday, Jun 25, 2003, at 02:21 US/Pacific, Ganbaa wrote:
I'm trying to do. I installed OpenBSD 3.3 and configured pf on our LAN.
The OpenBSD box has 2 network cards (internal and external). The purpose is
testing to limit bandwidth for each host on the LAN. The LAN has more than 30
hosts. I divided those hosts into several groups, e.g. developers,
marketing, servicing.
The problem is that all traffic is going only to the one default queue (std queue) on
the external interface. I attached the pf.conf file and debug message. So Could

The issue is the use of NAT on the external interface:
nat on $ext_if from $internal_net to any -> ($ext_if)
Translation happens before filtering, so by the time the packet gets to
pass out on $ext_if from { <developers> } to any keep state queue developers_ex
the source address has already been changed from <developers> to ($ext_if).
The setup already uses queues on the internal interface, so tagging for external queues can't happen there.
OpenBSD -current has a tagging feature that could be used here, if you want to try that (keeping up with -current is a bit of work though, and it's hard to justify in a production environment). It would look like:
pass in on $int_if from <developers> to any keep state queue developers_in tag developers
pass out on $ext_if all keep state tagged developers queue developers_ex
The only other workaround I can think of is broken in 3.3. It's also fixed in -current, but hasn't been kicked back to -stable yet. The idea is to use the source port range for decisions:
nat on $ext_if inet from <developers> to any -> ($ext_if) port 45001:50000
nat on $ext_if inet from <servicing> to any -> ($ext_if) port 50001:55000
...
pass out on $ext_if proto { tcp, udp } from any port 45000 >< 50001 to any queue developers_ex
Unfortunately it's useless for protocols other than TCP and UDP.
Anyone have suggestions I missed?
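A fuller pf.conf sketch of the tagging approach described in this reply, added here as an illustration; it is not the poster's attached pf.conf nor code from the thread. Interface names, addresses and bandwidths are assumed, and it also shows the rule ordering the approach needs, since pf applies the last matching rule.

```pf
# Assumed interfaces and LAN (placeholders, not from the thread)
ext_if = "fxp0"
int_if = "fxp1"
internal_net = "192.168.1.0/24"

# Constructed group membership; the real tables come from the poster's pf.conf
table <developers> { 192.168.1.10, 192.168.1.11 }
table <servicing>  { 192.168.1.20, 192.168.1.21 }

# Upload queues live on the external interface (assumed 2Mb uplink)
altq on $ext_if cbq bandwidth 2Mb queue { std_ex, developers_ex, servicing_ex }
queue std_ex        bandwidth 20% cbq(default)
queue developers_ex bandwidth 50% cbq(borrow)
queue servicing_ex  bandwidth 30%

# Download queues live on the internal interface (assumed 10Mb LAN)
altq on $int_if cbq bandwidth 10Mb queue { std_in, developers_in, servicing_in }
queue std_in        bandwidth 20% cbq(default)
queue developers_in bandwidth 50% cbq(borrow)
queue servicing_in  bandwidth 30%

# Translation runs before the pass out rules on $ext_if, so those rules
# never see the original <developers> source address.
nat on $ext_if from $internal_net to any -> ($ext_if)

block all

# Inbound on the LAN side the source address is still untranslated:
# pick the download queue and attach a tag that survives NAT.
# tag/tagged was -current at the time of the thread (released later).
pass in on $int_if from $internal_net to any keep state queue std_in
pass in on $int_if from <developers> to any keep state queue developers_in tag developers
pass in on $int_if from <servicing>  to any keep state queue servicing_in  tag servicing

# Outbound on the external side, match on the tag instead of the address.
# pf uses last-matching-rule semantics, so the catch-all comes first.
pass out on $ext_if all keep state queue std_ex
pass out on $ext_if all keep state tagged developers queue developers_ex
pass out on $ext_if all keep state tagged servicing  queue servicing_ex
```

After loading, `pfctl -vsq` shows per-queue packet counters, which is the quickest way to confirm traffic is no longer all landing in std_ex.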
