Hello, i have another question regarding CBQ-based ALTQ queuing
I use the following pf.conf file for an internal network that passes through the
openbsd gateway box then goes its way to the external firewall -> then outside The
problem is that often packets are dropped, for ex. pingging google.com from an
internal network's hosts results in almost 40-50 % of the packets dropped... Do you
know anything that may be the cause of the problem (i.e pf timeout settings, queue
design errors, passing packets errors, kernel options, etc?)
pf.conf
-------------------------------------------------------------
# Macros: define common values, so they can be referenced and changed easily.
extif="fxp1" # replace with actual external interface name i.e., dc0
intif="fxp0" # replace with actual internal interface name i.e., dc1
internal_net="172.16.0.0/16"
external_addr="192.168.173.34"
loif="lo0"
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 50, tcp.closed 70 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 10000, frags 10000 }
set optimization normal
set block-policy drop
#set require-order yes
scrub in all
############ SHAPING goes here ###############################
altq on $intif cbq bandwidth 100Mb queue {etherdown, downstream,corsodown}
queue etherdown bandwidth 96% cbq(default)
queue downstream bandwidth 4% cbq
queue corsodown bandwidth 80Kb cbq(borrow)
altq on $extif cbq bandwidth 100Mb queue { etherup, upstream, corsoup}
queue etherup bandwidth 99Mb cbq(default)
queue upstream bandwidth 386Kb cbq
queue corsoup bandwidth 10Kb cbq(borrow)
block in quick on $intif proto tcp from any to any port {1608,1214, 6346,6699,6347,
6701, 6700, 4661, 4662, 4663, 4665, 4329
}
block in quick on $intif proto udp from any to any port {1214, 6346, 6699, 6347, 6701,
6700, 4661, 4662, 4663, 4665, 4329}
pass in quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherdown
pass out quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherup
pass in quick on $intif from any to 172.16.13.95 queue corsodown
pass in on $intif proto tcp from any port 80 to 172.16.0.0/16 keep state queue
downstream
pass in on $intif proto tcp from any port 53 to 172.16.0.0/16 keep state queue
downstream
pass in on $intif proto tcp from any port 8080 to 172.16.0.0/16 keep state queue
downstream
pass in on $intif proto tcp from any port 5190 to 172.16.0.0/16 queue downstream
pass in on $intif proto tcp from any port 443 to 172.16.0.0/16 queue downstream
pass in on $intif proto tcp from any port 4000 to 172.16.0.0/16 queue downstream
pass in on $intif proto tcp from any port 25 to 172.16.0.0/16 queue downstream
pass in on $intif proto icmp from any to 172.16.0.0/16 queue downstream
pass in on $intif proto udp from any port 80 to 172.16.0.0/16 queue downstream
pass in on $intif proto udp from any port 53 to 172.16.0.0/16 queue downstream
### manage upstream here
pass out quick on $extif from 172.16.0.0/16 to 172.17.0.0/16 queue etherup
pass out quick on $extif from 172.16.0.0/16 to 172.20.0.0/16 queue etherup
pass out quick on $extif from 172.16.13.95 to any queue corsoup
pass out on $extif proto tcp from 172.16.0.0/16 to any port 80 keep state queue
upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 53 keep state queue
upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 8080 keep state queue
upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 443 queue upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 4000 queue upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 25 queue upstream
pass out on $extif proto udp from 172.16.0.0/16 to any port 53 queue upstream
pass out on $extif proto udp from 172.16.0.0/16 to any port 80 queue upstream
pass out on $extif proto icmp from 172.16.0.0/16 to any queue upstream
