Hi,

For the past couple of days I've been trying to set up packet queueing on OpenBSD 3.4 but have been unsuccessful getting the queues to borrow excess bandwidth from other queues. I'd really appreciate it if someone could take a look and possibly give me some pointers as to what I'm doing wrong.
To illustrate the problem and to lessen the likelihood that I'm doing something terribly wrong, I decided to set up a small environment that resembles one of the examples outlined in the PF FAQ, because the same problem is evident here as well. (http://www.openbsd.org/faq/pf/queueing.html#example2)

    [ IT ]---[ SWITCH ]------fxp2 [ FIREWALL ] fxp0------ [ INTERNET ]
                 |                    fxp1
                 |                     |
                 |                     |
             [ BOSS ]               [ DMZ ]

Here's the corresponding pf.conf:

    ext_if   = "fxp0"
    dmz_if   = "fxp1"
    int_if   = "fxp2"
    it_net   = "192.168.0.2"
    int_nets = "192.168.0.0/24"
    dmz_net  = "192.168.1.0/24"
    boss     = "192.168.0.3"
    wwwserv  = "192.168.1.2"

    altq on $ext_if cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
    queue std_ext cbq(default)
    queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
      queue www_ext_http priority 3 cbq(red)
      queue www_ext_misc priority 1
    queue boss_ext priority 3

    altq on $int_if cbq bandwidth 100% queue { net_int, www_int }
    queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
      queue std_int cbq(default)
      queue it_int bandwidth 500Kb cbq(borrow)
      queue boss_int priority 3
    queue www_int cbq(red)

    altq on $dmz_if cbq bandwidth 100% queue { internal_dmz, net_dmz }
    queue internal_dmz
    queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
      queue net_dmz_http priority 3 cbq(red)
      queue net_dmz_misc priority 1 cbq(default)

    # default deny
    block on { $ext_if, $dmz_if, $int_if } all

    # filter rules for external interface inbound
    pass in on $ext_if proto tcp from any to $wwwserv port { 21, \
       > 49151 } flags S/SA keep state queue www_ext_misc
    pass in on $ext_if proto tcp from any to $wwwserv port 80 \
       flags S/SA keep state queue www_ext_http

    # filter rules for external interface outbound
    pass out on $ext_if from $int_nets to any keep state
    pass out on $ext_if from $boss to any keep state queue boss_ext

    # filter rules for internal interface inbound
    pass in on $int_if from $int_nets to any keep state
    pass in on $int_if from $it_net to any queue it_int keep state
    pass in on $int_if from $boss to any queue boss_int keep state
    pass in on $int_if proto tcp from $int_nets to $wwwserv port { 21, 80, \
       > 49151 } flags S/SA keep state queue www_int

    # filter rules for internal interface outbound
    pass out on $int_if from $int_if to $int_nets

    # filter rules for dmz interface inbound
    pass in on $dmz_if proto { tcp, udp } from $wwwserv to any port 53 \
       keep state

    # filter rules for dmz interface outbound
    pass out on $dmz_if proto tcp from any to $wwwserv port { 21, \
       > 49151 } flags S/SA keep state queue net_dmz_misc
    pass out on $dmz_if proto tcp from any to $wwwserv port 80 \
       flags S/SA keep state queue net_dmz_http
    pass out on $dmz_if proto tcp from $int_nets to $wwwserv port { 80, \
       21, > 49151 } flags S/SA keep state queue internal_dmz

The queue directives and filter rules were copied from the FAQ. I removed most of the comments for brevity's sake, replaced the interface names with macros and added a 'keep state' statement to the end of lines 48 and 49, but left the rest of the configuration intact.

According to the FAQ, the IT department's network should be able to utilize more than the reserved 500Kbps when downloading from the Internet, if extra bandwidth is available. However, when I test this in my environment the download rate never exceeds 500Kbps. From the 'pfctl -sq -vv' output I (perhaps incorrectly) understand that the it_int queue fills up but doesn't borrow bandwidth from the net_int (the parent) queue.
    queue root_fxp2 bandwidth 100Mb priority 0 cbq( wrr root ) {net_int, www_int}
      [ pkts: 4288  bytes: 6217280  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 41.7 packets/s, 492.74Kb/s ]
    queue net_int bandwidth 1Mb {std_int, it_int, boss_int}
      [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]
    queue std_int bandwidth 1Mb cbq( default )
      [ pkts: 1  bytes: 42  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]
    queue it_int bandwidth 500Kb cbq( borrow )
      [ pkts: 4287  bytes: 6217238  dropped pkts: 0 bytes: 0 ]
      [ qlength: 12/ 50  borrows: 2573  suspends: 820 ]
      [ measured: 41.7 packets/s, 492.74Kb/s ]
    queue boss_int bandwidth 1Mb priority 3
      [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]
    queue www_int bandwidth 100Mb cbq( red )
      [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]

Another thing I've noticed is that when the boss's computer and the IT dept download from the Internet simultaneously, the total bandwidth exceeds the 1 Mbps limit that has been imposed on the net_int queue.
    queue root_fxp2 bandwidth 100Mb priority 0 cbq( wrr root ) {net_int, www_int}
      [ pkts: 7527  bytes: 11205187  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 124.6 packets/s, 1.50Mb/s ]
    queue net_int bandwidth 1Mb {std_int, it_int, boss_int}
      [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]
    queue std_int bandwidth 1Mb cbq( default )
      [ pkts: 2  bytes: 102  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]
    queue it_int bandwidth 500Kb cbq( borrow )
      [ pkts: 2621  bytes: 3814188  dropped pkts: 0 bytes: 0 ]
      [ qlength: 13/ 50  borrows: 15  suspends: 1279 ]
      [ measured: 42.6 packets/s, 505.58Kb/s ]
    queue boss_int bandwidth 1Mb priority 3
      [ pkts: 4904  bytes: 7390897  dropped pkts: 0 bytes: 0 ]
      [ qlength: 11/ 50  borrows: 0  suspends: 1628 ]
      [ measured: 82.0 packets/s, 992.55Kb/s ]
    queue www_int bandwidth 100Mb cbq( red )
      [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
      [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
      [ measured: 0.0 packets/s, 0 b/s ]

I've tried to solve the problem on my own (read the pf.conf man page, the FAQ and numerous example configurations I found on the Internet) but have been unable to solve this problem thus far. Any clues, pointers, etc. are greatly appreciated.

Best regards,
--
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
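The listings above can be checked mechanically. What follows is an added example written for this page; it is not part of Egbert's post and not an OpenBSD tool. It is a Python script that parses a 'pfctl -sq -vv' CBQ listing (the first listing from the post, with its pkts/bytes lines dropped, is embedded as the sample input) and reports, for every parent queue, how the children's declared bandwidths compare with the parent's, and for every cbq(borrow) queue how much declared headroom its parent has once every sibling's share is counted, next to the borrow counter pfctl prints. Every function, class and field name is the example's own.

```python
"""Added example (not from the post or from PF): parse `pfctl -sq -vv` CBQ
output and compare the queue tree's declared bandwidths with each other."""
import re
from dataclasses import dataclass

UNITS = {"b": 1.0, "Kb": 1e3, "Mb": 1e6, "Gb": 1e9}
_RATE = re.compile(r"([\d.]+)\s*([KMG]?b)(?:/s)?")
_HEADER = re.compile(r"^queue (\S+) bandwidth (\S+)(?: priority (\d+))?"
                     r"(?: cbq\(\s*([^)]*?)\s*\))?(?: \{([^}]*)\})?\s*$")
_BORROWS = re.compile(r"borrows: (\d+)")
_MEASURED = re.compile(r"measured: [\d.]+ packets/s, ([\d.]+\s*[KMG]?b/s)")

# Sample input: the first listing from the post, pkts/bytes lines dropped.
SAMPLE = """\
queue root_fxp2 bandwidth 100Mb priority 0 cbq( wrr root ) {net_int, www_int}
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 41.7 packets/s, 492.74Kb/s ]
queue net_int bandwidth 1Mb {std_int, it_int, boss_int}
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue std_int bandwidth 1Mb cbq( default )
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue it_int bandwidth 500Kb cbq( borrow )
  [ qlength: 12/ 50 borrows: 2573 suspends: 820 ]
  [ measured: 41.7 packets/s, 492.74Kb/s ]
queue boss_int bandwidth 1Mb priority 3
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue www_int bandwidth 100Mb cbq( red )
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
"""


def parse_rate(text):
    """'500Kb', '1.50Mb/s' or '0 b/s' -> bits per second as a float."""
    m = _RATE.fullmatch(text.strip())
    if not m:
        raise ValueError("unparseable rate: %r" % text)
    return float(m.group(1)) * UNITS[m.group(2)]


@dataclass
class Queue:
    name: str
    bandwidth: float      # declared bits/s, as pfctl prints it
    priority: int         # None when pfctl prints no priority
    flags: list           # words inside cbq( ... ), e.g. ["borrow"]
    children: list
    parent: str = None
    borrows: int = 0      # the "borrows:" counter
    measured: float = 0.0 # bits/s from the "measured:" line


def parse_pfctl_queues(text):
    """Build {name: Queue} from a `pfctl -sq -vv` listing."""
    queues, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _HEADER.match(line)
        if m:
            name, bw, prio, flags, kids = m.groups()
            current = Queue(name, parse_rate(bw), int(prio) if prio else None,
                            flags.split() if flags else [],
                            [c.strip() for c in kids.split(",")] if kids else [])
            queues[name] = current
            continue
        if current is None:
            continue
        b = _BORROWS.search(line)
        if b:
            current.borrows = int(b.group(1))
        mm = _MEASURED.search(line)
        if mm:
            current.measured = parse_rate(mm.group(1))
    for q in queues.values():          # link each child back to its parent
        for child in q.children:
            if child in queues:
                queues[child].parent = q.name
    return queues


def oversubscribed(queues):
    """{parent: (sum of children's declared bw, parent's bw)} where sum > parent."""
    out = {}
    for q in queues.values():
        total = sum(queues[c].bandwidth for c in q.children if c in queues)
        if q.children and total > q.bandwidth:
            out[q.name] = (total, q.bandwidth)
    return out


def borrow_headroom(queues):
    """Per cbq(borrow) queue: parent bw minus all siblings' declared bw
    (negative: the siblings already claim more than the parent declares),
    plus the borrow counter and the measured rate."""
    out = {}
    for q in queues.values():
        if "borrow" not in q.flags or q.parent is None:
            continue
        parent = queues[q.parent]
        claimed = sum(queues[c].bandwidth for c in parent.children if c in queues)
        out[q.name] = {"parent": parent.name, "headroom_bps": parent.bandwidth - claimed,
                       "borrows": q.borrows, "measured_bps": q.measured}
    return out


if __name__ == "__main__":
    qs = parse_pfctl_queues(SAMPLE)
    for parent, (kids, own) in oversubscribed(qs).items():
        print("%s: children declare %.0f b/s, parent declares %.0f b/s" % (parent, kids, own))
    for name, r in borrow_headroom(qs).items():
        print("%s: headroom %.0f b/s, borrows %d, measured %.0f b/s"
              % (name, r["headroom_bps"], r["borrows"], r["measured_bps"]))
```

Run it with python3 and it prints the comparison for the embedded sample; to check a live box, replace SAMPLE with the saved output of 'pfctl -sq -vv'. One thing the script relies on is visible in the listings above: pfctl prints a queue that was defined without its own bandwidth line with its parent's figure (std_int and boss_int both show 1Mb under net_int, www_int shows 100Mb under the root), so the children of net_int are totalled at 1Mb + 500Kb + 1Mb against a parent declared at 1Mb, which is what the oversubscribed() output reports.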
