Greetings list,

I am seeing some odd behavior and I'm not sure what the cause is. I'm using altq / pf on OpenBSD 3.4 to do transparent traffic shaping between my LAN and DSL connection. The same OpenBSD machine also does NAT for the few workstations that don't have public IPs.

For some reason, all traffic to and from NAT'd machines falls into the default inbound / outbound queues. Most of the rules use "any" as the source and destination, since my goal is to do shaping for various services equally through my network... so I don't see what difference it would make if the host in question has a private or public IP. Does it matter which interface I do NAT on? Currently I'm doing it on the internal one... I'm not really sure what to try next. Any ideas?

Thanks :)
-Andre

Here's my config (this is clearly a work in progress)

# set rates
# The two *_rate_* ceilings are applied to the parent queues (inet_out on
# sis0, inet_in on fxp0); the indented percentages are shares of that parent
# and are referenced by the child queue definitions further down.
inet_rate_out                   = "700Kb"
        bulk_rate_out           = "30%"
        default_rate_out        = "30%"
        web_rate_out            = "60%"
# NOTE(review): bulk + default + web = 120% of inet_out. CBQ requires the
# children's bandwidths to sum to no more than the parent's, so check that
# `pfctl -nf` actually accepts this before chasing queue-assignment problems.

inet_rate_in                    = "700Kb"
        bulk_rate_in            = "30%"
        default_rate_in         = "70%"

# keep it clean
# Normalise packets and reassemble fragments on both interfaces; scrub runs
# before translation and filtering, so every rule below sees whole packets.
scrub on sis0 all fragment reassemble
scrub on fxp0 all fragment reassemble

# my wan-facing interface. into the back of an sdsl bridge, 10 Mbit port
# The port is 10Mb but the DSL behind it is the real bottleneck, which is why
# inet_out is capped at $inet_rate_out; local_out carries no bandwidth spec.

altq on sis0 cbq bandwidth 10Mb queue { local_out, inet_out }

# use these queues to shape traffic headed for the internet
# inet_out      - Outbound Internet traffic (parent queue)
#       |              |
#       dns_out         - DNS queries.
#       tcp_ack_out     - TCP ACK packets with no data payload.
#       udp_out         - Primarily gaming traffic
#       icmp_out        - ICMP packets
#       giza_web_out    - higher priority queue for giza
#       core_web_out    - lower priority for core's http traffic
#       ssh_im_out      - SSH and IM packets
#       bulk_out        - bittorrent and ftp-data (missing from the diagram)
#       default_out     - default queue
# local_out     - A wire-speed queue for wan-side local traffic
# NOTE(review): the diagram shows giza_web_out/core_web_out directly under
# inet_out, but the definitions below hang them off web_out.

queue local_out priority 3 cbq
queue inet_out priority 5 bandwidth $inet_rate_out cbq \
{ ssh_im_out, dns_out, icmp_out, tcp_ack_out, udp_out, bulk_out, web_out, default_out }
queue tcp_ack_out priority 6 cbq
queue udp_out priority 6 cbq
queue dns_out priority 5 cbq
queue ssh_im_out priority 4 cbq
queue web_out priority 4 bandwidth $web_rate_out cbq { core_web_out, giza_web_out }
# NOTE(review): 80% + 80% = 160% of web_out. CBQ child bandwidths must fit
# within the parent, so pfctl is expected to refuse this; the priorities
# (6 vs 3) already give giza precedence, the shares just need to fit in 100%.
queue core_web_out priority 3 bandwidth 80% cbq(red borrow)
queue giza_web_out priority 6 bandwidth 80% cbq(red borrow)
queue icmp_out priority 3 cbq
# `default`: any packet not assigned a queue by the matching rule lands here.
queue default_out priority 2 bandwidth $default_rate_out cbq(default red borrow)
queue bulk_out priority 2 bandwidth $bulk_rate_out cbq(red)


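# my lan-facing interface. into a 10/100 Switch
# We can do crude traffic shaping here in the form of bandwidth limits.
# Because the point of congestion for incoming traffic is on the wan
# side of my DSL, priorities here seem to have little effect.

altq on fxp0 cbq bandwidth 100Mb queue { local_in, inet_in }

# inet_in      - Inbound Internet traffic (parent queue)
#       |              |
#       dns_in          - DNS queries.
#       tcp_ack_in      - TCP ACK packets with no data payload.
#       udp_in          - Primarily gaming traffic
#       icmp_in         - ICMP packets
#       ssh_im_in       - SSH and IM packets
#       bulk_in         - bittorrent (missing from the diagram)
#       default_in      - default queue
# local_in     - A wire-speed queue for LAN-side local traffic

queue local_in priority 2 cbq
queue inet_in priority 3 bandwidth $inet_rate_in cbq \
{ ssh_im_in, dns_in, icmp_in, bulk_in, tcp_ack_in, default_in, udp_in }
# Declares `cbq` explicitly like its siblings rather than relying on pfctl
# to inherit the scheduler from inet_in.
queue tcp_ack_in priority 6 cbq
queue dns_in priority 5 cbq
queue ssh_im_in priority 4 cbq
queue udp_in priority 4 cbq
queue icmp_in priority 3 cbq
# `default`: packets not assigned a queue by the matching rule land here.
queue default_in priority 3 bandwidth $default_rate_in cbq(default borrow)
queue bulk_in priority 2 bandwidth $bulk_rate_in cbq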


ssh_ports       = "{ 22 2022 }"
im_ports        = "{ 1863 5190 5222 9898 }"
# quake_ports is not referenced by any rule in this listing, and local_nets
# only appears in the commented-out local_out/local_in rules.
quake_ports     = "{ 27960 >< 27969 }"
local_nets      = "{ 216.231.49.0/24 10.0/8 }"

# nat!
# NOTE(review): `nat on <if>` rewrites packets as they leave <if>. fxp0 is the
# LAN side; the conventional placement is the WAN side (`nat on sis0 ...`).
# Per pf.conf(5) translation happens before filtering, so with NAT on sis0 the
# `pass out on sis0` rules would see the translated source. Worth trying first
# when chasing why NAT'd hosts end up in the default queues.
nat on fxp0 from 10.0.0.0/8 to any -> 216.231.49.13

# go away
table <spam> persist file "/etc/blocked_ips"
# No direction, so this matches in and out on sis0 — but only traffic *from*
# a listed address; nothing here stops LAN hosts talking *to* one.
# NOTE(review): this is the only block rule in the listing and pf passes by
# default: with no `pass in` rules and no `block all` baseline, everything not
# sourced from <spam> is accepted inbound on both interfaces.
block on sis0 from <spam> to any

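# filter rules for sis0 outbound
# these apply to traffic headed for the internet
#
# Every rule is `quick`, so the first match wins and ordering matters: the
# service-specific rules go first, the generic tcp rule at the bottom catches
# the rest (and is where anything unmatched gets its default_out queue).

#pass out quick on sis0 from $local_nets to $local_nets \
# label local_out queue local_out keep state
# DNS must come before the udp catch-all, otherwise every udp packet matches
# the catch-all first and dns_out is only ever reached by DNS over tcp.
# Note this matches on *source* port domain (a local server's replies, or a
# resolver that sends from port 53); queries from LAN clients carry port 53
# as the destination and fall through to the generic rules.
pass out quick on sis0 proto { tcp udp } from any port domain to any \
label dns_out queue dns_out keep state
# NOTE(review): the only `pass out` rule without `keep state`; replies to this
# udp traffic are not matched by state and rely on the inbound policy.
pass out quick on sis0 proto udp from any to any \
label udp_out queue udp_out
pass out quick on sis0 inet proto icmp from any to any \
label icmp_out queue icmp_out keep state
# ssh/IM are also matched by *source* port, i.e. a local server answering its
# clients. Sessions initiated from the LAN have the well-known port on the
# destination side and end up in the generic tcp rule; a `to any port
# $ssh_ports` counterpart (as the bittorrent rules do) would catch those.
pass out quick on sis0 proto { tcp udp } from any port $ssh_ports to any \
label ssh_out queue ssh_im_out keep state
pass out quick on sis0 proto tcp from any port $im_ports to any \
label im_out queue(ssh_im_out, tcp_ack_out) keep state
# bittorrent, both directions
pass out quick on sis0 proto tcp from any to any port 6879 >< 6890 \
label bt_out queue bulk_out keep state
pass out quick on sis0 proto tcp from any port 6879 >< 6890 to any \
label bt_out queue bulk_out keep state
# per-host http queues, both directions
pass out quick on sis0 proto tcp from 216.231.49.147 port 80 to any \
label core_web_out queue core_web_out keep state
pass out quick on sis0 proto tcp from any to 216.231.49.147 port 80 \
label core_web_out queue core_web_out keep state
pass out quick on sis0 proto tcp from 216.231.49.190 port 80 to any \
label giza_web_out queue giza_web_out keep state
pass out quick on sis0 proto tcp from any to 216.231.49.190 port 80 \
label giza_web_out queue giza_web_out keep state
# active-mode ftp data, both directions
pass out quick on sis0 proto tcp from any port 20 to any \
label ftp_out queue bulk_out keep state
pass out quick on sis0 proto tcp from any to any port 20 \
label ftp_out queue bulk_out keep state
# everything else: data to default_out, empty ACKs to tcp_ack_out
pass out quick on sis0 proto tcp from any to any \
label inet_out queue(default_out, tcp_ack_out) keep state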


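# filter rules for fxp0 outbound
# these apply to traffic headed into the LAN. All rules are `quick`, so the
# first match wins; unmatched tcp lands in the generic rule at the bottom.
#pass out quick on fxp0 from $local_nets to $local_nets \
#       label local_in queue local_in keep state
# DNS must come before the udp catch-all, otherwise every udp packet matches
# the catch-all first and dns_in only ever sees DNS over tcp.
pass out quick on fxp0 proto { tcp udp } from any port domain to any \
        label dns_in queue dns_in keep state
# NOTE(review): no `keep state` here, unlike every other rule in this section.
pass out quick on fxp0 proto udp from any to any \
        label udp_in queue udp_in
pass out quick on fxp0 proto icmp from any to any \
        label icmp_in queue icmp_in keep state
# Matched on *source* port: replies from remote ssh/IM servers to LAN clients.
pass out quick on fxp0 proto tcp from any port $ssh_ports to any \
        label ssh_in queue ssh_im_in keep state
pass out quick on fxp0 proto tcp from any port $im_ports to any \
        label im_in queue ssh_im_in keep state
# bittorrent, both directions
pass out quick on fxp0 proto tcp from any port 6879 >< 6890 to any \
        label bt_in queue bulk_in keep state
pass out quick on fxp0 proto tcp from any to any port 6879 >< 6890 \
        label bt_in queue bulk_in keep state
# everything else: data to default_in, empty ACKs to tcp_ack_in
pass out quick on fxp0 proto tcp from any to any \
        label inet_in queue(default_in, tcp_ack_in) keep state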


