Okay, I think I found some stuff on the Vonage site that gave me clues as to why I got the results in my testing. Please you pf gurus, can you give me feedback?
Below is the testing I did (from previous message for background), and I found that maybe I am not getting the pf function when I have the OpenBSD bridge behind the router? Seems the priority of the filtered traffic doesn't get carried through the router.
(Can someone give me the technical reason why this happens?)
If this is so, then maybe it really WILL work when I set up the OpenBSD box as replacement for the router, with these functions:
- router
- firewall
- DHCP server (for LAN)
- DHCP client on WAN side
- NAT
- pf
Egads, I didn't really want to do all that. Are there alternatives?
OK HERE IS THE BACKGROUND:
First the setup:
3 Computers on Ethernet LAN to Netgear RP614v2, Cable/DSL Gateway/Router/Switch (Firmware v. 5.13) and this attached to DSL modem.
Cisco ATA186 (Analog Telephone Adaptor) used with a service that connects telephones into ethernet (VOIP). Phone attaches to the ATA186 and this goes to ethernet (LAN) to the Netgear router. Service is through Vonage.
Here is the problem:
When using the phone or fax over the Cisco ATA186 it works fine UNTIL there is any other traffic from the computers. Not sure if the problem is with traffic on the LAN, but definitely when there is simultaneous traffic to or from the Internet to any of the computers, the voice in the phone on the Cisco ATA186 gets choppy or lost, and a fax can even get dropped.
Proposed solution for first trial:
Seemed that using an OpenBSD box with 2 NICs, I could configure pf as NAT router/firewall, and also give priority to the VOIP traffic (the Cisco box is using the DHCP server in the Netgear router but I can change it to a fixed IP address to aid filtering by pf). This way, I would be replacing the Netgear router, and fixing the problem with the choppy voice or dropped faxes. I may need a switch between the pf box and the computers, to handle the multiple ports. But to get a quick test I decided to keep it simple, and I configured the OpenBSD box as a bridge, with both interfaces lacking an IP address.
TEST SETUP IN LAB, PRIOR TO SETUP AT FRIEND'S SITE:
In my test lab, I was able to get what I thought was very good result using this setup:
C1 - obsd - SWITCH - C2
where C1 represents 2 hosts and one host was set to use static IP address and mimic the Vonage box (ATA186), and the other used DHCP (router with DHCP server was at the C2 side of the switch); obsd is the OpenBSD v 3.4 box set up as bridge; SWITCH is a Netgear FS108 (typical SOHO level 2 switch); and C2 is a couple hosts using DHCP.
I was using static IP address on the "vonage mimic" box since I thought I could set the actual ATA186 to use a static address (but see below for complication).
Now, in this test, I was able to initiate transfer of files of large size (18 MB) between hosts on C1 and C2 sides. In transfers going in both directions, I was able to see a quite marked difference in speed of transfer to favor my "vonage mimic" host. The quick summary is that when transfers were proceeding with pf disabled, each host would take about 6 minutes, plus or minus less than a minute. But with pf enabled, download or upload to/from the "vonage mimic" was done in about 5 minutes, with the transfer to/from the other host less than 10% complete.
Now, I took my OpenBSD box into my friend's site, and tried to set the ATA186 to use static address. Discovered that the voice interface functions were largely LOCKED (and the web interface was completely locked!) and googling revealed this is a feature from Vonage. We could unlock this for a fee (!)
So I just found out what the ATA186 IP address was, and set the pf.conf for this address, to do my test. I did not think that the difference in using DHCP versus a static IP would affect the pf functions; is this wrong?
Anyway, the simple test I did was to duplicate the problem before putting the OpenBSD box inline. I was able to start download of a huge file (some humongous Linux iso image ;-) on a host on his LAN then make an outbound call via the ATA186. The call would not go through (dial tones then silence). Stopping the download would let the call ring through.
Now I put the OpenBSD in line. Results were the same. UGH! Maybe I need to tweak something?
So at my friend's site, here is his usual config ( I described this in words above):
C1 - Router - DSL - Inet
where C1 are hosts on his LAN (including the ATA186); Router is the Netgear Router; DSL is the broadband modem; and this goes out to Internet.
Ok, now I brought a simple multiport switch and altered the C1 - Router part of the above config to be this:
C1 - SWITCH - obsd - Router -
and out to DSL modem as before. In this setup, there is just one host for the file transfers, and ATA186. Now, I have on the OpenBSD box these interfaces:
rl0 went to the Router
rl1 went to the switch
(these are both RTL8139-type NICs)
Now here is my pf.conf, please is there something I could change to make this work better?
I think the only other data that may help is that my friend says his DSL link is supposed to be 144 up, and 288 down, but in using some Internet sites that are supposed to measure speed, these show downloads of only about a tenth of the nominal value!
This may be relevant, since in my test lab, I was testing file transfers over my LAN which is mixed 10/100 Mbps, whereas I was using download from Inet in the onsite test.
<START PF.CONF>
# interfaces: rl0 faces the Netgear router, rl1 faces the LAN switch
ext_if="rl0"
int_if="rl1"
# the ATA186 (Vonage) address
von="192.168.0.2"

# queues toward the LAN
altq on $int_if priq bandwidth 2Mb queue { vonage_in, others_in }
queue others_in priq(default)
queue vonage_in priority 15

# queues toward the router
altq on $ext_if priq bandwidth 2Mb queue { vonage_out, others_out }
queue others_out priq(default)
queue vonage_out priority 15

pass in all
pass quick on lo0 all

# put the ATA186 traffic in the high-priority queue in each direction
pass out on $int_if from any to $von queue vonage_in
pass out on $ext_if from $von to any queue vonage_out
<END PF.CONF>
I took out comments for ease in viewing. Please, do you have any ideas on how to make this work?
Is there a reason I must use a static IP address for the ATA186??
THANK YOU!
David
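An added example (mine, not the poster's config) of the router-replacement layout the post considers, written in 3.4-era pf syntax: it assumes the bottleneck is the DSL link itself, so each shaper's bandwidth is set below that link's rate, which makes the backlog build on the OpenBSD box, where priq can reorder it, instead of in the modem. All addresses and rates are placeholders to be set from the measured, not nominal, link speeds.

```pf
# Added example, not the poster's pf.conf: OpenBSD box as the NAT router
# in place of the Netgear. rl0 faces the DSL modem, rl1 faces the LAN.
ext_if="rl0"
int_if="rl1"
lan="192.168.0.0/24"   # placeholder LAN
von="192.168.0.2"      # placeholder ATA186 address

# Upstream: cap priq below the real uplink rate (nominally 144 kbit/s in
# the post) so the queue forms here, not in the modem, and priority holds.
altq on $ext_if priq bandwidth 128Kb queue { voip, ack, std }
queue voip priority 15
queue ack  priority 10
queue std  priority 1 priq(default)

# Downstream toward the LAN: set below the measured download rate; this
# only partly controls inbound bulk traffic, since the ISP side queues
# first, but it lets inbound voice packets overtake the download here.
altq on $int_if priq bandwidth 256Kb queue { voip_in, std_in }
queue voip_in priority 15
queue std_in  priority 1 priq(default)

nat on $ext_if from $lan to any -> ($ext_if)

pass quick on lo0 all

# ATA186 traffic gets the voice queue in both directions.
pass out on $ext_if from $von to any keep state queue voip
pass out on $int_if from any to $von keep state queue voip_in

# Everything else: bulk data in std; empty TCP ACKs go to the ack queue so
# a saturated uplink does not starve the download of acknowledgements.
pass out on $ext_if proto tcp from $lan to any keep state queue(std, ack)
pass out on $ext_if from $lan to any keep state queue std
pass out on $int_if from any to $lan keep state queue std_in
pass in on $int_if from $lan to any keep state
```

Because the ATA186 keeps its DHCP lease, a reservation on the DHCP server (or a long enough lease) is what keeps the placeholder address for $von stable.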
