Hi!
I have the following network topology:
[ LAN ] <--------> [ OBSD f/w ] <----- DSL -----> [ Internet ]
                        |
                        \-----> [ DMZ ]
In the DMZ I have a proxy (squid) configured and running properly on
port 3128. I want to make this proxy transparent for the users and also
QoS the outgoing connections to http port 80. Connections unrelated
to port 80 should be queued in the dmz_in class. Connections going
to port 80 should be proxied and then throttled through the web_in
queue. The rules on the firewall are (amongst others; the whole ruleset
can be provided on request):
# QoS
altq on $int_if bandwidth 100% cbq queue { internet_in, dmz_in }
queue internet_in bandwidth 512Kb cbq { bulk_in, web_in, std_in, rt_in }
queue std_in bandwidth 150Kb cbq(default, borrow)
queue bulk_in bandwidth 100Kb priority 0 cbq(borrow)
queue web_in bandwidth 150Kb priority 3 cbq(borrow)
queue rt_in bandwidth 60Kb priority 5 cbq(borrow)
..
queue dmz_in bandwidth 95%
# and further below the rdr rule:
# Proxy redirection for internal hosts
rdr on $int_if proto tcp from <internet_hosts> to any port www \
    -> $proxy port squid-http
# and filter rules...
# filter rules for $int_if outbound
block out on $int_if all
pass out on $int_if from any to <internet_hosts> queue std_in
pass out on $int_if proto tcp from any port ssh to <internet_hosts> \
    queue (bulk_in, rt_in)
pass out on $int_if proto tcp from any port rdesktop to <internet_hosts> \
    queue rt_in
pass quick out on $int_if proto tcp from any port www to <internet_hosts> \
    queue web_in
pass out on $int_if proto tcp from $proxy to $internal_net queue dmz_in
The problem is that when I enable rdr all packets go to the proper
queue class except port 80 packets (they go through the proxy but also
end up in the std_in queue instead of web_in). When I disable rdr
everything works as expected (class web_in is utilized).
I know that translation happens before the filtering, therefore to
queue packets I should look for the destination address of the proxy, but
my pass rule is more generic (here it is the source address):
pass quick out on $int_if proto tcp from any port www to <internet_hosts> \
    queue web_in
which for some reason does not work.
Anyway, since we are getting out of the interface, the packet should be
re-translated, and that means it should appear to come from port 80,
right?
Also tried to tag packets:
# Proxy redirection for internet hosts
rdr on $int_if proto tcp from <internet_hosts> to any port www tag WEB \
    -> $proxy port squid-http
..
pass out quick on $int_if proto tcp all tagged WEB keep state \
    queue web_in
..
But even then the web_in queue is not used!
Before it the same rules as previously are defined...
$ pfctl -vsq
queue web_in bandwidth 150Kb priority 3 cbq( borrow )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
Miscellaneous info:
$ cat /etc/motd | head -1
OpenBSD 3.6-stable (GENERIC) #0: Thu Jan 27 22:51:18 EET 2005
on a sparc64 (Ultra1).
Any insight on why this doesn't work? Is this a bug or am I overlooking
something?
Since I am not a member of the list, would you please be kind and cc me?
Thanks in advance (for reading this huge message):
Fotos
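Editor's note, not part of Fotos's message: the behaviour described above follows from how pf assigns queues to stateful connections. A translated (rdr) connection always gets a state entry, and every later packet of that connection, including the replies the proxy sends back out through $int_if, is matched against that state and takes the queue of the rule that created the state; the filter rules are not consulted again, so neither the "pass out ... queue web_in" rule nor the "tagged WEB" rule ever sees those packets. The fragment below is an added example (not from the original ruleset) showing the queue named on the inbound rule that creates the state. $int_if, $proxy, <internet_hosts>, the queue names and the rdr rule are taken from the post; the "pass in" rule is assumed, since the post shows only the outbound rules on $int_if.

```pf
# Added example: queue assignment for rdr'd proxy connections.
# Queue definitions as posted; altq is on $int_if, so only traffic
# leaving through $int_if (towards the LAN) is shaped.
altq on $int_if bandwidth 100% cbq queue { internet_in, dmz_in }
queue internet_in bandwidth 512Kb cbq { bulk_in, web_in, std_in, rt_in }
  queue std_in  bandwidth 150Kb cbq(default, borrow)
  queue bulk_in bandwidth 100Kb priority 0 cbq(borrow)
  queue web_in  bandwidth 150Kb priority 3 cbq(borrow)
  queue rt_in   bandwidth 60Kb  priority 5 cbq(borrow)
queue dmz_in bandwidth 95%

# Translation runs before filtering: the filter rules see the packet
# with destination $proxy port 3128 (squid-http), never port 80.
rdr on $int_if proto tcp from <internet_hosts> to any port www \
    -> $proxy port squid-http

# Assumed inbound rule (not shown in the post). This is the rule that
# creates the state for the translated connection, so this is where the
# queue must be named: the proxy's replies leaving on $int_if match the
# state and inherit web_in from it. "keep state" is spelled out because
# OpenBSD 3.6 does not keep state by default (translation implies state
# anyway, but being explicit keeps the intent visible).
pass in on $int_if proto tcp from <internet_hosts> to $proxy \
    port squid-http keep state queue web_in

# Outbound rules on $int_if, as posted, still handle connections that
# did not create state on the way in (e.g. non-stateful LAN traffic).
block out on $int_if all
pass out on $int_if from any to <internet_hosts> queue std_in
pass out on $int_if proto tcp from $proxy to $internal_net queue dmz_in
```

To check the effect, load the rules and then compare `pfctl -vsq` before and after a few page loads from a LAN client: the pkts/bytes counters on web_in should now move. `pfctl -vvsr` shows per-rule evaluation and state counters, which confirms that the "pass in" rule, and not the "pass out ... queue web_in" rule, is the one creating the states for proxied connections.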