Hello, everybody.
We've been trying to get "borrow" to work for us, but despite our having read every reasonable piece of documentation, messages on this list and several web pages trying to find a solution, it's still not working. We also tried to use the same PF configuration on BSD 3.3 and 3.6, with no success.
Our pf.conf follows. It's a simple setup that intends to share 1MB of the available bandwidth between two hosts, guaranteeing a minimum of 256Kbps for each. The issue is that even when all the bandwidth is available, downloads won't borrow from the parent, as expected, and, therefore, won't go faster than 512Kbps.
# -----------------------------------------------------------------------------
# Connections
# fxp0 - 10.0.5.0/24 - LAN
# xl0 - 10.0.0.200 - Ext
# -----------------------------------------------------------------------------
# Definitions: Interfaces
lan_if = "fxp0"
lan_gw = "10.0.5.1"
ext_if = "xl0"
ext_gw = "10.0.0.200"
# -----------------------------------------------------------------------------
# Firewall Options
set limit { states 100000, frags 5000 }
set loginterface $lan_if
scrub in all fragment reassemble no-df
# ----------------------------------------------------------------------------
# Queue
altq on $lan_if bandwidth 10Mb cbq queue { std_down, ext_down }
queue std_down bandwidth 1024Kb cbq(default)
queue ext_down bandwidth 1024Kb { lan_down_1, lan_down_2 }
    queue lan_down_1 bandwidth 512Kb cbq(borrow)
    queue lan_down_2 bandwidth 512Kb
# -----------------------------------------------------------------------------
# NAT
nat on $ext_if from $lan_if:network to any -> ($ext_if)
# -----------------------------------------------------------------------------
# Filter
# Default policy: block all traffic
block log all
# Allow loopback communication
pass quick on lo0 all
# -----------------------------------------------------------------------------
# Filter
pass in on $lan_if proto tcp \
    from $lan_if:network to any flags S/SA modulate state
pass in on $lan_if proto { udp, icmp } \
    from $lan_if:network to any keep state
# For Machine 1
pass in on $lan_if proto tcp \
    from 10.0.5.100 to any flags S/SA modulate state queue lan_down_1
pass in on $lan_if proto { udp, icmp } \
    from 10.0.5.100 to any keep state queue lan_down_1
# For Machine 2
pass in on $lan_if proto tcp \
    from 10.0.5.101 to any flags S/SA modulate state queue lan_down_2
pass in on $lan_if proto { udp, icmp } \
    from 10.0.5.101 to any keep state queue lan_down_2
# Destination: This Host
pass in on $lan_if from $lan_if:network to ($lan_if) keep state
pass in on $ext_if from $ext_if:network to ($ext_if) keep state
# Outbound Traffic Rules
pass out on $ext_if inet proto tcp \
    from any to any flags S/SA modulate state
pass out on $ext_if inet proto { udp, icmp } \
    from any to any keep state
# -----------------------------------------------------------------------------
Any help would be VERY appreciated. Thanks a lot.
Alexandre Ilha
Network Administration
TeleHUMANA Communications
http://www.telehumana.com.br
P.S.: The system that pf.conf is used on is _not_ my production firewall, so please don't flame me with that 'it's dangerous' talk... :-)
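Added example, not part of the original post and not pfctl's own code: a small Python checker that parses the altq/queue lines of a pf.conf, rebuilds the CBQ tree and reports the structural constraints pfctl itself enforces (child bandwidths must not exceed the parent's, exactly one cbq(default) queue, every referenced queue defined and every defined queue attached). It also computes the ceiling each queue can reach from its borrow flags, assuming the usual CBQ model in which a borrowing class may use its parent's spare bandwidth up to the parent's own limit (an assumption of this script, not a statement about the author's kernel). The sample configuration is the queue section of the post above plus the one macro it references; the analyze_queues() and parse_bw() names are this example's own.

```python
"""Static checks on the CBQ queue hierarchy of a pf.conf (added example)."""
import re

# Constructed sample: the altq/queue section of the pf.conf posted above,
# one statement per line, plus the macro it references.
SAMPLE_CONF = """\
lan_if = "fxp0"
altq on $lan_if bandwidth 10Mb cbq queue { std_down, ext_down }
queue std_down bandwidth 1024Kb cbq(default)
queue ext_down bandwidth 1024Kb { lan_down_1, lan_down_2 }
queue lan_down_1 bandwidth 512Kb cbq(borrow)
queue lan_down_2 bandwidth 512Kb
"""

# pfctl scales Kb/Mb/Gb by 1000, not 1024.
UNITS = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s+bandwidth\s+(\S+)\s+cbq\s+queue\s*\{([^}]*)\}")
QUEUE_RE = re.compile(
    r"^queue\s+(\w+)\s+bandwidth\s+(\S+)"
    r"(?:\s+priority\s+\d+)?"        # optional priority, not used here
    r"(?:\s+cbq\(([^)]*)\))?"        # optional cbq(flags ...)
    r"(?:\s*\{([^}]*)\})?"           # optional { child, child }
)


def parse_bw(text, parent_bps):
    """'512Kb' -> 512000 bits/s; '25%' -> 25% of the parent's bandwidth."""
    if text.endswith("%"):
        return int(parent_bps * float(text[:-1]) / 100)
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGkmg]?b)", text)
    if not m:
        raise ValueError("unparsable bandwidth: " + text)
    return int(float(m.group(1)) * UNITS[m.group(2).lower()])


def _children(text):
    return [c.strip() for c in text.split(",") if c.strip()]


def analyze_queues(conf):
    """Return {'queues', 'ceiling', 'issues'} for the single cbq tree in conf."""
    macros, root, defs = {}, None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Expand $macro references the way pfctl does for simple string macros.
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        m = ALTQ_RE.match(line)
        if m:
            root = {"name": m.group(1), "bw": parse_bw(m.group(2), 0),
                    "children": _children(m.group(3))}
            continue
        m = QUEUE_RE.match(line)
        if m:
            flags = set((m.group(3) or "").split())
            defs[m.group(1)] = {"bw_text": m.group(2), "flags": flags,
                                "children": _children(m.group(4) or "")}

    if root is None:
        return {"queues": {}, "ceiling": {}, "issues": ["no 'altq on ... cbq' definition found"]}
    issues, queues = [], {}

    def attach(parent, parent_bps, names):
        total = 0
        for name in names:
            d = defs.get(name)
            if d is None:
                issues.append(f"queue {name} is listed under {parent} but never defined")
                continue
            bw = parse_bw(d["bw_text"], parent_bps)
            queues[name] = {"bw": bw, "parent": parent, "flags": d["flags"],
                            "children": d["children"]}
            total += bw
            attach(name, bw, d["children"])
        if total > parent_bps:  # pfctl rejects this at load time
            issues.append(f"children of {parent} sum to {total} bps, exceeding its {parent_bps} bps")

    attach(root["name"], root["bw"], root["children"])
    for name in defs:
        if name not in queues:
            issues.append(f"queue {name} is defined but not attached to the tree")
    defaults = [n for n, q in queues.items() if "default" in q["flags"]]
    if len(defaults) != 1:
        issues.append(f"expected exactly one cbq(default) queue, found {len(defaults)}")

    def ceiling(name):
        # Model (assumption): a borrowing class may use its parent's spare
        # bandwidth, so its ceiling is the parent's ceiling; without borrow it
        # is capped at its own bandwidth.
        q = queues[name]
        if "borrow" not in q["flags"]:
            return q["bw"]
        return root["bw"] if q["parent"] == root["name"] else ceiling(q["parent"])

    return {"queues": queues, "ceiling": {n: ceiling(n) for n in queues}, "issues": issues}


if __name__ == "__main__":
    report = analyze_queues(SAMPLE_CONF)
    for name, q in report["queues"].items():
        print(f"{name:12} {q['bw']:>10} bps  ceiling {report['ceiling'][name]:>10} bps  "
              f"flags={sorted(q['flags'])}")
    print("issues:", report["issues"] or "none")
```

Run as a script it prints one line per queue with its configured rate and the ceiling the borrow flags allow; for the posted tree, lan_down_1 may reach ext_down's 1024Kb while lan_down_2, which has no borrow, stays at 512Kb, and no structural issue is reported.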