>><SNIP Traffic shaping for VoIP>
>>
>>
>>># ----------
>>># altq rules
>>># ----------
>>>
>>># These are very simple altq rules.
>>># All they do is give priority to outgoing voip traffic.
>>>  altq on $ext_if cbq bandwidth 380Kb \
>>>        queue { std_out, voip_out, voip_in, ack_out}
>>>
>>>  queue std_out            cbq(red default)
>>>  queue voip_out priority 4 cbq(red)
>>>  queue voip_in priority 4 cbq(red)
>>>  queue ack_out priority 6 cbq(red)
>>>
>>>
>><SNIP>
>><disclaimer>This is just what I've discovered, and should definitely not be taken as gospel</disclaimer>
>>Wouldn't you be better off using something with guarantees? I am thinking here of HFSC. My personal experience has been far better with this queueing type than with any other, so I've switched all my queueing boxes over. (But that was a while (1yr+?) ago, so things may have changed.)
>>I've got the following snippet in one of my configs. (Sorry about the wrapping.)
>>If you can find out the minimum/preferred bandwidth required by the VoIP applications, you should be able to guarantee them that bandwidth, at least for outbound traffic.
>>In my case q_big is guaranteed to have at least 225Kbps available (~28KB/s)
>>
>>############
>># HFSC for ADSL
>>############
>>altq on $ext_if hfsc bandwidth 450Kb queue { q_pri, q_icmp, q_http,
q_big,  q_mail, q_low, q_def }
>>queue q_pri  bandwidth 10% priority 7 hfsc(            realtime 10%
upperlimit  30% linkshare 15% )
>>queue q_icmp bandwidth 10% priority 5 hfsc(            realtime  1%
upperlimit  10% linkshare  1% )
>>queue q_big  bandwidth 20% priority 4 hfsc(        ecn realtime 55%
upperlimit  90% linkshare 50% )
>>queue q_http bandwidth 10% priority 3 hfsc(        ecn realtime  5%
upperlimit  80% linkshare  5% )
>>queue q_def  bandwidth 10% priority 2 hfsc(default ecn realtime  5%
upperlimit  80% linkshare  5% )
>>queue q_low  bandwidth  5% priority 0 hfsc(        ecn realtime  4%
upperlimit  80% linkshare  4% )


Craig..
Thx for the pointers.. I did some more reading and also upgraded to
OpenBSD 3.7 (I was on 3.4, not 3.3).
Anyway.. I got an error:
pfctl: the sum of the child bandwidth higher than parent
on OBSD 3.7, so following your example and some others I came up with this
modification to my altq rules (the child queues now add up to 100% of the
parent).
 oh.. and my ssh rules that didn't work with 3.4 started working on
3.7... strange....

 anyway.. thx for the help..
 here is the complete ruleset..
 ( all I want is my voip to have priority on
 outbound.. since my bandwidth is about 384Kb up and 4Mb down...)

 thx
 charles

 pf.conf on OpenBSD 3.7
 ---------------------------
 # ---------------------
 # Generic configuration
 # ---------------------

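 set limit { states 2500, frags 5000 }
 # NOTE(review): "aggressive" expires idle states early.  With a SIP device
 # behind NAT that can drop the UDP state its registration binding relies on
 # between keep-alives; if inbound calls stop working, try "set optimization normal".
 set optimization aggressive
 # Enabling "block-policy return" makes dropped ports show up as "closed"
 # rather than filtered in an external scan, e.g.
 # http://scan.sygatetech.com/quickscan.html
 # (The URL used to sit on its own uncommented line, which pfctl rejects.)
 # set block-policy return
 set fingerprints "/etc/pf.os"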

 # --------------------
 # Variable definitions
 # --------------------

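   ext_if = "fxp1"
   int_if = "fxp0"
   mail = "192.168.1.2"
   voipbox = "192.168.1.7"
   voip_tcp   = "5060"
 # Explicit VoIP port list (5060 is SIP signalling; the rest are device
 # specific).  A port range in pf is written low:high -- "9999 < 20001"
 # inside braces parses as port 9999 plus every port below 20001, which is
 # not a range.
 # voip_udp   = "{ 5060, 4569, 5036, 9999:20001, 2727 }"
 # NOTE(review): "{ 5060 < 65534 }" is a list of two operators, "port 5060"
 # and "port < 65534", so any rule using this macro matches practically all
 # UDP, not just VoIP.  Narrow it to the device's real signalling/media
 # ports, or match on the VoIP host ($voipbox) instead of on ports.
   voip_udp   = "{ 5060 < 65534 }"
 # (tcp_services is not referenced by any rule in this file)
   tcp_services = "{ 22, 113 }"
   smtp2 = "2525"

 # read the pf-howto for details.
 # Create TCP state only from an initial SYN (flags S/SA).
 # TCP_OPTIONS = "flags S/SAFR keep state"
   TCP_OPTIONS = "flags S/SA keep state"

 # Address blocks that should never appear on the Internet-facing interface
 # (RFC 1918 / IANA special-use plus multicast and class E via 224.0.0.0/3).
 # Bogon lists change over time, so revisit this list.
 # NOTE(review): 20.20.20.0/24 is not a reserved block -- presumably
 # site-specific; confirm before keeping it.
 # http://www.iana.org/assignments/ipv4-address-space
 # http://rfc.net/rfc1918.html
   reserved = " {
   0.0.0.0/8,      10.0.0.0/8,     20.20.20.0/24,  127.0.0.0/8,
   169.254.0.0/16, 172.16.0.0/12,  192.0.2.0/24,   192.168.0.0/16,
   224.0.0.0/3  } "

 # Tables
 # Table names need the closing angle bracket ("<spamd" is a syntax error).
 # "persist" keeps the table alive across rule reloads even when empty; it is
 # populated outside this file (spamd-setup).
   table <spamd> persist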

 # -----------
 # scrub rules
 # -----------

 # Normalise inbound packets on the Internet side before the filter rules
 # see them.  Only "in on $ext_if" is scrubbed; outbound traffic is not.
   scrub in on $ext_if all

 # ----------
 # altq rules
 # ----------

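 # Simple CBQ setup: three outbound queues on the Internet link, with
 # voice traffic in the highest-priority one.

 # Root queue.  Set this a little below the real upstream rate so the
 # backlog forms here (where we control it) and not in the modem.  With a
 # ~384Kb uplink, 380Kb leaves very little headroom for link-layer
 # overhead -- lower it if voice still breaks up under load.
   altq on $ext_if cbq bandwidth 380Kb queue { std_out, voip_out, ack_out }

 # Child bandwidths must add up to no more than the parent (pfctl rejects
 # "the sum of the child bandwidth higher than parent").  "borrow" lets a
 # queue use bandwidth the others leave idle.
   queue std_out  bandwidth 60% priority 6 cbq(default borrow)
 # No RED on the voice queue: RED drops packets early so that TCP senders
 # slow down, but RTP/SIP over UDP does not back off, so RED here would
 # only throw away voice packets.
   queue voip_out bandwidth 35% priority 7 cbq(borrow)
   queue ack_out  bandwidth  5% priority 6 cbq(red borrow)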

 # ---------
 # Nat and Rdr rules
 # ---------

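   # Translation rules: the FIRST matching rule wins, so the loopback
   # exemption has to come before the spamd redirect below, which has no
   # "on" clause and would otherwise match on lo0/lo1 first.
   no rdr on { lo0, lo1 } from any to any

   # Hide the LAN behind the (dynamic) address of $ext_if.
   nat on $ext_if inet from $int_if/24 to any -> ($ext_if)

   # Redirect to Mailserver.  No port on the target, so the original port
   # is kept.  (Each rdr is its own rule; two had been run together by
   # line wrapping, and "->" had lost its ">".)
   rdr on $ext_if proto tcp from any to $ext_if port $smtp2 -> $mail
   rdr on $ext_if proto tcp from any to $ext_if port https -> $mail

   # Redirect for SpamD: hosts listed in <spamd> that connect to port 25
   # are handed to spamd on 127.0.0.1:8025.  "pass" lets the redirected
   # connection through without consulting the filter rules; without it
   # the "block in" rules below drop it, because nothing passes traffic to
   # 127.0.0.1 port 8025.
   rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025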

 # --------
 # pf rules
 # --------

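 # Default policy: drop (and log) everything arriving on the Internet side.
 # Note that outbound traffic and $int_if are not filtered anywhere in this
 # ruleset, so LAN hosts can reach anything.
 # Remove the log keyword if you ever get DDoSed.
   block in log on $ext_if all

 # ---------------
 # SPOOFERS
 # ---------------

 # Drop packets with a reserved/private source on the Internet-facing side.
 # NOTE(review): if the ISP ever hands out an RFC 1918 address on $ext_if,
 # the "block out" rule will also drop the firewall's own (and NATed) traffic.
   block in  quick on $ext_if from $reserved to any
   block out quick on $ext_if from $reserved to any

 # antispoof expands to block rules that also hit loopback, so it _has_ to
 # be preceded by "pass in quick" on the loopback interfaces.
   pass in quick on { lo0, lo1 } all
   antispoof for { lo0, $int_if, $ext_if }

 # ----
 # VoIP
 # ----

 # Tag everything the VoIP box sends as it enters on $int_if.  The tag
 # travels with the packet through NAT, whereas "from $voipbox" on $ext_if
 # would never match (filter rules on $ext_if see the translated source
 # address), and it does not depend on guessing the device's RTP port range.
   pass in on $int_if from $voipbox to any tag VOIP keep state

 # ----
 # ICMP
 # ----

 # Outbound IPv4 echo requests only (replies come back via state); inbound
 # pings stay blocked by the default policy.  The inet keyword means IPv4,
 # so IPv6 pings are blocked.
   pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state queue std_out
 #  pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

 # ---
 # UDP
 # ---

 # Outgoing UDP goes to the standard queue ...
   pass out on $ext_if proto udp all keep state queue std_out

 # ... except traffic from the VoIP box, which always gets the priority
 # queue.  This rule comes after the generic one because the LAST matching
 # rule wins.  (The previous "port $voip_udp" match covered practically
 # every UDP port, so all UDP was competing for the voice queue.)
   pass out on $ext_if proto udp all tagged VOIP keep state queue ( voip_out, ack_out )

 # ---
 # TCP
 # ---

 # Incoming TCP

 # Everything arriving on $ext_if should be addressed to $ext_if itself
 # (redirect targets are passed explicitly below); cut off broadcasts and
 # other garbage here so they do not clutter the logs.
   block in on $ext_if inet from any to ! ($ext_if)

 # ssh to the firewall itself.  NOTE(review): this is open to the whole
 # Internet; restrict the source if you can, or use pf's
 # max-src-conn-rate / overload table to slow down brute forcing.
   pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
         $TCP_OPTIONS

 # Mailserver: after the rdr the destination is $mail, so match on that
 # rather than on "any".
   pass in on $ext_if inet proto tcp from any to $mail port $smtp2 \
         $TCP_OPTIONS
   pass in on $ext_if inet proto tcp from any to $mail port https \
         $TCP_OPTIONS

 # Outgoing TCP

 # Generic outbound TCP first; state is created only from a SYN.
   pass out on $ext_if proto tcp all $TCP_OPTIONS queue std_out

 # The VoIP box's TCP (e.g. SIP over TCP) LAST so that it overrides the
 # generic rule.  In the previous order the generic "pass out ... all" rule
 # came after the VoIP rule and won, so SIP/TCP never reached voip_out.
   pass out on $ext_if proto tcp all tagged VOIP $TCP_OPTIONS queue ( voip_out, ack_out )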
