On 08/05/2005 11:43:07 AM, Daniel T. Staal wrote:
On Fri, August 5, 2005 12:30 pm, Karl O. Pinc said:
> Hi,
>
> I want to route all inbound WAN traffic to a loopback
> interface so I can try some queueing on inbound traffic
> (to see if I can trade bandwidth for latency).
> But I'm not sure there's a way to do this
> in conjunction with stateful firewalling.
>
> Seems like:
>
> pass in on $internal_if from any to any port http keep state
> pass out on $external_if from any to any port http \
>     route-to lo1 keep state
>
> is going to route the outbound traffic on $external_if
> whereas what I want is to route the returning
> inbound traffic. Right? Is there a way to route inbound
> traffic to a loopback address so I can play around
> with queueing inbound traffic?
>
> Thanks.

Ok, three things: First off, to do what you ask you need to change that last line to:

    pass in on $external_if from any to any port http \
        route-to lo1 keep state
But if I did that then replies to the packets from my users' http requests on $internal_if would never make it back to them.
Second: You can quite easily apply queueing directly to the inbound traffic on $external_if if you want. It's just another interface.
The pf FAQ says I can only queue outbound traffic on an interface, or that's how I read it. "The only solution is to enable queueing on the adjacent router or, if the host that received the packet is acting as a router, to enable queueing on the internal interface where packets exit the router." (Which won't work for me as I have multiple interfaces where the packets exit the router and want only one queue.) And a look over the code seems to confirm queueing is on interface exit, although I don't really know what I'm looking at.
Third: Doing so (or doing this) won't help you. By the time the packets have reached you it no longer matters what queues you set up for them. Think of it this way: Queueing says 'If you need to drop packets, drop these packets before those packets.' That's all it says. And the simple fact is that by the time the packets have reached your external interface *no more packets need to be dropped.* This is because the only reason to drop them is because you couldn't fit them on the connection, and you have only received the ones that *would* fit.
Au contraire, if there's a big fat ftp download filling the pipe I want to drop some of its packets to favor, for example, VOIP traffic. But when there's no VOIP traffic I want ftp to be able to (almost) fill the pipe. So, I start dropping packets _before_ the pipe is filled so that I _can_ receive the packets I want to favor and let them take up more of the allowed bandwidth. The improvement in "interesting" bandwidth is worth the loss in total bandwidth. (See old thread: http://marc.theaimsgroup.com/?t=112139406900001&r=1&w=2&n=6 )

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
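For readers following the pf FAQ pointer in Karl's reply, here is an added example (not from this thread, and not the pf project's own documentation) of what "enable queueing on the internal interface where packets exit the router" looks like in 2005-era pf.conf syntax with altq/priq. The interface names, the LAN network, the link rate and the VoIP port ranges are assumptions made for the example.

```pf
# Constructed example: shape inbound WAN traffic on the interface where it
# exits the router, which is the approach the pf FAQ recommends.
ext_if  = "fxp0"              # assumed WAN interface
int_if  = "fxp1"              # assumed LAN interface
int_net = "192.168.1.0/24"    # assumed LAN network

# The bandwidth figure is set a little below the real downstream rate so
# that this box, not the ISP's router, becomes the bottleneck and therefore
# gets to choose which packets are dropped.  This is the "drop before the
# pipe is full" trade-off Karl describes.
altq on $int_if priq bandwidth 1400Kb queue { q_voip, q_std, q_bulk }
queue q_voip priority 7
queue q_std  priority 4 priq(default)
queue q_bulk priority 1

# Rules on the WAN side assign the queue name.  With keep state the queue
# follows the state in both directions, and a packet is actually enqueued
# when it leaves through an interface that defines a queue of that name
# (here $int_if).  Port numbers below are assumptions for the example.
pass in on $ext_if proto udp from any to $int_net port 5060 \
    keep state queue q_voip            # SIP signalling
pass in on $ext_if proto udp from any to $int_net port 10000:20000 \
    keep state queue q_voip            # assumed RTP media range
pass out on $ext_if proto tcp from $int_net to any port ftp \
    keep state queue q_bulk            # user-initiated FTP; replies inherit q_bulk
pass out on $ext_if proto tcp from $int_net to any port http \
    keep state                         # everything else lands in q_std
```

Note the limitation Karl raises in his reply: altq attaches to one interface, so a router with several internal interfaces needs a separate altq line (and a separate bandwidth figure) per interface, and the downstream rate is then not shared across them as a single queue. That is exactly the gap a single loopback queue was meant to close.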
