Vas_PXter wrote:
I'm a newbie just now for using OpenBSD pf, and I have a little
problem with queuing.
The OpenBSD pf FAQ says "the queueing is only useful for packets in
the outbound direction. Once a packet arrives on an interface in the
inbound direction it's already too late to queue it -- it's already
consumed network bandwidth to get to the interface that just received
it."
But I have found in this tutorial and in Peter Hansteen's pf tutorial
some examples, where queueing was set up on the inbound direction too
(and on the internal interface of the firewall too).
http://openbsd.org/faq/pf/queueing.html#example2
http://www.bgnett.no/~peter/pf/en/altqbypct.html
So, is it possible to queue packets on the inbound direction, or is
there something special which I didn't understand correctly?
You can't queue packets in the inbound direction, but (I'm assuming
someone will poke me with a stick if I'm mistaken) you can classify
incoming packets.
Imagine a classic setup:
Internet -> ADSL-link -> ALTQ box -> [lan]
Once a packet has traveled across the ADSL link, it'll already have
consumed resources there. Too late to change that. But you can still
classify the packet, and use the classification on an outbound queue to
the LAN.
Remember, direction is device dependent. That the packet is coming
into your network doesn't mean it's always an inbound packet. The packet
will be inbound on the WAN interface, and outbound on the LAN interface.
Typically you'll have a few mbps capacity on the ADSL link, and 100mbps
on LAN. So why would you want to use queues to limit things on a
100mbps network, when it's already passed through a much smaller link?
Simple answer: Flow control.
By using queues on the interface toward the LAN, you can control the
speed of TCP sessions for example. You can't control the traffic going
across the ADSL link (without control of an upstream router) directly,
but you can slow the TCP connection down by setting up queueing on the
LAN interface. The result is admittedly a poor hack compared to
controlling the other end-point of the ADSL link, but it does the trick.
Terje
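A pf.conf fragment illustrating the setup Terje describes (classify on the WAN side, shape on the LAN side), as an added example that is not from the original thread or the linked tutorials; the interface names, the 2Mb downstream figure and the queue split are assumed values for the classic ALTQ syntax.

```pf
# Assumed interface names and ADSL downstream rate (not from the thread).
ext_if = "pppoe0"   # WAN: packets arrive here, too late to queue them
int_if = "em0"      # LAN: the only side where we can actually shape

# Define the queues on the LAN-facing interface. Bandwidth is set to the
# ADSL downstream rate, not the 100 Mbps LAN rate, so the queue becomes the
# bottleneck and TCP senders on the Internet side back off accordingly.
altq on $int_if cbq bandwidth 2Mb queue { std, web, bulk }
queue std  bandwidth 50% cbq(default)
queue web  bandwidth 30% cbq(borrow)
queue bulk bandwidth 20%

# Classify on the inbound WAN rule. The queue name is remembered with the
# state and applied when the same packet leaves $int_if, where the altq
# definition lives. Nothing is queued on $ext_if itself.
pass in on $ext_if proto tcp from any to any port 80 \
    flags S/SA keep state queue web
pass in on $ext_if proto tcp from any to any port 21 \
    flags S/SA keep state queue bulk

# Everything else that leaves toward the LAN falls into the default queue.
pass out on $int_if keep state
```

Check the result with `pfctl -vvsq`, which shows per-queue packet and byte counters on $int_if; the counters for `web` and `bulk` should climb only for traffic that matched the inbound WAN rules.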