Terje Elde wrote:
Vas_PXter wrote:
I'm a newbie just now for using OpenBSD pf, and I have a little
problem with queuing.
The OpenBSD pf FAQ says "the queueing is only useful for packets in
the outbound direction. Once a packet arrives on an interface in the
inbound direction it's already too late to queue it -- it's already
consumed network bandwidth to get to the interface that just received
it."
But I have found in this tutorial and in Peter Hansteen's pf tutorial
some examples, where queueing was set up on the inbound direction too
(and on the internal interface of the firewall too).
http://openbsd.org/faq/pf/queueing.html#example2
http://www.bgnett.no/~peter/pf/en/altqbypct.html
So, is it possible to queue packets on the inbound direction, or
is there something special, which I didn't understand correctly?
You can't queue packets in the inbound direction, but (I'm assuming
someone will poke me with a stick if I'm mistaken) you can classify
incoming packets.
Imagine a classic setup:
Internet -> ADSL-link -> ALTQ box -> [lan]
Once a packet has traveled across the ADSL link, it'll already have
consumed resources there. Too late to change that. But you can still
classify the packet, and use the classification on an outbound queue
to the LAN.
Remember, direction is device dependent. That the packet is coming
into your network doesn't mean it's always an inbound packet. The
packet will be inbound on the WAN interface, and outbound on the LAN
interface.
Typically you'll have a few mbps capacity on the ADSL link, and
100mbps on LAN. So why would you want to use queues to limit things
on a 100mbps network, when it's already passed through a much smaller
link?
Simple answer: Flow control.
By using queues on the interface toward the LAN, you can control the
speed of TCP sessions for example. You can't control the traffic
going across the ADSL link (without control of an upstream router)
directly, but you can slow the TCP connection down by setting up
queueing on the LAN interface. The result is admittedly a poor hack
compared to controlling the other end-point of the ADSL link, but it
does the trick.
Terje
Many thanks for your explanation Terje, now I understand how it
works. Meanwhile I've found this in the PF FAQ. RTFM for me! :-/
Now I have a (maybe) related problem with bandwidth management. My
OpenBSD firewall at home has three NICs, one for external, the other two
for the LAN machine (XP) and for the DMZ server (Linux). The machines are side
by side, so I'm not using a switch; each machine is connected to the
firewall with a crossover cable.
If I uploaded some files to the firewall with WinSCP, the speed was very
slow, 10-20 Kbyte/sec. But only on upload. The download went from
firewall to client with normal speed, ~8-10Mbit/sec. I don't know why,
the NICs are well-configured on each machine. The same chipset (Realtek
8139), 100Mbit/sec full-duplex mode. Even if the crossover cable has a
maximum speed of 10Mbit/sec, it must be the same speed on upload, I
think. After I configured the queueing, the problem still persists.
Does anyone have any answer, is the problem solvable with internal bandwidth
management, or is it rather a hardware problem? (crossover cable, poor simple
NIC, etc)
Thanks!
Peter Vas
Thanks.
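Terje's point above (classify on the WAN side, queue on the LAN side where the same traffic is outbound) as an added pf.conf sketch; it is not from the thread or from the linked tutorials, and it uses the classic ALTQ syntax those tutorials use. Interface names, the LAN prefix and the bandwidth figures are assumed values.

```pf
# Assumed names: pppoe0 is the ADSL side, rl0 the LAN side.
ext_if  = "pppoe0"
int_if  = "rl0"
lan_net = "192.168.1.0/24"   # assumed LAN prefix

# The queue tree lives on the LAN interface: for traffic that arrived
# inbound on the ADSL link this is the outbound side. The total is set a
# little below the real ADSL downstream rate so that this queue, and not
# the ISP's router, is the bottleneck that makes TCP back off.
altq on $int_if cbq bandwidth 1900Kb queue { def_in, ssh_in, bulk_in }
queue def_in  bandwidth 40% cbq(default borrow)
queue ssh_in  bandwidth 30% priority 7 cbq(borrow)
queue bulk_in bandwidth 30% priority 1 cbq(borrow)

# Classification happens where the packet is first seen: on the way in
# on $ext_if. pf stores the queue name in the state entry and applies it
# when the same packet leaves on $int_if, which is where the queue exists.
pass in on $ext_if inet proto tcp from any to $lan_net port ssh \
    flags S/SA keep state queue ssh_in
pass in on $ext_if inet proto tcp from any to $lan_net port 80 \
    flags S/SA keep state queue bulk_in
pass in on $ext_if inet from any to $lan_net keep state queue def_in

# Nothing queue-specific is needed on the LAN side; the packet already
# carries its queue assignment from the inbound rule.
pass out on $int_if from any to $lan_net keep state
```

With the rules in place, `pfctl -vvs queue` on the firewall shows packets landing in ssh_in and bulk_in on the LAN interface even though the matching rules are the inbound ones on the WAN interface.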