Adam,
As far as I know you can only have one queue group. If I read your config
correctly you are specifying two:
altq on sis0 cbq bandwidth 768Kb queue { std_out, adam_out }
altq on sis1 cbq bandwidth 20Mb queue { std_in, adam_in }
Try enabling only one and see if that works for you.
If you are still having issues check this page
OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Sat, Feb 23, 2008 at 12:48:34AM +0000, Adam Retter wrote:
>I setup a simple PF configuration which worked fine, I then tried to
>add some simple queues to the configuration, but all my traffic seems
>to go through the std queue.
>
>This is for a small home network, with PF being the firewall on my
>Soekris net4801 acting as the router/firewall for the network. sis0 is
>the external interface and sis1 is the internal interface. The
>Internet link connected to sis0 is a Cable connection with 20Mbps
>downstream and 768Kbps upstream. I want to allow everything out to the
>Internet, blocking all direct incoming connections from the Internet
>apart from SSH which is forwarded to $funkalicious. This all works
>fine so far :-)
>
>However, I also want to add bandwidth shaping with altq, I want to
>create two queues - one for $funkalicious that allows it a minimum of
>1/3 of the Internet link bandwidth and another queue for everything
>else that is allowed a minimum of 2/3 of the Internet link bandwidth.
>Each queue should be able to borrow if there is spare bandwidth,
>allowing it up to 100% of the Internet link.
>
>I have tried to follow the examples on the OpenBSD/PF website and in
>/usr/share/pf and whilst my ruleset seems to work, pftop shows that
>all traffic is always sent/received through the std_in/std_out queues
>and that nothing ever goes through adam_in/adam_out queue. I am trying
>to get all traffic for $funkalicious to go through adam_in/adam_out.
>At the moment $funkalicious is just one IP address but this may expand
>in the future...
>
>Below is my pf.conf and also the output from pftop -
>
>ext_if="sis0"
>int_if="sis1"
>
>funkalicious="172.16.16.245"
>
>set block-policy drop
>set skip on lo
>
>scrub in
>
>
># enable queueing on the external interface to control traffic going to
># the Internet. upstream bandwidth is 768Kbps
>altq on sis0 cbq bandwidth 768Kb queue { std_out, adam_out }
>
>queue std_out bandwidth 66% cbq(default, borrow, red)
>queue adam_out bandwidth 34% cbq(borrow, red)
>
># enable queuing on the internal interface to control traffic coming in
># from the Internet. downstream bandwidth is 20Mbps
>altq on sis1 cbq bandwidth 20Mb queue { std_in, adam_in }
>
>queue std_in bandwidth 66% cbq(default, borrow, red)
>queue adam_in bandwidth 34% cbq(borrow, red)
>
>nat on $ext_if from !($ext_if) -> ($ext_if:0)
>nat-anchor "ftp-proxy/*"
>rdr-anchor "ftp-proxy/*"
>
>rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>rdr on $ext_if proto tcp from any to any port 22 -> $funkalicious
>
>block in
>block out
>
>pass out on $ext_if from any queue std_out
>pass out on $ext_if from $funkalicious queue adam_out
>
>anchor "ftp-proxy/*"
>antispoof quick for { lo $int_if }
>
>pass in on $ext_if inet proto tcp from any to $funkalicious port 22 synproxy state
>pass in quick on $int_if
>
>pass out on $int_if to any queue std_in
>pass out on $int_if to $funkalicious queue adam_in
>
>
>
>pfTop: Up Queue 1-6/6, View: queue, Cache: 10000    00:41:37
>
>QUEUE        BW SCH PRIO  PKTS    BYTES DROP_P DROP_B QLEN BORROW SUSPEN P/S    B/S
>root_sis0  768K cbq    0 18944  1277451      0      0    0      0      0 203  13762
> std_out   506K cbq      18944  1277451      0      0    0      0      0 203  13762
> adam_out  261K cbq          0        0      0      0    0      0      0   0      0
>root_sis1   20M cbq    0 27012 40639300      0      0    0      0      0 282 427647
> std_in     13M cbq      27012 40639300      0      0    0      0      0 282 427590
> adam_in   6800K cbq          0        0      0      0    0      0      0   0      0
>
>
>
>Does anyone have any idea why nothing goes through the adam_in/adam_out queue?
>
>Thanks in advance, Adam.
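
Added example, not part of either message above: a small Python check that reads a pftop queue view and reports child queues that received no packets while their root queue did, which is the symptom described in the post. The sample rows reuse the figures from the post; the function names and the one-row-per-queue layout are assumptions of this example.

```python
import re

# Queue rows with the figures reported in the post, one queue per line.
# Child queues have no PRIO value, so they carry one column fewer.
PFTOP_SAMPLE = """\
QUEUE BW SCH PRIO PKTS BYTES DROP_P DROP_B QLEN BORROW SUSPEN P/S B/S
root_sis0 768K cbq 0 18944 1277451 0 0 0 0 0 203 13762
 std_out 506K cbq 18944 1277451 0 0 0 0 0 203 13762
 adam_out 261K cbq 0 0 0 0 0 0 0 0 0
root_sis1 20M cbq 0 27012 40639300 0 0 0 0 0 282 427647
 std_in 13M cbq 27012 40639300 0 0 0 0 0 282 427590
 adam_in 6800K cbq 0 0 0 0 0 0 0 0 0
"""

COUNTERS = ("pkts", "bytes", "drop_p", "drop_b", "qlen",
            "borrow", "suspend", "pps", "bps")
UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def bandwidth_bps(text):
    """Convert a BW cell such as '768K' or '20M' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if m is None:
        raise ValueError(f"unrecognised bandwidth: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_queues(text):
    """Parse queue rows; header, blank and malformed lines are skipped."""
    queues, root = [], None
    for line in text.splitlines():
        tok = line.lstrip("> ").split()          # tolerate mail quoting
        if len(tok) not in (12, 13) or not all(t.isdigit() for t in tok[3:]):
            continue
        nums = [int(t) for t in tok[3:]]
        prio = nums.pop(0) if len(nums) == 10 else None
        if tok[0].startswith("root_"):
            root = tok[0]
        q = {"name": tok[0], "parent": None if tok[0] == root else root,
             "bw_bps": bandwidth_bps(tok[1]), "sched": tok[2], "prio": prio}
        q.update(zip(COUNTERS, nums))
        queues.append(q)
    return queues


def starved_queues(queues):
    """Child queues that saw no packets while their root queue did."""
    root_pkts = {q["name"]: q["pkts"] for q in queues if q["parent"] is None}
    return [q["name"] for q in queues
            if q["parent"] and q["pkts"] == 0 and root_pkts[q["parent"]] > 0]
```

Running starved_queues(parse_queues(PFTOP_SAMPLE)) after each ruleset change shows whether traffic has started reaching the non-default queues.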