All of the examples that I have seen use two queues, one on the
external interface and one on the internal interface. The example
given in the PF manual on the OpenBSD website itself also shows a
two-queue setup - http://www.openbsd.org/faq/pf/queueing.html#example1

I have taken a look at the calomel.org PF information and I must say
it is superb; I will certainly be reading through it in more detail
in the next couple of days, as I suspect it will fill in a few holes in
my knowledge of PF. I have not yet tried using one queue; I will try
this tomorrow and let you know how I get on, although I do think that
I need two queues: one for upstream and one for downstream. All of the
examples of altq with PF that I have found so far with Google use two
queues in the same way I have tried to... but at this point I will try
anything ;-)

Thanks for replying, will let you know how it goes...

Adam


On Mon, Feb 25, 2008 at 10:47 PM, Calomel <[EMAIL PROTECTED]> wrote:
> Adam,
>
>  As far as I know you can only have one queue group. If I read your config
>  correctly you are specifying two:
>
>
>  altq on sis0 cbq bandwidth 768Kb queue { std_out, adam_out }
>
> altq on sis1 cbq bandwidth 20Mb queue { std_in, adam_in }
>
>  Try enabling only one and see if that works for you.
>
>
>  If you are still having issues check this page
>
>  OpenBSD Pf Firewall "how to" ( pf.conf )
>  http://calomel.org/pf_config.html
>
>  --
>   Calomel @ http://calomel.org
>   Open Source Research and Reference
>
>
>
>
>  On Sat, Feb 23, 2008 at 12:48:34AM +0000, Adam Retter wrote:
>  >I setup a simple PF configuration which worked fine, I then tried to
>  >add some simple queues to the configuration, but all my traffic seems
>  >to go through the std queue.
>  >
>  >This is for a small home network, with PF being the firewall on my
>  >Soekris net4801 acting as the router/firewall for the network. sis0 is
>  >the external interface and sis1 is the internal interface. The
>  >Internet link connected to sis0 is a Cable connection with 20Mbps
>  >downstream and 768Kbps upstream. I want to allow everything out to the
>  >Internet, blocking all direct incoming connections from the Internet
>  >apart from SSH which is forwarded to $funkalicious. This all works
>  >fine so far :-)
>  >
>  >However, I also want to add bandwidth shaping with altq, I want to
>  >create two queues - one for $funkalicious that allows it a minimum of
>  >1/3 of the Internet link bandwidth and another queue for everything
>  >else that is allowed a minimum of 2/3 of the Internet link bandwidth.
>  >Each queue should be able to borrow if there is spare bandwidth,
>  >allowing it up to 100% of the Internet link.
>  >
>  >I have tried to follow the examples on the OpenBSD/PF website and in
>  >/usr/share/pf and whilst my ruleset seems to work, pftop shows that
>  >all traffic is always sent/received through the std_in/std_out queues
>  >and that nothing ever goes through adam_in/adam_out queue. I am trying
>  >to get all traffic for $funkalicious to go through adam_in/adam_out.
>  >At the moment $funkalicious is just one IP address but this may expand
>  >in the future...
>  >
>  >Below is my pf.conf and also the output from pftop -
>  >
>  >ext_if="sis0"
>  >int_if="sis1"
>  >
>  >funkalicious="172.16.16.245"
>  >
>  >set block-policy drop
>  >set skip on lo
>  >
>  >scrub in
>  >
>  >
>  ># enable queueing on the external interface to control traffic going to
>  ># the Internet. upstream bandwidth is 768Kbps
>  >altq on sis0 cbq bandwidth 768Kb queue { std_out, adam_out }
>  >
>  >queue std_out   bandwidth 66% cbq(default, borrow, red)
>  >queue adam_out  bandwidth 34% cbq(borrow, red)
>  >
>  ># enable queuing on the internal interface to control traffic coming in
>  ># from the Internet. downstream bandwidth is 20Mbps
>  >altq on sis1 cbq bandwidth 20Mb queue { std_in, adam_in }
>  >
>  >queue std_in    bandwidth 66% cbq(default, borrow, red)
>  >queue adam_in   bandwidth 34% cbq(borrow, red)
>  >
>  >nat on $ext_if from !($ext_if) -> ($ext_if:0)
>  >nat-anchor "ftp-proxy/*"
>  >rdr-anchor "ftp-proxy/*"
>  >
>  >rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>  >rdr on $ext_if proto tcp from any to any port 22 -> $funkalicious
>  >
>  >block in
>  >block out
>  >
>  >pass out on $ext_if from any queue std_out
>  >pass out on $ext_if from $funkalicious queue adam_out
>  >
>  >anchor "ftp-proxy/*"
>  >antispoof quick for { lo $int_if }
>  >
>  >pass in on $ext_if inet proto tcp from any to $funkalicious port 22
>  >synproxy state
>  >pass in quick on $int_if
>  >
>  >pass out on $int_if to any queue std_in
>  >pass out on $int_if to $funkalicious queue adam_in
>  >
>  >
>  >
>  >pfTop: Up Queue 1-6/6, View: queue, Cache: 10000                 00:41:37
>  >
>  >QUEUE                             BW SCH  PRIO     PKTS    BYTES DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S
>  >root_sis0                       768K cbq     0    18944  1277451  0        0    0      0      0     203   13762
>  > std_out                        506K cbq          18944  1277451  0        0    0      0      0     203   13762
>  > adam_out                       261K cbq              0        0  0        0    0      0      0       0       0
>  >root_sis1                        20M cbq     0    27012 40639300  0        0    0      0      0     282  427647
>  > std_in                          13M cbq          27012 40639300  0        0    0      0      0     282  427590
>  > adam_in                       6800K cbq              0        0  0        0    0      0      0       0       0
>  >
>  >
>  >
>  >Does anyone have any idea why nothing goes through the adam_in/adam_out queue?
>  >
>  >Thanks in advance, Adam.
>



-- 
Adam Retter

Software Pimp Extraordinaire
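As an added example (not code from this thread), a small Python parser for the pftop queue view Adam pasted; it re-joins rows that mail wrapping split in two and reports which child queues never carried a packet. The sample input is constructed from his output, and the `SCHEDULERS` set and number suffixes are assumptions about pftop's formatting.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SCHEDULERS = {"cbq", "priq", "hfsc"}          # assumed scheduler names in the SCH column
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Constructed sample, mirroring the mail-wrapped pftop queue view from the thread.
SAMPLE = """\
QUEUE                             BW SCH  PRIO     PKTS    BYTES
DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S
root_sis0                       768K cbq     0    18944  1277451
 0        0    0      0      0     203   13762
 std_out                        506K cbq          18944  1277451
 0        0    0      0      0     203   13762
 adam_out                       261K cbq              0        0
 0        0    0      0      0       0       0
"""

def _num(tok: str) -> Optional[int]:
    """Parse pftop's abbreviated numbers (768K, 20M, 13762); None if not numeric."""
    m = re.fullmatch(r"(\d+)([KMG])?", tok)
    return None if not m else int(m.group(1)) * SUFFIX.get(m.group(2), 1)

@dataclass
class QueueStats:
    name: str
    bandwidth: int           # bits per second, from the BW column
    packets: int
    bytes: int
    drops: int               # DROP_P
    prio: Optional[int] = None   # only root queues print a PRIO column

def parse_pftop_queues(text: str) -> List[QueueStats]:
    """Return one QueueStats per row; a row starts at any token that is a queue name."""
    lines = text.splitlines()
    body = lines
    for i, line in enumerate(lines):       # skip the (possibly wrapped) header
        if "B/S" in line:
            body = lines[i + 1:]
            break
    rows: List[List[str]] = []
    for tok in " ".join(body).split():
        if _num(tok) is None and tok not in SCHEDULERS:
            rows.append([tok])             # queue name: new row
        elif rows:
            rows[-1].append(tok)           # numeric/scheduler token: continues current row
    out = []
    for r in rows:
        if len(r) < 12:                    # truncated row, skip it
            continue
        tail = [_num(t) for t in r[-9:]]   # PKTS BYTES DROP_P DROP_B QLEN BORROW SUSPEN P/S B/S
        prio = _num(r[3]) if len(r) == 13 else None
        out.append(QueueStats(r[0], _num(r[1]), tail[0], tail[1], tail[2], prio))
    return out

def idle_queues(stats: List[QueueStats]) -> List[str]:
    """Names of non-root queues that never carried a packet (adam_out in the sample)."""
    return [q.name for q in stats if not q.name.startswith("root_") and q.packets == 0]
```

A zero packet count means no state ever carried that queue name; in PF the queue name is taken from the rule that created the state, so the rule a connection first matches is where to look.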
