Calomel, thank you very much for your useful reply, I apologise for not replying sooner but the nature of my job is such that when the support phone rings, other things get put on the back burner, and it seems like someone has put stupid in the water recently.
I have tried to run your sample rules through the parser (with the addition of a definition of ext_if) and it didn't like it much:

[EMAIL PROTECTED]:~$ pfctl -nf ./pf.conf
pfctl: the sum of the child bandwidth higher than parent "root_vlan13"
pfctl: linkshare sc exceeds parent's sc
./pf.conf:6: errors in queue definition
pfctl: the sum of the child bandwidth higher than parent "root_vlan13"
pfctl: linkshare sc exceeds parent's sc
./pf.conf:10: errors in queue definition
parent sdsl_up not found for sdsl_client1_up
./pf.conf:11: errors in queue definition
parent sdsl_up not found for sdsl_client2_up
./pf.conf:12: errors in queue definition

I have a few questions, which I will attempt to work through below:

Calomel wrote:
> Richard,
>
> Just a quick correction on the "bandwidth 80%" lines. Change all bandwidth
> values to percentages or hard values to make it easier to work with.

If I use percentages, is that x% of the parent queue, or of the entire altq?

> The
> bandwidth directives can not exceed 100% of the "altq on $ext_if bandwidth
> 9700kb".
>

This doesn't seem to fit with what you did below...

> --
> Calomel @ http://calomel.org
> Open Source Research and Reference
>
>
> On Fri, Feb 29, 2008 at 12:24:41PM -0500, Calomel wrote:
>
>> Richard,
>>
>> HFSC should work for this task. I will give it a go.
>>
>> Since we are really concerned about the external interface let's just set up
>> that queue. The internal interface is probably 100MB or faster, so it is
>> fast enough to not worry about right now.
>>

This is true, although I will have to limit the internal interface as well, to be able to control downloads, as I believe one cannot queue inbound traffic, so instead I must throttle outbound of the internal interface.

>> First, do you have a 10MB link from the outside interface to your ISP? If
>> not, we need to set it to the proper number. If you tell HFSC to use more
>> bandwidth than you really have then you are negating HFSC in practice.
>>

Yes, I have 10Mb in both directions to the ISP.

>> When we have the proper upload bandwidth to your ISP then we need to choose
>> an acceptable bandwidth just under it. 97% of the total is a rough idea of
>> what you are looking for. We want to make sure that our firewall is
>> queuing the packets and _not_ the upstream router. If we are sending
>> data faster than an upstream router can handle then they are queuing, not
>> HFSC. We want to avoid upstream queuing at all costs.
>>
>> These are the rules I came up with. Brief explanations follow:
>>
>> #Total Upload = 10000Kb/s (queue at 97%)
>> altq on $ext_if bandwidth 9700kb hfsc queue { ack, us, adsl_up, sdsl_up,
>> default_up }
>> queue ack bandwidth 80% priority 7 hfsc (realtime 5%)
>> queue us bandwidth 80% priority 6 hfsc (realtime 5%)
>>

You said earlier that the bandwidth numbers must not be more than 100% of the altq, but here we already have 160% after only two rules... I'm confused...

>> queue adsl_up bandwidth 256Kb priority 5 hfsc (realtime 128Kb upperlimit
>> 256Kb) { adsl_client1_up, adsl_client2_up }
>> queue adsl_client1_up bandwidth 12Kb priority 2 hfsc(realtime 12Kb )
>> queue adsl_client2_up bandwidth 12Kb priority 1 hfsc(realtime 12Kb )
>>

How does the system know from these lines that the clients are allowed to take more than 12Kb, if it is available? I would expect some sort of a linkshare or borrow here; looking at it as it is, I would think there was a hard max of 12Kb per client. Is the inference that without a linkshare parameter or an upperlimit, the children of adsl_up will automatically make use of the bandwidth up to the upperlimit 256Kb of adsl_up?

>> queue sdsl_up bandwidth 2048Kb priority 4 hfsc(realtime 512Kb upperlimit
>> 2048Kb) { sdsl_client1_up, sdsl_client2_up }
>> queue sdsl_client1_up bandwidth 100Kb priority 2 hfsc(realtime 12Kb )
>> queue sdsl_client2_up bandwidth 100Kb priority 1 hfsc(realtime 12Kb )
>>

Same question as above, where is the instruction to share the spare bandwidth in sdsl_up? Also, is there a particular reason why client1 and client2 have different priorities? I'd like all clients in a pool to be equal, and there aren't enough priorities for one each in a pool of 20 :-)

>> queue default_up bandwidth 1% priority 3 hfsc (realtime 5% default)
>>

Sorry to just reply with more questions, but I really want to understand how it's actually working rather than just copy and paste stuff and plug in numbers...

Si1entDave
