I have an 12mbit down/1mbit up ADSL connection, an OpenBSD router-
firewall, and several Net-hungry roommates connecting through it.
So...I want to give each roomie a guaranteed bandwidth allotment, but
not let them hog the ADSL pipe in either direction, upstream or
downstream. I'm trying to wrap my head around how it's possible - if
at all! - to set up altq directives both ways, with different sets
queues and bandwidth limits, AND do NATting at the same time.

Note that I know PF reasonably well and have altq queuing / rate
limiting working perfectly already in ONE direction (right now, the
high-bandwidth download side) - I just can't figure out how to get it
working in both directions, up and down, simultaneously.  I've beat my
head against TFM and nothing seems applicable - though this can't be
an uncommon need...?

The big, crucial thing I can't understand is that if I'm doing
NATtting and keeping TCP state as you normally would, the return TCP
packets are going to completely bypass all the pf filter rules
(because they're part of an established TCP connection, per basic pf
functionality). So if that's the case how can I ever assign those
packets to a queue, since as far as pf is concerned it never see them?
And in fact, if I queued tagged them on the inbound side already,
they're already part of a queue - but the wrong one (incoming vs.

So I'd really like to see a working rule set someone has with two
completely different sets of queues, the queue sets having different
total rates, and the filter rules that assign packets traversing the
router via a NATted connection the right queues in the right
direction, so that rate limiting happens both ways. Many thanks if you
have performed that neat trick and can share it.


Reply via email to