I have a 12Mbit down/1Mbit up ADSL connection, an OpenBSD router/firewall, and several Net-hungry roommates connecting through it. So... I want to give each roomie a guaranteed bandwidth allotment, but not let them hog the ADSL pipe in either direction, upstream or downstream. I'm trying to wrap my head around how it's possible - if at all! - to set up altq directives both ways, with different sets of queues and bandwidth limits, AND do NATting at the same time.
Note that I know PF reasonably well and have altq queuing / rate limiting working perfectly already in ONE direction (right now, the high-bandwidth download side) - I just can't figure out how to get it working in both directions, up and down, simultaneously. I've beat my head against TFM and nothing seems applicable - though this can't be an uncommon need...?

The big, crucial thing I can't understand is that if I'm doing NATting and keeping TCP state as you normally would, the return TCP packets are going to completely bypass all the pf filter rules (because they're part of an established TCP connection, per basic pf functionality). So if that's the case, how can I ever assign those packets to a queue, since as far as pf is concerned it never sees them? And in fact, if I queue-tagged them on the inbound side already, they're already part of a queue - but the wrong one (incoming vs. outgoing).

So I'd really like to see a working rule set someone has with two completely different sets of queues, the queue sets having different total rates, and the filter rules that assign packets traversing the router via a NATted connection to the right queues in the right direction, so that rate limiting happens both ways. Many thanks if you have performed that neat trick and can share it.

/bp/
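An added example ruleset (not the poster's configuration, and not from the PF project's documentation) showing one way to do what the post asks for. It assumes OpenBSD with the pre-5.5 altq grammar and the pre-4.7 `nat on` translation syntax; the interface names, addresses, rates and tag names are constructed placeholders. The working assumption behind it is how pf tracks a forwarded connection: a packet crossing the router gets one state per interface it crosses (the `pass in on $int_if` rule creates one, the `pass out on $ext_if` rule creates another, which is why `pfctl -ss` shows two entries per NATted connection). Each state carries the queue of the rule that created it, and pf enqueues on the interface the packet is leaving, so the LAN-side rule governs the download queue and the WAN-side rule governs the upload queue. Because the WAN-side rule sees the already-translated source address, the roommate is identified there by a tag set on the LAN side rather than by address.

```pf
# Added example ruleset (not the poster's, not the PF project's own).
# Assumes OpenBSD with pre-5.5 altq syntax and pre-4.7 "nat on" syntax.
# Interface names, addresses, rates and tags below are constructed placeholders.
ext_if = "pppoe0"
int_if = "em0"
lan    = "192.168.1.0/24"
roomA  = "192.168.1.10"
roomB  = "192.168.1.11"

# Root bandwidth is set a little below the ADSL line rate on both sides so
# that this box, not the modem or DSLAM, is the bottleneck; a queue that
# never fills never shapes anything.

# Upstream queues: attached to the interface the uploads leave on.
# realtime = guaranteed share, upperlimit = hard cap even when the link is idle.
altq on $ext_if hfsc bandwidth 900Kb queue { up_roomA, up_roomB, up_house }
  queue up_roomA bandwidth 35% hfsc(realtime 25% upperlimit 60%)
  queue up_roomB bandwidth 35% hfsc(realtime 25% upperlimit 60%)
  queue up_house bandwidth 30% hfsc(default)

# Downstream queues: attached to the LAN interface, because that is the
# interface the downloaded packets leave on. Different names, different root rate.
altq on $int_if hfsc bandwidth 11Mb queue { dn_roomA, dn_roomB, dn_house }
  queue dn_roomA bandwidth 35% hfsc(realtime 25% upperlimit 60%)
  queue dn_roomB bandwidth 35% hfsc(realtime 25% upperlimit 60%)
  queue dn_house bandwidth 30% hfsc(default)

# Translation is unaffected by any of the queueing above.
nat on $ext_if from $lan to any -> ($ext_if)

block all
pass quick on lo0

# LAN side: the roommate's real source address is still visible here (NAT has
# not happened yet). Tag the connection and pick the DOWNSTREAM queue: the
# state created by this rule is the one the reply packets match when they
# leave $int_if, so this queue name is what governs the download rate.
# Last matching rule wins, so the catch-all comes first and the per-room
# rules override it.
pass in on $int_if from $lan   tag HOUSE keep state queue dn_house
pass in on $int_if from $roomA tag ROOMA keep state queue dn_roomA
pass in on $int_if from $roomB tag ROOMB keep state queue dn_roomB

# WAN side: the source address is now the translated one, so match on the
# tag instead. This rule creates the second state, the one the upload
# packets match on their way out $ext_if, hence the UPSTREAM queue goes here.
pass out on $ext_if tagged HOUSE keep state queue up_house
pass out on $ext_if tagged ROOMA keep state queue up_roomA
pass out on $ext_if tagged ROOMB keep state queue up_roomB
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -vv -s queue`: while a roommate uploads, the `up_room*` counters on `$ext_if` should move, and while they download the `dn_room*` counters on `$int_if` should. Two caveats: pf.conf ordering matters (options, queueing, translation, then filter rules, as above), and shaping downloads on the LAN side only throttles bytes that have already crossed the ADSL link, so it works by making TCP senders back off; it limits bulk TCP transfers well but cannot stop an inbound UDP flood from filling the downstream pipe.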