3rd December 2008
ivanatora
Real Name: Ivan
Fdisk Soldier
 
Join Date: Jul 2008
Location: Bulgaria
Posts: 51

Quote:
Originally Posted by s2scott View Post
...drop the "pass" and watch what happens.
/S
Oh, I didn't see that. I will try that later and repost here.
**********************************************************************
So, you are proposing this alternative way of doing the NAT (I've applied some queues for testing):
Code:
### Translation
nat on $ext_if tagged DO_NAT -> $ext_ip

### Filtering
pass in quick on $int_if from <network> to <data> tag DO_NAT keep state queue data label "do_nat_data"
pass in quick on $int_if from <network> to any tag DO_NAT keep state label "do_nat"
pass out quick on $ext_if tagged DO_NAT keep state label "revert_nat?"
This works - I'm seeing packets in these labels:
Code:
# pfctl -s label
do_nat_data 450 382 344201 148 6602 234 337599
do_nat 112 226 38383 131 9522 95 28861
revert_nat? 412 608 382584 329 366460 279 16124
I'm still wondering why queueing works for downloads (direction: <data> -> $ext_if -> $int_if -> <network>) while the rule is read in the opposite direction (from <network> to <data>). Can you shed some light on that? What rule should I use if I want to limit upload speed?

Last edited by ivanatora; 3rd December 2008 at 12:15 PM.
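The behaviour asked about above follows from how pf queues: a queue named in a rule is attached to the state, but it only takes effect on packets leaving the interface on which that altq queue is defined. The added pf.conf below (an editor's example, not code from the post or from s2scott) shows a download queue on $int_if next to an upload queue on $ext_if; the interface names, addresses, table contents and bandwidth figures are assumed placeholders, and the syntax is the OpenBSD 4.x-era altq/nat syntax the post itself uses.

```pf
# Assumed placeholder values; replace with the real ones.
ext_if = "em0"
int_if = "em1"
ext_ip = "192.0.2.1"                 # placeholder external address
table <network> { 192.168.1.0/24 }   # placeholder LAN
table <data>    { 198.51.100.0/24 }  # placeholder remote data network

### Queues
# Downloads leave the firewall on $int_if toward <network>, so the
# download queue must be defined on $int_if.
altq on $int_if cbq bandwidth 10Mb queue { dl_default, dl_data }
queue dl_default bandwidth 80% cbq(default)
queue dl_data    bandwidth 20%

# Uploads leave the firewall on $ext_if toward the Internet, so the
# upload queue must be defined on $ext_if.
altq on $ext_if cbq bandwidth 1Mb queue { ul_default, ul_data }
queue ul_default bandwidth 80% cbq(default)
queue ul_data    bandwidth 20%

### Translation
nat on $ext_if tagged DO_NAT -> $ext_ip

### Filtering
# The state created by this "pass in" rule carries the queue; the reply
# packets of that state go out on $int_if and are therefore shaped by
# dl_data. That is why a rule written <network> -> <data> limits downloads.
pass in quick on $int_if from <network> to <data> tag DO_NAT keep state queue dl_data label "do_nat_data"
pass in quick on $int_if from <network> to any tag DO_NAT keep state label "do_nat"

# Upload shaping: the outbound rule on $ext_if creates the post-NAT state,
# so assigning a queue defined on $ext_if here limits upload speed.
pass out quick on $ext_if to <data> tagged DO_NAT keep state queue ul_data label "upload_data"
pass out quick on $ext_if tagged DO_NAT keep state label "revert_nat"
```

Check the assignment with `pfctl -s queue -v` on a live box; the queue counters increase only on the interface where the altq queue is defined.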