26th May 2012, apsaras

Altq on multi wan and multi zone environment

Hi

I am using an OpenBSD 5.1 box with multiple interfaces and Altq and I would like to have your thoughts about my design and configuration.

Here is my setup

My firewall has 4 Intel Gb interfaces. One interface is used for 2 Internet feeds (vlans) with Multi-Home BGP, 1 for Extranet (Web Servers, Mail Servers and DNS), 1 for DMZ (untrusted customer servers) and 1 for VoIP Services (SIP Proxy, RTP Proxy, Softswitch).

What I would like to do is to give full priority to VoIP Service no matter what and have the other services run on best effort. So I have created one Altq for each interface.

The two public internet interfaces 4Mb each have the following altq config

Code:
altq on $bgp1_if hfsc bandwidth 3.9Mb queue { synq_voip_main, synq_other_main }
queue synq_voip_main bandwidth 30% hfsc {synq_voip}
queue synq_voip bandwidth 100% priority 6 qlimit 500 hfsc (realtime 110Kb)
queue synq_other_main bandwidth 70% hfsc {synq_acks, synq_interactive, synq_web, synq_mail, synq_ftp, synq_default}
queue synq_acks bandwidth 10% priority 7 qlimit 500 hfsc (realtime 5%)
queue synq_interactive bandwidth 10% priority 5 qlimit 500 hfsc (realtime 5% upperlimit 2Mb)
queue synq_web bandwidth 30% priority 4 qlimit 500 hfsc (realtime  (50%, 10000, 10%) ecn upperlimit 3Mb)
queue synq_mail bandwidth 20% priority 3 qlimit 500 hfsc (ecn upperlimit 3Mb)
queue synq_ftp bandwidth 5% priority 2 qlimit 500 hfsc (ecn upperlimit 1Mb)
queue synq_default bandwidth 25% priority 1 qlimit 500 hfsc (default ecn upperlimit 3Mb)
and each internal zone has the following

Code:
altq on $voice_if hfsc bandwidth 900Mb queue {voiceq_out, voiceq_default}
queue voiceq_out bandwidth 3.9Mb hfsc {voiceq_acks, voiceq_voip, voiceq_interactive,  voiceq_web, voiceq_mail, voiceq_ftp}
queue voiceq_acks bandwidth 20% priority 7 qlimit 500 hfsc (realtime 5%)
queue voiceq_voip bandwidth 50% priority 6 qlimit 500 hfsc (realtime 110Kb)
queue voiceq_interactive bandwidth 10% priority 5 qlimit 500 hfsc (realtime 5% upperlimit 2Mb)
queue voiceq_web bandwidth 10% priority 4 qlimit 500 hfsc (realtime  (20%, 10000, 10%) ecn upperlimit 3Mb)
queue voiceq_mail bandwidth 5% priority 3 qlimit 500 hfsc (ecn upperlimit 3Mb)
queue voiceq_ftp bandwidth 5% priority 2 qlimit 500 hfsc (ecn upperlimit 1Mb)
queue voiceq_default bandwidth 896Mb priority 1 qlimit 500 hfsc (default)
Problem is that I cannot have correct inbound traffic control, because each internal interface should be able to use the full bandwidth, but adding up DMZ, Extranet and VoIP, the assigned bandwidth is more than I want to assign.

Example. Server 1 at Extranet starts downloading a file from the web and gets 4Mb speed, Server 2 at DMZ does the same so Server 2 will try to get 4Mb also, and finally Server 3 at VoIP starts a callout.

Moreover, having 2x4Mb bandwidth with BGP, I do not know from which interface the traffic will come in. Hence, limiting the inbound queues to 4Mb instead of 8Mb, I am using just half of my feed.

Any best practice on that or a reference to read?

Thank you in advance
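The over-subscription the post describes can be measured before the rules are loaded. The following checker is an added example (not code from the original post or from OpenBSD): it parses the altq/queue lines in the post into a tree, resolves every queue's bandwidth to bits per second, and reports any parent whose children claim more than it has, plus the amount by which the zone-facing inbound queues together exceed the WAN capacity. The DMZ and Extranet queue sets are constructed by renaming the VoIP set, since the post says each internal zone uses the same layout; the interface names `$dmz_if` and `$ext_if` and the queue prefixes `dmzq`/`extq` are assumptions, and only the subset of pf.conf queue syntax seen in the post is handled.

```python
"""pf altq/hfsc queue budget checker (added example, not the post's own code)."""
import re

# pfctl scales bandwidth units by 1000 (assumption: decimal, not 1024).
UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}

ALTQ_RE = re.compile(r"altq on (\S+) \w+ bandwidth (\S+) queue \{([^}]*)\}")
QUEUE_RE = re.compile(
    r"queue (\S+) bandwidth (\S+)(?: priority \d+)?(?: qlimit \d+)? \w+(?: \{([^}]*)\})?")


def parse_bw(token):
    """Return ('pct', share) for '30%' or ('abs', bits_per_second) for '3.9Mb'."""
    if token.endswith("%"):
        return ("pct", float(token[:-1]))
    m = re.fullmatch(r"([0-9.]+)([KMG]?b)", token)
    if not m:
        raise ValueError(f"unrecognised bandwidth token {token!r}")
    return ("abs", float(m.group(1)) * UNITS[m.group(2)])


def _names(group):
    return [n.strip() for n in group.split(",")] if group else []


def _resolve(nodes, name, parent_bps):
    """Turn percentage shares into absolute bits/s, top down from the root."""
    node = nodes[name]
    kind, val = node["bw"]
    node["bps"] = val if kind == "abs" else parent_bps * val / 100.0
    for child in node["children"]:
        _resolve(nodes, child, node["bps"])


def parse_config(text):
    """Build {name: {'bw', 'children', 'bps'}}; altq roots are keyed by interface."""
    nodes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALTQ_RE.match(line) or QUEUE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse line {line!r}")
        name, bw, kids = m.groups()
        nodes[name] = {"bw": parse_bw(bw), "children": _names(kids), "bps": None}
    for root in [n for n in nodes if n.startswith("$")]:   # interface roots
        _resolve(nodes, root, None)
    return nodes


def overcommitted_parents(nodes):
    """(parent, claimed_bps, parent_bps) for parents whose children claim too much."""
    bad = []
    for name, node in nodes.items():
        if node["children"]:
            claimed = sum(nodes[c]["bps"] for c in node["children"])
            if claimed > node["bps"] * (1 + 1e-9):
                bad.append((name, claimed, node["bps"]))
    return bad


def inbound_overcommit(nodes, zone_queues, wan_bps):
    """Bits/s by which the zone-facing inbound queues together exceed WAN capacity."""
    committed = sum(nodes[q]["bps"] for q in zone_queues)
    return max(0.0, committed - wan_bps)


# Queue definitions quoted from the post (one WAN feed, the VoIP zone).
WAN_QUEUES = """
altq on $bgp1_if hfsc bandwidth 3.9Mb queue { synq_voip_main, synq_other_main }
queue synq_voip_main bandwidth 30% hfsc {synq_voip}
queue synq_voip bandwidth 100% priority 6 qlimit 500 hfsc (realtime 110Kb)
queue synq_other_main bandwidth 70% hfsc {synq_acks, synq_interactive, synq_web, synq_mail, synq_ftp, synq_default}
queue synq_acks bandwidth 10% priority 7 qlimit 500 hfsc (realtime 5%)
queue synq_interactive bandwidth 10% priority 5 qlimit 500 hfsc (realtime 5% upperlimit 2Mb)
queue synq_web bandwidth 30% priority 4 qlimit 500 hfsc (realtime (50%, 10000, 10%) ecn upperlimit 3Mb)
queue synq_mail bandwidth 20% priority 3 qlimit 500 hfsc (ecn upperlimit 3Mb)
queue synq_ftp bandwidth 5% priority 2 qlimit 500 hfsc (ecn upperlimit 1Mb)
queue synq_default bandwidth 25% priority 1 qlimit 500 hfsc (default ecn upperlimit 3Mb)
"""
VOICE_QUEUES = """
altq on $voice_if hfsc bandwidth 900Mb queue {voiceq_out, voiceq_default}
queue voiceq_out bandwidth 3.9Mb hfsc {voiceq_acks, voiceq_voip, voiceq_interactive, voiceq_web, voiceq_mail, voiceq_ftp}
queue voiceq_acks bandwidth 20% priority 7 qlimit 500 hfsc (realtime 5%)
queue voiceq_voip bandwidth 50% priority 6 qlimit 500 hfsc (realtime 110Kb)
queue voiceq_interactive bandwidth 10% priority 5 qlimit 500 hfsc (realtime 5% upperlimit 2Mb)
queue voiceq_web bandwidth 10% priority 4 qlimit 500 hfsc (realtime (20%, 10000, 10%) ecn upperlimit 3Mb)
queue voiceq_mail bandwidth 5% priority 3 qlimit 500 hfsc (ecn upperlimit 3Mb)
queue voiceq_ftp bandwidth 5% priority 2 qlimit 500 hfsc (ecn upperlimit 1Mb)
queue voiceq_default bandwidth 896Mb priority 1 qlimit 500 hfsc (default)
"""
# Constructed: the post says the other zones use the same layout (names assumed).
DMZ_QUEUES = VOICE_QUEUES.replace("$voice_if", "$dmz_if").replace("voiceq", "dmzq")
EXT_QUEUES = VOICE_QUEUES.replace("$voice_if", "$ext_if").replace("voiceq", "extq")


def check_setup(wan_links=2):
    """Run both checks over the whole setup; WAN capacity is the shaped 3.9Mb per link."""
    nodes = parse_config(WAN_QUEUES + VOICE_QUEUES + DMZ_QUEUES + EXT_QUEUES)
    wan_bps = wan_links * nodes["$bgp1_if"]["bps"]
    return {
        "overcommitted": overcommitted_parents(nodes),
        "inbound_excess_bps": inbound_overcommit(
            nodes, ["voiceq_out", "dmzq_out", "extq_out"], wan_bps),
    }


if __name__ == "__main__":
    print(check_setup())
```

Run as written, the per-parent check passes (every child set sums to exactly its parent), while the inbound check reports 3.9Mb of excess: three zones each allowed 3.9Mb inbound against 7.8Mb of shaped WAN capacity. That number is the gap the post is asking about, and it is what any shared-parent or per-link inbound design would have to close.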