13th April 2011
J65nko

You are already nicely queuing outbound traffic only, so I wonder why the two previous posters feel the need to remind you of something you are already doing.

An overview:
  • External interface
    • Outgoing traffic
      Possible to be rate limited/queued on this interface
      This is "upload" for the local network clients.
    • Incoming traffic
      Not possible to be rate limited/queued on this interface
      This is "download" for the local network clients
  • Internal interface
    • Outgoing traffic
      Possible to be rate limited/queued
      This is "download" for the local network clients
    • Incoming traffic
      Not possible to be rate limited/queued on this interface
      This is "upload" for the local network clients

Check the output of pfctl -vvs rules to see whether the rules have any effect. Keep in mind that pf uses a "last rule match" strategy. By using the "quick" keyword you can prevent this strategy.

Does the output of "pfctl -vvs queue" give any clue? Or the output of "systat queues"?

In a discussion on the OpenBSD tech mailing list Stuart Henderson gave some nice links about HFSC queueing:

Quote:
If you want to play around with HFSC (and I'd recommend this before
considering changing code), here's some suggested reading...

http://forum.pfsense.org/index.php/t....html#msg48336
http://www.probsd.net/pf/index.php/H...HFSC_explained
http://forum.pfsense.org/index.php?topic=33950.0
http://forum.pfsense.org/index.php/topic,3050.0.html
"Building firewalls with OpenBSD and PF" (slightly outdated as it
pre-dates PF nat changes - in particular I think the "queuing incoming
packets" section talking about needing two boxes no longer applies -
but on the whole the altq section in here is rather good).
The http://www.probsd.net/pf/index.php/H...HFSC_explained link is excellent.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
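A simplified model of the "last rule match" strategy and the "quick" keyword mentioned in the post, added here as an example and not part of the original post. It shows how a queue named on an earlier rule is lost when a later, broader rule also matches. The Rule fields, the interface name ext_if and the queue names q_ssh and q_def are constructed, and state tracking is ignored.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: str
    port: Optional[int] = None    # None matches any destination port
    queue: Optional[str] = None   # queue named on the rule, if any
    quick: bool = False

    def matches(self, direction, iface, port):
        return (self.direction == direction and self.iface == iface
                and self.port in (None, port))

def evaluate(rules, direction, iface, port, default_queue="q_def"):
    """Return (action, queue, rule_index) for one packet."""
    winner, index = None, None
    for i, rule in enumerate(rules):
        if rule.matches(direction, iface, port):
            winner, index = rule, i      # a later match replaces an earlier one
            if rule.quick:               # "quick" stops evaluation at this rule
                break
    action = winner.action if winner else "pass"   # no match: pf passes by default
    if action == "block" or direction != "out":
        return action, None, index       # model: queues only act on outgoing traffic
    queue = winner.queue if winner and winner.queue else default_queue
    return action, queue, index

# Constructed ruleset: the ssh rule names a queue, but a broader rule follows it.
SHADOWED = [
    Rule("block", "in", "ext_if"),
    Rule("pass", "out", "ext_if", port=22, queue="q_ssh"),
    Rule("pass", "out", "ext_if"),
]
# Same rules with "quick" on the ssh rule, so its queue assignment sticks.
FIXED = [SHADOWED[0], replace(SHADOWED[1], quick=True), SHADOWED[2]]

if __name__ == "__main__":
    for name, rules in (("shadowed", SHADOWED), ("fixed", FIXED)):
        print(name, evaluate(rules, "out", "ext_if", 22))
```

In the shadowed ruleset the winning rule index for port 22 is the last rule, which is the kind of mismatch the per-rule counters in the pfctl -vvs rules output help to spot.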