Traffic Shaping Using PF

[Amithapr]

Hi,

Currently in my OpenBSD firewall there are traffic shaping rules, but I doubt whether those are working since when the other users are downloading or streaming the PCs that apply the traffic shaping rules are getting slower

My pf.conf's rules are as follows

Code:

ext_if="rl0"
ext_ip="x.x.x.x"
int_if="em0" 
bmpc_wks="{192.168.94.22/32, 192.168.94.23/32, 192.168.94.24/32}"
http_comp="192.168.94.43"
#hrwebserver = "192.168.94.45"

# allow ping icmp_type
icmp_types="{ echoreq, unreach }"
#webports = "{ http, https }"

#General Options -AL
set loginterface $ext_if
set limit { states 40000, frags 5000 }
set optimization normal
set block-policy drop
match all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
#Rules in Traffic Parity Queue Shaping-AL
altq on rl0 cbq bandwidth 3Mb queue {std,bmpc}
queue std bandwidth 2Mb cbq(default ecn borrow)
queue bmpc bandwidth 1Mb cbq(ecn borrow)
pass out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc

Thanks

[jggimi]

Things I notice:

• You are only shaping traffic outbound from your router upstream to the Internet. You are not shaping outbound traffic downstream to your internal network.
• You defined two queues but only reference one in the rules you posted.

And, of course, I must remind you again...

• Altq was removed from OpenBSD in 2014. Your OS is unsupported.
• You must still be using your OpenBSD 4.1 - 4.2 - 5.3 - n.n system. This deployed system is unsupportable, even if any of the versions within were still supported by the Project.
• My prior advice to you to reinstall or completely replace this "Frankensystem" remains unchanged.

[Amithapr]

Hi jggimi,

Thanks for the information. I tried to get the desired result by adding " pass in on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc " before the pass out on rule, still it seems that traffic shaping is not happening.

I have no idea how to implement the other queue(std) that you have mentioned in your reply.

Thanks.

[jggimi]

Your example temporary added rule would never match any traffic. There is never inbound traffic from your workstations on your external network.

Queues are attached to a state when the state is established. So if a state is established on outbound traffic by the pass rule in your top post, the queue would remain assigned for the inbound traffic. I did not see any rules for any other traffic, and that is why I made note of it.

----

Q: When is a queue deployed?

A: When there is outgoing traffic that is delayed waiting for a network connection to become free.

Q: Why only outgoing traffic?

A: Because if a packet has arrived... it is already here. There is nothing to queue. If we are flooded and cannot manage to process the packet, we can drop it, but there is no queue to put it on because is not waiting for an outgoing connection.

Q: Why are my queues not queuing?

A: Your performance delays are likely due to bottlenecks on incoming packets from the Internet. You don't have local queues on Internet inbound traffic because the incoming traffic is much slower than your local network. The ISP's router is queuing the traffic, but your router does not need to.

Q: How can I monitor queues?

A: systat(8) and the pftop package.

[Amithapr]

Hi All,

I ran the command systat queues and got to know the std queue is getting priority so I changed the default queue to bmpc. now the traffic shaping rule works. But i'm not sure I did the correct thing. Chnges done are in bold colour.

Code:

ext_if="rl0"
ext_ip="x.x.x.x"
int_if="em0" 
bmpc_wks="{192.168.94.22/32, 192.168.94.23/32, 192.168.94.24/32}"
http_comp="192.168.94.43"
#hrwebserver = "192.168.94.45"

# allow ping icmp_type
icmp_types="{ echoreq, unreach }"
#webports = "{ http, https }"

#General Options -AL
set loginterface $ext_if
set limit { states 40000, frags 5000 }
set optimization normal
set block-policy drop
match all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
#Rules in Traffic Parity Queue Shaping-AL
altq on rl0 cbq bandwidth 3Mb queue {std,bmpc}
queue std bandwidth 50% priority 0 cbq(ecn borrow)
queue bmpc bandwidth 50 % priority 7 cbq(default ecn borrow)
pass out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc

Thanks for your help.....!!!

[Amithapr]

Dear All,

It seems that only the bmpc queue is working the std queue is idle, I feel something wrong in my configuration though the bmpc queue is working

systat queues output is attahced

[jggimi]

You have set your bmpc queue as your default.

[Amithapr]

Hi Jggimi,

I changed the default queue. but the systat command only shows one queue's statistics. The screenshot attached.

[jggimi]

Please post your revised /etc/pf.conf file.

[Amithapr]

Hi Jggimi,

Sorry for the late reply. Please find the latest pf.conf file herewith.

Thanks

[jggimi]

I don't see anything obviously wrong with your PF configuration.

Noted:

• You are using "/32" in your $bmpc_wks macro but that should be immaterial.
• You have only a single rule which assigns a queue to passed traffic. You can confirm whether that rule matches or not by adding the log option to the rule and monitoring traffic with tcpdump(8) and your pflog(4) device. Assuming, of course, that your "Frankensystem" changes have not eliminated that capability.

You don't want me to tell you to upgrade or replace this system, again. Or, to hire support to help you. I think I've tried to tell you to do so about twenty times. So I will only repeat that your system is not supported by the OpenBSD Project, and cannot be supported by me through this forum. You are truly on your own.

The altq subsystem was removed and replaced for very good reasons. Years ago. See http://quigon.bsws.de/papers/2012/bsdcan/

[jggimi]

Actually, looking again, I note that there are many pass rules after the rule that assigns the queue. If any of them match, the queue will be reassigned to the default.