PF queue assignment not working

[BetaJim]

Hi,

I'm using OpenBSD 5.7 as a firewall and router between my home network and a satellite ISP. I have a limited monthly data allotment and want to limit the bandwidth to some hosts. For some reason, the outgoing traffic on the internal interface is always assigned to the default queue.

I've tried combinations of match and pass rules to have traffic sent out $inf_if to 192.168.2.38 be assigned to the int_slow queue, but the pfctl -vvsq command shows that no packets are ever handled by that queue. The only thing not reflected in the pf.conf rules below are that vr0 and em0 are bridged together to do MAC filtering.

I figure I'm missing something simple and hope a second set of eyes may help.

Thank you.

HTML Code:

int_if="vr0"
ext_if="em0"
localnet  = $int_if:network

# tables
include "/etc/pf/pf.tables.conf"

# options
set optimization high-latency
set block-policy return
set loginterface $int_if
set skip on lo

# interface queuing
queue int on $int_if bandwidth 100000K
      queue int_main parent int bandwidth 99840K max 100M default
      queue int_slow parent int bandwidth 160K max 160K

match on $int_if to 192.168.2.38 set queue int_slow set prio (6,7)

# NAT, matching IPv4 only
match out on egress inet from $localnet nat-to (egress) set prio (6, 7)

block all

pass out quick keep state
antispoof quick for { lo $int_if }

# FTP Proxy rules
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out inet proto tcp from $int_if to any port ftp

# Rule for the Squid proxy
pass in quick log inet proto tcp to !<cache_bypass> port 80 divert-to 127.0.0.1 port 3128

pass in on $int_if tagged MATT   label MATT_TRAF  keep state (pflow)
pass in on $int_if tagged TINA   label TINA_TRAF  keep state (pflow)
pass in on $int_if tagged JOHN   label JOHN_TRAF  keep state (pflow)

[jggimi]

Hello, and welcome!

You're using prio with bandwidth queuing. The prio setting is ignored for queued traffic. You must also set a maximum for your root queue, which is the parent.

Is any traffic assigned to the int_main queue?

[BetaJim]

Hi, thank you, I made these changes to the queue section:

HTML Code:

queue int on $int_if bandwidth 100M max 100M
      queue int_main parent int bandwidth 99840K max 100M default
      queue int_slow parent int bandwidth 160K max 160K

match on $int_if to 192.168.2.38 set queue int_slow

All traffic ends up in the default queue. I had been testing by generating https traffic (to avoid the squid proxy) and nothing was showing up in the int_slow queue.

So I tried a different test, and sftp'ed a file to the firewall from the .2.38 host. This time pfctl -vvsq showed traffic in the int_slow queue at 155kbps. The download speed to the firewall varied between 500-700 kbps. This much works like I'd expect it to.

Doing the reverse, sftp'ing a file to 2.38 from the firewall results in 10MBps transfer with all packets in the default queue and none in int_slow.

It seems that traffic which originates from 2.38 all lands in the default queue, but when the traffic originates from the firewall then the outgoing int_slow queue is used. I'm not sure why there would be this difference, but maybe these clues will help.

Many thanks!

[jggimi]

You're match rule is "to" so it won't match any inbound traffic. You can add a second match rule for the "from" traffic ... but note that you'll only be able to apply it as a queue when the traffic leaves the firewall, since incoming traffic cannot be queued. (Once it has arrived, it's already there.)

[BetaJim]

It's only the outbound traffic that I want queued (it's data from the internet that I care about slowing down). Last night I was thinking about what you said and the behavior of the queues in my tests, and I thought of trying a rule modification.

I added the queue assignment to the "pass in" rule and removed the match rule:

HTML Code:

pass in on $int_if tagged JOHN label JOHN_TRAF keep state (pflow) set queue int_slow

Surprisingly this accomplishes what I want. Traffic from the firewall or internet to the host is now assigned to the int_slow queue and I see the transfer rates that I expect.

It seems that traffic is only assigned to a queue when state for a connection is first created. Does that seem like a correct explanation? I have a copy of Peter Hansteen's PF book (which is pretty good btw), but I've found no details about this situation. To me it seems odd to have an outbound queue assignment be part of a "pass in" rule.

Thank you for your help jggimi!

[jggimi]

The queue assignment can occur with any rule, but the application of the queue will only occur with outbound traffic.

I'm glad you got it working!