DaemonForums: OpenBSD Security

#1
10th November 2009
MarcRiv
New User
Join Date: Oct 2009
Posts: 6

I need help setting up queues.
I have a T1 and I am breaking it down into 4 parts: Ack, VoIP, mail, and bulk (everything else). The main problem we face is people downloading streaming videos or even downloading large files. I know that portion of altq doesn't work as well because you can't stop the other person from sending data. It should help by allowing the router to at least see that mail or VoIP is coming through and allow it priority, right?

External interface

Code:
altq on $extif bandwidth 1.5Mb hfsc queue {e_ack, e_voip, e_network}
  queue e_ack bandwidth 1% priority 7 qlimit 50 hfsc (realtime (450Kb, 10000, 225Kb))
  queue e_voip bandwidth 1%  priority 6 qlimit 50 hfsc (realtime (300Kb, 20000, 190Kb))
  queue e_network bandwidth 1% priority 5 qlimit 50 hfsc (realtime 450Kb linkshare (1200Kb, 20000, 500Kb)) {e_mail, e_bulk}
   queue e_mail bandwidth 40% priority 7 qlimit 50 hfsc (linkshare (40%, 15000, 25%))
   queue e_bulk bandwidth 40% priority 6 qlimit 50 hfsc (linkshare 40% default)
Internal Interface

Code:
altq on $intif bandwidth 1Gb hfsc queue {ext, int}
 queue ext bandwidth 1.5Mb hfsc {i_ack, i_voip, network }
  queue i_ack bandwidth 1% priority 7 qlimit 50 hfsc (realtime (400Kb, 10000, 225Kb))
  queue i_voip bandwidth 1%  priority 6 qlimit 50 hfsc (realtime (300Kb, 20000, 190Kb))
  queue network bandwidth 1% priority 5 qlimit 50 hfsc (realtime 450Kb linkshare (1200Kb, 20000, 500Kb)) {i_mail, i_bulk}
   queue i_mail bandwidth 40% priority 7 qlimit 50 hfsc (linkshare (180Kb, 15000, 112Kb))
   queue i_bulk bandwidth 40% priority 6 qlimit 50 hfsc (linkshare (180Kb, 15000, 112Kb ) default)
 queue int bandwidth 997Mb hfsc
So once I have the queues set up, I start to assign traffic to the proper queue:
Code:
match out on $extif proto tcp from $mailserver port 25 to any queue (e_mail, e_ack)
match out on $intif proto tcp from any to $mailserver port 25 queue (i_mail, i_ack)
Of course they are allowed to pass through, since everything is working. The queues don't work correctly. Everything going out on the internal interface is riding on the correct queue, but when I look at the external queue everything is being applied to the bulk queue. When I use tcpdump -nettt -i pflog0 port 25 and host 192.168.5.20 it shows this to me.

Code:
rule 24/(match) pass in on em1: 192.168.5.20.39098 > 209.85.223.42.25: S 1692899968:1692899968(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
em1 is the internal interface; it shows this rule, then doesn't show the out rule on em0, which is the external interface. It also looks like NAT is being applied on the internal network?

Let me know if you need more information about the setup.
#2
10th November 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

You are trying to create -separate- queues for inbound and outbound traffic. Unfortunately, you only have a single state, so you should only create a single queue for any traffic type.

Refer to my example in your previous thread.

In addition, recall that each TCP or UDP state has two port numbers: the initiating port number and the destination port number. Using your example of SMTP, port #25 is only used as a -destination- port, so your first match rule will never trip.

Disclaimer: I have never looked at HFSC queuing, so cannot comment on priority values or other settings for it.

Last edited by jggimi; 10th November 2009 at 08:20 PM. Reason: added disclaimer
#3
10th November 2009
MarcRiv
New User
Join Date: Oct 2009
Posts: 6

The other post can probably be deleted and moved here or something, but looking at your previous post:

Code:
altq on $external_nic cbq bandwidth 2Mb queue {std-out, torrent-out}
queue std-out on $external_nic bandwidth 1Mb cbq (borrow, default)
queue torrent-out on $external_nic bandwidth 1Mb cbq (borrow,ecn)
altq on $internal_nic cbq bandwidth 100Mb queue {std-in, torrent-in}
queue std-in on $internal_nic bandwidth 94Mb cbq (borrow, default)
queue torrent-in on $internal_nic bandwidth 6Mb cbq (borrow, ecn)
Code:
match in proto {tcp udp} from any to any port $tor-low queue torrent-in
match out proto {tcp udp} from any port $tor-low to any queue torrent-out
match in proto {tcp udp} from any to any port $tor-high queue torrent-in
match out proto {tcp udp} from any port $tor-high to any queue torrent-out
pass in log quick on $external_nic proto {tcp udp} from any to any port $tor-low \
    rdr-to 192.168.1.42 port $tor-low
pass in log quick on $external_nic proto {tcp udp} from any to any port $tor-high \
    rdr-to 192.168.1.42 port $tor-high
So the first rule creates a state, and the match rules, according to this state, match the traffic leaving and entering to torrent-out/in on either the internal NIC or the external NIC, depending on which way it is going on that state, right?

Now let's say you have a mail server and there are no states yet. So some mail server begins to transmit information to you; it is forwarded to the server and the state is created. While we are still receiving data from this server, let's say a user sends this server a message. Does this create another state with that server, or does it use the existing one?
#4
11th November 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

A -state- is a communication between two IP addresses and, for TCP/UDP, the ports associated with both ends. If a different IP address is used, it is a different state. If a different port is used, it is a different state.

TCP is stateful: the state is established with a 3-way handshake and remains until termination.

UDP is stateless: the state is established by traffic, and maintained by PF according to a timeout setting.

Other IP protocols (see /etc/protocols) are either stateful or stateless, and are managed by PF in similar fashion.
Quote:
While we are still receiving data from this server lets say a user sends this server a message does this create another state with that server or does it use the existing one?
If the message comes from a different IP address, or the same IP address but a different port number, it is a -new- state, and it is tracked separately.

As I've said before, set all queues to shape -outbound- traffic. Not outward from your network, but rather, from the router's -- and PF's -- perspective. Note my queues: "std-in" and "torrent-in" are -outbound- queues that happen to be on the -internal- NIC.

-----

To shape traffic, you must understand that traffic. For SMTP, as an example, the -destination- port is 25. The initiating port number from a remote server (or mail client) is random.
#5
11th November 2009
MarcRiv
New User
Join Date: Oct 2009
Posts: 6

I think it finally clicked.

In the case with SMTP I can only work with the destination port because like you said the source port is random.

I really do understand that you can only work with the outbound on the interface. Like if you are downloading something, it is coming in the external interface and exits on the internal interface, while the return traffic would be sent into the internal interface and out the external interface, but it would be riding on the state that was created by the first connection.

So in my case, where I want to control the rate at which someone downloads, I would create a rule that looks at the return traffic on the external interface and adds it to the correct queue?

So for my example, to add SMTP to the queue I would do:
Code:
match in on $extif proto tcp from any to any port 25 queue (i_mail, i_ack)
match out on $extif proto tcp from any to any port 25 queue (e_mail, e_ack)
Am I any closer than I was? lol

Last edited by MarcRiv; 11th November 2009 at 10:02 PM. Reason: Horrible spelling errors
#6
11th November 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

Well, I'm not sure about the use of multiple queue names and HFSC, as I mentioned above.

But yes, in general, you've got it. The pass or match rule applies the queue name, as an attribute, to the state. The altq rules describe how the queue is then applied, on outbound traffic.

To better understand existing states, use the states screen in systat(8).
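A toy model of the mechanism described in posts #4 and #6, added here as a teaching example and not PF's own code: a state is keyed on both endpoints, a rule is consulted only for a packet that has no state yet, the queue the rule names becomes an attribute of that state, and only packets leaving an interface are shaped. The rule names, addresses and ports are constructed samples, and everything else PF does is ignored.

```python
from collections import namedtuple

# Toy model of PF's state table and queue assignment: a simplified teaching
# model written for this page, not PF's own code.  All addresses and ports
# are constructed sample values.
Packet = namedtuple("Packet", "iface direction proto src sport dst dport")

# Rules are consulted only for a packet that has no state yet, and the last
# matching rule wins.  "from-port-25" keys on the source port, like the
# thread's original match rule; "to-port-25" keys on the destination port.
RULES = [
    ("from-port-25", "sport", 25, "mail"),
    ("to-port-25", "dport", 25, "mail"),
]
DEFAULT_QUEUE = "bulk"


def state_key(pkt):
    """A state is (proto, endpoint A, endpoint B): both directions of one
    connection map to the same key; a different port is a different state."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class PfModel:
    def __init__(self):
        self.states = {}                       # state_key -> queue name
        self.hits = {name: 0 for name, *_ in RULES}

    def handle(self, pkt):
        """Return (state_created, queue): the queue that shapes this packet,
        or None for an inbound packet, which ALTQ never shapes."""
        key = state_key(pkt)
        created = key not in self.states
        if created:
            queue = DEFAULT_QUEUE
            for name, field, port, q in RULES:
                if getattr(pkt, field) == port:
                    self.hits[name] += 1
                    queue = q
            self.states[key] = queue           # queue is a state attribute
        return created, (self.states[key] if pkt.direction == "out" else None)


def smtp_session(model, in_if, out_if, client, cport, server):
    """Push one SMTP connection (SYN, then the server's reply) through the
    router and return [(state_created, queue)] for each packet hop."""
    syn_in = Packet(in_if, "in", "tcp", client, cport, server, 25)
    syn_out = syn_in._replace(iface=out_if, direction="out")
    rep_in = Packet(out_if, "in", "tcp", server, 25, client, cport)
    rep_out = rep_in._replace(iface=in_if, direction="out")
    return [model.handle(p) for p in (syn_in, syn_out, rep_in, rep_out)]
```

Running an outbound session (internal client to a remote port 25) and an inbound one (remote client to the local mail server) shows the source-port rule never tripping, while the reply packets of both ride their existing state and are shaped only as they leave an interface.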
#7
17th November 2009
s2scott
Package Pilot
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198

Quote:
Originally Posted by MarcRiv
Code:
match in on $extif proto tcp from any to any port 25 queue (i_mail, i_ack)
match out on $extif proto tcp from any to any port 25 queue (e_mail, e_ack)
Am I any closer than I was? lol
"match" is new in 4.6; if I'm up to speed on it correctly, match inspects EVERY packet (regardless of statefulness) on the specified interface. A more efficient rule fragment may be,

Code:
pass in on $extif inet proto tcp \
 from any to ($extif:0) port 25 \
 keep state queue(i_mail,i_ack)
In using a pass-rule with state there's a performance benefit of NOT having to inspect packets that qualify as stateful. By including the queue() on the pass rule you get queuing for matching rule and stateful packets.
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.