Altq on multi wan and multi zone environment
Posted by apsaras (New User, joined May 2012) on 26th May 2012 in DaemonForums > OpenBSD > OpenBSD Security

Hi

I am using an OpenBSD 5.1 box with multiple interfaces and Altq, and I would like to have your thoughts about my design and configuration.

Here is my setup

My firewall has 4 Intel Gb interfaces. One interface is used for 2 Internet feeds (vlans) with multi-homed BGP, 1 for Extranet (web servers, mail servers and DNS), 1 for DMZ (untrusted customer servers) and 1 for VoIP services (SIP proxy, RTP proxy, softswitch).

What I would like to do is to give full priority to the VoIP service no matter what, and have the other services run on best effort. So I have created one Altq for each interface.

The two public Internet interfaces, 4Mb each, have the following altq config:

Code:
altq on $bgp1_if hfsc bandwidth 3.9Mb queue { synq_voip_main, synq_other_main }
queue synq_voip_main bandwidth 30% hfsc {synq_voip}
queue synq_voip bandwidth 100% priority 6 qlimit 500 hfsc (realtime 110Kb)
queue synq_other_main bandwidth 70% hfsc {synq_acks, synq_interactive, synq_web, synq_mail, synq_ftp, synq_default}
queue synq_acks bandwidth 10% priority 7 qlimit 500 hfsc (realtime 5%)
queue synq_interactive bandwidth 10% priority 5 qlimit 500 hfsc (realtime 5% upperlimit 2Mb)
queue synq_web bandwidth 30% priority 4 qlimit 500 hfsc (realtime  (50%, 10000, 10%) ecn upperlimit 3Mb)
queue synq_mail bandwidth 20% priority 3 qlimit 500 hfsc (ecn upperlimit 3Mb)
queue synq_ftp bandwidth 5% priority 2 qlimit 500 hfsc (ecn upperlimit 1Mb)
queue synq_default bandwidth 25% priority 1 qlimit 500 hfsc (default ecn upperlimit 3Mb)

and each internal zone has the following:

Code:
altq on $voice_if hfsc bandwidth 900Mb queue {voiceq_out, voiceq_default}
queue voiceq_out bandwidth 3.9Mb hfsc {voiceq_acks, voiceq_voip, voiceq_interactive,  voiceq_web, voiceq_mail, voiceq_ftp}
queue voiceq_acks bandwidth 20% priority 7 qlimit 500 hfsc (realtime 5%)
queue voiceq_voip bandwidth 50% priority 6 qlimit 500 hfsc (realtime 110Kb)
queue voiceq_interactive bandwidth 10% priority 5 qlimit 500 hfsc (realtime 5% upperlimit 2Mb)
queue voiceq_web bandwidth 10% priority 4 qlimit 500 hfsc (realtime  (20%, 10000, 10%) ecn upperlimit 3Mb)
queue voiceq_mail bandwidth 5% priority 3 qlimit 500 hfsc (ecn upperlimit 3Mb)
queue voiceq_ftp bandwidth 5% priority 2 qlimit 500 hfsc (ecn upperlimit 1Mb)
queue voiceq_default bandwidth 896Mb priority 1 qlimit 500 hfsc (default)

The problem is that I cannot get correct inbound traffic control, because each internal interface should be able to use the full bandwidth, but adding up DMZ, Extranet and VoIP the assigned bandwidth is more than I want to assign.

Example: Server 1 at Extranet starts downloading a file from the web and gets 4Mb speed, Server 2 at DMZ does the same, so Server 2 will also try to get 4Mb, and finally Server 3 at VoIP starts a call out.

Moreover, having 2x4Mb of bandwidth with BGP, I do not know from which interface the traffic will come in. Hence, limiting the inbound queues to 4Mb instead of 8Mb, I am using just half of my feed.

Any best practice on that, or a reference to read?

Thank you in advance
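The post shows the queue trees but not the rules that put traffic into them, nor how the two Internet feeds are told apart once a packet is heading out of an internal interface. The pf.conf fragment below is an added example for OpenBSD 5.1 ALTQ, not the poster's own configuration; the interface names, the VoIP network (an RFC 5737 documentation range) and the port lists are assumptions. Two caveats a practitioner should keep in mind: ALTQ shapes only what an interface sends, so the "inbound" limit on a zone is really egress shaping on that zone's interface, and a queue belongs to exactly one interface, so no ALTQ queue can police the sum of what Extranet, DMZ and VoIP together pull from one feed. What can be done is to tag packets with the feed they arrived on and give each zone one 3.9Mb parent per feed, so a zone can use both feeds instead of half of them. Also, hfsc schedules purely on its service curves; the `priority` values in the posted hfsc queues only matter to the cbq and priq schedulers and are left out here.

```pf
# Added example, not from the original post. OpenBSD 5.1 pf.conf fragment
# showing how traffic reaches the queues defined in the post and how the
# two Internet feeds are told apart. Interface names, the VoIP network
# (RFC 5737 documentation range) and the port lists are assumptions.
bgp1_if   = "vlan10"          # Internet feed 1 (root of the synq_* tree)
bgp2_if   = "vlan20"          # Internet feed 2 (same tree, other names)
voice_if  = "em3"             # VoIP zone (SIP proxy, RTP proxy, softswitch)
voip_net  = "192.0.2.0/24"    # constructed address range
sip_ports = "{ 5060, 5061 }"
rtp_ports = "10000:20000"

# 1. Remember which feed a packet arrived on. The tag stays on the packet
#    while it is forwarded out of an internal interface, so the egress
#    rules there can tell feed 1 from feed 2.
match in on $bgp1_if tag FROM_WAN1
match in on $bgp2_if tag FROM_WAN2

# 2. Outbound on feed 1: steer flows into the queues from the post.
#    A (queue, queue) pair sends empty TCP ACKs and TOS lowdelay packets
#    to the second queue, which is what synq_acks exists for. Unmatched
#    traffic lands in the queue flagged 'default'.
match out on $bgp1_if proto udp from $voip_net port $sip_ports queue synq_voip
match out on $bgp1_if proto udp from $voip_net port $rtp_ports queue synq_voip
match out on $bgp1_if proto tcp to port { 80, 443 } queue (synq_web, synq_acks)
match out on $bgp1_if proto tcp to port { 25, 587 } queue (synq_mail, synq_acks)
match out on $bgp1_if proto tcp to port 21          queue (synq_ftp, synq_acks)
match out on $bgp1_if proto tcp to port 22          queue (synq_interactive, synq_acks)
# (repeat for $bgp2_if with that feed's queue names)

# 3. LAN side of the VoIP zone: one parent per feed, each capped at what
#    that feed can deliver, chosen by the tag from step 1. A later match
#    rule overrides the queue set by an earlier one, so the catch-all per
#    feed comes first and the VoIP-specific rules after it.
altq on $voice_if hfsc bandwidth 900Mb queue { voiceq_wan1, voiceq_wan2, voiceq_lan }
queue voiceq_wan1 bandwidth 3.9Mb hfsc { voiceq_wan1_voip, voiceq_wan1_bulk }
queue  voiceq_wan1_voip bandwidth 50% qlimit 500 hfsc (realtime 110Kb)
queue  voiceq_wan1_bulk bandwidth 50% qlimit 500 hfsc (ecn upperlimit 3Mb)
queue voiceq_wan2 bandwidth 3.9Mb hfsc { voiceq_wan2_voip, voiceq_wan2_bulk }
queue  voiceq_wan2_voip bandwidth 50% qlimit 500 hfsc (realtime 110Kb)
queue  voiceq_wan2_bulk bandwidth 50% qlimit 500 hfsc (ecn upperlimit 3Mb)
queue voiceq_lan bandwidth 890Mb qlimit 500 hfsc (default)   # zone-to-zone traffic

match out on $voice_if tagged FROM_WAN1 queue voiceq_wan1_bulk
match out on $voice_if tagged FROM_WAN1 proto udp to $voip_net port $sip_ports queue voiceq_wan1_voip
match out on $voice_if tagged FROM_WAN1 proto udp to $voip_net port $rtp_ports queue voiceq_wan1_voip
match out on $voice_if tagged FROM_WAN2 queue voiceq_wan2_bulk
match out on $voice_if tagged FROM_WAN2 proto udp to $voip_net port $sip_ports queue voiceq_wan2_voip
match out on $voice_if tagged FROM_WAN2 proto udp to $voip_net port $rtp_ports queue voiceq_wan2_voip

# 4. match rules only annotate; pass rules still decide what is allowed.
#    Keep the real policy (which servers, which ports) in these.
pass in  on { $bgp1_if $bgp2_if } proto udp to $voip_net port { $sip_ports $rtp_ports }
pass out on $voice_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch packets land in the intended queues with `pfctl -vsq` (per-queue counters) or `systat queues` while a call is up and a download is running; a VoIP flow that shows up in a `*_bulk` or default queue means the match rule ordering or the port list is wrong. The same per-feed split applies unchanged to the DMZ and Extranet interfaces, but note that it does not stop the three zones from jointly exceeding one feed's 4Mb; with ALTQ that sum can only be bounded by sizing each zone's per-feed parent below 3.9Mb.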