Traffic Shaping Using PF
Hi,
Currently in my OpenBSD firewall there are traffic shaping rules, but I doubt whether those are working, since when the other users are downloading or streaming, the PCs that apply the traffic shaping rules are getting slower. My pf.conf's rules are as follows:

Code:

    ext_if="rl0"
    ext_ip="x.x.x.x"
    int_if="em0"
    bmpc_wks="{192.168.94.22/32, 192.168.94.23/32, 192.168.94.24/32}"
    http_comp="192.168.94.43"
    #hrwebserver = "192.168.94.45"
    # allow ping icmp_type
    icmp_types="{ echoreq, unreach }"
    #webports = "{ http, https }"
    #General Options -AL
    set loginterface $ext_if
    set limit { states 40000, frags 5000 }
    set optimization normal
    set block-policy drop
    match all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
    #Rules in Traffic Parity Queue Shaping-AL
    altq on rl0 cbq bandwidth 3Mb queue {std,bmpc}
    queue std bandwidth 2Mb cbq(default ecn borrow)
    queue bmpc bandwidth 1Mb cbq(ecn borrow)
    pass out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc

Thanks

Last edited by Amithapr; 8th February 2017 at 12:44 PM.
|
|||
Hi jggimi,
Thanks for the information. I tried to get the desired result by adding "pass in on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc" before the pass out on rule, but it still seems that traffic shaping is not happening. I have no idea how to implement the other queue (std) that you have mentioned in your reply.

Thanks.

Last edited by Amithapr; 9th February 2017 at 10:49 AM.
|
||||
Your example temporarily added rule would never match any traffic. There is never inbound traffic from your workstations on your external network.

Queues are attached to a state when the state is established. So if a state is established on outbound traffic by the pass rule in your top post, the queue would remain assigned for the inbound traffic. I did not see any rules for any other traffic, and that is why I made note of it.

----

Q: When is a queue deployed?
A: When there is outgoing traffic that is delayed waiting for a network connection to become free.

Q: Why only outgoing traffic?
A: Because if a packet has arrived... it is already here. There is nothing to queue. If we are flooded and cannot manage to process the packet, we can drop it, but there is no queue to put it on because it is not waiting for an outgoing connection.

Q: Why are my queues not queuing?
A: Your performance delays are likely due to bottlenecks on incoming packets from the Internet. You don't have local queues on Internet inbound traffic because the incoming traffic is much slower than your local network. The ISP's router is queuing the traffic, but your router does not need to.

Q: How can I monitor queues?
A: systat(8) and the pftop package.
|
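The reply above can be traced with a small model. This is an added illustration, not part of the original thread and not pf's own code: `ToyPf`, `Rule` and the `SERVER` address are hypothetical, NAT is ignored, and one state is kept per interface and connection. It shows which rule creates the state, which queue the state carries, and which packets are actually put on a queue.

```python
from dataclasses import dataclass

BMPC_WKS = {"192.168.94.22", "192.168.94.23", "192.168.94.24"}  # from the thread
ALTQ_IFACES = {"rl0"}     # the thread declares altq on rl0 only
SERVER = "203.0.113.10"   # constructed sample Internet host

@dataclass
class Rule:
    direction: str
    iface: str
    queue: str
    hits: int = 0

    def matches(self, direction, iface, src, dport):
        return ((direction, iface) == (self.direction, self.iface)
                and src in BMPC_WKS and dport >= 80)

class ToyPf:
    """Simplified model: no NAT, one state per (interface, connection)."""
    def __init__(self, rules, default_queue="std"):
        self.rules, self.default_queue, self.states = rules, default_queue, {}

    def process(self, direction, iface, src, dst, dport):
        """Return (queue attached to the state, whether the packet is queued)."""
        key = (iface, frozenset((src, dst)))
        if key not in self.states:           # first packet: evaluate the ruleset
            queue = self.default_queue
            for rule in self.rules:          # last matching rule wins
                if rule.matches(direction, iface, src, dport):
                    rule.hits += 1
                    queue = rule.queue
            self.states[key] = queue         # fixed when the state is created
        # Only packets leaving through an altq-enabled interface wait in a queue.
        queued = direction == "out" and iface in ALTQ_IFACES
        return self.states[key], queued

def demo():
    pass_in = Rule("in", "rl0", "bmpc")    # the rule added in the second post
    pass_out = Rule("out", "rl0", "bmpc")  # the rule from the first post
    pf = ToyPf([pass_in, pass_out])
    ws = "192.168.94.22"
    results = {
        "request in on em0": pf.process("in", "em0", ws, SERVER, 443),
        "request out on rl0": pf.process("out", "rl0", ws, SERVER, 443),
        "reply in on rl0": pf.process("in", "rl0", SERVER, ws, 50000),
        "reply out on em0": pf.process("out", "em0", SERVER, ws, 50000),
        "other host out on rl0": pf.process("out", "rl0", "192.168.94.43", SERVER, 80),
    }
    return results, pass_in.hits, pass_out.hits
```

In this model the `pass in on $ext_if` rule is never hit, and the reply keeps the `bmpc` queue from its state but is not queued because it arrives inbound on rl0.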
|||
Hi All,
I ran the command systat queues and got to know the std queue is getting priority, so I changed the default queue to bmpc. Now the traffic shaping rule works. But I'm not sure I did the correct thing. Changes done are in bold colour.

Code:

    ext_if="rl0"
    ext_ip="x.x.x.x"
    int_if="em0"
    bmpc_wks="{192.168.94.22/32, 192.168.94.23/32, 192.168.94.24/32}"
    http_comp="192.168.94.43"
    #hrwebserver = "192.168.94.45"
    # allow ping icmp_type
    icmp_types="{ echoreq, unreach }"
    #webports = "{ http, https }"
    #General Options -AL
    set loginterface $ext_if
    set limit { states 40000, frags 5000 }
    set optimization normal
    set block-policy drop
    match all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
    #Rules in Traffic Parity Queue Shaping-AL
    altq on rl0 cbq bandwidth 3Mb queue {std,bmpc}
    queue std bandwidth 50% priority 0 cbq(ecn borrow)
    queue bmpc bandwidth 50% priority 7 cbq(default ecn borrow)
    pass out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc
|
|||
Dear All,
It seems that only the bmpc queue is working and the std queue is idle. I feel something is wrong in my configuration, though the bmpc queue is working. The systat queues output is attached.
|
|||
Hi Jggimi,
I changed the default queue, but the systat command only shows one queue's statistics. The screenshot is attached.
|
|||
Hi Jggimi,
Sorry for the late reply. Please find the latest pf.conf file herewith.

Thanks
|
||||
I don't see anything obviously wrong with your PF configuration.
Noted:
You don't want me to tell you to upgrade or replace this system, again. Or, to hire support to help you. I think I've tried to tell you to do so about twenty times.

So I will only repeat that your system is not supported by the OpenBSD Project, and cannot be supported by me through this forum. You are truly on your own.

The altq subsystem was removed and replaced for very good reasons. Years ago. See http://quigon.bsws.de/papers/2012/bsdcan/

Last edited by jggimi; 15th March 2017 at 04:50 PM. Reason: typos
|