DaemonForums  

#1 EverydayDiesel, 29th January 2009
Help Limiting/Splitting Bandwidth

I've been reading http://www.openbsd.org/faq/pf/queueing.html but I'm curious if someone could show me a simple setup splitting the bandwidth between 3 computers.

I have pf installed and it is routing and pf works great.

Can someone show me an easy example of how to split the bandwidth evenly between 3 people (33% each)?

Thanks in advance.


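ext_if="vl0"
int_if="vl1"
# $tcp_services and $icmp_types are used below; their definitions are not shown in the post

# block-policy accepts "drop" or "return"
set block-policy drop
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)

# default deny inbound, allow outbound with state
block in
pass out keep state

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if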

Last edited by EverydayDiesel; 29th January 2009 at 10:43 PM.

#2 EverydayDiesel, 31st March 2009

Anyone?

#3 jggimi, 31st March 2009

What, specifically, in http://www.openbsd.org/faq/pf/queueing.html#example1 is confusing you?

#4 EverydayDiesel, 31st March 2009

I can't seem to get it right.

That example is to control the upload and I want to control the download.

How can I modify my simple rules above to incorporate altq and have it split the connection 33% on each of 3 computers?

#5 jggimi, 31st March 2009

Ah. Now I understand. Allow me to ease your confusion.

You cannot rate-limit inbound packets, directly. IP doesn't work that way. You can only rate limit on outbound packets. But, when you have a router with two interfaces, you can rate-limit them indirectly. In your case, just set up your queues for the packets leaving the router for the workstations that live on $int_if.

#6 robbak (Robert Backhaus), 1st April 2009

You can, to some limited extent, affect inbound speed of TCP connections (and only TCP packets) by delaying and/or dropping packets. The other end might just get the idea that there is some restriction there and slow down. But that is all you can do. Once a packet has reached you, then it has already consumed your bandwidth. Dropping it won't do anything but waste the bandwidth. You can do this by implementing outbound queues on your internal interface(s), as jggimi said.
There are some systems envisioned that would allow a firewall to force upstream routers and/or servers to rate-limit for you, but none of them are well supported. You can look through what tools your ISP gives you for QoS - this would be the best way.
We get asked this one quite often, and this is the only answer that can be given.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
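
The approach described in posts #5 and #6 (queue the packets leaving the router on the internal interface), written out as an added example that is not part of any post in this thread. The three host addresses, the 6Mb downlink figure and the queue names are assumptions; `$int_if` and the rules being replaced come from the ruleset in post #1.

```conf
# Added example: ALTQ on the internal interface (all values constructed).
# Assumptions: three LAN hosts at these addresses, 6Mb downlink.
pc1 = "192.168.1.11"
pc2 = "192.168.1.12"
pc3 = "192.168.1.13"

# Queueing section: goes after "scrub in" and before the nat rule.
# Use the downlink rate here, not the NIC rate, so that the queue on
# $int_if is the bottleneck for traffic leaving the router toward the LAN.
altq on $int_if cbq bandwidth 6Mb queue { pc1_q, pc2_q, pc3_q, other_q }
queue pc1_q   bandwidth 33%
queue pc2_q   bandwidth 33%
queue pc3_q   bandwidth 33%
queue other_q bandwidth 1% cbq(default)   # cbq requires a default queue
# For a soft split, use cbq(borrow) on the three host queues so a host
# may use share that the others leave idle.

# Filter section: these replace "pass in quick on $int_if" from post #1.
# The queue named on the rule that creates a state entry is recorded in
# that state, so the replies of the connection (the packets that leave
# $int_if toward the host) land in the host's queue.
pass in quick on $int_if from $pc1 to any keep state queue pc1_q
pass in quick on $int_if from $pc2 to any keep state queue pc2_q
pass in quick on $int_if from $pc3 to any keep state queue pc3_q
pass in quick on $int_if                  # other LAN hosts: default queue

# Placed after "pass out keep state" so they are the last match for
# connections opened toward each host (for example by the router itself).
pass out on $int_if from any to $pc1 keep state queue pc1_q
pass out on $int_if from any to $pc2 keep state queue pc2_q
pass out on $int_if from any to $pc3 keep state queue pc3_q
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vvsq` shows per-queue counters once it is loaded. This is the ALTQ syntax of the releases current when the thread was written; OpenBSD 5.5 introduced a different queueing syntax.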