I'm looking to extend my PF setup on my OBSD 5.5 firewall. Right now I can set the max upload and download speed for hosts without using ip-addresses, which is super! The ability I need is to set a higher download limit for selected hosts.
Right now the host with the ip 192.168.1.84 is unaffected by the bandwidth increase and downloads steady at 5Mb.
I can't seem to figure it out! Thanks in advance for any help or feedback!
The altq part
/etc/pf.conf
Code:
#QUEUEING
#server_ip = " { 192.168.2.11, 192.168.2.14 } "
admin_ip = "192.168.1.84"
#elev_ip = "{ 192.168.5.4 }"
#UPLOAD
altq on $ext_if cbq bandwidth 10Mb queue { std_out, sim_out } #TOTAL UPP
oldqueue std_out bandwidth 1Mb cbq(default)
oldqueue sim_out bandwidth 100Kb cbq
#DOWNLOAD
#Separate students from administration
altq on $admin_if cbq bandwidth 30Mb queue { adm_in, adm_in_high } #ADMIN NER
altq on { $elev_if, $grottan_if, $larare_if } cbq bandwidth 70Mb queue elv_in #ANDRA NER
oldqueue adm_in bandwidth 5Mb cbq(default)
#Allow for higher bandwidth on selected hosts
oldqueue adm_in_high bandwidth 10Mb cbq
#Students bandwidth
oldqueue elv_in bandwidth 5Mb cbq(default)
pass on $ext_if all
pass on { em1, em2, em3, em4, em5 } all
#Higher bandwidth hosts?
pass in on $admin_if from $admin_ip queue adm_in_high
pass out on $admin_if from $admin_ip queue adm_in_high
#
Full config
Code:
##tODO
#LABELS s169
#TRAFFIC SHAPING s139
# macros
ext_if="em0"
admin_if="em1"
admin_net=$admin_if:network
servers_if="em2"
server_net=$servers_if:network
grottan_if="em3"
grottan_net=$grottan_if:network
larare_if="em4"
larar_net=$larare_if:network
elev_if="em5"
elev_net=$elev_if:network
tcp_services="{ 22, 113 }"
udp_services = "{ domain, ntp }"
elev_ports = "{ ssh, http, https, imaps, imap, pop3 }"
icmp_types="echoreq"
# options
set block-policy return
set loginterface egress
set skip on lo
# match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)
# filter rules
block all
pass out quick
antispoof quick for { lo $admin_if }
#pass in on egress inet proto tcp from any to (egress) \
# port $tcp_services
pass in log on egress inet proto tcp to (egress) port 22 rdr-to 192.168.1.1
pass in log on egress inet proto tcp to (egress) port 443 rdr-to 192.168.1.1
#QUEUEING
#server_ip = " { 192.168.2.11, 192.168.2.14 } "
admin_ip = "192.168.1.84"
#elev_ip = "{ 192.168.5.4 }"
#UPLOAD
altq on $ext_if cbq bandwidth 50Mb queue { std_out, sim_out } #TOTAL UPP
oldqueue std_out bandwidth 0.5Mb cbq(default)
oldqueue sim_out bandwidth 100Kb cbq
#DOWNLOAD
#Separate students from administration
altq on $admin_if cbq bandwidth 30Mb queue { adm_in, adm_in_high } #ADMIN NER
altq on { $elev_if, $grottan_if, $larare_if } cbq bandwidth 70Mb queue elv_in #ANDRA NER
oldqueue adm_in bandwidth 5Mb cbq(default)
#Allow for higher bandwidth on selected hosts
oldqueue adm_in_high bandwidth 10Mb cbq
#Students bandwidth
oldqueue elv_in bandwidth 5Mb cbq(default)
pass on $ext_if all
pass on { em1, em2, em3, em4, em5 } all
#Higher bandwidth hosts
pass in on $admin_if from $admin_ip queue adm_in_high
pass out on $admin_if from $admin_ip queue adm_in_high
#
#Isolate networks
#admin_net
pass in on $admin_if
#server_net
pass in on $servers_if
block in log on $servers_if to { $larar_net, $admin_net, $grottan_net, $elev_net }
#pass in log on $servers_if proto tcp from $server_net to 192.168.1.1 port 22
#grottan_net
pass in on $grottan_if
block in log on $grottan_if to { $server_net, $admin_net, $larar_net $elev_net }
#pass in log on $grottan_if proto tcp from $grottan_net to 192.168.1.1 port 22
#larar_net
pass in on $larare_if
block in log on $larare_if to { $server_net, $admin_net, $grottan_net, $elev_net }
#pass in log on $larare_if proto tcp from larar_net to 192.168.1.1 port 22
#elev_net
pass in on $elev_if
block in log on $elev_if to { $server_net, $admin_net, $grottan_net, $larar_net }
pass in log on $elev_if proto tcp from $elev_net to 192.168.3.4 port 22
#pass proto tcp from $elev_net to port $elev_ports #Filtrera portar ut
#DHCP
pass out on any proto {udp,tcp} from any port 68 to any port 67 keep state
pass in on any proto {udp,tcp} from any port 67 to any port 68 keep state
#DNS + NTP
pass quick inet proto { tcp, udp } to any port $udp_services keep state
#ICMP
pass in inet proto icmp all icmp-type $icmp_types
#AD BLOCKER
table <ad-servers> persist
block return in quick on {em1, em2, em3, em4, em5} from any to <ad-servers>