Bandwidth limit per IP
Good morning!
Today, for the second time, one uploader in the company blocked the whole internet connection because he used the full bandwidth for his upload.

So what I would like to do is set up a pf rule that says: If one host uses up full bandwidth, let him. When other hosts come in and require bandwidth, share the full bandwidth equally between them, depending on the total number of hosts and the bandwidth they actually need. When the other hosts are idle, give full bandwidth back to the first host.

I have seen setups with queue rules that distribute bandwidth per address or queue, but none of them used such a dynamic rule.

Thanks in advance
Patrick
|
|||
Hm, do I get this right:
I set up one queue "clients" and assign each of them say 10% of the bandwidth maximum. This should mean "use all the bandwidth, but if traffic gets heavier, do not exceed 10% of the total"?

Could you give me an example? My pf.conf doesn't use queues yet, I haven't actually needed them yet.
|
|||
You can find an example in http://www.openbsd.dk/faq/pf/queueing.html
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|
|||
Well, I went through it.
But that only describes load distribution by protocol or subnet, not by host! That won't work for my case, as I want to keep any host in the network from eating up all the bandwidth?
|
||||
In previous threads you have stated, in no uncertain terms, that you don't want to be told to read a FAQ page or a man page. I will take a risk of ridicule from you once more, and point out one line from the PF FAQ, only:
Quote:
    match in 10.0.0.1 to any queue myqueue

The match rule is not described in the FAQ, but it is in the man page. I won't tell you to read it. Any pass or match rule can be used to assign a queue.
|
|||
Maybe it is me, but I see a lot of instances of cbq in the second example at http://www.openbsd.dk/faq/pf/queueing.html#example2.
I never use queueing myself, so I don't have any examples. When my daughter was still living at home, once in a while I used YBQ, "Yell Based Queueing": "hey, are you downloading something, cannot you wait until I watch the news and Nova at 10:00 hrs?!"
|
|||
I have four class-c nets, is it wise to load up 1000 filter rules?
By the way, we already use ybq. But we also use dwbp (doesn't work = blame patrick), I'd like to improve a little bit.
|
||||
No, it probably isn't wise. It will consume memory to house the rule set, and it will consume CPU to process the rules, even with PF optimization.
Why do your 1000 addresses need to have individualized queues? You should have classes of users that can all share the same queue. E.g.: 500 of your users might have a workload (or everything, which is what you wanted) in a queue that consumes 10% of total bandwidth when there is contention, and borrows up to 50% of the total bandwidth from a parent queue (which does not borrow) when there is not.
|
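The class-based layout described in the post above, written out as an added example (not posted by anyone in the thread) in the ALTQ-style pf.conf syntax the thread discusses. The interface names, the 10Mb uplink, the queue and table names and the address ranges are constructed assumptions; hosts inside the same queue still compete with each other, so this is not per-host fairness.

```pf
# Constructed example: interface names, link speed and address ranges
# are assumptions, not values from the thread.
ext_if = "em0"          # uplink where the queues are enforced
int_if = "em1"          # LAN side where clients are classified

# One table holds all four class-C networks, so a single rule covers
# every client instead of roughly 1000 per-address rules.
table <clients> { 192.168.0.0/24, 192.168.1.0/24, \
                  192.168.2.0/24, 192.168.3.0/24 }

# Root scheduler on the uplink. Only traffic leaving $ext_if is shaped.
altq on $ext_if cbq bandwidth 10Mb queue { shared, rest }

# Parent class: half the link and no "borrow", so its children can
# never use more than 5Mb in total.
queue shared bandwidth 5Mb { users }

# Child class: 1Mb (10% of the link) under contention; "borrow" lets it
# take idle capacity from "shared", up to the parent's 5Mb.
queue users bandwidth 1Mb cbq(borrow)

# Default class for everything not assigned to another queue.
queue rest bandwidth 5Mb cbq(default)

# Classify on the way in from the LAN. The queue name is stored in the
# state entry and applied when the packet leaves through $ext_if.
match in on $int_if from <clients> to any queue users
pass  in on $int_if from <clients> to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch the queue counters with `pfctl -vvsq` while a large upload is running.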
|||
The problem is that we transfer a HUGE amount of data over the internet, but independent from the kind of host.
So one day the ftp-server will be stuffed with 2T of data and then downloaded, the other day it's one of the desktop machines that uploads 50G and jams the whole internet connection (this is exactly what happened Thursday).

So from what I understood, the queueing stuff can only limit down to one queue: I can share 50% to Group A and 50% to Group B. But what happens if Host 1 in Group A uses up all it can get? Group B can still claim 50% bandwidth. But what about Host 2 in Group A?
|
||||
Quote:
I have only ever used the class based queueing scheduler, and organized queues by network application, to shape outbound bandwidth use. If conducting your shaping by application doesn't meet your needs, you might investigate the hierarchical fair service curve scheduler. It is not mentioned in the FAQ, but is described in the pf.conf man page, which says: Quote:
|
|
|||
Well, frankly I don't understand why nobody hasn't run into the problem of keeping one user to block the whole network yet?
|
|
||||
In this case, I would not queue based on IP/host, but on the type of traffic you deem the most important (or the type of traffic you want the least interference with).
If you don't want FTP or rsync to consume all of your bandwidth, give them a 'lower queue' and a bandwidth limit with the ability to borrow from higher queues when these are not full. (This is for CBQ only.)

I don't know which type of traffic you favour over others, but it should be relatively easy to identify them and determine which queueing order would work best. E.g. if you have a local webserver you want to be reachable at all times, queue http traffic higher than ftp or rsync traffic, and if you value ssh even more, put that above the http queue.

Depending on the type of altq mechanism you use, you can define up to 15 types of traffic. You don't absolutely need CBQ unless you want to give any of the traffic types a minimum bandwidth guarantee. PRIQ alone will do fine if you don't mind that ftp or rsync (assuming that these are in the 'bottom queues') are blown away by traffic in the higher queues.
|