DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 18th February 2010
PatrickBaer PatrickBaer is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 81
Default Bandwidth limit per IP

Good morning!

Today it was the second time, one uploader in the company blocked the whole internet-connection because he used the full bandwidth for his upload.

So what I would like to do is setup a pf-rule that says:

If one host uses up full bandwidth, let him.

When other hosts come in and require bandwidth, share the full bandwidth equally between them, depending on the amount of total hosts and the bandwidth they actually need.

When the other hosts are idle, give full bandwidth back to the first host.

I have seen setups with queue rules, that distribute bandwidth per address or queue, but none of them used such a dynamic rule.

Thanks in advance

Patrick
Reply With Quote
  #2   (View Single Post)  
Old 18th February 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,052
Default

I haven't seen your config, and don't know from your description if your selected queuing methodology supports borrowing. Quoting from the Class Based Queing section of the PF User's Guide:
Quote:
A queue may optionally be configured to borrow bandwidth from its parent queue if the parent is being under-utilized.
That is what I do. If there is bandwidth, I let those that want more get it (they "borrow"), when there is bandwidth contention, they are restricted to their designed caps.
Reply With Quote
  #3   (View Single Post)  
Old 18th February 2010
PatrickBaer PatrickBaer is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 81
Default

Hm, do I get this right:

I setup one queue "clients" and assign each of them say 10% of the bandwidth maximum.

This should mean "use all the bandwidth, but if traffic gets heavier, do not exceed 10% of the total"?

Could you give me an example? My pf.conf doesn't use queues yet, I haven't actually needed them yet.
Reply With Quote
  #4   (View Single Post)  
Old 18th February 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,167
Default

You can find an example in http://www.openbsd.dk/faq/pf/queueing.html
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 19th February 2010
PatrickBaer PatrickBaer is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 81
Default

Well, I went through it.

But that only describes load distribution by protocol or subnet, not by host!

That won't work for my case, as I want to keep any host in the network from eating up all the bandwidth?
Reply With Quote
  #6   (View Single Post)  
Old 19th February 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,052
Default

In previous threads you have stated, in no uncertain terms, that you don't want to be told to read a FAQ page or a man page. I will take a risk of ridicule from you once more, and point out one line from the PF FAQ, only:
Quote:
To assign traffic to a queue, the queue keyword is used in conjunction with PF's filter rules.
Here's one example of assigning a queue to a user from a particular IP address. It assigns the queue "myqueue" to all packets inbound from 10.0.0.1:
match in 10.0.0.1 to any queue myqueue
The match rule is not described in the FAQ, but it is in the man page. I won't tell you to read it. Any pass or match rule can be used to assign a queue.
Reply With Quote
  #7   (View Single Post)  
Old 19th February 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,167
Default

May be it is me but I see a lot of instances of cbq in the second example at http://www.openbsd.dk/faq/pf/queueing.html#example2.

I never use queueing myself, so I don't have any examples. When my daughter was still living home once in a while I used YBQ, "Yell Based Queueing" : hey, are you downloading something, cannot you wait until I watch the news and Nova at 10:00 hrs?!"
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #8   (View Single Post)  
Old 19th February 2010
PatrickBaer PatrickBaer is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 81
Default

I have four class-c nets, is it wise to load up 1000 filter rules?

By the way, we already use ybq. But also we also use dwbp (doesn't work = blame patrick), I'd like to improve a little bit
Reply With Quote
  #9   (View Single Post)  
Old 20th February 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,052
Default

No, it probably isn't wise. It will consume memory to house the rule set, and it will consume CPU to process the rules, even with PF optimization.

Why do your 1000 addresses need to have individualized queues? You should have classes of users that can all share the same queue.

E.g: 500 of your users might have a workload (or everything, which is what you wanted) in a queue that consumes 10% of total bandwidth when there is contention, and borrows up to 50% of the total bandwith from a parent queue (which does not borrow) when there is not.
Reply With Quote
Old 20th February 2010
PatrickBaer PatrickBaer is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 81
Default

The problem is, that we transfer a HUGE amount of data over the internet, but independent from the kind of host.

So one day the ftp-server will be stuffed with 2T of data and then downloaded, the other day it's one of the desktop machines, that uploads 50G and jams the whole internet-connection (this is exactly what happened thursday)

So from what I understood, the queuing stuff can only limit down to one queue: I can share 50% to Group A and 50% to Group B. But what happens if Host 1 in Group A uses up all it can get? Group B can still claim 50% bandwidth. But what about Host 2 in Group A?
Reply With Quote
Old 21st February 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,052
Default

Quote:
Originally Posted by PatrickBaer View Post
...I can share 50% to Group A and 50% to Group B. But what happens if Host 1 in Group A uses up all it can get? Group B can still claim 50% bandwidth. But what about Host 2 in Group A?
Using the example you cite, Hosts 1 and 2 will share 50% of the bandwidth, because they share the same queue.

I have only ever used the class based queing scheduler, and organized queues by network application, to shape outbound bandwidth use. If conducting your shaping by application doesn't meet your needs, you might investigate the hierarchical fair service curve scheduler. It is not mentioned in the FAQ, but is described in the pf.conf man page, which says:
Quote:
...Each queue can have a priority and a bandwidth assigned. Priority main-
ly controls the time packets take to get sent out, while bandwidth
primarily affects throughput. hfsc supports both link-sharing and
guaranteed real-time services. It employs a service curve based
QoS model, and its unique feature is an ability to decouple delay
and bandwidth allocation.
Reply With Quote
Old 22nd February 2010
PatrickBaer PatrickBaer is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 81
Default

Well, frankly I don't understand why nobody hasn't run into the problem of keeping one user to block the whole network yet?
Reply With Quote
Old 22nd February 2010
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

In this case, I would not queue based on IP/host, but on the type of traffic you deem the most important (or the type of traffic you want the least interference with).

If you don't want FTP or rsync to consume all of your bandwidth, give them a 'lower queue' and a bandwidth limit with the ability to borrow from higher queues when these are not full. (this is for CBQ only)

I don't know which type of traffic you favour over others, but it should be relatively easy to identify them and determine which queueing order would work best.

E.g. if you have a local webserver you want to be reachable at all times, queue http traffic higher than ftp or rsync traffic, and if you value ssh even more, put that above the http queue. Depending on the type of altq mechanism you use, you can define up to 15 types of traffic. You don't absolutely need CBQ unless you want to give any of the traffic types a minimum bandwidth guarantee.

PRIQ alone will do fine if you don't mind that ftp or rsync (assuming that these are in the 'bottom queues') are blown away by traffic in the higher queues.
Reply With Quote
Old 22nd February 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,052
Default

Quote:
Originally Posted by PatrickBaer View Post
Well, frankly I don't understand why nobody hasn't run into the problem of keeping one user to block the whole network yet?
If you find our answers are incomplete or unsatisfactory, please post your question to the PF mailing list, where an audience that is both broader and deeper may be able to assist you. http://www.benzedrine.cx/mailinglist.html
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Limit Bandwidth (not throughput) plexter OpenBSD Security 5 9th October 2008 05:10 PM
limit use memory by Apache mfaridi FreeBSD Security 4 8th July 2008 05:59 PM
Approaching the limit on PV entries ccc FreeBSD General 6 14th June 2008 06:58 PM
bandwidth !!! sybergod OpenBSD Security 1 23rd May 2008 09:10 AM


All times are GMT. The time now is 05:54 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick