Hi David (and thanks to all the others for your replies),
I didn't have time to work on it but will have some time this week.
I think my main problem was from my Windows 7 laptop, which looks like it
blocks traffic until it "understands" that traffic can pass.
An example we often see with Windows 7 is when there is an internet
problem: when the problem is fixed, you can ping external networks and
domain names, but until Windows 7 removes the yellow triangle on the
network adapter, browsers (we are using IE, Firefox & Chrome) won't be
able to go on the internet.
Even with our old firewall (based on iptables), it was the same. It took
some minutes for Windows users to apply a rule change. Example: I forward
port 80 to a server with an alert to contact us, they contact us, then
we erase the rule and apply it, but the user will still be forwarded for
several minutes.
So while doing my tests, if I applied a ruleset like "pass in" instead of
"block in", often traffic was still blocked. It's really hard to test
rulesets in these conditions. For sure, I was able one time to make the
traffic pass on my second queue, but it was after a long time working on
something else. When I came back to it and looked at pftop, I saw the
traffic on the second queue.
If I remember well, my ruleset was:
block in
block out
pass in on re0 to 10.254.200.2 queue second
pass out on re0 to 10.254.200.2 queue second
pass in on re1 to 10.254.200.2 queue second
pass out on re1 to 10.254.200.2 queue second
pass in on re0 from 10.254.200.2 queue second
pass out on re0 from 10.254.200.2 queue second
pass in on re1 from 10.254.200.2 queue second
pass out on re1 from 10.254.200.2 queue second
I will do more tests and write back to the mailing list.
Michel
On 2011-08-22 18:40, David Newman wrote:
Did you have any luck getting this working?
Thanks!
dn
On 8/16/11 8:20 AM, Michel Blais wrote:
Hi,
I'm having a problem shaping downloads with PF. I have 2 HFSC queues
(main and second) created on my internal NIC. Main is my default
queue. If I try to match download traffic to the second queue, it still
goes through the main queue.
The IP I want to download through the second queue for my test
unit is 10.254.200.2
$ext_if=re0
$int_if=re1
My rule to forward traffic to the second queue is:
match out on $int_if from any to 10.254.200.2
I also tried with pass instead of match.
It looks fine if I check the Bob example in this FAQ:
http://www.openbsd.org/faq/pf/queueing.html#example1
pfctl -vvsq still shows traffic on the main queue:
queue main on re1 bandwidth 1Mb priority 2 qlimit 100 hfsc( red default upperlimit 97Mb )
[ pkts: 24701 bytes: 37333295 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/100 ]
[ measured: 236.4 packets/s, 2.86Mb/s ]
queue second on re1 bandwidth 1Mb priority 0 qlimit 250 hfsc( red upperlimit 97Mb )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/250 ]
[ measured: 0.0 packets/s, 0 b/s ]
pftop -v rules shows me that the rule doesn't match:
12 Pass out re1 K 0 0 0 inet from any to 10.254.200.2/32 flags S/SA queue second
I can see my download with tcpdump:
# tcpdump -i re1 host 10.254.200.2
...
10:49:19.802505 10.254.200.2.49266> hammurabi.acc.umu.se.www: . ack 832200 win 64240 (DF)
10:49:19.802716 hammurabi.acc.umu.se.www> 10.254.200.2.49266: . 832200:833660(1460) ack 1 win 6564 (DF)
10:49:19.802911 hammurabi.acc.umu.se.www> 10.254.200.2.49266: . 833660:835120(1460) ack 1 win 6564 (DF)
10:49:19.803040 hammurabi.acc.umu.se.www> 10.254.200.2.49266: . 835120:836580(1460) ack 1 win 6564 (DF)
10:49:19.803211 10.254.200.2.49266> hammurabi.acc.umu.se.www: . ack 836580 win 64240 (DF)
10:49:19.803248 hammurabi.acc.umu.se.www> 10.254.200.2.49266: . 836580:838040(1460) ack 1 win 6564 (DF)
10:49:19.803252 hammurabi.acc.umu.se.www> 10.254.200.2.49266: . 838040:839500(1460) ack 1 win 6564 (DF)
10:49:19.803367 hammurabi.acc.umu.se.www> 10.254.200.2.49266: . 839500:840960(1460) ack 1 win 6564 (DF)
...
I have spent days on this with OpenBSD 4.9 and
FreeBSD 8.2 without result.
I even tried all 8 possible rules at the same time and
pfctl was still showing traffic through the main queue on:
match in on re0 from any to 10.254.200.2 queue second
match in on re1 from any to 10.254.200.2 queue second
match out on re0 from any to 10.254.200.2 queue second
match out on re0 from any to 10.254.200.2 queue second
match in on re0 from 10.254.200.2 to any queue second
match in on re1 from 10.254.200.2 to any queue second
match out on re0 from 10.254.200.2 to any queue second
match out on re0 from 10.254.200.2 to any queue second
In this case, pftop was showing that it matched:
match out on re0 from 10.254.200.2 to any
match on re1 from 10.254.200.2 to any
It looks like only the upload rules match.
Can somebody help me on this?
Thanks
Michel
P.S.: I have a VoIP queue that I will add afterwards, which will need the
realtime option; that's why I'm using HFSC.
--
Michel Blais
Administrateur réseau / Network administrator
Targo Communications
www.targo.ca
514-448-0773
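A small added helper for the check Michel performs above, reading `pfctl -vvsq` counters to see which queue actually carries packets. This is example code added here, not from the thread or from OpenBSD; the sample output is a constructed, single-line rendering of the counters posted in the thread, and the `pfctl` output format assumed is the OpenBSD 4.x `pfctl -vvsq` layout shown there.

```python
import re

# Constructed sample, modelled on the two HFSC queues (main and second)
# posted in the thread, with each queue's counters on one line.
SAMPLE = """\
queue main on re1 bandwidth 1Mb priority 2 qlimit 100 hfsc( red default upperlimit 97Mb )
  [ pkts:      24701  bytes:   37333295  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/100 ]
  [ measured:   236.4 packets/s, 2.86Mb/s ]
queue second on re1 bandwidth 1Mb priority 0 qlimit 250 hfsc( red upperlimit 97Mb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/250 ]
  [ measured:     0.0 packets/s, 0 b/s ]
"""

QUEUE_RE = re.compile(r"^queue (\S+) on (\S+) ")
PKTS_RE = re.compile(
    r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")


def parse_queues(text):
    """Map queue name -> interface, default flag and cumulative counters."""
    queues, current = {}, None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = m.group(1)
            queues[current] = {"iface": m.group(2), "default": " default" in line,
                               "pkts": 0, "bytes": 0, "dropped": 0}
            continue
        m = PKTS_RE.search(line)
        if m and current is not None:
            q = queues[current]
            q["pkts"], q["bytes"], q["dropped"] = (
                int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return queues


def idle_queues(queues):
    """Queues that have carried no packets since the counters were cleared."""
    return sorted(name for name, q in queues.items() if q["pkts"] == 0)


def traffic_share(queues):
    """Fraction of all queued bytes seen by each queue (0.0 when nothing queued)."""
    total = sum(q["bytes"] for q in queues.values())
    return {name: (q["bytes"] / total if total else 0.0) for name, q in queues.items()}
```

The counters are cumulative, so take two snapshots while the test download is running and compare them; note also that PF stores the queue in the state entry when the state is created, so connections that were already open before a rule change keep their old queue until those states expire or are flushed.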