On 2012-11-21, openbsd2012 <openbsd2...@breeno.net> wrote:
> In short, the problem with keeping state across interfaces (PF's
> default) is that it makes it impractical, if not impossible, to
> have packets in different queues on both your internal and external
> network interfaces. To fix this, you need to configure PF to keep
> state on a per interface basis. This is done with a declaration in
> PF of "set state-policy if-bound".

There's another way which I think is better: Give the queues the
*same names* on the different interfaces.

Here's a slightly tweaked excerpt from one of my pf.conf files. The
hfsc config may be a bit wrong as I only have a rough idea how to
write hfsc rules (pieced together from posts on pfsense forums and
Jacek Artymiak's old book), but it works OK in practice and is enough
to show the idea.

Also, I find it much easier to deal with queue assignment in one
place, separate from the filter rules, so I do this all in one block
using match rules.

altq on pppoe0 hfsc bandwidth 820Kb queue {fast, med, low, bulk}
queue fast on pppoe0 bandwidth 30% priority 8 qlimit 20 hfsc (realtime 180Kb)
queue med on pppoe0 bandwidth 5% priority 4 qlimit 40 hfsc (realtime (200Kb, 10000, 60Kb))
queue low on pppoe0 bandwidth 20% priority 2 qlimit 50 hfsc (realtime (200Kb, 10000, 60Kb) default)
queue bulk on pppoe0 bandwidth 5% priority 1 qlimit 50 hfsc

altq on vr3 hfsc bandwidth 80Mb queue {local, internet}
queue local on vr3 bandwidth 1% priority 8 qlimit 50 hfsc (realtime 50Mb upperlimit 50Mb)
queue internet on vr3 bandwidth 3Mb priority 8 qlimit 50 hfsc (realtime 3Mb upperlimit 3Mb) {fast, med, low, bulk}
queue fast on vr3 bandwidth 1% priority 8 qlimit 50 hfsc (realtime 256Kb)
queue med on vr3 bandwidth 1% priority 4 qlimit 50 hfsc (realtime (800Kb, 10000, 256Kb) upperlimit 800Kb)
queue low on vr3 bandwidth 1% priority 2 qlimit 50 hfsc (realtime (500Kb, 10000, 256Kb) upperlimit 500Kb default)
queue bulk on vr3 bandwidth 1% priority 1 qlimit 50 hfsc

match proto tcp queue (low fast)
match proto tcp to port {http https} queue (med fast)
match proto udp from port {ntp domain snmp} queue (fast)
match proto udp to port {ntp domain snmp} queue (fast)
match proto tcp from port domain queue (fast)
match proto tcp to port domain queue (fast)
match proto tcp from port smtp queue (bulk)
match proto tcp to port smtp queue (bulk)
match proto udp from $pbx queue fast
match proto udp to $pbx queue fast