| -----Original Message-----
| From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson
| Sent: Wednesday, November 21, 2012 7:47 AM
| To: misc@openbsd.org
| Subject: Re: PF altq and limiting traffic among multiple interfaces
|
| On 2012-11-21, openbsd2012 <openbsd2...@breeno.net> wrote:
| > In short, the problem with keeping state across interfaces (PF's
| > default) is that it makes it impractical, if not impossible, to have
| > packets in different queues on both your internal and external network
| > interfaces. To fix this, you need to configure PF to keep state on a
| > per interface basis. This is done with a declaration in PF of "set
| > state-policy if-bound".
|
| There's another way which I think is better:
|
| Give the queues the *same names* on the different interfaces.
Stuart,

I'm finally getting some time to try out like-named queues on multiple interfaces, but I'm not getting the result you previously indicated. Packets originating on my internal network are being matched to the correct queues, but after being NAT'ed they are flowing through the default queue on the external interface. Likewise, packets originating on external networks are queuing correctly to my external interface, but after being NAT'ed they then flow through the default queue on the internal interface.

I have not implemented your match rules, as my preference is to queue on the pass rule. However, I haven't seen anything that would indicate that match rules transcend state tracking, which is the only way I can see that using match rules could have an effect.

Does your output from 'systat queues' actually show that you have packets hitting your like-named queues on the interface opposite of packet origination?

Breen
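For readers following the thread, here is a pf.conf sketch of the two configurations being compared: like-named queues declared per interface (Stuart's suggestion) and `set state-policy if-bound` (the approach in the original post), with queue assignment on the pass rules as Breen describes. This is an added illustration, not a ruleset posted by either participant; the interface names, addresses and bandwidths are assumed, and it does not settle which approach queues the post-NAT side, which is the open question above.

```pf
# Added illustration of the approaches discussed in the thread; not from
# either poster. Interface names, addresses and bandwidths are assumed.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Approach 1 (Stuart): the same queue names on both interfaces. Each
# interface gets its own scheduler tree and its own default queue.
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh }
queue std on $ext_if bandwidth 60% cbq(default)
queue ssh on $ext_if bandwidth 40% cbq(priority 7)

altq on $int_if cbq bandwidth 100Mb queue { std, ssh }
queue std on $int_if bandwidth 60% cbq(default)
queue ssh on $int_if bandwidth 40% cbq(priority 7)

# Approach 2 (original post): bind each state to the interface it was
# created on, so the other interface evaluates the ruleset itself.
# Uncomment to try it instead of, or alongside, approach 1.
# set state-policy if-bound

# Outbound NAT for the LAN (OpenBSD 4.7+ match/nat-to syntax).
match out on $ext_if from $lan to any nat-to ($ext_if)

# Queue assignment on the pass rules, as Breen prefers. With floating
# states (the default) the queue chosen by the rule that created the
# state is what is recorded in that state entry.
pass in  on $int_if proto tcp from $lan to any port 22 queue ssh
pass in  on $int_if from $lan to any queue std
pass out on $ext_if proto tcp to any port 22 queue ssh
pass out on $ext_if queue std

# The match-rule form Stuart referred to. Whether it assigns the queue
# on the post-NAT interface is exactly what the thread is asking.
# match out on $ext_if proto tcp to any port 22 queue ssh
# match out on $int_if proto tcp to any port 22 queue ssh
```

To see which queue traffic actually lands in on each interface, `systat queues` (as Breen mentions) or `pfctl -vvsq` will show per-queue packet counters for both the internal and external scheduler trees; comparing the `std` and `ssh` counters on the interface opposite to where the flow originated is the check the thread is after.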