Giancarlo Razzolini wrote:

>       Hello folks,
>
> I finally took some time and did my pf.conf firewall from scratch,
> actually learning it (I did my first using fwbuilder. It worked, but I
> wanted to do a "hands on" approach). And now I must say I'm almost
> proficient in pf. I must confess I found it much simpler than iptables.
> And more secure, since you can do full state inspection. But now I have
> 2 questions about traffic shaping. I want to limit my downloads, to
> make everyone in my house have a fair slice, and to limit my uploads,
> to make my ssh connections not hang up every time someone starts an
> upload. I have an ADSL line with 300Kb inbound and 150Kb outbound. I just
> want to make clear 3 things:
>
> 1) To limit my uploads I have to filter my external interface, using my
> upload bandwidth as the parameter to the altq (150Kb)?
> 2) And to limit my downloads I have to limit my internal interface (that
> has a 10Mbps link with the internal net, and can perform 4.5Mbit/sec),
> and if so, how to limit my firewall's downloads?
> 3) I'm using CBQ for both queues with ECN activated. Just wanna know if
> it's viable, or if it's better to use CBQ on the internal interface and
> PRIQ on the external.
>
> I would be glad if some of you could clear the things up for me.
>
> Thanks in advance,
>
Welcome to the crew.  Sounds like you're doing pretty much the exact
same thing I was doing last year on an ADSL line shared between myself
and two roomies.  If you haven't gotten all the way through it yet, read
the PF user's guide at http://www.openbsd.org/faq/pf/index.html, and pay
special attention to the examples in the "Packet Queueing and
Prioritization" section.  While leaving the particular rules up to you,
I'll make the following suggestions:

1: Set your upload bandwidth to about 125% of your advertised rate
2: Unless it was just dumb luck, there's nothing wrong with using the
full bandwidth of your internal interface.
3: I've had better results using CBQ on internal interfaces, and PRIQ on
the external.  In my 3-person condo last year, using your 300k
downstream, I'd set 100k (borrow) to each person internally, so that if
someone's not using their straw, the others could borrow from it. 
Likewise, my outbound priority was something along the lines of ACK,
DNS, SSH, HTTP, SMTP/POP, bulk (one was an anime freak, and forcing his
habit into the 'bulk' queue allowed the rest of us to surf in peace).

Obviously, what worked best for me may not be best for you.
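To make the layout in the reply concrete (PRIQ on the external interface with the ACK/DNS/SSH/HTTP/mail/bulk ordering, CBQ on the internal interface with one borrowable slice per person), here is a pf.conf sketch added to this thread. It is not from either poster: interface names, LAN addresses, queue names and the 150Kb upstream figure are assumptions (the upstream number is the one the original post gives and is the value suggestion 1 above tells you to tune), and it uses the ALTQ syntax the thread and the linked PF user's guide describe, which OpenBSD 5.5 and later replaced with a different queue syntax.

```conf
# Added example, not from the thread. Interfaces and addresses are assumed.
ext_if = "tun0"                 # ADSL side (assumed name)
int_if = "fxp0"                 # LAN side (assumed name)
up_bw  = "150Kb"                # upstream figure from the original post; tune per suggestion 1
down_bw = "300Kb"               # downstream figure from the original post
lan_a = "192.168.1.10"          # one host per person (assumed addresses)
lan_b = "192.168.1.11"
lan_c = "192.168.1.12"

# External interface: PRIQ. Higher "priority" wins outright; 15 is highest, 0 lowest.
# Empty ACKs go first so downloads keep flowing while someone uploads.
altq on $ext_if priq bandwidth $up_bw queue { q_ack, q_dns, q_ssh, q_web, q_mail, q_bulk }
queue q_ack  priority 7
queue q_dns  priority 6
queue q_ssh  priority 5
queue q_web  priority 4
queue q_mail priority 3
queue q_bulk priority 0 priq(default)

# Internal interface: CBQ. Three 100Kb children of the 300Kb root; "borrow"
# lets an idle person's share be used by the others.
altq on $int_if cbq bandwidth $down_bw queue { q_a, q_b, q_c }
queue q_a bandwidth 100Kb cbq(borrow default)
queue q_b bandwidth 100Kb cbq(borrow)
queue q_c bandwidth 100Kb cbq(borrow)

# Outbound. pf takes the LAST matching rule, so the bulk catch-all comes first
# and the protocol-specific rules below override it. The second queue name in
# "queue (x, q_ack)" is used for TCP ACKs carrying no payload and for
# packets marked with the lowdelay TOS bit.
pass out on $ext_if keep state queue (q_bulk, q_ack)
pass out on $ext_if proto { tcp, udp } to any port domain keep state queue (q_dns, q_ack)
pass out on $ext_if proto tcp to any port ssh keep state queue (q_ssh, q_ack)
pass out on $ext_if proto tcp to any port { www, https } keep state queue (q_web, q_ack)
pass out on $ext_if proto tcp to any port { smtp, pop3 } keep state queue (q_mail, q_ack)

# Inbound to the LAN is "out" on the internal interface from pf's point of
# view, so downloads are shaped there, one queue per person's host.
pass out on $int_if to $lan_a keep state queue q_a
pass out on $int_if to $lan_b keep state queue q_b
pass out on $int_if to $lan_c keep state queue q_c
```

Two things to check after loading this with `pfctl -f /etc/pf.conf`: `pfctl -s queue -v` shows per-queue packet and drop counters, so you can confirm traffic actually lands in q_ssh or q_bulk rather than all falling through to the default, and if the external interface is a PPP/PPPoE tunnel make sure the altq line names the tunnel interface, since queueing on the physical NIC underneath it sees only encapsulated packets.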
