2008/5/17 Jesus Sanchez <[EMAIL PROTECTED]>:
> Hi, I'm using OpenBSD 4.2
>
> Here is my network, to explain later:
>
> [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]
>
> I have a little problem when trying to set up an altq bandwidth shape with
> pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
> bandwidth, and also I have set some local servers on my OpenBSD to
> give some services to Joe, but I also want to give it at the 100Kbs
> speed mentioned before, even being local network (up to 100Mbs).
>
> The thing is that I have set the PF rules as the manpages say, and
> everything works as expected when Joe goes out of my box to the internet,
> the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
> from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
> takes a file from my box, or my box from Joe, the speed is very, very
> much higher.
>
> I have tried several things but I can't find the key to this. One thing:
> the speed factor when Joe connects to my OpenBSD is always 40x relative
> to the bandwidth value I give to the altq.
>
>
> my pf.conf (very simple, very unsafe, just to try this)
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> ext_if="rl0"
> int_if="sk0"
>
> scrub in all
>
> altq on $int_if cbq bandwidth 100Kb queue main
> queue main bandwidth 100% cbq(default)
>
> nat on $ext_if from $int_if:network -> $ext_if
>
> block all
> pass queue main
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Thanks for your time
> -Jesus
>
>


If Joe is accessing things on his local LAN, that is, in his subnet,
you will not be able to police this traffic as it never even hits the
gateway (the altq OpenBSD box), so the only limit will be the layer 2
hardware (your switch(es)). Might I suggest putting your servers on a
DMZ as a solution, then Joe will be forced through the gateway for any
server access. If your layer 2 hardware is high end enough you may be
able to do bandwidth control in the layer 2 hardware itself.

As a side note, I don't believe OpenBSD can do altq on anything other
than a physical interface, so if you put the servers on a DMZ, make
sure to use a physical interface, not a VLAN.


-- 
-Lawrence
