Richard, Just a quick correction on the "bandwidth 80%" lines. Change all bandwidth values to percentages or hard values to make it easier to work with. The bandwidth directives can not exceed 100% of the "altq on $ext_if bandwidth 9700kb".
-- Calomel @ http://calomel.org Open Source Research and Reference On Fri, Feb 29, 2008 at 12:24:41PM -0500, Calomel wrote: >Richard, > >HFSC should work for this task. I will give it a go. > >Since we are really concerned about the external interface lets just setup >that queue. The internal interface is probably 100MB or faster so and it >fast enough to not worry about right now. > >First, do you have a 10MB link from the outside interface to your ISP? If >not, we need to set it to the proper number. If you tell HFSC to use more >bandwidth than you really have then you are negating HFSC in practice. > >When we have the proper upload bandwidth to your ISP then we need to choose >an acceptable bandwidth just under it. 97% of the total is a rough idea of >what you are looking for. We want to make sure that our firewall is >queuing the packets and _not_ the upstream router. If we are sending >data faster than an upstream router can handle then they are queue, not >HFSC. We want to avoid upstream queuing at all costs. > >These are the rules I came up with. Brief explanations follow: > >#Total Upload = 10000Kb/s (queue at 97%) >altq on $ext_if bandwidth 9700kb hfsc queue { ack, us, adsl_up, sdsl_up, >default_up } > queue ack bandwidth 80% priority 7 hfsc (realtime 5%) > queue us bandwidth 80% priority 6 hfsc (realtime 5%) > queue adsl_up bandwidth 256Kb priority 5 hfsc (realtime 128Kb upperlimit > 256Kb) { adsl_client1_up, adsl_client2_up } > queue adsl_client1_up bandwidth 12Kb priority 2 hfsc(realtime 12Kb ) > queue adsl_client2_up bandwidth 12Kb priority 1 hfsc(realtime 12Kb ) > queue sdsl_up bandwidth 2048Kb priority 4 hfsc(realtime 512Kb upperlimit > 2048Kb) { sdsl_client1_up, sdsl_client2_up } > queue sdsl_client1_up bandwidth 100Kb priority 2 hfsc(realtime 12Kb ) > queue sdsl_client2_up bandwidth 100Kb priority 1 hfsc(realtime 12Kb ) > queue default_up bandwidth 1% priority 3 hfsc (realtime 5% default) > > >The "ack" rule is for ACKnowlage packets that need to have the highest >priority. This is also explained at http://calomel.org/pf_hfsc.html > >The "us" queue is for your company. since you pay for the connection you get >higher priority and more bandwidth including the ability to share all unused >bandwidth. > >The "adsl_up" is for your adsl clients. They are guarantees 128Kb, but no >more than 256Kb. Each adsl client is guaranteed 12Kb and they each share >bandwidth up to 256Kb total. > >The "sdsl_up" queue is for sdsl clients. They are guarantees 512Kb, but no >more than 2048Kb. Each sdsl client is guaranteed 12Kb and they each share >bandwidth up to 2048Kb total. > >The "default_up" is for any rule that does not fit into the queues above. >They will get lowest priority and at least 5% of the total bandwidth. > > >To apply the queues to a rule just add "queue (us, ack)" for your company's >pass rules or "queue (adsl_client1_up)" for your first adsl client. Notice >I did not put "ack" in the adsl client. We want to limit adsl clients to >256Kb and not give them more bandwidth from the "ack" queue. > > >Hope this helps. I have not tested these rules, but they should work. If >you have more questions or if it works then we would be interested in >hearing from you. > >Hierarchical Fair Service Curve (HFSC) of OpenBSD >http://calomel.org/pf_hfsc.html > >-- > Calomel @ http://calomel.org > Open Source Research and Reference > > >On Fri, Feb 29, 2008 at 03:23:18PM +0000, Richard Wilson wrote: >>Hullo all. >> >>Despite searching both this and the misc@ lists, and porting to misc@ >>and getting useful responses that I should look at >>http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained and >>http://calomel.org/pf_hfsc.html (which I did) I am still failing >>spectacularly to understand how to properly do HFSC. >> >>Having previously posted asking 'How do I do this?' I though perhaps I >>would get better answers if I tried 'This is what I've tried, what am I >>doing wrong?'. >> >>What I'm trying to do: >>We have a leased line for hosting our servers. We don't use anywhere >>near that much, so we resell the spare capacity to other tenants in our >>building, providing a {A,S}DSL-like service. In our setup, this means >>that we have pools of 20 clients, who then contend for the bandwidth >>allocated to that pool. ADSL-alike gets 2Mb down and 256Kb up, SDSL gets >>2Mb both ways. >> >>At the moment, we are on an old setup, from before I'd heard of HFSC. >>There is a single pair of rules for each pool, and all clients in that >>pool get their up- and downstream traffic assigned to those queues. This >>sucks, because if any one client tries to whore over their connection, >>they can take up the entire allocation for their pool. >> >>Instead, I would like to have it so that each client has their own >>queue, which is guaranteed their 20th of the bandwidth, and then >>contends with the other clients in their pool for the remaining 19 >>20ths. Below is my initial attempt at the queue definitions: >> >># Queueing >>altq on $ext_if bandwidth 9.7Mb hfsc(linkshare 9.7Mb upperlimit 9.7Mb) queue >>{ adsl_up, sdsl_up, default_up } >>altq on $int_if bandwidth 9.7Mb hfsc(linkshare 9.7Mb upperlimit 9.7Mb) queue >>{ adsl_dn, sdsl_dn, default_dn } >># All numbers set the same, because that's how the Hednod example had. >>Not sure why. >> >>queue adsl_up bandwidth 256Kb hfsc(realtime 128Kb linkshare 256Kb) { >>adsl_client1_up, adsl_client2_up } >>queue adsl_dn bandwidth 2048Kb hfsc(realtime 512Kb linkshare 2048Kb) { >>adsl_client1_dn, adsl_client2_dn } >>queue sdsl_up bandwidth 2048Kb hfsc(realtime 512Kb linkshare 2048Kb) { >>sdsl_client1_up, sdsl_client2_up } >>queue sdsl_dn bandwidth 2048Kb hfsc(realtime 512Kb linkshare 2048Kb) { >>sdsl_client1_dn, sdsl_client2_dn } >># (Not sure if the realtime bit is needed...) >># Not sure how to do this bit at all in fact. >># Want it so that each pool can take up to 2Mb, but if they're not using >>it, its available to default. >> >># ADSL >># Clients get a guaranteed 1/20th of the bandwidth, and fight with their >>peers >># over the remaining 19/20th. >># 256/20=12, 2048/20=102 (rounded to whole Kb) >>queue adsl_client1_up bandwidth 12Kb hfsc(realtime 12Kb linkshare 256Kb) >>queue adsl_client1_dn bandwidth 100Kb hfsc(realtime 100Kb linkshare 2048Kb) >>queue adsl_client2_up bandwidth 12Kb hfsc(realtime 12Kb linkshare 256Kb) >>queue adsl_client2_dn bandwidth 100Kb hfsc(realtime 100Kb linkshare 2048Kb) >> >># SDSL >># Clients get a guaranteed 1/20th of the bandwidth, and fight with their >>peers >># over the remaining 19/20th. >># 2048/20=102 (rounded to whole Kb) >>queue sdsl_client1_up bandwidth 100Kb hfsc(realtime 12Kb linkshare 256Kb) >>queue sdsl_client1_dn bandwidth 100Kb hfsc(realtime 100Kb linkshare 2048Kb) >>queue sdsl_client2_up bandwidth 100Kb hfsc(realtime 12Kb linkshare 256Kb) >>queue sdsl_client2_dn bandwidth 100Kb hfsc(realtime 100Kb linkshare 2048Kb) >> >># Misc >># non-DSL stuff gets whatever is left over >># Default priority is 7, so make this have a lower priority >>queue default_up bandwidth 2Mb priority 5 hfsc(default realtime 1Mb >>linkshare 9Mb) >>queue default_dn bandwidth 2Mb priority 5 hfsc(default realtime 1Mb >>linkshare 9Mb) >> >> >> >>I initially tried with the bandwidth argument set to the 2Mb/256Kb size, >>thinking that this represented a maximum, but then pf complained that >>the subqueues added up to more than the parent, so I tried this. >>However, this way I still get: >> >>claudas:~# pfctl -nf >>/etc/pf.conf >> >> >>pfctl: linkshare sc exceeds parent's sc >>/etc/pf.conf:36: errors in queue definition >>pfctl: linkshare sc exceeds parent's sc >>/etc/pf.conf:37: errors in queue definition >>pfctl: linkshare sc exceeds parent's sc >>/etc/pf.conf:46: errors in queue definition >>pfctl: linkshare sc exceeds parent's sc >>/etc/pf.conf:51: errors in queue definition >>pfctl: linkshare sc exceeds parent's sc >>/etc/pf.conf:52: errors in queue definition >>claudas:~# uname -a >>OpenBSD claudas 4.2 GENERIC#1 amd64 >>claudas:~# >> >> >>I know I have misunderstood how the numbers work, but I just don't know >>how to make it all fit. >>For those of you who have made it this far, I thank you. >>Any ideas? >> >>(Si1ent)Dave Wilson