Hello OpenBSD fans and pf experts!

I have a problem setting up traffic shaping on OpenBSD. I will try to
explain it as clearly as possible.

MY GOAL:
I plan to do some traffic shaping on my bastion which runs OpenBSD.
That machine acts smoothly as a firewall and a router. An Ethernet ADSL
modem is connected to one interface. A lot of DMZed machines are connected
to 10 other RJ45 plugs and one interface is used to connect the local
network. At some hours the asymmetric ADSL connection is completely
saturated: it is then almost impossible to surf on the internet from the
local network. That is quite normal since the bandwidth of the ADSL line
is only 512/128 Kbps! I know that is really little and therefore I plan to
migrate to a 15/2 Mbps ADSL2 line in the following months. However I
need to solve that congestion problem until then.
I read the pf FAQ and found some useful information about traffic
shaping on OpenBSD. I understand traffic shaping can only take place
on outgoing packets. I have to shape traffic in both directions and I
would like to use the CBQ traffic shaping method.

NETWORK SCHEMA:
I drew a simplified schema on which only 4 interfaces are present. In
fact, there are 6 network interface cards and 12 RJ45 plugs on that
bastion.

                               BASTION
          DMZ                +---------+
 +===================+       |         |
 |  [ DNS  Server ]  |-- dc0-|         |
 |                   |       |         |      128Kbps -->
 |  [ WWW  Server ]  |-- dc1-| OpenBSD |-ep0 ------------- Internet
 +===================+       |         |      <-- 512Kbps
                             |         |
   [ Local Network ] --- dc2-|         |
                             +---------+

OUTBOUND TRAFFIC SHAPING:
As regards the outbound traffic (128Kbps), I plan to create a root
queue on ep0 and assign packets to that queue when they pass in through
the dc0, dc1 and dc2 interfaces. That seems quite simple to set up.

INBOUND TRAFFIC SHAPING: PROBLEM! :-/
Then I tried to figure out how to shape inbound traffic. Inbound traffic
has to be shaped on the outgoing packets going through the dc0, dc1 and
dc2 interfaces. The problem is that an alternate queueing (ALTQ) must be
defined on ONE interface only. Here is an extract from the pf FAQ:
"altq on interface scheduler bandwidth bw qlimit qlim tbrsize size queue
{ queue_list }
interface - the network interface to activate queueing on."
Initially, I thought I would create one 512Kbps ALTQ for the dc0, dc1
and dc2 interfaces but that is not possible. I read in the pf FAQ that a
queue can be valid on several interfaces:
"queue name [on interface] bandwidth bw [priority pri] [qlimit qlim]
scheduler ( sched_options ) { queue_list }
interface - the network interface that the queue is valid on. This value
is optional, and when not specified, will make the queue valid on all
interfaces."
But I am not sure that really helps in my case.

MY QUESTIONS:
- Is it possible to set up a maximum bandwidth limit which would be
  shared and borrowed by several queues acting on several physical
  interfaces?
- If shaping inbound traffic on my multi-homed bastion is impossible,
  must I add a dedicated traffic-shaping dual-homed machine between the
  bastion and the Ethernet modem?

Thanks for your help!
Nicolas, Paris.

-- 
--- OxStOnE --------------  O
- Z750 & Linux -------  ._ /\_>
--- Powered ----------  (x)> (x)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
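A pf.conf fragment for the outbound half described in the post (one CBQ definition on ep0, packets assigned to its queues by the rules that create their state), added here as an illustration; it is not code from the original post or from the pf FAQ. Interface names and line speeds follow the post; the queue names, the bandwidth split, $lan_net and the server addresses are assumptions.

```pf
# Added illustration, not from the original post or the pf FAQ.
# Interfaces and speeds follow the post; everything else is assumed.
ext_if     = "ep0"
lan_if     = "dc2"
lan_net    = "192.168.1.0/24"   # assumed local network
dns_srv    = "10.0.0.53"        # assumed DMZ address behind dc0
www_srv    = "10.0.0.80"        # assumed DMZ address behind dc1

# Upstream (128Kbps): one ALTQ definition on the single upstream
# interface. Child bandwidths must not exceed the parent's, "borrow"
# lets a queue use idle parent bandwidth, and exactly one queue must be
# the default for packets not assigned elsewhere.
altq on $ext_if cbq bandwidth 128Kb queue { ack_out, dmz_out, lan_out }
queue ack_out bandwidth 20% priority 7 cbq(borrow)
queue dmz_out bandwidth 40% priority 3 cbq(borrow)
queue lan_out bandwidth 40% priority 1 cbq(default borrow)

# The queue is stored with the state a rule creates and applied whenever
# a packet of that state leaves through the interface where ALTQ is
# active. For the DMZ servers the state is created by the connection
# arriving on ep0, so the queue goes on that rule and shapes the replies.
# With two queues, empty TCP ACKs and lowdelay packets take the second.
pass in on $ext_if proto { tcp, udp } from any to $dns_srv port 53 \
    keep state queue dmz_out
pass in on $ext_if proto tcp from any to $www_srv port 80 \
    keep state queue (dmz_out, ack_out)

# Local network connections start on dc2 (the "pass in" case the post
# describes); their packets are queued on the way out through ep0.
pass in on $lan_if from $lan_net to any keep state queue (lan_out, ack_out)

# Downstream (512Kbps): ALTQ binds to one interface, so this definition
# shapes only what leaves through dc2. dc0 and dc1 would each need their
# own altq line, and the three would not share one 512Kb limit, which is
# the limitation the post raises. Packets whose state names a queue that
# does not exist on dc2 fall into this interface's default queue.
altq on $lan_if cbq bandwidth 512Kb queue { lan_in }
queue lan_in bandwidth 100% cbq(default)
```

Load it with pfctl -nf /etc/pf.conf first to let the parser check the bandwidth sums, then inspect the live queues with pfctl -vsq.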
