I set up a simple PF configuration which worked fine. I then tried to add some simple queues to the configuration, but all my traffic seems to go through the std queue.
This is for a small home network, with PF being the firewall on my Soekris net4801 acting as the router/firewall for the network. sis0 is the external interface and sis1 is the internal interface. The Internet link connected to sis0 is a Cable connection with 20Mbps downstream and 768Kbps upstream.

I want to allow everything out to the Internet, blocking all direct incoming connections from the Internet apart from SSH which is forwarded to $funkalicious. This all works fine so far :-)

However, I also want to add bandwidth shaping with altq. I want to create two queues - one for $funkalicious that allows it a minimum of 1/3 of the Internet link bandwidth and another queue for everything else that is allowed a minimum of 2/3 of the Internet link bandwidth. Each queue should be able to borrow if there is spare bandwidth, allowing it up to 100% of the Internet link.

I have tried to follow the examples on the OpenBSD/PF website and in /usr/share/pf and whilst my ruleset seems to work, pftop shows that all traffic is always sent/received through the std_in/std_out queues and that nothing ever goes through the adam_in/adam_out queues. I am trying to get all traffic for $funkalicious to go through adam_in/adam_out. At the moment $funkalicious is just one IP address but this may expand in the future...

Below is my pf.conf and also the output from pftop -

    ext_if="sis0"
    int_if="sis1"
    funkalicious="172.16.16.245"

    set block-policy drop
    set skip on lo
    scrub in

    # enable queueing on the external interface to control traffic going to
    # the Internet. upstream bandwidth is 768Kbps
    altq on sis0 cbq bandwidth 768Kb queue { std_out, adam_out }
    queue std_out bandwidth 66% cbq(default, borrow, red)
    queue adam_out bandwidth 34% cbq(borrow, red)

    # enable queuing on the internal interface to control traffic coming in
    # from the Internet. downstream bandwidth is 20Mbps
    altq on sis1 cbq bandwidth 20Mb queue { std_in, adam_in }
    queue std_in bandwidth 66% cbq(default, borrow, red)
    queue adam_in bandwidth 34% cbq(borrow, red)

    nat on $ext_if from !($ext_if) -> ($ext_if:0)
    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
    rdr on $ext_if proto tcp from any to any port 22 -> $funkalicious

    block in
    block out

    pass out on $ext_if from any queue std_out
    pass out on $ext_if from $funkalicious queue adam_out

    anchor "ftp-proxy/*"
    antispoof quick for { lo $int_if }

    pass in on $ext_if inet proto tcp from any to $funkalicious port 22 synproxy state
    pass in quick on $int_if
    pass out on $int_if to any queue std_in
    pass out on $int_if to $funkalicious queue adam_in

    pfTop: Up Queue 1-6/6, View: queue, Cache: 10000                    00:41:37

    QUEUE         BW SCH PRIO  PKTS    BYTES DROP_P DROP_B QLEN BORROW SUSPEN  P/S    B/S
    root_sis0   768K cbq    0 18944  1277451      0      0    0      0      0  203  13762
     std_out    506K cbq      18944  1277451      0      0    0      0      0  203  13762
     adam_out   261K cbq          0        0      0      0    0      0      0    0      0
    root_sis1    20M cbq    0 27012 40639300      0      0    0      0      0  282 427647
     std_in      13M cbq      27012 40639300      0      0    0      0      0  282 427590
     adam_in   6800K cbq          0        0      0      0    0      0      0    0      0

Does anyone have any idea why nothing goes through the adam_in/adam_out queues?

Thanks in advance,
Adam.