Documentation patches?

2018-12-17 Thread Chris McGee 
Hi:

  I'd like to submit some info for the install64.octeon documentation.
I just installed 6.4 on a newer EdgeRouter than the documentation was
written for. The instructions in the install document are probably not
enough to get the average user booted on that particular piece of
hardware.  I'd like to document the install while I still remember it.
Can I submit a patch somewhere?

Thanks!

  --Chris

Re: PF altq and limiting traffic among multiple interfaces

2012-11-20 Thread Chris McGee 
I'm no pro (and I've never seen a connection that had a transfer cap
applied to upstream+downstream), but if I was limited to 512 kb/s up+down,
I'd want to:

1) Prioritize ACKs to limit getting hammered with retransmits
2) Throttle guests tightly but allow them to borrow from other queues; not
too much, as if we allow 256k upstream we're probably getting back a lot
more bottlenecked up on the downstream. PF can't control how much data hits
the downstream except by limiting the upstream.
3) Have an upstream router that supports ECN/RED :P
4) Use the fancy HFSC scheduler! (huzzah)


For example:

altq on $ext_if bandwidth 128Kb hfsc queue { ack, dns, hipri, def, guest1,
guest2 }
  queue ack   bandwidth 60% priority 6 qlimit 200 hfsc (realtime 30% ecn)
  queue dns   bandwidth 10% priority 5 qlimit 200 hfsc (realtime 20% ecn)
  queue hipri bandwidth 10% priority 4 qlimit 150 hfsc (realtime 20% ecn)
  queue def   bandwidth  10% priority 2 qlimit 100 hfsc (realtime 20% ecn
default)
  queue guest1  bandwidth  5% priority 0 qlimit 50 hfsc (upperlimit 15% red)
  queue guest2  bandwidth  5% priority 0 qlimit 50 hfsc (upperlimit 15% red)

block in all
block out on $ext_if
block out log on $int_if
block out log on $guest1_if
block out log on $guest2_if
block out log on $dmz_if

# Now to allow some traffic. For example, let's allow DNS traffic out unto
the internets at priority 5, and its TCP ACKs at priority 6:
pass out on $ext_if proto {tcp udp} from any to any port 53 queue (dns, ack)

Haven't tried it, but I imagine that that ruleset beats the hell out of
plain old filtering from the end users' perspective.  You'll obviously need
to add all the packet filtering rules for it to work, but that would be my
first shot at the queueing.

Note that all the queues except guest1 and guest2 are allowed to borrow
bandwidth up to 100% of the 256kb queue, but guest1 and guest2 are
restricted to a max of 15% of that (so the 2 guest nets can do a max of 30%
of total outbound).

Note also that we're limiting outbound traffic to 128kb because outbound +
inbound are rate limited to 512k. Might actually have to reduce that a
little to speed things up once it gets congested; play with it and see!

Also, there's a high probability that something about this is wrong/stupid,
as it's untested, but I'm sure someone will correct me. ;)


On Tue, Nov 20, 2012 at 5:45 PM, Mikolaj Kucharski
miko...@kucharski.namewrote:

 Hi,

 Searched for this for a while. Found below old post, without answer. Is
 this actually possible to setup that way?


  From http://marc.info/?l=openbsd-pfm=112015092309886w=2
 
  List:   openbsd-pf
  Subject:Altq - limiting traffic among multiple interfaces
  From:   Jonathan Camenisch alaythia () gmail ! com
  Date:   2005-06-30 14:15:55
  Message-ID: fd5fdde005063007153fc4c2c2 () mail ! gmail ! com
 
  In our organization, I'd like to use Altq to keep any one process
  (download or whatever) from hogging bandwidth and degrading
  performance for others. It's more complicated than I expected, though,
  and I haven't been able to find an example that's much like my
  environment (I'd be glad to publish mine if I could get it working
  well). Here's the layout:
 
   Office (internal) subnet DMZ
 |   /
   [fxp0]  [fxp1]
  Internet ---[fxp4]OpenBSD/pf firewall
   [fxp2]  [fxp3]
 |   \
  Guest class 1 subnet  Guest class 2 subnet
 
  We have sort of a conference center, so we're providing access for
  guests as well as offices. Hence all the subnets. We also host some of
  our own web sites on the DMZ.
 
  Now to make it more complicated, our fractional T1 provides 512Kb of
  *total* bandwidth. That is, the total of upload *and* download
  bandwidth can never exceed 512Kb.
 
  Ideally, I would like to set up a single 512k queue and divy it up
  (with cbq) among all traffic that passes in or out of fxp4, regardless
  of which interface it exits. (I'd really like to allow borrowing among
  all directions.)
 
  But as far as I know, there's no way to do exactly that. What I'm
  hoping someone could suggest is, what's the best I can do? That is,
  how can I get the best utilization out of my limited connection while
  preventing anything from hogging it?
 
  Forgive me if I'm overlooking information that's already available.
  I'm afraid my brain's gotten a little scrambled trying to adapt the
  altq model to this scenario. Thank you for your time!
 
  Jonathan


 --
 best regards
 q#

Re: Hardware hunting

2012-11-15 Thread Chris McGee 
Thanks for all the feedback!

I really like the look of the Soekris boards.

The Soekris website isn't that helpful, but I jotted down all my research
in case someone else wanted to look at it:

https://docs.google.com/spreadsheet/ccc?key=0AqjAAj_-IRQkdEs3TWNkZnZrUGs0S0FjYnRYQjFJZlE
(That's not meant to be comprehensive; I stopped researching a model when
it failed one of my requirements.)

The text-only version (for those reading this in elm or pine :P)  is:

The Soekris Net6x series is an Intel Atom E6 with an EG20T, and 4 82574L
10/100/1000 chips, which are supported by the em driver.  $299 - $456 for
the board.
The Soekris Net5x series is an AMD Geode LX with a CS5536, and 4 VT6105m
10/100 chips, which are supported by the vr driver.  $254 - $222 for the
board.
The Soekris Net4x series uses an anonymous ethernet chip that you can't
quite read in the photos and it's not listed in the spec sheet.  I am
pretty sure the Net4501-30 has a VM552RR chip, but I don't know who makes
that. It does have a logo that looks a bit like an old Via logo.   $135 -
$178 for the board, but my current guess is that that mystery ethernet chip
is not gonna have a driver.

I think I will probably spring for the 6501-50 with their custom enclosure
and external power. That lists at $380, plus $50 for a cheapo SSD, and I
should be running at less than 30 watts for $480- which is a savings of
1,227 KWh per year (or about $283 at my local power rates), so it'll pay
for itself in around 19 months. (Since I want to go to bed, I'm not going
to attempt to figure in the change in heat loading's effect on heating and
AC bills... they'll balance each other out, dammit. ;)   )

Thanks again!


On Thu, Nov 15, 2012 at 4:47 PM, Chris McGee cmcge...@gmail.com wrote:

 Hi guys-

   I am hunting for a low-power firewall for my home network. For at least
 10 years, whenever my firewall hardware has started to die, I've grabbed a
 decommissioned game PC, added a few NIC's, and put OpenBSD on it.  The
 firewall's current incarnation pulls about 160 watts 24/7; I'd like to
 lower that by a lot.

   Requirements are:
1) Low power (50w; I want it to pay for itself before the hardware
 dies)
2) 4 network interfaces (3 gigabit, one gigabit or 100mbps)
3) Cheaper is better (e.g., a $200 4-port PCIE NIC on a $75 motherboard
 is suboptimal)
4) Works with OpenBSD 5.2
5) Won't cause a hardware bottleneck when pushing 200mbps of
 multidirectional traffic through a moderately complex pf ruleset (this
 doesn't take a lot of CPU; a 1 GHz Athlon runs at about 2% under load, and
 most of that is from hardware interrupts).

   It looks like a lot of people use the Alix 2D13 for this, but I rejected
 it for poor throughput (it would be great for the internet connection, but
 it sounds like it might be a serious bottleneck between the internal
 networks).

   Jetway makes a number of promising-looking Atom boards, including the
 4-interface NF38, but the NF38 and many other JetWays use the Realtek
 RTL8111EVL, which doesn't appear to be OpenBSD-friendly. You can add
 interfaces to Jetway boards via their daughterboards, but those are either
 Realtek RTL8111F or Intel 82574L; same problem.  (Google turns up one
 report of the RTL8111 series sorta working with -current, but if you read
 the guy's dmesg, it doesn't look like he HAS an RTL8111 in the first place.)


   ...anyway, if you have a low-power OpenBSD network appliance with 3-4
 interfaces that you're happy with, please give me a yell. I've been through
 a lot of boards without finding a winner so far!

Re: New scheduler, same problem (ALTQ questions)

2008-09-24 Thread Chris McGee 
Giancarlo, thank you for your ideas.





  2) Regarding hfsc, what is the old bandwidth statement used for? It 
 seems 
  like it would be obsolete. Changing it doesn't seem to affect 
 anything, 
  either. The manpage doesn't say. :)

 What do you mean by old bandwidth?
 
 
 
 
 
 I mean that the bandwidth statement seems to be deprecated... you can set 
 those numbers to anything you want, and the behavior of the scheduler 
 doesn't seem to change. Also, upper limit, lower limit, priority, and 
 linkshare are all specifically defined in other statements, so it seems 
 like a bandwidth directive really doesn't give the scheduler any 
 instructions that it didn't already have.
 
 
 
 What I'm asking is whether hfsc even looks at the value of the 
 bandwidth statement. (I know that it is used in cbq and priq, and I 
 know what it does there, but hfsc is new to me. :)  )
 
 
 
 
 The linkshare statement specify how much of the bandwidth of that queue
 will be shared with other queues when not used. Think in it like a
 shared pool.
 
 
 
 Ahh, it must default to 100% then, because I see full usage (up to 
 whatever I define the bandwidth as) of the link with no linkshare 
 statements in my config file.
 
 
  If you modem doesn't get to renegotiate the speed with you ISP, then 
 you are doomed,
 
 because snmp won't work, so you variable rate won't work either. 
 
 
 
 I never thought of using snmp for this. I bet it doesn't help even if it 
 does work (I bet everyone's modem is running at 38mb/s, and the bandwidth 
 of the segment itself limits the number of packets that pass), but if the 
 client modems DO renegotiate individual speeds, that would be neat. I 
 have a Motorola SB5100, which does have some SNMP functions. I'm 
 installing scli from ports right now, and I'll play with it. That would 
 rock. However, I bet it doesn't renegotiate; my available bandwidth just 
 depends on how much traffic the other users on my segment are generating.
 
 
 
 You can do something. You can install syweb or any other graph tool to 
 measure how
 your bandwidth vary trough, i'd say, a week. Based on that, you can have
 cron entries to change you hfsc rates trough the day. This could work 
 also.
 
 
 
 That's a good idea, but that is sort of hit or miss since the congestion 
 is obviously sort of random.
 
 
 
 Thanks again! I'll let you know how the snmp thing works out (still 
 building dependencies) :).

New scheduler, same problem (ALTQ questions)

2008-09-21 Thread Chris McGee 
Hi guys-



  I've been using an OpenBSD firewall on my home network for about 10 
years. I recently upgraded the hardware to a retired gaming machine and 
went to OpenBSD 4.3 (woo!).



  I'm playing with the new scheduler in altq, and I like the way that it 
works, but the documentation is iffy and it still doesn't look like it 
solves one problem that priq and cbq couldn't solve...  prioritizing 
outbound traffic on a variable-bandwidth link. (Yes, I've got a cable 
modem. =D)



  Here's the problem I'm trying to solve: My cable modem allows around 
750kb/s when traffic is really ugly, and about 2100kb/s in the dead of the 
night.  In order for the scheduler to know when to start limiting traffic, 
I have to tell it how fast the link is but I don't *know* how fast the 
link is, because it varies.



  I've been trying the following rules:



altq on $ext_if bandwidth 2048Kb hfsc queue { ack, dns, games, def, bt }
  queue ack   bandwidth 80% priority 6 qlimit 500 hfsc (realtime 50% 
ecn)
  queue dns   bandwidth  5% priority 5 qlimit 500 hfsc (realtime 5% 
ecn)
  queue games bandwidth  5% priority 3 qlimit 500 hfsc (realtime 5% ecn)
  queue def   bandwidth  5% priority 2 qlimit 500 hfsc (realtime 10% 
ecn default)
  queue bt  bandwidth  5% priority 1 qlimit 500 hfsc (upperlimit 80% 
red)



(the ack queue is TCP ack's, the dns queue is DNS requests, high priority 
user traffic and VOIP goes in games, and the rest is regular and 
low-priority user traffic.



When I'm usually using the internet connection, my outbound bandwidth is 
probably around 1200kb.  Cranking the bandwidth down to 750 or so is one 
solution, but then I'm artificially limiting my own upstream to the worst 
case scenario.



My questions are:



1) Is there a more effective way I could be doing the above?

2) Regarding hfsc, what is the old bandwidth statement used for? It seems 
like it would be obsolete. Changing it doesn't seem to affect anything, 
either. The manpage doesn't say. :)

3) Another hfsc question- exactly what does the linkshare statement do? The 
manpage says :  linkshare sc The bandwidth share of a backlogged 
queue.).





Thanks :)



--Chris