Re: pf-altq-bandwith_problem
2008/5/17 Jesus Sanchez <[EMAIL PROTECTED]>:
> Hi, I'm using OpenBSD 4.2
>
> Here is my network to explain later:
>
> [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]
>
> I have a little problem when trying to set up an altq bandwidth shape with
> pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
> bandwidth, and also I have set some local servers on my OpenBSD to
> give some services to Joe, but I also want to give it at the 100Kbs
> speed mentioned before, even being local network (up to 100Mbs).
>
> The thing is that I have set the PF rules as manpages say, and
> everything works as expected when Joe goes out of my box to the internet,
> the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
> from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
> takes a file from my box, or my box from Joe, the speed is very very
> much higher.
>
> I have tried several things but I don't find the key to this. One thing:
> the speed factor when Joe connects to my OpenBSD is always 40x relative
> to the bandwidth value I give to the altq.
>
>
> my pf.conf (very simple, very unsafe, just to try this)
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> ext_if="rl0"
> int_if="sk0"
>
> scrub in all
>
> altq on $int_if cbq bandwidth 100Kb queue main
> queue main bandwidth 100% cbq(default)
>
> nat on $ext_if from $int_if:network -> $ext_if
>
> block all
> pass queue main
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Thanks for your time
> -Jesus

If Joe is accessing things on his local lan, that is, in his subnet,
you will not be able to police this traffic as it never even hits the
gateway (altq openbsd box), so the only limit will be the layer 2
hardware (your switch(s)). Might I suggest putting your servers on a
dmz as a solution, then Joe will be forced through the gateway for any
server access. If your layer2 hardware is high end enough you may be
able to do bandwidth control in the layer2 hardware itself.

As a side note, I don't believe openbsd can do altq on anything other
than a physical interface, so if you put the servers on a dmz, make
sure to use a physical interface, not a vlan.

--
-Lawrence

Re: pf-altq-bandwith_problem
Lord Sporkton wrote:
> 2008/5/17 Jesus Sanchez <[EMAIL PROTECTED]>:
>> Hi, I'm using OpenBSD 4.2
>>
>> Here is my network to explain later:
>>
>> [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]
>>
>> I have a little problem when trying to set up an altq bandwidth shape with
>> pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
>> bandwidth, and also I have set some local servers on my OpenBSD to
>> give some services to Joe, but I also want to give it at the 100Kbs
>> speed mentioned before, even being local network (up to 100Mbs).
>>
>> The thing is that I have set the PF rules as manpages say, and
>> everything works as expected when Joe goes out of my box to the internet,
>> the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
>> from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
>> takes a file from my box, or my box from Joe, the speed is very very
>> much higher.
>>
>> I have tried several things but I don't find the key to this. One thing:
>> the speed factor when Joe connects to my OpenBSD is always 40x relative
>> to the bandwidth value I give to the altq.
>>
>>
>> my pf.conf (very simple, very unsafe, just to try this)
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> ext_if="rl0"
>> int_if="sk0"
>>
>> scrub in all
>>
>> altq on $int_if cbq bandwidth 100Kb queue main
>> queue main bandwidth 100% cbq(default)
>>
>> nat on $ext_if from $int_if:network -> $ext_if
>>
>> block all
>> pass queue main
>>
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> Thanks for your time
>> -Jesus
>
> If Joe is accessing things on his local lan, that is, in his subnet,
> you will not be able to police this traffic as it never even hits the
> gateway (altq openbsd box), so the only limit will be the layer 2
> hardware (your switch(s)). Might I suggest putting your servers on a
> dmz as a solution, then Joe will be forced through the gateway for any
> server access. If your layer2 hardware is high end enough you may be
> able to do bandwidth control in the layer2 hardware itself.
>
> As a side note, I don't believe openbsd can do altq on anything other
> than a physical interface, so if you put the servers on a dmz, make
> sure to use a physical interface, not a vlan.

I don't want to disturb, but I think you're not right. I want to shape
the bandwidth of the full interface, I know that if Joe is in a lan with
another PC, the speed limit is the hardware limit, but I just want to
limit one of the interfaces on my OpenBSD box to a certain number of Kbs
(100Kbs), so PF already made changes, but I saw this weird behaviour and
want to make the 100Kbs limit universal to all the interface transfers.

If Joe wants a file from the OpenBSD gateway running a limit of 100Kbs
(pf+altq), even to get a file from the gateway box by FTP, the 100Kbs
limit should take effect, or not? Please, I'm really a noob with this and I
don't want to bother anyone with my words, I just talk about what I
think, if I'm wrong, please let me know.

Note: DMZ is not possible for this project, I only have the same
PC to make as OpenBSD and FTP server to the "joe" users.

Thanks for your time.
-Jesus

Re: pf-altq-bandwith_problem
2008/5/17 Jesus Sanchez <[EMAIL PROTECTED]>:
> Lord Sporkton wrote:
>> 2008/5/17 Jesus Sanchez <[EMAIL PROTECTED]>:
>>> Hi, I'm using OpenBSD 4.2
>>>
>>> Here is my network to explain later:
>>>
>>> [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]
>>>
>>> I have a little problem when trying to set up an altq bandwidth shape with
>>> pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
>>> bandwidth, and also I have set some local servers on my OpenBSD to
>>> give some services to Joe, but I also want to give it at the 100Kbs
>>> speed mentioned before, even being local network (up to 100Mbs).
>>>
>>> The thing is that I have set the PF rules as manpages say, and
>>> everything works as expected when Joe goes out of my box to the internet,
>>> the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
>>> from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
>>> takes a file from my box, or my box from Joe, the speed is very very
>>> much higher.
>>>
>>> I have tried several things but I don't find the key to this. One thing:
>>> the speed factor when Joe connects to my OpenBSD is always 40x relative
>>> to the bandwidth value I give to the altq.
>>>
>>>
>>> my pf.conf (very simple, very unsafe, just to try this)
>>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>
>>> ext_if="rl0"
>>> int_if="sk0"
>>>
>>> scrub in all
>>>
>>> altq on $int_if cbq bandwidth 100Kb queue main
>>> queue main bandwidth 100% cbq(default)
>>>
>>> nat on $ext_if from $int_if:network -> $ext_if
>>>
>>> block all
>>> pass queue main
>>>
>>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>
>>> Thanks for your time
>>> -Jesus
>>
>> If Joe is accessing things on his local lan, that is, in his subnet,
>> you will not be able to police this traffic as it never even hits the
>> gateway (altq openbsd box), so the only limit will be the layer 2
>> hardware (your switch(s)). Might I suggest putting your servers on a
>> dmz as a solution, then Joe will be forced through the gateway for any
>> server access. If your layer2 hardware is high end enough you may be
>> able to do bandwidth control in the layer2 hardware itself.
>>
>> As a side note, I don't believe openbsd can do altq on anything other
>> than a physical interface, so if you put the servers on a dmz, make
>> sure to use a physical interface, not a vlan.
>
> I don't want to disturb, but I think you're not right. I want to shape
> the bandwidth of the full interface, I know that if Joe is in a lan with
> another PC, the speed limit is the hardware limit, but I just want to
> limit one of the interfaces on my OpenBSD box to a certain number of Kbs
> (100Kbs), so PF already made changes, but I saw this weird behaviour and
> want to make the 100Kbs limit universal to all the interface transfers.
>
> If Joe wants a file from the OpenBSD gateway running a limit of 100Kbs
> (pf+altq), even to get a file from the gateway box by FTP, the 100Kbs
> limit should take effect, or not? Please, I'm really a noob with this and I
> don't want to bother anyone with my words, I just talk about what I
> think, if I'm wrong, please let me know.
>
> Note: DMZ is not possible for this project, I only have the same
> PC to make as OpenBSD and FTP server to the "joe" users.
>
> Thanks for your time.
> -Jesus

You would need to run the queue outbound on the int_if, which is what
it looks like you're doing. So in theory, your setup is right, as long as
whatever you're downloading from is on the other side of that int_if
you should only see 100Kbs down to that whole int_if.

If you are getting more than 100Kbs take a look at "pfctl -vvs queue"

--
-Lawrence

Re: pf-altq-bandwith_problem
On 2008-05-18, Lord Sporkton <[EMAIL PROTECTED]> wrote:
> As a side note, I don't believe openbsd can do altq on anything other
> than a physical interface, so if you put the servers on a dmz, make
> sure to use a physical interface, not a vlan.

altq works here on pppoe and vlan.

Re: pf-altq-bandwith_problem
Maxim Belooussov wrote:
> Hi,
>
>> I have a little problem when trying to set up an altq bandwidth shape with
>> pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
>> bandwidth, and also I have set some local servers on my OpenBSD to
>> give some services to Joe, but I also want to give it at the 100Kbs
>> speed mentioned before, even being local network (up to 100Mbs).
>>
>> my pf.conf (very simple, very unsafe, just to try this)
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> ext_if="rl0"
>> int_if="sk0"
>>
>> scrub in all
>>
>> altq on $int_if cbq bandwidth 100Kb queue main
>> queue main bandwidth 100% cbq(default)
>>
>> nat on $ext_if from $int_if:network -> $ext_if
>>
>> block all
>> pass queue main
>>
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Have you tried tagging the traffic for Joe and then altq it on tag?
>
> or, first, you could try this one first:
>
> pass out on $int_if queue main
>
> (sorry if it didn't help, I haven't played with altq since I left adsl
> world three years ago)
>
> Max

I will try, thanks for the info. Just to make sure I'm not dealing with
a bug can anyone try this??... just set a global limit to an interface
($int_if), then do an ftp transfer to the gateway (the one with the
PF+ALTQ) and time the put and get transfers with a large file.

When I get a download time of 3 minutes, the upload is of 10 seconds... :s

Thanks for your time.
-Jesus

Re: pf-altq-bandwith_problem
> I will try, thanks for the info. Just to make sure I'm not dealing with
> a bug can anyone try this??... just set a global limit to an interface
> ($int_if), then do an ftp transfer to the gateway (the one with the
> PF+ALTQ) and time the put and get transfers with a large file.
>
> When I get a download time of 3 minutes, the upload is of 10 seconds... :s

Hi,

Just a shot in the dark here. Maybe I totally misunderstood your sentence:

"When I get a download time of 3 minutes, the upload is of 10 seconds..."

Did you mean:

"_While_ I get a download time of 3 minutes, the upload is of 10 seconds..."

If that's what you meant, isn't that behavior normal? Considering that
(as the PF user's guide puts it):

"Note that queueing is only useful for packets in the outbound
direction. Once a packet arrives on an interface in the inbound
direction it's already too late to queue it -- it's already consumed
network bandwidth to get to the interface that just received it."

Sorry if my question is beside the point! :o)

-Martin

Re: pf-altq-bandwith_problem
Martin Gignac wrote:
>> I will try, thanks for the info. Just to make sure I'm not dealing with
>> a bug can anyone try this??... just set a global limit to an interface
>> ($int_if), then do an ftp transfer to the gateway (the one with the
>> PF+ALTQ) and time the put and get transfers with a large file.
>>
>> When I get a download time of 3 minutes, the upload is of 10 seconds... :s
>
> Hi,
>
> Just a shot in the dark here. Maybe I totally misunderstood your sentence:
>
> "When I get a download time of 3 minutes, the upload is of 10 seconds..."
>
> Did you mean:
>
> "_While_ I get a download time of 3 minutes, the upload is of 10 seconds..."
>
> If that's what you meant, isn't that behavior normal? Considering that
> (as the PF user's guide puts it):
>
> "Note that queueing is only useful for packets in the outbound
> direction. Once a packet arrives on an interface in the inbound
> direction it's already too late to queue it -- it's already consumed
> network bandwidth to get to the interface that just received it."
>
> Sorry if my question is beside the point! :o)
>
> -Martin

Maybe you're right with the PF user's guide, anyway I explain better
to avoid confusion:

[Joe PC] -- [OpenBSD box] -- Internet,

let's take away the internet, only the Joe - box thing is the matter.

OpenBSD is doing nat as explained in my pf.conf in the original post
of this thread. The OpenBSD box also acts as FTP server, but I want
a limit of 100Kbs (symmetrical 100Kbs) speaking of bits, and not bytes.
So I do the needed rules on pf.conf to make Joe get only 100Kbs of
the interface in OpenBSD box serving Joe PC.

If, from Joe PC, I get a file by ftp from the OpenBSD box, I get
exactly what I want, the 100Kb limit. (at the same time I'm not doing
anything with the net, like browsing or getting mail...)

If, from Joe PC, I put a file by ftp to OpenBSD box, then the problem
appears, and the speed goes up by a factor of 40x. If I change the
bandwidth value on altq rule of pf.conf, then the speed of put a file
on OpenBSD box also changes, but is 40 times more speed. I mean, I
want symmetrical 100Kbs limit on the interface to Joe PC, can I have
this setting?

I hope not to be making noise in the mail list.

Thanks for your time.
-Jesus

Re: pf-altq-bandwith_problem
>> If that's what you meant, isn't that behavior normal? Considering that
>> (as the PF user's guide puts it):
>>
>> "Note that queueing is only useful for packets in the outbound
>> direction. Once a packet arrives on an interface in the inbound
>> direction it's already too late to queue it -- it's already consumed
>> network bandwidth to get to the interface that just received it."
>
> [Joe PC] -- [OpenBSD box] -- Internet,
>
> limit of 100Kbs (symmetrical 100Kbs) speaking of bits, and not bytes.
> So I do the needed rules on pf.conf to make Joe get only 100Kbs of
> the interface in OpenBSD box serving Joe PC.
>
> If, from Joe PC, I get a file by ftp from the OpenBSD box, I get
> exactly what I want, the 100Kb limit. (at the same time I'm not doing
> anything with the net, like browsing or getting mail...)
>
> If, from Joe PC, I put a file by ftp to OpenBSD box, then the problem
> appears, and the speed goes up by a factor of 40x. If I change the
> bandwidth value on altq rule of pf.conf, then the speed of put a file
> on OpenBSD box also changes, but is 40 times more speed. I mean, I
> want symmetrical 100Kbs limit on the interface to Joe PC, can I have
> this setting?

When Joe downloads _from_ the OpenBSD box, then queuing is involved
(and seems to work in your case) because the majority of data (FTP
data) is being sent *out* of the OpenBSD box (hence, in the outbound
direction from the point of view of the interface) and therefore _is_
subject to your queueing parameters.

When Joe uploads _to_ the OpenBSD box, then queueing is _not_ involved
since the data is coming _in_ to the box, and ALTQ cannot shape
_incoming_ traffic.

The way I see it, the only way for you to shape traffic symmetrically
in both directions is to run your FTP server on another machine than
the OpenBSD one, make sure that traffic between Joe's box and the FTP
server gets _routed_ via the OpenBSD box, and apply your queue on the
"Joe-side" interface and on the "FTP-side" interface. That way, you'll
be shaping the traffic going from Joe's to the FTP box as well since
the FTP traffic from Joe's uploads will be shaped at the egress
interface when the packets are moving from the OpenBSD box towards the
FTP server.

Hope this helps,
-Martin

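The routed layout described in the message above, written out as an added pf.conf example that is not part of the original thread. It assumes OpenBSD 4.2-era ALTQ syntax and a third interface facing a separate FTP server; the `ftp_if` macro, its `fxp0` device name and the queue names are hypothetical.

```conf
# Added example (not from the thread). Assumes OpenBSD 4.2-era ALTQ syntax.
# ext_if and int_if are the thread's interfaces; ftp_if (fxp0) and the
# queue names to_joe / to_ftp are hypothetical.
ext_if="rl0"
int_if="sk0"     # Joe's side
ftp_if="fxp0"    # side of the separate FTP server (hypothetical third NIC)

scrub in all

# ALTQ only queues packets leaving an interface, so each direction of the
# Joe <-> FTP transfer is shaped on the interface it exits through.

# Downloads: FTP server -> Joe, leaving the gateway on $int_if.
altq on $int_if cbq bandwidth 100Kb queue { to_joe }
queue to_joe bandwidth 100% cbq(default)

# Uploads: Joe -> FTP server, leaving the gateway on $ftp_if.
altq on $ftp_if cbq bandwidth 100Kb queue { to_ftp }
queue to_ftp bandwidth 100% cbq(default)

nat on $ext_if from $int_if:network -> $ext_if

block all
# Forwarded traffic is let in unqueued and queued on its way out.
pass in  on $int_if
pass in  on $ftp_if
pass out on $int_if queue to_joe
pass out on $ftp_if queue to_ftp
pass out on $ext_if
```

Running `pfctl -vvs queue`, the command suggested earlier in the thread, during a put and a get shows which of the two queues is counting the bulk data in each direction.
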
(Fwd) Re: pf-altq-bandwith_problem
Sorry, missed misc@ when replying...

On 18 May 2008 at 19:16, Jesus Sanchez wrote:

> Martin Gignac wrote:
> >> I will try, thanks for the info. Just to make sure I'm not dealing
> >> with a bug can anyone try this??... just set a global limit to an
> >> interface ($int_if), then do an ftp transfer to the gateway (the
> >> one with the PF+ALTQ) and time the put and get transfers with a
> >> large file.
> >>
> >> When I get a download time of 3 minutes, the upload is of 10
> >> seconds... :s
> >
> > Hi,
> >
> > Just a shot in the dark here. Maybe I totally misunderstood your
> > sentence:
> >
> > "When I get a download time of 3 minutes, the upload is of 10
> > seconds..."
> >
> > Did you mean:
> >
> > "_While_ I get a download time of 3 minutes, the upload is of 10
> > seconds..."
> >
> > If that's what you meant, isn't that behavior normal? Considering
> > that (as the PF user's guide puts it):
> >
> > "Note that queueing is only useful for packets in
> > the outbound direction. Once a packet arrives on an interface in
> > the inbound direction it's already too late to queue it -- it's
> > already consumed network bandwidth to get to the interface that
> > just received it."
> >
> > Sorry if my question is beside the point! :o)
> > -Martin
>
> Maybe you're right with the PF user's guide, anyway I explain better
> to avoid confusion:
>
> [Joe PC] -- [OpenBSD box] -- Internet,
>
> let's take away the internet, only the Joe - box thing is the matter.
>
> OpenBSD is doing nat as explained in my pf.conf in the original post
> of this thread. The OpenBSD box also acts as FTP server, but I want
> a limit of 100Kbs (symmetrical 100Kbs) speaking of bits, and not bytes.
> So I do the needed rules on pf.conf to make Joe get only 100Kbs of
> the interface in OpenBSD box serving Joe PC.
>
> If, from Joe PC, I get a file by ftp from the OpenBSD box, I get
> exactly what I want, the 100Kb limit. (at the same time I'm not doing
> anything with the net, like browsing or getting mail...)
>
> If, from Joe PC, I put a file by ftp to OpenBSD box, then the problem
> appears, and the speed goes up by a factor of 40x. If I change the
> bandwidth value on altq rule of pf.conf, then the speed of put a file
> on OpenBSD box also changes, but is 40 times more speed. I mean, I
> want symmetrical 100Kbs limit on the interface to Joe PC, can I have
> this setting?

Not easily. As Martin pointed out, pf can only control outbound
bandwidth, i.e. from the OpenBSD box out to Joe and not the other way
around. So any control applied to the opposite direction is indirect.
That is, you can slow down most TCP protocols (such as FTP) by slowing
down the ACKnowledgements of the received packets. But of course the
ACK packets do not use nearly as much bandwidth as the data packets
they are acknowledging. The 40x ratio you have observed sounds quite
reasonable given header overheads.

So, if you want to try to control Joe's upload bandwidth you will need
to set up a special very slow queue for the FTP ACK packets.

> I hope not to be making noise in the mail list.
>
> Thanks for your time.
> -Jesus

--- End of forwarded message ---

-
System Administrator [EMAIL PROTECTED]
Bitwise Internet Technologies, Inc.
22 Drydock Avenue    tel: (617) 737-1837
Boston, MA 02210     fax: (617) 439-4941