Re: limiting outbound throughput from an IP using altq

2006-12-17 Thread rootrider
- Original Message -
From: Stuart Henderson [EMAIL PROTECTED]
Sent: Friday, December 15, 2006 12:05 AM
Subject: Re: limiting outbound throughput from an IP using altq


> On 2006/12/14 16:33, rootrider wrote:
> > Traffic is being assigned to the nick_int queue, and inbound
> > (from the internet to the lan) traffic is being limited... to my
> > surprise. That doesn't even make any sense to me.
>
> Use the same name for queues on each interface, e.g.
>
>   altq on $ext_if cbq bandwidth 950Kb queue { nick, other }
>     queue nick on $ext_if    bandwidth 1% priority 1 cbq
>     queue other on $ext_if   bandwidth 99% priority 7 cbq(default, borrow)
>
>   altq on $int_if cbq bandwidth 8Mb queue { nick, other }
>     queue nick on $int_if    bandwidth 1% priority 1 cbq
>     queue other on $int_if   bandwidth 99% priority 7 cbq(default)
>
> 'pass...keep state queue foo_in' rules mean that packets matching the
> state (i.e. in _both_ directions) are assigned to queue foo_in, which is
> not what you want. Using 'queue..on $if1' and 'queue...on $if2' creates
> two queues with the same name so that a single 'pass' rule assigns
> packets to the queue for whichever interface is relevant.
>
> (thanks to Henning on the pf mailing list for the tip about this).

well, I tried this.. even plugged the exact text in here and used
that as my sole altq configuration. I got the exact same result I
had before: unlimited upload speed and download speed limited to
80 kbps. I've got to be missing something somewhere... Isn't
there anyone with a working pf.conf that limits upload speed of
an IP?
--
Joel
[rootrider]



Re: limiting outbound throughput from an IP using altq

2006-12-15 Thread Stuart Henderson
On 2006/12/14 16:33, rootrider wrote:
> Traffic is being assigned to the nick_int queue, and inbound
> (from the internet to the lan) traffic is being limited... to my
> surprise. That doesn't even make any sense to me.

Use the same name for queues on each interface, e.g.

  altq on $ext_if cbq bandwidth 950Kb queue { nick, other }
    queue nick on $ext_if    bandwidth 1% priority 1 cbq
    queue other on $ext_if   bandwidth 99% priority 7 cbq(default, borrow)

  altq on $int_if cbq bandwidth 8Mb queue { nick, other }
    queue nick on $int_if    bandwidth 1% priority 1 cbq
    queue other on $int_if   bandwidth 99% priority 7 cbq(default)

'pass...keep state queue foo_in' rules mean that packets matching the
state (i.e. in _both_ directions) are assigned to queue foo_in, which is
not what you want. Using 'queue..on $if1' and 'queue...on $if2' creates
two queues with the same name so that a single 'pass' rule assigns
packets to the queue for whichever interface is relevant.

(thanks to Henning on the pf mailing list for the tip about this).



limiting outbound throughput from an IP using altq

2006-12-14 Thread rootrider
OpenBSD 3.9 i386, using pf/altq

I have a nat/firewall box running here, with our cable internet
(6mbps/1mbps) on the external interface and our lan (100mbps) on
the internal interface. I'm attempting to assign outbound traffic
from an internal IP (10.0.0.243 in this case) to 1% of the total
queue. I feel like I'm missing something really obvious here. If
anyone can tell me what I'm doing wrong I would *really*
appreciate it.

Traffic is being assigned to the nick_int queue, and inbound
(from the internet to the lan) traffic is being limited... to my
surprise. That doesn't even make any sense to me.

No traffic is being assigned to nick_ext at all.. everything is
showing up on the default queue (other) instead.

I'm using 'pfctl -vvs queue' to check whether any traffic is
being assigned to a queue and using my own IP for $nick_net to
test.

related text from my pf.conf:

=

ext_if   = xl1
int_if   = xl0

nick_net = 10.0.0.243

set block-policy drop
set state-policy if-bound

altq on $ext_if cbq bandwidth 950Kb queue { nick_ext, other }
  queue nick_ext bandwidth 1%  priority 1 cbq
  queue other    bandwidth 99% priority 7 cbq(default, borrow)

altq on $int_if cbq bandwidth 8Mb queue { all_in, nick_int }
  queue all_in   bandwidth 99% priority 7 cbq(default)
  queue nick_int bandwidth 1%  priority 1 cbq

nat on $ext_if from $int_if:network to any -> ($ext_if)

block drop all
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state queue all_in

pass out on $ext_if from any to any keep state queue other

pass in quick on $int_if from $nick_net to any keep state queue nick_int
pass out quick on $ext_if from $nick_net to any keep state queue nick_ext

=

Have I set this up completely wrong or am I just missing
something? I've assigned traffic based on the external
interface's local port successfully before, but if I take that
same rule and specify an internal IP then no traffic is assigned
at all.
--
Joel
[rootrider]
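
The configuration from this thread reworked as an added example (not posted by anyone in the thread): it keeps the same-named queues from Stuart's reply and matches the host's outbound packets on $ext_if by a tag set on $int_if instead of by source address. It assumes that this OpenBSD 3.9-era pf applies the nat rule before filter rules are evaluated on $ext_if, so a rule written 'from $nick_net' never matches there; the tag name NICK is made up for illustration.

```conf
# Added example, not from the thread. Interface names and the host address
# are the ones given in the original post; the tag NICK is hypothetical.
ext_if   = "xl1"
int_if   = "xl0"
nick_net = "10.0.0.243"

set block-policy drop
set state-policy if-bound

# Same queue names on both interfaces, as suggested in Stuart's reply.
altq on $ext_if cbq bandwidth 950Kb queue { nick, other }
  queue nick  on $ext_if bandwidth 1%  priority 1 cbq
  queue other on $ext_if bandwidth 99% priority 7 cbq(default, borrow)

altq on $int_if cbq bandwidth 8Mb queue { nick, other }
  queue nick  on $int_if bandwidth 1%  priority 1 cbq
  queue other on $int_if bandwidth 99% priority 7 cbq(default)

# Assumption: translation happens before filtering on $ext_if, so filter
# rules on $ext_if see ($ext_if) as the source, not 10.0.0.243.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block drop all

# Everyone else: default queue on whichever interface transmits the packet.
pass in  on $int_if from $int_if:network to any keep state queue other
pass out on $int_if from any to $int_if:network keep state queue other
pass out on $ext_if from any to any keep state queue other

# Mark the host's packets while the real source address is still visible.
# The state created here is bound to $int_if, so its replies (the download
# direction) leave $int_if through that interface's 'nick' queue.
pass in quick on $int_if from $nick_net to any tag NICK keep state queue nick

# On $ext_if, match the tag rather than the address. The state created here
# puts the host's uploads into the 'nick' queue on $ext_if.
pass out quick on $ext_if tagged NICK keep state queue nick
```

A syntax check with 'pfctl -nf /etc/pf.conf' followed by 'pfctl -vvs queue' during an upload from the host shows whether the nick queue on $ext_if is now counting packets.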