Re: per-vlan traffic control
On 2015-08-20, Paulo Coimbra wrote:
> Well, considering that only outbound packets can be queued, I've changed
> some rules at pf.conf. Packets that are "outgoing" at $if_Internet are
> upload. Packets that are "outgoing" at vlan100 are download, all right? My
> changed pf.conf is below (but even with these changes, it doesn't work for
> me, I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).

Some tips:

- Use the state table to your advantage. Get rid of the "no state", when you
  understand the other tips you'll see why you don't need it.

- With "pass ... queue XX" (or match/whatever), when a packet matches that
  rule, it creates PF state which is "tagged" with the queue name. When
  traffic is transmitted out of *any* interface, if a queue of the "tagged"
  name exists on that interface, it will be used to throttle transmission.

    match from vlan100:network queue vlan100_traffic
    match to vlan100:network queue vlan100_traffic

  (or similar with "pass", I just find it easier to split these things up)

- The "queue XX on YY" line relates to *where* on the path through the
  network stack the queue takes place. This should normally be on the
  physical interface (if you have "vlandev em2" then queue on em2) not the
  vlan itself.

- You can have the same queue name on more than one interface, e.g.

    queue Internet on em0 bandwidth 10M
    queue vlan100_traffic on em0 parent Internet bandwidth 5M max 5M default
    queue vlan101_traffic on em0 parent Internet bandwidth 1M max 1M default

    queue em1_root VLANs on em1 bandwidth 1G
    queue vlan100_traffic on em1 parent em1_root bandwidth 5M max 5M default
    queue vlan101_traffic on em1 parent em1_root bandwidth 1M max 1M default

  etc.

Troubleshooting:

- Use "systat q" and check traffic is being assigned to the queues you
  expect.

- If packets aren't in the expected queues, identify which rules are
  creating PF state. (pfctl -ss -v, check the rule number, pfctl -sr -R ##).
  If states are being created by unexpected rules, use "match log(matches)"
  and something like "tcpdump -neipflog0 -v" to help debug your ruleset.
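The troubleshooting step above (identify which rules are creating PF state), as an added example that is not part of the original message: a shell helper that counts states per rule number and lists states created by rules you did not expect to assign a queue. The function names are hypothetical, the sample input is constructed, and it assumes each entry in the `pfctl -ss -v` listing ends its detail line with `rule N`.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `pfctl -ss -v` style output on stdin.

# Constructed sample in the shape of `pfctl -ss -v` output (not captured from
# a real system; addresses are documentation ranges).
sample_states() {
cat <<'EOF'
all tcp 192.0.2.10:51514 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
   [1000 + 65535] wscale 6  [2000 + 29200] wscale 7
   age 00:01:12, expires in 23:59:50, 120:98 pkts, 9000:140000 bytes, rule 4
all tcp 192.0.2.11:40222 -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
   [3000 + 65535] wscale 6  [4000 + 29200] wscale 7
   age 00:00:30, expires in 23:59:58, 40:35 pkts, 3000:52000 bytes, rule 7
all udp 192.0.2.12:5353 -> 203.0.113.53:53       MULTIPLE:SINGLE
   age 00:00:05, expires in 00:00:25, 1:1 pkts, 70:120 bytes, rule 4
EOF
}

# Print "<rule number> <state count>" per line, sorted by rule number.
states_per_rule() {
    awk '
        match($0, /rule [0-9]+/) {
            count[substr($0, RSTART + 5, RLENGTH - 5)]++
        }
        END { for (r in count) print r, count[r] }
    ' | sort -n
}

# $1 = space-separated rule numbers that are supposed to create queued state.
# Prints the header line of every state created by any other rule.
unexpected_states() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        /^[^ ]/ { state = $0; next }     # unindented line starts a new state
        match($0, /rule [0-9]+/) {
            r = substr($0, RSTART + 5, RLENGTH - 5)
            if (!(r in ok)) print "rule " r ": " state
        }
    '
}

# On the firewall itself: pfctl -ss -v | states_per_rule
# then inspect a surprising rule with: pfctl -sr -R <number>
sample_states | states_per_rule
sample_states | unexpected_states "4"
```

A state attributed to a rule without a queue assignment will not be throttled, which is the symptom described in this thread.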
Re: per-vlan traffic control
On 20.08.2015 17:31, Paulo Coimbra wrote:
> Hi Atanas,
>
> Thanks for your response. I followed some configurations in that link you
> sent, but nothing had effect. Packets are not going to queues.
>
> br,
>
> Paulo Coimbra
>
> 2015-08-20 10:55 GMT-03:00 Atanas Vladimirov :
>
>> On 20.08.2015 16:35, Paulo Coimbra wrote:
>>
>>> Well, considering that only outbound packets can be queued, I've changed
>>> some rules at pf.conf. Packets that are "outgoing" at $if_Internet are
>>> upload. Packets that are "outgoing" at vlan100 are download, all right? My
>>> changed pf.conf is below (but even with these changes, it doesn't work for
>>> me, I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).
>>>
>>> #
>>> # [0x01] Macros
>>> #
>>> $if_Internet="em1"
>>>
>>> #
>>> # [0x05] Queueing
>>> #
>>> queue Internet on $if_Internet bandwidth 10M
>>> queue vlan100_upload parent Internet bandwidth 5M max 5M default
>>>
>>> queue v100 on vlan100 bandwidth 10M
>>> queue vlan100_download parent v100 bandwidth 5M max 5M default

Did you try to set the min bw as well:

#
# [0x05] Queueing
#
queue Internet on $if_Internet bandwidth 10M, min 9M max 10M
queue vlan100_upload parent Internet bandwidth 5M, min 4M max 5M default

queue v100 on vlan100 bandwidth 10M, min 9M max 10M
queue vlan100_download parent v100 bandwidth 5M, min 4M max 5M default
Re: per-vlan traffic control
Hi Atanas,

Thanks for your response. I followed some configurations in that link you
sent, but nothing had effect. Packets are not going to queues.

br,

Paulo Coimbra

2015-08-20 10:55 GMT-03:00 Atanas Vladimirov :

> On 20.08.2015 16:35, Paulo Coimbra wrote:
>
>> Well, considering that only outbound packets can be queued, I've changed
>> some rules at pf.conf. Packets that are "outgoing" at $if_Internet are
>> upload. Packets that are "outgoing" at vlan100 are download, all right? My
>> changed pf.conf is below (but even with these changes, it doesn't work for
>> me, I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).
>>
>> #
>> # [0x01] Macros
>> #
>> $if_Internet="em1"
>>
>> #
>> # [0x05] Queueing
>> #
>> queue Internet on $if_Internet bandwidth 10M
>> queue vlan100_upload parent Internet bandwidth 5M max 5M default
>>
>> queue v100 on vlan100 bandwidth 10M
>> queue vlan100_download parent v100 bandwidth 5M max 5M default
>>
>> #
>> # [0x07] Packet Filtering
>> #
>>
>> pass out quick on vlan100 set queue vlan100_download no state
>> pass out quick on $if_Internet set queue vlan100_upload no state
>>
>> br,
>>
>> Paulo Coimbra
>>
> http://marc.info/?l=openbsd-misc&m=141085207225887&w=2

--
br,

Paulo Coimbra
Re: per-vlan traffic control
On 20.08.2015 16:35, Paulo Coimbra wrote:
> Well, considering that only outbound packets can be queued, I've changed
> some rules at pf.conf. Packets that are "outgoing" at $if_Internet are
> upload. Packets that are "outgoing" at vlan100 are download, all right? My
> changed pf.conf is below (but even with these changes, it doesn't work for
> me, I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).
>
> #
> # [0x01] Macros
> #
> $if_Internet="em1"
>
> #
> # [0x05] Queueing
> #
> queue Internet on $if_Internet bandwidth 10M
> queue vlan100_upload parent Internet bandwidth 5M max 5M default
>
> queue v100 on vlan100 bandwidth 10M
> queue vlan100_download parent v100 bandwidth 5M max 5M default
>
> #
> # [0x07] Packet Filtering
> #
>
> pass out quick on vlan100 set queue vlan100_download no state
> pass out quick on $if_Internet set queue vlan100_upload no state
>
> br,
>
> Paulo Coimbra

http://marc.info/?l=openbsd-misc&m=141085207225887&w=2
Re: per-vlan traffic control
Well, considering that only outbound packets can be queued, I've changed
some rules at pf.conf. Packets that are "outgoing" at $if_Internet are
upload. Packets that are "outgoing" at vlan100 are download, all right? My
changed pf.conf is below (but even with these changes, it doesn't work for
me, I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).

#
# [0x01] Macros
#
$if_Internet="em1"

#
# [0x05] Queueing
#
queue Internet on $if_Internet bandwidth 10M
queue vlan100_upload parent Internet bandwidth 5M max 5M default

queue v100 on vlan100 bandwidth 10M
queue vlan100_download parent v100 bandwidth 5M max 5M default

#
# [0x07] Packet Filtering
#

pass out quick on vlan100 set queue vlan100_download no state
pass out quick on $if_Internet set queue vlan100_upload no state

br,

Paulo Coimbra

2015-08-20 10:11 GMT-03:00 Josh Grosse :

> On 2015-08-20 08:47, Paulo Coimbra wrote:
>
>> Hi all,
>>
>> I'm now doing some tests with openbsd+pf+queueing. My scenario is:
>>
>> [MIKROTIK 1] - [OPENBSD BOX]--[MIKROTIK 2]
>>
>> I've configured vlan 100 with physical interface em0 at openbsdBox and
>> mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
>> bandwidth at 10M each direction. But... It doesn't work.
>>
>
> [snip]
>
>> queue v100 on em0 bandwidth 1000M
>> queue vlan100_in parent v100 bandwidth 10M default
>> queue vlan100_out parent v100 bandwidth 10M
>>
>
> [snip]
>
>> pass in quick on vlan100 set queue vlan100_in
>> pass out quick on vlan100 set queue vlan100_out
>>
>> Any ideas? What am I doing wrong?
>>
>
> Queuing only works on packets that are *outbound*. Once inbound packets
> have arrived, they are already present.
>
> So, if you want to limit the rate of traffic from the Internet to your
> local LAN, do so when those packets are forwarded by the router. Those are
> outbound packets, and they can be queued.

--
br,

Paulo Coimbra
Re: per-vlan traffic control
On 2015-08-20 08:47, Paulo Coimbra wrote:
> Hi all,
>
> I'm now doing some tests with openbsd+pf+queueing. My scenario is:
>
> [MIKROTIK 1] - [OPENBSD BOX]--[MIKROTIK 2]
>
> I've configured vlan 100 with physical interface em0 at openbsdBox and
> mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
> bandwidth at 10M each direction. But... It doesn't work.

[snip]

> queue v100 on em0 bandwidth 1000M
> queue vlan100_in parent v100 bandwidth 10M default
> queue vlan100_out parent v100 bandwidth 10M

[snip]

> pass in quick on vlan100 set queue vlan100_in
> pass out quick on vlan100 set queue vlan100_out
>
> Any ideas? What am I doing wrong?

Queuing only works on packets that are *outbound*. Once inbound packets
have arrived, they are already present.

So, if you want to limit the rate of traffic from the Internet to your local
LAN, do so when those packets are forwarded by the router. Those are outbound
packets, and they can be queued.
Re: per-vlan traffic control
On Thu, Aug 20, 2015 at 09:47:09AM -0300, Paulo Coimbra wrote:
> Hi all,

Hello Paulo,

>
> I'm now doing some tests with openbsd+pf+queueing. My scenario is:
>
> [MIKROTIK 1] - [OPENBSD BOX]--[MIKROTIK 2]
>
> I've configured vlan 100 with physical interface em0 at openbsdBox and
> mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
> bandwidth at 10M each direction. But... It doesn't work.
>
> My pf.conf is as follows:
> --- SNIPPED ---
>
> queue v100 on em0 bandwidth 1000M
> queue vlan100_in parent v100 bandwidth 10M default
> queue vlan100_out parent v100 bandwidth 10M
> --- SNIPPED ---
>
> Any ideas? What am I doing wrong?

You didn't configure the 'max' parameter in your queue, so it's probably
sharing the bandwidth. Try this:

...
queue vlan100_in parent v100 bandwidth 10M, max 10M default
queue vlan100_out parent v100 bandwidth 10M, max 10M
...

>
> thanx,
>
> Paulo Coimbra
Re: per-vlan traffic control
Hi all,

I'm now doing some tests with openbsd+pf+queueing. My scenario is:

[MIKROTIK 1] - [OPENBSD BOX]--[MIKROTIK 2]

I've configured vlan 100 with physical interface em0 at openbsdBox and
mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
bandwidth at 10M each direction. But... It doesn't work.

My pf.conf is as follows:

#
# [0x01] Macros
#

#
# [0x02] Tables
#

#
# [0x03] Options
#
set skip on lo

#
# [0x04] Traffic Normalization
#

#
# [0x05] Queueing
#
queue v100 on em0 bandwidth 1000M
queue vlan100_in parent v100 bandwidth 10M default
queue vlan100_out parent v100 bandwidth 10M

#
# [0x06] Translation
#

#
# [0x07] Packet Filtering
#
pass in quick on vlan100 set queue vlan100_in
pass out quick on vlan100 set queue vlan100_out

Any ideas? What am I doing wrong?

thanx,

Paulo Coimbra

2015-08-19 22:59 GMT-03:00 James Shupe :

> On 8/19/2015 3:39 PM, Paulo Coimbra wrote:
> > Hi,
> > This is my first mail to the list. Is it possible to limit traffic by
> > Vlan with openbsd? For example, I would like to limit 50mb for Vlan 100.
> >
> > Br,
> >
> > Paulo Coimbra
> >
>
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf.conf&arch=i386
>
> Read the QUEUEING section.

--
br,

Paulo Coimbra
Re: per-vlan traffic control
On 8/19/2015 3:39 PM, Paulo Coimbra wrote:
> Hi,
> This is my first mail to the list. Is it possible to limit traffic by
> Vlan with openbsd? For example, I would like to limit 50mb for Vlan 100.
>
> Br,
>
> Paulo Coimbra

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf.conf&arch=i386

Read the QUEUEING section.
per-vlan traffic control
Hi,

This is my first mail to the list. Is it possible to limit traffic by Vlan
with openbsd? For example, I would like to limit 50mb for Vlan 100.

Br,

Paulo Coimbra

--
br,

Paulo Coimbra