Altq - limiting traffic among multiple interfaces
In our organization, I'd like to use Altq to keep any one process (download or whatever) from hogging bandwidth and degrading performance for others. It's more complicated than I expected, though, and I haven't been able to find an example that's much like my environment (I'd be glad to publish mine if I could get it working well). Here's the layout:

               Office (internal) subnet            DMZ
                            |                       /
                         [fxp0]                 [fxp1]
    Internet ---[fxp4] OpenBSD/pf firewall
                         [fxp2]                 [fxp3]
                            |                       \
               Guest class 1 subnet       Guest class 2 subnet

We have sort of a conference center, so we're providing access for guests as well as offices. Hence all the subnets. We also host some of our own web sites on the DMZ.

Now to make it more complicated, our fractional "T1" provides 512Kb of *total* bandwidth. That is, the total of upload *and* download bandwidth can never exceed 512Kb.

Ideally, I would like to set up a single 512k queue and divvy it up (with cbq) among all traffic that passes in or out of fxp4, regardless of which interface it exits. (I'd really like to allow borrowing among all directions.) But as far as I know, there's no way to do exactly that.

What I'm hoping someone could suggest is, what's the best I can do? That is, how can I get the best utilization out of my limited connection while preventing anything from hogging it?

Forgive me if I'm overlooking information that's already available. I'm afraid my brain's gotten a little scrambled trying to adapt the altq model to this scenario.

Thank you for your time!

Jonathan
Re: [Fwd: Problems with voip and state clashes]
Hi Tim,

I have been running asterisk behind an OpenBSD 3.x firewall for two years now. It was a pain to get it working due to the fact that I didn't know much about SIP and RTP at that time. There is basically one problem to get this working, and it's because the private IP of the asterisk server is put into the packet payload in the RTP handshaking. Other than that, it's a rdr problem.

This is my basic setup:

pf.conf:

# $ext_if and $external_addr are assumed to be defined earlier in the file
#altq configuration
altq on $ext_if priq bandwidth 768kb queue { q_pri, sip, webb, dflt }
queue q_pri priority 6
queue sip priority 5
queue webb priority 4
queue dflt priority 1 priq(default)

#macros
asterisk_server="10.0.0.1"
rtp_ports = "{ 1:11000 }"   # taken from rtp.conf

#outgoing
nat on $ext_if inet proto udp from $asterisk_server to any port 5060 -> $ext_if port 5060
nat on $ext_if inet proto udp from $asterisk_server to any port $rtp_ports -> $ext_if static-port

#incoming
rdr on $ext_if proto udp from any to $external_addr port 5060 -> $asterisk_server port 5060
rdr on $ext_if proto udp from any to $external_addr port $rtp_ports -> $asterisk_server

# altq rules
pass out on $ext_if inet proto udp from any to any port $rtp_ports queue (dflt, sip)

#fw rules
# the macro is $rtp_ports; referencing an undefined name here makes pfctl reject the ruleset
pass in on $ext_if proto udp from any port $rtp_ports to any
pass in on $ext_if proto { tcp, udp } from any port 5060 to $external_addr

/etc/asterisk/rtp.conf:

;
; RTP Configuration
;
[general]
;
; RTP start and RTP end configure start and end addresses
;
rtpstart=1
rtpend=10999

You also need to tweak the sip.conf file:

[general]
port = 5060
bindaddr = 10.0.0.1   ; local addr
nat=yes
canreinvite=no
externip=a.b.c.d
localnet=10.0.0.0/24

What this means is that your asterisk server inserts the public IP (nat=yes) in the RTP header instead of the private IP. "canreinvite=no" tells asterisk that it shall transcode your SIP traffic, which means that all voice channels should pass the asterisk server. This is good if you don't want your private sip phones to talk directly to external phones. This also means that you can monitor calls. This is bad if you have lots of telephone calls. Transcoding can be a very CPU intensive process.

If you want your phones to only use the asterisk server for call setup then you need to make sure that your phone is capable of doing the same trick as the asterisk server for using public IPs instead of the private. This is a different problem which involves nat, rdr and pass rules in pf.conf.

I also use altq rules to make sure that the rtp traffic has higher priority than "normal" traffic. Voice calls are very sensitive to network delays.

This configuration works very well for me with a small number of IP phones behind pf.

Hope this gets you going!

/Johan

> No ideas?
>
> Even though most are using asterisk behind a nat with simple port
> forwarding, it looks like I am unable to do this with pf. I have grown
> to love pf so much it would be a shame to have to dump it on MY network
> :-(
>
> I am having real trouble with PF and Asterisk behind a NAT.
>
> The long and short of it is that I'd really like to NAT a subset of
> traffic, without putting the connection in the translation table. That
> is, I want to translate the source ip:port on the outbound, but not
> worry about return traffic (since it is handled by a RDR, hence the
> clash).
>
> Is that possible?
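The core difficulty Johan describes is that the RTP endpoint travels inside the SIP/SDP body, which pf's nat/rdr never rewrites. The following is an added example (not from the post or from Asterisk's source) that parses a constructed SDP body, shows the private address and RTP port the far end would be told to use, and mimics the substitution that nat=yes/externip make Asterisk perform; the sample SDP, the 192.0.2.1 public address and the function names are assumptions.

```python
import ipaddress

LOCALNET = ipaddress.ip_network("10.0.0.0/24")   # localnet= from sip.conf
EXTERNIP = "192.0.2.1"                           # stands in for externip=a.b.c.d

# Constructed SDP body as the asterisk server (10.0.0.1) would emit it.
# The RTP port 10498 lies inside the rtpstart/rtpend range from rtp.conf.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=root 1 1 IN IP4 10.0.0.1",
    "s=session",
    "c=IN IP4 10.0.0.1",
    "t=0 0",
    "m=audio 10498 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
])

def rtp_endpoint(sdp):
    """Return the (address, port) the remote party will send RTP to."""
    addr = port = None
    for line in sdp.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]          # connection address
        elif line.startswith("m=audio "):
            port = int(line.split()[1])     # RTP port, matched by rdr $rtp_ports
    return addr, port

def rewrite_sdp(sdp, localnet=LOCALNET, externip=EXTERNIP):
    """Replace addresses inside localnet with the public one (what nat=yes does)."""
    out = []
    for line in sdp.split("\r\n"):
        fields = line.split()
        if line[:2] in ("c=", "o=") and len(fields) >= 3 and fields[-2] == "IP4":
            if ipaddress.ip_address(fields[-1]) in localnet:
                fields[-1] = externip
                line = " ".join(fields)
        out.append(line)
    return "\r\n".join(out)
```

Without the rewrite the remote phone would send RTP to 10.0.0.1, which is unroutable from the Internet no matter how the rdr rules are written.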
Re: [Fwd: Problems with voip and state clashes]
Tim,

What are you using asterisk for, SIP? What are the rules you have now? What is exactly the problem?

Quoting Tim Pushor <[EMAIL PROTECTED]>:

> No ideas?
>
> Even though most are using asterisk behind a nat with simple port
> forwarding, it looks like I am unable to do this with pf. I have grown
> to love pf so much it would be a shame to have to dump it on MY network :-(
>
> Thanks,
> Tim
>
> Original Message
> Subject: Problems with voip and state clashes
> Date: Sun, 26 Jun 2005 10:55:48 -0600
> From: Tim Pushor <[EMAIL PROTECTED]>
> To: PF List
>
> Hi Friends,
>
> I am having real trouble with PF and Asterisk behind a NAT.
>
> The long and short of it is that I'd really like to NAT a subset of
> traffic, without putting the connection in the translation table. That
> is, I want to translate the source ip:port on the outbound, but not
> worry about return traffic (since it is handled by a RDR, hence the clash).
>
> Is that possible?
>
> I know this is short on details, but if there's an easy way to do that, I
> don't need to bore you with them ;-)
>
> Thanks a lot,
> Tim
Re: ALTQ and VoIP
I've been trying a bit more since I wrote the first mail. I've been talking on the phone for about an hour now, with full upload (approx 10 torrents seeding from 2 computers in the LAN), and the conversation was close to perfect, I would say. The interesting bit now is to see if anybody else gets the same experience.

Here is some of my altq config. VoIP traffic has the highest priority, of course. Any comments are appreciated. (256Kbit/s ADSL)

altq on rl1 priq bandwidth 170Kb queue { std_out, websrv_out, web_out, im_out, rdp_out, radio_out, ssh_out, dns_out, udp_gaming_out, ip_telefoni_out }
queue std_out priq(default red) qlimit 1
queue websrv_out priority 2 qlimit 1
queue rdp_out priority 3 qlimit 1
queue web_out priority 4 qlimit 1
queue im_out priority 5 qlimit 1
queue radio_out priority 6 qlimit 1
queue ssh_out priority 7 qlimit 1
queue dns_out priority 8 qlimit 1
queue udp_gaming_out priority 11 qlimit 1
queue ip_telefoni_out priority 15

(end-section pass-rules)

ip_telefon_fwd = "{ 5060:5061, 16000:1 }"
pass out on rl1 proto udp from any to any port $ip_telefon_fwd keep state queue ip_telefoni_out

Ingolf Zeiner Petersen wrote:

> I just got my VoIP adaptor in the mail, and started testing it on my
> internet-connection. I want to use BitTorrent and p2p-apps that maximize
> my upstream at the same time as I'm talking on the phone.
>
> I've tried priq and cbq queues now, with good results, but not good
> enough. I still get feedback from the people I talk with that I sound a
> bit "jagged".
>
> Simple question: has anybody set up a pf.conf and really tested the
> configuration by really maxing the upstream and talking at the same time
> (and got feedback from the person on the other end that you sound just
> fine, or the person hears echo and other effects)? I've searched on
> google etc. but I only find people that have configs that they Believe
> work, or they aren't using their connection hard enough.
>
> By the way, I'm using Telio (.no)
>
> Thanks in advance!
Re: Utility for automatic removal of old table-entries.
My previous reply was cut for some unknown reason, let me try again.

On Sun, 26 Jun 2005, Henrik Gustafsson wrote:

> Hi!
>
> As a response to an idea posted in pf@ the other day I wrote this utility
> for removing pf table entries based on their age. It has now been somewhat
> tested and updated, and so I figured it would be good to make it available
> to a larger group of people for testing on a larger scale.

I've been using this on a machine for at least a week now, trying to fend off ssh bruteforce attempts. Works perfectly with pf rules like these:

table <ssh-bruteforce> persist   # declared so the rules below can reference it
block in quick on $ext_if from <ssh-bruteforce>
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

I'm then purging entries older than one hour from the ssh-bruteforce table, using the above named utility run from cron every five minutes.

This is imho a lot nicer than solutions based on modifying and patching the ssh daemon.

/Johan
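As an added example of the purge step Johan describes (not Henrik's utility and not part of the original posts), the script below reads the verbose table listing that `pfctl -t <table> -T show -v` prints, keeps the `Cleared:` timestamp of each address, and deletes the addresses whose timestamp is older than one hour. The listing format, the constructed sample, and the function names are assumptions.

```python
import re
import subprocess
from datetime import datetime, timedelta

TABLE = "ssh-bruteforce"
MAX_AGE = timedelta(hours=1)      # the post purges entries older than one hour

# Entry lines carry a lone address; the stats that follow include a
# "Cleared:  <ctime>" line (format assumed from pfctl -T show -v output).
ADDR_RE = re.compile(r"^\s*(!?[0-9A-Fa-f.:/]+)\s*$")
CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.+?)\s*$")

# Constructed sample listing: two sources that were overloaded at different times
SAMPLE_LISTING = """\
   192.0.2.10
\tCleared:     Sun Jun 26 10:55:48 2005
\tIn/Block:    [ Packets: 12                 Bytes: 720                ]
   198.51.100.7
\tCleared:     Sun Jun 26 12:30:00 2005
"""

def parse_table(listing):
    """Map each address to the time its counters were (re)set."""
    entries, current = {}, None
    for line in listing.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CLEARED_RE.match(line)
        if m and current:
            stamp = " ".join(m.group(1).split())   # ctime pads the day with a space
            entries[current] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return entries

def expired(entries, now, max_age=MAX_AGE):
    """Addresses whose 'Cleared' time lies more than max_age before now."""
    return sorted(addr for addr, t in entries.items() if now - t > max_age)

def purge(table=TABLE, max_age=MAX_AGE):
    """Read the live table with pfctl and delete the stale entries (needs root on a pf host)."""
    cmd = ["pfctl", "-t", table, "-T", "show", "-v"]
    listing = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    stale = expired(parse_table(listing), datetime.now(), max_age)
    if stale:
        subprocess.run(["pfctl", "-t", table, "-T", "delete", *stale], check=True)
    return stale

def demo():   # evaluate the constructed sample as if run at 12:40 that day
    return expired(parse_table(SAMPLE_LISTING), datetime(2005, 6, 26, 12, 40, 0))
```

Later pfctl releases grew a native `-T expire seconds` command for this job, which removes the need for an external script.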
Re: [Fwd: Problems with voip and state clashes]
On 09:14, Wed 29 Jun 05, Tim Pushor wrote:

> No ideas?
>
> Even though most are using asterisk behind a nat with simple port
> forwarding, it looks like I am unable to do this with pf. I have grown
> to love pf so much it would be a shame to have to dump it on MY network :-(
>
> Thanks,
> Tim
>
> Original Message
> Subject: Problems with voip and state clashes
> Date: Sun, 26 Jun 2005 10:55:48 -0600
> From: Tim Pushor <[EMAIL PROTECTED]>
> To: PF List
>
> Hi Friends,
>
> I am having real trouble with PF and Asterisk behind a NAT.
>
> The long and short of it is that I'd really like to NAT a subset of
> traffic, without putting the connection in the translation table. That
> is, I want to translate the source ip:port on the outbound, but not
> worry about return traffic (since it is handled by a RDR, hence the clash).
>
> Is that possible?
>
> I know this is short on details, but if there's an easy way to do that, I
> don't need to bore you with them ;-)
>
> Thanks a lot,
> Tim

Tim,

Without details of your current setup it's hard to help. Please provide some more info.

--
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"
Re: [Fwd: Problems with voip and state clashes]
At 08:14 AM 6/29/2005, you wrote:

> No ideas?
>
> Even though most are using asterisk behind a nat with simple port
> forwarding, it looks like I am unable to do this with pf. I have grown
> to love pf so much it would be a shame to have to dump it on MY network :-(

I've been tinkering with asterisk as a possible solution for my own office, but this makes me far from being knowledgeable. Since I have pf installed and working and the pbx is an afterthought, then it's the pbx that will get the boot before pf does.

In any case I've just done a little research for firewall comments in the asterisk archives and found that other fw's have generated questions for asterisk users, making me wonder if asterisk plays nicely with any firewalls. At the same time however, by the sound of this response in those archives: http://www.marko.net/asterisk/archives/0302/0055.html, I have to wonder if it is yet again a simple matter of configuration. A range of ports is easily programmed into pf, you just need to know what port range your app (asterisk) will want to pull.
Re: [Fwd: Problems with voip and state clashes]
On Wednesday 29 June 2005 11:14 am, Tim Pushor wrote:

> The long and short of it is that I'd really like to NAT a subset of
> traffic, without putting the connection in the translation table. That
> is, I want to translate the source ip:port on the outbound, but not
> worry about return traffic (since it is handled by a RDR, hence the clash).

I'm not too familiar with asterisk, but why do you need a RDR? Wouldn't the return traffic have a state, and thus be rerouted before it gets to any possible redirects? (I'm looking at an old copy of the pf flow-diagram, I don't know how up-to-date that is)...

Maybe if you could give some background on how asterisk works at the IP level,

Mike