pfctl: anchor name too long

2006-03-06 Thread Ingolf Zeiner Petersen

Just a quick question:

Does this really look wrong?
[EMAIL PROTECTED] /sbin/pfctl -a upnpd/rl1-TCP-81.111.111.11-42193-10.0.0.123-42193
pfctl: anchor name 'upnpd/rl1-TCP-81.111.111.11-42193-10.0.0.123-42193' too long

Could it be some new functionality that I'm missing in my somewhat old PF 
version, running on my FreeBSD 5.4-RELEASE-p6?


For the record: I'm playing around with "UPnP", FreeBSD and PF - and the 
"pfctl -a" command is automatically executed by the "upnpd" daemon.



---
ingolf


Re: pf, altq latency problems

2005-08-09 Thread Ingolf Zeiner Petersen
On 9 Aug 2005 08:44:08 -0700, [EMAIL PROTECTED] wrote
> My problem is that although the suggested altq rules allow simultaneous
> full speed downloads and uploads, latency increases from tens or
> hundreds of milliseconds to between two and four seconds. Strangely,
> both TCP and ICMP seem to be affected. So the altq rules make it
> possible to download something large like an ISO, but browsing and
> online gaming are still nearly impossible while uploading at full
> speed.
I think that the ACK priorities make large transfers go more smoothly, not gaming 
and such. If you want to upload and game online at the same time, I suggest that 
you make some altq priq rules that prioritize your gaming in front of 
everything else. It sure works OK for me!


Re: Problem with NAT and FTP server

2005-07-15 Thread Ingolf Zeiner Petersen

Have you tried another ftpd? Sounds like that might be the issue here..

[EMAIL PROTECTED] wrote:

In my configuration there is a problem providing publicly-accessible anonymous
FTP service. The config works for a small number of clients, but most cannot
access my server and use any command that requires a data connection. Ftpd is
running on the same machine as PF. I checked the FAQ on this but the cases that
are discussed there are either already represented in my pf.conf or relate to
different problems.

First, I observe that pf is not blocking the connections. Second, with a packet
dump on the interface, it shows that when ftpd goes back to the client to make
a data connection, the source IP is different from the publicly known address
of the FTP server. This is due to the effect of NAT statement(s) and an attempt
to manage a block of addresses.

In particular, my public FTP address is advertised to be at .197, and the rules
are configured for ftpd to answer requests on that address. General outgoing
NAT is mapped to .199 with this command:

nat on $ext_if1 from $lan_net to any -> a.b.c.199

Control connections work fine. But when ftpd attempts to make a data connection
with the client, the source address is mapped to .199. I believe that the
clients are ignoring this since it is not correlated to the known connection on
.197. On the wire I see ftpd responses going out a number of times. The client
does not respond to these packets and ultimately times out with an error about
not being able to establish the data connection. If there was a NAT option to
qualify by user or service I might be able to make a new NAT rule that would
translate to the proper address first.

Any suggestions as to how to configure this behaviour in a workable arrangement?


Re: ALTQ and VoIP

2005-07-02 Thread Ingolf Zeiner Petersen

Matt Pearce wrote:
I run 1536/256 ADSL here and found that a figure of 205Kb is the upper 
limit for me (versus the 170Kb you have); any more and the queue won't 
drop packets correctly, any less and I'm not getting the full bandwidth 
I'm paying for.  If you have 256Kb try changing this figure and you 
might find you gain some extra speed.
Yeah, I know that I'm not getting the max out of my connection, but if I 
set it to anything over 200Kbit I get more lag/delay on the connection.


I had a play a while ago with the qlimit but I had it added into the 
"altq on rl1.." line; oddly it never changed a thing and never gave 
an error.  Since seeing your qlimit statements I've been playing with it 
for the past couple of days and working on tuning, and found a qlimit of 
1 severely limited queues and they never saw full bandwidth potential.  I 
found a good figure for me was 10 as opposed to a standard 50. My 
testing of the qlimit number had me pinging a local site while uploading 
with Azureus and watching its graph.

What were your ping times?
Another thing: I'm trying to prioritize my outgoing icmp packets, and 
if I send 4 pings I get "8 packets" in pfctl -vs rules on the rule I 
made. I would think that "4 packets" would be more correct? *confused*


Re: ALTQ and VoIP

2005-06-30 Thread Ingolf Zeiner Petersen
I've been trying a bit more since I wrote the first mail. I've been 
talking on the phone for about an hour now - with full upload (approx 10 
torrents seeding from 2 computers in the LAN), and the conversation was 
close to perfect, I would say.

The interesting bit now is to see if anybody else gets the same experience.

Here is some of my altq config. VoIP traffic has the highest priority, 
of course. Any comments are appreciated.


(256Kbit/s ADSL)
altq on rl1 priq bandwidth 170Kb queue { std_out, websrv_out, web_out, im_out, rdp_out, radio_out, ssh_out, dns_out, udp_gaming_out, ip_telefoni_out }

queue std_out          priq(default red) qlimit 1
queue websrv_out       priority 2 qlimit 1
queue rdp_out          priority 3 qlimit 1
queue web_out          priority 4 qlimit 1
queue im_out           priority 5 qlimit 1
queue radio_out        priority 6 qlimit 1
queue ssh_out          priority 7 qlimit 1
queue dns_out          priority 8 qlimit 1
queue udp_gaming_out   priority 11 qlimit 1
queue ip_telefoni_out  priority 15

(end-section pass-rules)
ip_telefon_fwd = "{ 5060:5061, 16000:1 }"
pass out on rl1 proto udp from any to any port $ip_telefon_fwd keep state queue ip_telefoni_out


Ingolf Zeiner Petersen wrote:
I just got my VoIP adaptor in the mail, and started testing it on my 
internet connection. I want to use BitTorrent and p2p apps that 
maximize my upstream at the same time as I'm talking on the phone.


I've tried priq and cbq queues now - with good results, but not good 
enough. I still get feedback from the people I talk with that I sound a 
bit "jagged".


Simple question: has anybody set up a pf.conf and really tested the 
configuration by really maxing the upstream and talking at the same time 
(and got feedback from the person on the other end that you sound just 
fine - or the person hears echo and other effects)?


I've searched on Google etc. but I only find people that have configs 
that they believe work - or they aren't using their connection hard 
enough.


By the way, i'm using Telio (.no)

Thanks in advance!
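As an added illustration (not code from any of the posts), here is a small Python model of the priq scheduler from the config above: strict priority between the queues, tail-drop once a queue holds qlimit packets, and a non-preemptive link, so a VoIP packet can still wait behind one full-size packet already on the wire. The queue names, priorities, qlimits and the 170Kb link rate are taken from the config; the packet sizes and arrival pattern are constructed for the example.

```python
from collections import deque
# (priority, qlimit) per queue as in the quoted config; std_out is the default
# queue at priority 0 and ip_telefoni_out keeps PF's default qlimit of 50.
QUEUES = {"std_out": (0, 1), "websrv_out": (2, 1), "rdp_out": (3, 1),
          "web_out": (4, 1), "im_out": (5, 1), "radio_out": (6, 1), "ssh_out": (7, 1),
          "dns_out": (8, 1), "udp_gaming_out": (11, 1), "ip_telefoni_out": (15, 50)}

class Priq:
    def __init__(self, queues):
        self.cfg, self.qs = queues, {n: deque() for n in queues}
        self.order = sorted(queues, key=lambda n: queues[n][0], reverse=True)
        self.stats = {n: {"sent": 0, "dropped": 0, "max_delay_ms": 0} for n in queues}

    def enqueue(self, queue, now_ms, size):
        if len(self.qs[queue]) >= self.cfg[queue][1]:  # qlimit reached: tail-drop
            self.stats[queue]["dropped"] += 1
        else:
            self.qs[queue].append((now_ms, size))

    def dequeue(self, now_ms):
        for name in self.order:  # strict priority: first non-empty queue wins
            if self.qs[name]:
                arrival_ms, size = self.qs[name].popleft()
                st = self.stats[name]
                st["sent"] += 1
                st["max_delay_ms"] = max(st["max_delay_ms"], now_ms - arrival_ms)
                return size
        return None

def simulate(queues, arrivals, duration_ms, bps=170_000):  # 170Kb as in the config
    """arrivals: (time_ms, queue, bytes); a packet in flight is never preempted."""
    sched, link_free_ms, pending = Priq(queues), 0.0, sorted(arrivals)
    for now in range(duration_ms):
        while pending and pending[0][0] <= now:
            _, queue, size = pending.pop(0)
            sched.enqueue(queue, now, size)
        while link_free_ms <= now:  # link idle: ask the scheduler for a packet
            size = sched.dequeue(now)
            if size is None:
                break
            link_free_ms = now + size * 8 * 1000 / bps
    return sched.stats

def voip_vs_torrent(std_qlimit=1):
    # constructed load: a 200-byte VoIP packet every 20 ms plus a 1500-byte torrent
    # packet every 40 ms for one second, then 200 ms to let the queues drain
    queues = dict(QUEUES, std_out=(0, std_qlimit))
    arrivals = [(t, "ip_telefoni_out", 200) for t in range(0, 1000, 20)]
    arrivals += [(t, "std_out", 1500) for t in range(0, 1000, 40)]
    return simulate(queues, arrivals, 1200)
```

Running voip_vs_torrent() with qlimit 1 versus 50 on std_out shows the trade-off the thread discusses: the VoIP queue is never dropped and never waits longer than one 1500-byte packet on a 170Kb link (about 70 ms), while the bulk queue either drops most arrivals (qlimit 1) or builds a backlog (qlimit 50).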




Re: ALTQ on PF for gaming

2005-06-27 Thread Ingolf Zeiner Petersen

[EMAIL PROTECTED] wrote:

I can add more of the ruleset if needed, but I just want to know how to
prioritize the incoming bandwidth for cs.

I would think that this would work:
pass out on $int_if inet proto { udp tcp } from any port { 27000:27020 } to any keep state queue cs_in


You might want to use a wider port range (maybe?).

I'm running the same settings myself for online gaming, but only on the 
outgoing traffic. It really sux that I can only have one altq setting 
per NIC.. (I don't want to shape my internal traffic..)


Hope to hear from you if this was of any help!


ALTQ and VoIP

2005-06-26 Thread Ingolf Zeiner Petersen
I just got my VoIP adaptor in the mail, and started testing it on my 
internet connection. I want to use BitTorrent and p2p apps that 
maximize my upstream at the same time as I'm talking on the phone.


I've tried priq and cbq queues now - with good results, but not good 
enough. I still get feedback from the people I talk with that I sound a 
bit "jagged".


Simple question: has anybody set up a pf.conf and really tested the 
configuration by really maxing the upstream and talking at the same time 
(and got feedback from the person on the other end that you sound just 
fine - or the person hears echo and other effects)?


I've searched on Google etc. but I only find people that have configs 
that they believe work - or they aren't using their connection hard enough.


By the way, i'm using Telio (.no)

Thanks in advance!


Re: altq priq Anomaly?

2005-06-23 Thread Ingolf Zeiner Petersen

Melameth, Daniel D. wrote:

I implemented altq's priq a while back in the hope of "speeding up" my
overall 'net connection by prioritizing empty TCP ACKs.  However, I
noticed that I was never coming close to my 256Kb/s upload cap since I
did this and looked into it a little bit further today.
I don't know if you've got ADSL, but in my own case I have 1024/256 
ADSL, and I have actually set the up-limit to 180Kbit/s to get useful 
latency rates (together with priq queues). Because empty TCP ACKs are 
much about how fast the packets get sent to the destination, this 
becomes relevant.


Try it, and tell us about your result! :-)


Re: Is NAT in PF UPnP enabled or Non UPnP?

2005-05-27 Thread Ingolf Zeiner Petersen

Siju George wrote:

I don't think PF supports UPnP. But you should try to forward 3389/tcp
to your NAT'ed computer (the rdp port).


But this will only allow one computer to connect to the Windows Remote
Desktop at a time, isn't it?
I would suggest that you try before you ask :-) But I'm pretty sure that 
you can have X no. of connections to the rdp server simultaneously. This 
is however an rdp software question rather than a pf issue.


Re: Is NAT in PF UPnP enabled or Non UPnP?

2005-05-26 Thread Ingolf Zeiner Petersen
I don't think PF supports UPnP. But you should try to forward 3389/tcp 
to your NAT'ed computer (the rdp port).


Hope this helps you with your problem...

Siju George wrote:

Hi all,

I would like to know if there is anybody using Windows XP remote
desktop sharing behind an OpenBSD firewall.

What I would like to do is to allow a couple of windows users behind
my OpenBSD firewall to access windows XP remote desktops on the
internet.

From

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/worki01.mspx

I understand that it is possible with UPnP enabled NAT devices.

Is the NAT in PF UPnP enabled??

or could someone tell me how I can accomplish this with OpenBSD.

Thank you so much

Kind Regards

Siju




Filtering out LAN-traffic from altq bw limits

2005-04-06 Thread Ingolf Zeiner Petersen
I'm setting up queues on internal and external interfaces with the 
purpose of having control over my internet traffic.
But the rules also affect the traffic between my local subnet and the 
server (non-internet traffic). I have tried "pass" rules for this, but 
it seems like everything is going through the "altq on rl0 cbq bandwidth 
1Mb queue..." rule anyway.
Do I have to set up a queue of its own for the local traffic under the "altq 
on rl0" line, or is there an easier way?

Thanks in advance for any response.