queuing question

2005-04-13 Thread Peter Huncar
Hi

Only two simple questions (I hope). I'm trying to shape traffic between
several subnets (some in form of VLANs and some have own physical interface)

Is something like this possible?

Just an example
Subnet 1 -- fxp0 - OpenBSD - fxp1 --- Subnet 2

altq on $fxp0 bandwidth 100% cbq queue{fxp0_high, fxp0_def}
altq on $fxp1 bandwidth 100% cbq queue{fxp1_high, fxp1_def}

queue fxp0_high bandwidth 30% priority 7 cbq(red)
queue fxp0_def  bandwidth 70% priority 6 cbq(red, default)
queue fxp1_high bandwidth 30% priority 7 cbq(red)
queue fxp1_def  bandwidth 70% priority 6 cbq(red, default)

pass in  on {lo0 fxp0 fxp1}

pass out on fxp0 inet proto {tcp udp} all flags S/SA keep state 
pass out on fxp0 inet proto {tcp udp} from any to any port $highports \
  flags S/SA keep state queue fxp1_high

pass out on fxp1 inet proto {tcp udp} all flags S/SA keep state
pass out on fxp1 inet proto {tcp udp} from any to any port $highports \
  flags S/SA keep state queue fxp0_high


So I create a state that will pass packets belonging to this connection
through both interfaces, on one interface and they will be assigned to the
queue on the other interface without creating any explicit pass rule for
this interface to assign the packet to the correct queue (because I don't
know then which service it was) Am I right?


queuing question

2008-02-27 Thread Daniel Duerr

Hello,

I understand from the pf documentation (and logic) that you cannot  
queue incoming packets on an interface, makes sense...  In various  
examples around the net, however, I've seen people attaching queues  
to inbound rules as well.  I'm confused as to whether this is just a  
mistake or if people are doing this on INBOUND rules which keep state  
in order to have all OUTBOUND packets which are state tracked to that  
rule get the queue assignment from the inbound rule.  Can someone  
please clarify?


Thanks,
Daniel



Re: queuing question

2005-04-14 Thread Kimi Ostro
On 4/13/05, Peter Huncar <[EMAIL PROTECTED]> wrote:
> Hi
> 
> Only two simple questions (I hope). I'm trying to shape traffic between
> several subnets (some in form of VLANs and some have own physical interface)
> 
> Is something like this possible?
> 

Anything is possible..

> Just an example
> Subnet 1 -- fxp0 - OpenBSD - fxp1 --- Subnet 2
> 
> altq on $fxp0 bandwidth 100% cbq queue{fxp0_high, fxp0_def}
> altq on $fxp1 bandwidth 100% cbq queue{fxp1_high, fxp1_def}
> 
> queue fxp0_high bandwidth 30% priority 7 cbq(red)
> queue fxp0_def  bandwidth 70% priority 6 cbq(red, default)
> queue fxp1_high bandwidth 30% priority 7 cbq(red)
> queue fxp1_def  bandwidth 70% priority 6 cbq(red, default)
> 

Having the priorities so close will most likely outweigh the benefit here

> pass in  on {lo0 fxp0 fxp1}
> 
> pass out on fxp0 inet proto {tcp udp} all flags S/SA keep state
> pass out on fxp0 inet proto {tcp udp} from any to any port $highports \
>   flags S/SA keep state queue fxp1_high
> 
> pass out on fxp1 inet proto {tcp udp} all flags S/SA keep state
> pass out on fxp1 inet proto {tcp udp} from any to any port $highports \
>   flags S/SA keep state queue fxp0_high
> 
> 
> So I create a state that will pass packets belonging to this connection
> through both interfaces, on one interface and they will be assigned to the
> queue on the other interface without creating any explicit pass rule for
> this interface to assign the packet to the correct queue (because I don't
> know then which service it was) Am I right?
> 
well, you are on the "right" path, although this would not work, as
you're crossing your queue definitions, all the traffic going out of
fxp0 would go to your default queue fxp0_def, except anything matching
the pass from $highports would end up on fxp1_high queue.

The following ruleset would work as you intend:

altq on $fxp0 bandwidth 100% cbq queue{fxp0_high, fxp0_def}
 queue fxp0_high bandwidth 30% priority 7 cbq(red)
 queue fxp0_def  bandwidth 70% priority 2 cbq(red, default)

altq on $fxp1 bandwidth 100% cbq queue{fxp1_high, fxp1_def}
 queue fxp1_high bandwidth 30% priority 7 cbq(red)
 queue fxp1_def  bandwidth 70% priority 2 cbq(red, default)

pass quick on lo0

pass in on { fxp0 fxp1 }

pass out on fxp0 inet proto {tcp udp}   \
 all\
 flags S/SA keep state

pass out on fxp0 inet proto {tcp udp}   \
 from any to any port $highports\
 flags S/SA keep state  \
 queue fxp0_high

pass out on fxp1 inet proto {tcp udp}   \
 all\
 flags S/SA keep state

pass out on fxp1 inet proto {tcp udp}   \
 from any to any port $highports\
 flags S/SA keep state  \
 queue fxp1_high

Kimi
-- 
spamassassinexception


Re: queuing question

2005-04-14 Thread j knight
Peter Huncar wrote:
> So I create a state that will pass packets belonging to this connection
> through both interfaces, on one interface and they will be assigned to the
> queue on the other interface without creating any explicit pass rule for
> this interface to assign the packet to the correct queue (because I don't
> know then which service it was) Am I right?

http://www.openbsd.org/faq/pf/queueing.html#assign


Re: queuing question

2008-02-27 Thread Daniel Hartmeier
On Wed, Feb 27, 2008 at 11:28:28AM -0800, Daniel Duerr wrote:

> I understand from the pf documentation (and logic) that you cannot  
> queue incoming packets on an interface, makes sense...  In various  
> examples around the net, however, I've seen people attaching queues  
> to inbound rules as well.  I'm confused as to whether this is just a  
> mistake or if people are doing this on INBOUND rules which keep state  
> in order to have all OUTBOUND packets which are state tracked to that  
> rule get the queue assignment from the inbound rule.  Can someone  
> please clarify?

The latter (queue replies of incoming connections) is true.

Daniel
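
The behaviour confirmed in the reply above, together with the earlier point in this thread that a queue must be defined on the interface the packet leaves through, as an added pf.conf example that is not part of the original thread. The interface name follows the thread; the queue names, the 10Mb bandwidth and the SSH service are assumptions.

```conf
# Added example, legacy ALTQ syntax as used in this thread.
# Assumptions: ssh_reply/std queue names, 10Mb link, SSH on the firewall.
ext_if = "fxp0"

# Queues exist only on the interface they are declared on.
altq on $ext_if cbq bandwidth 10Mb queue { ssh_reply, std }
 queue ssh_reply bandwidth 30% priority 7 cbq(red)
 queue std       bandwidth 70% priority 2 cbq(red, default)

block all

# Inbound SSH to the firewall itself. Nothing is queued on the way in.
# The rule creates state, and the reply packets that match that state
# leave through $ext_if and take this rule's queue assignment, so they
# are placed in ssh_reply. The queue named here must therefore be one
# defined on the interface the replies go out of.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state queue ssh_reply

# Connections opened by the firewall carry no queue assignment and
# fall into the default queue (std).
pass out on $ext_if inet proto tcp all flags S/SA keep state
```

Per-queue counters from `pfctl -vsq` show whether the reply traffic is landing in ssh_reply or in the default queue.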


Re: queuing question

2008-02-28 Thread Michiel van Baak
On 11:28, Wed 27 Feb 08, Daniel Duerr wrote:
> Hello,
> 
> I understand from the pf documentation (and logic) that you cannot  
> queue incoming packets on an interface, makes sense...  In various  
> examples around the net, however, I've seen people attaching queues  
> to inbound rules as well.  I'm confused as to whether this is just a  
> mistake or if people are doing this on INBOUND rules which keep state  
> in order to have all OUTBOUND packets which are state tracked to that  
> rule get the queue assignment from the inbound rule.  Can someone  
> please clarify?

The latter is correct.

-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: queuing question

2008-02-28 Thread Daniel Duerr
Thank you Daniel.  Just a suggestion-- someone might want to add this  
to the docs, very good thing to know.


On Feb 27, 2008, at 10:34 PM, Daniel Hartmeier wrote:

> On Wed, Feb 27, 2008 at 11:28:28AM -0800, Daniel Duerr wrote:
>
>> I understand from the pf documentation (and logic) that you cannot
>> queue incoming packets on an interface, makes sense...  In various
>> examples around the net, however, I've seen people attaching queues
>> to inbound rules as well.  I'm confused as to whether this is just a
>> mistake or if people are doing this on INBOUND rules which keep state
>> in order to have all OUTBOUND packets which are state tracked to that
>> rule get the queue assignment from the inbound rule.  Can someone
>> please clarify?
>
> The latter (queue replies of incoming connections) is true.
>
> Daniel




--
daniel duerr   |   president   |   gizmo creative
[EMAIL PROTECTED]  |  +1 (831) 621-1710 x103