think tank forum

technology » altq on pf

lucas
13 years ago
i ❤ demo
does anyone here have experience with altq on pf?

i'm in desperate need of help. i've even considered hiring a consultant if i can't get it working soon.
nny
13 years ago
Matt Joyce
never used it... looked at it years and years ago. didn't look too daunting then. What's the issue?
bluet
13 years ago
Yup, I have.
lucas
13 years ago
i ❤ demo
ok, guys, mind helping out? :)

requirements for queuing:
(1) cap the upstream bandwidth that atlas gets at 768 Kbps. it absolutely should not be allowed to go over that amount.
(2) all other traffic should get priority over atlas's upstream traffic.

as a result, i've tried to prioritize traffic in the following order: tcp ack, dns, ssh, standard/default, atlas.

available upstream bandwidth seems to vary. many tests at various times show throughput at about 3 Mbps. my plan with my isp says i get 1 Mbps upstream.

i seem to have trouble tagging traffic to and from atlas.

here is the ruleset i've been playing with. note: it is not in production use. (how concerned should i be with making public my ruleset?)

$ sudo cat /etc/pf_queueing.conf
# macros

int_if="vr0"
ext_if="vr1"

tcp_services="{ 113 }"
icmp_types="echoreq"

kharon="10.6.6.1"
kharon_ssh="49152"

atlas="10.6.6.254"
atlas_ssh="49153"

user_lu="49154:49156"
user_da="49157:49159"
user_bs="49160:49162"
user_ms="49163:49165"

# options

set block-policy return
set loginterface $ext_if
set skip on lo

# queuing

altq on $ext_if hfsc bandwidth 2560Kb queue { network atlas }

queue network bandwidth 896Kb { std ssh dns ack }

    queue ack bandwidth 384Kb priority 5 hfsc( realtime 384Kb )
    queue dns bandwidth 128Kb priority 4 hfsc( realtime 128Kb )
    queue ssh bandwidth 128Kb priority 3 hfsc( realtime 128Kb ) { ssh_login ssh_bulk }
        queue ssh_login bandwidth 32Kb priority 3 hfsc( realtime 32Kb )
        queue ssh_bulk  bandwidth 96Kb priority 3 hfsc( realtime 96Kb )
    queue std bandwidth 256Kb priority 2 hfsc( default ecn realtime ( 256Kb, 10000, 32Kb ) )

queue atlas bandwidth 128Kb priority 1 hfsc { user_lu user_bs user_ms user_da }
    queue user_lu bandwidth 32Kb priority 1 hfsc
    queue user_bs bandwidth 32Kb priority 1 hfsc
    queue user_ms bandwidth 32Kb priority 1 hfsc
    queue user_da bandwidth 32Kb priority 1 hfsc

# ftp proxy rules

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp rdr-to 127.0.0.1 port 8021

# match rules

match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if)

# filtering

block in  on $ext_if all
block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) queue(std, ack)
pass out on $ext_if inet proto { udp icmp } from ($ext_if)
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain queue dns
pass out on $ext_if inet proto tcp from ($ext_if) to any port ssh queue ( ssh_bulk, ssh_login )
pass out on $ext_if inet proto tcp from $atlas port $user_lu queue user_lu
pass out on $ext_if inet proto tcp from $atlas port $user_da queue user_da
pass out on $ext_if inet proto tcp from $atlas port $user_bs queue user_bs
pass out on $ext_if inet proto tcp from $atlas port $user_ms queue user_ms

pass out quick

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

pass in on $ext_if inet proto tcp to ($ext_if) port $kharon_ssh rdr-to $kharon port ssh synproxy state queue ssh
pass in on $ext_if inet proto tcp to ($ext_if) port $atlas_ssh rdr-to $atlas port ssh synproxy state queue ssh

pass in on $ext_if inet proto tcp to ($ext_if) port $user_lu rdr-to $atlas synproxy state queue user_lu
pass in on $ext_if inet proto tcp to ($ext_if) port $user_da rdr-to $atlas synproxy state queue user_da
pass in on $ext_if inet proto tcp to ($ext_if) port $user_bs rdr-to $atlas synproxy state queue user_bs
pass in on $ext_if inet proto tcp to ($ext_if) port $user_ms rdr-to $atlas synproxy state queue user_ms

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if

$
asemisldkfj
13 years ago
the law is no protection
post your pf.conf? I've used it before, but it was a long time ago and they've probably changed the syntax by now.
asemisldkfj
13 years ago
the law is no protection
whoops, too slow. I'll look at that when it's not my bedtime.
bluet
13 years ago
You could try adding this:

pass in on $int_if inet proto tcp to ($int_if) queue(std, ack)
pass in on $int_if inet proto { udp icmp } to ($int_if)
pass in on $int_if inet proto { tcp udp } from any to ($int_if) port domain queue dns
pass in on $int_if inet proto tcp from any to ($int_if) port ssh queue ( ssh_bulk, ssh_login )
pass in on $int_if inet proto tcp to $atlas port $user_lu queue user_lu
pass in on $int_if inet proto tcp to $atlas port $user_da queue user_da
pass in on $int_if inet proto tcp to $atlas port $user_bs queue user_bs
pass in on $int_if inet proto tcp to $atlas port $user_ms queue user_ms
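Putting bluet's idea (queue on the inbound $int_if rules) together with the hard cap from lucas's first requirement, here is an added example ruleset fragment. It is not code from this thread; it reuses the posted macros ($int_if, $ext_if, $atlas, $atlas_ssh, $user_lu, $user_da, $user_bs, $user_ms) and queue names, assumes OpenBSD-style pf (the match/nat-to and rdr-to syntax lucas is using) with the default floating state policy, and the bandwidth figures and the extra leaf queue `atlas_rest` are assumptions chosen to fit under a 1 Mbps upstream plan.

```conf
# Added example, not from the thread. Macros and most queue names come from
# the posted ruleset; bandwidth values and the atlas_rest leaf are assumed.

# --- queueing -------------------------------------------------------------
# The root has to sit a little below the real upstream rate. If it is set
# above the link rate (2560Kb on a ~1 Mbps line) the modem is the bottleneck
# and ALTQ never gets to decide which packet goes first.
altq on $ext_if hfsc bandwidth 960Kb queue { network atlas }

queue network bandwidth 832Kb { ack dns ssh std }
    queue ack bandwidth 256Kb hfsc( realtime 256Kb )
    queue dns bandwidth  64Kb hfsc( realtime 64Kb )
    queue ssh bandwidth 128Kb hfsc( realtime 128Kb ) { ssh_login ssh_bulk }
        queue ssh_login bandwidth 32Kb hfsc( realtime 32Kb )
        queue ssh_bulk  bandwidth 96Kb hfsc( realtime 96Kb )
    queue std bandwidth 384Kb hfsc( default ecn )

# "bandwidth" is only the guaranteed share: without "upperlimit" a queue
# borrows idle capacity from its parent. upperlimit is the hard cap the
# first requirement asks for (768 Kbps), and it bounds the whole subtree.
queue atlas bandwidth 128Kb hfsc( upperlimit 768Kb ) { user_lu user_da user_bs user_ms atlas_rest }
    queue user_lu    bandwidth 24Kb hfsc
    queue user_da    bandwidth 24Kb hfsc
    queue user_bs    bandwidth 24Kb hfsc
    queue user_ms    bandwidth 24Kb hfsc
    queue atlas_rest bandwidth 32Kb hfsc    # assumed extra leaf: anything else atlas sends

# --- filtering ------------------------------------------------------------
# LAN traffic creates its state on the inbound $int_if rule. With floating
# states that same state carries the packet out of $ext_if, so the
# "pass out on $ext_if ... queue" rules are never consulted for it: the
# queue must be named here. Last matching rule wins, so the general LAN
# rules come first and the atlas-specific ones after them.
pass in on $int_if inet proto tcp from ($int_if:network) queue (std, ack)
pass in on $int_if inet proto { udp icmp } from ($int_if:network)
pass in on $int_if inet proto { tcp udp } from ($int_if:network) to any port domain queue dns
pass in on $int_if inet proto tcp from ($int_if:network) to any port ssh queue (ssh_bulk, ssh_login)

pass in on $int_if inet from $atlas queue atlas_rest
pass in on $int_if inet proto tcp from $atlas port $user_lu queue user_lu
pass in on $int_if inet proto tcp from $atlas port $user_da queue user_da
pass in on $int_if inet proto tcp from $atlas port $user_bs queue user_bs
pass in on $int_if inet proto tcp from $atlas port $user_ms queue user_ms

# Connections redirected to atlas from outside: the replies leave $ext_if
# through this state, so they are atlas upstream traffic too. Name a leaf
# queue, not the parent "ssh": HFSC only enqueues into leaves and silently
# sends packets assigned to a parent queue to the default queue instead.
pass in on $ext_if inet proto tcp to ($ext_if) port $atlas_ssh rdr-to $atlas port ssh synproxy state queue (ssh_bulk, ssh_login)
pass in on $ext_if inet proto tcp to ($ext_if) port $user_lu rdr-to $atlas synproxy state queue user_lu
pass in on $ext_if inet proto tcp to ($ext_if) port $user_da rdr-to $atlas synproxy state queue user_da
pass in on $ext_if inet proto tcp to ($ext_if) port $user_bs rdr-to $atlas synproxy state queue user_bs
pass in on $ext_if inet proto tcp to ($ext_if) port $user_ms rdr-to $atlas synproxy state queue user_ms

# The firewall's own outbound traffic still needs pass out rules. Do not
# follow them with a bare "pass out quick": it is the last match for every
# outbound packet that reaches it and names no queue, so everything it
# matches falls back into the default queue.
pass out on $ext_if inet proto tcp from ($ext_if) queue (std, ack)
pass out on $ext_if inet proto { udp icmp } from ($ext_if)
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain queue dns
pass out on $ext_if inet proto tcp from ($ext_if) to any port ssh queue (ssh_bulk, ssh_login)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (it parses without touching the running ruleset and reports child queues whose bandwidth adds up to more than their parent), then watch `pfctl -vvsq` or `systat queues` while atlas is busy: if the bytes keep landing in `std` rather than in the `user_*` queues, the classification rule is not the one creating the state.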
lucas
13 years ago
i ❤ demo
ok, i'll try it out when it's also not my bedtime. thanks. :) i'll get back to you with the results.
lucas
11 years ago
i ❤ demo
i need to work on this more. for now, some references:

http://doc.pfsense.org/index.php/Traffic_Shaping_Guide
http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained