From owner-freebsd-pf@FreeBSD.ORG Sun Nov 23 00:25:39 2008
From: "Daniel O'Connor"
To: "Chris Buechler"
Cc: freebsd-pf@freebsd.org
Date: Sun, 23 Nov 2008 10:18:18 +1030
Message-Id: <200811231018.28601.darius@dons.net.au>
References: <200811220225.mAM2Phuj038059@freefall.freebsd.org>
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On Sunday 23 November 2008 08:42:48 Chris Buechler wrote:
> On Fri, Nov 21, 2008 at 9:25 PM, wrote:
> > Old Synopsis: pf doesn't forget the old tun IP
> > New Synopsis: [pf] [tun] pf doesn't forget the old tun IP
>
> This sounds like the expected behavior, not a bug. You have to kill
> your states when your WAN IP changes or else traffic will continue to
> be translated via the existing state.

I have tried to use -k $oldip but it doesn't fix the problem :(

Also, I don't think it is sensible behaviour - if my IP changes any
connections are going to die because the other ends of the link will be
sending traffic to the old IP.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 23 00:54:44 2008
From: "Peter Maxwell"
To: freebsd-pf@freebsd.org
Date: Sun, 23 Nov 2008 00:54:43 +0000
Message-ID: <7731938b0811221654m6d7fff30x3e6ac51fccd32eaa@mail.gmail.com>
In-Reply-To: <200811231018.28601.darius@dons.net.au>
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP

I have only skim read the bug report, however in the report it says "every
second connection", which sounds like what happens when you have outgoing
connections from an interface that has two IPs assigned (had got bitten
with this when using IPSec over an interface that had two IPs assigned).
Except this time the first IP is of course now not routable, which is
consistent with the observed behaviour.

So, while necessary, I would doubt clearing the state table would do
anything other than (possibly) fix the existing connections - as any new
connections have a 50% chance of having their source IP as the old IP.

I'm assuming that ALL incoming connections are processed fine? pf is
obviously working with the ($ext_if) syntax as it sounds like it's picking
up the new IP.

Looks like a bug to me.

2008/11/22 Daniel O'Connor:
> On Sunday 23 November 2008 08:42:48 Chris Buechler wrote:
>> On Fri, Nov 21, 2008 at 9:25 PM, wrote:
>> > Old Synopsis: pf doesn't forget the old tun IP
>> > New Synopsis: [pf] [tun] pf doesn't forget the old tun IP
>>
>> This sounds like the expected behavior, not a bug. You have to kill
>> your states when your WAN IP changes or else traffic will continue to
>> be translated via the existing state.
>
> I have tried to use -k $oldip but it doesn't fix the problem :(
>
> Also, I don't think it is sensible behaviour - if my IP changes any
> connections are going to die because the other ends of the link will be
> sending traffic to the old IP.

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 23 01:40:04 2008
From: Max Laier
To: freebsd-pf@FreeBSD.org
Date: Sun, 23 Nov 2008 01:40:03 GMT
Message-Id: <200811230140.mAN1e3Cj024702@freefall.freebsd.org>
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP

The following reply was made to PR kern/129060; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, darius@dons.net.au
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP
Date: Sun, 23 Nov 2008 02:20:57 +0100

This is a known bug in pppd. You can work around this by using "(tun0:0)"
instead of just "(tun0)" whenever you refer to the interface's address.
--
Max

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 24 03:00:56 2008
From: "Ronnel P. Maglasang"
To: Reinhold
Cc: freebsd-pf@freebsd.org
Date: Mon, 24 Nov 2008 10:42:08 +0800
Message-ID: <492A1480.7080605@infoweapons.com>
In-Reply-To: <56157.217.45.165.129.1223037455.squirrel@www.violetlan.net>
Subject: Re: limiting bandwidth at certain times during the day

The current implementation of ALTQ and also PF is not dynamic. When you
apply changes (e.g. new queue parameters), you basically have to flush all
the queues and reload. That means "pfctl -Fall" followed by
"pfctl -f new-pf.conf".

You can achieve this by creating a script that will be called from cron.
Be aware of the effect when flushing all the rules though. That would drop
existing VPN sessions.

I am not sure if there is an on-going project to support dynamic ALTQ/PF.

Reinhold wrote:
> Hi
>
> I was asked to limit the amount of bandwidth being used by our openvpn
> connections during our office hours and then allow full access after
> hours.
>
> In my current set up I'm using pf that does load balancing over 2 adsl
> lines on a FreeBSD 7-STABLE system, I'm using mpd5 for dialing in and
> establish the connections with our ISP.
>
> I'm in the process of implementing HFSC to see if I can improve our
> bandwidth usage, I tried PRIQ but ended up losing packets and the
> overall performance decreased to a point where I had to disable it.
>
> How can I go about setting up a limit for a certain time period on the
> amount of bandwidth being used by openvpn?
>
> Thanks
> Reinhold
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 24 03:20:04 2008
From: "Daniel O'Connor"
To: freebsd-pf@FreeBSD.org
Date: Mon, 24 Nov 2008 03:20:04 GMT
Message-Id: <200811240320.mAO3K4wA027210@freefall.freebsd.org>
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP

The following reply was made to PR kern/129060; it has been noted by GNATS.

From: "Daniel O'Connor"
To: Max Laier
Cc: bug-followup@freebsd.org
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP
Date: Mon, 24 Nov 2008 13:34:15 +1030

On Sunday 23 November 2008 11:50:57 Max Laier wrote:
> This is a known bug in pppd. You can work around this by using "(tun0:0)"
> instead of just "(tun0)" whenever you refer to the interface's address.

OK, I've mangled my PF rules, fingers crossed :)

What is the actual bug with PPP?

--
Daniel O'Connor
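As an added example (not from the thread or the pf project), a small sh script for the two-address condition Peter and Max describe: it compares the addresses on a PPP tun interface with the address the link currently negotiated and prints the cleanup commands for any leftover one, so the "(tun0)" expansion in pf.conf stops seeing the dead address. The interface name, the constructed ifconfig output, the addresses, and pppd's ip-up argument order are assumptions.

```shell
#!/bin/sh
# Find leftover IPv4 addresses on a PPP tun interface and print the
# cleanup commands for them.  Added example, not from the thread; tun0,
# the sample ifconfig(8) output and all addresses below are constructed.
#
# Background from the thread: when the link renegotiates and the old
# address stays on the interface, "(tun0)" in pf.conf expands to both
# addresses, so some new connections are translated to the dead one.
# "(tun0:0)" excludes the aliases; this script removes them instead.

# Print every inet address in the ifconfig output that is not the current
# address.  $1 = ifconfig output for one interface, $2 = current address.
stale_addrs() {
    printf '%s\n' "$1" | awk -v cur="$2" '$1 == "inet" && $2 != cur { print $2 }'
}

# Print (do not run) one pfctl(8) and one ifconfig(8) command per stale
# address: kill the states originating from it (what the thread tried with
# -k), then drop the alias so pf's "(ifname)" expansion no longer sees it.
# $1 = interface, $2 = ifconfig output, $3 = current address.
cleanup_cmds() {
    for a in $(stale_addrs "$2" "$3"); do
        printf 'pfctl -k %s\n' "$a"
        printf 'ifconfig %s -alias %s\n' "$1" "$a"
    done
}

# Constructed ifconfig output: the link now uses 203.0.113.11 but the
# earlier 203.0.113.10 was never removed.
SAMPLE_TUN0='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.10 --> 198.51.100.1 netmask 0xffffffff
        inet 203.0.113.11 --> 198.51.100.1 netmask 0xffffffff
        Opened by PID 1234'

# Constructed output for a healthy interface: only the current address.
HEALTHY_TUN0='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.11 --> 198.51.100.1 netmask 0xffffffff
        Opened by PID 1234'

# On a live box, run from pppd's /etc/ppp/ip-up hook, where $1 is the
# interface and $4 the newly assigned local address (assumed order):
#   sh thisscript.sh "$1" "$4"
# Review the printed commands before piping them into sh.
if [ $# -eq 2 ]; then
    cleanup_cmds "$1" "$(ifconfig "$1")" "$2"
fi
```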
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 24 11:07:19 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 24 Nov 2008 11:07:18 GMT
Message-Id: <200811241107.mAOB7IOL019987@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/129060  pf    [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf    [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf    [pf] deadlock in pf
o kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/82271   pf    [pf] cbq scheduler cause bad latency

25 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 24 21:21:52 2008
From: Marcello Barreto
To: freebsd-pf@freebsd.org, freebsd-isp@freebsd.org
Date: Mon, 24 Nov 2008 18:04:11 -0300
Message-ID: <20081124180411.0b065be5@wolwerine>
Subject: PF + ALTQ - Bandwidth per customer

Hello Folks,

I believe you have heard this several times, but I'm new to FreeBSD and I'm
trying to change my bandwidth control from Linux (iptables + TC + iproute)
to FreeBSD (PF + ALTQ). I read about PF and I was very interested in it, but
I want to limit the bandwidth (download and upload) of each customer behind
a router (obviously, FreeBSD with PF).

There are several networks and a lot of customers, and with my rules, all I
got was each customer sharing the same queue... Here are my rules:

altq on $external cbq queue {def_up, def_up300, def_up450, def_up600, def_up1000}
altq on $internal cbq queue {def_down, def_down300, def_down450, def_down600, def_down1000}

queue def_up bandwidth 10% cbq(default)
queue def_down bandwidth 10% cbq(default)
queue def_up300 bandwidth 128Kb cbq(red)
queue def_up450 bandwidth 200Kb cbq(red)
queue def_up600 bandwidth 300Kb cbq(red)
queue def_up1000 bandwidth 500Kb cbq(red)
queue def_down300 bandwidth 300Kb cbq(red)
queue def_down450 bandwidth 450Kb cbq(red)
queue def_down600 bandwidth 600Kb cbq(red)
queue def_down1000 bandwidth 1024Kb cbq(red)

pass in quick inet proto {tcp, udp} from to any queue def_down300
pass out quick inet proto {tcp, udp} from to any queue def_up300

Ps.: Excuse me for my bad English.
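As an added example (not Marcello's rules or pf project code), a generator for the per-customer layout the rules above lack: every customer gets a leaf queue of the same name on both interfaces, with its own upload cap on the external side and download cap on the internal side, so a single "queue" keyword on the rule that creates the state shapes both directions. The interface names em1/em0, the 10Mb parents, the customer list, and the assumption that pf gives a queue name defined on two interfaces one queue id are all assumptions of this example.

```shell
#!/bin/sh
# Emit a pf.conf ALTQ fragment with one CBQ leaf queue per customer.
# Added example, not from the thread.  Assumptions: em1 faces upstream,
# em0 faces the customers, both parents are 10Mb, the customer list is
# constructed, and pf resolves a queue name that is defined on two
# interfaces to a single queue id, so one "queue" keyword in a rule shapes
# the state on both interfaces.

# Constructed list: name, address, download cap, upload cap.
CUSTOMERS='alice 192.0.2.10 300Kb 128Kb
bob   192.0.2.11 1024Kb 500Kb
carol 192.0.2.12 600Kb 300Kb'

# $1 = external interface, $2 = internal interface, $3 = customer list.
# Writes the fragment to stdout.
gen_altq() {
    printf '%s\n' "$3" | awk -v ext="$1" -v inif="$2" '
    NF == 4 { n++; name[n] = $1; ip[n] = $2; down[n] = $3; up[n] = $4 }
    END {
        # Parent queues: each interface lists its default queue plus every
        # customer queue.  Leaf bandwidths must sum to at most the parent
        # bandwidth or pfctl rejects the ruleset.
        list = ""
        for (i = 1; i <= n; i++) list = list ", " name[i]
        printf "altq on %s cbq bandwidth 10Mb queue { def_up%s }\n", ext, list
        printf "altq on %s cbq bandwidth 10Mb queue { def_down%s }\n", inif, list
        printf "queue def_up on %s bandwidth 10%% cbq(default)\n", ext
        printf "queue def_down on %s bandwidth 10%% cbq(default)\n", inif
        # Same queue name on both interfaces, a different cap per direction:
        # upload is what leaves on the external side, download is what
        # leaves on the internal side.
        for (i = 1; i <= n; i++) {
            printf "queue %s on %s bandwidth %s cbq(red)\n", name[i], ext, up[i]
            printf "queue %s on %s bandwidth %s cbq(red)\n", name[i], inif, down[i]
        }
        # A connection the customer opens is first seen inbound on the
        # internal side; one opened from outside is first seen inbound on
        # the external side.  Either rule creates the state carrying the
        # customer queue, unlike the shared per-tier queue in the thread.
        for (i = 1; i <= n; i++) {
            printf "pass in quick on %s inet proto { tcp, udp } from %s to any queue %s\n", inif, ip[i], name[i]
            printf "pass in quick on %s inet proto { tcp, udp } from any to %s queue %s\n", ext, ip[i], name[i]
        }
    }'
}

# Usage: append the output to a pf.conf and check it with "pfctl -nf"
# before loading.
gen_altq em1 em0 "$CUSTOMERS"
```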
From owner-freebsd-pf@FreeBSD.ORG Thu Nov 27 12:58:40 2008
From: "Kevin Foo"
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Reply-To: chflags@gmail.com
Date: Thu, 27 Nov 2008 20:26:55 +0800
Message-ID: <25cb30811270426i6b5cc4c2s49030f64d06b0ec8@mail.gmail.com>
Subject: if_bridge + pf rdr (bridged inline proxy)

Hi list,

I recently set up a bridge box with an inline cache proxy. if_bridge with
pf filtering was working perfectly. However, squid-cache listening on the
loopback device did not get any packets from pf rdr. I have seen successful
setups with OpenBSD's bridge spamd, which is rather a similar setup. Is
something broken on FreeBSD's if_bridge or am I missing some configuration
here?

pfctl -ss (on bridge box):
------------------
all tcp 127.0.0.1:3128 <- 71.14.235.147:80 <- 192.168.1.100:1041       CLOSED:SYN_SENT
all tcp 192.168.1.100:1041 -> 127.0.0.1:3128       SYN_SENT:CLOSED

Environment
------------------
FreeBSD bridge.mybox 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Nov 25 22:56:22 MYT 2008 kev@bridge.mybox:/usr/obj/usr/src/sys/BRIDGE i386
Squid Cache: Version 2.7.STABLE5 with --enable-pf-transparent

rc.conf:
------------------
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 addm bge1 up"
ifconfig_bge0="up"
ifconfig_bge1="up"
pf_enable="YES"
squid_enabld="YES"

pf.conf:
------------------
int_if="bge0"
ext_if="bge1"
rdr pass on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in all
pass out all
pass on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128

sysctl net.link.bridge:
------------------
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0

Hping Testing (from client 192.168.1.100):
------------------
hping -S -p 80 -c 10 www.google.com

In a quick search of the freebsd-pf archive, I found a thread on a similar
setup in 2004:
http://lists.freebsd.org/pipermail/freebsd-pf/2004-October/000522.html
However, the bridge code of FreeBSD was blamed for poor performance and
lack of functionality.

A more recent post on the freebsd-net mailing list on a similar issue:
http://lists.freebsd.org/pipermail/freebsd-net/2008-September/019556.html

Any ideas? TIA.

P/S: please cc me as I'm not subscribed to the freebsd-pf or freebsd-net
mailing lists. Thanks.

--
Regards
Kevin Foo

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 27 14:15:50 2008
From: Eygene Ryabinkin
To: Kevin Foo
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 27 Nov 2008 17:00:15 +0300
In-Reply-To: <25cb30811270426i6b5cc4c2s49030f64d06b0ec8@mail.gmail.com>
Subject: Re: if_bridge + pf rdr (bridged inline proxy)

Kevin, good day.

Thu, Nov 27, 2008 at 08:26:55PM +0800, Kevin Foo wrote:
> I recently set up a bridge box with an inline cache proxy. if_bridge with
> pf filtering was working perfectly. However, squid-cache listening on the
> loopback device did not get any packets from pf rdr. I have seen
> successful setups with OpenBSD's bridge spamd, which is rather a similar
> setup. Is something broken on FreeBSD's if_bridge or am I missing some
> configuration here?

pf can 'rdr' only incoming packets (from 'man pf.conf'):
-----
Evaluation order of the translation rules is dependent on the type of the
translation rules and of the direction of a packet. binat rules are
always evaluated first. Then either the rdr rules are evaluated on an
inbound packet or the nat rules on an outbound packet. Rules of the same
type are evaluated in the same order in which they appear in the ruleset.
The first matching rule decides what action is taken.
-----

So this can be just pf-related. And may be not, as usual...
--
Eygene

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 27 19:13:02 2008
Date: Thu, 27 Nov 2008 21:42:43 +0300 From: "Vladimir Ermakov" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: synproxy state does not work on FreeBSD 7.1-PRERELEASE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Nov 2008 19:13:02 -0000 hello I tried to rule with `synproxy state` uname FreeBSD 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Wed Oct 29 12:47:36 UTC 2008 (amd64 & i386 arch) the synproxy state is not working uname FreeBSD 7.0-RELEASE GENERIC (amd64 & i386 arch) the synproxy state is working # cat /etc/pf.conf pass on em0 proto tcp from any to 192.168.0.1 port http synproxy state to all, please check and confirm or deny /Vladimir Ermakov From owner-freebsd-pf@FreeBSD.ORG Fri Nov 28 05:29:36 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 57134106564A for ; Fri, 28 Nov 2008 05:29:36 +0000 (UTC) (envelope-from chflags@gmail.com) Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.26]) by mx1.freebsd.org (Postfix) with ESMTP id 0AB008FC0C for ; Fri, 28 Nov 2008 05:29:35 +0000 (UTC) (envelope-from chflags@gmail.com) Received: by qw-out-2122.google.com with SMTP id 9so305349qwb.7 for ; Thu, 27 Nov 2008 21:29:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:reply-to :to:subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=TQo1Dom25u2RFFFlCWQyXI/FXgo4eUHTEDN7CyVFfyY=; b=nPiNvlf1JjPVflEYo1RskES0LmAAI3HwV0PJaJ7RG9qTkyoDAL4RtFDok2GAeUOFY7 
Message-ID: <25cb30811272129h68e50bf4u46b15823b101a3@mail.gmail.com>
Date: Fri, 28 Nov 2008 13:29:35 +0800
From: "Kevin Foo"
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
References: <25cb30811270426i6b5cc4c2s49030f64d06b0ec8@mail.gmail.com>
Subject: Re: if_bridge + pf rdr (bridged inline proxy)
Reply-To: chflags@gmail.com

Thanks, Eygene, for the reply. It might be, but I'm not sure. Is anyone running the same setup, or does anyone have any info on this?

--
Regards
Kevin Foo

On Thu, Nov 27, 2008 at 10:00 PM, Eygene Ryabinkin wrote:
> Kevin, good day.
>
> Thu, Nov 27, 2008 at 08:26:55PM +0800, Kevin Foo wrote:
>> I recently set up a bridge box with an inline cache proxy. if_bridge with
>> pf filtering was working perfectly. However, squid-cache listening on the
>> loopback device did not get any packets from pf rdr. I have seen
>> successful setups with OpenBSD's bridge spamd, which is rather a similar
>> setup.
>> Is something broken on FreeBSD's if_bridge or am I missing some
>> configuration here?
>
> pf can 'rdr' only incoming packets (from 'man pf.conf'):
> -----
> Evaluation order of the translation rules is dependent on the type of the
> translation rules and of the direction of a packet. binat rules are
> always evaluated first. Then either the rdr rules are evaluated on an
> inbound packet or the nat rules on an outbound packet. Rules of the same
> type are evaluated in the same order in which they appear in the ruleset.
> The first matching rule decides what action is taken.
> -----
> So this can be just pf-related. And maybe not, as usual...
> --
> Eygene
>
> # Remember that it is hard
> # to read the on-line manual
> # while single-stepping the kernel.
> # -- FreeBSD Developers handbook

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 29 14:27:33 2008
Date: Sat, 29 Nov 2008 06:00:52 -0800 (PST)
From: David Roseman
To: freebsd-pf@freebsd.org, freebsd-isp@freebsd.org, Marcello Barreto
In-Reply-To: <20081124180411.0b065be5@wolwerine>
Message-ID: <705757.42117.qm@web38504.mail.mud.yahoo.com>
Subject: Re: PF + ALTQ - Bandwidth per customer
Reply-To: david_5073@yahoo.com

--- On Mon, 11/24/08, Marcello Barreto wrote:

> From: Marcello Barreto
> Subject: PF + ALTQ - Bandwidth per customer
> To: freebsd-pf@freebsd.org, freebsd-isp@freebsd.org
> Date: Monday, November 24, 2008, 4:04 PM
>
> Hello Folks,
>
> I believe you have heard this several times, but I'm new to FreeBSD and
> I'm trying to change my bandwidth control from Linux (iptables + TC +
> iproute) to FreeBSD (PF + ALTQ).
> I read about PF and I was very interested in it, but I want to limit the
> bandwidth (download and upload) of each customer behind a router
> (obviously, FreeBSD with PF). There are several networks and a lot of
> customers, and with my rules, all I got was each customer sharing the
> same queue...
>
> These are my rules:
>
> altq on $external cbq queue {def_up, def_up300, def_up450, def_up600, def_up1000}
> altq on $internal cbq queue {def_down, def_down300, def_down450, def_down600, def_down1000}
>
> queue def_up bandwidth 10% cbq(default)
> queue def_down bandwidth 10% cbq(default)
>
> queue def_up300 bandwidth 128Kb cbq(red)
> queue def_up450 bandwidth 200Kb cbq(red)
> queue def_up600 bandwidth 300Kb cbq(red)
> queue def_up1000 bandwidth 500Kb cbq(red)
>
> queue def_down300 bandwidth 300Kb cbq(red)
> queue def_down450 bandwidth 450Kb cbq(red)
> queue def_down600 bandwidth 600Kb cbq(red)
> queue def_down1000 bandwidth 1024Kb cbq(red)
>
> pass in quick inet proto {tcp, udp} from to any queue def_down300
> pass out quick inet proto {tcp, udp} from to any queue def_up300

You should consider a commercial product rather than relying on old and somewhat unreliable technology. We've been able to squeeze a lot more customers onto our network for a $3500 investment. It paid for itself in 2 months. We have a dual-core 2.33GHz system passing 95Mb/s with 12000 rules in place and it runs at about 10%. The latest version is truly amazing.
http://www.etinc.com

Regards,
David

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 29 15:48:37 2008
Message-ID: <692660060811290748i33059137g3977e51f692d8340@mail.gmail.com>
Date: Sat, 29 Nov 2008 16:48:35 +0100
From: "Sebastian Tymków"
To: david_5073@yahoo.com
In-Reply-To: <705757.42117.qm@web38504.mail.mud.yahoo.com>
References: <20081124180411.0b065be5@wolwerine> <705757.42117.qm@web38504.mail.mud.yahoo.com>
Cc: freebsd-isp@freebsd.org, Marcello Barreto, freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

Hello,

Why do you think it's unreliable technology? I think the system you propose relies on this technology ;) Most of these use BSD/Linux/Unix on board with their own solutions, and then they're packed into a box with a cute web interface. Of course I can be wrong...

Best regards,

Shamrock

2008/11/29 David Roseman
>
> --- On Mon, 11/24/08, Marcello Barreto wrote:
>
> > From: Marcello Barreto
> > Subject: PF + ALTQ - Bandwidth per customer
> > To: freebsd-pf@freebsd.org, freebsd-isp@freebsd.org
> > Date: Monday, November 24, 2008, 4:04 PM
> >
> > Hello Folks,
> >
> > I believe you have heard this several times, but I'm new to FreeBSD and
> > I'm trying to change my bandwidth control from Linux (iptables + TC +
> > iproute) to FreeBSD (PF + ALTQ).
> > I read about PF and I was very interested in it, but I want to limit the
> > bandwidth (download and upload) of each customer behind a router
> > (obviously, FreeBSD with PF). There are several networks and a lot of
> > customers, and with my rules, all I got was each customer sharing the
> > same queue...
> >
> > These are my rules:
> >
> > altq on $external cbq queue {def_up, def_up300, def_up450, def_up600, def_up1000}
> > altq on $internal cbq queue {def_down, def_down300, def_down450, def_down600, def_down1000}
> >
> > queue def_up bandwidth 10% cbq(default)
> > queue def_down bandwidth 10% cbq(default)
> >
> > queue def_up300 bandwidth 128Kb cbq(red)
> > queue def_up450 bandwidth 200Kb cbq(red)
> > queue def_up600 bandwidth 300Kb cbq(red)
> > queue def_up1000 bandwidth 500Kb cbq(red)
> >
> > queue def_down300 bandwidth 300Kb cbq(red)
> > queue def_down450 bandwidth 450Kb cbq(red)
> > queue def_down600 bandwidth 600Kb cbq(red)
> > queue def_down1000 bandwidth 1024Kb cbq(red)
> >
> > pass in quick inet proto {tcp, udp} from to any queue def_down300
> > pass out quick inet proto {tcp, udp} from to any queue def_up300
>
> You should consider a commercial product rather than relying on old and
> somewhat unreliable technology. We've been able to squeeze a lot more
> customers onto our network for a $3500 investment. It paid for itself in
> 2 months. We have a dual-core 2.33GHz system passing 95Mb/s with 12000
> rules in place and it runs at about 10%. The latest version is truly
> amazing.
>
> http://www.etinc.com
>
> Regards,
>
> David
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 29 16:26:58 2008
Date: Sat, 29 Nov 2008 08:26:57 -0800 (PST)
From: David Roseman
To: Sebastian Tymków
In-Reply-To: <692660060811290748i33059137g3977e51f692d8340@mail.gmail.com>
Message-ID: <425805.11833.qm@web38505.mail.mud.yahoo.com>
Cc: freebsd-isp@freebsd.org, Marcello Barreto, freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer
Reply-To: david_5073@yahoo.com

Is top-posting allowed here?

This product has been around longer than ALTQ and pf. So it's unlikely that they threw away something that has always been superior to ALTQ to replace it with ALTQ. The release notes go back to 1996. They also claim to have re-written the FreeBSD bridging code to gain 40% in performance.

http://www.etinc.com/release.notes

RED and CBQ were technologies championed by Cisco. They're designed to work on CPU-starved routers. Cisco had a big problem because their routers were designed to move packets and they didn't have any CPU power available for the intelligent processing required for packet shaping. So they designed these brain-dead "leaky bucket" and CBQ models to work on their CPU-starved routers in the 90s. Inexplicably, these silly techniques were copied and put into public operating systems, and people still use them to save what amounts to pennies compared to the new business they can attract with a better network.

If you'd read the white papers you'd know it's not a queue-based product and it's totally custom. Window shaping is really the most important technology to reduce the amount of traffic in a network. Slowing servers naturally without having to queue data makes a dramatic change in the delay patterns of a large network. Imagine 1000 servers sending 3000 bytes per window instead of 32K. The backup queue depths are dramatically reduced even without specific bandwidth limits per customer.

It also has a traffic monitor that is indispensable in tracking down DoS attacks, worms and out-of-control servers. I'd pay $500 just for the monitor. I have a problem, I fire up the monitor and bingo, I find the problem. I think you can buy the lowest priced license and still use the monitor and gather statistics no matter how large your network is.

David

--- On Sat, 11/29/08, Sebastian Tymków wrote:

> From: Sebastian Tymków
> Subject: Re: PF + ALTQ - Bandwidth per customer
> To: david_5073@yahoo.com
> Cc: freebsd-pf@freebsd.org, freebsd-isp@freebsd.org, "Marcello Barreto" <marcello@linconet.com.br>
> Date: Saturday, November 29, 2008, 10:48 AM
>
> Hello,
>
> Why do you think it's unreliable technology?
> I think the system you propose relies on this technology ;)
> Most of these use BSD/Linux/Unix on board with their own solutions
> and then they're packed into a box with a cute web interface.
> Of course I can be wrong...
>
> Best regards,
>
> Shamrock
>
> 2008/11/29 David Roseman
>
> >
> > --- On Mon, 11/24/08, Marcello Barreto wrote:
> >
> > > From: Marcello Barreto
> > > Subject: PF + ALTQ - Bandwidth per customer
> > > To: freebsd-pf@freebsd.org, freebsd-isp@freebsd.org
> > > Date: Monday, November 24, 2008, 4:04 PM
> > >
> > > Hello Folks,
> > >
> > > I believe you have heard this several times, but I'm new to FreeBSD
> > > and I'm trying to change my bandwidth control from Linux (iptables +
> > > TC + iproute) to FreeBSD (PF + ALTQ).
> > > I read about PF and I was very interested in it, but I want to limit
> > > the bandwidth (download and upload) of each customer behind a router
> > > (obviously, FreeBSD with PF). There are several networks and a lot of
> > > customers, and with my rules, all I got was each customer sharing the
> > > same queue...
> > >
> > > These are my rules:
> > >
> > > altq on $external cbq queue {def_up, def_up300, def_up450, def_up600, def_up1000}
> > > altq on $internal cbq queue {def_down, def_down300, def_down450, def_down600, def_down1000}
> > >
> > > queue def_up bandwidth 10% cbq(default)
> > > queue def_down bandwidth 10% cbq(default)
> > >
> > > queue def_up300 bandwidth 128Kb cbq(red)
> > > queue def_up450 bandwidth 200Kb cbq(red)
> > > queue def_up600 bandwidth 300Kb cbq(red)
> > > queue def_up1000 bandwidth 500Kb cbq(red)
> > >
> > > queue def_down300 bandwidth 300Kb cbq(red)
> > > queue def_down450 bandwidth 450Kb cbq(red)
> > > queue def_down600 bandwidth 600Kb cbq(red)
> > > queue def_down1000 bandwidth 1024Kb cbq(red)
> > >
> > > pass in quick inet proto {tcp, udp} from to any queue def_down300
> > > pass out quick inet proto {tcp, udp} from to any queue def_up300
> >
> > You should consider a commercial product rather than relying on old and
> > somewhat unreliable technology. We've been able to squeeze a lot more
> > customers onto our network for a $3500 investment. It paid for itself
> > in 2 months. We have a dual-core 2.33GHz system passing 95Mb/s with
> > 12000 rules in place and it runs at about 10%. The latest version is
> > truly amazing.
> >
> > http://www.etinc.com
> >
> > Regards,
> >
> > David
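Marcello's question never got a technical answer in the thread, so here is a worked pf.conf for it. This is an added illustration, not code from any message above: interface names, customer addresses and the rates are made up. The reason his ruleset puts every customer in one queue is that a pass rule names one queue, and every connection the rule matches, whatever host in the table it came from, is tagged with that queue; per-customer limits therefore need one queue per customer and one rule per customer. A second problem is that pf matches an existing state before it evaluates rules, so for a connection a customer starts, the `pass in quick` rule creates the state and the `pass out quick` rule is never consulted. The example relies on pf resolving the queue tag by name on whichever interface a packet leaves, which is why each customer queue is defined on both interfaces under the same name with a different rate in each direction; check the result on a test box with `pfctl -nf /etc/pf.conf` and `pfctl -s queue -v`.

```pf
# Added illustration, not from the thread: one queue per customer on each
# interface and one stateful rule per customer.  Interface names, customer
# addresses and rates are assumptions.
ext_if = "em0"          # towards the upstream
int_if = "em1"          # towards the customers
cust_a = "10.0.1.10"
cust_b = "10.0.1.11"

# Uploads leave through $ext_if, downloads leave through $int_if, so the
# per-direction limit lives on the interface the traffic exits.
altq on $ext_if cbq bandwidth 10Mb  queue { def_up,   cust_a, cust_b }
altq on $int_if cbq bandwidth 100Mb queue { def_down, cust_a, cust_b }

queue def_up   on $ext_if bandwidth 10% cbq(default)
queue def_down on $int_if bandwidth 10% cbq(default)

# The same queue name on both interfaces, with the upload rate on $ext_if
# and the download rate on $int_if.
queue cust_a on $ext_if bandwidth 128Kb cbq(red)   # customer A upload
queue cust_a on $int_if bandwidth 300Kb cbq(red)   # customer A download
queue cust_b on $ext_if bandwidth 200Kb cbq(red)   # customer B upload
queue cust_b on $int_if bandwidth 450Kb cbq(red)   # customer B download

# The queue is chosen by the rule that creates the state and then applied
# to every packet of that connection on whichever interface it leaves, so
# one rule per customer and direction of initiation covers both directions
# of the traffic.  A rule matching a whole table cannot do this: every host
# in the table would share the one queue named on the rule.
pass in quick on $int_if inet proto { tcp, udp } from $cust_a to any keep state queue cust_a
pass in quick on $int_if inet proto { tcp, udp } from $cust_b to any keep state queue cust_b

# Connections opened from the outside towards a customer (a customer-run
# server, for instance) are tagged on the way in through $ext_if.
pass in quick on $ext_if inet proto { tcp, udp } from any to $cust_a keep state queue cust_a
pass in quick on $ext_if inet proto { tcp, udp } from any to $cust_b keep state queue cust_b
```

With many customers the queue and rule lists grow linearly and are best generated from a customer database rather than maintained by hand; the per-queue `bandwidth` values must also stay within the parent `altq` bandwidth or pfctl rejects the ruleset.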