From: Виталий Владимирович
To: "freebsd-pf@FreeBSD.org"
Date: Thu, 24 Nov 2011 20:05:13 +0200
Subject: HFSC ALTQ for prioritization LAN and router traffic
Message-Id: <35025.1322157913.1199695190218178560@ffe6.ukr.net>

Hi!

I have a FreeBSD9 router with ADSL connections, with 5Mb/s download speed and only 850 Kb/s upload.
I am attempting to prioritize outgoing traffic coming from the LAN (bulk and TCP ACK) and traffic coming from the router, because I have some services running on the server for remote clients.

mst="modulate state"
ext_if="em0"
int_if1="em1"

table persist {192.168.10/24}

set skip on {lo}
set ruleset-optimization basic
set state-policy if-bound
set require-order yes

scrub on $ext_if all random-id no-df min-ttl 128

### ALTQ
altq on $ext_if hfsc bandwidth 800Kb queue {std, lan, lan_ack, serv, serv_ack}
queue std bandwidth 50Kb priority 1 hfsc (default realtime 50Kb)
queue lan bandwidth 50Kb priority 2 hfsc (realtime 50Kb)
queue lan_ack bandwidth 50Kb priority 7 hfsc (realtime 300Kb upperlimit 300Kb)
queue serv bandwidth 50Kb priority 2 hfsc (realtime 50Kb)
queue serv_ack bandwidth 50Kb priority 7 hfsc (realtime 50Kb)

###
nat on $ext_if tag INET tagged INET -> ($ext_if) port 1024:65535

###################### BLOCK IN/OUT/ALL
block all
block in quick inet from urpf-failed to any
block in quick inet from no-route to any
antispoof quick for {$int_if1 lo} inet

####################### PASS IN
### EXT_IF_IN
pass in quick on $ext_if inet from any to ($ext_if) $mst (max 100) queue (serv serv_ack)
### INT_IF
pass in quick on $int_if1 inet from to !$int_if1 $mst tag INET
pass in quick on $int_if1 inet from to $int_if1

###################### PASS OUT
### EXT_IF
pass out quick on $ext_if inet from $ext_if to any tagged INET queue (lan lan_ack)
pass out quick on $ext_if inet from $ext_if to any queue (serv serv_ack)
### INT_IF
pass out quick on $int_if1 inet from $int_if1 to

pfctl -vvsq

queue root_em0 on em0 bandwidth 800Kb priority 0 {std, lan, lan_ack, serv, serv_ack}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue std on em0 bandwidth 50Kb hfsc( default realtime 50Kb )
  [ pkts: 3 bytes: 126 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue lan on em0 bandwidth 50Kb priority 2 hfsc( realtime 50Kb )
  [ pkts: 17 bytes: 1123 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue lan_ack on em0 bandwidth 50Kb priority 7 hfsc( realtime 300Kb upperlimit 300Kb )
  [ pkts: 8872 bytes: 479088 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 49.0 packets/s, 21.19Kb/s ]
queue serv on em0 bandwidth 50Kb priority 2 hfsc( realtime 50Kb )
  [ pkts: 11290 bytes: 17089007 dropped pkts: 0 bytes: 0 ]
  [ qlength: 43/ 50 ]
  [ measured: 50.0 packets/s, 605.60Kb/s ]
queue serv_ack on em0 bandwidth 50Kb priority 7 hfsc( realtime 50Kb )
  [ pkts: 29 bytes: 2597 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]

Without ALTQ, when anybody from the Internet is downloading from the server, the download speed for the LAN drops to 20Kb/s. When I use ALTQ, the speed for LAN users drops to 2Mb/s. This is good, but not what I have specified in pf.conf. I have specified a realtime speed of 300Kb for ACK packets, but in reality I get about 20Kb. In the queue output above, one user from the LAN is downloading a file and one from the Internet is downloading from the router, both via FTP.

Where is my mistake?
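
An added example, not part of the original message: a small Python parser for the `pfctl -vvsq` output quoted above that sets each queue's measured rate against its `realtime` guarantee and its backlog, to tell a queue held back by the scheduler from one that simply has little to send. The names `parse_queues` and `diagnose`, the 80% backlog threshold and the three labels are assumptions made for this example; the sample text is two stanzas copied from the message.

```python
import re

# Sample input: two stanzas copied from the pfctl -vvsq output in the message.
SAMPLE = """\
queue lan_ack on em0 bandwidth 50Kb priority 7 hfsc( realtime 300Kb upperlimit 300Kb )
  [ pkts: 8872 bytes: 479088 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 49.0 packets/s, 21.19Kb/s ]
queue serv on em0 bandwidth 50Kb priority 2 hfsc( realtime 50Kb )
  [ pkts: 11290 bytes: 17089007 dropped pkts: 0 bytes: 0 ]
  [ qlength: 43/ 50 ]
  [ measured: 50.0 packets/s, 605.60Kb/s ]
"""

UNITS = {"b": 1, "Kb": 1e3, "Mb": 1e6, "Gb": 1e9}
STANZA = re.compile(r"queue\s+(\S+)\s+on\s(.*?)(?=queue\s+\S+\s+on\s|\Z)", re.S)

def to_bps(rate):  # '300Kb' or '0 b' -> bits per second
    num, unit = re.fullmatch(r"([\d.]+)\s*([KMG]?b)", rate.strip()).groups()
    return float(num) * UNITS[unit]

def grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_queues(output):
    """Return {queue name: stats}; also works on output flattened to one line."""
    queues = {}
    for name, body in STANZA.findall(output):
        rt = grab(r"realtime\s+(\S+)", body)
        queues[name] = {
            "realtime": to_bps(rt) if rt else None,
            "qlen": int(grab(r"qlength:\s*(\d+)/", body)),
            "qlimit": int(grab(r"qlength:\s*\d+/\s*(\d+)", body)),
            "drops": int(grab(r"dropped pkts:\s*(\d+)", body)),
            "measured": to_bps(grab(r"packets/s,\s*([\d.]+\s*[KMG]?b)/s", body)),
        }
    return queues

def diagnose(q):
    """Classify a queue; the 0.8 backlog threshold is an assumption of this example."""
    if q["drops"] or q["qlen"] >= 0.8 * q["qlimit"]:
        return "backlogged"      # packets are waiting: the scheduler is the limit
    if q["realtime"] and q["measured"] < q["realtime"] and q["qlen"] == 0:
        return "demand-limited"  # empty queue below its guarantee: nothing more offered
    return "ok"

if __name__ == "__main__":
    print({name: diagnose(q) for name, q in parse_queues(SAMPLE).items()})
```

On the two stanzas shown, `lan_ack` is classified as demand-limited (empty queue, no drops, 21.19Kb/s against a 300Kb guarantee) and `serv` as backlogged (43 of 50 slots in use).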