From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Aleš Krajník
Date: Fri, 16 Mar 2007 13:59:04 +0100
Subject: Re: Setting bandwidth for multiple internal subnets + few more PF questions
In-Reply-To: <66CE3CD196F5C24F9CDE33A03E0FB4113A7EEF@exbox.office.a24media.cz>
[ Could you get your mailer to line wrap, please? ]

On Thursday 15 March 2007 11:08, Aleš Krajník wrote:
> I have a problem with PF and I would appreciate any help. I spent a few
> hours googling around but found no solution.
>
> We have a FreeBSD 6.1 router with 4 internal subnets on 4 interfaces
> (em1, fxp0, fxp1, xl0), 1 connection to the Internet (em0) - 10Mbps
> both directions, full duplex. What we need is to shape traffic so em1 +
> fxp1, fxp0 and xl0 each use 33% of the traffic, in both the incoming and
> outgoing direction from the Internet (the incoming direction is more
> important for us as we have almost no servers inside our network
> except HTTP for development purposes, so mostly we download data from
> the Internet). Traffic between local subnets should stay unlimited.
>
> That should not be a problem - we could just set 3.33Mbps on each
> interface for packets arriving from the Internet. What we cannot solve
> is how to set it up so that each interface can borrow bandwidth from the
> other interfaces (= from the parent stream) if they are not fully
> utilised.
>
> If I set ALTQ on the external interface, I can control only outgoing
> traffic to the Internet (I made that work successfully). If I set ALTQ
> on any of the internal interfaces I cannot set it to borrow from each
> other. Setting ALTQ on multiple interfaces is not supported AFAIK. Is
> there any solution? Can that be solved with packet tagging?

Controlling *incoming* traffic is not really supported or possible for
that matter. You can't control what others send you. Of course you
can - as you seem to be doing - limit the *outgoing* traffic on the
internal interface(s). Due to the way ALTQ works, however, it is not
possible to share bandwidth over several interfaces.
ALTQ directly hooks
into the queueing at the interface. What you would need are two distinct
boxes or a virtual interface through which you tunnel all traffic from
the internet to your LANs - but I'm not sure that is (easily) possible.

You might want to look into using ipfw + dummynet, which works differently
and might be able to solve this particular problem. I'm also open to pf
+ dummynet integration, but don't have time to work on that, at the
moment.

> Another thing I do not completely understand is setting ALTQ rules on
> interfaces. I just want to make it clear to myself. If I set ALTQ on an
> interface, does it mean that packets are being dropped on the chosen
> interface? If I set a queue on an interface, does it mean that packets are
> added to that queue if and only if the rule is evaluated on the chosen
> interface? For example, if I had the rules "queue Q on em0 ..." and
> "pass in on em1 ... queue Q", what would that do?

Internally, queue names are resolved to a number, which is tagged to the
packet. If you have a queue named "foo" on em0 and em1, both these
queues will have the same number. It does not matter where you tag the
packet. On rule evaluation it is only assigned the number for the queue
name. As it hits an ALTQ enabled interface the queueing decides which
queue this number corresponds to.

So in your scenario, if you call the queues on the internal interfaces the
same - say "INET_IN" - you can assign incoming traffic to them with one
single rule on the outside interface.

> My last question - I read that prioritizing TCP ACK packets can increase
> incoming throughput. Does that make sense on fast internet connections
> like ours, or is it useful only for e.g. dial-up connections? I would
> use the following ALTQ settings:
>
> altq on $lan_ex cbq bandwidth 10Mb queue { queue_std, queue_ack }
> queue queue_std on $lan_ex bandwidth 99% cbq(default)
> queue queue_ack on $lan_ex bandwidth 1%
>
> ...
> and create a TCP/ACK rule on $lan_ex with queue_ack

This doesn't prioritize ACKs. You might want to read Daniel's excellent
article about it: http://www.benzedrine.cx/ackpri.html As he points out,
it's most useful on asymmetric links when you really saturate the uplink.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
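As an added example (not from the thread, and not Max's or Aleš's own configuration), a pf.conf for Aleš's layout that applies the two points above: the same queue name on every LAN interface so that one state-keeping rule on em0 tags all downloads, and an uplink ACK queue built the way Daniel's article does it rather than as a 1% cbq share. The interface speeds, subnets and the web server address are assumptions.

```pf
# Added example, not from the thread. Assumes em0 is the 10Mb Internet link,
# em1/fxp0/fxp1/xl0 are 100Mb LAN interfaces, and these constructed subnets.
ext_if   = "em0"
lan_nets = "{ 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24 }"
dev_www  = "10.1.0.80"

# Download cap, one INET_IN queue per LAN interface. The cap is per interface:
# ALTQ hooks the interface queue, so an idle share on fxp0 cannot be lent to
# xl0. LAN-to-LAN traffic takes the default queue, which is effectively unlimited.
altq on em1  cbq bandwidth 100Mb queue { LAN, INET_IN }
queue LAN     on em1  bandwidth 96Mb cbq(default)
queue INET_IN on em1  bandwidth 3330Kb
altq on fxp0 cbq bandwidth 100Mb queue { LAN, INET_IN }
queue LAN     on fxp0 bandwidth 96Mb cbq(default)
queue INET_IN on fxp0 bandwidth 3330Kb
altq on fxp1 cbq bandwidth 100Mb queue { LAN, INET_IN }
queue LAN     on fxp1 bandwidth 96Mb cbq(default)
queue INET_IN on fxp1 bandwidth 3330Kb
altq on xl0  cbq bandwidth 100Mb queue { LAN, INET_IN }
queue LAN     on xl0  bandwidth 96Mb cbq(default)
queue INET_IN on xl0  bandwidth 3330Kb

# Upload on em0: priq with a second queue that only empty TCP ACKs (and
# TOS lowdelay packets) reach, as in Daniel Hartmeier's ackpri article.
altq on $ext_if priq bandwidth 10Mb queue { q_def, q_ack }
queue q_def priority 1 priq(default)
queue q_ack priority 7

# Queue names become numbers, and a state applies its rule's queue to both
# directions. Replies to LAN-initiated connections therefore arrive on em0
# tagged INET_IN and land in INET_IN on whichever LAN interface they leave
# by; on em0 that number has no queue, so the packet falls to the default
# q_def. Empty ACKs get q_ack's number, which exists only on em0; inbound
# ones fall to the LAN default queue, which is harmless since they are tiny.
pass out on $ext_if inet proto tcp from $lan_nets to any \
    flags S/SA keep state queue (INET_IN, q_ack)
pass out on $ext_if inet proto { udp, icmp } from $lan_nets to any \
    keep state queue INET_IN

# Connections from the Internet to the development web server.
pass in on $ext_if inet proto tcp from any to $dev_www port 80 \
    flags S/SA keep state queue (INET_IN, q_ack)
```

Needs a kernel built with options ALTQ, ALTQ_CBQ and ALTQ_PRIQ; `pfctl -vsq` shows per-queue packet and drop counters to confirm that downloads really land in INET_IN on each LAN interface.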