Date: Fri, 13 Feb 2009 04:52:31 -0600
From: eculp <eculp@encontacto.net>
To: Tom Uffner <tom@uffner.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer
Message-ID: <20090213045231.18054m16fhi70z6s@econet.encontacto.net>
In-Reply-To: <49952803.80404@uffner.com>
References: <76463C1E8CB14B958088F7E54C611560@ashevchenko> <493634DA.7000408@infoweapons.com> <20081203071940.324735uokbfgyh6o@econet.encontacto.net> <4993EB42.2020503@uffner.com> <20090212063141.11024jm7bsi7shio@econet.encontacto.net> <49952803.80404@uffner.com>
Quoting Tom Uffner <tom@uffner.com>:

> eculp wrote:
>> Thanks for responding. As I read your answer and my question, I'm
>> pretty sure that I probably didn't ask the question properly. What
>> I need to do is be intermediary between my upstream ISPs and my
>> customers and would like to control the bandwidth hogs.
>>
>> Basically, I want certain outgoing traffic based on port to go to
>> ISP1 and all other, not blocked, ports to go to the other while
>> limiting the available internal bandwidth to each downstream client,
>> say to 64k, and if borrowing is possible when traffic is low,
>> great. I did something like this with IPFW and dummynet maybe 6 or
>> more years ago and as I remember, it worked and solved an immediate
>> problem of downstream demand not being distributed adequately or
>> equitably. The major differences were connection speed and there
>> was only one ISP.
>
> assuming that your BSD firewall/router has separate interfaces connected to
> each ISP, you can do the outgoing part of what you want several ways in pf,
> with or without using altq. you could write pass...route-to rules similar to
> the ones at http://www.openbsd.org/faq/pf/pools.html to match the traffic you
> want to go out through each ISP, or you could tag the traffic on the way in
> your inside interface and use the tags to assign it to an altq queue for the
> proper outbound interface.
>
> as for rationing bandwidth to your downstream clients, there are several
> reasons why it doesn't make sense, and/or why altq is not the best tool,
> but it is possible.
>
> first, the objections:
>
> as many people have pointed out in this & other altq threads, altq has no
> convenient way of splitting bandwidth by IP like dummynet. you have to
> create a queue and a filter rule per address by hand which is tedious and
> increasingly inefficient as the number of clients grows.
>
> your lan border is the wrong place to try to fight bandwidth-hogs because
> they have already hogged the bandwidth on the small pipe from your provider
> and it is not really useful to limit them to a trickle in the much larger
> pipe that is your lan.
>
> if possible, it would be much better to convince your ISP(s) to let you
> co-locate a BSD appliance to queue the traffic at their end of your WAN
> link(s) where it will do much more good.
>
> also there are a few outstanding PRs on altq at this time:
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-pf/20090208.freebsd-pf
>
> but if you choose to, the way to do it is to create an altq on your inside
> interface using cbq, borrow, and bandwidth equal to the sum of your ISP
> connections, then set up either a subqueue for each client, or subqueues
> for each class of service, and subqueues of those for the clients.
>
> I've seen some mentions that it is possible to use dummynet w/ pf. I have
> no idea how, but if true it might be a better option for you.

Tom, thanks for confirming all that I had hoped was not true;) I'm
going to look a bit closer at using dummynet with altq or just go back
to IPFW.

Thanks again,

ed
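A pf.conf sketch of the layout Tom describes (a cbq root on the inside interface sized to the sum of both uplinks, a borrowing 64 Kbit/s child queue per customer, and pass...route-to rules that pick the uplink by destination port). This is an added example, not code from the thread; the interface names, gateway and customer addresses, link speeds and port list are assumptions, and NAT plus filtering on the external interfaces are omitted.

```pf
# Constructed example; every interface, address and speed below is assumed.
ext_if1 = "em0"                # uplink to ISP1, assumed 2 Mbit/s
ext_if2 = "em1"                # uplink to ISP2, assumed 2 Mbit/s
int_if  = "em2"                # LAN facing the downstream customers
isp1_gw = "192.0.2.1"
isp2_gw = "198.51.100.1"
isp1_ports = "{ 25, 80, 443 }" # destination ports that must leave via ISP1

# two example customers, one queue each (constructed addresses)
cust_a = "10.0.0.10"
cust_b = "10.0.0.11"

# CBQ on the inside interface; the root bandwidth is the sum of both uplinks.
# Each customer class is guaranteed 64 Kbit/s and may borrow from the parent
# while it has spare capacity.  cbq requires one child marked default.
altq on $int_if cbq bandwidth 4Mb queue { cust_a_q, cust_b_q, other_q }
queue cust_a_q bandwidth 64Kb cbq(borrow)
queue cust_b_q bandwidth 64Kb cbq(borrow)
queue other_q  bandwidth 1Mb  cbq(default borrow)

# One filter rule per customer and uplink, as Tom warns: route-to picks the
# ISP by destination port, and the queue recorded in the state is applied to
# the reply packets when they leave $int_if, which is where the altq lives.
pass in quick on $int_if route-to ($ext_if1 $isp1_gw) proto tcp \
    from $cust_a to any port $isp1_ports queue cust_a_q keep state
pass in quick on $int_if route-to ($ext_if2 $isp2_gw) \
    from $cust_a to any queue cust_a_q keep state

pass in quick on $int_if route-to ($ext_if1 $isp1_gw) proto tcp \
    from $cust_b to any port $isp1_ports queue cust_b_q keep state
pass in quick on $int_if route-to ($ext_if2 $isp2_gw) \
    from $cust_b to any queue cust_b_q keep state

# anything else from the LAN leaves via ISP2 in the default queue
pass in quick on $int_if route-to ($ext_if2 $isp2_gw) \
    from $int_if:network to any queue other_q keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch the per-customer classes with `pfctl -vsq` to confirm traffic is landing in the intended queue.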