From: budsz
To: freebsd-pf@freebsd.org
Date: Fri, 3 Jul 2009 23:51:43 +0700
Subject: Problem PF and HFSC

Hello,

I am trying to use PF under FreeBSD 7.2-STABLE. Here is my config file:

# Global variables
ifint0="rl0"
ifext0="rl1"
ipcl = "{ 192.168.100.1, 192.168.100.2, 192.168.100.3, 192.168.100.4, 192.168.100.5, \
192.168.100.6, 192.168.100.7, 192.168.100.8, 192.168.100.11, 192.168.100.12, \
192.168.100.100 }"
ipunlimit = "{ !192.168.1.0/30, !192.168.100.200 }"

scrub in all

altq on $ifint0 hfsc bandwidth 1Mb queue { downstream }
queue downstream bandwidth 10% priority 0 hfsc (upperlimit 99% default)
altq on $ifext0 hfsc bandwidth 256Kb queue { upstream }
queue upstream bandwidth 10% priority 0 hfsc (upperlimit 99% default)

# Outgoing traffic (Downstream bandwidth)
pass out quick on $ifint0 from $ipunlimit to $ipcl queue (downstream)
# Incoming traffic (Upstream bandwidth)
pass out quick on $ifext0 from $ipcl to $ipunlimit queue (upstream)

These are my problems after testing:

1. Why can't PF limit incoming traffic on one interface? Let's say on rl0:

pass out quick on $ifint0 from $ipunlimit to $ipcl queue (downstream)
pass in quick on $ifint0 from $ipcl to $ipunlimit queue (upstream)

2. The hosts in the list $ipunlimit (192.168.1.0/30 and 192.168.100.200) still get limited. I want traffic from/to (192.168.1.0/30 and 192.168.100.200) to/from pccl to _not_ be limited, because that's for www/ssh on the local LAN.

3. I need suggestions for that rule. My purpose is link sharing for 11 IP addresses (downstream/upstream), so that if traffic saturation is reached, the clients still get a guarantee of 10% of total bandwidth (about 100KB downstream and 253.44Kb upstream each).

Thanks for your time.

-- 
budsz