From: "Ivan Petrushev"
To: freebsd-pf@freebsd.org
Date: Wed, 23 Jul 2008 12:03:00 +0300
Subject: Problems in basic usage of ALTQ
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

I'm trying to do very simple traffic shaping on my box with ALTQ. To begin with, I just want to restrict HTTP download speed (which is port 80) to a fixed number... let's say 100Kbps. I'm on an ADSL line providing me 12Mb down / 2Mb up (and I know every ADSL tutorial recommends limiting uploads), but for syntax learning purposes let's concentrate only on limiting download speed.

I've read some tutorials and I've arrived at the following code:

[code]
### Queueing
# I'm not sure what to set up for a total bandwidth - 100Mb for the carrier media (Cat5 cables) or 12Mb for the provided bandwidth
altq on re0 cbq bandwidth 12Mb queue {restrict, fast}
# This queue 'restrict' should get the shaped traffic
queue restrict bandwidth 100Kb cbq(default)
# This 'fast' queue should take some fast traffic, DNS requests for example.
queue fast bandwidth 500Kb priority 4

### Translation
# This is for my other PC and I don't think it plays a role here
nat pass on re0 from 192.168.0.5 to any -> 10.10.10.21

### Filtering
# Restrict traffic on port 80. This is my IP.
pass in on re0 proto tcp from any port 80 to 10.10.10.21 queue restrict
# Pass DNS requests on the 'fast' queue
pass in on re0 proto { udp, tcp } from any port 53 to 10.10.10.21 queue fast
[/code]

So I see DNS resolutions are done really fast (definitely faster than if they fell into the 'restricted' queue), but HTTP traffic is not going at the specified bandwidth. Instead it goes at about 3Mb. First I thought it was due to a wrong number here:

altq on re0 cbq bandwidth *100Mb* queue {restrict, fast}

But changing that was not reflected in any way - the downloads went on at 3Mb.

Second problem - how to build the rule for queuing the other PC's NATed bandwidth?
I tried

[code]
pass on re0 from any to 192.168.0.5 queue restrict
[/code]

and variations, but the traffic just didn't pass to the queue, i.e. the effect was nothing. I'm routing over only one NIC - re0 (using aliases - 10.10.10.21 and 192.168.0.5) and maybe this is wrong?