From: Volker
Date: Thu, 09 Nov 2006 13:40:02 +0100
To: Muhammad Reza
Cc: "FreeBSD \(PF\)"
Subject: Re: Re: pf.conf + altq problem
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On 37378-12-23 20:59, Muhammad Reza wrote:
> still does not work with the pass in rule.
>
> add info with this rule set:
>
> altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
> queue int_out bandwidth 3Mb
> queue dflt_out bandwidth 16Kb cbq (default)
>
> altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
> queue int_in bandwidth 3Mb
> queue dflt_in bandwidth 16Kb cbq (default)
>
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)
> pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in)
>
> if I only enable altq on one interface (xl1 or xl2), the traffic
> limitation that I want can be done.
>
> Is there something that can be done with ALTQ and PF, or is my rule
> bad ???
>
> please help me...
>
>
>> Try these rules:
>> pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)
>> pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_in)
>>
>> Gilberto
>>
>>
>> 2006/11/6, Muhammad Reza:
>>> Dear All.
>>>
>>> I start with a simple rule set on my pf bridge machine to limit
>>> bandwidth to 3Mbps from my server on lan to internet and from internet to
>>> my server on lan
>>> this is my setup:
>>>
>>> Internet ---xl1 xl2---LAN
>>>
>>> and my pf.conf
>>>
>>> lan="172.16.0.0/24"
>>> #ALTQ at outgoing interface to limit traffic 3 MBps from lan to internet
>>> altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
>>> queue int_out bandwidth 3Mb
>>> queue dflt_out bandwidth 16Kb cbq (default)
>>> #ALTQ at lan interface to limit traffic 3 MBps from internet to lan
>>> altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
>>> queue int_in bandwidth 3Mb cbq (default)
>>> queue dflt_in bandwidth 16Kb
>>>
>>> block on xl1
>>> pass in on xl1 from any to $lan
>>> pass out on xl1 from $lan to any
>>> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)
>>>
>>> block on xl2
>>> pass in on xl2 from $lan to any keep state
>>> pass out on xl2 from any to $lan keep state
>>> #pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in)
>>>
>>> I have done some tests with iperf with no luck.
>>> Is there something wrong with this rule set to accomplish my need?
>>> Please help
>>>
>>> Regards
>>> Reza

Reza,

you're really using just one queue:

> block on xl1
> pass in on xl1 from any to $lan
> pass out on xl1 from $lan to any
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)

As $lan is 172.16/24, rule number 3 (which goes to queue dflt_out)
catches all the packets you're wanting for queue int_out.

HTH,

Volker