Date: Thu, 16 Sep 2004 03:52:27 -0000
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pfaltq FreeBSD (merged) problem
Message-ID: <20030930032151.GA4661@kt-is.co.kr>
In-Reply-To: <20030928164955.GA50979@toudi.cisovanet.pl>
References: <20030928164955.GA50979@toudi.cisovanet.pl>
On Sun, Sep 28, 2003 at 06:49:55PM +0200, Robert Krasicki wrote:
> Hello,
> I have problems with my configuration.
>
> I'm using the pf.conf configuration from http://openbsd.org/faq/pf/queueing.html (the first example).
>
> Of course I've replaced the interface names with the proper ones.
>
> ---------
> #####
> local_net = "192.168.0.0/24"
> ssh_ports = "{ 22 2022 }"
> im_ports = "{ 1863 5190 5222 }"
> ext_if="ed0"
> int_if="xl0"
>
> scrub in all no-df
>
> altq on $ext_if priq bandwidth 100Kb queue { std_out, ssh_im_out, dns_out, \
>     tcp_ack_out }
> queue std_out priq(default)
> queue ssh_im_out priority 4 priq(red)
> queue dns_out priority 5
> queue tcp_ack_out priority 6
>
> altq on $int_if cbq bandwidth 510Kb queue { std_in, ssh_im_in, dns_in, bob_in }
> queue std_in cbq(default)
> queue ssh_im_in priority 4
> queue dns_in priority 5
>
> nat on $ext_if from $int_if/24 to any -> $ext_if
>
> rdr on $ext_if proto tcp from any to $ext_if port 4000:4005 -> 192.168.0.6
> rdr on $ext_if proto tcp from any to $ext_if port 1551 -> 192.168.0.6
> rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.6
> rdr on $ext_if proto tcp from any to $ext_if port 416 -> 192.168.0.6
> rdr on $ext_if proto udp from any to $ext_if port 416 -> 192.168.0.6
>
> block in on $ext_if all
>
> block out on $ext_if all
> pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
>     keep state queue(std_out, tcp_ack_out)
> pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
> pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
>     keep state queue dns_out
> pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports \
>     flags S/SA keep state queue(std_out, ssh_im_out)
> pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports \
>     flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
>
> block in on $int_if all
> pass in on $int_if from $local_net
>
> block out on $int_if all
> pass out on $int_if from any to $local_net
> pass out on $int_if proto { tcp udp } from any port domain to $local_net \
>     queue dns_in
> pass out on $int_if proto tcp from any port $ssh_ports to $local_net \
>     queue(std_in, ssh_im_in)
> pass out on $int_if proto tcp from any port $im_ports to $local_net \
>     queue ssh_im_in
> ---
>
> All I want to achieve with this configuration is non-lagged ssh output.
> I'm using an ADSL 512/128 connection, and I would like to be able
> to connect to external SSH ports with no delays.
> When I'm uploading some file from my local computer (192.168.0.6) to a
> host on the Internet, e.g. 212.160.150.190, my ssh connection to e.g. 212.140.158.190 becomes lagged.
>
> According to the rules, it should work without any delays?
> Maybe I'm wrong; is it possible to achieve this?
>

I have not tried your rule set. I'm running -CURRENT so ALTQ is not supported.
In addition, there might be some problems with the ALTQ-patched ed and xl
drivers. At the moment, the ALTQ driver set for 5.1R is not perfect (IMO).
Maybe other people on this list can help you.

Also note, I can't see any tun or ng interface in your rule set. You must use
the pseudo interface tun (if you use ppp(8)) or ng (in case of mpd) instead of
your real external interface ed.

> PS. I'm using pf+altq merged for FreeBSD 5.1 Release
>
> Rules are being loaded with no errors, packets are being counted properly.
>

Loading without errors does not necessarily mean it works OK. You may want to
insert the 'log' keyword in your ruleset. Always start from the simplest rule
and add additional rules only after you can be sure it works as expected.

> Maybe you could provide me with the simplest ssh + tcp ack highest priority config?

You may want to see http://www.benzedrine.cx/ackpri.html. It explains the use
of prioritizing empty TCP ACKs with ALTQ. Of course, if the ALTQ driver for tun
does not work, you have no luck. (However, I believe the tun interface is
capable of ALTQ.)

> I've spent a few weeks trying to solve this problem.
>
> Thanks!
> Rob
>

Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
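As an added example (not part of this thread, the OpenBSD FAQ, or the ackpri page), here is the outbound half of the poster's ruleset with the two changes the reply recommends: ALTQ attached to the ppp(8) pseudo-interface that actually carries the PPPoE/ADSL traffic rather than to the Ethernet card, and empty TCP ACKs steered into a high-priority queue. The interface name tun0 and the 100Kb figure (a little under the 128Kb uplink, so the queue rather than the modem does the shaping) are assumptions.

```pf
# Added example, not the poster's or the FAQ's own ruleset.
# Assumption: ppp(8) creates tun0 for the ADSL 512/128 link; ed0 only
# carries the PPPoE frames, so queues on ed0 never see the IP traffic.
ext_if = "tun0"
int_if = "xl0"
local_net = "192.168.0.0/24"
ssh_ports = "{ 22 2022 }"

scrub in all no-df

# priq: the higher priority number is served first; std_out is the
# default queue for everything not assigned elsewhere.
altq on $ext_if priq bandwidth 100Kb queue { std_out, ssh_out, tcp_ack_out }
queue std_out priority 1 priq(default)
queue ssh_out priority 4
queue tcp_ack_out priority 6

# ($ext_if) follows the dynamic PPP address without a reload.
nat on $ext_if from $local_net to any -> ($ext_if)

block in on $ext_if all
block out on $ext_if all

# With two queues, pf puts empty TCP ACKs and packets with TOS lowdelay
# into the second one. So a bulk upload's data sits in std_out while the
# ACKs of concurrent downloads leave through tcp_ack_out and are not
# stuck behind it.
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)

# Interactive SSH sets TOS lowdelay, so it and its ACKs go to ssh_out;
# bulk scp (TOS throughput) stays in std_out with the other uploads.
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports \
    flags S/SA keep state queue(std_out, ssh_out)

pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state

pass in on $int_if from $local_net
pass out on $int_if from any to $local_net
```

After loading, `pfctl -vvsq` prints per-queue packet counters; if tcp_ack_out and ssh_out stay at zero during an upload, the queues are not on the interface the traffic really traverses, which is exactly the situation the reply describes.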