From: John Mok
Date: Wed, 25 Apr 2007 23:26:09 +0800
To: freebsd-pf@freebsd.org
Subject: Newbie question - Both Ingress & Egress traffic shaping on WAN link needed ?
Message-ID: <462F7311.3040306@attglobal.net>

Hi,

I have a newbie question. I would like to shape the traffic between the local subnet and the WAN link (e.g. Frame Relay or ATM) of the company private network. The bandwidth of the WAN link is only 512Kbps, and the bandwidth of the local subnet is 100Mbps.

    Uplink router ----WAN link 512K---- Downlink router --- local subnet
    (HQ subnet)                         (local subnet)

I would like to deploy a FreeBSD bridge + PF between the downlink router and the main switch of the local subnet, such that the chance of network congestion on the WAN link / uplink router is kept to a minimum and the interactive applications (e.g. Internet proxy access, or mail client) are made more responsive:

    altq on $bridge_if hfsc bandwidth 512Kb queue { icmp, dns, mail, other }
    ....
    queue icmp hfsc(linkshare 2Kb upperlimit 4Kb) { icmp_in, icmp_out }
    queue dns hfsc(linkshare 4Kb upperlimit 8Kb) { dns_in, dns_out }
    queue mail hfsc(linkshare 250Kb) { mail_in, mail_out }
    queue other hfsc(default) { other_in, other_out }
    ....
    queue icmp_in priority 10 priq(red)
    queue icmp_out priority 5 priq(red)
    queue dns_in priority 10 priq(red)
    queue dns_out priority 5 priq(red)
    queue mail_in priority 10 priq(red)
    queue mail_out priority 5 priq(red)
    ....
    pass out quick on $bridge_if inet proto icmp from $int_net to any queue icmp_out
    pass out quick on $bridge_if inet proto icmp from !$int_net to any queue icmp_in
    pass out quick on $bridge_if inet proto { tcp, udp } from $int_net to any port 53 queue dns_out
    pass out quick on $bridge_if inet proto { tcp, udp } from !$int_net to any port 53 queue dns_in
    pass out quick on $bridge_if inet proto { tcp, udp } from $int_net to any port { 25, 109, 110, 143, 220, 995 } queue mail_out
    pass out quick on $bridge_if inet proto { tcp, udp } from !$int_net to any port { 25, 109, 110, 143, 220, 995 } queue mail_in
    ....

My question is whether it is necessary to account for the incoming traffic in the queue, such that the outgoing traffic could give way to the incoming traffic. For example, the smtp gateway could utilize the full 512Kb to deliver the mails to the local mail server, rather than it being used by the file sharing traffic.

In that situation, without accounting for the incoming traffic as above and shaping the outgoing traffic (i.e. almost completely discarded), would it cause network congestion on the uplink router when someone shares the bandwidth for file copying?

Thanks a lot.

John Mok