Date: Sun, 08 Apr 2007 11:12:39 -0700
From: Drew Tomlinson <drew@mykitchentable.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf and ALTQ - I Don't Understand
Message-ID: <46193097.2040303@mykitchentable.net>
In-Reply-To: <4619226E.1030105@mykitchentable.net>
References: <4619226E.1030105@mykitchentable.net>
On 4/8/2007 10:12 AM Drew Tomlinson said the following:
> I am struggling to get pf set up correctly. Specifically I don't
> understand why I don't see any packets in the "pfctl -vs queue" output
> for a queue I named "voip_out". I see the packets matching rule 61 &
> rule 62 when viewing the log with "tcpdump -netttti pflog0":
>
> 2007-04-08 09:54:25.392552 rule 61/0(match): pass in on dc0:
> 192.168.1.7.5060 > 72.165.163.9.5060: SIP, length: 394
> 2007-04-08 09:54:54.580693 rule 62/0(match): pass in on dc0:
> 192.168.1.7 > 192.168.1.2: ICMP echo request, id 16724, seq 43514,
> length 40
> 2007-04-08 09:55:13.532744 rule 61/0(match): pass in on dc0:
> 192.168.1.7.5060 > 72.165.163.9.5060: SIP, length: 394
>
> Rules 61 & 62 are:
>
> @61 pass log quick inet proto udp from 192.168.1.7 to any keep state
> queue voip_out
> [ Evaluations: 7237 Packets: 44 Bytes: 18502
> States: 1 ]
> @62 pass log quick inet proto icmp from 192.168.1.7 to any keep state
> queue voip_out
> [ Evaluations: 331 Packets: 142 Bytes: 8520
> States: 1 ]
>
> Yet here is the "pfctl -vs queue" output:
>
> queue voip_out bandwidth 175Kb priority 6 hfsc( realtime 140Kb )
> [ pkts: 0 bytes: 0 dropped pkts: 0
> bytes: 0 ]
> [ qlength: 0/ 50 ]
> [ measured: 0.0 packets/s, 0 b/s ]
>
> I have rules to prioritize http traffic and queuing works as expected
> there. Can anyone please explain to me why I am seeing this
> behavior? And is there some way to actually watch traffic passing
> through the queues?

OK, I've done some more digging and maybe I understand now. I was missing the fact that NAT occurs BEFORE filtering (yes, now I see where it's written in the OpenBSD PF FAQ). :)

So with this in mind, is there a way to write a rule to put traffic from a node on the internal network in a specific queue? For example, I want my VoIP phone (192.168.1.7) device to have outbound priority over all other traffic.

My network is configured like this:

internal network ----- dc0 - FBSD router - dc1 ----- Internet

So what's happening is that the traffic from the VoIP device enters the router via dc0 and matches rule 61 as listed above. But then NAT occurs and now the packet is no longer from 192.168.1.7 but my public IP and thus it doesn't match rule 61. It matches rule 75 which is:

@75 pass log-all quick inet proto udp from 66.205.146.210 to any keep state queue(std_out, ack_out)

I can also see via tcpdump that the destination ports are either 5060 or 5200 so I guess I could filter on that. But I really don't want to prioritize traffic to 5060 or 5200 from ALL nodes on my internal network, just from 192.168.1.7. Plus what about the case where a destination port might be random? Then how would one filter?

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
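An added pf.conf fragment, not from this thread, that lays out the interaction described above (NAT on dc1 rewrites the source before the outbound filter runs, so a rule keyed on 192.168.1.7 can only match on dc0) and shows one way to carry the queue choice across the translation: the inbound rule on dc0 tags the phone's packets with pf's `tag` keyword, and an outbound rule on dc1 placed ahead of the general rule matches them with `tagged`, independent of address or port. Interface names, the phone's address, the public address and the voip_out queue come from the message; the tag name, the root queue layout, the uplink rate and the std_out/ack_out figures are assumed.

```pf
# Added example, not from the thread. dc0/dc1, 192.168.1.7, 66.205.146.210
# and the voip_out queue are from Drew's message; the tag name, the root
# queue, the uplink rate and the std_out/ack_out figures are assumed.
int_if = "dc0"
ext_if = "dc1"
voip   = "192.168.1.7"
pub_ip = "66.205.146.210"      # source address written by the nat rule below

# Queues are defined on the outbound interface. 1000Kb is an assumed uplink rate.
altq on $ext_if hfsc bandwidth 1000Kb queue { voip_out, std_out, ack_out }
queue voip_out bandwidth 175Kb priority 6 hfsc(realtime 140Kb)
queue std_out  bandwidth 600Kb priority 1 hfsc(default)
queue ack_out  bandwidth 225Kb priority 4

# Translation runs before the filter rules on $ext_if, so when an outbound
# packet is filtered there its source is already $pub_ip, not $voip.
nat on $ext_if from $int_if:network to any -> $pub_ip

# Inbound on dc0 the packet still carries the private source address.
# Tag it here; the tag is kept in the state and follows the packet
# through NAT, so it is still visible when the packet is filtered on dc1.
pass in quick on $int_if inet proto { udp, icmp } from $voip to any \
    tag VOIP keep state

# On dc1, match the tag rather than the (now translated) address.
# This rule must precede the general outbound rule, which is 'quick'
# and would otherwise assign the packet to std_out/ack_out.
pass out quick on $ext_if tagged VOIP keep state queue voip_out

# The general outbound rule corresponding to @75 in the message.
pass out log quick on $ext_if inet proto udp from $pub_ip to any \
    keep state queue(std_out, ack_out)
```

After loading this, "pfctl -vs queue" should show the packet counters of voip_out moving while the phone is in a call, which is the check Drew asked for.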