2c2b ALTQ with transparent proxy on firewall [Archive] - The FreeBSD Forums
PDA

View Full Version : ALTQ with transparent proxy on firewall

Magnesik
August 27th, 2010, 15:56
I have small network with few machines. It looks like this:

Wan ---- rl0 [FREEBSD] rl1---- LAN

The problem is how to make dynamic shape of download and upload for these machines when on server is running trasnparent proxy (squid) Outgoing connections through rl0 (upload) look like from local machine (server) and queues for clients are useless. Is there any possible solution?
triumdh
August 28th, 2010, 04:23
Can you post your pf.conf?
Magnesik
August 28th, 2010, 10:28
ext_if="rl0"
int_if="rl1"


set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }


set skip on lo

altq on $ext_if bandwidth 900Kb hfsc queue { std_out, www_out, dns_out, tcp_ack_out }

queue std_out bandwidth 5% priority 3 qlimit 500 hfsc (default)
queue www_out bandwidth 30% priority 4 qlimit 500 hfsc (realtime 30%)
queue dns_out bandwidth 30% priority 5 qlimit 500 hfsc (realtime 20%)
queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime 30%)



nat on $ext_if from !($ext_if) to any -> ($ext_if)

rdr pass on $int_if inet proto {tcp, udp} from any to any port www -> 127.0.0.1 port 3128


block out on $ext_if
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SAFR keep state queue (std_out, tcp_ack_out)
pass out on $ext_if inet proto {udp icmp} from ($ext_if) to any keep state
pass out on $ext_if inet proto {tcp udp} from ($ext_if) to any port domain keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port {80, 443} keep state queue (www_out, tcp_ack_out)




port 3128 is squid
triumdh
August 28th, 2010, 14:40
I notice you have

pass out on $ext_if inet proto tcp from ($ext_if)

I usually allow the internal network out i.e

pass out on $ext_if inet proto tcp from $localnet

where $localnet is a macro representing the internal network in CIDR notation
Magnesik
August 28th, 2010, 16:11
As you can see my pf.conf shapes upload traffic only in general. It doesnt relate with each machine. The problem is how to - for example - write queue for relevant machine upload when the source of packet (which is going through the external interface) is from local machine (in this case from server)? Unfortunately squid hides computers behind him.
triumdh
August 29th, 2010, 00:25
I may not be understanding properly.
Squid is on the internal interface of your server acting as a network gateway.
You want to shape traffic from a server behind the gateway server?
Even with squid in place you should be able to queue traffic to a destination port like port 80. Something like

pass out on $ext_if inet proto tcp from $localnet to any port {80, 443} keep state queue (www_out, tcp_ack_out)
Magnesik
August 29th, 2010, 10:31
triumdh you have right but I want to divide upload equally and dynamically for existing users. For example we have 3 machines: 192.168.1.101-3. The maximum upload is 1Mbit.

300 kbit for 192.168.1.101
300 kbit for 192.168.1.102
300 kbit for 192.168.1.103
100 kbit for the rest

My present pf.conf has problem with shaping upload traffic because when some client use the whole of upload the rest of clients have problem with lags.

As I think the right queue to shapre traffic without squid should look like this:

pass out on $ext_if inet proto tcp from 192.168.1.101 to any port {80, 443} keep state queue (www_out_1, tcp_ack_out_1)

It will not work because packets to port 80 are generated by squid and they look like they are sended by server not as client. (Am I right?)
triumdh
August 29th, 2010, 15:11
Squid is not an issue with the firewall or shaping.

Type

tcpdump rl0 port 80


and you should see your Internet traffic

Create queues (or sub-queues under the www_out queue) for individual IP addresses and it should work.
triumdh
August 29th, 2010, 15:12
That should be

tcpdump -i r10 port 80
Magnesik
August 29th, 2010, 17:17
Does it have a sens?

altq on $ext_if bandwidth 900Kb hfsc queue {user1, user2, rest}

queue rest bandwidth 10% priority 3 qlimit 500 hfsc (default)

queue user1 bandwidth 45% priority 6 qlimit 500 hfsc (realtime 30%) {std_out, www_out, dns_out, tcp_ack_out}

queue std_out bandwidth 5% priority 3 qlimit 500 hfsc
queue www_out bandwidth 30% priority 4 qlimit 500 hfsc (realtime 30%)
queue dns_out bandwidth 30% priority 5 qlimit 500 hfsc (realtime 20%)
queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime 30%)

queue user2 bandwidth 45% priority 6 qlimit 500 hfsc (realtime 30%) {std_out, www_out, dns_out, tcp_ack_out}

queue std_out bandwidth 5% priority 3 qlimit 500 hfsc
queue www_out bandwidth 30% priority 4 qlimit 500 hfsc (realtime 30%)
queue dns_out bandwidth 30% priority 5 qlimit 500 hfsc (realtime 20%)
queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime 30%)

If yes - how to write rules for childs?
triumdh
August 30th, 2010, 04:04
pfctl -vvsq

Will give you information on what your queues are doing
triumdh
August 31st, 2010, 11:55
I missed this earlier. You will need to tag redirected squid traffic.

rdr pass on $int_if inet proto {tcp, udp} from any to any port www tag www_int_if -> 127.0.0.1 port 3128

and use the tagged traffic in your rules
Magnesik
September 4th, 2010, 10:09
Can somebody give me a clue how to write queues to shape traffic dynamically among i.e. 2 computers and at once (in their main queues) provide them priority of acks, dns and www?
triumdh
September 5th, 2010, 16:02
This might help using hfsc. It is only an example but it works.

altq on wan0 bandwidth 1Mb hfsc queue { q_pri, q_def, q_any }
queue q_pri bandwidth 49% priority 7 hfsc
queue q_def bandwidth 49% priority 5 hfsc (linkshare 49%) {q_1,q_2,ssh_login,q_3,q_4}
queue ssh_login bandwidth 96% priority 5 hfsc
queue q_1 bandwidth 1% priority 4 hfsc
queue q_2 bandwidth 1% priority 4 hfsc
queue q_3 bandwidth 1% priority 4 hfsc
queue q_4 bandwidth 1% priority 3 hfsc (default)
queue q_any bandwidth 1% qlimit 25 priority 3 hfsc (upperlimit 272Kb)


Then

pass out on wan0 inet proto { tcp, udp } from $localnet to any port $SSH keep state queue (ssh_login, q_pri)

The information is in the man pages.
Magnesik
September 14th, 2010, 12:32
I missed this earlier. You will need to tag redirected squid traffic.

rdr pass on $int_if inet proto {tcp, udp} from any to any port www tag www_int_if -> 127.0.0.1 port 3128

and use the tagged traffic in your rules

Will packets still have the tags after they pass the squid? How can I check it?
0