HanX
December 1st, 2008, 10:22
Hi,
I'm using freebsd7, for a network bridge for a QOS.
My problem is :
- Separating interactive/non-interactive data doesn't work :\
Every packet goes in "q_datacenter_data", nothing in "q_datacenter_internet".
Other question,
to verify my rules, i use "pfctl -vvsq | grep ...". Other (better) solution possible?
Thanks,
HanX
My pf.conf:
===============================================
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Options ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set fingerprints "/etc/pf.os"
set skip on lo0
set state-policy if-bound
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interfaces ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ext_if = "em0"
int_if = "em1"
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Define" Variables ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Datacenter
HEB_EXP_1 = "10.63.0.0/16"
HEB_EXP_2 = "10.64.0.0/16"
HEB_EXP_3 = "10.65.0.0/16"
HEB_EXP_4 = "10.66.0.0/16"
HEB_SAV_1 = "10.127.0.0/16"
HEB_SAV_2 = "10.128.0.0/16"
HEB_SAV_3 = "10.129.0.0/16"
HEB_SAV_4 = "10.130.0.0/16"
HEB_OLD = "172.16.0.0/14"
# Réseau Beaux-Tailleurs
LAN_BT = "192.168.0.0/24"
LAN2_BT = "192.168.1.0/24"
GUEST_BT = "192.168.3.0/24"
TEST_BT = "192.168.4.0/24"
# ~~~~~ A utiliser... ~~~~~
serv_voip = "192.168.0.50"
table <lan> const { $LAN_BT, $GUEST_BT, $TEST_BT, $LAN2_BT }
table <datacenter> const { $HEB_EXP_1, $HEB_EXP_2, $HEB_EXP_3, $HEB_EXP_4, $HEB_SAV_1, $HEB_SAV_2, $HEB_SAV_3, $HEB_SAV_4, $HEB_OLD }
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Queues ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
altq on $ext_if cbq bandwidth 9.9Mb queue { q_voip, q_other }
queue q_voip bandwidth 1.4Mb priority 7 cbq(red)
queue q_other bandwidth 8.5Mb { q_lanbt, q_internet, q_datacenter }
queue q_lanbt bandwidth 2Mb priority 5 cbq(borrow red) { q_lan_bt_smb, q_lan_bt_other }
queue q_lan_bt_smb bandwidth 1Mb priority 3 cbq(borrow red)
queue q_lan_bt_other bandwidth 1Mb priority 4 cbq(borrow red)
queue q_datacenter bandwidth 3.5Mb priority 6 cbq(borrow red) { q_datacenter_login, q_datacenter_data }
queue q_datacenter_login bandwidth 1Mb priority 7 cbq(borrow red)
queue q_datacenter_data bandwidth 2.5Mb priority 3 cbq(borrow red)
queue q_internet bandwidth 3Mb priority 4 cbq(borrow default)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Règles de "filtrage" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Incoming from int_if
pass in quick on $int_if from any to any keep state
# Incomping from ext_if
pass in quick on $ext_if from any to any keep state
# VoIP (every udp data from a server)
pass out quick on $ext_if proto udp from $serv_voip to any keep state queue q_voip
# Lan BT
## Proto SMB
pass out quick on $ext_if proto { tcp, udp } from any to <lan> port { netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds } keep state queue q_lan_bt_smb
## Lan BT, every data (no SMB)...
pass out quick on $ext_if from any to <lan> keep state queue q_lan_bt_other
# LAN Datacenter
## Separates interactive and non interactive. Uses ToS, see ==> http://www.openbsd.org/faq/pf/fr/queueing.html#assign
## But it doesn't work (seperating non interactive)...
pass out quick on $ext_if proto tcp from any to <datacenter> port { 21, 22, 80, 443, 3389 } flags S/SA keep state queue(q_datacenter_data, q_datacenter_login)
## Other data to datacenter...
pass out quick on $ext_if from any to <datacenter> keep state queue q_datacenter_data
# Internet
pass out quick on $ext_if from any to any keep state queue q_internet
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============================================
I'm using freebsd7, for a network bridge for a QOS.
My problem is :
- Separating interactive/non-interactive data doesn't work :\
Every packet goes in "q_datacenter_data", nothing in "q_datacenter_internet".
Other question,
to verify my rules, i use "pfctl -vvsq | grep ...". Other (better) solution possible?
Thanks,
HanX
My pf.conf:
===============================================
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Options ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set fingerprints "/etc/pf.os"
set skip on lo0
set state-policy if-bound
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interfaces ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ext_if = "em0"
int_if = "em1"
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Define" Variables ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Datacenter
HEB_EXP_1 = "10.63.0.0/16"
HEB_EXP_2 = "10.64.0.0/16"
HEB_EXP_3 = "10.65.0.0/16"
HEB_EXP_4 = "10.66.0.0/16"
HEB_SAV_1 = "10.127.0.0/16"
HEB_SAV_2 = "10.128.0.0/16"
HEB_SAV_3 = "10.129.0.0/16"
HEB_SAV_4 = "10.130.0.0/16"
HEB_OLD = "172.16.0.0/14"
# Réseau Beaux-Tailleurs
LAN_BT = "192.168.0.0/24"
LAN2_BT = "192.168.1.0/24"
GUEST_BT = "192.168.3.0/24"
TEST_BT = "192.168.4.0/24"
# ~~~~~ A utiliser... ~~~~~
serv_voip = "192.168.0.50"
table <lan> const { $LAN_BT, $GUEST_BT, $TEST_BT, $LAN2_BT }
table <datacenter> const { $HEB_EXP_1, $HEB_EXP_2, $HEB_EXP_3, $HEB_EXP_4, $HEB_SAV_1, $HEB_SAV_2, $HEB_SAV_3, $HEB_SAV_4, $HEB_OLD }
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Queues ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
altq on $ext_if cbq bandwidth 9.9Mb queue { q_voip, q_other }
queue q_voip bandwidth 1.4Mb priority 7 cbq(red)
queue q_other bandwidth 8.5Mb { q_lanbt, q_internet, q_datacenter }
queue q_lanbt bandwidth 2Mb priority 5 cbq(borrow red) { q_lan_bt_smb, q_lan_bt_other }
queue q_lan_bt_smb bandwidth 1Mb priority 3 cbq(borrow red)
queue q_lan_bt_other bandwidth 1Mb priority 4 cbq(borrow red)
queue q_datacenter bandwidth 3.5Mb priority 6 cbq(borrow red) { q_datacenter_login, q_datacenter_data }
queue q_datacenter_login bandwidth 1Mb priority 7 cbq(borrow red)
queue q_datacenter_data bandwidth 2.5Mb priority 3 cbq(borrow red)
queue q_internet bandwidth 3Mb priority 4 cbq(borrow default)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Règles de "filtrage" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Incoming from int_if
pass in quick on $int_if from any to any keep state
# Incomping from ext_if
pass in quick on $ext_if from any to any keep state
# VoIP (every udp data from a server)
pass out quick on $ext_if proto udp from $serv_voip to any keep state queue q_voip
# Lan BT
## Proto SMB
pass out quick on $ext_if proto { tcp, udp } from any to <lan> port { netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds } keep state queue q_lan_bt_smb
## Lan BT, every data (no SMB)...
pass out quick on $ext_if from any to <lan> keep state queue q_lan_bt_other
# LAN Datacenter
## Separates interactive and non interactive. Uses ToS, see ==> http://www.openbsd.org/faq/pf/fr/queueing.html#assign
## But it doesn't work (seperating non interactive)...
pass out quick on $ext_if proto tcp from any to <datacenter> port { 21, 22, 80, 443, 3389 } flags S/SA keep state queue(q_datacenter_data, q_datacenter_login)
## Other data to datacenter...
pass out quick on $ext_if from any to <datacenter> keep state queue q_datacenter_data
# Internet
pass out quick on $ext_if from any to any keep state queue q_internet
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============================================