Hi there,
As we all know, there is only one way to shape the bandwidth the right way: the outgoing traffic (egress). Today I got into a situation with PF in which it seems not to be working the right way.
Here are my rules:
Code:
altq on em0 hfsc bandwidth 10Mb queue {std_up ftp_up sig_up}
queue std_up bandwidth 8% hfsc (default realtime 2% ecn )
queue ftp_up bandwidth 46% hfsc (realtime 39% ecn)
queue sig_up bandwidth 46% hfsc (realtime 39% ecn)
altq on em1 hfsc bandwidth 10Mb queue { std_down ftp_down sig_down}
queue std_down bandwidth 8% hfsc (default realtime 2% ecn )
queue ftp_down bandwidth 46% hfsc (realtime 39% ecn)
queue sig_down bandwidth 46% hfsc (realtime 39% ecn)
#FTP
nat on $ext_if from $ftp_lan to any -> $ftp_wan
#RDR
#FTP
rdr pass on $ext_if proto tcp from any to $ftp_wan port 21 -> $ftp_lan port 21
rdr pass on $ext_if proto tcp from any to $ftp_wan port 51000:65534 -> $ftp_lan port 51000:65534
#RULES
block in log all
pass out
################### WAN RULES ##########################
#discard traffic from or to bogon nets on external interfaces
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets
#drop any ipv6 as not implemented in our net
block drop in log quick proto ipv6
################## LAN RULES #########################
pass in on vlan1112 from vlan1112:network no state
############### Shaping
#Upload shaping pipe (external interface)
pass out on vlan1041 from $ftp_wan queue ftp_up
pass out on vlan1041 from $sig_lin_wan queue sig_up
pass out on vlan1041 from $sig_win_wan queue sig_up
#Download shaping pipe (outgoing to lan)
pass out on vlan1112 to $ftp_lan queue ftp_down no state
pass out on vlan1112 to $sig_lin_lan queue sig_down no state
pass out on vlan1112 to $sig_win_lan queue sig_down no state
The rules are as simple as they can be (I didn't show the macro definitions, but it seems obvious that this is not necessary).
So the problem is with the FTP rule: as soon as I try these rules, FTP outgoing traffic goes to the std_up queue. Why? Download traffic goes into the right one. If I test the sig_lin_wan rule, it goes into the right queue.
Code:
QUEUE BW SCH PRIO PKTS BYTES DROP_P DROP_B QLEN BORROW SUSPEN P/S B/S
root_em0 10M hfsc 0 0 0 0 0 0 0 0
std_up 800K hfsc 2680 3970890 11 16654 0 17 25235
ftp_up 4600K hfsc 0 0 0 0 0 0 0
sig_up 4600K hfsc 0 0 0 0 0 0 0
root_em1 10M hfsc 0 0 0 0 0 0 0 0
std_down 800K hfsc 0 0 0 0 0 0 0
ftp_down 4600K hfsc 1424 79468 0 0 0 7 431
sig_down 4600K hfsc 0 0 0 0 0 0 0
And it keeps going there whatever I do.
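As an added example (not part of the original post), a small sh/awk check that turns the queue counters above into a yes/no answer: which child queue under a root is actually carrying the bytes, and does it match the queue the rules were meant to hit. It assumes pftop's queue table layout exactly as the post shows it (hfsc child rows without PRIO/BORROW/SUSPEN columns); the sample table is constructed from the figures in the post.

```shell
#!/bin/sh
# Added example (not from the original post): read pftop-style ALTQ queue
# counters and report which child queue of a root is really carrying the
# bytes, so a misrouted flow shows up as a number rather than a hunch.

# Constructed sample, shaped like the post's pftop "queue" view.
# Root rows:  QUEUE BW SCH PRIO PKTS BYTES DROP_P DROP_B QLEN P/S B/S
# Child rows: QUEUE BW SCH PKTS BYTES DROP_P DROP_B QLEN P/S B/S  (hfsc: no prio/borrow/suspend)
SAMPLE='QUEUE BW SCH PRIO PKTS BYTES DROP_P DROP_B QLEN BORROW SUSPEN P/S B/S
root_em0 10M hfsc 0 0 0 0 0 0 0 0
std_up 800K hfsc 2680 3970890 11 16654 0 17 25235
ftp_up 4600K hfsc 0 0 0 0 0 0 0
sig_up 4600K hfsc 0 0 0 0 0 0 0
root_em1 10M hfsc 0 0 0 0 0 0 0 0
std_down 800K hfsc 0 0 0 0 0 0 0
ftp_down 4600K hfsc 1424 79468 0 0 0 7 431
sig_down 4600K hfsc 0 0 0 0 0 0 0'

# busiest_child ROOT  (reads the table on stdin)
# Prints the child queue under ROOT with the largest BYTES counter,
# or nothing if every child under ROOT is still at zero.
busiest_child() {
    awk -v root="$1" '
        BEGIN              { max = 0; best = "" }
        NR == 1            { next }               # column header
        $1 ~ /^root_/      { cur = $1; next }     # a root row starts a new group
        cur == root && $5 + 0 > max {             # $5 is BYTES on hfsc child rows
            max = $5 + 0; best = $1
        }
        END { if (best != "") print best }'
}

# queue_bytes QUEUE  (reads the table on stdin)
# Prints the BYTES counter of one child queue.
queue_bytes() {
    awk -v q="$1" '$1 == q && $1 !~ /^root_/ { print $5 + 0; exit }'
}

# check_queue ROOT EXPECTED  (reads the table on stdin)
# Returns 0 and prints OK when EXPECTED is the busiest child of ROOT;
# otherwise prints which queue took the traffic instead and returns 1.
check_queue() {
    best=$(busiest_child "$1")
    if [ "$best" = "$2" ]; then
        echo "OK: $2 is the busiest queue under $1"
        return 0
    fi
    echo "MISPLACED: expected $2 under $1, but ${best:-no queue} carries the bytes"
    return 1
}

# Stand-alone run against the constructed sample. On a live box, feed it
# the queue view of pftop instead. The em0 check is expected to report
# MISPLACED on this sample, so "|| :" keeps the script going.
printf '%s\n' "$SAMPLE" | check_queue root_em0 ftp_up || :
printf '%s\n' "$SAMPLE" | check_queue root_em1 ftp_down || :
```

Only the pftop table shape is handled; `pfctl -vsq` prints the same counters in a different layout and would need its own parser. When the busiest queue turns out to be the default one, as in the em0 group here, one pf behaviour is worth keeping in mind while reading the rules: pf records the queue of the rule that created a state and applies it to every later packet matching that state, and a `rdr pass` rule creates its state without any queue, so packets of a redirected connection are queued according to that rule rather than a later `pass out ... queue` rule.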
So I decided to try to cheat it and added this rule right after my first LAN rule:
Code:
pass in on vlan1112 from $ftp_lan queue ftp_up no state
From my network experience this is the wrong way of shaping (as traffic first gets in, then it is shaped), but it is the only way I can get it working.
So is this a bug, or some other specific PF and FTP problem? My FTP uses passive mode, all ports are redirected, and the matching passive ports are defined in proftpd.conf. I also have the MasqueradeAddress in proftpd.conf matching my $ftp_wan in pf.conf.
Any ideas? The OS is FreeBSD 9.0.