ALTQ and PF problems

Hi,

I'm using FreeBSD 7 as a network bridge for QoS.

My problem is:
- Separating interactive/non-interactive data doesn't work :\
Every packet goes in "q_datacenter_data", nothing in "q_datacenter_internet".

Another question:
to verify my rules, I use "pfctl -vvsq | grep ...". Is another (better) solution possible?

Thanks,

HanX



My pf.conf:
===============================================
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Options ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set fingerprints "/etc/pf.os"
set skip on lo0
set state-policy if-bound
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interfaces ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ext_if = "em0"
int_if = "em1"
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Define" Variables ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Datacenter
HEB_EXP_1 = "10.63.0.0/16"
HEB_EXP_2 = "10.64.0.0/16"
HEB_EXP_3 = "10.65.0.0/16"
HEB_EXP_4 = "10.66.0.0/16"
HEB_SAV_1 = "10.127.0.0/16"
HEB_SAV_2 = "10.128.0.0/16"
HEB_SAV_3 = "10.129.0.0/16"
HEB_SAV_4 = "10.130.0.0/16"
HEB_OLD = "172.16.0.0/14"

# Beaux-Tailleurs network
LAN_BT = "192.168.0.0/24"
LAN2_BT = "192.168.1.0/24"
GUEST_BT = "192.168.3.0/24"
TEST_BT = "192.168.4.0/24"

# ~~~~~ To be used... ~~~~~
serv_voip = "192.168.0.50"
table <lan> const { $LAN_BT, $GUEST_BT, $TEST_BT, $LAN2_BT }
table <datacenter> const { $HEB_EXP_1, $HEB_EXP_2, $HEB_EXP_3, $HEB_EXP_4, $HEB_SAV_1, $HEB_SAV_2, $HEB_SAV_3, $HEB_SAV_4, $HEB_OLD }
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Queues ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
altq on $ext_if cbq bandwidth 9.9Mb queue { q_voip, q_other }

queue q_voip bandwidth 1.4Mb priority 7 cbq(red)

queue q_other bandwidth 8.5Mb { q_lanbt, q_internet, q_datacenter }

queue q_lanbt bandwidth 2Mb priority 5 cbq(borrow red) { q_lan_bt_smb, q_lan_bt_other }
queue q_lan_bt_smb bandwidth 1Mb priority 3 cbq(borrow red)
queue q_lan_bt_other bandwidth 1Mb priority 4 cbq(borrow red)

queue q_datacenter bandwidth 3.5Mb priority 6 cbq(borrow red) { q_datacenter_login, q_datacenter_data }
queue q_datacenter_login bandwidth 1Mb priority 7 cbq(borrow red)
queue q_datacenter_data bandwidth 2.5Mb priority 3 cbq(borrow red)

queue q_internet bandwidth 3Mb priority 4 cbq(borrow default)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Filtering" rules ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Incoming from int_if
pass in quick on $int_if from any to any keep state

# Incoming from ext_if
pass in quick on $ext_if from any to any keep state

# VoIP (every udp data from a server)
pass out quick on $ext_if proto udp from $serv_voip to any keep state queue q_voip

# Lan BT
## Proto SMB
pass out quick on $ext_if proto { tcp, udp } from any to <lan> port { netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds } keep state queue q_lan_bt_smb
## Lan BT, every data (no SMB)...
pass out quick on $ext_if from any to <lan> keep state queue q_lan_bt_other

# LAN Datacenter
## Separates interactive and non-interactive traffic. Uses ToS, see ==> http://www.openbsd.org/faq/pf/fr/queueing.html#assign
## But it doesn't work (separating non-interactive)...
pass out quick on $ext_if proto tcp from any to <datacenter> port { 21, 22, 80, 443, 3389 } flags S/SA keep state queue(q_datacenter_data, q_datacenter_login)

## Other data to datacenter...
pass out quick on $ext_if from any to <datacenter> keep state queue q_datacenter_data

# Internet
pass out quick on $ext_if from any to any keep state queue q_internet
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============================================
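Added example (not part of either post): a small Python model of the queue choice pf makes for a rule written as queue(q_datacenter_data, q_datacenter_login). pf.conf(5) documents that the second queue receives packets whose IP ToS has the lowdelay bit set, plus TCP ACKs carrying no payload, and that everything else goes to the first queue. The packet list is constructed for illustration; the values are not captures from the poster's bridge, and the function names are this example's own.

```python
# Added example: models the two-queue selection pf applies to a rule
# written "queue(first, second)". Per pf.conf(5), the second queue gets
# packets with the lowdelay ToS bit and TCP ACKs with no data; the rest
# goes to the first queue. Packets below are constructed for illustration.

IPTOS_LOWDELAY = 0x10  # ToS bit pf checks (IPTOS_LOWDELAY in <netinet/ip.h>)
TH_ACK = 0x10          # TCP ACK flag

RULE_QUEUES = ("q_datacenter_data", "q_datacenter_login")  # as in the pf rule above


def select_queue(queues, tos, tcp_flags=None, payload_len=0):
    """Return the queue name pf would assign.

    queues:      (first_queue, second_queue) as written in the rule
    tos:         IP ToS byte of the packet
    tcp_flags:   TCP flag byte, or None for non-TCP packets
    payload_len: bytes of TCP payload (0 for a pure ACK)
    """
    first, second = queues
    if tos & IPTOS_LOWDELAY:
        return second
    is_tcp_ack = tcp_flags is not None and bool(tcp_flags & TH_ACK)
    if is_tcp_ack and payload_len == 0:
        return second
    return first


# Constructed packets: (description, ToS byte, TCP flags, payload length).
# 0x18 = PSH|ACK, 0x10 = ACK only.
SAMPLE_PACKETS = [
    ("ssh interactive keystroke (client sets lowdelay)", 0x10, 0x18, 48),
    ("https data segment (ToS 0)",                       0x00, 0x18, 1400),
    ("https pure ACK",                                   0x00, 0x10, 0),
    ("rdp data segment (ToS 0)",                         0x00, 0x18, 900),
    ("scp bulk segment (client sets throughput)",        0x08, 0x18, 1400),
]


def classify(packets=SAMPLE_PACKETS, queues=RULE_QUEUES):
    """List of (description, assigned queue) for each packet."""
    return [(desc, select_queue(queues, tos, flags, plen))
            for desc, tos, flags, plen in packets]


def tally(packets=SAMPLE_PACKETS, queues=RULE_QUEUES):
    """Packet count per queue, i.e. what the pfctl -vvsq counters would grow by."""
    counts = {q: 0 for q in queues}
    for _, q in classify(packets, queues):
        counts[q] += 1
    return counts


if __name__ == "__main__":
    for desc, q in classify():
        print(f"{q:20s} <- {desc}")
    print(tally())
```

Only the lowdelay ssh keystroke and the empty ACK land in the second queue; HTTP, HTTPS and RDP data segments carry ToS 0 and stay in q_datacenter_data by design, so for those protocols the rule never produces a large count on q_datacenter_login. Whether interactive ssh lands there depends on the client setting the lowdelay bit at all (OpenSSH of the FreeBSD 7 era did so for interactive sessions; newer releases mark packets with DSCP values instead, which this test does not match). With the rule actually being evaluated, the second queue should at least see the payload-free ACKs of every datacenter-bound TCP session, so a counter that never moves at all points at the rule not being reached rather than at the ToS test.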
 
First of all:
Install sysutils/pftop. Press 8 once it's up. This shows you your queues.
Example:
Code:
pfTop: Up Queue 1-8/8, View: queue, Cache: 10000                         08:15:43

QUEUE               BW SCH  PR   PKTS BYTES DROP_P DROP_B QLEN BORR SUSP P/S  B/S
root_bfe0        1000K hfsc  0      0     0      0      0    0
 bulk             500K hfsc  0  1507K  993M     44  15098    0
 services         450K hfsc         0     0      0      0    0
  ssh             112K hfsc         0     0      0      0    0
  im_games        112K hfsc  3      0     0      0      0    0
  http            225K hfsc      4819  841K      0      0    0
   ssh_login     28125 hfsc  4    630 60132      0      0    0
   ssh_bulk      84375 hfsc    256488   20M      0      0    0

Could you provide that screen, would make it easier to debug.
Secondly, what are the chances that there simply is no traffic level for q_internet? I think:
pass in quick on $int_if from any to any keep state

is the culprit. Since it already is a state, it won't trigger "out on $ext_if".
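Added example (written for this thread, not code from either poster): a Python parser for the per-queue counters that pfctl -vvsq prints, plus a delta between two snapshots, as an alternative to grepping the output by hand or reading pftop's queue view. The two snapshots are constructed text in the shape of pfctl -vvsq output, not captured from the poster's system; the regexes assume the "queue <name> on <iface> ..." and "[ pkts: ... bytes: ... dropped pkts: ... bytes: ... ]" lines pfctl prints for CBQ queues, and the function names are this example's own.

```python
# Added example: parse the per-queue counters from "pfctl -vvsq" and show
# which queues grew between two snapshots. The snapshot text is
# constructed in the shape of pfctl's output, not captured from a system.
import re
import subprocess

# "queue  q_voip on em0 bandwidth 1.40Mb ..." (root and child queues alike)
QUEUE_RE = re.compile(r"^\s*queue\s+(?P<name>\S+)\s+on\s+(?P<iface>\S+)")
# "  [ pkts:  1200  bytes:  900000  dropped pkts:  0 bytes:  0 ]"
STATS_RE = re.compile(
    r"pkts:\s*(?P<pkts>\d+)\s+bytes:\s*(?P<bytes>\d+)"
    r"\s+dropped pkts:\s*(?P<drop_p>\d+)\s+bytes:\s*(?P<drop_b>\d+)"
)


def parse_queue_stats(text):
    """Map queue name -> {'iface', 'pkts', 'bytes', 'drop_p', 'drop_b'}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = m.group("name")
            stats[current] = {"iface": m.group("iface")}
            continue
        m = STATS_RE.search(line)
        if m and current is not None:
            stats[current].update({k: int(v) for k, v in m.groupdict().items()})
    return stats


def queue_deltas(before, after):
    """Counter growth per queue between two parsed snapshots."""
    deltas = {}
    for name, a in after.items():
        b = before.get(name)
        if b is None or "pkts" not in a or "pkts" not in b:
            continue  # queue appeared/disappeared or had no stats line
        deltas[name] = {
            "pkts": a["pkts"] - b["pkts"],
            "bytes": a["bytes"] - b["bytes"],
            "drop_p": a["drop_p"] - b["drop_p"],
        }
    return deltas


def active_queues(deltas):
    """Names of queues that received at least one packet, sorted."""
    return sorted(n for n, d in deltas.items() if d["pkts"] > 0)


def live_snapshot():
    """Read the real counters; needs root and ALTQ compiled into the kernel."""
    return subprocess.run(["pfctl", "-vvsq"], check=True,
                          capture_output=True, text=True).stdout


# Constructed snapshots, shaped like pfctl -vvsq output for the queues above.
SNAPSHOT_1 = """\
queue root_em0 on em0 bandwidth 9.90Mb priority 0 cbq( wrr root ) {q_voip, q_other}
  [ pkts:       1200  bytes:     900000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  q_voip on em0 bandwidth 1.40Mb priority 7 cbq( red )
  [ pkts:        100  bytes:      20000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  q_datacenter_login on em0 bandwidth 1Mb priority 7 cbq( borrow red )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  q_datacenter_data on em0 bandwidth 2.50Mb priority 3 cbq( borrow red )
  [ pkts:       1100  bytes:     880000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
"""

SNAPSHOT_2 = """\
queue root_em0 on em0 bandwidth 9.90Mb priority 0 cbq( wrr root ) {q_voip, q_other}
  [ pkts:       1510  bytes:    1132000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  q_voip on em0 bandwidth 1.40Mb priority 7 cbq( red )
  [ pkts:        160  bytes:      32000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  q_datacenter_login on em0 bandwidth 1Mb priority 7 cbq( borrow red )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  q_datacenter_data on em0 bandwidth 2.50Mb priority 3 cbq( borrow red )
  [ pkts:       1350  bytes:    1100000  dropped pkts:      2 bytes:   3000 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
"""

if __name__ == "__main__":
    d = queue_deltas(parse_queue_stats(SNAPSHOT_1), parse_queue_stats(SNAPSHOT_2))
    for name, delta in d.items():
        print(f"{name:20s} +{delta['pkts']:6d} pkts  +{delta['bytes']:8d} bytes  "
              f"+{delta['drop_p']} drops")
    print("queues that saw traffic:", active_queues(d))
```

On a real box, replace the two constants with two calls to live_snapshot() a few seconds apart while generating known traffic (an ssh login to a datacenter host, say) and check that only the expected queue grows; a rule that is never reached shows up as a queue whose delta stays at zero while the root queue and the default queue keep counting.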
 