PF ALTQ priority queueing - queue length always zero

The scenario I'm working on is as follows. There are 3 PCs (virtual), one of which is running FreeBSD 10.1. The other two machines are connected via interfaces 192.168.64.1 and 192.168.66.1. With queueing off, everything works just as expected. I'd like to create two queues - one with higher priority than the other. They should serve all types of traffic but the higher priority queue must handle certain addresses while the lower priority must handle traffic originating from any other IP address.

Here's my ALTQ (and PF) config:

Code:
altq on em0 priq bandwidth 100Mb queue { em0_hp, em0_lp }
altq on em1 priq bandwidth 100Mb queue { em1_hp, em1_lp }

queue em0_hp priority 15 qlimit 5000 priq
queue em0_lp priority 0 qlimit 5000 priq(default)

queue em1_hp priority 15 qlimit 5000 priq
queue em1_lp priority 0 qlimit 5000 priq(default)

blacklist = "{192.168.64.50}"

pass in quick on em0 from $blacklist to any queue(em0_lp) no state
pass in on em0 from any to any queue(em0_hp) no state
pass in quick on em1 from $blacklist to any queue(em1_lp) no state
pass in on em1 from any to any queue(em1_hp) no state

The problem with it is that it seems to work only when the traffic is low. When higher, packets are dropped instead of being served by either of the queues.

I guess the best testing scenario is to flood the interface with traffic, here's what happens:

Code:
root@client:~# hping3 192.168.64.2 --icmp --flood
HPING 192.168.64.2 (eth1 192.168.64.2): icmp mode set, 28 headers + 0 data bytes
hping in flood mode, no replies will be shown
--- 192.168.64.2 hping statistic ---
6188249 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

and the resulting stats on the "server":

Code:
[root@server~]# pfctl -s rules -v
pass in quick on em0 inet from 192.168.64.50 to any no state queue em0_lp
[ Evaluations: 6169061 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 40708 State Creations: 0 ]
pass in on em0 all no state queue em0_hp
[ Evaluations: 6164234 Packets: 6164234 Bytes: 172598552 States: 0 ]
[ Inserted: uid 0 pid 40708 State Creations: 0 ]
pass in quick on em1 inet from 192.168.64.50 to any no state queue em1_lp
[ Evaluations: 6164285 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 40708 State Creations: 0 ]
pass in on em1 all no state queue em1_hp
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 40708 State Creations: 0 ]


[root@server ~]# pfctl -s queue -v
queue em0_hp on em0 priority 15 qlimit 5000
[ pkts: 4776 bytes: 200592 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]
queue em0_lp on em0 priority 0 qlimit 5000 priq( default )
[ pkts: 1 bytes: 42 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]
queue em1_hp on em1 priority 15 qlimit 5000
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]
queue em1_lp on em1 priority 0 qlimit 5000 priq( default )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]

I also tried spoofing the IP address:

Code:
root@client:~# hping3 192.168.64.2 --icmp --flood --spoof 192.168.64.50
HPING 192.168.64.2 (eth1 192.168.64.2): icmp mode set, 28 headers + 0 data bytes
hping in flood mode, no replies will be shown
--- 192.168.64.2 hping statistic ---
7575372 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

which results in:

Code:
[root@server ~]# pfctl -s rules -v
pass in quick on em0 inet from 192.168.64.50 to any no state queue em0_lp
[ Evaluations: 7561384 Packets: 7555583 Bytes: 211556324 States: 0 ]
[ Inserted: uid 0 pid 41443 State Creations: 0 ]
pass in on em0 all no state queue em0_hp
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 41443 State Creations: 0 ]
pass in quick on em1 inet from 192.168.64.50 to any no state queue em1_lp
[ Evaluations: 30 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 41443 State Creations: 0 ]
pass in on em1 all no state queue em1_hp
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 41443 State Creations: 0 ]
[root@mxlab65 ~]# pfctl -s rules -v
pass in quick on em0 inet from 192.168.64.50 to any no state queue em0_lp
[ Evaluations: 7561404 Packets: 7555583 Bytes: 211556324 States: 0 ]
[ Inserted: uid 0 pid 41443 State Creations: 0 ]
pass in on em0 all no state queue em0_hp
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 41443 State Creations: 0 ]
pass in quick on em1 inet from 192.168.64.50 to any no state queue em1_lp
[ Evaluations: 50 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 41443 State Creations: 0 ]
pass in on em1 all no state queue em1_hp
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 41443 State Creations: 0 ]


[root@server ~]# pfctl -s queue -v
queue em0_hp on em0 priority 15 qlimit 5000
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]
queue em0_lp on em0 priority 0 qlimit 5000 priq( default )
[ pkts: 30 bytes: 1260 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]
queue em1_hp on em1 priority 15 qlimit 5000
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]
queue em1_lp on em1 priority 0 qlimit 5000 priq( default )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]

Any lead much appreciated.
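
Added example, not part of the original post: a Python script that parses `pfctl -s rules -v` and `pfctl -s queue -v` output and reports, per queue, how many rule-matched packets appear in neither the queue's `pkts` nor its `dropped pkts` counter. The function names are made up for this example, and the embedded sample is the em0 output quoted above, trimmed.

```python
import re

# Sample input: pfctl output from the first flood test in the post (trimmed).
RULES = """\
pass in quick on em0 inet from 192.168.64.50 to any no state queue em0_lp
[ Evaluations: 6169061 Packets: 0 Bytes: 0 States: 0 ]
pass in on em0 all no state queue em0_hp
[ Evaluations: 6164234 Packets: 6164234 Bytes: 172598552 States: 0 ]
"""
QUEUES = """\
queue em0_hp on em0 priority 15 qlimit 5000
[ pkts: 4776 bytes: 200592 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]
queue em0_lp on em0 priority 0 qlimit 5000 priq( default )
[ pkts: 1 bytes: 42 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/5000 ]
"""

def rule_packets(text):
    """Sum the Packets counter of each rule, keyed by the queue it assigns."""
    totals, queue = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            if queue and (c := re.search(r"Packets:\s*(\d+)", line)):
                totals[queue] = totals.get(queue, 0) + int(c.group(1))
        else:
            m = re.search(r"\bqueue\s+\(?(\w+)", line)
            queue = m.group(1) if m else None
    return totals

def queue_stats(text):
    stats, name = {}, None  # name -> iface, pkts, dropped, qlen, qlimit
    for line in text.splitlines():
        if m := re.match(r"\s*queue\s+(\w+)\s+on\s+(\w+)", line):
            name = m.group(1)
            stats[name] = {"iface": m.group(2)}
        elif name and (m := re.search(r"pkts:\s*(\d+).*dropped pkts:\s*(\d+)", line)):
            stats[name].update(pkts=int(m.group(1)), dropped=int(m.group(2)))
        elif name and (m := re.search(r"qlength:\s*(\d+)/\s*(\d+)", line)):
            stats[name].update(qlen=int(m.group(1)), qlimit=int(m.group(2)))
    return stats

def unaccounted(rules_text, queues_text):  # matched minus queued minus dropped
    matched, stats = rule_packets(rules_text), queue_stats(queues_text)
    return {q: matched.get(q, 0) - s["pkts"] - s["dropped"] for q, s in stats.items()}

if __name__ == "__main__":
    print(unaccounted(RULES, QUEUES))
```

A negative value means the queue carried packets that none of the listed rules assigned to it, as with the default queue `em0_lp` here.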
 