ALTQ with transparent proxy on firewall

M

Magnesik

I have small network with few machines. It looks like this:

Code: 
Wan ---- rl0 [FREEBSD] rl1---- LAN

The problem is how to make dynamic shape of download and upload for these machines when on server is running trasnparent proxy (squid) Outgoing connections through rl0 (upload) look like from local machine (server) and queues for clients are useless. Is there any possible solution?
 
Code: 
ext_if="rl0"
int_if="rl1"


set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }


set skip on lo

altq on $ext_if   bandwidth 900Kb hfsc queue { std_out, www_out, dns_out, tcp_ack_out }

queue std_out     bandwidth  5% priority 3 qlimit 500 hfsc (default)
queue www_out     bandwidth 30% priority 4 qlimit 500 hfsc (realtime   30%)
queue dns_out     bandwidth 30% priority 5 qlimit 500 hfsc (realtime   20%)
queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime   30%)



nat on $ext_if from !($ext_if) to any -> ($ext_if)

rdr pass on $int_if inet proto {tcp, udp} from any to any port www -> 127.0.0.1 port 3128


block out on $ext_if
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SAFR keep state queue (std_out, tcp_ack_out)
pass out on $ext_if inet proto {udp icmp} from ($ext_if) to any keep state
pass out on $ext_if inet proto {tcp udp} from ($ext_if) to any port domain keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port {80, 443} keep state queue (www_out, tcp_ack_out)

port 3128 is squid
 
I notice you have

Code: 
pass out on $ext_if inet proto tcp from ($ext_if)

I usually allow the internal network out i.e

Code: 
pass out on $ext_if inet proto tcp from $localnet

where $localnet is a macro representing the internal network in CIDR notation
 
As you can see my pf.conf shapes upload traffic only in general. It doesnt relate with each machine. The problem is how to - for example - write queue for relevant machine upload when the source of packet (which is going through the external interface) is from local machine (in this case from server)? Unfortunately squid hides computers behind him.
 
I may not be understanding properly.
Squid is on the internal interface of your server acting as a network gateway.
You want to shape traffic from a server behind the gateway server?
Even with squid in place you should be able to queue traffic to a destination port like port 80. Something like

Code: 
pass out on $ext_if inet proto tcp from $localnet to any port {80, 443} keep state queue (www_out, tcp_ack_out)
 
triumdh you have right but I want to divide upload equally and dynamically for existing users. For example we have 3 machines: 192.168.1.101-3. The maximum upload is 1Mbit.

300 kbit for 192.168.1.101
300 kbit for 192.168.1.102
300 kbit for 192.168.1.103
100 kbit for the rest

My present pf.conf has problem with shaping upload traffic because when some client use the whole of upload the rest of clients have problem with lags.

As I think the right queue to shapre traffic without squid should look like this:

Code: 
pass out on $ext_if inet proto tcp from 192.168.1.101 to any port {80, 443} keep state queue (www_out_1, tcp_ack_out_1)

It will not work because packets to port 80 are generated by squid and they look like they are sended by server not as client. (Am I right?)
 
Squid is not an issue with the firewall or shaping.

Type

Code: 
tcpdump rl0 port 80


and you should see your Internet traffic

Create queues (or sub-queues under the www_out queue) for individual IP addresses and it should work.
 
Does it have a sens?

Code: 
altq on $ext_if   bandwidth 900Kb hfsc queue {user1, user2, rest}

queue rest      bandwidth  10% priority 3 qlimit 500 hfsc (default)

queue user1     bandwidth 45% priority 6 qlimit 500 hfsc (realtime   30%) {std_out, www_out, dns_out, tcp_ack_out}
	
	queue std_out     bandwidth  5% priority 3 qlimit 500 hfsc 
	queue www_out     bandwidth 30% priority 4 qlimit 500 hfsc (realtime   30%)
	queue dns_out     bandwidth 30% priority 5 qlimit 500 hfsc (realtime   20%)
	queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime   30%)

queue user2     bandwidth 45% priority 6 qlimit 500 hfsc (realtime   30%) {std_out, www_out, dns_out, tcp_ack_out}
	
	queue std_out     bandwidth  5% priority 3 qlimit 500 hfsc 
	queue www_out     bandwidth 30% priority 4 qlimit 500 hfsc (realtime   30%)
	queue dns_out     bandwidth 30% priority 5 qlimit 500 hfsc (realtime   20%)
	queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime   30%)

If yes - how to write rules for childs?
 
I missed this earlier. You will need to tag redirected squid traffic.

Code: 
rdr pass on $int_if inet proto {tcp, udp} from any to any port www tag www_int_if -> 127.0.0.1 port 3128

and use the tagged traffic in your rules
 
Can somebody give me a clue how to write queues to shape traffic dynamically among i.e. 2 computers and at once (in their main queues) provide them priority of acks, dns and www?
 
This might help using hfsc. It is only an example but it works.

Code: 
altq on wan0 bandwidth 1Mb hfsc queue { q_pri, q_def, q_any }
 queue q_pri bandwidth 49%           priority 7 hfsc
 queue q_def bandwidth 49%           priority 5 hfsc (linkshare 49%) {q_1,q_2,ssh_login,q_3,q_4}
   queue ssh_login bandwidth 96%       priority 5 hfsc
   queue q_1    bandwidth 1%           priority 4 hfsc
   queue q_2    bandwidth 1%           priority 4 hfsc
   queue q_3    bandwidth 1%           priority 4 hfsc
   queue q_4    bandwidth 1%           priority 3 hfsc (default)
 queue q_any bandwidth  1% qlimit 25   priority 3 hfsc (upperlimit 272Kb)

Then

Code: 
pass out on wan0 inet proto { tcp, udp } from $localnet to any port $SSH keep state queue (ssh_login, q_pri)

The information is in the man pages.
 
triumdh said:
I missed this earlier. You will need to tag redirected squid traffic.

Code: 
rdr pass on $int_if inet proto {tcp, udp} from any to any port www tag www_int_if -> 127.0.0.1 port 3128

and use the tagged traffic in your rules
Click to expand...

Will packets still have the tags after they pass the squid? How can I check it?
 
You must log in or register to reply here.
Back
Top