PF ALTQ on 3 NIC's

[Magnesik]

I have machine with 3 cards: rl0(internet), rl1(Lan1), rl2(Lan2). ##rl1 and rl2 are NATed.## wrong --> rl0 is only NATed

The question is:

How to write altq queues so that the sum of download bandwidth from internet(rl0) will be dynamically shaped among computers in these two networks?

For example: let's assume that my internet connection is 1 Mbps of download. In this case I have no idea what sholud I set on rl1 and rl2 in bandwith. I've tried this one:

altq on ($int1_if $int2_if) bandwidth 1024Kb ....

int1_if = rl1
int2_if = rl2
There is no error but it doesnt work in max download . Network gets down.

 

[DutchDaemon]

Post the rest of the queue rules. You cannot shape inbound traffic, only outbound traffic. So you should have outbound queue rules on rl1 and rl2 limiting outbound bandwidth to (in total) 1 Mbps.

 

[Magnesik]

This is my pf.conf before I've added third network card - rl2:

#interfaces
ext_if="rl0"
int_if="rl1"

#users
comp1="192.168.1.1"
comp2="192.168.1.2"
comp3="192.168.1.3"
comp4="192.168.1.4"
comp5="192.168.1.5"
comp6="192.168.1.6"
comp7="192.168.1.7"
comp8="192.168.1.8"


set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }


set skip on lo0


### QUEUEING ###

altq on $ext_if bandwidth 850Kb hfsc queue { up_def up_comp1 up_comp2 up_comp3 up_comp4 up_comp5 up_comp6 up_comp7 up_comp8 }

queue up_def         bandwidth    4% hfsc (default)

queue up_comp1       bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp2     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp3     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp4     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp5     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 

 
queue up_comp6     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp7     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp8     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


altq on $int_if bandwidth 15000Kb hfsc queue { dn_def dn_comp1 dn_comp2 dn_comp3 dn_comp4 dn_comp5 dn_comp6 dn_comp7 dn_comp8 }

queue dn_def         bandwidth    4% hfsc (default)

queue dn_comp1       bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp2      bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp3     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp4     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp5     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 

 
queue dn_comp6     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp7     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp8     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


#NAT
nat on $ext_if from !($ext_if) to any -> ($ext_if)

no rdr


#Firewall

block all

#RULES

pass in quick on $int_if from $comp1 to any tag comp11 keep state queue dn_comp1
pass out quick on $ext_if tagged comp1 keep state queue up_comp1

pass in quick on $int_if from $comp2 to any tag comp21 keep state queue dn_comp2
pass out quick on $ext_if tagged comp21 keep state queue up_comp1

pass in quick on $int_if from $comp3 to any tag comp31 keep state queue dn_comp3
pass out quick on $ext_if tagged comp31 keep state queue up_comp1

pass in quick on $int_if from $comp4 to any tag comp41 keep state queue dn_comp4
pass out quick on $ext_if tagged comp41 keep state queue up_comp1

pass in quick on $int_if from $comp5 to any tag comp51 keep state queue dn_comp5
pass out quick on $ext_if tagged comp51 keep state queue up_comp1

pass in quick on $int_if from $comp6 to any tag comp61 keep state queue dn_comp6
pass out quick on $ext_if tagged comp61 keep state queue up_comp1

pass in quick on $int_if from $comp7 to any tag comp71 keep state queue dn_comp7
pass out quick on $ext_if tagged comp71 keep state queue up_comp1

pass in quick on $int_if from $comp8 to any tag comp81 keep state queue dn_comp8
pass out quick on $ext_if tagged comp81 keep state queue up_comp1

pass out on $int_if inet from ($int_if) to any keep state
pass out on $ext_if from ($ext_if) to any keep state queue dn_comp1

Now I have several machines on the rl2 and my pf.conf looks like this:

#interfaces
ext_if="rl0"
int_if="rl1"
int2_if="rl2"

#On rl1
comp1="192.168.1.1"
comp2="192.168.1.2"
comp3="192.168.1.3"
comp4="192.168.1.4"
#On rl2
comp5="10.0.1.1"
comp6="10.0.1.2"
comp7="10.0.1.3"
comp8="10.0.1.4"


set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }


set skip on lo0


### QUEUEING ###

altq on $ext_if bandwidth 850Kb hfsc queue { up_def up_comp1 up_comp2 up_comp3 up_comp4 up_comp5 up_comp6 up_comp7 up_comp8 }

queue up_def         bandwidth    4% hfsc (default)

queue up_comp1       bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp2     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp3     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp4     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp5     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 

 
queue up_comp6     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp7     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue up_comp8     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


altq on ($int_if $int2_if) bandwidth 15000Kb hfsc queue { dn_def dn_comp1 dn_comp2 dn_comp3 dn_comp4 dn_comp5 dn_comp6 dn_comp7 dn_comp8 }

queue dn_def         bandwidth    4% hfsc (default)

queue dn_comp1       bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp2      bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp3     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp4     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp5     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 

 
queue dn_comp6     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp7     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


queue dn_comp8     bandwidth  12% hfsc (realtime 10% upperlimit 100%) 


#NAT
nat on $ext_if from !($ext_if) to any -> ($ext_if)

no rdr


#Firewall

block all

#RULES

pass in quick on $int_if from $comp1 to any tag comp11 keep state queue dn_comp1
pass out quick on $ext_if tagged comp1 keep state queue up_comp1

pass in quick on $int_if from $comp2 to any tag comp21 keep state queue dn_comp2
pass out quick on $ext_if tagged comp21 keep state queue up_comp1

pass in quick on $int_if from $comp3 to any tag comp31 keep state queue dn_comp3
pass out quick on $ext_if tagged comp31 keep state queue up_comp1

pass in quick on $int_if from $comp4 to any tag comp41 keep state queue dn_comp4
pass out quick on $ext_if tagged comp41 keep state queue up_comp1

pass in quick on $int2_if from $comp5 to any tag comp51 keep state queue dn_comp5
pass out quick on $ext_if tagged comp51 keep state queue up_comp1

pass in quick on $int2_if from $comp6 to any tag comp61 keep state queue dn_comp6
pass out quick on $ext_if tagged comp61 keep state queue up_comp1

pass in quick on $int2_if from $comp7 to any tag comp71 keep state queue dn_comp7
pass out quick on $ext_if tagged comp71 keep state queue up_comp1

pass in quick on $int2_if from $comp8 to any tag comp81 keep state queue dn_comp8
pass out quick on $ext_if tagged comp81 keep state queue up_comp1


pass out on $int_if from any to any keep state
pass out on $int2_if from any to any keep state

pass out on $ext_if from ($ext_if) to any keep state queue dn_comp1

In above code there is:

-added new interface rl2
-$int2_if added in download altq queue
-in "pass in" rules from 5 to 8 comp is changed "from" to int2_if (because these computers are at rl2 side)

I want to shape dynamicaly inbound traffic which comes from rl0 (internet) among rl1 and rl2.

My solution for this problem is not working. I mean "altq on ($int_if $int2_if) bandwidth 15000Kb ..."

 

[DutchDaemon]

http://www.openbsd.org/faq/pf/queueing.html contains some examples about dividing up bandwidth. As I said above: it needs to be done on outbound traffic (from the Internet to the LAN clients).

 

[Magnesik]

Unfortunately I don't see solution for me there. There are queues with static value of bandwidth. (I mean second example) In this example the sum of outbound traffic both interfaces behind server (dc0 and fxp1) is total download of T1 line (1.5 Mbps).

In my case I need to shape incomming (download) traffic dynamically between rl1 and rl2. If no one is downloading form internet behind rl1 then computers behind rl2 will have max of download (15 mbit) and vice versa. I don't want to divide bandwidth on static pieces.

My english is not well but I hope my post is enough understandable