Date: Fri, 22 Aug 2008 19:10:25 +0100
From: assetburned <freebsd@assetburned.de>
To: freebsd-questions@freebsd.org
Subject: PF traffic management on two devices + VPN
Message-ID: <8E840E6F-C998-4C92-A5C3-D9611407B72E@assetburned.de>
Hi,

I use PF to manage the traffic going through a VPN connection (ng0 to ng1). I am also able to manage the traffic on the devices where I expect the VPN traffic (ed1 and ed2). But now my problems start: I also want to manage the outgoing traffic on ed0 to the WAN side. On my router Squid is installed, so I thought that all packets generated by my FreeBSD machine could be put into a queue for ed0. If I check the settings with pftop then everything looks fine. But it looks like the limits for the upper limit are totally ignored. So I did a check from the other side. I installed an Apache on that server and tried to download a file from that server. And hey, there is my bandwidth management. So I am confused. How can I handle the traffic generated by the Squid on the router on the WAN interface?

cu
assetburned

---- my pf.config ----
#
# Version 2008-08-22-014
# based on https://calomel.org/pf_config.html
# manual at: http://www.openbsd.org/faq/pf/

### some basics ###
# the following line is only possible if the two variables are defined before this line!
# IntIF = "{" $IntIF1 $IntIF2 "}"
#
# the following line is not possible. there have to be at least two variables!
# ExtIF = "{" $ExtIF1 "}"
#
# the following line is not possible because there would be {something {something, something}}
# Whatever = "{" $ExtIF1 $IntIF "}"

##### Interfaces #####
ExtIF1 = "ed0"   # this is the WAN connection
IntIF1 = "ed1"   # this is the real connection to all 192.168.4.x
IntIF2 = "ed2"   # this is the real connection to all 192.168.3.x
LocIF  = "lo0"
ExtIF  = "ed0"
IntIF  = "{" $IntIF1 $IntIF2 "}"
VPNIF0 = "ng0"
VPNIF1 = "ng1"
# keep in mind this is only usable for nat and rdr and not for the pass rules because of the different queues!
VPNIF  = "{" $VPNIF0 $VPNIF1 "}"

##### Speeds #####
### Interface ###
E1_speed     = "1Mb"
IntIF1_speed = "10Mb"
IntIF2_speed = "10Mb"
VPN_speed    = "3Mb"
### Protocol ###
VPN_green = "1Mb"
VPN_yello = "512Kb"
VPN_red   = "256Kb"

##### Hosts #####
# for the case there are internal servers
H_squid   = "192.168.5.5"
H_sshd    = "192.168.4.5"
H_vpnd    = "192.168.4.5"
H_apache  = "192.168.4.5"
H_apacheV = "192.168.5.5"    # the proxy where the PAC file is hosted inside the VPN
H_mail    = "10.10.98.217"   # have to check that, this is another lab computer!
# special LSBU servers (green listed)
H_LOVE_MA = "10.10.60.60"    # mail.
H_LOVE_BB = "10.10.76.13"    #
H_LOVE_EC = "10.10.98.146"   #
H_LOVE_PB = "10.10.109.128"  #
H_LOVE_WW = "10.10.109.120"  #
H_LOVE_LB = "10.10.109.180"  #
H_LOVE_LP = "10.10.109.178"  #
H_LOVE_LR = "10.10.109.181"  #
H_LOVE_DH = "any"            # the DHCP server
H_LOVE = "{" $H_LOVE_MA $H_LOVE_BB $H_LOVE_EC $H_LOVE_PB $H_LOVE_WW $H_LOVE_LB $H_LOVE_LP $H_LOVE_LR "}"

#### Protocols ####
# Well known ports
P_squid   = "3128"
P_msproxy = "8080"
P_proxy   = "{" $P_squid $P_msproxy "}"
P_http    = "80"
P_https   = "443"
P_brows   = "{" $P_http $P_https "}"
P_pop3    = "110"
P_pop3s   = "995"
P_imaps   = "993"
P_imap    = "143"
P_smtp    = "25"
P_smtps   = "465"
P_mail    = "{" $P_pop3 $P_pop3s $P_imaps $P_imap $P_smtp $P_smtps "}"
P_ssh     = "22"
P_dns     = "53"
P_vpnd    = "1723"
P_samba   = "{ 137, 138, 139 }"
## Low Priority Squid ##
P_LPS     = "31280"

#### Host & Port combinations ####
HP_squid   = $H_squid " port " $P_squid
HP_LPS     = $H_squid " port " $P_LPS
HP_apache  = $H_apache " port " $P_http
HP_apacheV = $H_apacheV " port " $P_http
HP_vpnd    = $H_vpnd " port " $P_vpnd
HP_mail    = $H_mail " port {" $P_pop3 $P_pop3s $P_imaps $P_imap $P_smtp $P_smtps "}"

#### Networks ####
N_ExtIF1 = "10.10.0.0/16"
N_IntIF1 = "192.168.4.0/24"
N_IntIF2 = "192.168.3.0/24"
N_VPN    = "192.168.5.0/24"
# I don't know why it isn't possible to use the variables from above.
N_intern = "{ 192.168.4.0/24 , 192.168.3.0/24 }"
N_priv1  = "127.0.0.0/8"
N_priv2  = "172.16.0.0/12"
N_priv3  = "169.254.0.0/16"
N_priv4  = "192.168.0.0/16"
N_privat = "{ 127.0.0.0/8 , 172.16.0.0/12 , 169.254.0.0/16 , 192.168.0.0/16 }"

### States & Queues ###
SynState = "flags S/SAFR synproxy state"
TcpState = "flags S/SAFR modulate state"
UdpState = "keep state"

### Stateful Tracking Options ###
ExtIfSTO = "(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
IntIfSTO = "(max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)"

### Options ###
set optimization aggressive
set block-policy drop
set ruleset-optimization basic

##### Normalization #####
# to hide what is going on in the LAN
# and to be sure that an optimum of payload is sent by each packet.
scrub log on $ExtIF all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#### queueing ####
# check for example: http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained
# check for more: http://puffer.sru.ac.th/OpenBSD/firewall page 213ff
# check also : https://calomel.org/pf_config.html
#
# Two things to keep in mind when reading the trees below:
# - ALTQ only schedules packets that *leave* an interface.  A queue on ed0 shapes
#   what this box sends towards the WAN (replies from the local Apache, Squid's
#   requests).  What Squid downloads from the WAN arrives on ed0 and can only be
#   queued on the interface where it leaves again (ed1, ed2, ng0, ng1).
# - A percentage in a child queue, including the percentages inside its hfsc()
#   service curves, is a share of the *parent* queue, not of the link.  E1_ICM's
#   "2%" below is 2% of E1_Imp's 100Kb, i.e. 2Kb; children that are meant to use
#   all of their parent must add up to 100%.

## physical interfaces ##
altq on $ExtIF1 bandwidth $E1_speed hfsc(linkshare $E1_speed upperlimit $E1_speed) queue { E1_Imp, E1_LSB, E1_Ext, E1_def }
 queue E1_Imp bandwidth 10% qlimit 500 priority 9 hfsc( linkshare 10% ) { E1_ICM, E1_DNS }
  queue E1_ICM bandwidth 2% priority 8 hfsc( realtime 2% )
  queue E1_DNS bandwidth 8% priority 8 hfsc( realtime 8% )
 queue E1_LSB bandwidth 50% priority 8 hfsc( linkshare 50% ) { E1_LSS, E1_PUB, E1_OTH }
  queue E1_LSS bandwidth 5% qlimit 500 priority 7 hfsc( realtime 5% ) { E1_SLO, E1_SBU }
   queue E1_SLO bandwidth 1% priority 6 hfsc
   queue E1_SBU bandwidth 4% priority 6 hfsc
  queue E1_PUB bandwidth 30% qlimit 500 priority 7 hfsc( realtime 30% ) { E1_PCO, E1_PBU }
   queue E1_PCO bandwidth 10% priority 6 hfsc
   queue E1_PBU bandwidth 20% priority 6 hfs
   queue E1_PBU bandwidth 20% priority 6 hfsc
  queue E1_OTH bandwidth 15% qlimit 500 priority 6 hfsc( realtime 15% ) { E1_OCO, E1_OBU }
   queue E1_OCO bandwidth 10% priority 5 hfsc
   queue E1_OBU bandwidth 5% priority 5 hfsc
 queue E1_Ext bandwidth 35% priority 7 hfsc( linkshare 35% ) { E1_GOO, E1_BAD }
  queue E1_GOO bandwidth 30% qlimit 500 priority 6 hfsc( realtime 30% ) { E1_GCO, E1_GBU }
   queue E1_GCO bandwidth 10% priority 5 hfsc
   queue E1_GBU bandwidth 20% priority 5 hfsc
  queue E1_BAD bandwidth 5% priority 5 hfsc( realtime 5% ) { E1_BCO, E1_BBU }
   queue E1_BCO bandwidth 2% priority 4 hfsc
   queue E1_BBU bandwidth 3% priority 4 hfsc
 queue E1_def bandwidth 5% priority 1 hfsc( realtime 5% upperlimit 20% default )

altq on $IntIF1 bandwidth $IntIF1_speed hfsc(linkshare $IntIF1_speed upperlimit $IntIF1_speed) queue { I1_VPN, I1_non, I1_def }
 queue I1_VPN bandwidth 80% priority 9 hfsc( linkshare 80% )
 queue I1_non bandwidth 19% priority 5 hfsc( linkshare 18% )
 queue I1_def bandwidth 1% priority 1 hfsc( realtime 1% linkshare 2% default )

altq on $IntIF2 bandwidth $IntIF2_speed hfsc(linkshare $IntIF2_speed upperlimit $IntIF2_speed) queue { I2_VPN, I2_non, I2_def }
 queue I2_VPN bandwidth 80% priority 9 hfsc( linkshare 80% )
 queue I2_non bandwidth 19% priority 5 hfsc( linkshare 18% )
 queue I2_def bandwidth 1% priority 1 hfsc( realtime 1% linkshare 2% default )

## vpn interfaces ##
altq on $VPNIF0 bandwidth $VPN_speed hfsc(linkshare $VPN_speed upperlimit $VPN_speed) queue { VPNIF0_green, VPNIF0_yello, VPNIF0_red }
 queue VPNIF0_green bandwidth $VPN_green priority 9 hfsc( linkshare $VPN_green )
 queue VPNIF0_yello bandwidth $VPN_yello priority 5 hfsc( linkshare $VPN_yello )
 queue VPNIF0_red   bandwidth $VPN_red   priority 1 hfsc( realtime $VPN_red linkshare $VPN_red upperlimit $VPN_red default )

altq on $VPNIF1 bandwidth $VPN_speed hfsc(linkshare $VPN_speed upperlimit $VPN_speed) queue { VPNIF1_green, VPNIF1_yello, VPNIF1_red }
 queue VPNIF1_green bandwidth $VPN_green priority 9 hfsc( linkshare $VPN_green )
 queue VPNIF1_yello bandwidth $VPN_yello priority 5 hfsc( linkshare $VPN_yello )
 queue VPNIF1_red   bandwidth $VPN_red   priority 1 hfsc( realtime $VPN_red linkshare $VPN_red upperlimit $VPN_red default )

##### Translation #####
## NAT ##
nat on $ExtIF from $N_intern to $N_ExtIF1 port $P_dns -> ($ExtIF1)
nat on $ExtIF from $N_VPN to $N_ExtIF1 port $P_brows -> ($ExtIF1)
nat on $ExtIF from $N_VPN to $H_mail/32 port $P_mail -> ($ExtIF1)

## RDR ##
no rdr on $LocIF from any to any
# all local traffic to proxies or webpages should be redirected to the local Apache
rdr on $IntIF1 inet proto tcp from any to any port $P_brows -> $H_apache port 80
rdr on $IntIF2 inet proto tcp from any to any port $P_brows -> $H_apache port 80

## first global blocking rules ##
# remember: because there is no quick in these rules they can be overridden by later rules!
# NOTE: with the next line commented out ed0 has no default deny at all; everything on ed0
# that no later rule matches is passed (pf's default policy), not blocked.
# block on $ExtIF
block on $IntIF
block on $VPNIF

# block some bad ssh hackers
# (while the table definition stays commented out, the table is created empty when the
#  rule is loaded and the rule blocks nothing)
# table <denyhosts> persist file "/var/db/denyhosts"
block drop in quick from <denyhosts> to any

## do not send or receive LAN traffic on the WAN ##
block in quick on $ExtIF1 inet from any to $N_privat
block in quick on $ExtIF1 inet from $N_privat to any
block out quick on $ExtIF1 inet from any to $N_privat
block out quick on $ExtIF1 inet from $N_privat to any

# now make the blocking rules more precise
# i know it is useless, but nice to see in pftop and maybe at some point this should be converted to pass rules
## Samba is not allowed ##
block in inet proto tcp from any port $P_samba to any
block in inet proto udp from any port $P_samba to any
block out inet proto tcp from any to any port $P_samba
block out inet proto udp from any to any port $P_samba

## Pass rules for physical interfaces ##
# allow users without a VPN connection to see the VPN server's login page
pass in quick on $IntIF1 inet proto tcp from $IntIF1:network to $HP_apache keep state queue (I1_non, I1_VPN)
pass in quick on $IntIF2 inet proto tcp from $IntIF2:network to $HP_apache keep state queue (I2_non, I2_VPN)

# put the VPN (PPTP/GRE) traffic into its own queue on the right interface.
# GRE leaving ed2 is sourced from ed2's own address, not from $H_vpnd (which is the
# ed1 address), so match on the interface address instead of the fixed host.
pass out quick on $IntIF1 inet proto gre from ($IntIF1) to $IntIF1:network queue I1_VPN
pass out quick on $IntIF2 inet proto gre from ($IntIF2) to $IntIF2:network queue I2_VPN

## Pass rules for VPN interfaces ##
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $HP_apacheV queue VPNIF0_green
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $HP_squid queue VPNIF0_green
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $HP_LPS queue (VPNIF0_yello, VPNIF0_green)
pass in quick on $VPNIF0 inet proto udp from ($VPNIF0:peer) to any port $P_dns queue VPNIF0_green
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $H_LOVE port $P_brows queue VPNIF0_green
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $HP_mail queue (VPNIF0_yello, VPNIF0_green)
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $N_ExtIF1 port $P_brows queue (VPNIF0_yello, VPNIF0_green)
pass in quick on $VPNIF0 inet proto icmp from ($VPNIF0:peer) to $N_ExtIF1 icmp-type 8 code 0 queue (VPNIF0_yello, VPNIF0_green)
pass out quick on $VPNIF0 inet proto icmp from any to ($VPNIF0:peer) icmp-type 8 code 0 queue (VPNIF0_yello, VPNIF0_green)

# (the first ng1 rule used ($VPNIF0:peer) by mistake; it has to be ng1's own peer)
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $HP_apacheV queue VPNIF1_green
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $HP_squid queue VPNIF1_green
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $HP_LPS queue (VPNIF1_yello, VPNIF1_green)
pass in quick on $VPNIF1 inet proto udp from ($VPNIF1:peer) to any port $P_dns queue VPNIF1_green
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $H_LOVE port $P_brows queue VPNIF1_green
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $HP_mail queue (VPNIF1_yello, VPNIF1_green)
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $N_ExtIF1 port $P_brows queue (VPNIF1_yello, VPNIF1_green)
pass in quick on $VPNIF1 inet proto icmp from ($VPNIF1:peer) to $N_ExtIF1 icmp-type 8 code 0 queue (VPNIF1_yello, VPNIF1_green)
pass out quick on $VPNIF1 inet proto icmp from any to ($VPNIF1:peer) icmp-type 8 code 0 queue (VPNIF1_yello, VPNIF1_green)

## Pass rules for the WAN interface ##
# none of these is "quick", so the last matching rule wins: the first rule already
# accepts every TCP port on this box from the whole lab network, the more specific
# rules after it only pick a different queue.
pass in on $ExtIF1 inet proto tcp from $N_ExtIF1 to ($ExtIF1) $TcpState $ExtIfSTO queue (E1_OBU, E1_OCO)
pass in on $ExtIF1 inet proto tcp from $H_LOVE to ($ExtIF1) port $P_brows $TcpState $ExtIfSTO queue (E1_PBU, E1_PCO)
pass in on $ExtIF1 inet proto tcp from $N_ExtIF1 to ($ExtIF1) port $P_ssh $TcpState $ExtIfSTO queue (E1_SLO, E1_SBU)
pass in on $ExtIF1 inet proto udp from $N_ExtIF1 to ($ExtIF1) port $P_dns $UdpState $ExtIfSTO queue E1_DNS
pass in on $ExtIF1 inet proto icmp from $N_ExtIF1 to ($ExtIF1) icmp-type 8 code 0 $UdpState $ExtIfSTO queue E1_ICM
pass in on $ExtIF1 inet proto tcp from ! $N_ExtIF1 to ($ExtIF1) $TcpState $ExtIfSTO queue (E1_BBU, E1_BCO)
pass in on $ExtIF1 inet proto tcp from ! $N_ExtIF1 to ($ExtIF1) port $P_brows $TcpState $ExtIfSTO queue (E1_GBU, E1_GCO)
pass in on $ExtIF1 inet proto udp from ! $N_ExtIF1 to ($ExtIF1) port $P_dns $UdpState $ExtIfSTO queue E1_DNS

# outbound on ed0: locally generated traffic (Squid, Apache replies) and NATed VPN traffic
# both carry ed0's address here, so these rules are what shapes the *upload* side.
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to $N_ExtIF1 $TcpState $ExtIfSTO queue (E1_OBU, E1_OCO)
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to $H_LOVE port $P_brows $TcpState $ExtIfSTO queue (E1_PBU, E1_PCO)
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to $N_ExtIF1 port $P_ssh $TcpState $ExtIfSTO queue (E1_SLO, E1_SBU)
pass out on $ExtIF1 inet proto udp from ($ExtIF1) to $N_ExtIF1 port $P_dns $UdpState $ExtIfSTO queue E1_DNS
pass out on $ExtIF1 inet proto icmp from ($ExtIF1) to $N_ExtIF1 icmp-type 8 code 0 $UdpState $ExtIfSTO queue E1_ICM
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to ! $N_ExtIF1 $TcpState $ExtIfSTO queue (E1_BBU, E1_BCO)
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to ! $N_ExtIF1 port $P_brows $TcpState $ExtIfSTO queue (E1_GBU, E1_GCO)
pass out on $ExtIF1 inet proto udp from ($ExtIF1) to ! $N_ExtIF1 port $P_dns $UdpState $ExtIfSTO queue E1_DNS

#
# still to optimize
#
pass in on $IntIF1 queue I1_non
pass in on $IntIF2 queue I2_non
pass in on lo0
pass out on lo0
pass out on $IntIF1 queue I1_non
pass out on $IntIF2 queue I2_non
## EOF ##
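The ed0 queue tree in the mail is easy to misread: pfctl resolves a percentage in a child queue, and the percentages inside that queue's hfsc() service curves, against the parent queue's bandwidth, not against the link, so the sub-queues of E1_Imp get 2% and 8% of 100Kb rather than of 1Mb. The script below is an added example (not code from the mail, and not part of pf or pfctl) that walks an altq/queue tree with the same integer arithmetic pfctl uses (ref_bw / 100 * percent), reports the absolute rate of every queue, and applies two admission rules pfctl enforces at load time: the realtime curves on one interface may not exceed 80% of that interface's bandwidth, and exactly one queue per interface must be the default. It covers only the subset of the syntax used in this pf.conf (b/Kb/Mb/Gb and percentages, hfsc() with realtime, upperlimit and default, and the one-level realtime(m1 d m2) form); the embedded configuration is the ed0 tree from the mail with the $E1_speed macro expanded to 1Mb, and the function names are mine.

```python
"""Resolve an ALTQ/HFSC queue tree the way pfctl does.  Added example, not code from the mail."""
import re
_UNITS = {"": 1, "b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}       # pfctl's units are decimal
_ALTQ = re.compile(r"^\s*altq\s+on\s+(\S+)\s+bandwidth\s+(\S+).*?\bqueue\s*\{([^}]*)\}")
_QUEUE = re.compile(r"^\s*queue\s+(\S+)\s+bandwidth\s+(\S+)(.*)$")
_HFSC = re.compile(r"\bhfsc\s*\(((?:[^()]|\([^()]*\))*)\)")          # allows realtime(m1 d m2)

def parse_bw(spec, ref_bw):
    """bit/s; a percentage is a share of ref_bw, the PARENT queue's rate (the link for a
    top-level queue), with the integer arithmetic of pfctl's eval_bwspec: ref_bw / 100 * pct."""
    spec = spec.strip()
    if spec.endswith("%"):
        return ref_bw // 100 * int(spec[:-1])
    m = re.fullmatch(r"(\d+)(b|Kb|Mb|Gb)?", spec)
    if not m:
        raise ValueError("bad bandwidth spec %r" % spec)
    return int(m.group(1)) * _UNITS[m.group(2) or ""]

def _curve(opts, key):
    # m2 of 'key <bw>' or 'key(m1 d m2)' inside hfsc(...); None if that curve is absent
    m = re.search(r"\b%s\s*(\(([^)]*)\)|\S+)" % key, opts)
    return (m.group(2) or m.group(1)).split()[-1] if m else None

def resolve(conf):
    """Return ({ifname: link rate}, {queue: info}) with every rate made absolute."""
    roots, raw, parent_of = {}, {}, {}
    names = lambda s: [n for n in re.split(r"[\s,]+", s) if n]
    for line in conf.splitlines():
        line = line.split("#", 1)[0]
        if (m := _ALTQ.match(line)):
            roots[m.group(1)] = parse_bw(m.group(2), 0)
            parent_of.update((k, m.group(1)) for k in names(m.group(3)))
        elif (m := _QUEUE.match(line)):
            name, bw, rest = m.groups()
            km = re.search(r"\{([^}]*)\}\s*$", rest)
            kids = names(km.group(1)) if km else []
            parent_of.update((k, name) for k in kids)
            raw[name] = (bw, hm.group(1) if (hm := _HFSC.search(rest)) else "", kids)
    queues = {}
    def walk(name, ifname, parent_bw, parent):           # parents are resolved before children
        if name not in raw:
            raise ValueError("queue %s listed under %s but never defined" % (name, parent))
        bw_spec, opts, kids = raw[name]
        bw = parse_bw(bw_spec, parent_bw)
        if bw > parent_bw:
            raise ValueError("bandwidth for %s higher than parent %s" % (name, parent))
        rt, ul = _curve(opts, "realtime"), _curve(opts, "upperlimit")
        queues[name] = {"ifname": ifname, "parent": parent, "children": kids, "bandwidth": bw,
                        "realtime": parse_bw(rt, parent_bw) if rt else 0,
                        "upperlimit": parse_bw(ul, parent_bw) if ul else 0,
                        "default": bool(re.search(r"\bdefault\b", opts))}
        for k in kids:
            walk(k, ifname, bw, name)
    for ifname, link in roots.items():
        for k in [k for k, p in parent_of.items() if p == ifname]:
            walk(k, ifname, link, ifname)
    return roots, queues

def check(roots, queues):
    """Two pfctl admission rules that reject an HFSC tree at load time."""
    problems = []
    for ifname, link in roots.items():
        mine = [q for q in queues.values() if q["ifname"] == ifname]
        rt = sum(q["realtime"] for q in mine)
        if rt > link // 100 * 80:                         # pfctl keeps 20% of the link uncommitted
            problems.append("%s: realtime curves sum to %d b/s, above 80%% of %d" % (ifname, rt, link))
        if sum(q["default"] for q in mine) != 1:
            problems.append("%s: exactly one queue must be marked default" % ifname)
    return problems

ED0_CONF = """\
altq on ed0 bandwidth 1Mb hfsc(linkshare 1Mb upperlimit 1Mb) queue {E1_Imp, E1_LSB, E1_Ext, E1_def }
queue E1_Imp bandwidth 10% qlimit 500 priority 9 hfsc( linkshare 10% ) {E1_ICM, E1_DNS}
queue E1_ICM bandwidth 2% priority 8 hfsc(realtime 2% )
queue E1_DNS bandwidth 8% priority 8 hfsc(realtime 8% )
queue E1_LSB bandwidth 50% priority 8 hfsc( linkshare 50% ) {E1_LSS, E1_PUB, E1_OTH}
queue E1_LSS bandwidth 5% qlimit 500 priority 7 hfsc(realtime 5% ) {E1_SLO, E1_SBU}
queue E1_SLO bandwidth 1% priority 6 hfsc
queue E1_SBU bandwidth 4% priority 6 hfsc
queue E1_PUB bandwidth 30% qlimit 500 priority 7 hfsc(realtime 30% ) {E1_PCO, E1_PBU}
queue E1_PCO bandwidth 10% priority 6 hfsc
queue E1_PBU bandwidth 20% priority 6 hfsc
queue E1_OTH bandwidth 15% qlimit 500 priority 6 hfsc(realtime 15% ) {E1_OCO, E1_OBU}
queue E1_OCO bandwidth 10% priority 5 hfsc
queue E1_OBU bandwidth 5% priority 5 hfsc
queue E1_Ext bandwidth 35% priority 7 hfsc( linkshare 35% ) {E1_GOO, E1_BAD}
queue E1_GOO bandwidth 30% qlimit 500 priority 6 hfsc(realtime 30% ) {E1_GCO, E1_GBU}
queue E1_GCO bandwidth 10% priority 5 hfsc
queue E1_GBU bandwidth 20% priority 5 hfsc
queue E1_BAD bandwidth 5% priority 5 hfsc(realtime 5% ) {E1_BCO, E1_BBU}
queue E1_BCO bandwidth 2% priority 4 hfsc
queue E1_BBU bandwidth 3% priority 4 hfsc
queue E1_def bandwidth 5% priority 1 hfsc(realtime 5% upperlimit 20% default)
"""  # the ed0 tree from the mail, with $E1_speed expanded to 1Mb

if __name__ == "__main__":
    print(resolve(ED0_CONF)[1]["E1_ICM"]["bandwidth"], check(*resolve(ED0_CONF)))
```

Run against the tree above, resolve() puts E1_ICM at 2000 b/s and E1_SLO at 250 b/s, the queues the OBU/OCO rules use for ordinary lab traffic at 3750 and 7500 b/s, and the realtime curves at 432.5Kb in total, which pfctl accepts. Had the percentages been what the labels suggest (E1_ICM at 2% of the link, and so on), the realtime curves would add up to the whole link and pfctl would refuse the ruleset; if the child percentages are scaled up to their parents, realtime should stay on the few queues that genuinely need a guarantee (ICMP, DNS, interactive ssh) and the bulk queues should rely on linkshare alone.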