From owner-freebsd-pf@FreeBSD.ORG Mon Feb 9 11:06:56 2009
Date: Mon, 9 Feb 2009 11:06:56 GMT
Message-Id: <200902091106.n19B6uHw009204@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

30 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 10 08:57:21 2009
Date: Tue, 10 Feb 2009 03:40:41 -0500
From: Tom Uffner
To: freebsd-pf@freebsd.org
Subject: status of carpdev?

what happened with the effort to port "ifconfig ... carpdev ..." to
FreeBSD?

the last messages mentioning it were posted a bit more than a year ago.
if i remember correctly, there was a patch for IPv4 only. it was
considered Beta test quality and a few people were using it. but since
then i have not seen it mentioned anywhere, and nothing has been
committed.

what is the status, and is there a usable patch for 7.1?

thanks,
tom

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 12 09:26:41 2009
Date: Thu, 12 Feb 2009 04:26:26 -0500
From: Tom Uffner
To: eculp
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

eculp wrote:

> I don't remember why but for some reason I have the idea that pf+altq is
> not bidirectional.  Am I mistaken?

no solution that does not involve cooperation from your upstream
connection(s) is truly bidirectional. it is easy to limit/shape
your outbound traffic. on the other hand it is difficult if not
impossible to unilaterally control the amount or sources of inbound
data arriving at your border router(s) on its way to various
applications (mail servers, for example).

you can _pretend_ to by dropping, queuing or otherwise limiting it
once inside your network, but you cannot meaningfully prevent it from
using your downlink bandwidth and potentially crowding out other,
possibly more desirable, inbound data.

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 12 12:41:46 2009
Date: Thu, 12 Feb 2009 06:31:41 -0600
From: eculp
To: Tom Uffner
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

Quoting Tom Uffner:

> eculp wrote:
>
>> I don't remember why but for some reason I have the idea that
>> pf+altq is not bidirectional.  Am I mistaken?
>
> no solution that does not involve cooperation from your upstream
> connection(s) is truly bidirectional. it is easy to limit/shape
> your outbound traffic. on the other hand it is difficult if not
> impossible to unilaterally control the amount or sources of inbound
> data arriving at your border router(s) on its way to various
> applications (mail servers, for example).
>
> you can _pretend_ to by dropping, queuing or otherwise limiting it
> once inside your network, but you cannot meaningfully prevent it from
> using your downlink bandwidth and potentially crowding out other,
> possibly more desirable, inbound data.
>

Hi, Tom.

Thanks for responding.  As I read your answer and my question, I'm
pretty sure that I probably didn't ask the question properly.  What I
need to do is be intermediary between my upstream ISPs and my
customers and would like to control the bandwidth hogs.

Basically, I want certain outgoing traffic based on port to go to ISP1
and all other, not blocked, ports to go to the other while limiting
the available internal bandwidth to each downstream client say to 64k
if and if borrowing is possible when traffic is low, great.  I did
something like this with IPFW and dummynet maybe 6 or more years ago
and as I remember, worked and solved an immediate problem of
downstream demand not being distributed adequately or equitably.  The
major differences were connection speed and there was only one isp.

I've looked at:

http://www.openbsd.org/faq/pf/pools.html

It either doesn't do what I want or I don't understand how to make it
do what I want.
I am considering going back to IPFW and dummynet but
now that I'm using PF, I am a bit lazy to try and integrate what I
have in pf to IPFW.

Thanks for any help, advice, configuration examples, etc.

ed

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 13 07:58:00 2009
Date: Fri, 13 Feb 2009 02:57:55 -0500
From: Tom Uffner
To: eculp
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

eculp wrote:

> Thanks for responding.  As I read your answer and my question, I'm
> pretty sure that I probably didn't ask the question properly.  What I
> need to do is be intermediary between my upstream ISPs and my customers
> and would like to control the bandwidth hogs.
>
> Basically, I want certain outgoing traffic based on port to go to ISP1
> and all other, not blocked, ports to go to the other while limiting the
> available internal bandwidth to each downstream client say to 64k if
> and if borrowing is possible when traffic is low, great.  I did
> something like this with IPFW and dummynet maybe 6 or more years ago and
> as I remember, worked and solved an immediate problem of downstream
> demand not being distributed adequately or equitably.  The major
> differences were connection speed and there was only one isp.

assuming that your BSD firewall/router has separate interfaces connected
to each ISP, you can do the outgoing part of what you want several ways
in pf, with or without using altq. you could write pass...route-to rules
similar to the ones at http://www.openbsd.org/faq/pf/pools.html match
the traffic you want to go out through each ISP, or you could tag the
traffic on the way in your inside interface and use the tags to assign
it to an altq queue for the proper outbound interface.

as for rationing bandwidth to your downstream clients, there are several
reasons why it doesn't make sense, and/or why altq is not the best tool,
but it is possible.

first, the objections:

as many people have pointed out in this & other altq threads, altq has
no convenient way of splitting bandwidth by IP like dummynet. you have
to create a queue and a filter rule per address by hand which is tedious
and increasingly inefficient as the number of clients grows.

your lan border is the wrong place to try to fight bandwidth-hogs
because they have already hogged the bandwidth on the small pipe from
your provider and it is not really useful to limit them to a trickle in
the much larger pipe that is your lan.

if possible, it would be much better to convince your ISP(s) to let you
co-locate a BSD appliance to queue the traffic at their end of your WAN
link(s) where it will do much more good.

also there are a few outstanding PRs on altq at this time:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-pf/20090208.freebsd-pf

but if you choose to, the way to do it is to create an altq on your
inside interface using cbq, borrow, and bandwidth equal to the sum of
your ISP connections, then set up either a subqueue for each client, or
subqueues for each class of service, and subqueues of those for the
clients.

i've seen some mentions that it is possible to use dummynet w/ pf. i
have no idea how, but if true it might be a better option for you.
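
[Added example, not part of the original thread or of any poster's message.] The cbq layout described in the message above (one altq on the inside interface, a borrowing subqueue and filter rules per client) can be generated instead of written by hand. The interface name em1, the 3072Kb total, the queue names and the 192.0.2.x client addresses are assumptions; 64Kb is the per-client figure mentioned in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): print pf.conf ALTQ lines for one cbq
# parent on the inside interface, plus one borrowing subqueue and one pair
# of filter rules per client address.
#
# usage: gen_altq_rules IFACE TOTAL_KBIT PER_CLIENT_KBIT ADDR [ADDR ...]
# Queue names (q_default, q_custN) are hypothetical.
gen_altq_rules() {
    if [ "$#" -lt 4 ]; then
        echo "usage: gen_altq_rules IFACE TOTAL_KBIT PER_CLIENT_KBIT ADDR..." >&2
        return 1
    fi
    int_if=$1
    total_kb=$2
    per_kb=$3
    shift 3

    # The guaranteed rates of the child queues have to fit inside the parent,
    # with something left over for the mandatory default queue.
    committed=$(( $# * per_kb ))
    if [ "$committed" -ge "$total_kb" ]; then
        echo "error: $# clients x ${per_kb}Kb does not fit in ${total_kb}Kb" >&2
        return 1
    fi
    rest=$(( total_kb - committed ))

    # Queueing section: the parent altq line lists every child queue by name.
    names="q_default"
    i=0
    for addr in "$@"; do
        i=$(( i + 1 ))
        names="$names, q_cust$i"
    done
    echo "altq on $int_if cbq bandwidth ${total_kb}Kb queue { $names }"
    echo "queue q_default bandwidth ${rest}Kb cbq(default borrow)"

    # One subqueue per client; "borrow" lets it use idle parent bandwidth.
    i=0
    for addr in "$@"; do
        i=$(( i + 1 ))
        echo "queue q_cust$i bandwidth ${per_kb}Kb cbq(borrow)"
    done

    # Filter section (must come after the queue definitions in pf.conf).
    # ALTQ only queues packets leaving $int_if. The "pass in" rule covers
    # connections the client opens: the queue name is kept in the state, so
    # the replies going back out $int_if land in the client's queue. The
    # "pass out" rule covers connections opened towards the client.
    i=0
    for addr in "$@"; do
        i=$(( i + 1 ))
        echo "pass in on $int_if from $addr to any keep state queue q_cust$i"
        echo "pass out on $int_if from any to $addr keep state queue q_cust$i"
    done
}

# Constructed sample: three clients at 64Kb each behind a 3072Kb parent.
gen_altq_rules em1 3072 64 192.0.2.10 192.0.2.11 192.0.2.12
```

The output grows by one queue and two rules per address, which is the per-client overhead the message above calls tedious and increasingly inefficient.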

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 13 10:52:36 2009
Date: Fri, 13 Feb 2009 04:52:31 -0600
From: eculp
To: Tom Uffner
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

Quoting Tom Uffner:

> eculp wrote:
>> Thanks for responding.  As I read your answer and my question, I'm
>> pretty sure that I probably didn't ask the question properly.  What
>> I need to do is be intermediary between my upstream ISPs and my
>> customers and would like to control the bandwidth hogs.
>>
>> Basically, I want certain outgoing traffic based on port to go to
>> ISP1 and all other, not blocked, ports to go to the other while
>> limiting the available internal bandwidth to each downstream client
>> say to 64k if and if borrowing is possible when traffic is low,
>> great.  I did something like this with IPFW and dummynet maybe 6 or
>> more years ago and as I remember, worked and solved an immediate
>> problem of downstream demand not being distributed adequately or
>> equitably.  The major differences were connection speed and there
>> was only one isp.
>
> assuming that your BSD firewall/router has separate interfaces connected to
> each ISP, you can do the outgoing part of what you want several ways in pf,
> with or without using altq. you could write pass...route-to rules similar to
> the ones at http://www.openbsd.org/faq/pf/pools.html match the traffic you
> want to go out through each ISP, or you could tag the traffic on the way in
> your inside interface and use the tags to assign it to an altq queue for the
> proper outbound interface.
>
> as for rationing bandwidth to your downstream clients, there are several
> reasons why it doesn't make sense, and/or why altq is not the best tool,
> but it is possible.
>
> first, the objections:
>
> as many people have pointed out in this & other altq threads, altq has no
> convenient way of splitting bandwidth by IP like dummynet. you have to
> create a queue and a filter rule per address by hand which is tedious and
> increasingly inefficient as the number of clients grows.
>
> your lan border is the wrong place to try to fight bandwidth-hogs because
> they have already hogged the bandwidth on the small pipe from your provider
> and it is not really useful to limit them to a trickle in the much larger
> pipe that is your lan.
>
> if possible, it would be much better to convince your ISP(s) to let you
> co-locate a BSD appliance to queue the traffic at their end of your WAN
> link(s) where it will do much more good.
>
> also there are a few outstanding PRs on altq at this time:
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-pf/20090208.freebsd-pf
>
> but if you choose to, the way to do it is to create an altq on your inside
> interface using cbq, borrow, and bandwidth equal to the sum of your ISP
> connections, then set up either a subqueue for each client, or subqueues
> for each class of service, and subqueues of those for the clients.
>
> i've seen some mentions that it is possible to use dummynet w/ pf. i have
> no idea how, but if true it might be a better option for you.
>

Tom, thanks for confirming all that I had hoped was not true;)  I'm
going to look a bit closer at using dummynet with altq or just go back
to IPFW.

Thanks again,

ed

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 13 12:17:30 2009
Date: Fri, 13 Feb 2009 11:56:28 +0000
From: "Sam Fourman Jr."
To: Scott Ullrich
Cc: freebsd-isp@freebsd.org, david_5073@yahoo.com, Marcello Barreto,
    freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

>> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
>> to limit bandwidth per customer( say one customer (with root access)
>> per server )
>>
> There was not much to report at that point.   However, pfSense 2.0 has
> per user bandwidth ported from DragonFlyBSD.  If you would like to
> test the patch, it is located here:
> http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_1/fairq.RELENG_7.diff?rev=1.3;content-type=text%2Fplain

Does any one know if there are plans to merge dragonfly's fairq into
FreeBSD -CURRENT?

Matt, made it sound like Max was thinking about putting it in FreeBSD here:
http://archive.netbsd.se/?ml=dfbsd-kernel&a=2008-04&m=6979148

also does anyone happen to have a patch to apply NetBSD's Window scale
to FreeBSD?

Sam Fourman Jr.
Fourman Networks

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 13 15:18:45 2009
Date: Fri, 13 Feb 2009 06:51:20 -0800
From: Ermal Luçi
To: "Sam Fourman Jr."
Cc: freebsd-isp@freebsd.org, david_5073@yahoo.com, Marcello Barreto,
    freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

On Fri, Feb 13, 2009 at 3:56 AM, Sam Fourman Jr. wrote:
>>> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
>>> to limit bandwidth per customer( say one customer (with root access)
>>> per server )
>>>
>> There was not much to report at that point.   However, pfSense 2.0 has
>> per user bandwidth ported from DragonFlyBSD.  If you would like to
>> test the patch, it is located here:
>> http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_1/fairq.RELENG_7.diff?rev=1.3;content-type=text%2Fplain
>
>
> Does any one know if there are plans to merge dragonfly's fairq into
> FreeBSD -CURRENT?
>
> Matt, made it sound like Max was thinking about putting it in FreeBSD here:
> http://archive.netbsd.se/?ml=dfbsd-kernel&a=2008-04&m=6979148
>

http://snapshots.pfsense.org/FreeBSD7/HEAD/ has images of pfSense
based on FreeBSD7 which have ALTQ_FAIRQ/dummynet for pf.
If you want to go the hard way of using patches i have explained it in
another thread on the freebsd-pf list on how to get the single patches
from pfSense repository.
They are for FreeBSD 7 as of now.

> also does anyone happen to have a patch to apply NetBSD's Window scale
> to FreeBSD?

- Ermal

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 13 19:29:02 2009
Date: Fri, 13 Feb 2009 16:58:39 -0200 (BRST)
From: "Nenhum_de_Nos"
To: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

> Tom, thanks for confirming all that I had hoped was not true;)  I'm
> going to look a bit closer at using dummynet with altq or just go back
> to IPFW.

if you get to use pf+dummynet for real please broadcast. I once searched
for it but no luck in finding :)

it may help me do some things at home ;)

matheus

--
We will call you cygnus,
The God of balance you shall be