From: Tom Uffner
Date: Fri, 13 Feb 2009 02:57:55 -0500
To: eculp
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer
Message-ID: <49952803.80404@uffner.com>
In-Reply-To: <20090212063141.11024jm7bsi7shio@econet.encontacto.net>
References: <76463C1E8CB14B958088F7E54C611560@ashevchenko> <493634DA.7000408@infoweapons.com> <20081203071940.324735uokbfgyh6o@econet.encontacto.net> <4993EB42.2020503@uffner.com> <20090212063141.11024jm7bsi7shio@econet.encontacto.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

eculp wrote:
> Thanks for responding. As I read your answer and my question, I'm
> pretty sure that I probably didn't ask the question properly. What I
> need to do is be intermediary between my upstream ISPs and my customers
> and would like to control the bandwidth hogs.
>
> Basically, I want certain outgoing traffic based on port to go to ISP1
> and all other, not blocked, ports to go to the other while limiting the
> available internal bandwidth to each downstream client say to 64k, and
> if borrowing is possible when traffic is low, great. I did something
> like this with IPFW and dummynet maybe 6 or more years ago and, as I
> remember, it worked and solved an immediate problem of downstream demand
> not being distributed adequately or equitably. The major differences
> were connection speed and there was only one ISP.

assuming that your BSD firewall/router has separate interfaces connected to each ISP, you can do the outgoing part of what you want several ways in pf, with or without using altq. you could write pass...route-to rules similar to the ones at http://www.openbsd.org/faq/pf/pools.html that match the traffic you want to go out through each ISP, or you could tag the traffic on the way in on your inside interface and use the tags to assign it to an altq queue for the proper outbound interface.

as for rationing bandwidth to your downstream clients, there are several reasons why it doesn't make sense, and/or why altq is not the best tool, but it is possible.

first, the objections: as many people have pointed out in this & other altq threads, altq has no convenient way of splitting bandwidth by IP like dummynet. you have to create a queue and a filter rule per address by hand, which is tedious and increasingly inefficient as the number of clients grows.

your lan border is the wrong place to try to fight bandwidth-hogs because they have already hogged the bandwidth on the small pipe from your provider and it is not really useful to limit them to a trickle in the much larger pipe that is your lan. if possible, it would be much better to convince your ISP(s) to let you co-locate a BSD appliance to queue the traffic at their end of your WAN link(s) where it will do much more good.

also there are a few outstanding PRs on altq at this time: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-pf/20090208.freebsd-pf

but if you choose to, the way to do it is to create an altq on your inside interface using cbq, borrow, and bandwidth equal to the sum of your ISP connections, then set up either a subqueue for each client, or subqueues for each class of service, and subqueues of those for the clients.

i've seen some mentions that it is possible to use dummynet w/ pf. i have no idea how, but if true it might be a better option for you.
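The per-client cbq queue tree that the reply describes, as an added example that is not part of this thread: a POSIX sh function that generates the pf.conf fragment (a root cbq on the inside interface sized to the ISP links' total, one borrow-enabled 64Kb subqueue plus one pass-out rule per client), which takes the per-address hand work out of the approach. The interface name em1, the 4Mb root (standing for two constructed 2Mb links), the 64Kb per-client figure and the 192.0.2.0/24 client addresses are constructed placeholders, and the queue syntax is the FreeBSD 7-era altq cbq form.

```shell
#!/bin/sh
# Constructed example: emit the cbq queue tree and per-client pass rules
# described in the reply. Interface, bandwidths and addresses are made up.

# Turn an IPv4 address into a queue name pf accepts (letters, digits, _).
queue_name() {
    printf 'c_%s' "$(printf '%s' "$1" | tr '.' '_')"
}

# gen_client_queues IF ROOT_BW CLIENT_BW CLIENT_IP...
# Prints a pf.conf fragment: the altq root on the inside interface, a
# default queue, a parent "clients" queue, one child queue per client,
# and one pass-out rule per client that assigns its traffic to that queue.
gen_client_queues() {
    if_=$1; root_bw=$2; client_bw=$3
    shift 3
    names=
    for ip in "$@"; do
        names="${names:+$names, }$(queue_name "$ip")"
    done
    # Root bandwidth = sum of the ISP links; cbq needs exactly one default
    # queue, which catches anything the rules below do not classify.
    printf 'altq on %s cbq bandwidth %s queue { std, clients }\n' "$if_" "$root_bw"
    printf 'queue std bandwidth 10%% cbq(default borrow)\n'
    printf 'queue clients bandwidth 90%% cbq(borrow) { %s }\n' "$names"
    # borrow lets an idle link's capacity flow to a busy client's queue,
    # which is the "borrowing when traffic is low" the poster asked about.
    for ip in "$@"; do
        printf 'queue %s bandwidth %s cbq(borrow)\n' "$(queue_name "$ip")" "$client_bw"
    done
    echo
    # An altq on the inside interface shapes what leaves it toward the LAN,
    # so each rule matches on the client's address as the destination.
    for ip in "$@"; do
        printf 'pass out on %s inet from any to %s keep state queue %s\n' \
            "$if_" "$ip" "$(queue_name "$ip")"
    done
}

# Usage with constructed values: two 2Mb ISP links, four 64Kb clients.
gen_client_queues em1 4Mb 64Kb 192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13
```

Redirect the output into a file and run `pfctl -nf` on it first; pfctl parses without loading and reports a child bandwidth total that exceeds its parent before anything is applied to the interface.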