Date:      Thu, 19 May 2016 11:26:02 -0400
From:      Ian FREISLICH <ian.freislich@capeaugusta.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: Traffic shaping incomming traffic for all vlans
Message-ID:  <e1d2940d-e75f-7254-267e-aeb41a80e683@capeaugusta.com>
In-Reply-To: <262ED41F8198C0409ACB79946570FFCD1AA134055F@EXCHANGE.mail.starnet.cz>
References:  <262ED41F8198C0409ACB79946570FFCD1AA134055F@EXCHANGE.mail.starnet.cz>

On 05/19/16 05:48, Radek Krejča wrote:
> I have a FreeBSD router with pf for NAT and firewall. There are 2 NICs, one for incoming traffic from the internet and a second for traffic to clients. On the internal NIC there are a lot of VLANs.
>
> I need to make traffic shaping for all users based on src ip from the internet. But I have a problem, it doesn't work.
>
> Working rule for blocking all traffic is:
>
> block quick proto { tcp, udp } from 192.168.52.0/24
>
> but the same rule with the external NIC doesn't match: block quick on $ext_if proto { tcp, udp } from 192.168.52.0/24
> Why?
Remember that with PF the *last* rule to match wins and that the state
table is checked *before* rules are evaluated.  If there is a state,
rules won't be checked.  If there is a later rule that allows the
traffic that rule will be used.  The quick modifier prevents further
evaluation of rules, but if you're using quick all over the place
perhaps an earlier rule allows the traffic.  Unless you set
'state-policy if-bound' the default state-policy of floating will apply
and then any rule that matches allowing traffic into an interface will
result in matching state that will allow the traffic out of another
interface without the rules being checked.
> And second problem - how to set up (on which interface) altq queues?

The trouble with pf's bandwidth management is that it relies on state to
apply traffic flows to a queue.  While this is nice in some respects
I've always had trouble implementing traffic rates in specific
directions.  What happens is that you can only assign a rate to a class
of traffic, i.e. www gets 10Mbps total for traffic in both directions.  In
the end I used PF for packet filtering and ipfw + dummynet for bandwidth
management.

I'd suggest to carefully read the 'QUEUEING' section in pf.conf(5) and
if you can't make it work post your rules.

Ian

-- 
Ian Freislich
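A minimal pf.conf that puts the three points above (state table checked before rules, last match wins, floating vs. if-bound state) into one ruleset. This is an added example, not part of the thread; the interface names em0 and vlan52, the queue names and the 100Mb/10Mb figures are assumptions for illustration, and 192.168.52.0/24 is the subnet from the original question.

```conf
ext_if  = "em0"              # assumed: NIC facing the Internet
vlan_if = "vlan52"           # assumed: one VLAN on the internal NIC
net52   = "192.168.52.0/24"  # subnet from the original question

# The default state-policy is floating: the 'pass in on vlan52' below
# creates a state that also matches the same packet when it leaves on
# $ext_if, so 'block quick on $ext_if' is never consulted for it.
# if-bound ties each state to the interface it was created on, so the
# packet is evaluated against the rules again on $ext_if.
set state-policy if-bound

# ALTQ queues are defined on the interface the packets leave through.
# A queue gives a bandwidth to a class of traffic, not to a direction.
altq on $ext_if cbq bandwidth 100Mb queue { q_default, q_net52 }
queue q_default bandwidth 90Mb cbq(default)
queue q_net52   bandwidth 10Mb cbq

# Evaluation order: the state table is consulted first, then rules top
# to bottom with the last match winning, and 'quick' stops evaluation.
# A 'block quick' without 'on' is evaluated on every interface, including
# vlan52 inbound where no state exists yet, which is why the original
# poster's interface-less rule matched while the $ext_if one did not.
# (Left commented out so the shaping rules below can be reached.)
#block quick proto { tcp udp } from $net52

# Inbound on the VLAN: creates an if-bound state for vlan52 only.
pass in  on $vlan_if proto { tcp udp } from $net52 keep state

# Outbound on the external NIC: evaluated again because the vlan52 state
# does not float; this rule creates the $ext_if state and assigns the
# flow to the 10Mb queue.
pass out on $ext_if proto { tcp udp } from $net52 keep state queue q_net52
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then inspect the result with `pfctl -ss` (states, showing the bound interface) and `pfctl -vsq` (queue counters).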
