From owner-freebsd-pf@FreeBSD.ORG Mon Feb 20 11:02:44 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 20 Feb 2006 11:02:43 GMT
Message-Id: <200602201102.k1KB2h0i083639@freefall.freebsd.org>
Subject: Current problem reports assigned to you
List-Id: "Technical discussion and general questions about packet filter (pf)"

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370     pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530  pf    Incorrect checksums when using pf's route

5 problems total.

Non-critical problems

S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09] kern/90148     pf    [pf] pf_enable="YES" -> Fatal trap 12: pa

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 12:44:29 2006
From: Tiago Cruz
To: freebsd-pf@FreeBSD.org
Date: Wed, 22 Feb 2006 09:44:25 -0300
Message-Id: <1140612265.5617.25.camel@localhost.localdomain>
Subject: Dirty NAT tricks
Hello guys,

Following this link: http://www.nimlabs.org/~nim/dirtynat.html

I learned that I can do some "dirty NAT tricks" with my firewall to handle
this:

"You have a corporate LAN. You want to set up a VPN (in this case OpenVPN)
into the LAN for your road-warriors. However, your LAN is numbered with one
of the very common private subnets, such as 192.168/16. Your road-warriors
often get addresses in the same private subnet from their coffee-shops, and
this breaks things horribly."

So... how can I manage the PREROUTING and POSTROUTING rules in PF?

  iptables -v -t nat -A PREROUTING  -d 192.168.8.0/24 -j NETMAP --to 10.22.8.0/24
  iptables -v -t nat -A PREROUTING  -i tap0 -d 10.22.0.0/16 -j NETMAP --to 192.168.0.0/16
  iptables -v -t nat -A POSTROUTING -o tap0 -s 192.168.0.0/16 -j NETMAP --to 10.22.0.0/16
  iptables -v -t nat -A POSTROUTING -o eth0 -s 10.22.0.0/16 -j NETMAP --to 192.168.0.0/16

Thank you!

--
Tiago Cruz
http://linuxrapido.org

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 13:26:50 2006
From: "Greg Hennessy"
Date: Wed, 22 Feb 2006 13:26:53 -0000
Message-ID: <000001c637b3$a54b0a70$0a00a8c0@thebeast>
In-Reply-To: <1140612265.5617.25.camel@localhost.localdomain>
Subject: RE: Dirty NAT tricks

How is this a problem? Surely the default route is through the tunnel
interface when the tunnel is up?

I fail to see how this 'breaks things horribly'.

> "You have a corporate LAN. You want to set up a VPN (in this case
> OpenVPN) into the LAN for your road-warriors. However, your
> LAN is numbered with one of the very common private subnets,
> such as 192.168/16. Your road-warriors often get addresses in
> the same private subnet from their coffee-shops, and this
> breaks things horribly."
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 13:57:37 2006
From: Tiago Cruz
To: freebsd-pf@FreeBSD.org
Date: Wed, 22 Feb 2006 10:57:34 -0300
Message-Id: <1140616654.5617.35.camel@localhost.localdomain>
In-Reply-To: <000001c637b3$a54b0a70$0a00a8c0@thebeast>
Subject: RE: Dirty NAT tricks

On Wed, 2006-02-22 at 13:26 +0000, Greg Hennessy wrote:
> How is this a problem? Surely the default route is through the tunnel
> interface when the tunnel is up?
>
> I fail to see how this 'breaks things horribly'.

The problem is described in more detail here:
http://lists.freebsd.org/pipermail/freebsd-net/2006-February/009645.html

What happens? If my network is 192.168.0.0/22 and the network for my
client is 192.168.0.0/24, for example, the network does not work :-(

So, I need to do some "dirty NAT trick" in PF and I would like your
help...
Thank you!

--
Tiago Cruz
http://linuxrapido.org

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 14:46:05 2006
From: "Greg Hennessy"
Date: Wed, 22 Feb 2006 14:42:12 -0000
Message-ID: <000001c637be$2a676190$0a00a8c0@thebeast>
In-Reply-To: <1140616654.5617.35.camel@localhost.localdomain>
Subject: RE: Dirty NAT tricks

Have you tried adding a /32 route to the remote end through the tunnel
interface?

> The problem is described in more detail here:
> http://lists.freebsd.org/pipermail/freebsd-net/2006-February/009645.html
>
> What happens? If my network is 192.168.0.0/22 and the network
> for my client is 192.168.0.0/24, for example, the network does
> not work :-(
>
> So, I need to do some "dirty NAT trick" in PF and I would
> like your help...
>
> Thank you!
>
> --
> Tiago Cruz
> http://linuxrapido.org

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 15:08:04 2006
From: Dimitry Andric
To: Tiago Cruz
Cc: freebsd-pf@FreeBSD.org
Date: Wed, 22 Feb 2006 16:07:58 +0100
Message-ID: <43FC7E4E.1070103@andric.com>
In-Reply-To: <1140612265.5617.25.camel@localhost.localdomain>
Subject: Re: Dirty NAT tricks
Tiago Cruz wrote:
> Following this link: http://www.nimlabs.org/~nim/dirtynat.html
> I learned that I can do some "dirty NAT tricks" with my firewall to
> handle this:

Read pf.conf(5), especially the parts about binat. This is probably what
you want.
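As an added example (not code from anyone on this thread), here is the binat form of Tiago's four NETMAP rules. It assumes tap0 is the OpenVPN interface and em0 the LAN interface, that road-warriors get tunnel addresses in 10.22.8.0/24, that 192.168.8.0/24 is not used on the real LAN, and that OpenVPN pushes the clients a route for 10.22.0.0/16 instead of 192.168.0.0/16:

```pf
# Added example, not from the thread. Interface names and the road-warrior
# tunnel range are assumptions; the prefixes come from Tiago's iptables rules.
vpn_if    = "tap0"            # OpenVPN interface
lan_if    = "em0"             # corporate LAN interface
lan_net   = "192.168.0.0/16"  # real LAN numbering (collides with coffee-shop LANs)
lan_alias = "10.22.0.0/16"    # what road-warriors use to reach the LAN
vpn_net   = "10.22.8.0/24"    # road-warrior tunnel addresses
vpn_alias = "192.168.8.0/24"  # how LAN hosts reach the road-warriors

# Tunnel side (iptables rules 2 and 3). binat is bidirectional: a packet
# leaving tap0 from 192.168.x.y has its source rewritten to 10.22.x.y, and a
# packet arriving on tap0 for 10.22.x.y has its destination rewritten back
# to 192.168.x.y. Host bits are preserved, as with NETMAP.
binat on $vpn_if from $lan_net to any -> $lan_alias

# LAN side (iptables rules 1 and 4). Both netblocks of a binat rule must be
# the same size, so the /16 of rule 4 is narrowed to the /24 that is
# actually in use: 10.22.8.z leaving em0 becomes 192.168.8.z, and
# 192.168.8.z arriving on em0 becomes 10.22.8.z.
binat on $lan_if from $vpn_net to any -> $vpn_alias

# Filter rules match the packet after translation: inbound rules see the
# translated destination, outbound rules the translated source. Only the
# mapped prefixes are allowed through the tunnel.
pass in  on $vpn_if from $vpn_net   to $lan_net keep state   # road-warrior -> LAN
pass out on $lan_if from $vpn_alias to $lan_net keep state
pass in  on $lan_if from $lan_net   to $vpn_net keep state   # LAN -> road-warrior
pass out on $vpn_if from $lan_alias to $vpn_net keep state
```

Syntax-check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; pf's parser rejects a binat rule whose two netblocks differ in size.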
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 17:29:18 2006
From: Christopher McGee
To: freebsd-pf@freebsd.org
Date: Wed, 22 Feb 2006 12:29:07 -0500
Message-ID: <43FC9F63.5070009@xecu.net>
Subject: Hfsc configuration problems

I've been trying to get hfsc working properly, but I'm obviously doing
something wrong because I keep getting errors like this:

  pfctl: link-sharing sc exceeds parent's sc

Here's my current configuration:

  altq on $ext_if bandwidth 100Mb hfsc queue { queue1, queue2, queue3 }
  queue queue1 bandwidth 500Kb priority 7 hfsc(realtime 128Kb red)
  queue queue2 { queue2_1, queue2_2, queue2_3, queue2_4, queue2_5 }
    queue queue2_1 priority 5 hfsc(realtime 3Mb linkshare 100% default red)
    queue queue2_2 bandwidth 1.5Mb priority 3 hfsc(red)
    queue queue2_3 bandwidth 1Mb hfsc(red)
    queue queue2_4 bandwidth 4Mb hfsc(red)
    queue queue2_5 priority 3 hfsc(linkshare 100% red)
  queue queue3 { queue3_1, queue3_2 }
    queue queue3_1 hfsc(linkshare 100% red)
    queue queue3_2 hfsc(linkshare 100% red)

I've given some minimum bandwidth to queues. I want queue2_1, 2_5, 3_1,
3_2 to be able to utilize all of the spare bandwidth when they need it.
I've read over the man pages; however, documentation on hfsc seems
fairly limited.
Chris

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 17:34:59 2006
From: Tiago Cruz
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Wed, 22 Feb 2006 14:34:50 -0300
Message-Id: <1140629690.4852.4.camel@localhost.localdomain>
In-Reply-To: <000001c637be$2a676190$0a00a8c0@thebeast>
Subject: RE: Dirty NAT tricks

On Wed, 2006-02-22 at 14:42 +0000, Greg Hennessy wrote:
> Have you tried adding a /32 route to the remote end through the tunnel
> interface?

Yes, the route is like this:

  route delete 10.8.0.0 &> /dev/null
  route add -net 10.8.0.0 -netmask 255.255.255.0 192.168.0.253 &>/dev/null

192.168.0.253 is my CARP backup firewall...

Thank you!
--
Tiago Cruz
http://linuxrapido.org

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 17:57:40 2006
From: "Jon Simola"
To: "Christopher McGee"
Cc: freebsd-pf@freebsd.org
Date: Wed, 22 Feb 2006 09:57:26 -0800
Message-ID: <8eea04080602220957v46f9d11ev2544e8cbe893365d@mail.gmail.com>
In-Reply-To: <43FC9F63.5070009@xecu.net>
Subject: Re: Hfsc configuration problems

On 2/22/06, Christopher McGee wrote:
> I've been trying to get hfsc working properly, but I'm obviously doing
> something wrong because I keep getting errors like this:
>
> pfctl: link-sharing sc exceeds parent's sc

Yeah, the percentages in link-sharing are calculated against the
physical interface, but bandwidth is against the parent queue (usually).

Here's my working sample, which does not make any great sense either.
I had just started playing with upperlimit, which should be settable
on multiple queues.

  # backbone queueing
  altq on em0 hfsc bandwidth 100Mb queue { q_em0_high, q_em0_high_bulk, q_em0_med, q_em0_med_bulk, q_em0_low, q_em0_low_bulk }
  queue q_em0_high      bandwidth 10% hfsc(linkshare 1%) priority 7
  queue q_em0_high_bulk bandwidth 40% hfsc(linkshare 4%) priority 6
  queue q_em0_med       bandwidth 10% hfsc(linkshare 1%) priority 5
  queue q_em0_med_bulk  bandwidth 20% hfsc(linkshare 2%) priority 4
  queue q_em0_low       bandwidth 10% hfsc(linkshare 1%) priority 1
  queue q_em0_low_bulk  bandwidth 10% hfsc(linkshare 1% default) priority 0

  # vlan trunk queueing
  altq on em1 hfsc(ecn upperlimit 500Mb) queue { q_cust, q_dmz }
  queue q_cust hfsc(ecn realtime 2Mb upperlimit 40Mb) \
      { q_cust_h, q_cust_hb, q_cust_m, q_cust_mb, q_cust_l, q_cust_lb }
  queue q_cust_h  bandwidth 10% hfsc(linkshare 1%) priority 5
  queue q_cust_hb bandwidth 40% hfsc(linkshare 4%) priority 4
  queue q_cust_m  bandwidth 10% hfsc(linkshare 1%) priority 4
  queue q_cust_mb bandwidth 20% hfsc(linkshare 2%) priority 2
  queue q_cust_l  bandwidth 10% hfsc(linkshare 1%) priority 1
  queue q_cust_lb bandwidth 5%  hfsc(linkshare 1% default) priority 0
  queue q_dmz hfsc(ecn realtime 50Mb upperlimit 90Mb) \
      { q_dmz_h, q_dmz_hb, q_dmz_l, q_dmz_lb }
  queue q_dmz_h  bandwidth 10% hfsc(linkshare 5%) priority 7
  queue q_dmz_hb bandwidth 40% hfsc(linkshare 10%) priority 4
  queue q_dmz_l  bandwidth 10% hfsc(linkshare 2%) priority 3
  queue q_dmz_lb bandwidth 20% hfsc(linkshare 5%) priority 0

--
Jon Simola
Systems Administrator
ABC Communications
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 18:04:49 2006
From: Christopher McGee
To: Jon Simola
Cc: freebsd-pf@freebsd.org
Date: Wed, 22 Feb 2006 13:04:40 -0500
Message-ID: <43FCA7B8.3090300@xecu.net>
In-Reply-To: <8eea04080602220957v46f9d11ev2544e8cbe893365d@mail.gmail.com>
Subject: Re: Hfsc configuration problems

Jon Simola wrote:
> On 2/22/06, Christopher McGee wrote:
>> I've been trying to get hfsc working properly, but I'm obviously doing
>> something wrong because I keep getting errors like this:
>>
>> pfctl: link-sharing sc exceeds parent's sc
>
> Yeah, the percentages in link-sharing are calculated against the
> physical interface, but bandwidth is against the parent queue
> (usually).
>
> Here's my working sample, which does not make any great sense either.
> I had just started playing with upperlimit, which should be settable
> on multiple queues.
>
> [...]

I can move the queues to 1 level. I've even tried. It seems the
problem has something to do with allowing multiple queues to have 90 or
100% linkshare. This is where I'm stuck because I'm just not sure how
to make multiple queues all share the same pool without doing it that way.

Chris
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 18:42:20 2006
From: "Bill Marquette"
To: "Christopher McGee"
Cc: freebsd-pf@freebsd.org, Jon Simola
Date: Wed, 22 Feb 2006 12:42:17 -0600
Message-ID: <55e8a96c0602221042re25f819g1e3815384c022590@mail.gmail.com>
In-Reply-To: <43FCA7B8.3090300@xecu.net>
Subject: Re: Hfsc configuration problems

On 2/22/06, Christopher McGee wrote:
> Jon Simola wrote:
>> On 2/22/06, Christopher McGee wrote:
>>> I've been trying to get hfsc working properly, but I'm obviously doing
>>> something wrong because I keep getting errors like this:
>>>
>>> pfctl: link-sharing sc exceeds parent's sc
>>
>> Yeah, the percentages in link-sharing are calculated against the
>> physical interface, but bandwidth is against the parent queue
>> (usually).
>>
>> Here's my working sample, which does not make any great sense either.
>> I had just started playing with upperlimit, which should be settable
>> on multiple queues.
>>
>> [...]
>
> I can move the queues to 1 level. I've even tried. It seems the
> problem has something to do with allowing multiple queues to have 90 or
> 100% linkshare. This is where I'm stuck because I'm just not sure how
> to make multiple queues all share the same pool without doing it that way.

Yeah, the link share percentages need to add up to less than 100%.
Upperlimit is what you want to set; I've never managed to get linkshare
to do anything (apparently) useful.

--Bill
(24.89.24.13) by mss2.myactv.net with SMTP; 22 Feb 2006 19:06:53 -0000 Message-ID: <43FCB645.5000508@xecu.net> Date: Wed, 22 Feb 2006 14:06:45 -0500 From: Christopher McGee User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Bill Marquette References: <43FC9F63.5070009@xecu.net> <8eea04080602220957v46f9d11ev2544e8cbe893365d@mail.gmail.com> <43FCA7B8.3090300@xecu.net> <55e8a96c0602221042re25f819g1e3815384c022590@mail.gmail.com> In-Reply-To: <55e8a96c0602221042re25f819g1e3815384c022590@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org, Jon Simola Subject: Re: Hfsc configuration problems X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2006 19:07:04 -0000 Bill Marquette wrote: >On 2/22/06, Christopher McGee wrote: > > >>Jon Simola wrote: >> >> >> >>>On 2/22/06, Christopher McGee wrote: >>> >>> >>> >>> >>>>I've been trying to get hfsc working properly, but I'm obviously doing >>>>something wrong because I keep getting errors like this: >>>> >>>>pfctl: link-sharing sc exceeds parent's sc >>>> >>>> >>>> >>>> >>>Yeah, the percentages in link-sharing are calculated against the >>>physical interface, but bandwidth is against the parent queue >>>(usually). >>> >>>Here's my working sample, which does not make any great sense either. >>>I had just started playing with upperlimit, which should be settable >>>on multiple queues. 
>>> >>># backbone queueing >>>altq on em0 hfsc bandwidth 100Mb queue { q_em0_high, q_em0_high_bulk, >>>q_em0_med, q_em0_med_bulk, q_em0_low, q_em0_low_bulk } >>>queue q_em0_high bandwidth 10% hfsc(linkshare 1%) priority 7 >>>queue q_em0_high_bulk bandwidth 40% hfsc(linkshare 4%) priority 6 >>>queue q_em0_med bandwidth 10% hfsc(linkshare 1%) priority 5 >>>queue q_em0_med_bulk bandwidth 20% hfsc(linkshare 2%) priority 4 >>>queue q_em0_low bandwidth 10% hfsc(linkshare 1%) priority 1 >>>queue q_em0_low_bulk bandwidth 10% hfsc(linkshare 1% default) priority 0 >>> >>># vlan trunk queueing >>>altq on em1 hfsc(ecn upperlimit 500Mb) queue { q_cust, q_dmz } >>>queue q_cust hfsc(ecn realtime 2Mb upperlimit 40Mb ) \ >>> { q_cust_h, q_cust_hb, q_cust_m, q_cust_mb, q_cust_l, q_cust_lb } >>>queue q_cust_h bandwidth 10% hfsc(linkshare 1%) priority 5 >>>queue q_cust_hb bandwidth 40% hfsc(linkshare 4%) priority 4 >>>queue q_cust_m bandwidth 10% hfsc(linkshare 1%) priority 4 >>>queue q_cust_mb bandwidth 20% hfsc(linkshare 2%) priority 2 >>>queue q_cust_l bandwidth 10% hfsc(linkshare 1%) priority 1 >>>queue q_cust_lb bandwidth 5% hfsc(linkshare 1% default) priority 0 >>>queue q_dmz hfsc(ecn realtime 50Mb upperlimit 90Mb) \ >>> { q_dmz_h, q_dmz_hb, q_dmz_l, q_dmz_lb } >>>queue q_dmz_h bandwidth 10% hfsc(linkshare 5%) priority 7 >>>queue q_dmz_hb bandwidth 40% hfsc(linkshare 10%) priority 4 >>>queue q_dmz_l bandwidth 10% hfsc(linkshare 2%) priority 3 >>>queue q_dmz_lb bandwidth 20% hfsc(linkshare 5% ) priority 0 >>> >>> >>> >>> >>> >>> >>>>Here's my current configuration: >>>> >>>>altq on $ext_if bandwidth 100Mb hfsc queue { queue1, queue2, queue3 } >>>>queue queue1 bandwidth 500Kb priority 7 hfsc(realtime 128Kb red) >>>>queue queue2 { queue2_1, queue2_2, queue2_3, queue2_4, queue2_5 } >>>> queue queue2_1 priority 5 hfsc(realtime 3Mb linkshare 100% default red) >>>> queue queue2_2 bandwidth 1.5Mb priority 3 hfsc(red) >>>> queue queue2_3 bandwidth 1Mb hfsc(red) >>>> queue queue2_4 
bandwidth 4Mb hfsc(red) >>>> queue queue2_5 priority 3 hfsc(linkshare 100% red) >>>>queue queue3 { queue3_1, queue3_2 } >>>> queue queue3_1 hfsc(linkshare 100% red) >>>> queue queue3_2 hfsc(linkshare 100% red) >>>> >>>>I've given some minimum bandwidth to queues. I want queue2_1, 2_5, 3_1, >>>>3_2 to be able to utilize all of the spare bandwidth when they need it. >>>>I've read over the man pages, however, documentation on hfsc seems >>>>fairly limited. >>>> >>>>Chris >>>>_______________________________________________ >>>>freebsd-pf@freebsd.org mailing list >>>>http://lists.freebsd.org/mailman/listinfo/freebsd-pf >>>>To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >>>> >>>> >>>> >>>> >>>> >>I can move the queues to 1 level. I've even tried. It seems the >>problem has something to do with allowing multiple queues to have 90 or >>100% linkshare. This is where I'm stuck because I'm just not sure how >>to make multiple queues all share the same pool without doing it that way. >> >> > >Yeah, the link share percentages need to add up to less than 100%. >Upperlimit is what you want to set, I've never managed to get >linkshare to do anything (apparently) useful. > >--Bill > > I might be going about this the wrong way, but, this is ultimately what I'm trying to do. One queue has guaranteed 3Mb, another has a guaranteed 4Mb, another has 3Mb guarantee, which leaves about 90Mb as a pool for all of them. If they are backlogged, I want the first 2 queues to be able to utilize the entire 90Mb, and the 3rd queue should be able to utilize about 25Mb of it. This is a simplified example of what I sent earlier. But if I can do this, I can accomplish what I'm trying to and build off it later. 
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 19:57:34 2006
Message-ID: <8eea04080602221157h18555b9bxc2719b5a12f7362a@mail.gmail.com>
Date: Wed, 22 Feb 2006 11:57:29 -0800
From: "Jon Simola"
To: "Christopher McGee"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <43FCB645.5000508@xecu.net>
Subject: Re: Hfsc configuration problems

On 2/22/06, Christopher McGee wrote:
> I might be going about this the wrong way, but, this is ultimately what
> I'm trying to do. One queue has guaranteed 3Mb, another has a
> guaranteed 4Mb, another has 3Mb guarantee, which leaves about 90Mb as a
> pool for all of them. If they are backlogged, I want the first 2 queues
> to be able to utilize the entire 90Mb, and the 3rd queue should be able
> to utilize about 25Mb of it. This is a simplified example of what I
> sent earlier. But if I can do this, I can accomplish what I'm trying to
> and build off it later.

If you're guaranteeing bandwidth allocation, then you want realtime,
and probably avoid the bandwidth declarations which are not quite the
same. HFSC is not trivial to get your head wrapped around and is
poorly documented because of that. It took me reading the man pages
and the PF guide several times over a couple months to get it
together.

Another example for you to peruse:

queue q_dmz hfsc(ecn realtime 50Mb upperlimit 90Mb) \
    { q_dmz_h, q_dmz_hb, q_dmz_l, q_dmz_lb }
queue q_dmz_h hfsc(realtime 10% upperlimit 90%) priority 7
queue q_dmz_hb hfsc(realtime 20% upperlimit 90%) priority 4
queue q_dmz_l hfsc(realtime 5% upperlimit 90%) priority 3
queue q_dmz_lb hfsc(realtime 10% upperlimit 90%) priority 0

Leave out the linkshare and bandwidth, just use realtime and
upperlimit. And the priority of the queues matters, in the above each
of the queues can go as high as 81Mb (90% of 90Mb) but if more than
one tries to go above 45Mb, the one with the higher priority gets
first chance at available bandwidth. Linkshare is another override; in
the above it is easily possible that the q_dmz_lb queue will get quite
backlogged as it gets last chance, adding linkshare would allow it to
bypass the priorities of the other queues. You may not want to even
use priorities, using just realtime and upperlimit is probably a lot
easier for your simplified example.

Using the service curves is even more complex. This is all based on my
experience and research, so it may not be correct, but it's the
explanation that I use.

--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 22:00:17 2006
Message-ID: <43FCDEE7.2010802@xecu.net>
Date: Wed, 22 Feb 2006 17:00:07 -0500
From: Christopher McGee
To: Jon Simola
Cc: freebsd-pf@freebsd.org
In-Reply-To: <8eea04080602221157h18555b9bxc2719b5a12f7362a@mail.gmail.com>
Subject: Re: Hfsc configuration problems

Jon Simola wrote:
> On 2/22/06, Christopher McGee wrote:
> > I might be going about this the wrong way, but, this is ultimately what
> > I'm trying to do. One queue has guaranteed 3Mb, another has a
> > guaranteed 4Mb, another has 3Mb guarantee, which leaves about 90Mb as a
> > pool for all of them. If they are backlogged, I want the first 2 queues
> > to be able to utilize the entire 90Mb, and the 3rd queue should be able
> > to utilize about 25Mb of it. This is a simplified example of what I
> > sent earlier. But if I can do this, I can accomplish what I'm trying to
> > and build off it later.
>
> If you're guaranteeing bandwidth allocation, then you want realtime,
> and probably avoid the bandwidth declarations which are not quite the
> same. HFSC is not trivial to get your head wrapped around and is
> poorly documented because of that. It took me reading the man pages
> and the PF guide several times over a couple months to get it
> together.
>
> Another example for you to peruse:
>
> queue q_dmz hfsc(ecn realtime 50Mb upperlimit 90Mb) \
>     { q_dmz_h, q_dmz_hb, q_dmz_l, q_dmz_lb }
> queue q_dmz_h hfsc(realtime 10% upperlimit 90%) priority 7
> queue q_dmz_hb hfsc(realtime 20% upperlimit 90%) priority 4
> queue q_dmz_l hfsc(realtime 5% upperlimit 90%) priority 3
> queue q_dmz_lb hfsc(realtime 10% upperlimit 90%) priority 0
>
> Leave out the linkshare and bandwidth, just use realtime and
> upperlimit. And the priority of the queues matters, in the above each
> of the queues can go as high as 81Mb (90% of 90Mb) but if more than
> one tries to go above 45Mb, the one with the higher priority gets
> first chance at available bandwidth. Linkshare is another override; in
> the above it is easily possible that the q_dmz_lb queue will get quite
> backlogged as it gets last chance, adding linkshare would allow it to
> bypass the priorities of the other queues. You may not want to even
> use priorities, using just realtime and upperlimit is probably a lot
> easier for your simplified example.
>
> Using the service curves is even more complex. This is all based on my
> experience and research, so it may not be correct, but it's the
> explanation that I use.
>
> --
> Jon Simola
> Systems Administrator
> ABC Communications

This information is very helpful. Here is my modified configuration;
unfortunately it still gets the same errors:

altq on $ext_if bandwidth 100Mb hfsc queue { high_pri, med_pri, junk }
queue high_pri hfsc(realtime 128Kb upperlimit 500Kb red) priority 7
queue med_pri hfsc(realtime 5Mb upperlimit 99% default ecn red) priority 5
queue junk hfsc(upperlimit 95% red)

Just to clarify what I'm trying to do... I'm trying to guarantee 128K
for high_pri stuff (ssh, carp, etc.) and allow up to 500K for it. Other
services, like web traffic etc., fall in med_pri, which gets 5Mb all
the time but can use up to 99Mb. All other traffic, like cvsup, ftp,
etc., will get no guarantees, but can use up to 95Mb if it's
available. From all my reading, this seems correct but I still get the
parent sc errors.

Chris

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 23:18:54 2006
Message-ID: <8eea04080602221518x34da8bds88b713282ba52c74@mail.gmail.com>
Date: Wed, 22 Feb 2006 15:18:41 -0800
From: "Jon Simola"
To: "Christopher McGee"
In-Reply-To: <43FCDEE7.2010802@xecu.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Hfsc configuration problems

On 2/22/06, Christopher McGee wrote:
> Jon Simola wrote:
> > [...]
>
> This information is very helpful. Here is my modified configuration;
> unfortunately it still gets the same errors:
>
> altq on $ext_if bandwidth 100Mb hfsc queue { high_pri, med_pri, junk }
> queue high_pri hfsc(realtime 128Kb upperlimit 500Kb red) priority 7
> queue med_pri hfsc(realtime 5Mb upperlimit 99% default ecn red) priority 5
> queue junk hfsc(upperlimit 95% red)

Yet this compiles fine on my 5.3-STABLE box:

# pfctl -vvnAf test.pf
altq on em0 hfsc bandwidth 100Mb tbrsize 12000 queue { high_pri med_pri junk }
queue high_pri bandwidth 1% priority 7 hfsc( red realtime 128Kb upperlimit 500Kb )
queue med_pri bandwidth 1% priority 5 hfsc( red ecn default realtime 5Mb upperlimit 99% )
queue junk bandwidth 1% hfsc( red upperlimit 95% )

And a related sillier config on an OpenBSD 3.8 box (bandwidth 0%):

# pfctl -vvnAf test.pf
altq on em0 hfsc bandwidth 100Mb tbrsize 12000 queue { high_pri med_pri junk }
queue high_pri bandwidth 0 b priority 7 hfsc( red realtime 128Kb upperlimit 500Kb )
queue med_pri bandwidth 0 b priority 5 hfsc( red ecn default realtime 5Mb upperlimit 99% )
queue junk bandwidth 0 b hfsc( red upperlimit 95% )

> Just to clarify what I'm trying to do... I'm trying to guarantee 128K
> for high_pri stuff (ssh, carp, etc.) and allow up to 500K for it. Other
> services, like web traffic etc., fall in med_pri, which gets 5Mb all
> the time but can use up to 99Mb. All other traffic, like cvsup, ftp,
> etc., will get no guarantees, but can use up to 95Mb if it's
> available. From all my reading, this seems correct but I still get the
> parent sc errors.

For some reason adding bandwidth lets it compile. I've got no idea what
that actually will do (non-sensical numbers). If you use some sensible
numbers for bandwidth and specify the realtime/upperlimit for hfsc, I'd
certainly be interested to hear how it goes for you.

--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 23 00:40:25 2006
Message-ID: <55e8a96c0602221640u24a58694mf644c0948e16f354@mail.gmail.com>
Date: Wed, 22 Feb 2006 18:40:22 -0600
From: "Bill Marquette"
To: "Jon Simola"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <8eea04080602221157h18555b9bxc2719b5a12f7362a@mail.gmail.com>
Subject: Re: Hfsc configuration problems

On 2/22/06, Jon Simola wrote:
> Leave out the linkshare and bandwidth, just use realtime and
> upperlimit. And the priority of the queues matters, in the above each
> of the queues can go as high as 81Mb (90% of 90Mb) but if more than
> one tries to go above 45Mb, the one with the higher priority gets
> first chance at available bandwidth. Linkshare is another override; in
> the above it is easily possible that the q_dmz_lb queue will get quite
> backlogged as it gets last chance, adding linkshare would allow it to
> bypass the priorities of the other queues. You may not want to even
> use priorities, using just realtime and upperlimit is probably a lot
> easier for your simplified example.

Interesting, priority works if you don't use linkshare? I'll give that
a shot! Thanks for the info.

--Bill
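Editor's note: the admission checks this thread keeps tripping over can be rehearsed without a pf kernel. The script below is an added example written for this archive page, not code from the thread and not pfctl's source. It parses the altq/queue lines quoted above into a flat HFSC model (only the m2 rate of each service curve, no m1/d two-piece curves) and applies the checks as I recall them from pfctl's HFSC evaluation; the exact rule set and the 80% real-time reservation are assumptions to confirm against your own pfctl. Following Jon's observation, realtime/linkshare/upperlimit percentages are resolved against the interface bandwidth while `bandwidth` percentages are resolved against the parent queue. On Chris's first configuration it reproduces "link-sharing sc exceeds parent's sc" at queue2_1: queue2 declares no bandwidth, so its link-share curve is zero and children asking for 100% cannot fit under it. Jon's `pfctl -vvnAf` output passes, as does a realtime/upperlimit rendering of Chris's 3Mb/4Mb/3Mb goal (my rendering, not one posted in the thread; the queue names q_first, q_second, q_third are invented).

```python
"""Flat-rate model of the HFSC admission checks behind the errors in this thread.
Added example; rules mirror pfctl's HFSC evaluation as I recall it (one m2 rate
per curve, no m1/d pieces), so treat the thresholds as assumptions."""
import re

UNITS = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}
RT_SHARE = 0.80   # assumed: real-time curves may claim at most 80% of the interface


def parse_bw(spec, ref_bps):
    """'1.5Mb', '500Kb' or '40%' -> bits/s; a percentage is taken of ref_bps."""
    spec = spec.strip()
    if spec.endswith("%"):
        return float(spec[:-1]) * ref_bps / 100.0
    m = re.fullmatch(r"([0-9.]+)\s*([KMG]?b)", spec)
    if not m:
        raise ValueError("bad bandwidth spec: " + spec)
    return float(m.group(1)) * UNITS[m.group(2).lower()]


def parse_queues(conf):
    """altq/queue lines -> (interface bandwidth, top-level names, {name: spec}).
    Keeps only what the model needs: bandwidth, children and hfsc(...) rates."""
    conf = conf.replace("\\\n", " ")                      # join continued lines
    ifbw, root_kids, queues = 0.0, [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.search(r"\{([^}]*)\}", line)
        kids = [k for k in re.split(r"[\s,]+", m.group(1)) if k] if m else []
        bw = re.search(r"\bbandwidth\s+(\S+)", line)
        m = re.search(r"hfsc\(([^)]*)\)", line)
        opts = dict(re.findall(r"(realtime|linkshare|upperlimit)\s+(\S+)", m.group(1))) if m else {}
        if line.startswith("altq"):
            ifbw, root_kids = (parse_bw(bw.group(1), 0.0) if bw else 0.0), kids
        else:
            queues[line.split()[1]] = {"bw": bw.group(1) if bw else None, "opts": opts, "kids": kids}
    return ifbw, root_kids, queues


def check_hfsc(conf):
    """Walk queues in definition order with running per-parent sums (as pfctl does)
    and return the complaints a load would raise; wording borrowed from pfctl."""
    ifbw, root_kids, queues = parse_queues(conf)
    parent_of = {k: None for k in root_kids}
    for name, q in queues.items():
        for k in q["kids"]:
            parent_of[k] = name
    rates, rt_sum, ls_sum, errors = {}, {}, {}, []
    for name, q in queues.items():
        parent = parent_of.get(name)
        if parent is not None and parent not in rates:
            raise ValueError(f"{name}: parent {parent} must be defined first")
        parent_bw = ifbw if parent is None else rates[parent]["bandwidth"]
        parent_ls = ifbw if parent is None else rates[parent]["linkshare"]  # root lssc = interface
        o = q["opts"]
        bw = parse_bw(q["bw"], parent_bw) if q["bw"] else 0.0          # bandwidth % of parent
        r = rates[name] = {
            "bandwidth": bw,
            "realtime": parse_bw(o["realtime"], ifbw) if "realtime" in o else 0.0,
            "linkshare": parse_bw(o["linkshare"], ifbw) if "linkshare" in o else bw,  # default
            "upperlimit": parse_bw(o["upperlimit"], ifbw) if "upperlimit" in o else 0.0,
        }
        if bw > ifbw:
            errors.append(f"bandwidth for {name} higher than interface")
        if parent is not None and bw > parent_bw:
            errors.append(f"bandwidth for {name} higher than parent")
        rt_sum[parent] = rt_sum.get(parent, 0.0) + r["realtime"]
        ls_sum[parent] = ls_sum.get(parent, 0.0) + r["linkshare"]
        if r["realtime"] and rt_sum[parent] > RT_SHARE * ifbw:
            errors.append(f"{name}: real-time sc exceeds 80% of the interface bandwidth")
        if r["linkshare"] and ls_sum[parent] > parent_ls:
            errors.append(f"{name}: link-sharing sc exceeds parent's sc")
        if r["upperlimit"] and r["upperlimit"] > ifbw:
            errors.append(f"{name}: upper-limit larger than interface bandwidth")
        if r["upperlimit"] and r["realtime"] > r["upperlimit"]:
            errors.append(f"{name}: upper-limit sc smaller than real-time sc")
    return errors


# Sample inputs constructed from the configurations quoted in this thread.
CHRIS_FIRST = """altq on $ext_if bandwidth 100Mb hfsc queue { queue1, queue2, queue3 }
queue queue1 bandwidth 500Kb priority 7 hfsc(realtime 128Kb red)
queue queue2 { queue2_1, queue2_2, queue2_3, queue2_4, queue2_5 }
 queue queue2_1 priority 5 hfsc(realtime 3Mb linkshare 100% default red)
 queue queue2_2 bandwidth 1.5Mb priority 3 hfsc(red)
 queue queue2_3 bandwidth 1Mb hfsc(red)
 queue queue2_4 bandwidth 4Mb hfsc(red)
 queue queue2_5 priority 3 hfsc(linkshare 100% red)
queue queue3 { queue3_1, queue3_2 }
 queue queue3_1 hfsc(linkshare 100% red)
 queue queue3_2 hfsc(linkshare 100% red)
"""
JON_COMPILED = """altq on em0 hfsc bandwidth 100Mb tbrsize 12000 queue { high_pri med_pri junk }
queue high_pri bandwidth 1% priority 7 hfsc( red realtime 128Kb upperlimit 500Kb )
queue med_pri bandwidth 1% priority 5 hfsc( red ecn default realtime 5Mb upperlimit 99% )
queue junk bandwidth 1% hfsc( red upperlimit 95% )
"""
GOAL = """altq on em0 bandwidth 100Mb hfsc queue { q_first, q_second, q_third }
queue q_first bandwidth 3Mb hfsc(realtime 3Mb upperlimit 93Mb)
queue q_second bandwidth 4Mb hfsc(realtime 4Mb upperlimit 94Mb)
queue q_third bandwidth 3Mb hfsc(realtime 3Mb upperlimit 28Mb default)
"""

if __name__ == "__main__":
    for label, conf in (("chris", CHRIS_FIRST), ("jon", JON_COMPILED), ("goal", GOAL)):
        print(label, check_hfsc(conf) or "loads cleanly")
```

The model deliberately stops short of the real two-piece service curves (m1 over d then m2), so a configuration it accepts can still be refused by pfctl, and vice versa; its value is in making the parent/child arithmetic visible, which is what the error message hides.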
--Bill From owner-freebsd-pf@FreeBSD.ORG Thu Feb 23 14:19:57 2006 Return-Path: X-Original-To: freebsd-pf@FreeBSD.org Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E88E916A420 for ; Thu, 23 Feb 2006 14:19:57 +0000 (GMT) (envelope-from tiagocruz@forumgdh.net) Received: from gdhs.guiadohardware.net (gdhs.guiadohardware.net [64.246.6.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6188C43D45 for ; Thu, 23 Feb 2006 14:19:57 +0000 (GMT) (envelope-from tiagocruz@forumgdh.net) Received: (qmail 9162 invoked by uid 15); 23 Feb 2006 14:19:50 -0000 Received: from unknown (HELO tuxkiller.matter.b4br.net) (tiagocruz@forumgdh.net@200.152.202.10) by 0 with SMTP; 23 Feb 2006 14:19:50 -0000 From: Tiago Cruz To: Dimitry Andric In-Reply-To: <43FC7E4E.1070103@andric.com> References: <1140612265.5617.25.camel@localhost.localdomain> <43FC7E4E.1070103@andric.com> Content-Type: text/plain Date: Thu, 23 Feb 2006 11:19:54 -0300 Message-Id: <1140704394.4824.13.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.2.3 Content-Transfer-Encoding: 7bit Cc: freebsd-pf@FreeBSD.org Subject: Re: Dirty NAT tricks X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2006 14:19:58 -0000 On Wed, 2006-02-22 at 16:07 +0100, Dimitry Andric wrote: > Read pf.conf(5), especially the parts about binat. This is probably > what you want. Ok, thank you... I'm reading about but think that I some of some example... reading the FAQ of OpenVPN I saw this one: ======================================================================================= Does anybody know how to remap local addresses, if I want to connect two networks with an overlap in the private address range? 
Using iptables 1.2.7a+ and the NETMAP target: iptables -t nat -A PREROUTING -d 192.168.0.0/24 -j NETMAP --to 192.168.1.0/24 or iptables -t nat -A POSTROUTING -d 192.168.1.0/24 -j NETMAP --to 192.168.0.0/24 ======================================================================================= Maybe is some like this? binat on $vpn_if from any to 192.168.0.1 -> 192.168.1.0 But... I have this error: pfctl: Syntax error in config file: pf rules not loaded Well... I'm a little bit of lost... is someone have some tip... Thanks! -- Tiago Cruz http://linuxrapido.org From owner-freebsd-pf@FreeBSD.ORG Thu Feb 23 14:37:45 2006 Return-Path: X-Original-To: freebsd-pf@FreeBSD.org Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5B3D116A425 for ; Thu, 23 Feb 2006 14:37:45 +0000 (GMT) (envelope-from dimitry@andric.com) Received: from tensor.andric.com (tensor.andric.com [213.154.244.69]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3701943D60 for ; Thu, 23 Feb 2006 14:37:43 +0000 (GMT) (envelope-from dimitry@andric.com) Received: from [192.168.0.3] (kilgore.lan.dim [192.168.0.3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by tensor.andric.com (Postfix) with ESMTP id 650B1B80C; Thu, 23 Feb 2006 15:37:40 +0100 (CET) Message-ID: <43FDC8AF.8050709@andric.com> Date: Thu, 23 Feb 2006 15:37:35 +0100 From: Dimitry Andric User-Agent: Thunderbird 1.5 (Windows/20060112) MIME-Version: 1.0 To: Tiago Cruz References: <1140612265.5617.25.camel@localhost.localdomain> <43FC7E4E.1070103@andric.com> <1140704394.4824.13.camel@localhost.localdomain> In-Reply-To: <1140704394.4824.13.camel@localhost.localdomain> X-Enigmail-Version: 0.94.0.0 Content-Type: multipart/signed; micalg=pgp-ripemd160; protocol="application/pgp-signature"; boundary="------------enig0181389D43831695E6385ECA" Cc: freebsd-pf@FreeBSD.org Subject: Re: Dirty NAT tricks X-BeenThere: 
freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2006 14:37:45 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig0181389D43831695E6385ECA Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Tiago Cruz wrote: > Maybe is some like this? > binat on $vpn_if from any to 192.168.0.1 -> 192.168.1.0 Maybe you can try this: binat on $vpn_if from 192.168.0.1/24 to any -> 192.168.1.0/24 --------------enig0181389D43831695E6385ECA Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFD/ciysF6jCi4glqMRA97gAKDudzn4FCR8mkInQcRuDHzxI7P9pACfXR25 FvT38hNcg6iecuFYVl9kyZI= =GB43 -----END PGP SIGNATURE----- --------------enig0181389D43831695E6385ECA-- From owner-freebsd-pf@FreeBSD.ORG Fri Feb 24 01:06:52 2006 Return-Path: X-Original-To: pf@freebsd.org Delivered-To: freebsd-pf@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A92B716A420 for ; Fri, 24 Feb 2006 01:06:52 +0000 (GMT) (envelope-from mcdouga9@daemon.egr.msu.edu) Received: from daemon.egr.msu.edu (daemon.egr.msu.edu [35.9.44.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6D5AA43D46 for ; Fri, 24 Feb 2006 01:06:52 +0000 (GMT) (envelope-from mcdouga9@daemon.egr.msu.edu) Received: by daemon.egr.msu.edu (Postfix, from userid 21281) id 9A8C81CC2B; Thu, 23 Feb 2006 20:08:34 -0500 (EST) Date: Thu, 23 Feb 2006 20:08:34 -0500 From: Adam McDougall To: pf@freebsd.org Message-ID: <20060224010834.GC83891@egr.msu.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: 
Mutt/1.5.11 Cc: Subject: pf no-df breaking all tcp traffic through bridge X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Feb 2006 01:06:52 -0000 I have setup if_bridge and pf on a server with dual em interfaces running FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006. rc.conf relevant items: (The IP's are just for temporary management from either side of the firewall as needed) ifconfig_em0="inet 10.0.0.80 netmask 0xffffff00" ifconfig_em0_alias0="inet 35.9.44.100 netmask 0xffffff00" ifconfig_em1="inet 10.0.1.80 netmask 0xffffff00" cloned_interfaces="bridge0" ifconfig_bridge0="addm em0 addm em1 up" I have narrowed my ruleset down to a simple config for testing: ext_if="em0" int_if="em1" scrub in on $ext_if no-df pass in all pass out all pass quick on lo0 # pfctl -Rf /etc/pf.conf No ALTQ support in kernel ALTQ related functions disabled # pfctl -sr No ALTQ support in kernel ALTQ related functions disabled scrub in on em0 all no-df fragment reassemble pass in all pass out all pass quick on lo0 all Whenever I have no-df in the scrub line, the bridging firewall still passes my ssh SYN packet to the host behind the firewall, but the receiving host discards it due to a bad IP checksum (I believe). Using tcpdump on em0 and em1 on the firewall, I see the packet come in with DF set, and leave with DF unset however the IP checksum is reported bad on the em1 side according to ethereal. Running tcpdump on the receiving host shows the SYN packet, but trying to use -w to save it to a file results in nothing captured. I'm not sure how easy it would be to get the receiving host to print a debug message when an IP packet would be dropped due to bad IP sum. All systems involved are FreeBSD so far, and the symptoms persist going both directions across the bridge. 
ping still works. I am trying to get no-df to work because documentation indicates it is needed to pass NFS, which will be a requirement for me. I didn't get very far with attempting to exclude just NFS traffic from being scrubbed, but it seems to me that a firewall munging packets ought to produce ones with valid checksums. Please let me know if I need to provide more information or what else I can do to debug this further.

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 24 01:36:36 2006
Date: Thu, 23 Feb 2006 05:36:51 -0600
From: "Travis H."
To: "Greg Hennessy"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <000001c637b3$a54b0a70$0a00a8c0@thebeast>
Subject: Re: Dirty NAT tricks

On 2/22/06, Greg Hennessy wrote:
> How is this a problem? Surely the default route is through the tunnel
> interface when the tunnel is up?

Yes, but a more-specific route (the locally attached network) takes precedence over the default. And he can't change that or he won't be able to get his packets out of the LAN. His iptables rules change the destination IP temporarily, just for routing purposes.

By the way, if setting up a network with RFC 1918 addresses, I recommend choosing something from within 172.17-31.x.x --- for some reason very few people choose the class B, whereas 10/8 and 192.168.x are much more popular.

OP: As Brian Candler pointed out, you can do this with a binat to a fictitious network on the client, then a binat back on the VPN server. I don't know what he means by "reversing the in/out sense", as binat is bidirectional.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 25 00:48:22 2006
Date: Sat, 25 Feb 2006 02:48:21 +0200
From: "Vlad GALU"
To: freebsd-pf@freebsd.org
Message-ID: <79722fad0602241648y24a4d578h23d2ea536d634210@mail.gmail.com>
Subject: reply-to doesn't seem to work

I have a machine with two interfaces.
On one of them there is a webserver listening for client connections. The machine's default route is through the other interface. Let's assume the interfaces are called if1 and if2, and that the webserver is listening on if2. I have a rule like this:

pass in quick on $if2 reply-to ($if2 $if2gw) inet proto tcp from any to ($if2) port = 80 flags S/SA keep state

The replies should leave the box through if2, right? Well, they don't. I had to add a rule like this:

pass out quick on $if1 route-to ($if2 $if2gw) inet from ($if2) to any

I can see the reply-to rule creating states, and yet it doesn't work as advertised. Ideas, anybody?

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 25 00:49:37 2006
Date: Sat, 25 Feb 2006 02:49:35 +0200
From: "Vlad GALU"
To: freebsd-pf@freebsd.org
Message-ID: <79722fad0602241649n3864eb94w3c2e06e72283c22c@mail.gmail.com>
In-Reply-To: <79722fad0602241648y24a4d578h23d2ea536d634210@mail.gmail.com>
Subject: Re: reply-to doesn't seem to work

On 2/25/06, Vlad GALU wrote:
[...]

Sorry, I forgot to mention that this happens on 6.1-PRERELEASE. I couldn't check on other versions, unfortunately.

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
From owner-freebsd-pf@FreeBSD.ORG Sat Feb 25 22:45:43 2006
Date: Sat, 25 Feb 2006 16:45:41 -0600
From: "Bill Marquette"
To: "freebsd-pf@freebsd.org"
Message-ID: <55e8a96c0602251445g68376abay3b58bec7f3160113@mail.gmail.com>
Subject: HFSC issues in RELENG_6

I've been having massive issues with HFSC for a while. I finally spent some time working on it this weekend. I'm testing by using my VOIP phone with a 90Kb codec.
Here's a stripped down config that works perfectly:

altq on sis1 hfsc(upperlimit 768Kb) queue { qWANdef }
altq on sis0 hfsc(upperlimit 6000Kb) queue { qLANdef }
queue qWANdef priority 6 hfsc(default realtime 128Kb )
queue qLANdef priority 6 hfsc(default realtime 128Kb )

pfctl -vvsq output with a call in progress:

queue root_sis1 bandwidth 10Mb priority 0 hfsc( upperlimit 768Kb ) {qWANdef}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue  qWANdef bandwidth 10Mb priority 6 hfsc( default realtime 128Kb )
  [ pkts:      29409  bytes:    6216336  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50 ]
  [ measured:    51.6 packets/s, 87.33Kb/s ]
queue root_sis0 bandwidth 10Mb priority 0 hfsc( upperlimit 6Mb ) {qLANdef}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue  qLANdef bandwidth 10Mb priority 6 hfsc( default realtime 128Kb )
  [ pkts:      30231  bytes:    6349924  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50 ]
  [ measured:    53.0 packets/s, 89.25Kb/s ]

This gives me broken calls (lag, dropped packets, etc):

altq on sis1 hfsc(upperlimit 768Kb) queue { qWANdef }
altq on sis0 hfsc(upperlimit 6000Kb) queue { qLANdef }
queue qWANdef priority 6 hfsc(default realtime 128Kb upperlimit 512Kb )
queue qLANdef priority 6 hfsc(default realtime 128Kb upperlimit 512Kb )

Here's from an earlier test of the above rule (wife is on the phone right now, can't get a full pfctl -vvsq output, sorry):

queue  qWANdef bandwidth 768Kb priority 6 hfsc( default realtime 128Kb upperlimit 512Kb )
  [ pkts:        549  bytes:      96910  dropped pkts:    282 bytes:  60434 ]

qlength gets up to 50/50, which suggests to me that the queue is getting limited. Why, I don't know; this was practically an idle circuit during the testing. What's really interesting here is that I've played with the upperlimit settings on the WAN/LANdef queues a fair amount.
With qLANdef upperlimit set to 1280Kb, I don't see qlength on the qLANdef queue filling up (and call quality is fine). I don't have an easy way right this second to try this on OpenBSD.

--Bill
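Going back to the bridge report earlier in this digest ("pf no-df breaking all tcp traffic through bridge"): the diagnosis rests on whether the packet leaving em1 really carries a stale IPv4 header checksum after DF was cleared. The Python below is an added example, not code from pf, FreeBSD or any poster in the thread. It verifies the IPv4 header checksum from a `tcpdump -x` dump (RFC 1071), shows that clearing DF without touching the checksum produces exactly a header a receiver must discard, and applies the RFC 1624 incremental update a filter would use to repair it. The hex dump is constructed for the example, not taken from any capture in the thread.

```python
"""Check and repair the IPv4 header checksum of a packet whose DF bit was
cleared (what 'scrub ... no-df' does).  Added example, not code from pf,
FreeBSD or the poster; the hex dump below is constructed, not captured."""
import re
import struct

DF_FLAG = 0x4000  # "Don't Fragment" bit in the flags/fragment-offset word

# Constructed sample: a TCP SYN 10.0.1.20 -> 10.0.0.80 as 'tcpdump -x' (no
# link-layer header) might show it on the far side of the bridge: DF already
# cleared (word 0x0000 at offset 6) but checksum 0x0913 still computed for DF=1.
SAMPLE_AFTER_NO_DF = """
\t0x0000:  4500 003c 1c46 0000 4006 0913 0a00 0114
\t0x0010:  0a00 0050 d2b5 0016 0000 0001 0000 0000
\t0x0020:  a002 ffff 0000 0000 0204 05b4 0103 0303
\t0x0030:  0402 080a 0000 0001 0000 0000
"""


def parse_tcpdump_x(text):
    """Turn 'tcpdump -x' lines ('0x0010:  4500 003c ...') into raw bytes."""
    words = []
    for line in text.splitlines():
        words.extend(re.sub(r"^\s*0x[0-9a-fA-F]+:\s*", "", line).split())
    return bytes.fromhex("".join(words))


def ipv4_header(packet):
    """Return only the IPv4 header (IHL * 4 bytes) of a packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return packet[:ihl]


def ones_complement_sum(data):
    """RFC 1071: 16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(header):
    """Checksum the header with its checksum field treated as zero."""
    return (~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])) & 0xFFFF


def checksum_ok(header):
    """A valid header, checksum field included, sums to 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def incremental_checksum(old_csum, old_word, new_word):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): fix the checksum after
    changing one 16-bit word without re-summing the whole header."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def clear_df(header, fix_checksum):
    """Clear DF like no-df does.  With fix_checksum=False the header keeps
    its stale checksum, which is what a receiving host then silently drops."""
    old_flags = struct.unpack("!H", header[6:8])[0]
    new_flags = old_flags & ~DF_FLAG
    out = header[:6] + struct.pack("!H", new_flags) + header[8:]
    if fix_checksum:
        old_csum = struct.unpack("!H", header[10:12])[0]
        new_csum = incremental_checksum(old_csum, old_flags, new_flags)
        out = out[:10] + struct.pack("!H", new_csum) + out[12:]
    return out


def analyse(packet):
    """Report DF state, the checksum found, the one expected, and validity."""
    hdr = ipv4_header(packet)
    flags = struct.unpack("!H", hdr[6:8])[0]
    return {
        "df": bool(flags & DF_FLAG),
        "checksum": struct.unpack("!H", hdr[10:12])[0],
        "expected": ip_checksum(hdr),
        "ok": checksum_ok(hdr),
    }


if __name__ == "__main__":
    pkt = parse_tcpdump_x(SAMPLE_AFTER_NO_DF)
    print(analyse(pkt))  # stale 0x0913, expected 0x4913, ok False
    hdr = ipv4_header(pkt)
    fixed = clear_df(hdr[:6] + b"\x40\x00" + hdr[8:], fix_checksum=True)
    print("repaired ok=%s" % checksum_ok(fixed))
```

To use it on the bridge, capture on the outgoing member with `tcpdump -ni em1 -x` and paste the packet into `parse_tcpdump_x`. Two checks worth doing alongside: on the receiving FreeBSD host, `netstat -s -p ip` keeps a "bad header checksums" counter that increments when the kernel drops a packet for this reason, which answers the question of how to see the drop without a debug printf; and a capture taken on the host that transmits a frame can show a checksum the NIC has not yet filled in when transmit checksum offloading is on, so a "bad" checksum seen on em1 of the bridge is only conclusive if the receiver's capture or counter agrees, or offloading is turned off with `ifconfig em1 -txcsum`.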