From: Volker
Date: Fri, 18 May 2007 10:39:13 +0200
To: llt@recol.com
Cc: freebsd-pf@freebsd.org
Subject: Re: pf+altq for bandwidth control

> My setup is as follows:
> LAN {test server} -> xl1 {FreeBSD} xl0 -> router -> net
> xl0 and xl1 are functioning as a transparent bridge. kernel has pf and altq
> compiled.
>
> pf.conf:
> ext_if = "xl0"
> int_if = "xl1"
> pc = "any"
> set loginterface $ext_if
>
> # to net
> altq on $ext_if cbq bandwidth 100Mb queue { std_ext, test_ext }
> queue std_ext bandwidth 3Mb qlimit 1000 priority 5 cbq(default red ecn)
> queue test_ext bandwidth 2Mb priority 1 cbq(red ecn)
>
> pass out on $ext_if from $pc to any keep state queue test_ext
> ---
> The problem I'm having is that all outbound traffic from "test server"
> matches the "queue std_ext" instead of "queue test_ext" rule. It appears
> the cbq(default) child rule is overriding the other rule.

Lan,

to get a clear answer, we need to see your whole ruleset, not just a
snippet (will write this into a signature, soon as it's the most often
used phrase).

Just a few guesses:

You don't 'pass quick' and another rule matches later, which does set it
into a different queue.

Also you're using state-policy floating and a rule is creating state
when the packet comes into your box, which queues differently. You may
probably want to use if-bound state policy.

Another thing to care about is your rules may create state in the middle
of a stream as you're not creating state on SYN.

Last guess: I think you've set $pc to any just for testing. If you're
using NAT and setting this to anything different (any of your local IP
addresses), this rule will never match as the packet is being processed
_after_ NAT processing.

HTH

Volker

PS: Does anybody know what's wrong with the mailing list? Did not receive
the digest messages for the last 36 hours.
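
The guesses in the reply above, applied to the quoted ruleset as an added example (not part of the original message and not the poster's actual configuration). The split into a TCP rule and a non-TCP rule, and the choice to queue non-TCP traffic the same way, are assumptions of this example.

```pf
# Added example: the quoted ruleset with the reply's suggestions applied.
ext_if = "xl0"
int_if = "xl1"
pc     = "any"    # narrowing this assumes no NAT on this box; with NAT,
                  # the filter rule on $ext_if sees the translated source

set loginterface $ext_if
# Bind each state to the interface that created it, so a state created on
# $int_if is not reused for the same packet when it leaves on $ext_if.
set state-policy if-bound

# to net
altq on $ext_if cbq bandwidth 100Mb queue { std_ext, test_ext }
queue std_ext  bandwidth 3Mb qlimit 1000 priority 5 cbq(default red ecn)
queue test_ext bandwidth 2Mb priority 1 cbq(red ecn)

# Original rule: without 'quick', a later matching rule wins and can assign
# a different queue, and state may be created in the middle of a stream:
#   pass out on $ext_if from $pc to any keep state queue test_ext

# 'quick' stops rule evaluation at this rule; 'flags S/SA' creates TCP state
# only on the initial SYN of a connection.
pass out quick on $ext_if proto tcp from $pc to any flags S/SA keep state queue test_ext

# Assumption: non-TCP traffic should land in the same queue.
pass out quick on $ext_if proto { udp, icmp } from $pc to any keep state queue test_ext
```

After loading the ruleset, `pfctl -vvs rules` shows per-rule packet and state counters and `pfctl -vs queue` shows per-queue counters, which together show whether traffic is reaching test_ext.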