Hi All,
I have the following OpenBSD multi-tenant firewall setup:
                           |
+-----+---------------+----+----+---------------+---+
|     |    vlan10     |    |    |    vlan11     |   |
|     | 195.188.200.a |--(em0)--| 195.188.201.a |   |
|     | 195.188.200.b |    |    | 195.188.201.b |   |
|     |   rdomain 1   |    |    |   rdomain 2   |   |
|     +---------------+         +---------------+   |
|                                                   |
|     +---------------+         +---------------+   |
|     |    vlan160    |         |    vlan161    |   |
|     |  10.1.160.1   |--(em1)--|  10.1.160.1   |   |
|     |  rdomain 160  |    |    |  rdomain 161  |   |
+-----+---------------+----+----+---------------+---+
                           |
vlan10 and vlan11 represent the PUBLIC side of the firewall and each
vlan has a separate rdomain. A customer could be assigned IP addresses
from both vlan10 and vlan11. Traffic from vlans 160 and 161 is then
NATed out of vlan10 and vlan11 using pf rules (and vice versa, with
some tagging). vlan160 and vlan161 represent the customer side of the
firewall; IP addresses on this side can only be RFC 1918, but can be
the same subnets in each vlan (hence separate rdomains). What I'd like
to be able to do is queue traffic as it leaves the firewall, both
north and south, but I'm unsure as to where to enable altq. Should I
do:
# "out" being out of em0
altq on em0 cbq bandwidth 300Mb queue { INT_em0, queue1_out, queue2_out }
queue INT_em0 bandwidth 100Mb cbq(default)
queue queue1_out bandwidth 100Mb cbq(ecn)
queue queue2_out bandwidth 100Mb cbq(ecn)
# Using pass in to keep state for packets coming back out of vlan10
pass in on vlan10 from any to 195.188.200.a queue queue1_out
pass in on vlan10 from any to 195.188.200.b queue queue2_out
# "in" being out of em1
altq on em1 cbq bandwidth 300Mb queue { INT_em1, queue1_in, queue2_in }
queue INT_em1 bandwidth 100Mb cbq(default)
queue queue1_in bandwidth 100Mb cbq(ecn)
queue queue2_in bandwidth 100Mb cbq(ecn)
# Using pass in to keep state for packets coming back out of vlan160 or vlan161
pass in on vlan160 from any to any queue queue1_in
pass in on vlan161 from any to any queue queue2_in
or should I do:
altq on vlan10 cbq bandwidth 300Mb queue { INT_vlan10, queue1_out, queue2_out }
queue INT_vlan10 bandwidth 100Mb cbq(default)
queue queue1_out bandwidth 100Mb cbq(ecn)
queue queue2_out bandwidth 100Mb cbq(ecn)
# Using pass in to keep state for packets coming back out of vlan10
pass in on vlan10 from any to 195.188.200.a queue queue1_out
pass in on vlan10 from any to 195.188.200.b queue queue2_out
# "in" being out of vlan160
altq on vlan160 cbq bandwidth 100Mb queue { INT_vlan160 }
queue INT_vlan160 bandwidth 100Mb cbq(default)
# Using pass in to keep state for packets coming back out of vlan160 or vlan161
pass in on vlan160 from any to any queue queue1_in
pass in on vlan161 from any to any queue queue2_in
With altq statements for each vlan interface.
Ideally I'd want to do altq on the vlan parent interface.
Thanks,
Peter
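Added example, not from Peter's post: an offline sanity check for pf altq/queue snippets like the two variants above, catching a bandwidth unit pf.conf does not accept, a pass rule that names a queue never defined, and child queues that oversubscribe their altq. It assumes absolute bandwidths (b/Kb/Mb/Gb) as in the post, not percentages; on the firewall itself `pfctl -nf` remains the authoritative check.

```python
import re

# Constructed, trimmed copy of the second variant from the post above (not the full config).
SAMPLE = """\
altq on vlan10 cbq bandwidth 300MB queue { INT_vlan10, queue1_out }
queue INT_vlan10 bandwidth 100Mb cbq(default)
queue queue1_out bandwidth 100Mb cbq(ecn)
pass in on vlan10 from any to 195.188.200.a queue queue1_out
altq on vlan160 cbq bandwidth 100Mb queue { INT_vlan160 }
queue INT_vlan160 bandwidth 100Mb cbq(default)
pass in on vlan160 from any to any queue queue1_in
"""
UNITS = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}  # pf.conf(5) bandwidth units
ALTQ_RE = re.compile(r"^altq on (\S+) \w+ bandwidth (\S+) queue \{([^}]*)\}")
QUEUE_RE = re.compile(r"^queue (\S+) bandwidth (\S+)")
PASS_RE = re.compile(r"^pass .*\bqueue (\S+)$")

def parse_bw(token):
    """Bandwidth token to bits/s; None if malformed (e.g. '300MB' instead of '300Mb')."""
    m = re.fullmatch(r"(\d+)(b|Kb|Mb|Gb)", token)
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def lint(conf):
    """Return problems: bad units, queues referenced but never defined, oversubscribed altq."""
    problems, altqs, defined, refs = [], {}, {}, []
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments
        if m := ALTQ_RE.match(line):
            kids = [k.strip() for k in m.group(3).split(",") if k.strip()]
            altqs[m.group(1)] = (n, m.group(2), kids)
        elif m := QUEUE_RE.match(line):
            defined[m.group(1)] = (n, m.group(2))
        elif m := PASS_RE.match(line):
            refs.append((n, m.group(1)))
    for name, (n, bw) in defined.items():
        if parse_bw(bw) is None:
            problems.append(f"line {n}: bad bandwidth {bw!r} for queue {name}")
    for n, name in refs:
        if name not in defined:
            problems.append(f"line {n}: pass rule uses undefined queue {name}")
    for iface, (n, bw, kids) in altqs.items():
        total = parse_bw(bw)
        if total is None:
            problems.append(f"line {n}: bad bandwidth {bw!r} on altq {iface}")
            continue
        used = sum(parse_bw(defined[k][1]) or 0 for k in kids if k in defined)
        if used > total:
            problems.append(f"line {n}: children of {iface} want {used} b/s > {total} b/s")
    return problems
```

Run `lint(SAMPLE)` to see both defects in the trimmed snippet reported with their line numbers.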