On 2015-08-20, Paulo Coimbra <[email protected]> wrote:
> Well, considering that only outbound packets can be queued, I've changed
> some rules at pf.conf. Packets that are "outgoing" at $if_Internet are
> upload. Packets that are "outgoing" at vlan100 are download, all right? My
> changed pf.conf below: (but even with these changes, it doesn't work for me,
> I'm getting 300Mb+ each direction.). Am I dumb? (LMFAO).

Some tips:

- Use the state table to your advantage. Get rid of the "no state", when
  you understand the other tips you'll see why you don't need it.

- With "pass ... queue XX" (or match/whatever), when a packet matches
  that rule, it creates PF state which is "tagged" with the queue name.
  When traffic is transmitted out of *any* interface, if a queue of the
  "tagged" name exists on that interface, it will be used to throttle
  transmission.

    match from vlan100:network queue vlan100_traffic
    match to vlan100:network queue vlan100_traffic

  (or similar with "pass", I just find it easier to split these things up)

- The "queue XX on YY" line relates to *where* on the path through the
  network stack the queue takes place. This should normally be on the
  physical interface (if you have "vlandev em2" then queue on em2) not
  the vlan itself.

- You can have the same queue name on more than one interface, e.g.

    queue Internet on em0 bandwidth 10M
    queue vlan100_traffic on em0 parent Internet bandwidth 5M max 5M default
    queue vlan101_traffic on em0 parent Internet bandwidth 1M max 1M default

    queue em1_root on em1 bandwidth 1G
    queue vlan100_traffic on em1 parent em1_root bandwidth 5M max 5M default
    queue vlan101_traffic on em1 parent em1_root bandwidth 1M max 1M default

  etc.

Troubleshooting:

- Use "systat q" and check traffic is being assigned to the queues you
  expect.

- If packets aren't in the expected queues, identify which rules are
  creating PF state. (pfctl -ss -v, check the rule number, pfctl -sr -R ##).
  If states are being created by unexpected rules, use "match log(matches)"
  and something like "tcpdump -neipflog0 -v" to help debug your ruleset.
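
The tips above combined into one minimal stateful ruleset, as an added example that is not part of the original message. Assumptions: em0 is the Internet-facing interface, vlan100 and vlan101 both have "vlandev em2", the networks are routed (no NAT), and the bandwidth figures and the "other" catch-all queue are made up for illustration.

```pf
# Added example, not the poster's ruleset. Interface roles, bandwidths
# and the "other" queue are assumptions.

# Upload side: queues live on the physical Internet interface.
queue inet_root on em0 bandwidth 10M
queue vlan100_traffic on em0 parent inet_root bandwidth 5M max 5M
queue vlan101_traffic on em0 parent inet_root bandwidth 1M max 1M
queue other on em0 parent inet_root bandwidth 1M default

# Download side: queues live on em2, the vlandev parent, not on vlan100.
# Same queue names as on em0, so one state tag throttles both directions.
queue lan_root on em2 bandwidth 1G
queue vlan100_traffic on em2 parent lan_root bandwidth 5M max 5M
queue vlan101_traffic on em2 parent lan_root bandwidth 1M max 1M
queue other on em2 parent lan_root bandwidth 1M default

block all

# Tag by network only; log(matches) records every rule a packet hits,
# which is what the pflog0 tcpdump in the troubleshooting step reads.
match log(matches) from vlan100:network queue vlan100_traffic
match log(matches) to vlan100:network queue vlan100_traffic
match from vlan101:network queue vlan101_traffic
match to vlan101:network queue vlan101_traffic

# Stateful pass rules (no "no state"). The state created here carries
# the queue name set by the match rules above, so replies leaving em2
# are throttled by the em2 queue of the same name.
pass in on { vlan100 vlan101 }
pass out on em0
```

Parse it without loading with "pfctl -nf" on the file, then confirm with "systat q" that counters move on both the em0 and em2 copies of each queue.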

