On Thu, Jan 7, 2016 at 1:28 PM, Marko Cupać <[email protected]> wrote:
> Hi,
>
> I am setting up a gateway for a small network which has two main types of
> traffic: p2p and http(s). The idea is to give p2p traffic all the
> available bandwidth until there is http(s) traffic, in which case p2p
> should be throttled down and http(s) should be given all the available
> bandwidth.
>
> The problem is that p2p does not get throttled down when http(s) is on
> the wire. I spent days re-reading the QUEUEING section of pf.conf and
> chapter 7 of the 3rd edition of "The Book of PF", but I still couldn't make it
> work. From 'systat queues' I can conclude that traffic seems to be
> assigned to the appropriate queues, but queue bandwidth does not seem to be
> respected. What am I doing wrong?
>
> Snapshot of 'systat queues' and active pf.conf below:
>
> QUEUE BW SCH P PKTS BYTES DROP_P DROP_B QLEN P/S B/S
> upload on pppoe 860K 0 0 0 0 0 0 0
> ack 10K 228K 12M 0 0 0 364 20K
> fast 20K 60 5397 0 0 0 0 0
> bulk 800K 263 110K 0 0 0 0.6 417
> slow 30K 34234 35M 0 0 0 59 67K
> download on re2 8M 0 0 0 0 0 0 0
> ack 100K 18314 1205K 0 0 0 34 2388
> fast 200K 51 15491 0 0 0 0 0
> bulk 8M 29014 41M 0 0 0 57 85K
> slow 500K 317K 457M 0 0 0 523 771K
>
>
> # INTERFACE MACROS
> if_int = "re2"
> if_ext = "pppoe0"
>
> # HOST MACROS
> efreet = "{ 192.168.33.20 }"
> rpi = "{ 192.168.33.22 }"
>
> # PORT MACROS
> p2p = "{ 10000:65535 }"
> prpi = "{ 40000:40100 }"
> ipsec = "{ 500 4500 }"
> web = "{ 80 443 }"
> mail = "{ 25 110 143 587 993 995 }"
> xmpp = "{ 5222 }"
>
> # TABLES
> table <zlice> persist
>
> # RUNTIME OPTIONS
> set ruleset-optimization none
> set loginterface $if_ext
>
> # QUEUES
> queue upload on $if_ext bandwidth 860K
> queue ack parent upload qlimit 50 bandwidth 10K
> queue fast parent upload qlimit 50 bandwidth 20K
> queue bulk parent upload qlimit 50 bandwidth 800K default
> queue slow parent upload qlimit 50 bandwidth 30K
> queue download on $if_int bandwidth 8800K
> queue ack parent download qlimit 50 bandwidth 100K
> queue fast parent download qlimit 50 bandwidth 200K
> queue bulk parent download qlimit 50 bandwidth 8000K default
> queue slow parent download qlimit 50 bandwidth 500K
>
> # QUICKS AND BLOCKS
> block log quick inet6
> block log quick from <zlice>
> antispoof for $if_int
> antispoof for $if_ext
>
> # SCRUB & NAT
> match in all scrub ( no-df random-id max-mss 1440 )
> match out on egress inet from $if_int:network to any nat-to ($if_ext:0)
>
> # SHAPING
> match proto icmp set ( queue fast prio 4 )
> match proto tcp to port 22 set ( queue ( fast ack ) prio ( 4 5 ) )
> match proto tcp to port 53 set ( queue ( fast ack ) prio ( 4 5 ) )
> match proto udp to port 53 set ( queue fast prio 4 )
> match proto tcp to port $web set ( queue ( bulk ack ) prio ( 3 5 ) )
> match proto tcp to port $mail set ( queue ( bulk ack ) prio ( 3 5 ) )
> match proto tcp to port $xmpp set ( queue ( bulk ack ) prio ( 3 5 ) )
> match proto tcp to port $p2p set ( queue ( slow ack ) prio ( 0 5 ) )
> match proto udp to port $p2p set ( queue slow prio 0 )
>
> # RULES
> block log all
>
> pass in on $if_int inet proto icmp from $if_int:network to any
> pass in on $if_int inet proto tcp from $if_int:network to any \
> port 22
> pass in on $if_int inet proto tcp from $if_int:network to any \
> port 53
> pass in on $if_int inet proto udp from $if_int:network to any \
> port 53
> pass in on $if_int inet proto tcp from $if_int:network to any \
> port $web
> pass in on $if_int inet proto tcp from $if_int:network to any \
> port $mail
> pass in on $if_int inet proto tcp from $if_int:network to any \
> port $xmpp
> pass in on $if_int inet proto tcp from $if_int:network to any \
> port $p2p
> pass in on $if_int inet proto udp from $if_int:network to any \
> port $p2p
>
> pass out on $if_ext inet proto icmp from ($if_ext:0) to any
> pass out on $if_ext inet proto tcp from ($if_ext:0) to any \
> port 22
> pass out on $if_ext inet proto tcp from ($if_ext:0) to any \
> port 53
> pass out on $if_ext inet proto udp from ($if_ext:0) to any \
> port 53
> pass out on $if_ext inet proto tcp from ($if_ext:0) to any \
> port $web
> pass out on $if_ext inet proto tcp from ($if_ext:0) to any \
> port $mail
> pass out on $if_ext inet proto tcp from ($if_ext:0) to any \
> port $xmpp
> pass out on $if_ext inet proto tcp from ($if_ext:0) to any \
> port $p2p
> pass out on $if_ext inet proto udp from ($if_ext:0) to any \
> port $p2p
>
> pass in on $if_ext inet proto icmp from any to ($if_ext:0)
> pass in on $if_ext inet proto tcp from any to ($if_ext:0) \
> port 22
> pass in on $if_ext inet proto tcp from any to ($if_ext:0) \
> port $prpi rdr-to $rpi
> pass in on $if_ext inet proto udp from any to ($if_ext:0) \
> port $prpi rdr-to $rpi
>
> pass out on $if_int inet proto tcp from any to $if_int:network \
> port $prpi
> pass out on $if_int inet proto udp from any to $if_int:network \
> port $prpi
>
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
>
have you tried prio instead of queue?
--
() ascii ribbon campaign - against html e-mail
/\
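An added example, not part of the thread above, showing the same queue tree rewritten with explicit guarantees and caps. The root rates, the min/max values and the split between the child queues are assumed figures for illustration, not measurements of the poster's link. The point it illustrates: in OpenBSD's HFSC-based queueing, bandwidth on a child queue is a link-share that only decides the split when the parent is saturated; a child with no max borrows whatever its siblings leave idle, so a queue defined at 30K can legitimately carry far more while bulk is idle (the snapshot above shows slow at 67K B/s, i.e. roughly 540 kbit/s, against a 30K definition, with bulk almost empty). A cap only bites if the root is smaller than the physical line, because a shaper that is never the bottleneck never builds a backlog to schedule.

```pf
# Added example, not from the original post. Assumed link: roughly
# 1 Mbit/s up and 10 Mbit/s down, so each root is set a little below that;
# all figures here are illustrative, not measured.

if_int = "re2"
if_ext = "pppoe0"
p2p = "{ 10000:65535 }"
web = "{ 80 443 }"

# Shape of the original definitions: "slow" has a share of 30K but no
# upper limit, so while "bulk" is idle it borrows the rest of the 860K.
#
#   queue upload on $if_ext bandwidth 860K
#   queue slow parent upload qlimit 50 bandwidth 30K

# Upload tree. The root sits below the real upstream rate so that this
# box, not the modem, is where packets queue. "min" is a real-time
# guarantee for the interactive classes; "max" on "slow" is a hard cap
# that holds even when the rest of the link is idle.
queue upload on $if_ext bandwidth 800K
queue  ack  parent upload bandwidth 100K min 50K  qlimit 50
queue  fast parent upload bandwidth 100K min 50K  qlimit 50
queue  bulk parent upload bandwidth 550K          qlimit 50 default
queue  slow parent upload bandwidth 50K  max 200K qlimit 50

# Download tree on the inside interface. These packets have already
# crossed pppoe0; dropping or delaying them here only slows the remote
# senders indirectly through TCP feedback, so the root must again be
# below the real downstream rate for the queues to fill at all.
queue download on $if_int bandwidth 8M
queue  ack  parent download bandwidth 500K min 200K qlimit 50
queue  fast parent download bandwidth 500K min 200K qlimit 50
queue  bulk parent download bandwidth 6M            qlimit 50 default
queue  slow parent download bandwidth 1M   max 2M   qlimit 50

# Assignment. Web keeps its share and may borrow; p2p can never exceed
# its "max", and when both have a backlog the prio decides which is
# drained first.
match proto tcp to port $web set ( queue ( bulk ack ) prio ( 3 5 ) )
match proto tcp to port $p2p set ( queue ( slow ack ) prio ( 0 5 ) )
match proto udp to port $p2p set ( queue slow prio 0 )
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch the counters with `pfctl -vs queue` (or `systat queues`) while a web transfer and a p2p transfer run at the same time; the B/S column of slow should now stay under its max. Two caveats worth keeping in mind: pfctl rejects a tree whose children's bandwidth adds up to more than the parent, so keep the sums within the root; and `set prio` on its own, as the reply suggests, only reorders packets once the interface's own transmit queue backs up, which on a gateway with a fast NIC in front of a slower modem rarely happens, so prio is best used as a tie-breaker inside the queues rather than instead of them.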