Lord Sporkton wrote:
2008/5/17 Jesus Sanchez <[EMAIL PROTECTED]>:
Hi, I'm using OpenBSD 4.2
Here is my network, to explain later:
[Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]
I have a little problem when trying to set up an altq bandwidth shape with
pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
bandwidth, and also I have set up some local servers on my OpenBSD to
give some services to Joe, but I also want to give them at the 100Kbs
speed mentioned before, even being on the local network (up to 100Mbs).
The thing is that I have set the PF rules as the manpages say, and
everything works as expected when Joe goes out of my box to the internet,
the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
takes a file from my box, or my box from Joe, the speed is very, very
much higher.
I have tried several things but I can't find the key to this. One thing:
the speed factor when Joe connects to my OpenBSD is always 40x relative
to the bandwidth value I give to the altq.
my pf.conf (very simple, very unsafe, just to try this)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ext_if="rl0"
int_if="sk0"
scrub in all
altq on $int_if cbq bandwidth 100Kb queue main
queue main bandwidth 100% cbq(default)
nat on $ext_if from $int_if:network -> $ext_if
block all
pass queue main
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Thanks for your time
-Jesus
If Joe is accessing things on his local LAN, that is, in his subnet,
you will not be able to police this traffic as it never even hits the
gateway (altq OpenBSD box), so the only limit will be the layer 2
hardware (your switch(es)). Might I suggest putting your servers on a
DMZ as a solution, then Joe will be forced through the gateway for any
server access. If your layer 2 hardware is high end enough you may be
able to do bandwidth control in the layer 2 hardware itself.
As a side note, I don't believe OpenBSD can do altq on anything other
than a physical interface, so if you put the servers on a DMZ, make
sure to use a physical interface, not a VLAN.
I don't want to disturb, but I think you're not right. I want to shape
the bandwidth of the full interface. I know that if Joe is in a LAN with
another PC, the speed limit is the hardware limit, but I just want to
limit one of the interfaces on my OpenBSD box to a certain number of Kbs
(100Kbs), so PF already made changes, but I saw this weird behaviour and
want to make the 100Kbs limit universal to all the interface transfers.
If Joe wants a file from the OpenBSD gateway running a limit of 100Kbs
(pf+altq), even to get a file from the gateway box by FTP, the 100Kbs
limit should apply, or not? Please, I'm really a noob with this and I
don't want to bother anyone with my words, I just talk about what I
think; if I'm wrong, please let me know.
Note: DMZ is not possible for this project, I only have the same
PC to serve as OpenBSD and FTP server to the "joe" users.
Thanks for your time.
-Jesus