Hi,
We provide an "ADSL" service to our clients in our shared building at 1:20 contention from our 10MB symmetric leased line. For some of our clients we also handle packet filtering, rather than leaving it open for their own router to cope with. My problem is that I cannot find a way to both have asymmetric bandwidth limits and provide filtering at the same time. We're using OpenBSD 4.4; here is a basic pf.conf that I have been using to test:
ext = "vlan13"    # towards the leased-line end equipment
int = "vlan10"    # towards the client
client_router = "192.0.2.1"    # placeholder; the test file had the client router's real IP here

# Total Upload = 10Mbit (queue at 97%)
altq on $ext bandwidth 9.7Mb hfsc queue { default_up, adsl_up }
queue default_up bandwidth 9.4Mb hfsc(default)
queue adsl_up bandwidth 256Kb hfsc(upperlimit 256Kb) { client1_up, client2_up }
queue client1_up bandwidth 5% hfsc(realtime 5%)
queue client2_up bandwidth 5% hfsc(realtime 5%)

# Total Download = 10Mbit (queue at 97%)
altq on $int bandwidth 9.7Mb hfsc queue { default_down, adsl_down }
queue default_down bandwidth 7.7Mb hfsc(default)
queue adsl_down bandwidth 2Mb hfsc(upperlimit 2Mb) { client1_down, client2_down }
queue client1_down bandwidth 5% hfsc(realtime 5%)
queue client2_down bandwidth 5% hfsc(realtime 5%)

# "no state": the queue is chosen per packet by these two rules, not by a state
pass out on $ext from $client_router to any no state queue (client1_up)
pass out on $int from any to $client_router no state queue (client1_down)
I've replaced the test IP with $client_router, which would be the IP for the router at the client end. VLAN13 is our connection to the leased line end equipment, VLAN10 is our connection out to the client.
I've added "no state" to turn off the default addition of "flags S/SA keep state". As I understand it, if I did have "keep state" on either or both of these rules, a connection initiated from the internet to the client would be limited at 2Mbit in both directions and a connection initiated from the client to outside would be limited at 256Kbit as appropriate. A state is tagged with the queue of the rule that created that state and future packets bypass the filter altogether; if this is not correct or 100% accurate please let me know, this might be where I'm going wrong!
If there were no bandwidth limits involved, I'd do the following:

pass out on $ext from $client_router to any
pass out on $int from <table-of-ips> to $client_router
Obviously, assume there are appropriate blocking rules preventing contact to and from the $client_router without these rules, and we're also using OpenBSD 4.4 which adds "flags S/SA keep state" by default. Replies as a result of outgoing connections would be caught by state, and new connections incoming only from the tabled IPs would be allowed back to the router.
There also seem to be problems even in the basic configuration without trying to firewall connections. I can get upload limited to 256Kb but download will shoot up to 8Mb, for example, but that's another post! There have been a few posts on the mailing list re: queueing, some just this last week, but I shall post again on this issue once I have reviewed those posts. I mention it only as a symptom that I might be doing something wrong elsewhere...
If anyone has any insight on how I could get around this that'd be great. I know in Linux iptables the existing/related states have to be handled in the firewall rules and I could easily check the IPs involved. If there is some way to feed back through the filter this way in PF that'd work, but the PF FAQ seems to point out that once there is state no rule processing occurs.
Thanks for all help received!
Matthew Sibson
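An added example, not part of the post above and not the poster's own config, of one way to keep stateful filtering and still queue each direction separately on OpenBSD 4.4 pf. It relies on `set state-policy if-bound`: a state is then bound to the interface it was created on, so the rule on each VLAN creates its own state and its own queue assignment, instead of one floating state carrying a single rule's queue across both interfaces. The queue tree is the one from the post; the client router address 192.0.2.1 and the table <inbound_ok> of addresses allowed to open connections towards the client are placeholders.

```pf
# Added example, not the original poster's config.
# Assumes: OpenBSD 4.4 pf with altq/hfsc; vlan13 faces the leased line,
# vlan10 faces the client; all addresses are RFC 5737 placeholders.
ext = "vlan13"
int = "vlan10"
client_router = "192.0.2.1"                # placeholder client router IP
table <inbound_ok> { 203.0.113.0/24 }      # placeholder: may open connections to the client

# Bind states to the interface they were created on. With the default
# floating policy the state created on one VLAN also matches the same
# packet on the other VLAN, so only one rule (and one queue) applies to a flow.
set state-policy if-bound
set skip on lo0

# Queue tree from the post, unchanged
altq on $ext bandwidth 9.7Mb hfsc queue { default_up, adsl_up }
queue default_up bandwidth 9.4Mb hfsc(default)
queue adsl_up bandwidth 256Kb hfsc(upperlimit 256Kb) { client1_up, client2_up }
queue client1_up bandwidth 5% hfsc(realtime 5%)
queue client2_up bandwidth 5% hfsc(realtime 5%)

altq on $int bandwidth 9.7Mb hfsc queue { default_down, adsl_down }
queue default_down bandwidth 7.7Mb hfsc(default)
queue adsl_down bandwidth 2Mb hfsc(upperlimit 2Mb) { client1_down, client2_down }
queue client1_down bandwidth 5% hfsc(realtime 5%)
queue client2_down bandwidth 5% hfsc(realtime 5%)

block log all

# Client-initiated connections: one state per interface. altq only queues
# packets leaving an interface, so client1_down on the "pass in on $int"
# rule is only ever hit by the replies that flow back out to the client.
pass in  on $int from $client_router to any keep state queue client1_down
pass out on $ext from $client_router to any keep state queue client1_up

# Internet-initiated connections, only from <inbound_ok>; here the
# client's replies leave on $ext and are queued by the $ext state.
pass in  on $ext from <inbound_ok> to $client_router keep state queue client1_up
pass out on $int from <inbound_ok> to $client_router keep state queue client1_down
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch the per-queue counters with `pfctl -vvsq` while a transfer runs in each direction to confirm the packets land in client1_up on vlan13 and client1_down on vlan10 rather than in the default queues. The cost of if-bound states is that every permitted flow needs a pass rule on both interfaces; if changing the global policy is unwelcome, the same effect can be limited to these rules with the per-rule option `keep state (if-bound)`.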