Stuart Henderson wrote:
> Use the same queue names for up & down and you can use the default "keep
> state".
>
Wouldn't that mean they get the same bandwidth up and down? We also provide
"SDSL" and
that costs more!
Matthew
> On 2008-11-24, Matthew Sibson <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> We provide an "ADSL" service to our clients in our shared building at 1:20
>> contention from
>> our 10MB symmetric leased line. For some of our clients we also handle
>> packet filtering,
>> rather than leaving it open for their own router to cope with. My problem is
>> that I cannot
>> find a way to both have asymmetric bandwidth limits and provide filtering at
>> the same
>> time. We're using OpenBSD 4.4, here is a basic pf.conf that I have been
>> using to test:
>>
>>
>> ext = "vlan13"
>> int = "vlan10"
>>
>>
>> #Total Upload = 10Mbit (queue at 97%)
>> altq on $ext bandwidth 9.7Mb hfsc queue { default_up, adsl_up }
>>
>> queue default_up bandwidth 9.4Mb hfsc(default)
>>
>> queue adsl_up bandwidth 256Kb hfsc(upperlimit 256Kb) { client1_up,
>> client2_up }
>> queue client1_up bandwidth 5% hfsc(realtime 5%)
>> queue client2_up bandwidth 5% hfsc(realtime 5%)
>>
>> #Total Download = 10Mbit (queue at 97%)
>> altq on $int bandwidth 9.7Mb hfsc queue { default_down, adsl_down }
>>
>> queue default_down bandwidth 7.7Mb hfsc(default)
>>
>> queue adsl_down bandwidth 2Mb hfsc(upperlimit 2Mb) { client1_down,
>> client2_down }
>> queue client1_down bandwidth 5% hfsc(realtime 5%)
>> queue client2_down bandwidth 5% hfsc(realtime 5%)
>>
>> pass out on $ext from $client_router to any no state queue (client1_up)
>> pass out on $int from any to $client_router no state queue (client1_down)
>>
>> I've replaced the test IP with $client_router which would be the IP for the
>> router at the
>> client end. VLAN13 is our connection to the leased line end equipment,
>> VLAN10 is our
>> connection out to the client.
>>
>> I've added "no state" to turn off the default addition of "flags S/SA keep
>> state". As I
>> understand it, if I did have "keep state" on either or both of these rules,
>> a connection
>> initiated from the internet to the client would be limited at 2Mbit in both
>> directions and
>> a connection initiated from the client to outside would be limited at
>> 256Kbit as
>> appropriate. A state is tagged with the queue of the rule that created that
>> state and
>> future packets bypass the filter altogether, if this is not correct or 100%
>> accurate
>> please let me know, this might be where I'm going wrong!
>>
>> If there were no bandwidth limits involved, I'd do the following:
>>
>> pass out on $ext from $client_router to any
>> pass out on $int from <table-of-ips> to $client_router
>>
>> Obviously, assume there are appropriate blocking rules preventing contact to
>> and from the
>> $client_router without these rules, and we're also using OpenBSD 4.4 which
>> adds "flags
>> S/SA keep state" by default. Replies as a result of outgoing connections
>> would be caught
>> by state, and new connections incoming only from the tabled IPs would be
>> allowed back to
>> the router.
>>
>> There also seems to be problems even in the basic configuration without
>> trying to firewall
>> connections. I can get upload limited to 256Kb but download will shoot up to
>> 8Mb for
>> example, but that's another post! There have been a few posts on the mailing
>> list re:
>> queueing, some just this last week but I shall post again on this issue once
>> I have
>> reviewed those posts. I mention it only as a symptom that I might be doing
>> something wrong
>> elsewhere...
>>
>> If anyone has any insight on how I could get around this that'd be great. I
>> know in Linux
>> IPTables the existing/related states have to be handled in the firewall
>> rules and I could
>> easily check the IPs involved. If there is some way to feed back through the
>> filter this
>> way in PF that'd work, but the PF FAQ seems to point out that once there is
>> state no rule
>> processing occurs.
>>
>>
>>
>> Thanks for all help received!
>>
>> Matthew Sibson
