[pf4freebsd] pfaltq FreeBSD (merged) problem

Robert Krasicki wstud at wp.pl
Wed Sep 15 20:51:52 PDT 2004


Hello, 
I have problems with my configuration. 

I'm using the pf.conf configuration from http://openbsd.org/faq/pf/queueing.html (the first example). 

Of course I've replaced the interface names with the proper ones. 

--------- 
##### 
local_net = "192.168.0.0/24" 
ssh_ports = "{ 22 2022 }" 
im_ports = "{ 1863 5190 5222 }" 
ext_if="ed0" 
int_if="xl0" 

scrub in all no-df 

altq on $ext_if priq bandwidth 100Kb queue { std_out, ssh_im_out, dns_out, \ 
tcp_ack_out } 
queue std_out priq(default) 
queue ssh_im_out priority 4 priq(red) 
queue dns_out priority 5 
queue tcp_ack_out priority 6 

altq on $int_if cbq bandwidth 510Kb queue { std_in, ssh_im_in, dns_in, bob_in } 
queue std_in cbq(default) 
queue ssh_im_in priority 4 
queue dns_in priority 5 

nat on $ext_if from $int_if/24 to any -> $ext_if 

rdr on $ext_if proto tcp from any to $ext_if port 4000:4005 -> 192.168.0.6 
rdr on $ext_if proto tcp from any to $ext_if port 1551 -> 192.168.0.6 
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.6 
rdr on $ext_if proto tcp from any to $ext_if port 416 -> 192.168.0.6 
rdr on $ext_if proto udp from any to $ext_if port 416 -> 192.168.0.6 

block in on $ext_if all 

block out on $ext_if all 
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \ 
keep state queue(std_out, tcp_ack_out) 
pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state 
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \ 
keep state queue dns_out 
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports \ 
flags S/SA keep state queue(std_out, ssh_im_out) 
pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports \ 
flags S/SA keep state queue(ssh_im_out, tcp_ack_out) 

block in on $int_if all 
pass in on $int_if from $local_net 

block out on $int_if all 
pass out on $int_if from any to $local_net 
pass out on $int_if proto { tcp udp } from any port domain to $local_net \ 
queue dns_in 
pass out on $int_if proto tcp from any port $ssh_ports to $local_net \ 
queue(std_in, ssh_im_in) 
pass out on $int_if proto tcp from any port $im_ports to $local_net \ 
queue ssh_im_in 
--- 

All I want to achieve with this configuration is ssh output with no lag. 
I'm using an ADSL 512/128 connection, and I would like to be able 
to connect to external SSH ports with no delays. 
When I'm uploading a file from my local computer (192.168.0.6) to a 
host on the Internet, e.g. 212.160.150.190, my ssh connection to e.g. 212.140.158.190 becomes lagged. 

According to the rules, it should work without any delays? 
Maybe I'm wrong, is it possible to achieve this? 

PS. I'm using pf+altq merged for FreeBSD 5.1 Release. 

Rules are being loaded with no errors, packets are being counted properly. 

Maybe you could provide me with the simplest ssh + tcp ack highest priority config? 
I've spent a few weeks trying to solve this problem. 

Thanks!
Rob
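
A consistency check for the queue names in a ruleset like the one posted above, as an added example that is not part of the original message: it reports queues named in an altq child list that have no queue definition, and queues assigned in filter rules that are never defined. The function names and the embedded sample (the altq/queue lines and two rules copied from the post) are assumptions of this example.

```python
import re

# Constructed sample: altq/queue lines and two filter rules copied from the post.
SAMPLE = r"""
altq on $ext_if priq bandwidth 100Kb queue { std_out, ssh_im_out, dns_out, \
tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
altq on $int_if cbq bandwidth 510Kb queue { std_in, ssh_im_in, dns_in, bob_in }
queue std_in cbq(default)
queue ssh_im_in priority 4
queue dns_in priority 5
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
keep state queue(std_out, tcp_ack_out)
pass out on $int_if proto { tcp udp } from any port domain to $local_net \
queue dns_in
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def names(chunk):
    """Split a comma/space separated queue list into a set of names."""
    return {n for n in re.split(r"[,\s]+", chunk) if n}

def audit_queues(text):
    """Return (listed_but_undefined, assigned_but_undefined) queue names."""
    listed, defined, assigned = set(), set(), set()
    for line in logical_lines(text):
        if line.startswith(("altq ", "queue ")):
            if line.startswith("queue "):
                defined.add(line.split()[1])
            # child list in braces on an altq line or a parent queue line
            for m in re.finditer(r"\{([^}]*)\}", line):
                listed |= names(m.group(1))
        else:
            # rule assignment: "queue name" or "queue(name, second_name)"
            for m in re.finditer(r"\bqueue(?:\s*\(([^)]*)\)|\s+(\w+))", line):
                assigned |= names(m.group(1) or m.group(2))
    return listed - defined, assigned - defined

if __name__ == "__main__":
    print(audit_queues(SAMPLE))
```

On the posted lines the first set contains bob_in, which the altq on $int_if line lists but no queue line defines.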



