pf.conf + altq problem

Volker volker at vwsoft.com
Thu Nov 9 13:57:38 UTC 2006


On 37378-12-23 20:59, Muhammad Reza wrote:
> It still does not work with the pass in rule.
> 
> Additional info, with this rule set:
> 
> altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
> queue int_out       bandwidth 3Mb
> queue dflt_out      bandwidth  16Kb cbq (default)
> 
> altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
> queue int_in       bandwidth 3Mb
> queue dflt_in      bandwidth 16Kb cbq (default)
> 
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep  state flags S/SA queue (int_out)
> pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in)
> 
> If I only enable altq on one interface (xl1 or xl2), the traffic
> limitation that I want can be done.
> 
> Is there something that can be done with ALTQ and PF, or is my rule
> bad?
> 
> Please help me...
> 
> 
>> Try these rules:
>> pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep  state flags S/SA queue (int_out)
>> pass in log on xl2 from 172.16.0.228 to 202.57.14.1 keep  state flags S/SA queue (int_in)
>>
>> Gilberto
>>
>>
>> 2006/11/6, Muhammad Reza <beastie at mra.co.id>:
>>> Dear All.
>>>
>>> I started with a simple rule set on my pf bridge machine to limit
>>> bandwidth to 3Mbps from my server on the LAN to the internet and from
>>> the internet to my server on the LAN.
>>> This is my setup:
>>>
>>> Internet ---xl1 xl2---LAN
>>>
>>> and my pf.conf:
>>>
>>> lan="172.16.0.0/24"
>>> #ALTQ at outgoing interface to limit traffic 3 MBps from lan to internet
>>> altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
>>> queue int_out       bandwidth 3Mb
>>> queue dflt_out      bandwidth  16Kb cbq (default)
>>> #ALTQ at lan interface to limit traffic 3 MBps from internet to lan
>>> altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
>>> queue int_in       bandwidth 3Mb   cbq (default)
>>> queue dflt_in      bandwidth  16Kb
>>>
>>> block on xl1
>>> pass in on xl1  from any to $lan
>>> pass out on xl1 from $lan to any
>>> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep  state flags S/SA queue (int_out)
>>>
>>> block on xl2
>>> pass in on xl2 from $lan to any keep state
>>> pass out on xl2  from any to $lan  keep state
>>> #pass  out  log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in)
>>>
>>> I have done some tests with iperf with no luck.
>>> Is there something wrong with this rule set for accomplishing my need?
>>> Please help.
>>>
>>> Regards
>>> Reza

Reza,

you're really using just one queue:

> block on xl1
> pass in on xl1  from any to $lan
> pass out on xl1 from $lan to any
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep  state flags S/SA queue (int_out)

As $lan is 172.16/24, rule number 3 (which goes to queue dflt_out)
catches all the packets you're wanting for queue int_out.

HTH,

Volker

