FreeBSD ALTQ + PF Problem

Shane James shane at virtek.co.za
Sun Nov 14 08:27:58 PST 2004


Sorry about that one, here is my current rule set.. it's small as I'm just 
trying to get it to work, for now.

# Macros
uplink_if="sis0" # External Interface
hosting_if="rl0" # Internal Interface
access_if="rl1" # Access Network

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization
scrub in all

# ALTQ
altq on $uplink_if bandwidth 10Mb hfsc queue { dflt_u, argon_u }
queue argon_u bandwidth 32Kb hfsc(realtime 64Kb upperlimit 64Kb)
queue dflt_u hfsc(default upperlimit 128Kb)

altq on $hosting_if bandwidth 10Mb hfsc queue { dflt_d, argon_d }
queue argon_d bandwidth 32Kb hfsc(realtime 64Kb upperlimit 64Kb)
queue dflt_d hfsc(default upperlimit 128Kb)

# argon.virtek.co.za
pass out on $uplink_if from 196.23.168.137 to any keep state queue argon_u
pass out on $hosting_if from any to 196.23.168.137 keep state queue argon_d
block in on $uplink_if proto tcp from any to 196.23.168.137 port 22


On Saturday 13 November 2004 21:58, Shane James wrote:
> Hey guys,
>
> I'm having a problem with pf + altq on FreeBSD 5.2.1 (FreeBSD
> uplink-rtr-jhb.virtek.co.za 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #1:
> Sat Nov 13 15:59:38 SAST 2004
> root at uplink-rtr-jhb.virtek.co.za:/usr/src/sys.altq/i386/compile/UPLINK
> i386)
>
> The traffic I assign to queues does not get limited according to the
> specific limit; it only gets limited by the global bandwidth limit
> assigned to the specific NIC.
> E.g. I assign traffic to a queue (argon_d) which is limited to 128Kb... but
> it performs at 256Kb, which is what the NIC is set to, therefore not being
> assigned to its designated queue. Is it at all possible that this is a
> problem perhaps with my network cards... if not... any suggestions?
>
> pf.conf
>
> altq on $uplink_if bandwidth 256Kb hfsc queue { dflt_u, argon_u }
> queue argon_u hfsc(realtime 64Kb upperlimit 64Kb)
> queue dflt_u hfsc(default upperlimit 128Kb)
>
> altq on $hosting_if bandwidth 256Kb hfsc queue { dflt_d, argon_d }
> queue argon_d hfsc(realtime 64Kb upperlimit 64Kb)
> queue dflt_d hfsc(default upperlimit 128Kb)
>
> #assign argon traffic
> pass out on $uplink_if from 196.23.168.137 to any keep state queue argon_u
> pass out on $hosting_if from any to 196.23.168.137 keep state queue argon_d

I assume that is not your *complete* ruleset?!? Can everybody please post
complete rulesets when asking for help? It is okay to emphasize the parts
that you think are important as it will help to understand the problem, but
giving advice or debugging is impossible without the complete ruleset.

Other than that, what does "$pfctl -vvsq" tell you? Does it show that
traffic is being assigned to the small queue at all?

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
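
One way to run the check asked for above, as an added example that is not part of the original thread: it reads queue statistics in the layout pfctl prints and names the leaf queues that have counted no packets. The sample output is constructed (queue names from the ruleset above, counter values made up), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: summarise per-queue counters from
# `pfctl -vsq`-style text on stdin and name the leaf queues that saw no packets.

# Constructed sample in the layout pfctl prints for HFSC queues. Queue names
# come from the ruleset above; every counter value is made up.
sample_output() {
cat <<'EOF'
queue root_sis0 bandwidth 10Mb priority 0 hfsc( upperlimit 10Mb ) {dflt_u, argon_u}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  argon_u bandwidth 32Kb hfsc( realtime 64Kb upperlimit 64Kb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  dflt_u hfsc( default upperlimit 128Kb )
  [ pkts:       4821  bytes:    3910442  dropped pkts:     12 bytes:  17040 ]
  [ qlength:   3/ 50 ]
EOF
}

# Print "name pkts dropped_pkts" for each leaf queue.
queue_counters() {
    awk '
        # Header: "queue <name> ..."; a {child, list} marks a parent queue.
        $1 == "queue" { name = $2; parent = (index($0, "{") > 0); next }
        # Counters: "[ pkts: N bytes: N dropped pkts: N bytes: N ]"
        $1 == "[" && $2 == "pkts:" && !parent { print name, $3 + 0, $8 + 0 }
    '
}

# Leaf queues with a zero packet count: nothing has been assigned to them.
idle_queues() {
    queue_counters | awk '$2 == 0 { print $1 }'
}

# Demo on the constructed sample. On the router itself: pfctl -vsq | idle_queues
sample_output | idle_queues
```

A queue that stays listed here while the default queue keeps counting packets is receiving no traffic from its pass rule.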


