Newbie question - Both Ingress & Egress traffic shaping on WAN link needed ?

John Mok jmok at attglobal.net
Wed Apr 25 15:26:13 UTC 2007


Hi,

I have a newbie question. I would like to shape the traffic between the 
local subnet and the WAN link (e.g. Frame Relay or ATM) of the company's 
private network. The bandwidth of the WAN link is only 512Kbps, and the 
bandwidth of the local subnet is 100Mbps.

Uplink router ----WAN link 512K---- Downlink router --- local subnet
 (HQ subnet)                        (local subnet)

I would like to deploy a FreeBSD bridge + PF between the downlink router 
and the main switch of the local subnet, such that the chance of network 
congestion on the WAN link / uplink router is kept to a minimum and the 
interactive applications (e.g. Internet proxy access, or mail client) 
become more responsive:

altq on $bridge_if hfsc bandwidth 512Kb queue { icmp, dns, mail, other }
....
queue icmp hfsc(linkshare 2Kb upperlimit 4Kb) { icmp_in, icmp_out }
queue dns hfsc(linkshare 4Kb upperlimit 8Kb) { dns_in, dns_out }
queue mail hfsc(linkshare 250Kb) { mail_in, mail_out }
queue other hfsc(default) { other_in, other_out }
....
queue icmp_in priority 10 priq(red)
queue icmp_out priority 5 priq(red)
queue dns_in priority 10 priq(red)
queue dns_out priority 5 priq(red)
queue mail_in priority 10 priq(red)
queue mail_out priority 5 priq(red)
....
pass out quick on $bridge_if inet proto icmp from $int_net to any queue icmp_out
pass out quick on $bridge_if inet proto icmp from !$int_net to any queue icmp_in
pass out quick on $bridge_if inet proto { tcp, udp } from $int_net to any port 53 queue dns_out
pass out quick on $bridge_if inet proto { tcp, udp } from !$int_net to any port 53 queue dns_in
pass out quick on $bridge_if inet proto { tcp, udp } from $int_net to any port { 25, 109, 110, 143, 220, 995 } queue mail_out
pass out quick on $bridge_if inet proto { tcp, udp } from !$int_net to any port { 25, 109, 110, 143, 220, 995 } queue mail_in
....

My question is whether it is necessary to account for the incoming 
traffic in the queue, such that the outgoing traffic could give way to 
the incoming traffic. For example, the smtp gateway could utilize the 
full 512Kb to deliver the mails to the local mail server, rather than 
having it used by the file sharing traffic. In that situation, without 
accounting for the incoming traffic as above and only shaping the outgoing 
traffic (i.e. with the incoming traffic almost completely discarded), would 
it cause network congestion on the uplink router when someone shares the 
bandwidth for file copying?

Thanks a lot.

John Mok
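One way to give each direction its own queue hierarchy, added here as an example and not taken from John's post: ALTQ only queues packets as they leave an interface, so on a two-port bridge the WAN-bound traffic can be queued on the member cabled to the downlink router and the WAN-originated traffic on the member cabled to the switch, each against the 512Kb the link actually has. The macros $wan_side, $lan_side, $int_net and $mail_ports are assumed names.

```pf
# Added example, not from the original post. Assumed macros:
#   $wan_side - bridge member cabled to the downlink router
#   $lan_side - bridge member cabled to the main switch
#   $int_net  - the local subnet
# ALTQ queues only packets leaving an interface, so each bridge member
# carries its own 512Kb hierarchy: $wan_side for traffic towards the WAN,
# $lan_side for traffic arriving from it. Child bandwidths sum to 512Kb.

mail_ports = "{ 25, 109, 110, 143, 220, 995 }"

# Towards the WAN (outgoing direction)
altq on $wan_side hfsc bandwidth 512Kb queue { icmp_out, dns_out, mail_out, other_out }
queue icmp_out  bandwidth 2Kb   hfsc(upperlimit 4Kb)
queue dns_out   bandwidth 4Kb   hfsc(upperlimit 8Kb)
queue mail_out  bandwidth 250Kb hfsc(red)
queue other_out bandwidth 256Kb hfsc(default)

# From the WAN (incoming direction), queued as it leaves towards the switch
altq on $lan_side hfsc bandwidth 512Kb queue { icmp_in, dns_in, mail_in, other_in }
queue icmp_in  bandwidth 2Kb   hfsc(upperlimit 4Kb)
queue dns_in   bandwidth 4Kb   hfsc(upperlimit 8Kb)
queue mail_in  bandwidth 250Kb hfsc(red)
queue other_in bandwidth 256Kb hfsc(default)

# Outgoing: packets leaving the bridge on the router-facing member
pass out quick on $wan_side inet proto icmp from $int_net to any queue icmp_out
pass out quick on $wan_side inet proto { tcp, udp } from $int_net to any port 53 queue dns_out
pass out quick on $wan_side inet proto tcp from $int_net to any port $mail_ports queue mail_out
pass out quick on $wan_side inet from $int_net to any queue other_out

# Incoming: packets leaving the bridge on the switch-facing member.
# DNS and mail replies carry the service port as their source port, while
# mail delivered to the local mail server carries it as the destination.
pass out quick on $lan_side inet proto icmp from any to $int_net queue icmp_in
pass out quick on $lan_side inet proto { tcp, udp } from any port 53 to $int_net queue dns_in
pass out quick on $lan_side inet proto tcp from any port $mail_ports to $int_net queue mail_in
pass out quick on $lan_side inet proto tcp from any to $int_net port $mail_ports queue mail_in
pass out quick on $lan_side inet from any to $int_net queue other_in
```

For the rules on the member interfaces to see bridged packets at all, the FreeBSD sysctl net.link.bridge.pfil_member must be 1 (its default); pfctl -vsq then shows per-queue packet and drop counters, which is the quickest way to confirm that traffic from the WAN is really landing in the _in queues rather than falling through to other_in.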