PF+ALTQ - how not to share bandwidth

Владимир Капустин msgs_for_me at mail.ru
Mon Jan 22 15:04:40 UTC 2007


Hi all!

I want to make a list of rules for my local-network gateway, and I decided to use PF for its tables, so as not to generate as many rules as there are users.

Here is part of my pfctl -s all output:


TRANSLATION RULES:
nat on xl0 inet from <not_shape> to any -> 192.168.1.21
nat on xl0 inet from <shape_64> to any -> 192.168.1.21
nat on xl0 inet from <shape_128> to any -> 192.168.1.21
nat on xl0 inet from <shape_256> to any -> 192.168.1.21

FILTER RULES:
anchor "real_ip" all
block drop on xl0 all
block drop on rl0 all
pass quick on lo0 all
pass inet from any to 192.168.0.2 queue shape_256_in
pass inet from any to 192.168.0.3 queue shape_256_in
pass inet from 192.168.0.2 to any queue shape_256_out
pass inet from 192.168.0.3 to any queue shape_256_out
pass quick inet from 192.168.1.21 to any
pass quick inet from any to 192.168.1.21
pass in quick on rl0 inet proto tcp from <admins> to 192.168.1.21
pass in quick on rl0 inet proto udp from <admins> to 192.168.1.21
pass out quick on rl0 inet proto tcp from 192.168.1.21 to <admins>
pass out quick on rl0 inet proto udp from 192.168.1.21 to <admins>

ALTQ:
queue root_xl0 bandwidth 20Mb priority 0 cbq( wrr root ) {not_shape_out, shape_64_out, shape_128_out, shape_256_out}
queue  not_shape_out bandwidth 64Kb cbq( borrow default )
queue  shape_64_out bandwidth 64Kb
queue  shape_128_out bandwidth 128Kb
queue  shape_256_out bandwidth 256Kb
queue root_rl0 bandwidth 20Mb priority 0 cbq( wrr root ) {not_shape_in, shape_64_in, shape_128_in, shape_256_in}
queue  not_shape_in bandwidth 64Kb cbq( borrow default )
queue  shape_64_in bandwidth 64Kb
queue  shape_128_in bandwidth 128Kb
queue  shape_256_in bandwidth 256Kb

TABLES:
admins
not_shape
shape_128
shape_256
shape_64


I must say that this is a test configuration, and IP 192.168.1.21 is a stand-in for my future real Internet IP.

The question is:

My two local IPs { 192.168.0.2, 192.168.0.3 } share the same Internet channel, but I want each of them to have the same bandwidth (equal to the queue). What is the way to use the minimal number of rules and tables (as many as there are tariffs) and then apply these rules to all the users in the tables according to the tables' contents?

Here is part of my test pf.conf:

ext_if = "xl0"
int_if = "rl0"
LAN_IP = "192.168.0.1"
WAN_IP = "192.168.1.21"
table <admins> file "/pf/admins"
table <not_shape> file "/pf/not_shape"
table <shape_64> file "/pf/shape_64"
table <shape_128> file "/pf/shape_128"
table <shape_256> file "/pf/shape_256"
##
##      QUEUEING
##
altq on $ext_if cbq bandwidth 20Mb queue { not_shape_out, shape_64_out, shape_128_out, shape_256_out }
queue not_shape_out bandwidth 64Kb cbq(default borrow)
queue shape_64_out bandwidth 64Kb
queue shape_128_out bandwidth 128Kb
queue shape_256_out bandwidth 256Kb
altq on $int_if cbq bandwidth 20Mb queue { not_shape_in, shape_64_in, shape_128_in, shape_256_in }
queue not_shape_in bandwidth 64Kb cbq(default borrow)
queue shape_64_in bandwidth 64Kb
queue shape_128_in bandwidth 128Kb
queue shape_256_in bandwidth 256Kb
##
##      NAT
##
nat on $ext_if from { <not_shape>, <shape_64>, <shape_128>, <shape_256> } to any -> 192.168.1.21
anchor real_ip
##
##      Default DENY policy
##
block on { $ext_if, $int_if } all
##
##      Pass loopback
##
pass quick on lo0 all
##
##      Test rules
##
pass quick from 192.168.1.110 to any
pass quick from any to 192.168.1.110
pass from any to { 192.168.0.2 192.168.0.3 } queue shape_256_in
pass from { 192.168.0.2 192.168.0.3 } to any queue shape_256_out
pass quick from 192.168.1.21 to any
pass quick from any to 192.168.1.21
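An added example that is not part of the original post: an ALTQ queue is shared by every packet assigned to it, so with the configuration above both 192.168.0.2 and 192.168.0.3 compete for the single 256Kb of shape_256_out. The usual workaround is one child queue per host, and the rule count can still track the tariff files if the queue definitions and pass rules are generated from those files rather than written by hand. The POSIX sh script below is my own illustration of that: it assumes the table files hold one address per line with optional '#' comments, that each tariff is named as a FILE:RATE spec, and the q_<address>_<dir> queue names, the not_shape_<dir> default queue, and the function names are all my own choices.

```shell
#!/bin/sh
# Added example: emit pf.conf ALTQ fragments with one CBQ child queue per host,
# built from PF table files (one address per line, '#' comments allowed).
# Tariffs are passed as FILE:RATE, e.g. /pf/shape_256:256Kb (assumed layout).

# Print "ip rate" for every address in the given FILE:RATE specs.
hosts() {
    for spec in "$@"; do
        file=${spec%%:*}
        rate=${spec#*:}
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" |
        while read -r ip _; do
            printf '%s %s\n' "$ip" "$rate"
        done
    done
}

# Queue name for an address and direction, e.g. q_192_168_0_2_out.
# Dots are replaced with underscores; keep names short, PF limits their length.
qname() {
    printf 'q_%s_%s' "$(printf '%s' "$1" | tr '.' '_')" "$2"
}

# gen_altq IFACE DIR LINK_BW FILE:RATE...
# Emits the altq root line, a default queue, one child queue per host and the
# pass rule assigning that host's traffic to its own queue.
# DIR is "out" (queues live on the external interface, traffic from the host)
# or "in" (queues live on the internal interface, traffic to the host).
gen_altq() {
    iface=$1; dir=$2; linkbw=$3; shift 3

    # Child queue list for the root queue definition.
    names=$(hosts "$@" | while read -r ip rate; do
        printf ', %s' "$(qname "$ip" "$dir")"
    done)
    printf 'altq on %s cbq bandwidth %s queue { not_shape_%s%s }\n' \
        "$iface" "$linkbw" "$dir" "$names"
    # Every interface with altq needs exactly one default queue.
    printf 'queue not_shape_%s bandwidth 64Kb cbq(default borrow)\n' "$dir"

    # One hard-capped (no borrow) queue per host at its tariff rate.
    hosts "$@" | while read -r ip rate; do
        printf 'queue %s bandwidth %s\n' "$(qname "$ip" "$dir")" "$rate"
    done

    # Direction-less rules as in the original pf.conf; the queue only takes
    # effect on the interface where that queue is defined.
    hosts "$@" | while read -r ip rate; do
        q=$(qname "$ip" "$dir")
        if [ "$dir" = out ]; then
            printf 'pass from %s to any keep state queue %s\n' "$ip" "$q"
        else
            printf 'pass from any to %s keep state queue %s\n' "$ip" "$q"
        fi
    done
}

# "sh gen_queues.sh run" prints fragments for the two interfaces and the three
# tariff files from the post (paths assumed to exist as in the original pf.conf).
case "${1:-}" in
run)
    gen_altq xl0 out 20Mb /pf/shape_64:64Kb /pf/shape_128:128Kb /pf/shape_256:256Kb
    gen_altq rl0 in  20Mb /pf/shape_64:64Kb /pf/shape_128:128Kb /pf/shape_256:256Kb
    ;;
esac
```

Check the generated file with pfctl -nf before loading it: CBQ refuses a configuration where the sum of the child queues' bandwidth exceeds the parent, so with many hosts on 256Kb tariffs the 20Mb root is the real ceiling on how many queues this can hold.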



More information about the freebsd-pf mailing list