PF + ALTQ - Bandwidth per customer

Александр Шевченко alexander.shevchenko at itv.ru
Tue Dec 2 02:30:26 PST 2008


Using ipfw+dummynet you could easily limit bandwidth per ip:

$IPFW pipe 4 config bw 50KByte/s mask dst-ip 0x000003ff
$IPFW pipe 7 config bw 50KByte/s mask src-ip 0x000003ff
$IPFW add pipe 4 ip from any to 172.16.16.0/22 via fxp0 in
$IPFW add pipe 7 ip from 172.16.16.0/22 to any via fxp0 out


Using pf+altq you could easily limit bandwidth for all clients:

altq on $int_if cbq bandwidth 1000Mb queue { powernet_local, powernet_inet }
queue powernet_local bandwidth 95% cbq(default)
queue powernet_inet bandwidth 40Mb

pass out on $int_if from <neighbors_net> to <internal_net> queue powernet_local
pass out on $int_if from !<neighbors_net> to <internal_net> queue powernet_inet

But you could not limit bandwidth per ip using PF.

Ryan McBride wrote in bit.listserv.openbsd-pf
(http://groups.google.com/group/bit.listserv.openbsd-pf/msg/512d1eba9683cea6?hl=ru&dmode=source)

> P.S. By the way, no chance to shaping like ipfw(dummynet), by getting
> mask for all ip addresses? It's the last reason to stay with ipfw:

No, there is nothing like this in PF right now. It's on my list of
things to look at, but that list grows faster than I can get things
done...
 
-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On
Behalf Of Andrei Kolu
Sent: Tuesday, December 02, 2008 11:42 AM
To: Peter Jeremy; freebsd-pf at freebsd.org; freebsd-isp at freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

ipfw+dummynet is a really ugly traffic "shaper" (let's face it, there is no 
shaping going on), because instead of limiting bandwidth it will drop 
packets to simulate a bad connection. I have heard for many years about the 
"trivial" configuration of a per-user bandwidth limit with pf+altq but never 
saw ANY code... You can't set a bandwidth limit with PF like 3Mbit per 100 
clients if your lan card is 100Mbit. This is just lame: in reality clients 
never use all bandwidth and never all clients are connected all the time. 
Even Linux ipfilter has done it for years with an insane cryptic commandline 
but it just works.
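
Added example, not part of the thread and not from either poster: a small Python model of how the dummynet pipe mask in the ipfw rules at the top (mask dst-ip 0x000003ff on 172.16.16.0/22) turns one pipe definition into one dynamic pipe per address, and a check for a mask that is too narrow for the network. The function names and the 0x000000ff comparison mask are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


def flow_key(ip: str, mask: int) -> int:
    """Bits of the address that remain after the pipe mask is applied.
    Packets with the same key land in the same dynamic pipe."""
    return int(ipaddress.IPv4Address(ip)) & mask


def pipes_for(network: str, mask: int) -> dict:
    """Group every address of `network` by its masked key."""
    groups = defaultdict(list)
    for addr in ipaddress.IPv4Network(network):
        groups[int(addr) & mask].append(str(addr))
    return dict(groups)


def sharing_report(network: str, mask: int) -> tuple:
    """Return (number of dynamic pipes, most addresses sharing one pipe).
    A second value above 1 means several customers split one bw limit."""
    groups = pipes_for(network, mask)
    return len(groups), max(len(v) for v in groups.values())


if __name__ == "__main__":
    net = "172.16.16.0/22"          # network from the ipfw rules above
    for mask in (0x000003FF,        # mask from the ipfw rules above
                 0x000000FF):       # constructed: too narrow for a /22
        pipes, worst = sharing_report(net, mask)
        print(f"mask {mask:#010x}: {pipes} pipes, "
              f"up to {worst} address(es) per 50KByte/s pipe")
```

A /22 has 10 host bits, which is exactly what 0x000003ff keeps, so every address in the range gets its own 50KByte/s pipe; with the narrower mask, four addresses would share each pipe.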


