PF + ALTQ - Bandwidth per customer

Thu Feb 12 23:58:01 PST 2009

eculp wrote:
> Thanks for responding.  As I read your answer and my question.  I'm 
> pretty sure that I probably didn't ask the question properly.  What I 
> need to do is be intermediary between my upstream ISP's and my customers 
> and would like to control the bandwidth hogs.
> 
> Basically, I want certain outgoing traffic based on port to go to ISP1 
> and all other, not blocked, ports to go to the other while limiting the 
> available internal bandwidth to each downstream client say to 64k if  
> and if borrowing is possible when traffic is low, great.  I did 
> something like this with IPFW and dummynet maybe 6 or more years ago and 
> as I remember, worked and solved an immediate problem of downstream 
> demand not being distributed adequately or equitably.  The major 
> differences were connection speed and there was only one isp.

assuming that your BSD firewall/router has separate interfaces connected to
each ISP, you can do the outgoing part of what you want several ways in pf,
with or without using altq. you could write pass...route-to rules similar to
the ones at http://www.openbsd.org/faq/pf/pools.html match the traffic you
want to go out through each ISP, or you could tag the traffic on the way in
your inside interface and use the tags to assign it to an altq queue for the
proper outbound interface.

as for rationing bandwidth to your downstream clients, there are several
reasons why it doesn't make sense, and/or why altq is not the best tool,
but it is possible.

first, the objections:

as many people have pointed out in this & other altq threads, altq has no
convenient way of splitting bandwidth by IP like dummynet. you have to
create a queue and a filter rule per address by hand which is tedious and
increasingly inefficient as the number of clients grows.

your lan border is the wrong place to try to fight bandwidth-hogs because
they have already hogged the bandwidth on the small pipe from your provider
and it is not really useful to limit them to a trickle in the much larger
pipe that is your lan.

if possible, it would be much better to convince your ISP(s) to let you
co-locate a BSD appliance to queue the traffic at their end of your WAN
link(s) where it will do much more good.

also there are a few outstanding PRs on altq at this time: 
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-pf/20090208.freebsd-pf

but if you choose to, the way to do it is to create an altq on your inside
interface using cbq, borrow, and bandwidth equal to the sum of your ISP
connections, then set up either a subqueue for each client, or subqueues
for each class of service, and subqueues of those for the clients.

i've seen some mentions that it is possible to use dummynet w/ pf. if have
no idea how, but if true it might be a better option for you.