PF + ALTQ - Bandwidth per customer

eculp eculp at encontacto.net
Fri Feb 13 02:52:37 PST 2009


Quoting Tom Uffner <tom at uffner.com>:

> eculp wrote:
>> Thanks for responding.  As I read your answer and my question.  I'm  
>> pretty sure that I probably didn't ask the question properly.  What  
>> I need to do is be intermediary between my upstream ISP's and my  
>> customers and would like to control the bandwidth hogs.
>>
>> Basically, I want certain outgoing traffic based on port to go to  
>> ISP1 and all other, not blocked, ports to go to the other while  
>> limiting the available internal bandwidth to each downstream client  
>> say to 64k, and if borrowing is possible when traffic is low,  
>> great.  I did something like this with IPFW and dummynet maybe 6 or  
>> more years ago and as I remember, worked and solved an immediate  
>> problem of downstream demand not being distributed adequately or  
>> equitably.  The major differences were connection speed and there  
>> was only one isp.
>
> assuming that your BSD firewall/router has separate interfaces connected to
> each ISP, you can do the outgoing part of what you want several ways in pf,
> with or without using altq. you could write pass...route-to rules similar to
> the ones at http://www.openbsd.org/faq/pf/pools.html match the traffic you
> want to go out through each ISP, or you could tag the traffic on the way in
> your inside interface and use the tags to assign it to an altq queue for the
> proper outbound interface.
>
> as for rationing bandwidth to your downstream clients, there are several
> reasons why it doesn't make sense, and/or why altq is not the best tool,
> but it is possible.
>
> first, the objections:
>
> as many people have pointed out in this & other altq threads, altq has no
> convenient way of splitting bandwidth by IP like dummynet. you have to
> create a queue and a filter rule per address by hand which is tedious and
> increasingly inefficient as the number of clients grows.
>
> your lan border is the wrong place to try to fight bandwidth-hogs because
> they have already hogged the bandwidth on the small pipe from your provider
> and it is not really useful to limit them to a trickle in the much larger
> pipe that is your lan.
>
> if possible, it would be much better to convince your ISP(s) to let you
> co-locate a BSD appliance to queue the traffic at their end of your WAN
> link(s) where it will do much more good.
>
> also there are a few outstanding PRs on altq at this time:  
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-pf/20090208.freebsd-pf
>
> but if you choose to, the way to do it is to create an altq on your inside
> interface using cbq, borrow, and bandwidth equal to the sum of your ISP
> connections, then set up either a subqueue for each client, or subqueues
> for each class of service, and subqueues of those for the clients.
>
> i've seen some mentions that it is possible to use dummynet w/ pf. I have
> no idea how, but if true it might be a better option for you.
>

Tom, thanks for confirming all that I had hoped was not true;)  I'm  
going to look a bit closer at using dummynet with altq or just go back  
to IPFW.

Thanks again,

ed
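The recipe Tom sketches above (cbq with borrow on the inside interface, parent bandwidth equal to the sum of the ISP links, one subqueue per client, and route-to rules per the PF FAQ for steering certain ports out ISP1) written out as a pf.conf fragment. This is an added example, not configuration from anyone in the thread; interface names, addresses, gateway addresses, the port list and the bandwidth figures are placeholders chosen for illustration, and it targets the FreeBSD 7-era pf/ALTQ syntax in use when the thread was written.

```pf
# Added example (not from the thread): FreeBSD router with two ISP links and a
# per-client download cap queued on the inside interface. Kernel needs
# "options ALTQ" and "options ALTQ_CBQ". Every value below is a placeholder.

int_if  = "em0"                 # LAN side
ext_if1 = "em1"                 # ISP1
ext_if2 = "em2"                 # ISP2
isp1_gw = "203.0.113.1"         # placeholder: next hop on ISP1
isp2_gw = "198.51.100.1"        # placeholder: next hop on ISP2
lan_net = "192.168.1.0/24"
isp1_ports = "{ 25, 110, 143 }" # assumed: ports that must leave via ISP1
client_a = "192.168.1.10"       # placeholder downstream clients
client_b = "192.168.1.11"

# Queues go on the inside interface because that is where traffic heading
# toward the clients leaves the router. Parent = ISP1 (2Mb) + ISP2 (1Mb).
# Each client is guaranteed 64Kb and may borrow from the parent when it is
# idle. cbq requires one queue marked default.
altq on $int_if cbq bandwidth 3Mb queue { q_a, q_b, q_rest }
queue q_a    bandwidth 64Kb cbq(borrow)
queue q_b    bandwidth 64Kb cbq(borrow)
queue q_rest bandwidth 64Kb cbq(default borrow)

set skip on lo0
scrub in all

nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block log all
pass out on { $ext_if1 $ext_if2 } keep state

# Per-client rules. The queue is named on the rule that creates the state:
# reply packets going back out $int_if are matched against that state and
# take its queue, so a separate "pass out on $int_if ... queue" rule would
# never be consulted for them. q_a/q_b exist only on $int_if, so on the
# ISP-facing interfaces the same packets simply are not ALTQ-classified.
# This is the hand-written rule pair per address that Tom calls tedious:
# first the ISP1 ports (quick), then everything else via ISP2.
pass in quick on $int_if route-to ($ext_if1 $isp1_gw) proto tcp \
    from $client_a to any port $isp1_ports keep state queue q_a
pass in quick on $int_if route-to ($ext_if2 $isp2_gw) \
    from $client_a to any keep state queue q_a
pass in quick on $int_if route-to ($ext_if1 $isp1_gw) proto tcp \
    from $client_b to any port $isp1_ports keep state queue q_b
pass in quick on $int_if route-to ($ext_if2 $isp2_gw) \
    from $client_b to any keep state queue q_b

# Any other LAN host shares the default queue and goes out ISP2.
pass in quick on $int_if route-to ($ext_if2 $isp2_gw) \
    from $lan_net to any keep state queue q_rest

# Replies for connections that arrived on one ISP link leave on that same
# link, as in the multi-WAN recipe at the PF FAQ page Tom links to.
pass out on $ext_if1 route-to ($ext_if2 $isp2_gw) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $isp1_gw) from ($ext_if1) to any
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then watch the per-client queues fill with `pfctl -vvs queue`; the borrow counters there show whether clients are actually lending idle bandwidth to each other. Note the limitation Tom raises: this only shapes what each client receives on the LAN side after the packets have already crossed the ISP links, and the rule count grows by two lines per client.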
