Traffic shaping incoming traffic for all vlans

Ian FREISLICH ian.freislich at capeaugusta.com
Thu May 19 15:26:05 UTC 2016


On 05/19/16 05:48, Radek Krejča wrote:
> I have a freebsd router with pf for NAT and firewall. There are 2 NICs, one for incoming traffic from the internet and a second for traffic to clients. On the internal NIC are a lot of vlans.
>
> I need to make traffic shaping for all users based on src ip from the internet. But I have a problem, it doesn't work.
>
> Working rule for block all traffic is:
>
> block quick proto { tcp, udp } from 192.168.52.0/24 
>
> but the same rule with the external NIC doesn't match: block quick on $ext_if proto { tcp, udp } from 192.168.52.0/24
> Why?
Remember that with PF the *last* rule to match wins and that the state
table is checked *before* rules are evaluated.  If there is a state,
rules won't be checked.  If there is a later rule that allows the
traffic that rule will be used.  The quick modifier prevents further
evaluation of rules, but if you're using quick all over the place
perhaps an earlier rule allows the traffic.  Unless you set
'state-policy if-bound' the default state-policy of floating will apply
and then any rule that matches allowing traffic into an interface will
result in matching state that will allow the traffic out of another
interface without the rules being checked.
> And second problem - how to set up (on which interface) altq queues?

The trouble with pf's bandwidth management is that it relies on state to
apply traffic flows to a queue.  While this is nice in some respects
I've always had trouble implementing traffic rates in specific
directions.  What happens is that you can only assign a rate to a class
of traffic, i.e. www gets 10Mbps total for traffic in both directions.  In
the end I used PF for packet filtering and ipfw + dummynet for bandwidth
management.

I'd suggest carefully reading the 'QUEUEING' section in pf.conf(5) and
if you can't make it work post your rules.

Ian

-- 
Ian Freislich
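The points raised above (last match wins, state is checked before the ruleset, floating vs. if-bound states, and which interface an altq queue belongs on) are easier to see in a concrete ruleset. The fragment below is an added example in pf.conf syntax and is not the poster's configuration or anything from the thread; the interface names em0 and vlan52, the subnet 192.168.52.0/24, the <blocked> table, the VLAN52 tag and all bandwidth figures are assumptions. Two further pf facts it leans on: ALTQ only shapes packets leaving an interface, and translation is applied before filtering, so a rule on $ext_if that names the private source address never matches the NATed outbound packets.

```conf
# Added example pf.conf fragment for the setup described in the thread; it is
# not the poster's ruleset. Interface names, the VLAN, the subnet, the
# <blocked> table, the tag and all rates are assumptions.
ext_if  = "em0"               # NIC facing the internet
int_if  = "vlan52"            # one client VLAN on the internal NIC
clients = "192.168.52.0/24"   # clients behind that VLAN
table <blocked> { 192.168.52.10 }   # hosts to cut off (assumed address)

set skip on lo0

# Bind states to the interface they were created on. With the default
# "floating" policy a state created by a pass rule on $int_if also matches
# the same flow on $ext_if, so the $ext_if rules are never evaluated.
set state-policy if-bound

# ALTQ shapes packets *leaving* an interface. Traffic from the internet to
# the clients leaves on the VLAN interface, so the download queues are
# defined there; uploads leave on $ext_if, so the upload queues live there.
altq on $int_if cbq bandwidth 100Mb queue { dl_default, dl_limited }
  queue dl_default bandwidth 90Mb cbq(default)
  queue dl_limited bandwidth 10Mb
altq on $ext_if cbq bandwidth 20Mb queue { ul_default, ul_limited }
  queue ul_default bandwidth 18Mb cbq(default)
  queue ul_limited bandwidth 2Mb

# Translation runs before filtering, so a filter rule on $ext_if with
# "from 192.168.52.0/24" never sees the outbound packets: by the time they
# are filtered on $ext_if their source is already the address of $ext_if.
nat on $ext_if from $clients to any -> ($ext_if)

# Last matching rule wins unless "quick" is given: the catch-all goes first.
block log all

# Filter on the untranslated source where it is still visible: inbound on
# the VLAN interface. "quick" ends evaluation, so the pass rules below
# cannot override this.
block quick in on $int_if proto { tcp, udp } from <blocked> to any

# Queue assignment rides on the state. The state created here is bound to
# $int_if, so replies leaving $int_if are placed in dl_limited. The packets
# leaving $ext_if are matched by the next rule instead; the tag survives
# NAT, so that rule can still recognise this VLAN's traffic.
pass in  on $int_if proto { tcp, udp } from $clients to any \
    keep state tag VLAN52 queue dl_limited
pass out on $ext_if proto { tcp, udp } tagged VLAN52 \
    keep state queue ul_limited

# Everything else leaving $ext_if takes that interface's default queue.
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch the per-queue counters with `pfctl -vsq` while generating traffic: if a queue named in a rule does not exist on the interface the packet leaves, the packet goes to that interface's default queue, which is why the download and upload limits are attached to the two separate, interface-bound states rather than to one rule. ALTQ also needs a kernel built with the ALTQ options (options ALTQ and ALTQ_CBQ here; GENERIC does not include them) and a driver that supports it; altq(4) lists which do.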

