TOPIC: ALTQ and PF

ALTQ and PF 11 years 8 months ago #6805

  • ReX
I am trying to set up my OpenBSD firewall to do some traffic shaping and prioritization. I would like to be able to download something and still use my phone (VoIP). I have 3 Mb download but only 256Kb upload so the phone cuts out like a bad cell connection if I have anything else going on. Any suggestions?

Re: ALTQ and PF 11 years 8 months ago #6806

  • nske
I would suggest first trying simply the priq scheduler to put VoIP traffic at top priority and the rest of the traffic at lower priority. In most cases that is sufficient for not so extreme traffic conditions. Still, if this is not enough in your case, you will have to use the cbq scheduler (which is more complicated and powerful) to place specific limits (i.e. set the minimum amount of bandwidth to be committed for VoIP traffic). There are some helpful examples in the PF User's Guide, Packet Queueing and Prioritization section.

Let us know of your progress :)
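A sketch of the priq setup suggested in the reply above, as an added example that is not part of the original thread or of the PF User's Guide. It uses the old ALTQ-era pf.conf syntax; the interface names, the phone's address, the queue names and the 254Kb figure are assumptions made for illustration.

```pf
# Added example (not from the thread). Assumed values:
#   em0 = external interface, em1 = internal interface,
#   192.168.2.200 = VoIP adapter, uplink of about 256Kb.
# Queue names q_voip, q_pri and q_def are hypothetical.
ext_if = "em0"
int_if = "em1"
voip   = "192.168.2.200"

# priq only orders packets by priority; it does not reserve bandwidth.
# The rate is set just under the assumed uplink so the backlog forms
# here, where it can be reordered, and not in the modem.
altq on $ext_if priq bandwidth 254Kb queue { q_voip, q_pri, q_def }
queue q_voip priority 7
queue q_pri  priority 5
queue q_def  priority 1 priq(default)

nat on $ext_if from $int_if:network to any -> ($ext_if)

block in on $ext_if all

# Classify on the internal interface, where the private source address
# is still visible. On $ext_if the source has already been rewritten by
# NAT, so "from $voip" would never match there.
# General LAN traffic: bulk data in q_def, empty TCP ACKs and low-delay
# ToS packets in q_pri.
pass in on $int_if from $int_if:network to any \
    keep state queue (q_def, q_pri)

# The last matching rule wins, so the phone's rule comes after the
# general one.
pass in on $int_if from $voip to any keep state queue q_voip

# No queue is named here, so the assignment made on $int_if is kept
# when the packet leaves through $ext_if.
pass out on $ext_if keep state
```

Loading the file with `pfctl -nf` parses it without applying it, and `pfctl -vsq` shows per-queue counters once it is live.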

Re: ALTQ and PF 11 years 7 months ago #6977

  • ReX
I have the rules mostly done; they need some fine tuning. I will try to get them posted soon. I think someone asked to see pf rules, and maybe I can get some suggestions on the tuning. They ended up a little more complicated than I originally thought :D

Re: ALTQ and PF 11 years 7 months ago #7001

  • ReX
For anyone interested, here are the rules I came up with. Any suggestions welcome, I'm still working on them.

[code:1]
#Macros
#interfaces
int_if = "em1"
ext_if = "em0"
dmz_if = "sis0"
#machines
desktop = "192.168.2.1"
web_serv = "192.168.2.2"
voip = "192.168.2.200"
#Tables
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <denied> persist file "/etc/denied"

#Options
#drop unwanted incoming packets
set block-policy drop
#Scrub
scrub on $ext_if all reassemble tcp min-ttl 15 max-mss 1400

#queues
altq on $ext_if cbq bandwidth 254Kb \
queue { voip, web_traf, std_out }
queue voip bandwidth 85Kb priority 2 cbq (default)
queue web_traf bandwidth 27% priority 5 cbq (borrow red)
queue std_out bandwidth 100Kb { std_bulk, std_pri }
queue std_bulk bandwidth 50% cbq (ecn)
queue std_pri bandwidth 50% priority 1 cbq (ecn)

#Nat
nat on $ext_if from $int_if:network to any -> ($ext_if)
#redirection
rdr on $ext_if proto tcp from any to port { ssh, 3030 } -> $web_serv
rdr on $ext_if proto tcp from any to port 5900 -> $desktop
#filtering
#default deny
block in on $ext_if all
block quick log on $ext_if from { <denied>, <rfc1918> }

#allow out
pass quick from lo0 all
antispoof quick for $int_if inet
pass out from $voip to any modulate state queue voip
pass out from $desktop to any \
modulate state queue(std_bulk, std_pri)
pass out proto UDP from $web_serv to any port 53 \
keep state queue std_pri
#allow in
#pass ssh and web requests on port 3030
pass in proto TCP from any to $web_serv port 3030 \
flags S/SA synproxy state queue web_traf
pass in log proto TCP from any to $web_serv port 22 \
flags S/SA synproxy state queue(std_bulk, std_pri)
#pass vnc to desktop
pass in log proto TCP from any to $desktop port 5900 \
keep state queue(std_bulk, std_pri)
[/code:1]