ALTQ and PF
19 years 9 months ago #6805
by ReX
ALTQ and PF was created by ReX
I am trying to set up my OpenBSD firewall to do some traffic shaping and prioritization. I would like to be able to download something and still use my phone (VoIP). I have 3 Mb download but only 256Kb upload, so the phone cuts out like a bad cell connection if I have anything else going on. Any suggestions?
19 years 9 months ago #6806
by nske
Replied by nske on topic Re: ALTQ and PF
I would suggest first trying simply the priq scheduler to put VoIP traffic at top priority and the rest of the traffic at lower priority. In most cases that is sufficient for not-so-extreme traffic conditions. Still, if this is not enough in your case, you will have to use the cbq scheduler (which is more complicated and powerful) to place specific limits (i.e. set the minimum amount of bandwidth to be committed for VoIP traffic). There are some helpful examples in the PF User's Guide, Packet Queueing and Prioritization section.
Let us know of your progress.
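As an added example (not from nske's reply or from the PF User's Guide), here is the minimal priq setup the reply describes, sized for a 256Kb uplink. The interface names, the VoIP host address and the 245Kb ceiling are assumptions for illustration; the ceiling is deliberately a little under the real uplink rate so that packets queue in the firewall, where priq can reorder them, instead of in the modem's buffer, where nothing can.

```conf
# Added example: priq on the upstream interface (assumed names/addresses).
ext_if = "em0"
int_if = "em1"
voip   = "192.168.2.200"        # assumed VoIP adapter address

# priq has no per-queue bandwidth: only the relative priority (0 lowest .. 15
# highest) matters. Keep the root a bit under the 256Kb uplink so the queue
# forms here rather than in the modem.
altq on $ext_if priq bandwidth 245Kb queue { q_voip, q_ack, q_def }
queue q_voip priority 15 priq
queue q_ack  priority 10 priq
queue q_def  priority 1  priq(default)

nat on $ext_if from $int_if:network to any -> ($ext_if)

block in on $ext_if all
pass quick on lo0 all

# Classify on the inside interface, where the pre-NAT source address is still
# visible; the queue chosen here is stored in the state and applied when the
# packet later leaves $ext_if. Bulk data goes to q_def, empty TCP ACKs and
# TOS lowdelay packets to q_ack so downloads keep flowing while the uplink
# is saturated.
pass in on $int_if from $int_if:network to any keep state queue(q_def, q_ack)
# Without "quick" the last matching rule wins, so the host-specific rule
# must come after the general one.
pass in on $int_if from $voip to any keep state queue q_voip

# Traffic originated by the firewall itself (no queue given -> q_def).
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vvs queue` during a call: the packet counter of `q_voip` should climb while the phone is in use. If it stays at zero, the classification rule is not matching, most often because it was written against the translated (post-NAT) address on the external interface.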
19 years 9 months ago #6977
by ReX
Replied by ReX on topic Re: ALTQ and PF
I have the rules mostly done; they need some fine tuning. I will try to get them posted soon. I think someone asked to see pf rules, and maybe I can get some suggestions on the tuning. They ended up a little more complicated than I originally thought.
19 years 9 months ago #7001
by ReX
Replied by ReX on topic Re: ALTQ and PF
For anyone interested, here are the rules I came up with. Any suggestions welcome; I'm still working on them.
[code:1]
#Macros
#interfaces
int_if = "em1"
ext_if = "em0"
dmz_if = "sis0"
#machines
desktop = "192.168.2.1"
web_serv = "192.168.2.2"
voip = "192.168.2.200"
#Tables
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <denied> persist file "/etc/denied"
#Options
#drop unwanted incoming packets
set block-policy drop
#Scrub
scrub on $ext_if all reassemble tcp min-ttl 15 max-mss 1400
#queues
#root kept a little under the 256Kb uplink so queueing happens here, not in the modem
altq on $ext_if cbq bandwidth 254Kb \
    queue { voip, web_traf, std_out }
#cbq priorities run 0-7 and a higher number wins, so voip gets the top one;
#it must not be the default queue, or every unclassified packet lands in it
queue voip bandwidth 85Kb priority 7 cbq
queue web_traf bandwidth 27% priority 5 cbq(borrow red)
queue std_out bandwidth 100Kb { std_bulk, std_pri }
queue std_bulk bandwidth 50% priority 1 cbq(default ecn)
queue std_pri bandwidth 50% priority 3 cbq(ecn)
#Nat
nat on $ext_if from $int_if:network to any -> ($ext_if)
#redirection
rdr on $ext_if proto tcp from any to port { ssh, 3030 } -> $web_serv
rdr on $ext_if proto tcp from any to port 5900 -> $desktop
#filtering
#default deny
block in on $ext_if all
block quick log on $ext_if from { <denied>, <rfc1918> }
#allow out
pass quick on lo0 all
antispoof quick for $int_if inet
#classify on $int_if: nat rewrites the source address before the outbound
#filter runs on $ext_if, so "pass out from $voip" would never match there;
#the queue chosen here is stored in the state and used when the packet
#leaves $ext_if
pass in on $int_if from $voip to any modulate state queue voip
pass in on $int_if from $desktop to any \
    modulate state queue(std_bulk, std_pri)
pass in on $int_if proto udp from $web_serv to any port 53 \
    keep state queue std_pri
#allow in
#pass ssh and web requests on port 3030; replies use the queue of the state
pass in proto tcp from any to $web_serv port 3030 \
    flags S/SA synproxy state queue web_traf
pass in log proto tcp from any to $web_serv port 22 \
    flags S/SA synproxy state queue(std_bulk, std_pri)
#pass vnc to desktop
pass in log proto tcp from any to $desktop port 5900 \
    keep state queue(std_bulk, std_pri)[/code:1]