NAT queue {in,out} still no love

I tried the latest snapshot (May 8) with the same results as the 3.3
release. :( I'm really going crazy trying to get traffic that comes from the
inside interface (inbound to the int_if, NAT 192.168.1.x/32) to grab
the queue that lives on the external interface for that specific traffic
(tech0).
I have done exactly what the pf.faq and Henning suggest:
---------------------------------------------------------------------------
Note that queue tagging can happen on an interface other than the one 
defined in the altq on directive:
    altq on fxp0 cbq bandwidth 2Mb queue { std, ftp }
    queue std cbq(default)
    queue ftp bandwidth 1.5Mb
    pass in on dc0 from any to any port 21 queue ftp
Queuing is enabled on fxp0 but the tagging takes place on dc0. If packets 
matching the pass rule exit from interface fxp0, they will be queued in 
the ftp queue. This type of queuing can be very useful on routers.
---------------------------------------------------------------------------
#################################
### Queue  EXT_IF  External   ###
#################################
altq on $ext_if cbq bandwidth 1Mb qlimit 100 tbrsize 100  queue {  tech0, \
sonic0, std0 }
        queue tech0 bandwidth 100Kb
        queue sonic0 bandwidth 200Kb
        queue std0 bandwidth 100Kb cbq(default)
#################################   
### Queue  Int_if  Internal   ###   
#################################   
altq on $int_if cbq bandwidth 1Mb qlimit 100 tbrsize 100  queue { tech1, \
std1 }
        queue tech1 bandwidth 100Kb 
        queue std1 bandwidth 20Kb cbq(default)
<rules>
scrub in all fragment reassemble 
pass in log quick on de0 inet proto tcp from <man_hosts> to x.x.x.x/32 \
port = ssh flags S/SA modulate state label "tcp managment_if from man_hosts" 
<important lines>
pass in log-all quick on dc0 all queue tech0 
pass out log-all quick on dc0 all queue tech1 
</important lines>
pass out log-all on dc0 all queue std1 
pass out log-all on de0 all queue std0 
</rules>
---------------------------------------------------------------------------
# note #
I get matches on my rules for tech0 and tech1, as I should:
:/home/coldiso% pfctl -vs rules
scrub in all fragment reassemble 
[ Evaluations: 894       Packets: 417       Bytes: 0           States: 0     ]
pass in log quick on de0 inet proto tcp from <man_hosts> to x.x.x/32 
port = ssh flags S/SA modulate state label "tcp managment_if from 
man_hosts" 
[ Evaluations: 89        Packets: 0         Bytes: 0           States: 0     ]
pass in log-all quick on dc0 all queue tech0 
[ Evaluations: 83        Packets: 44        Bytes: 5066        States: 0     ]
pass out log-all quick on dc0 all queue tech1 
[ Evaluations: 45        Packets: 39        Bytes: 21263       States: 0     ]
pass out log-all on dc0 all queue std1 
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass out log-all on de0 all queue std0 
[ Evaluations: 6         Packets: 77        Bytes: 24217       States: 6     ]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# note #
I get nothing in queue tech0 for the outbound traffic that should be in
that queue?
:/home/coldiso% pfctl -vs queu
queue root_de0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech0, sonic0, std0}
[ pkts:        674  bytes:     208200  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech0 bandwidth 100Kb 
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  sonic0 bandwidth 200Kb 
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std0 bandwidth 100Kb cbq( default ) 
[ pkts:        674  bytes:     208200  dropped pkts:      9 bytes:   1670 ]
[ qlength:   0/ 50  borrows:      0  suspends:     44 ]
queue root_dc0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech1, std1}
[ pkts:        161  bytes:      67335  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech1 bandwidth 100Kb 
[ pkts:        161  bytes:      67335  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      5 ]
queue  std1 bandwidth 20Kb cbq( default ) 
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
Is anyone else trying to do in/out queueing on a NAT box? If you are, your
suggestions as to where I am going wrong would be more than greatly
appreciated.
Thanks,
Jason Houx
:/home/coldiso% pfctl -gsr
@0 scrub in all fragment reassemble 
[ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@0 pass in log quick on de0 inet proto tcp from <man_hosts:2> to 
216.201.43.116 port = ssh flags S/SA modulate state label "tcp 
managment_if from man_hosts" 
[ Skip steps: d=2 sp=end ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@1 pass in log-all quick on dc0 all queue tech0 
[ Skip steps: i=4 f=end p=end sa=end sp=end da=end dp=end ]
[ queue: qname=tech0 qid=2 pqname= pqid=2 ]
@2 pass out log-all quick on dc0 all queue tech1 
[ Skip steps: i=4 d=end f=end p=end sa=end sp=end da=end dp=end ]
[ queue: qname=tech1 qid=4 pqname= pqid=4 ]
@3 pass out log-all on dc0 all queue std1 
[ Skip steps: d=end f=end p=end sa=end sp=end da=end dp=end ]
[ queue: qname=std1 qid=4294967293 pqname= pqid=4294967293 ]
@4 pass out log-all on de0 all queue std0 
[ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
[ queue: qname=std0 qid=4294967293 pqname= pqid=4294967293 ]
:/home/coldiso% pfctl -gsq
queue root_de0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech0, 
sonic0, std0}
[ qid=4294967294 ifname=de0 ifbandwidth=1Mb ]
queue  tech0 bandwidth 100Kb 
[ qid=2 ifname=de0 ifbandwidth=1Mb ]
queue  sonic0 bandwidth 200Kb 
[ qid=3 ifname=de0 ifbandwidth=1Mb ]
queue  std0 bandwidth 100Kb cbq( default ) 
[ qid=4294967293 ifname=de0 ifbandwidth=1Mb ]
queue root_dc0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech1, 
std1}
[ qid=4294967294 ifname=dc0 ifbandwidth=1Mb ]
queue  tech1 bandwidth 100Kb 
[ qid=4 ifname=dc0 ifbandwidth=1Mb ]
queue  std1 bandwidth 20Kb cbq( default ) 
[ qid=4294967293 ifname=dc0 ifbandwidth=1Mb ]