
altq-(ipv6 tunnel|multiple ifs) questions

hi list,
just a few quick questions, if i may...
i have a 4 legged (~3.3ish) router (with one "external" interface, nat'ed)
doing altq (cbq) on said external interface. i classify packets for
queueing with rules that match on $ext_if (for incoming connections to
rdr'ed ports) and on the other interfaces (for outgoing connections that
will leave the firewall via $ext_if). so far, all is well and works as

i do have a few "how do i do this" questions, though..

the router talks ipv6 to boxen behind three of the interfaces (not
$ext_if). my external ipv6 connectivity is via a tunnel over v4 (via
$ext_if, obviously). it is fairly simple to classify the traffic of
outgoing ipv6 connections (i just make a "pass out on gif0 ... queue
(q_on_ext_if)" rule, and it gets put in the right queue as it goes out on
$ext_if), but can't think of a way to do this for incoming v6 connections
(other than sticking the whole tunnel in the same queue, which would lump
all the v6 traffic together and that is not what i want). any hints?
i don't suppose pf can look "inside" the tunnel as the packets pass in on

another altq question. i want to take this setup to the next level and make
altq partition my downlink as well. is this possible when there is more
than one "internal" interface? i need to make a queue that transcends the
interfaces, i.e. to cap bandwidth for a group of connections regardless of
what interface they live on.
even if this is possible, how will i classify this traffic? some of the
rules that create the relevant states already have queue keywords for the
altq on $ext_if...

hmm, wouldn't this also be a problem in the case that there is only one
internal interface? unless you only classify traffic with rules that match
on the same if that the queue is attached to, which would severely limit
the usefulness of altq (at least if you need to do nat, too)..

now that i think about it, packet tagging might solve that last problem.
i'll have to unfubar my tree and bump it to -current so i can play with
</brain dump>
ps. kudos to all the coders for making pf own :)
b bee