
Re: pf/altq on a fast link



Good day Anthony and pf list,
As everyone has already covered some very good points and some good links, I
thought I would pass along something that would get you started.
Basically I work for an ISP/LEC and we have started using OpenBSD for
traffic shaping on customers that we will run some fiber to and put an
OpenBSD box at one end to regulate the traffic, i.e. GigE to a customer, but
we cap their bandwidth as if they were buying T1s, DS3s, etc. (fiber
converters are nice!). This example does do some prioritization and
regulates bandwidth.
A basic config would look like this:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
####################
# Interface macros #
####################
br0_if= "em0"
br1_if= "em1"
########################################################################
# Define IP address or Range IP in Tables to use for your queues later #
########################################################################
table <customerX_bridge> const { 2xx.1xx.xx.0/25, 2xx.2xx.x1.0/24, \
	2xx.255.4x.0/24, xx6.xx1.3x.0/24, 2xx.xx1.2x.0/24, 2xx.2xx.x3.0/24, \
	2xx.2xx.xx4.0/24 }
###########################################################################
# Each network will be different - utilize pfstat and pftop to tweak      #
# These timeouts for best performance - IE knock up your vpn connections  # 
# for a long time but kill off dead traceroutes (unix udp) quickly.  This #
# usually takes some time to tweak out - This is really vanilla but a     #
# good start for anyone wanting to tweak the timeouts                     # 
###########################################################################
set timeout { interval 30, frag 10 } 
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } 
set timeout { tcp.closing 500, tcp.finwait 45, tcp.closed 40 } 
set timeout { udp.first 60, udp.single 30, udp.multiple 60 } 
set timeout { icmp.first 20, icmp.error 10 } 
set timeout { other.first 60, other.single 30, other.multiple 60 } 
set limit { states 200000, frags 5000 } 
set loginterface $br0_if 
set block-policy drop
set require-order yes
######################
# Normalize traffic  #
######################
# might as well clean up the traffic
scrub all
###################
# Internet Uplink #
###################
altq on $br0_if cbq bandwidth 80Mb qlimit 100 tbrsize 1000 queue { std0, customerX_0 }
queue customerX_0 bandwidth 11Mb cbq(red,ecn) { customerX_0_bulk, customerX_0_ack }
queue customerX_0_ack priority 7
queue customerX_0_bulk priority 0
# we set this high because if we ever want to make a rule change all the 
# old states will then fall into this queue - they timeout quickly enough 
# that we only see about 5Mb for the first 2 minutes then it drops to about 
# 2Mb after 10min - after 1 hour the std queue is back to normal
queue std0 bandwidth 10Mb cbq(default)
#####################
# Customer Downlink #
#####################
altq on $br1_if cbq bandwidth 80Mb qlimit 100 tbrsize 1000 queue { std1, customerX_1 }
queue customerX_1 bandwidth 11Mb cbq(red,ecn) { customerX_1_bulk, customerX_1_ack }
queue customerX_1_ack priority 7
queue customerX_1_bulk priority 0
# we set this high because if we ever want to make a rule change all the  
# old states will then fall into this queue - they timeout quickly enough   
# that we only see about 5Mb for the first 2 minutes then it drops to about
# 2Mb after 10min - after 1 hour the std queue is back to normal
queue std1 bandwidth 10Mb cbq(default)
##############################################################################
# Rules to rate adapt someone                                                #
# Here you would probably create a bunch of rules based on tables of all     #
# your customers IP address and then break down based on protocol and src/dst#
# ports                                                                      #
##############################################################################
pass out on $br0_if from { <customerX_bridge> } to any keep state queue ( customerX_0_bulk, customerX_0_ack ) label "customerX_internet"
pass out on $br1_if from any to { <customerX_bridge> } keep state queue ( customerX_1_bulk, customerX_1_ack ) label "customerX_customer"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
As Henning said, the priority only works on saturated links, but this setup
is for a Wireless Service Provider that lives inside of our network. They
have no policy management at all on their network, and mostly P2P products
destroy their bandwidth. We put the priority in there just to make the life
of anyone who tries to ssh or telnet somewhere a little bit nicer
during saturation. They usually hit and max out their bandwidth on a
nightly basis.
Hope this gets you going in the right direction along with all the great
documentation that has already been talked about. The docs truly are
magnificent - props to everyone that keeps them so clear.
Jason Houx
On Sat, 31 May 2003, Tony Faoro wrote:
> 
> Good day,
> 
> I operate a web-hosting/colocation/game server hosting company with a
> generous amount of available bandwidth. I have an OpenBSD bridge firewalling
> my network but after reading about the 'Prioritizing empty TCP ACKs with
> pf and ALTQ' I began to realize that there may be more I can do to speed
> things up on my link.
> 
> If anyone out there would be so kind as to share a pf.conf they are using
> in a similar circumstance that would be great. I'm somewhat new to the
> packet prioritizing world and would love some real world examples you all
> have had success with.
> 
> Thanks for your time,
> 
> -t
> 
> +----------- --  -  - -
> | Anthony M. Faoro II
> : CIO, Adtaq Internet
> . tmf at adtaq dot com
>   425.444.8787 VOICE
> . 800.861.1834 FAX
>
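As an added example (not Jason's config and not anything from the pf project), here is a small Python checker for three things worth verifying in a cbq setup like the one posted above before handing it to `pfctl -nf`: queues that rules assign traffic to but that are never defined, child queues whose bandwidth sum exceeds their parent's, and an altq interface that does not have exactly one default queue. The embedded `SAMPLE_CONF` is a constructed copy of the post's uplink section with the interface macro expanded.

```python
import re
# Constructed pf.conf fragment modelled on the post's config with the macros expanded.
SAMPLE_CONF = """
altq on em0 cbq bandwidth 80Mb qlimit 100 tbrsize 1000 queue { std0, customerX_0 }
queue customerX_0 bandwidth 11Mb cbq(red,ecn) { customerX_0_bulk, customerX_0_ack }
queue customerX_0_ack priority 7
queue customerX_0_bulk priority 0
queue std0 bandwidth 10Mb cbq(default)
pass out on em0 from { <customerX_bridge> } to any keep state queue ( customerX_0_bulk, customerX_0_ack ) label "customerX_internet"
"""
UNITS = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}

def parse_bw(text):  # absolute 'bandwidth NNNMb' as bits/s, None if unset (percent form not handled)
    m = re.search(r"\bbandwidth\s+(\d+)(Gb|Mb|Kb|b)\b", text)
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def names_in(text, pat=r"\{([^}]*)\}"):  # names inside the first { } (or other bracket) group
    m = re.search(pat, text)
    return [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []

def check_altq(conf):
    """Return a list of problem descriptions; an empty list means the fragment is consistent."""
    roots, queues, refs, problems = {}, {}, [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("altq on"):
            roots[line.split()[2]] = {"bw": parse_bw(line), "kids": names_in(line)}
        elif line.startswith("queue "):
            queues[line.split()[1]] = {"bw": parse_bw(line), "kids": names_in(line),
                                        "default": "cbq(default)" in line}
        elif line.startswith("pass") and " queue " in line:
            tail = line.split(" queue ", 1)[1]          # "( a, b ) ..." or "a ..."
            refs += names_in(tail, r"\(([^)]*)\)") or tail.split()[:1]
    # 1. every queue a rule assigns traffic to must be defined
    problems += [f"rule assigns traffic to undefined queue {n}" for n in refs if n not in queues]
    # 2. cbq children share the parent's bandwidth, so their sum may not exceed it (a child with no bandwidth counts as 0 here)
    for parent, spec in list(roots.items()) + list(queues.items()):
        kid_bw = sum(queues.get(k, {}).get("bw") or 0 for k in spec["kids"])
        if spec["bw"] is not None and kid_bw > spec["bw"]:
            problems.append(f"children of {parent} claim {kid_bw} > {spec['bw']} bits/s")
    # 3. pf.conf(5) requires exactly one default queue under each altq interface
    for ifname, spec in roots.items():
        stack, defaults = list(spec["kids"]), 0
        while stack:                                    # walk the whole subtree
            q = stack.pop()
            defaults += queues.get(q, {}).get("default", False)
            stack += queues.get(q, {}).get("kids", [])
        if defaults != 1:
            problems.append(f"{ifname} has {defaults} default queues, expected exactly 1")
    return problems
```

Running `check_altq(SAMPLE_CONF)` on the posted layout returns an empty list; raising `customerX_0` above what `std0` leaves of the 80Mb, or pointing a rule at a misspelled queue name, produces a message for each problem.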