
Re: Traffic shaping in two directions on bridge



jared r r spiegel said:
> On Thu, Apr 22, 2004 at 09:21:51AM +0200, Per-Olov Sjöholm wrote:
>>
>> If you have a std firewall not set up as a bridge everything is clear
>> (shape on the outgoing interface).
>
>> But if you want to shape traffic on both directions on a bridge ?
>
>   so you're asking two questions at once it seems?
>
>   yeah, std firewall and you wanna queue your upload, shape on ISP-facing
>   interface.  if you want to shape traffic on both directions, you can
>   approach that by shaping your upload on ISP-facing iface and shaping
>   download on LAN-facing iface.
>
>   as far as shaping both on a bridge:
>
>> Let say fxp1 is on the outside and fxp0 on the inside.
> ...
>> Will you then pass everything in both directions on fxp0 and do ALL rules
>> and shaping on fxp1 no matter of direction?
>> Will the shaping work in the bridge case for traffic coming IN to fxp1?
>> Is there any guidelines for bridge setups with PF ?
>> What is the wise way in this setup ?
>
>   i really don't know if the scenario is any different for a bridge, but
>   i do queueing on both packets from my LAN to the world ( upload )
>   and also on the LAN-facing (internal) interface, queueing on packets
>   which are either between the firewall and a LAN host as one set of
>   queues ( for 100Mb ), and for packets which are from the world and
>   going back to a LAN host ( for my ADSL download ).
>
>   for things like ftp proxy, that would normally match firewall<->LAN
>   rules, so i make a special rule for 'from firewall to lanhost user proxy'
>   which queues it to the "external/download" queue on the internal iface.
>
>   jared
>
> --
>
> [ openbsd 3.5 GENERIC ( mar 26 ) // i386 ]
>
Thanks for the answer.

I am "quite" familiar with PF and with the great altq shaping feature.
But I am not that familiar with queuing on bridges!

This is fact:
* Queue on the outgoing interface
* On a bridge it is according to the FAQ at OpenBSD "STRONGLY" recommended
  to filter on just ONE interface and pass everything on the other. (Have
  not read that much to take a debate on this...)

So... Do I need to break the recommendation to filter on just one
interface and filter on both (my brain says so) because I want to shape in
both directions?

As said, I am not sure how the bridge behaves with queuing. Maybe the key
is to understand why the recommendation is to filter on just one
interface... Maybe somebody could explain why? Why can't I filter as if
it's not a bridge?

It would be much appreciated if somebody could come up with info regarding
queueing on bridges, especially if you want to do it in both directions.

Thanks
Peo