
Upload problem with altq enabled in pf.conf



Hi ya,
A friend of mine has been using OpenBSD 3.4 (stable) for quite some time. I've talked him into using PF with ALTQ. The problem is that when he is just using the PF rules (without ALTQ enabled in pf.conf), things work fine.
He can then upload at up to 30kbps.
When he turns on the ALTQ mechanism in pf.conf, his speed drops back to around 19kbps.
I've looked into it, but until now I can't pinpoint the problem. Hopefully you guys know the answer.
I've included some info from his system (dmesg, pf.conf, pfctl -ss, pfctl -sq -v, pfctl -sr and netstat -ni).
[dmesg]
OpenBSD 3.4-stable (GENERIC) #0: Sun Jun  6 18:14:44 CEST 2004
    [email protected]*.xs4all.nl:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron (Mendocino) ("GenuineIntel" 686-class, 256KB L2 cache) 366 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 100184064 (97836K)
avail mem = 86913024 (84876K)
using 1248 buffers containing 5111808 bytes (4992K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ff) BIOS, date 11/30/99, BIOS32 rev. 0 @ 0xf0000
apm0 at bios0: Power Management spec V1.2 (BIOS managing devices)
apm0: AC on, no battery
pcibios0 at bios0: rev. 2.1 @ 0xf0000/0x1200
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf4a30/304 (17 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc0000/0x10000 0xd0000/0x1800
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX PCI-AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Mobility 1" rev 0x64
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cbb0 at pci0 dev 4 function 0 "Texas Instruments PCI1450 PCI-CardBus" rev 0x03: irq 11
cbb1 at pci0 dev 4 function 1 "Texas Instruments PCI1450 PCI-CardBus" rev 0x03: irq 11
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <IBM-DBCA-206480>
wd0: 16-sector PIO, LBA, 6194MB, 13424 cyl, 15 head, 63 sec, 12685680 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 1
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 7 function 3 not configured
maestro0 at pci0 dev 8 function 0 "ESS Maestro 2E" rev 0x10: irq 11
ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at maestro0
fxp0 at pci0 dev 9 function 0 "Intel 82557" rev 0x09: irq 11, address 00:d0:59:0c:b5:cd
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4
"AT&T/Lucent LTMODEM" rev 0x00 at pci0 dev 9 function 1 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 3 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 4840 netmask 4840 ttymask 58c2
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
dc0 at cardbus0 dev 0 function 0 irq 11 address 00:10:a4:e5:94:5b
tqphy0 at dc0 phy 0: 78Q2120 10/100 media interface, rev. 11
Xircom, CardBus Ethernet 10/100 + Modem 56, CBEM56G, 1.03 (manufacturer 0x105, product 0x1000) vendor "Xircom", unknown product 0x103 (class communications subclass serial, rev 0x03) at cardbus0 dev 0 function 1 not configured
[/dmesg]
[pf.conf]
#
#                                          ADSL
# ( Internal ) ---- dc0 [ OpenBSD ] fxp0 -------- ( Internet )
#
#
# Internal = 192.168.10.0/24
# ADSL     = xxx.xxx.xxx.xxx
#            2M/320k
#
# Order:
# 0x01 Macros
# 0x02 Tables
# 0x03 Options
# 0x04 Traffic Normalization
# 0x05 Queueing
# 0x06 Translation
# 0x07 Packet Filtering
#
## 0x01 Macros
ext_if = "fxp0"
int_if = "dc0"
## 0x02 Tables
## 0x03 Options
set block-policy return
## 0x04 Traffic Normalization
# Reassemble all fragmented packets
scrub in all fragment reassemble min-ttl 15 max-mss 1468
## 0x05 Queueing
# Prioritize all ACK packets on the ext_if. The queue only works on
# outgoing packets, once a packet arrives on an interface in the inbound
# direction it's already too late to queue it -- it's already consumed
# network bandwidth to get to the interface that just received it.
# Keep in mind though that when you use keep state on inbound, the queue
# option will work, because the packets also have to be sent back to the client.
# The maximum number of packets to hold in the queue is 100 (default is 50)
altq on $ext_if priq bandwidth 288Kb qlimit 100 queue { q_def, q_pri }
queue q_def priority 1 priq(default)
queue q_pri priority 7
## 0x06 Translation
# Redirect all ftp traffic to the local proxy
rdr on $int_if inet proto tcp from $int_if:network to any port ftp \
 -> 127.0.0.1 port 8021
# NAT PROXYING
# Map outgoing packets' source port to an assigned proxy port instead of
# an arbitrary port.
# In this case, proxy outgoing isakmp with port 500 on the gateway.
nat on $ext_if proto udp from any port isakmp to any -> $ext_if port isakmp
# Translate all traffic coming from the Wireless network (int_if)
nat on $ext_if inet from $int_if:network to any -> $ext_if
## 0x07 Packet filtering
block in log all
block drop in log on $ext_if all flags FUP/FUP
block drop in log on $ext_if all flags SF/SAFR
block drop in quick log on $ext_if all flags /SAFR
block drop in quick log on $ext_if from no-route to any
## Internal rules
# Allow traffic from Wireless network
pass in quick on $int_if inet proto udp from 0.0.0.0 port bootpc to \
 255.255.255.255 port bootps
pass in quick on $int_if inet proto udp from $int_if:network to any \
 port domain keep state queue (q_def, q_pri)
pass in quick on $int_if inet proto tcp from $int_if:network to $int_if \
 port ssh flags S/SAFR keep state
# Anybody
pass in quick on $int_if inet proto tcp from $int_if:network to any \
 modulate state queue (q_def, q_pri)
## PPTP rules
pass in on $int_if proto gre keep state
pass in on $int_if proto tcp from any to any port 1723 keep state
pass out on $ext_if proto gre keep state queue (q_def, q_pri)
pass out on $ext_if proto tcp from any to any port 1723 keep state \
 queue (q_def, q_pri)
## VPN
pass in quick on $int_if inet proto udp from $int_if:network port isakmp \
 to any port isakmp keep state queue (q_def, q_pri)
pass in quick on $int_if inet proto esp from $int_if:network to any \
 keep state queue (q_def, q_pri)
## oBSD
# Allow queries from DNS daemon
pass out quick on $ext_if inet proto udp from $ext_if to any \
 port domain keep state queue (q_def, q_pri)
# Allow FTP connections to the proxy (ftp-proxy)
pass in quick on $ext_if inet proto tcp from any to $ext_if \
 port 54999 >< 64999 user proxy keep state queue (q_def, q_pri)
# Allow ntp connections
pass out quick on $ext_if inet proto udp from $ext_if to any \
 port ntp keep state
# icmp-type 0 : echo reply (ping reply) RFC 792
# icmp-type 3 : Destination Unreachable RFC 792
# icmp-type 4 : Source Quench RFC 792
# icmp-type 8 : echo request (ping request) RFC 792
# icmp-type 11: time exceeded (traceroute) RFC 792
pass out quick on $ext_if inet proto icmp from $ext_if to any \
 icmp-type 8 code 0 keep state
pass out quick on $ext_if inet proto icmp from $ext_if to any \
 icmp-type 0 code 0 keep state
pass in quick on $ext_if inet proto icmp from any to $ext_if \
 icmp-type 3 keep state
pass in quick on $ext_if inet proto icmp from any to $ext_if \
 icmp-type 4 code 0 keep state
pass in quick on $ext_if inet proto icmp from any to $ext_if \
 icmp-type 11 keep state
## Local
pass in quick on lo0 all
pass out quick on lo0 all
## Admin
# Allow a ssh connection from the XS1 and XS6 server (Xs4All)
pass in quick on $ext_if inet proto tcp from { 194.xxx.xxx.xxx, 194.xxx.xxx.xxx } to \
 $ext_if port ssh flags S/SA keep state queue (q_def, q_pri)
[/pf.conf]
[pfctl -sr]
scrub in all min-ttl 15 max-mss 1468 fragment reassemble
block return in log all
block drop in log on fxp0 all flags FPU/FPU
block drop in log on fxp0 all flags FS/FSRA
block drop in log quick on fxp0 all flags /FSRA
block drop in log quick on fxp0 from no-route to any
pass in quick on dc0 inet proto udp from 0.0.0.0 port = bootpc to 255.255.255.255 port = bootps
pass in quick on dc0 inet proto udp from 192.168.10.0/24 to any port = domain keep state queue(q_def, q_pri)
pass in quick on dc0 inet proto tcp from 192.168.10.0/24 to 192.168.10.1 port = ssh flags S/FSRA keep state
pass in quick on dc0 inet proto tcp from 192.168.10.0/24 to any modulate state queue(q_def, q_pri)
pass in on dc0 proto gre all keep state
pass in on dc0 proto tcp from any to any port = pptp keep state
pass out on fxp0 proto gre all keep state queue(q_def, q_pri)
pass out on fxp0 proto tcp from any to any port = pptp keep state queue(q_def, q_pri)
pass in quick on dc0 inet proto udp from 192.168.10.0/24 port = isakmp to any port = isakmp keep state queue(q_def, q_pri)
pass in quick on dc0 inet proto esp from 192.168.10.0/24 to any keep state queue(q_def, q_pri)
pass out quick on fxp0 inet proto udp from 80.xxx.xxx.xxx to any port = domain keep state queue(q_def, q_pri)
pass in quick on fxp0 inet proto tcp from any to 80.xxx.xxx.xxx port 54999 >< 64999 user = 71 keep state queue(q_def, q_pri)
pass out quick on fxp0 inet proto udp from 80.xxx.xxx.xxx to any port = ntp keep state
pass out quick on fxp0 inet proto icmp from 80.xxx.xxx.xxx to any icmp-type echoreq code 0 keep state
pass out quick on fxp0 inet proto icmp from 80.xxx.xxx.xxx to any icmp-type echorep code 0 keep state
pass in quick on fxp0 inet proto icmp from any to 80.xxx.xxx.xxx icmp-type unreach keep state
pass in quick on fxp0 inet proto icmp from any to 80.xxx.xxx.xxx icmp-type squench code 0 keep state
pass in quick on fxp0 inet proto icmp from any to 80.xxx.xxx.xxx icmp-type timex keep state
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on fxp0 inet proto tcp from 194.xxx.xxx.xxx to 80.xxx.xxx.xxx port = ssh flags S/SA keep state queue(q_def, q_pri)
pass in quick on fxp0 inet proto tcp from 194.xxx.xxx.xxx to 80.xxx.xxx.xxx port = ssh flags S/SA keep state queue(q_def, q_pri)
[/pfctl -sr]
[pfctl -sq -v]
queue q_def priq( default )
  [ pkts:       1266  bytes:    1732868  dropped pkts:      0 bytes:      0 ]
  [ qlength:   9/ 50 ]
queue q_pri priority 7
  [ pkts:        105  bytes:       6194  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
[/pfctl -sq -v]
[netstat -ni]
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
lo0     33224 <Link>                               2     0        2     0     0
lo0     33224 127/8       127.0.0.1                2     0        2     0     0
lo0     33224 ::1/128     ::1                      2     0        2     0     0
lo0     33224 fe80::%lo0/ fe80::1%lo0              2     0        2     0     0
lo1*    33224 <Link>                               0     0        0     0     0
fxp0    1500  <Link>      00:d0:59:0c:b5:cd     1154     0     1570     0     0
fxp0    1500  80.xxx.xxx. 80.xxx.xxx.xxx        1154     0     1570     0     0
fxp0    1500  fe80::%fxp0 fe80::2d0:59ff:fe     1154     0     1570     0     0
pflog0  33224 <Link>                               0     0        0     0     0
pfsync0 1896  <Link>                               0     0        0     0     0
sl0*    296   <Link>                               0     0        0     0     0
sl1*    296   <Link>                               0     0        0     0     0
ppp0*   1500  <Link>                               0     0        0     0     0
ppp1*   1500  <Link>                               0     0        0     0     0
tun0*   3000  <Link>                               0     0        0     0     0
tun1*   3000  <Link>                               0     0        0     0     0
enc0*   1536  <Link>                               0     0        0     0     0
bridge0 1500  <Link>                               0     0        0     0     0
bridge1 1500  <Link>                               0     0        0     0     0
vlan0*  1500  <Link>      00:00:00:00:00:00        0     0        0     0     0
vlan1*  1500  <Link>      00:00:00:00:00:00        0     0        0     0     0
gre0*   1450  <Link>                               0     0        0     0     0
gif0*   1280  <Link>                               0     0        0     0     0
gif1*   1280  <Link>                               0     0        0     0     0
gif2*   1280  <Link>                               0     0        0     0     0
gif3*   1280  <Link>                               0     0        0     0     0
dc0     1500  <Link>      00:10:a4:e5:94:5b     2305     0     2216     0     0
dc0     1500  192.168.10/ 192.168.10.1          2305     0     2216     0     0
dc0     1500  fe80::%dc0/ fe80::210:a4ff:fe     2305     0     2216     0     0
[/netstat -ni]
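
The `pfctl -sq -v` counters quoted above can be read mechanically. The following is an added example, not part of the original post: it parses that output into per-queue average packet size, byte share and drop count, and compares the reported queue limit with a value supplied by the caller (100 here, taken from the `qlimit` on the post's `altq` line). The function names `parse_queue_stats` and `summarize` are hypothetical.

```python
import re

# The `pfctl -sq -v` output quoted in the post, embedded so this runs offline.
SAMPLE = """\
queue q_def priq( default )
  [ pkts:       1266  bytes:    1732868  dropped pkts:      0 bytes:      0 ]
  [ qlength:   9/ 50 ]
queue q_pri priority 7
  [ pkts:        105  bytes:       6194  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)")
STATS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+"
                      r"dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")
QLEN_RE = re.compile(r"qlength:\s*(\d+)\s*/\s*(\d+)")

def parse_queue_stats(text):
    """Return {queue_name: counters} from `pfctl -sq -v` text."""
    queues, current = {}, None
    for line in text.splitlines():
        if m := QUEUE_RE.match(line):
            current = queues.setdefault(m.group(1), {})
        elif current is None:
            continue  # counters before any "queue" header: ignore
        elif m := STATS_RE.search(line):
            keys = ("pkts", "bytes", "dropped_pkts", "dropped_bytes")
            current.update(zip(keys, map(int, m.groups())))
        elif m := QLEN_RE.search(line):
            current["qlength"], current["qlimit"] = map(int, m.groups())
    return queues

def summarize(queues, configured_qlimit=None):
    """Per-queue average packet size, byte share and qlimit comparison."""
    total = sum(q.get("bytes", 0) for q in queues.values()) or 1
    report = {}
    for name, q in queues.items():
        pkts, nbytes = q.get("pkts", 0), q.get("bytes", 0)
        report[name] = {
            "avg_pkt_bytes": nbytes / pkts if pkts else 0.0,
            "byte_share": nbytes / total,
            "dropped_pkts": q.get("dropped_pkts", 0),
            # True when the reported limit differs from the caller's value
            "qlimit_differs": (configured_qlimit is not None
                               and q.get("qlimit") != configured_qlimit),
        }
    return report
```

Calling `summarize(parse_queue_stats(SAMPLE), 100)` on the quoted counters gives an average of about 59 bytes per packet in `q_pri` against about 1369 in `q_def`, no drops in either queue, and a reported limit of 50 on both queues.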