Re: using altq for rate limiting on certain ports across multiple
darren david wrote:
> My /guess/ is that i need 2 queues - one on $EXT_IF inbound and one on
> $PRIV_IF outbound. Or perhaps i simply need to be tagging packets?
> $PRIV_NET is NATed, as one might expect.
You seem to be confused, as I was, about the possibilities of the queue
You cannot queue packets coming into your firewall / shaper. Once they
have arrived, it is too late to ask them not to arrive. No doubt your
ISP is using queuing of some sort, but you have no influence over that.
So, first of all, you need to realise that you can only queue stuff
*leaving the firewall*.

Secondly, now you know this, you need to realise that you needn't
consider queues that affect both interfaces. It's not possible to have a
queue that affects an internal and external interface (because you
cannot queue packets entering the firewall), so you don't need to worry
about trying to accomplish this.

If what you are hoping to do is limit the download bandwidth of a
machine on $PRIV_NET, for instance $dev_box, you just limit the rate
that $dev_box can draw packets out of the firewall. Which requires only
a queue that affects $PRIV_IF, because (sing along now) you cannot
affect the rate at which packets are received from your ISP.

If you want to limit the upload rate of $dev_box, then you want a queue
that acts on $EXT_IF. Because NAT is working on $EXT_IF, you will not be
able to check the local address of packets on $EXT_IF, so if you need to
limit the upload rate of a specific private address, tag those packets
using a rule that acts on the internal interface. Tags in PF remain the
whole time the packet is in the firewall, and are not transmitted
outside of the firewall.

Because of what is described above, it is probably not possible to
precisely limit the download rate of the firewall machine (when
downloading CVSup data, for instance). It might be possible to reduce
the downstream bandwidth the firewall uses by limiting its upstream
bandwidth (which is tricky because a packet can only be tagged once),
but unless your firewall is likely to be downloading a lot, it's
probably unnecessary to do so.

Hopefully I haven't confused you worse than before. I've just finished
(well, tinkering continues) configuring my PF firewall, so for the
moment I'm full of wisdom that will quickly fall out of my spongy brain.
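The two-queue-plus-tag layout described in the reply, written out as an added pf.conf sketch (not from either poster). Interface names, addresses and rates are made up, and it assumes the classic ALTQ cbq syntax; a queue only takes effect on the interface whose altq line defines it, which is why the download queue lives on $priv_if and the upload queue on $ext_if.

```pf
ext_if   = "fxp0"              # made-up interface names and addresses
priv_if  = "fxp1"
priv_net = "192.168.1.0/24"
dev_box  = "192.168.1.10"

# Downloads: the only lever is the rate at which packets LEAVE $priv_if.
# cbq without "borrow" is a hard cap, so dev_box cannot draw faster than 512Kb.
altq on $priv_if cbq bandwidth 100Mb queue { priv_std, dev_down }
queue priv_std bandwidth 99Mb cbq(default)
queue dev_down bandwidth 512Kb cbq

# Uploads: queued on $ext_if, where NAT has already replaced the private
# source address, so the filter rule there must match on the tag instead.
altq on $ext_if cbq bandwidth 256Kb queue { ext_std, dev_up }
queue ext_std bandwidth 80% cbq(default borrow)
queue dev_up  bandwidth 20% cbq

nat on $ext_if from $priv_net to any -> ($ext_if)

# Internal interface: the private source address is still visible here, so
# this is where dev_box's packets get tagged. The tag never leaves the box.
# PF is last-match, so the dev_box rule comes after the general one.
pass in on $priv_if from $priv_net to any keep state
pass in on $priv_if from $dev_box to any keep state queue dev_down tag DEVBOX

# External interface: select dev_box's traffic by tag, not by address.
pass out on $ext_if keep state
pass out on $ext_if tagged DEVBOX keep state queue dev_up
```

Check the result with `pfctl -vsq` (queue counters) rather than by eyeballing rules; if the dev_* counters never move, the queue is being assigned on an interface that does not define it.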