[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: using altq for rate limiting on certain ports across multiple

darren david wrote:
> My /guess/ is that i need 2 queues - one on $EXT_IF inbound and one on 
> $PRIV_IF outbound. Or perhaps i simply need to be tagging packets? 
> $PRIV_NET is NATed, as one might expect.
You seem to be confused, as I was, about the possibilities of the queue 
You cannot queue packets coming into your firewall / shaper. Once they 
have arrived, it is too late to ask them not to arrive. No doubt your 
ISP is using queuing of some sort, but you have no influence over that.
So, first of all, you need to realise that you can only queue stuff 
*leaving the firewall*.
Secondly, now you know this, you need to realise that you needn't 
consider queues that affect both interfaces. It's not possible to have a 
queue that affects an internal and external interface (because you 
cannot queue packets entering the firewall), so you don't need to worry 
about trying to accomplish this.
If what you are hoping to do is limit the download bandwidth of a 
machine on $PRIV_NET, for instance $dev_box, you just limit the rate 
that $dev_box can draw packets out of the firewall. Which requires only 
a queue that affects $PRIV_IF, because (sing along now) you cannot 
affect the rate at which packets are received from your ISP.
If you want to limit the upload rate of $dev_box, then you want a queue 
that acts on $EXT_IF. Because NAT is working on $EXT_IF, you will not be 
able to check the local address of packets on $EXT_IF, so if you need to 
limit the upload rate of a specific private address, tag those packets 
using a rule that acts on the internal interface. Tags in PF remain the 
whole time the packet is in the firewall, and are not transmitted 
outside of the firewall.
Because of what is described above, it is probably not possible to 
precisely limit the download rate of the firewall machine (when 
downloading CVSup data, for instance). It might be possible to reduce 
the downstream bandwidth the firewall uses by limiting its upstream 
bandwidth (which is tricky because a packet can only be tagged once), 
but unless your firewall is likely to be downloading a lot, it's 
probably unnecessary to do so.
Hopefully I haven't confused you worse than before. I've just finished 
(well, tinkering continues) configuring my PF firewall, so for the 
moment I'm full of wisdom that will quickly fall out of my spongy brain.