pf and altq setup

From: Mikkel C. Simonsen (none@mcs--post5.tele.dk.lh.bsd-dk.dk)
Date: Thu 27 Jan 2011 - 19:29:00 CET


From: Mikkel C. Simonsen <none@mcs--post5.tele.dk.lh.bsd-dk.dk>
To: bsd-dk@bsd-dk.dk
Subject: pf and altq setup
Date: Thu, 27 Jan 2011 19:29:00 +0100

I have tried to set up a router/firewall. The traffic passes
through fine, but the bandwidth management does not work.
All the traffic goes through the bulk queues (as I can see
with systat queues).

The system is OpenBSD 4.8 with the GENERIC kernel.

tdcif is connected to a VDSL modem, and sirif is connected
to the various servers. My pf.conf is included below. The
contents of the file are a combination of the setup on the
old router, a bit from the man page, and something from the
net. There is surely a simple and obvious error somewhere,
but where? This is the first time I have tried altq, but not
pf...

I know that .164 being in both web and dns causes problems
for the shaping, but that is a temporary problem.

Kind regards

Mikkel C. Simonsen

sirif="fxp0"
tdcif="fxp1"

table <web> const {1.2.3.171, 1.2.3.164}
table <post> const {1.2.3.165, 1.2.3.168}
table <sirocco> const {1.2.3.172}
table <sir> const {1.2.3.160/28}
table <dns> const {1.2.3.170, 1.2.3.164}
table <dina> const {1.2.3.162}

altq on $tdcif hfsc bandwidth 10.5Mb queue { voip_out, dns_out, bulk_out, web_out, mail_out }

queue voip_out bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
queue dns_out bandwidth 5% priority 6 qlimit 500 hfsc (realtime 5%)
queue bulk_out bandwidth 25% priority 4 qlimit 500 hfsc (upperlimit 50% default)
queue web_out bandwidth 40% priority 5 qlimit 500 hfsc (realtime 30%)
queue mail_out bandwidth 25% priority 3 qlimit 500 hfsc (upperlimit 50%)

altq on $sirif hfsc bandwidth 13.5Mb queue { voip_in, dns_in, bulk_in, web_in, mail_in }

queue voip_in bandwidth 4% priority 7 qlimit 500 hfsc (realtime 4%)
queue dns_in bandwidth 5% priority 6 qlimit 500 hfsc (realtime 5%)
queue bulk_in bandwidth 30% priority 4 qlimit 500 hfsc (upperlimit 50% default)
queue web_in bandwidth 20% priority 5 qlimit 500 hfsc (realtime 15%)
queue mail_in bandwidth 41% priority 3 qlimit 500 hfsc (upperlimit 50%)

set skip on lo
set skip on rl0

pass in quick on $tdcif proto tcp from 2.105.54.144/29 to any port telnet queue bulk_in

block in quick on $tdcif proto tcp to <web> port smtp
block in quick on $tdcif proto tcp to <sirocco> port 500
block in quick on $tdcif proto tcp to <post> port 275
block in quick on $tdcif proto tcp to any port telnet
block in quick on $tdcif proto tcp to any port 717
block in quick on $tdcif proto tcp from 89.104.217.210 to 1.2.3.165 port smtp

pass in quick on $tdcif proto udp from any to <dina> queue voip_in
pass in quick on $tdcif proto { tcp, udp } from any to <dns> port domain queue dns_in
pass in quick on $tdcif proto tcp from any to <web> port {80, 443} queue web_in
pass in quick on $tdcif proto tcp from any to <post> queue mail_in

pass in quick queue bulk_in

pass out quick on $sirif proto udp from <dina> to any queue voip_out
pass out quick on $sirif proto tcp from <web> to any queue web_out
pass out quick on $sirif from <dns> to any queue dns_out
pass out quick on $sirif proto tcp from <mail> to any queue mail_out

pass out quick queue bulk_out
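An added static check, not part of the post above: an ALTQ queue belongs to the one interface it is declared on and only shapes packets leaving that interface, so a `pass out on $sirif ... queue web_out` rule names a queue that does not exist on $sirif (the `*_out` queues are all on $tdcif) and the packet falls back to the default queue; the same rules also reference a table `<mail>` that is never declared (only `<post>` is). The script below (the excerpt of the rules is constructed from the posted pf.conf with the mail wrapping removed) flags both problems.

```python
import re

# Excerpt of the pf.conf from the post above, with the mail wrapping removed
# (constructed from the posted rules; the full file is not repeated here).
PF_CONF = """
sirif="fxp0"
tdcif="fxp1"
table <web> const {1.2.3.171, 1.2.3.164}
table <post> const {1.2.3.165, 1.2.3.168}
altq on $tdcif hfsc bandwidth 10.5Mb queue { voip_out, dns_out, bulk_out, web_out, mail_out }
altq on $sirif hfsc bandwidth 13.5Mb queue { voip_in, dns_in, bulk_in, web_in, mail_in }
pass in quick on $tdcif proto tcp from any to <web> port {80, 443} queue web_in
pass out quick on $sirif proto tcp from <web> to any queue web_out
pass out quick on $sirif proto tcp from <mail> to any queue mail_out
pass out quick queue bulk_out
"""


def lint(conf):
    """Return findings for two mistakes that are easy to miss when reading:
    a 'pass out on IF ... queue Q' rule whose queue Q is not declared on IF
    (an ALTQ queue belongs to one interface and only shapes packets leaving
    that interface, so the rule can never place traffic in Q), and a filter
    rule that references a table which was never declared."""
    tables, queues, findings = set(), {}, []   # queues: interface -> set of names
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r'table <(\w+)>', line)
        if m:
            tables.add(m.group(1))
            continue
        m = re.match(r'altq on (\S+) .*queue \{([^}]*)\}', line)
        if m:
            queues[m.group(1)] = {q.strip() for q in m.group(2).split(',')}
            continue
        if not line.startswith(('pass', 'block', 'match')):
            continue
        for t in re.findall(r'<(\w+)>', line):
            if t not in tables:
                findings.append(f'undefined table <{t}>: {line}')
        q = re.search(r'queue (\w+)$', line)
        iface = re.search(r'\bon (\S+)', line)
        if q and iface and line.startswith('pass out'):
            qname, ifname = q.group(1), iface.group(1)
            if qname not in queues.get(ifname, set()):
                defined_on = sorted(i for i, qs in queues.items() if qname in qs)
                findings.append(f'queue {qname} used on {ifname} but defined on '
                                f'{defined_on}: {line}')
    return findings


if __name__ == '__main__':
    for finding in lint(PF_CONF):
        print(finding)
```

Given the topology described in the post (servers behind $sirif, modem on $tdcif), traffic from the servers leaves the router on $tdcif, so the `pass out on $sirif from <web>` rules would not match it even with a matching queue name; the `*_out` queues are only reachable from rules that act on packets leaving $tdcif.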



This archive was generated by hypermail 2b30 : Mon 31 Jan 2011 - 23:00:00 CET