Hi all,
thanks for your help and tips.
I have done some testing when I had some free time.
I finally got it working by creating the queue on my internal
if (now em1 instead of re1)
altq on $int_if hfsc bandwidth 97Mb qlimit 500 queue { main, second }
queue main on $int_if bandwidth 1Mb qlimit 250 priority 4 hfsc(upperlimit 97Mb default)
queue second on $int_if bandwidth 1Mb qlimit 250 priority 0 hfsc(upperlimit 1Mb)
and using the following rules
pass out on $ext_if from $my_ip queue depri
2 things I don't understand :
1 - pass out on external if = traffic going out on WAN
this should be upload then
download should be pass in on external if or
out on internal if, right ?
Why must I use a rule on upload to shape download ?
Also, on the bob example of the queue FAQ:
http://openbsd.org/faq/pf/queueing.html
Queue is on external if (just like me) but rules
pass out on dc0 to $bob queue bob_in
is also out on internal if.
Why must I do my out rules on external if ?
Is the FAQ wrong ?
2 - I can't use match to transfer traffic into a queue?
If I use
match out on $ext_if from $my_ip queue depri
instead of
pass out on $ext_if from $my_ip queue depri
then it doesn't work anymore
From what I understand from match rule, it should always
be applied like a quick rule without altering pass or block rules.
Am I wrong ? That would be perfect for my queue rules
because queue will change dynamically. I know I could do
my shaping rules without match but I will have more
exception to take care of.
Also, I can see on a mail from william.dun...@gmail.com
subject : Re: match queue ignored
After further experimentation, I found out the following:
"match queue" overrides:
- a previous "match queue" assignment
- the default queue
Was it added in 5.0?
I'm using 4.9
My rule set that works fine, from pftop output
after a speed test :
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Pass In Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
1 Pass In Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
2 Pass Out Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
3 Pass Out Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
4 Pass In Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
5 Pass Out Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
6 Pass Out Q K 0 0 0 from <admin> to any flags S/SA
7 Pass Out Q K 0 0 0 inet from 192.168.3.0/24 to any flags S/SA
8 Pass In Q K 3 571 2 from <admin> to any flags S/SA
9 Pass In Q K 6 354 6 inet from 192.168.3.0/24 to any flags S/SA
10 Pass In ext_if K 0 0 0 all flags S/SA
11 Pass Out ext_if K 0 0 0 all flags S/SA
12 Pass In int_if K 0 0 0 all flags S/SA
13 Pass Out int_if K 0 0 0 all flags S/SA
14 Pass Out em0 K 7070 6572775 24 inet from 10.254.200.2/32 to any flags S/SA queue depri
PFtop -v rules output after another speed test
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Pass In Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
1 Pass In Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
2 Pass Out Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
3 Pass Out Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
4 Pass In Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
5 Pass Out Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
6 Pass Out Q K 20 1120 0 from <admin> to any flags S/SA
7 Pass Out Q K 0 0 0 inet from 192.168.3.0/24 to any flags S/SA
8 Pass In Q K 1 78 1 from <admin> to any flags S/SA
9 Pass In Q K 4 384 3 inet from 192.168.3.0/24 to any flags S/SA
10 Pass In ext_if K 0 0 0 all flags S/SA
11 Pass Out ext_if K 0 0 0 all flags S/SA
12 Pass In int_if K 0 0 0 all flags S/SA
13 Pass Out int_if K 0 0 0 all flags S/SA
14 Match Out em0 0 0 0 inet from 10.254.200.2/32 to any queue depri
Thanks
Michel