<facepalm> And here I've been doing it the hard way! I'll definitely give this 
a whirl on my next break. I don't recall ever seeing anything in the PF FAQ or 
manpage regarding identical naming of queues across interfaces. Is this the 
intended behavior, or a happy coincidence?

Thanks for the insight!

Breen


-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Stuart Henderson
Sent: Wednesday, November 21, 2012 7:47 AM
To: misc@openbsd.org
Subject: Re: PF altq and limiting traffic among multiple interfaces

On 2012-11-21, openbsd2012 <openbsd2...@breeno.net> wrote:
> In short, the problem with keeping state across interfaces (PF's
> default) is that it makes it impractical, if not impossible, to have 
> packets in different queues on both your internal and external network 
> interfaces.  To fix this, you need to configure PF to keep state on a 
> per interface basis. This is done with a declaration in PF of "set 
> state-policy if-bound".

There's another way which I think is better:

Give the queues the *same names* on the different interfaces.

Here's a slightly tweaked excerpt from one of my pf.conf files. The hfsc config 
may be a bit wrong as I only have a rough idea how to write hfsc rules (pieced 
together from posts on pfsense forums and Jacek Artymiak's old book), but it 
works OK in practice and is enough to show the idea.

Also, I find it much easier to deal with queue assignment in one place, 
separate from the filter rules, so I do this all in one block using match rules.


altq on pppoe0 hfsc bandwidth 820Kb queue {fast, med, low, bulk}
  queue fast on pppoe0 bandwidth 30% priority 8 qlimit 20 hfsc (realtime 180Kb)
  queue med on pppoe0 bandwidth 5% priority 4 qlimit 40 hfsc (realtime (200Kb, 10000, 60Kb))
  queue low on pppoe0 bandwidth 20% priority 2 qlimit 50 hfsc (realtime (200Kb, 10000, 60Kb) default)
  queue bulk on pppoe0 bandwidth  5% priority 1 qlimit 50 hfsc

altq on vr3 hfsc bandwidth 80Mb queue {local, internet}
  queue local on vr3 bandwidth 1% priority 8 qlimit 50 hfsc (realtime 50Mb upperlimit 50Mb)
  queue internet on vr3 bandwidth 3Mb priority 8 qlimit 50 hfsc (realtime 3Mb upperlimit 3Mb) {fast, med, low, bulk}
  queue   fast on vr3 bandwidth 1% priority 8 qlimit 50 hfsc (realtime 256Kb)
  queue   med on vr3 bandwidth 1% priority 4 qlimit 50 hfsc (realtime (800Kb, 10000, 256Kb) upperlimit 800Kb)
  queue   low on vr3 bandwidth 1% priority 2 qlimit 50 hfsc (realtime (500Kb, 10000, 256Kb) upperlimit 500Kb default)
  queue   bulk on vr3 bandwidth 1% priority 1 qlimit 50 hfsc

match proto tcp queue (low fast)
match proto tcp to port {http https} queue (med fast)

match proto udp from port {ntp domain snmp} queue (fast)
match proto udp to port {ntp domain snmp} queue (fast)

match proto tcp from port domain queue (fast)
match proto tcp to port domain queue (fast)

match proto tcp from port smtp queue (bulk)
match proto tcp to port smtp queue (bulk)

match proto udp from $pbx queue fast
match proto udp to $pbx queue fast
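
A consistency check for the same-names approach described in the message above, as an added example that is not part of the original thread: it reads pf.conf text and reports every queue a rule assigns that is not declared on each altq interface. It assumes one rule per line; the function name missing_queues and both sample rule sets are constructed for illustration.

```python
import re
from collections import defaultdict

ALTQ_DEF = re.compile(r"^altq\s+on\s+(\S+)")
QUEUE_DEF = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)")
# Queue assignment on a match/pass rule: "queue fast" or "queue (low fast)"
QUEUE_REF = re.compile(r"\bqueue\s+(?:\(([^)]*)\)|(\S+))")

def missing_queues(conf):
    """Return {queue: [altq interfaces lacking it]} for queues used by rules."""
    defined = defaultdict(set)          # interface -> queue names declared on it
    used = set()                        # queue names assigned by rules
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if (m := ALTQ_DEF.match(line)):
            defined[m.group(1)]         # register the interface even if empty
        elif (m := QUEUE_DEF.match(line)):
            defined[m.group(2)].add(m.group(1))
        elif (m := QUEUE_REF.search(line)):
            names = m.group(1) if m.group(1) is not None else m.group(2)
            used.update(n for n in re.split(r"[\s,]+", names) if n)
    report = {}
    for q in sorted(used):
        lacking = sorted(i for i, qs in defined.items() if q not in qs)
        if lacking:
            report[q] = lacking
    return report

# Constructed sample: a shortened rule set with identical queue names on both interfaces.
GOOD = """
altq on pppoe0 hfsc bandwidth 820Kb queue {fast, low}
  queue fast on pppoe0 bandwidth 30% priority 8 hfsc (realtime 180Kb)
  queue low on pppoe0 bandwidth 20% priority 2 hfsc (default)
altq on vr3 hfsc bandwidth 80Mb queue {fast, low}
  queue fast on vr3 bandwidth 1% priority 8 hfsc (realtime 256Kb)
  queue low on vr3 bandwidth 1% priority 2 hfsc (default)
match proto tcp queue (low fast)
match proto udp to port {ntp domain} queue fast
"""
# Constructed counter-example: the internal interface uses a different queue name.
BAD = (GOOD.replace("queue fast on vr3", "queue fast_in on vr3")
           .replace("80Mb queue {fast, low}", "80Mb queue {fast_in, low}"))

if __name__ == "__main__":
    print("same names:     ", missing_queues(GOOD))
    print("different names:", missing_queues(BAD))
```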
