On 04-08-2014 18:09, Eric Dilmore wrote:
> I just set up a new OpenBSD 5.5 gateway for a small nonprofit. The
> gateway has one external interface and one internal, with the internal
> network split into several VLANs: one for secure traffic, one for
> guests, one for internal phones, and one for our external Asterisk phone
> server.
VLANs work, but they add complexity. I'd prefer physical interfaces
separating the networks, both for performance and security reasons.
>
> I'm trying to use queues to set up QoS for the Asterisk server. There is
> limited bandwidth in our location, and we would like to ensure that the
> Asterisk server has priority over other traffic. I would prefer a
> bandwidth specification over a simple priority, but either would be
> fine.
I suggest you first try prio, and only if it doesn't work, use queues.
I've used queues, but recently, I've been using only prio. It almost
always does the job.
>
> However, I believe that pf queues are tied to an outbound interface.
> None of the rules I have attempted on the internal interface have
> matched at all. I can specify each vlan explicitly, but the internal
> interface itself doesn't seem to match any packets. tcpdump shows
> traffic passing both in and out when I specify the internal interface.
The most indicated way is to queue your downloads on the internal
interface and your uploads on the external interface. If I'm not
mistaken, you need to set the queues on each vlan if.
>
> I am confused about the relationship between the physical interface and
> the vlan interfaces in pf. I would also like to know if there are any
> suggestions for how to set up the queues in order to provide QoS for
> phone traffic.
When using VLANs, you'll almost always only filter on the vlan interfaces.
As I already mentioned, you'll mostly get away with prio.
>
> My current pf.conf is hosted in a gist here:
> https://gist.github.com/geppettodivacin/8fc8dc044b122154d137
I've taken a quick look and you are headed in the right direction. You'll just
need to invert your queues. As I mentioned, use your queues on the vlans
for connections initiated by your networks. And queue on the external
interface connections coming from the internet.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
