* Giancarlo Razzolini <grazzol...@gmail.com> [2014-08-05 00:02]:
> On 04-08-2014 18:09, Eric Dilmore wrote:
> > I just set up a new OpenBSD 5.5 gateway for a small nonprofit. The
> > gateway has one external interface and one internal, with the internal
> > network split into several VLANs: one for secure traffic, one for
> > guests, one for internal phones, and one for our external Asterisk phone
> > server.
> Vlans work, but they add complexity. I'd prefer physical interfaces
> separating the networks, both for performance and security reasons.

the 90s are over.

> > However, I believe that pf queues are tied to an outbound interface.
> > None of the rules I have attempted on the internal interface have
> > matched at all. I can specify each vlan explicitly, but the internal
> > interface itself doesn't seem to match any packets. tcpdump shows
> > traffic passing both in and out when I specify the internal interface.
> The most indicated way is to queue your downloads on the internal
> interface and your uploads on the external interface. If I'm not
> mistaken, you need to set the queues on each vlan if.

you are mistaken, queueing on vlan is pretty meaningless.

however, classification can happen anywhere, so assign queues on your
vlan interface and create them on the physical one, things will Just
Work (tm).

sth like "match out on vlanX queue foo" really just tags the packet
"should go to queue foo". once the packet hits an outbound interface, we
check whether queue foo exists there and if so use it.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
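As an added illustration of the point above (not from the thread, and not anyone's posted config), a pf.conf fragment for OpenBSD 5.5 that creates the queues on the physical interfaces and only assigns them from the VLAN interfaces. The interface names (em0 external, em1 internal carrying vlan10/20/30/40) and all bandwidth figures are assumptions.

```conf
# Added example, not from the thread. Assumed layout: em0 is the external
# interface, em1 is the physical internal interface carrying vlan10
# (secure), vlan20 (guests), vlan30 (phones), vlan40 (Asterisk).
# Bandwidth figures are placeholders for a 20M down / 5M up uplink.

# Queues are created on the physical interfaces only: downloads leave
# the box on em1, uploads leave on em0. A queue defined "on vlan30"
# would never be the outbound interface pf looks at.
queue dl_root on em1 bandwidth 20M max 20M
queue  dl_std   parent dl_root bandwidth 10M default
queue  dl_voip  parent dl_root bandwidth 5M min 3M
queue  dl_guest parent dl_root bandwidth 5M max 5M

queue ul_root on em0 bandwidth 5M max 5M
queue  ul_std   parent ul_root bandwidth 2M default
queue  ul_voip  parent ul_root bandwidth 2M min 1M
queue  ul_guest parent ul_root bandwidth 1M max 1M

# Classification can happen on any interface: "queue X" only tags the
# packet. Downloads are tagged as they go out the vlan interface and
# land in the dl_* queue on em1; uploads are tagged on the way in from
# the vlan and land in the ul_* queue when they leave em0.
match out on { vlan30 vlan40 } queue dl_voip
match out on vlan20 queue dl_guest
match in  on { vlan30 vlan40 } queue ul_voip
match in  on vlan20 queue ul_guest
# A packet whose tag names a queue that does not exist on the interface
# it finally leaves on simply gets that interface's default queue.

pass in on vlan10
pass in on vlan20
pass in on { vlan30 vlan40 }
pass out on em0
```

`pfctl -nf /etc/pf.conf` checks the syntax and `systat queues` shows which queue each interface's traffic actually lands in, which is the quickest way to confirm the tags are being honoured on the physical interfaces.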