Hi, I'm trying to set up queues on my LTE interface. This machine is a firewall
machine with two interfaces: wan and lan. Egress traffic is queueing without
a problem. Rules like

  match out on $i_wan proto {tcp udp} to any port $p_dns set queue q_lte_out_dns set prio 6

work as intended and I can see that rules are being matched in systat queue
and rules.

The problem is with ingress packets. Yes, I know people say it makes no sense to
do it, but I believe it can work for TCP traffic. The slower the program is
receiving data, the slower it will ACK, the slower the server will be sending
data, and there should be more space for other packets.

Anyway, it does not seem to work for me. I try the most basic rules:

  queue q_lte_in_root on $i_lan bandwidth 20M max 20M qlimit 50

This works as intended, speedtests do indeed show my speed is more or less
20Mbit. Now I add 2 more queues, default and for http

  queue q_lte_in_std  parent q_lte_in_root bandwidth 512K default qlimit 50
  queue q_lte_in_http parent q_lte_in_root bandwidth 512K qlimit 50

And I create a match rule:

  match out on $i_lan all set queue q_lte_in_http set prio 0

And this rule is matched only by a handful of packets. systat queue
shows that the majority of packets go through q_lte_in_std, and only some
of the packets go through q_lte_in_http. systat rules also shows only
some of the packets are being matched by that rule.


I don't know, it looks like only packets without state match the "match"
rule and are being queued properly? I know filtering will be skipped
for packets that have state but queueing is not skipped. So why can't
I queue packets ingressing on LTE that are being egressed on the LAN
interface?

Is there any way to limit ingress on some ips/ports? I'd like to limit
greedy apps like youtube or netflix from taking all the bandwidth.

I read the pf.conf man page and searched the whole net but I couldn't find
an answer to my question. I think I could make it work if I made pf
stateless by default? Performance is not an issue here, the machine
can take it, but I couldn't find a way to do stateless by default.

Any ideas? Maybe I didn't read something carefully enough?


-- 
.-----------------.-------------------.---------------------.------------------.
| Michal Lyszczek | Embedded C, Linux |   Company Address   |  .-. open source |
| +48 727 564 419 | Software Engineer | Leszczynskiego 4/29 |  oo|  supporter  |
| https://bofc.pl `----.--------------: 50-078 Wroclaw, Pol | /`'\      &      |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:  813 349 58 78 |(\_;/) programer  |
`----------------------^--------------^---------------------^------------------'
