On 2022-02-18, Matthias Pressfreund <m...@fn.de> wrote:
> On 2022-02-17 18:56, Stuart Henderson wrote:
>> On 2022-02-17, Matthias Pressfreund <m...@fn.de> wrote:
>>> On a server with 3 LAN interfaces (re0/1/2):
>>> * re0 connected to the ISP
>>> * re1 connected to the internal network
>>> * re2 so far unused
>>>
>>> I was setting up pf queues for bandwidth control as follows:
>>> * one queue on re0 for outgoing traffic
>>> * another queue on re1 for incoming traffic
>>>
>>> Now, I would like to connect a wireless LAN router to re2 offering a
>>> guest network. As far as I understood, a pf queue has to be bound to
>>> exactly one network interface. So I'm wondering if there is another way
>>> to include incoming traffic on re2 into the very same bandwidth control
>>> currently realized by the queue on re1.
>>
>> A queue is bound to one interface, but, you can have multiple queues
>> with the same name. "queue foo on em0", "queue foo on em1".
>>
>> An assignment in PF e.g. "queue foo" will then use whichever is the
>> relevant "foo on $iface" when packets are transmitted which match
>> the PF state created by that rule.
>>
>
> Just for curiosity... What happens if after binding "queue foo on em0", there
> is a rule like "pass out on em1 set queue foo"? Will a packet passed out here
> (on em1) go into the bandwidth control bound on queue foo even though bound
> to em0?

The queue is attached to a firewall state and all packets matching that
state will pick it up. So if you have a named queue present on em0 but
not em1, and match with "pass out on em1 set queue foo", packets
transmitted on em1 will not be queued, but packets matching that state
(return packets via em0) _will_ be queued.

I suggest making some rules that will match a speed test of some sort
(tcpbench is easy and in base on openbsd) and play around to get a feel
for what works. Probably helpful to watch "pfctl -vvsq" and/or
"systat queues".

-- 
Please keep replies on the mailing list.