On 3/28/06, Jason Dixon <[EMAIL PROTECTED]> wrote:
> I have a site with an OpenBSD firewall pair routing 12 internal VLANs
> (11 client networks, 1 DMZ). All of the client HTTP traffic is
> redirected to a Squid proxy on the DMZ. I'm using altq with cbq for
> queuing all of the outbound traffic, but I can't seem to wrap my head
> around a good way of queueing while using the proxy.

I've got basically the same setup, with more VLANs, and I'm only proxying SMTP/POP3 into the DMZ.

> With the current ruleset, clients are properly assigned to the
> "http_out" queue, but then the connection from the proxy is going to
> duplicate their traffic in altq. Even if I don't queue outbound
> traffic from the proxy, the packets are going to be counted towards
> the default queue, skewing my totals. Has anyone come up with an
> effective QoS design for dealing with proxies handling multiple
> networks?

I'm not sure what the problem is here. Clients get thrown into an http_out queue on the DMZ interface, and the Squid proxy will be put into a separate http_out interface on the public-facing interface. So yes, client HTTP traffic will pass through your router twice (client <-> DMZ, DMZ <-> public) using different queues on different interfaces, as you've described. You mention totals; are you trying to do traffic accounting and getting caught on something?

> (Note: I would post the ruleset, but it's over 600 lines long.)

Mine is a similar size, mostly NAT and RDR rules for client<->DMZ traffic.

-- 
Jon Simola
Systems Administrator
ABC Communications
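The two-interface layout described in the reply above, as an added pf.conf fragment (OpenBSD 3.x-era altq/cbq syntax) that is not part of the original thread and not either poster's ruleset. It assumes one public interface, one DMZ VLAN holding Squid, one client VLAN, and made-up interface names, addresses and bandwidths; the point it shows is that each leg of the proxied path is queued, and therefore counted, on exactly one interface, so the proxy's own fetches never land in the DMZ-side HTTP queue or its default queue.

```conf
# Added example, not from the thread. Names, addresses and bandwidths are
# assumptions for illustration; merge into a real ruleset with its own
# block/pass policy.
ext_if    = "bge0"          # public-facing interface (assumed)
dmz_if    = "vlan12"        # DMZ VLAN holding Squid (assumed)
client_if = "vlan1"         # one of the client VLANs (assumed)
squid     = "192.0.2.10"    # Squid host in the DMZ (assumed, TEST-NET address)
clients   = "{ 10.1.0.0/16, 10.2.0.0/16 }"   # client networks (assumed)

# One altq root per interface that carries a leg of the proxied path.
# The DMZ-side queues only ever see client -> proxy traffic; the public-side
# queues only ever see proxy -> Internet traffic.
altq on $dmz_if cbq bandwidth 100Mb queue { dmz_def, dmz_http }
queue dmz_def  bandwidth 60% cbq(default)
queue dmz_http bandwidth 40% priority 2 cbq(borrow)

altq on $ext_if cbq bandwidth 10Mb queue { ext_def, ext_http }
queue ext_def  bandwidth 50% cbq(default)
queue ext_http bandwidth 50% priority 2 cbq(borrow)

# Leg 1: transparent redirect of client port-80 traffic to Squid on port 3128.
rdr on $client_if proto tcp from $clients to any port 80 -> $squid port 3128

# The queue is attached to the state when the SYN arrives on the client VLAN
# and takes effect when the packet leaves on $dmz_if, which has a queue of
# that name. Replies to the client leave on $client_if, which has no altq,
# so they are neither shaped nor counted there.
pass in on $client_if proto tcp from $clients to $squid port 3128 \
    flags S/SA keep state queue dmz_http

# Leg 2: Squid's own fetches arrive on $dmz_if and leave on $ext_if, so they
# are shaped and counted in ext_http only; dmz_http never sees them, and
# they do not fall into dmz_def either.
pass in on $dmz_if proto tcp from $squid to any port 80 \
    flags S/SA keep state queue ext_http
```

Because the queue name is resolved against the interface a packet actually leaves on, a state tagged with a queue that does not exist on the outbound interface is not double-counted: it simply takes that interface's default queue. Per-interface, per-queue byte and packet counters can be read with pfctl -vsq, which keeps client-side and proxy-side accounting separate by construction.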