Howdy folks,

I've been following an example in the Absolute OpenBSD book on how to
set up two separate child queues for traffic going to two different
networks over the same interface.

This server runs OpenBSD 3.8 (GENERIC kernel with RAIDframe and MP),
has two NICs (internal/external) and serves as a NAT firewall to the
internet for a small private network.  It also has a few local
services like NFS and web.

Here are the relevant portions of /etc/pf.conf:

### queues setup here:
altq on $int_if cbq bandwidth 1000Mb queue { local, internet }

queue local bandwidth 998500Kb cbq
queue internet bandwidth 1500Kb { std_in, ssh_im_in, dns_in, imap_in }

queue std_in    bandwidth 65% cbq(borrow, default)
queue ssh_im_in bandwidth 10% priority 4 cbq(ecn, borrow)
queue dns_in    bandwidth 5% priority 5 cbq(red, borrow)
queue imap_in  bandwidth 20% priority 6 cbq(red, borrow)

local_net     = "{172.20.13.0/16 172.22.13.0/16 172.23.13.0/16}"
ssh_ports     = "{ 22 2112 }"

# filter rules for $int_if outbound
pass  out on $int_if proto { tcp udp } from any port domain to $local_net \
       queue dns_in
pass  out on $int_if proto tcp from any port $ssh_ports to $local_net \
       queue(std_in, ssh_im_in)

pass out on $int_if from any to $local_net queue std_in
pass out on $int_if from $local_net to $local_net keep state queue local


So, because this server serves as both firewall and file server, I
would like to treat local traffic without the same bandwidth
restrictions as internet traffic.

The problem is that with this setup, local http and ssh traffic is
allowed to pass at full speed, but local NFS traffic is restricted to
'queue std_in' rates just like internet traffic is.

Somehow, that last filter rule is not getting local NFS traffic into
the 'local' queue.  I don't understand this, as the NFS traffic should
look just like the http and ssh traffic with regards to that filter
rule.

I've been banging on this one for a week and feel like I've exhausted
all other resources.  If anyone has any ideas, I'd love to hear 'em!

thanks,
Dave
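
An added example, not part of Dave's post or his ruleset: pf takes the queue
for a stateful connection from the rule that created the state, and packets
matching an existing state never re-evaluate the ruleset, so a later "pass
out ... queue local" rule cannot move them.  The fragment below assumes
(since the post does not show the rest of the ruleset) that NFS from the LAN
to the server itself is passed by an inbound stateful rule on $int_if; that
rule is where the queue has to be named.  The interface name em0 and the
nfs_ports list are assumptions for illustration.

```pf
# Added example (not from the original post).  Assumption: the server's own
# services are reached through a "pass in ... keep state" rule on $int_if.
int_if    = "em0"                      # assumed interface name
local_net = "{ 172.20.0.0/16 172.22.0.0/16 172.23.0.0/16 }"
nfs_ports = "{ sunrpc 2049 }"          # assumed: portmapper and nfsd only

altq on $int_if cbq bandwidth 1000Mb queue { local, internet }
queue local    bandwidth 998500Kb cbq
queue internet bandwidth 1500Kb cbq { std_in, ssh_im_in, dns_in, imap_in }
queue std_in    bandwidth 65% cbq(borrow, default)
queue ssh_im_in bandwidth 10% priority 4 cbq(ecn, borrow)
queue dns_in    bandwidth 5%  priority 5 cbq(red, borrow)
queue imap_in   bandwidth 20% priority 6 cbq(red, borrow)

# LAN clients talking to NFS on this box: the state is created by this
# inbound rule, so the server's replies leaving on $int_if are queued by
# whatever this rule names.  Without "queue local" here they fall into the
# default queue (std_in), no matter what a later "pass out" rule says.
pass in on $int_if proto { tcp udp } from $local_net to $int_if \
       port $nfs_ports keep state queue local

# LAN-to-LAN traffic whose state is created on the way out.
pass out on $int_if from $local_net to $local_net keep state queue local
```

To confirm which queue traffic is actually landing in, watch the per-queue
packet and byte counters with "pfctl -vsq" while an NFS transfer runs, and
use "pfctl -vvss" to see which rule number created each state; if the NFS
states point at a rule with no queue assigned, that rule is the one to fix.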
