Hi.

I have about 10 OpenBSD gateway units (from different towns, connected
over Internet),
and 1 central gateway ("primary gateway") in primary office.
Now I want to use ALTQ on this primary gateway to achieve evenly
distributed bandwidth among the rest of these gateways.
These gateways hold IPSec connections with the primary gateway ("star"
topology), so offices share one big LAN. Let's say 10.0.0.0/24 on
primary gateway's office, 10.0.1.0/24 on first unit, and so on.
Primary gateway has external NIC, let's say fxp0 (connected to ADSL),
and the internal NIC, let's say xl0 on 10.0.0.1. And IPSec's
interface, enc0.
How should I organize pf and altq rules to achieve evenly distributed bandwidth?
I am thinking about this:

altq on fxp0 cbq bandwidth 700Kb queue {std, ssh_im, web, ... units}
 queue std bandwidth 10% priority 1 cbq (default red)
 queue ssh_im bandwidth 30% priority 10 cbq (borrow)
 queue web bandwidth 30% priority 5 cbq (borrow)
 queue units bandwidth 30% priority 5 cbq (borrow) {unit_1, unit_2, ... unit_10}
  queue unit_1 bandwidth 10% cbq (borrow)
  queue unit_2 bandwidth 10% cbq (borrow)
...
  queue unit_10 bandwidth 10% cbq (borrow)
...
block in on fxp0
pass in on fxp0  inet proto esp from $GATE_1 to $G_0 keep state queue(unit_1)
pass out on fxp0 inet proto esp from $G_0 to $GATE_1 keep state queue(unit_1)

pass in on fxp0  inet proto esp from $GATE_2 to $G_0 keep state queue(unit_2)
pass out on fxp0 inet proto esp from $G_0 to $GATE_2 keep state queue(unit_2)
...
pass in on fxp0  inet proto esp from $GATE_10 to $G_0 keep state queue(unit_10)
pass out on fxp0 inet proto esp from $G_0 to $GATE_10 keep state queue(unit_10)

Here, I think that I achieve evenly distributed bandwidth between
units. Further, I need to slice traffic in each IPSec tunnel between
primary gateway and each unit. For msrdp unit's traffic - 30% of this
unit's tunnel bandwidth, 70% for the rest. Is it useful to altq on
enc0?
This is in my mind:

altq on enc0 cbq bandwidth 230Kb queue {i_unit_1, i_unit_2, ... i_unit_10}
 queue i_unit_1 bandwidth 10% cbq (borrow) {i_unit_1_def, i_unit_1_msrdp}
  queue i_unit_1_def bandwidth 70% cbq (borrow)
  queue i_unit_1_msrdp bandwidth 30% cbq (borrow)
 queue i_unit_2 bandwidth 10% cbq (borrow) {i_unit_2_def, i_unit_2_msrdp}
  queue i_unit_2_def bandwidth 70% cbq (borrow)
  queue i_unit_2_msrdp bandwidth 30% cbq (borrow)
...
block in on enc0
pass in on enc0 inet proto {tcp, udp} from $GATE_1_NET to $G_0_NET keep state queue (i_unit_1_def)
pass in on enc0 inet proto tcp from $GATE_1_NET to $G_0_NET port 3389 keep state queue (i_unit_1_msrdp)

pass in on enc0 inet proto {tcp, udp} from $GATE_2_NET to $G_0_NET keep state queue (i_unit_2_def)
pass in on enc0 inet proto tcp from $GATE_2_NET to $G_0_NET port 3389 keep state queue (i_unit_2_msrdp)
...
----------------------------------------
Is it useful to do altq on enc0? Is it useful for my purposes?
What bandwidth should I set for "altq on enc0" (I set here 230Kb as _about_ 30% of 700Kb)?

Or maybe I need to use altq on fxp0 somehow (if I do not understand something)?

Please explain to me how pf.conf should be organized.

--
engineer
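
The per-unit queues and ESP rules on fxp0 that the post writes out by hand, expanded for any number of units by a small generator. This is an added example, not the poster's configuration: the gateway addresses are constructed (documentation ranges), and the function names are hypothetical. The output is the "units" subtree and its rules, to sit under the post's own altq line.

```python
# Added example: expands the post's per-unit ALTQ pattern on the external
# interface. Addresses are constructed (RFC 5737 documentation ranges).

def even_share(n_units):
    """Whole percent of the parent 'units' queue for each unit queue.

    Child percentages are relative to the parent queue and must not add up
    to more than 100, so the share is rounded down.
    """
    if not 1 <= n_units <= 100:
        raise ValueError("need between 1 and 100 units")
    return 100 // n_units


def render_units(central_gw, unit_gws, ext_if="fxp0", parent_pct=30):
    """Return pf.conf lines: macros, the 'units' queue tree, ESP pass rules."""
    share = even_share(len(unit_gws))
    names = [f"unit_{i}" for i in range(1, len(unit_gws) + 1)]
    out = [f'G_0 = "{central_gw}"']
    out += [f'GATE_{i} = "{gw}"' for i, gw in enumerate(unit_gws, 1)]
    out.append(f"queue units bandwidth {parent_pct}% priority 5 cbq(borrow) "
               f"{{ {', '.join(names)} }}")
    out += [f"  queue {n} bandwidth {share}% cbq(borrow)" for n in names]
    for i, n in enumerate(names, 1):
        # One macro pair and one queue name per unit, generated together so
        # the gateway macro and queue number cannot drift apart.
        out.append(f"pass in  on {ext_if} inet proto esp "
                   f"from $GATE_{i} to $G_0 keep state queue ({n})")
        out.append(f"pass out on {ext_if} inet proto esp "
                   f"from $G_0 to $GATE_{i} keep state queue ({n})")
    return out


if __name__ == "__main__":
    # Constructed sample: central gateway plus ten unit gateways.
    gateways = [f"198.51.100.{i}" for i in range(1, 11)]
    print("\n".join(render_units("192.0.2.1", gateways)))
```

Generated text can be syntax-checked before loading with pfctl -nf.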
