On Tuesday 27 February 2007 11:31 am, Albert Chin wrote:
> I have the following setup:
>                                   | (67.95.100.16 - fxp4)
>                                   | (67.95.100.17 - fxp4)
>                            ----------------
>                           |    EXTERNAL    |
>                           |    FIREWALL    |
>                            ----------------
>                                   | (192.168.10.2 - fxp1)
>           (192.168.10.1)          |
>          ----------------         |
>         |     WWW/FTP    |        |
>         |     SERVER     |--------+
>          ----------------
>
> The 67.95.100.17 IP address belongs to 'EXTERNAL FIREWALL' on fxp4.
> The 67.95.100.16 IP address is an alias on fxp4 to redirect www/ftp
> traffic to an internal server. I'd like to limit bandwidth to
> 67.95.100.16 depending on the protocol used.
>
> Traffic navigates to 'WWW/FTP SERVER' via a rdr rule for the ftp
> traffic (reverse ftp-proxy):
>   rdr pass log on fxp4 proto tcp from any to 67.95.100.16 \
>     port = http -> 192.168.10.1
>   rdr pass log on fxp4 proto tcp from any to 67.95.100.16 \
>     port = ftp -> 127.0.0.1 port 8022
>
> The reverse ftp-proxy is running as:
>   # /usr/sbin/ftp-proxy -R 192.168.10.1 -p 8022
>
> I created a queue to limit traffic on the internal interface
> connecting 'EXTERNAL FIREWALL' to 'WWW/FTP SERVER':
>   altq on fxp1 cbq bandwidth 1.5Mb queue \
>     { queue_std, queue_ftp, queue_http }

You are queueing on fxp1 on the external firewall. This should affect traffic 
going from the external firewall to the www/ftp server; however, it sounds 
like you are trying to affect traffic moving in the opposite direction. To 
quote from the pf faq,

"Note that queueing is only useful for packets in the outbound direction. Once 
a packet arrives on an interface in the inbound direction it's already too 
late to queue it -- it's already consumed network bandwidth to get to the 
interface that just received it. The only solution is to enable queueing on 
the adjacent router or, if the host that received the packet is acting as a 
router, to enable queueing on the internal interface where packets exit the 
router."

>
>   queue queue_std bandwidth 1.48Mb cbq(default)
>   queue queue_ftp bandwidth 10Kb
>   queue queue_http bandwidth 10Kb cbq(red)
>
> And, the rules allowing traffic to 'WWW/FTP SERVER':
>   pass  in log on fxp1 proto { tcp, udp } from any to any \
>     port = domain keep state
>   pass out log on fxp1 proto tcp from any to any \
>     port = http keep state queue queue_http
>   pass out log on fxp1 proto tcp from any to any \
>     port = ftp keep state queue queue_ftp
>   pass out log on fxp1 inet proto icmp all \
>     icmp-type $icmp_types keep state queue queue_std
>
> From an external server, I attempted to download a file with curl
> using ftp and www from 'WWW/FTP SERVER' server. Curl reports that
> downloading via ftp shows no bandwidth limiting. As for www, the
> bandwidth seems limited to ~30Kb/s. Why isn't my 10Kb bandwidth being
> honoured?

-- 
Tim Kuhlman
Network Administrator
ColoradoVnet.com
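The point made in the reply, written out as a pf.conf fragment. This is an added example, not the configuration from either message: it reuses the interface names, addresses and queue names from the thread, moves the altq definition from fxp1 to fxp4, and assumes the old ftp-proxy is still running in reverse mode on 127.0.0.1:8022. The data connections that ftp-proxy itself relays are separate TCP connections and are not covered here.

```pf
# Added example, not the configuration from the thread: queue the server's
# replies on the interface they actually leave, the external fxp4.
ext_if     = "fxp4"
www_ftp_ip = "67.95.100.16"
www_srv    = "192.168.10.1"

# altq moves from fxp1 to fxp4. 1.5Mb is the figure from the thread; it
# should match the real uplink speed, otherwise cbq cannot enforce the shares.
altq on $ext_if cbq bandwidth 1.5Mb queue { queue_std, queue_ftp, queue_http }
  queue queue_std  bandwidth 1.48Mb cbq(default)
  queue queue_ftp  bandwidth 10Kb
  queue queue_http bandwidth 10Kb cbq(red)

# Plain rdr (no "pass"): "rdr pass" skips the filter rules entirely, so no
# queue could ever be attached to the state. The filter rules below see the
# translated destination address and port.
rdr log on $ext_if proto tcp from any to $www_ftp_ip port http -> $www_srv
rdr log on $ext_if proto tcp from any to $www_ftp_ip port ftp  -> 127.0.0.1 port 8022

# The queue named on the rule is stored in the state entry, so the reply
# packets (server -> client) are placed in that queue when they leave $ext_if,
# the only direction in which queueing can take effect.
pass in log on $ext_if proto tcp from any to $www_srv port http \
    flags S/SA keep state queue queue_http
pass in log on $ext_if proto tcp from any to 127.0.0.1 port 8022 \
    flags S/SA keep state queue queue_ftp
```

Check the result with `pfctl -vsq` while a download is running: the byte and packet counters of queue_http on fxp4 should climb, and the queue should show drops once the 10Kb limit is reached.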
