
On 9/7/07 7:54 AM, mail-lists wrote:
> I'm attempting to set up pf for a voip system. In order to prioritize
> VoIP packets I have this queue:
> 
> altq on $ext_if priq bandwidth 1.4Mb queue { std_out, voip_out, tos_lowdelay_out }
> queue std_out priq(default)
> queue voip_out priority 11
> queue tos_lowdelay_out priority 12
> 
> This normally works very well.  I'm planning to allow all inbound
> traffic to my VOIP Server like this:
> 
> pass in quick log on $ext_if proto { tcp, udp } from any to $VOIP_SERVERS port $VOIP_PORTS
> 
> This rule works. I then wish to pass all OUTGOING traffic back out
> through the queue, like this:
> 
> pass out log quick on $ext_if proto { tcp, udp } from $VOIP_SERVERS to any port $VOIP_PORTS queue (voip_out, tos_lowdelay_out)
> 
> Here's where my problem arises. I'm assuming that when the packet
> comes in through the first rule it creates a state entry. That way the
> outgoing rule is never applied and packets never enter the voip_out
> queue. They all just go out through the std_out queue. I could of course
> append the "no state" option to the first rule, but considering the
> number of small packets VoIP produces, it would be better to have state
> entries created.
> 
> Does anyone know of a simple way to handle this? Is the no state option
> the best (or only) way to ensure the outgoing rule is applied? Maybe I'm
> just overlooking something absurdly silly.

1. I believe "keep state" is still needed when using queuing. The
pf.conf manpage says it must be specified explicitly to apply options to
a rule.

2. The "queue (class1, class2)" syntax assumes class1 TOS == 0 and
class2 TOS != 0. In your pass out rule, it looks like you're assuming
voip_out traffic will have a TOS value of 0, which may not be what you
intended.

3. priq works well at protecting whatever class of traffic it treats as
high priority, but it can lead to "starving" for lower-priority traffic
classes. You might consider using hfsc instead. There's an example here:

http://www.bastard.net/~kos/pf-voip.html

4. Is $VOIP_PORTS a macro for some huge range? Better to classify on
source subnet or IP instead. (Please ignore if you're using IAX2 instead
of SIP or H.323.)

dn
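For reference, here is a complete pf.conf fragment for the setup discussed in this thread. It is an added example, not configuration posted by either participant. It relies on the fact that pf stores the queue named in a rule in the state that rule creates, and applies that queue to any packet of the state that leaves on an interface with ALTQ enabled, so putting `queue` on the inbound `pass in` rule is enough for the servers' replies to land in voip_out without disabling state tracking. The interface name, the RFC 5737 server addresses and the port list are assumptions for illustration, and the queue definitions are copied from the original post.

```pf
# Added example; not from the original thread.
ext_if       = "fxp0"                          # assumed external interface
voip_servers = "{ 192.0.2.10, 192.0.2.11 }"    # assumed server addresses
# Assumed SIP signalling plus an RTP media range (not IAX2, which uses one port).
voip_ports   = "{ 5060, 10000:20000 }"

# Queue definitions as in the original post (priq, priorities 0-15).
altq on $ext_if priq bandwidth 1.4Mb queue { std_out, voip_out, tos_lowdelay_out }
queue std_out priq(default)
queue voip_out priority 11
queue tos_lowdelay_out priority 12

# Inbound calls: this rule creates the state, and the queue pair named here
# is recorded in that state.  Reply packets from the servers leaving on
# $ext_if are therefore enqueued in voip_out (or tos_lowdelay_out for
# lowdelay-TOS packets and empty TCP ACKs) without a matching "pass out"
# rule ever being consulted, and without "no state".
pass in log quick on $ext_if proto { tcp, udp } from any \
    to $voip_servers port $voip_ports keep state \
    queue (voip_out, tos_lowdelay_out)

# Outbound calls the servers originate: here the state is created on the way
# out, so the queue goes on the "pass out" rule.  Classifying on the source
# address rather than a wide port range keeps the rule simple (point 4 above).
pass out log quick on $ext_if proto { tcp, udp } from $voip_servers to any \
    keep state queue (voip_out, tos_lowdelay_out)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -vs queue` while a call is up: the packet counters for voip_out should increase for reply traffic of inbound calls, while std_out stays flat for those flows.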
