Stuart Henderson wrote:
Are you using altq?
Yes, using the hfsc scheduler. I think that was the hint I needed.
udp packets were all being assigned to the dns queue so I added another
match rule to put openvpn traffic into the default queue.
Here's what I have now:
match in all scrub (no-df max-mss 1440)

altq on $ext_if bandwidth $ext_bw hfsc queue { main }

queue main bandwidth 99% priority 7 qlimit 100 hfsc (realtime 20%, linkshare 99%) \
    { q_pri, q_web, q_mail, q_def, q_dns }
queue q_pri  bandwidth 4%  priority 7 hfsc (realtime 0, linkshare 4% red)
queue q_web  bandwidth 50% priority 6 hfsc (realtime 30% linkshare 50% red)
queue q_def  bandwidth 30% priority 5 hfsc (default realtime (100Kb 3000 30Kb) linkshare 30% red)
queue q_mail bandwidth 13% priority 1 hfsc (realtime (30Kb 3000 12Kb) linkshare 13% red)
queue q_dns  bandwidth 3%  priority 7 qlimit 100 hfsc (realtime (30Kb 3000 12Kb), linkshare 3%)

match out on $ext_if from $localnet nat-to $carp_if queue (q_def, q_pri)
match out on $ext_if proto tcp to port { www https } queue (q_web, q_pri)
match out on $ext_if proto udp to port { 1194 } queue (q_web, q_pri)
match out on $ext_if proto tcp to port smtp queue (q_mail, q_pri)
match out on $ext_if proto { tcp udp } to port domain queue (q_dns, q_pri)
match out on $ext_if proto icmp queue (q_dns, q_pri)
So, we'll see how that holds up over the course of the day.
Thanks, Stuart!
Jeff
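The point of Jeff's fix is that pf applies match rules in order, and each matching match rule overwrites the queue assignment left by earlier ones, so the last rule that matches a packet decides its queue. The script below is an added example for this thread, not something from the original post: it models that ordering over the posted ruleset and shows which queue a few constructed flows land in, and what happens if the nat-to catch-all is moved after the port-specific rules. The "last matching rule wins" behaviour is my reading of pf's match semantics; the $localnet value (192.168.1.0/24), the sample source addresses, and the numeric ports for www, https, smtp and domain are assumptions made for the example. It also checks that the children of each hfsc queue do not claim more than 100% of their parent.

```python
"""Model of pf match-rule queue assignment for the hfsc ruleset posted above.
Example added to this thread, not part of the original post. Assumptions:
the last matching match rule's queue assignment is applied, and $localnet
is 192.168.1.0/24 (a constructed value)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LOCALNET = ip_network("192.168.1.0/24")  # constructed stand-in for $localnet


@dataclass(frozen=True)
class Rule:
    protos: Optional[frozenset]   # None means any protocol
    dports: Optional[frozenset]   # None means any destination port
    from_local: bool              # rule carries "from $localnet"
    queues: tuple                 # (bulk queue, priority queue)


# The posted outbound match rules, in pf.conf order. Port numbers stand in
# for the service names used in the post (www=80, https=443, smtp=25, domain=53).
POSTED_RULES = [
    Rule(None, None, True, ("q_def", "q_pri")),                              # nat-to catch-all
    Rule(frozenset({"tcp"}), frozenset({80, 443}), False, ("q_web", "q_pri")),
    Rule(frozenset({"udp"}), frozenset({1194}), False, ("q_web", "q_pri")),  # openvpn
    Rule(frozenset({"tcp"}), frozenset({25}), False, ("q_mail", "q_pri")),
    Rule(frozenset({"tcp", "udp"}), frozenset({53}), False, ("q_dns", "q_pri")),
    Rule(frozenset({"icmp"}), None, False, ("q_dns", "q_pri")),
]

# Same rules with the catch-all moved last: it then overrides every earlier
# assignment for packets from $localnet.
REORDERED_RULES = POSTED_RULES[1:] + POSTED_RULES[:1]


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int]   # None for protocols without ports (icmp)
    src: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.from_local and ip_address(pkt.src) not in LOCALNET:
        return False
    return True


def assign_queue(pkt: Packet, rules=POSTED_RULES):
    """Walk the rules in order; every matching match rule overwrites the
    queue assignment, so the last match wins. None means nothing matched."""
    assigned = None
    for rule in rules:
        if rule_matches(rule, pkt):
            assigned = rule.queues
    return assigned


# The hfsc tree from the post; child bandwidth percentages are relative to the parent.
QUEUE_TREE = {
    "main":   {"bandwidth": 99, "children": ["q_pri", "q_web", "q_mail", "q_def", "q_dns"]},
    "q_pri":  {"bandwidth": 4,  "children": []},
    "q_web":  {"bandwidth": 50, "children": []},
    "q_def":  {"bandwidth": 30, "children": []},
    "q_mail": {"bandwidth": 13, "children": []},
    "q_dns":  {"bandwidth": 3,  "children": []},
}


def overcommitted_queues(tree) -> list:
    """Names of queues whose children together claim more than 100% of the parent."""
    return [name for name, q in tree.items()
            if sum(tree[c]["bandwidth"] for c in q["children"]) > 100]


if __name__ == "__main__":
    # Constructed sample flows from a host on $localnet.
    samples = [Packet("udp", 1194, "192.168.1.10"), Packet("udp", 53, "192.168.1.10"),
               Packet("tcp", 443, "192.168.1.10"), Packet("tcp", 8080, "192.168.1.10"),
               Packet("icmp", None, "192.168.1.10")]
    for p in samples:
        print(f"{p.proto:4} {str(p.dport):5} posted={assign_queue(p)} "
              f"reordered={assign_queue(p, REORDERED_RULES)}")
    print("overcommitted:", overcommitted_queues(QUEUE_TREE))
```

Running it shows the openvpn flow landing in q_web under the posted order but falling back to q_def if the nat-to rule is placed last; a quick way to sanity-check rule order before loading a ruleset with pfctl.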