Subject: Re: ALTQ in firewall
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: César Catrián Carreño <ccatrian@eml.cc>
List: netbsd-help
Date: 08/25/2007 12:33:34

On Fri, 24 Aug 2007 07:53:21 +0300
Martti Kuparinen <martti.kuparinen@iki.fi> wrote:
> Hi,
> Our house has a shared internet connection (4M/512k ADSL) and the firewall is
> running NetBSD 3.1.1. Currently we are using the built-in IPF to perform all
> filtering. We have one public address for the external interface and 64 public
> addresses for the internal network.
> Now, from time to time, some users overload our uplink by sending e.g. large
> amount of digital photos to photo labs and this of course has negative effect
> for all our users as the TCP traffic slows down even though our downlink is not
> congested.
> I'm aware that PF supports ALTQ in NetBSD 4.0 but that would mean upgrade and
> I'd rather not upgrade because everything is very stable.
> So, is anyone using IPF with ALTQ in NetBSD 3.x? What queueing discipline should
> I use in this case? All real-life examples are welcome...
> Martti

I have 256K of upload ADSL in my house and two loads (you know) behind
my IPF firewall and router. I have a web server, ftp server and some
daemons like SSH.

This is my altq.conf. At the end of the file, there is an evil attempt
to use the conditioner filter, without success.

ALTQ works really well, stopping the bulk traffic when interactive
traffic goes out. One thing I wanted to know is if the bulk traffic
slows down when I am looking at some external website.

### altq.conf
interface pppoe0 bandwidth 240k cbq
class cbq pppoe0 root NULL pbandwidth 100
### meta-class for pppoe0
class cbq pppoe0 ctl_class root priority 7 pbandwidth 5 control
class cbq pppoe0 def_class root priority 6 pbandwidth 95 default
### sub-classes
class cbq pppoe0 heavy def_class priority 0 borrow pbandwidth 0 red
        filter pppoe0 heavy     0 0     0 0     6       # other tcp
        filter pppoe0 heavy     0 0     0 0     17      # other udp
class cbq pppoe0 prefe def_class priority 6 borrow pbandwidth 90
        filter pppoe0 prefe     0 25     0 0    6       # smtp
        filter pppoe0 prefe     0 0     0 80    6       # http
        filter pppoe0 prefe     0 80    0 0     6       # http
        filter pppoe0 prefe     0 0     0 443   6       # https
        filter pppoe0 prefe     0 443   0 0     6       # https
        filter pppoe0 prefe     0 2401  0 0     6       # cvs
class cbq pppoe0 inter def_class priority 7 borrow pbandwidth 5
        filter pppoe0 inter     0 22    0 0     6       # ssh
        filter pppoe0 inter     0 43    0 0     6       # whois
        filter pppoe0 inter     0 0     0 53    6       # dns
        filter pppoe0 inter     0 53    0 0     6       # dns
        filter pppoe0 inter     0 0     0 53    17      # dns/udp
        filter pppoe0 inter     0 53    0 0     17      # dns/udp
        filter pppoe0 inter     0 0     0 113   6       # auth
        filter pppoe0 inter     0 113   0 0     6       # auth
        filter pppoe0 inter     0 0     0 706   6       # silc
        filter pppoe0 inter     0 706   0 0     6       # silc
        filter pppoe0 inter     0 993   0 0     6       # imaps
        filter pppoe0 inter     0 1863  0 0     6       # msn
        filter pppoe0 inter     0 0     0 6667  6       # irc
        filter pppoe0 inter     0 6667  0 0     6       # irc
### Conditioner
#interface nfe0
#conditioner nfe0 cond <tbmeter 1M 32K <pass> <drop>>
#       filter nfe0 cond 192.168.1.XX 0 0 0 0   #

Regards
--
César Catrián Carreño
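
An added example, not part of the original message: a small Python check over the class and filter lines of the altq.conf above. It converts each class's pbandwidth into kbit/s of the 240k link, flags any parent class whose children add up to more than its own share, and lists ports that are matched in only one direction, reading the filter fields as dst_addr dport src_addr sport proto. The function names are hypothetical and the filter list is abridged.

```python
from collections import defaultdict
# Lines copied from the altq.conf above; the filter list is abridged.
CONF = """\
interface pppoe0 bandwidth 240k cbq
class cbq pppoe0 root NULL pbandwidth 100
class cbq pppoe0 ctl_class root priority 7 pbandwidth 5 control
class cbq pppoe0 def_class root priority 6 pbandwidth 95 default
class cbq pppoe0 heavy def_class priority 0 borrow pbandwidth 0 red
class cbq pppoe0 prefe def_class priority 6 borrow pbandwidth 90
class cbq pppoe0 inter def_class priority 7 borrow pbandwidth 5
filter pppoe0 prefe 0 0 0 80 6       # http
filter pppoe0 prefe 0 80 0 0 6       # http
filter pppoe0 inter 0 22 0 0 6       # ssh
"""

def parse(text):
    """Return (link_kbps, {class: (parent, pct)}, [(class, dport, sport, proto)])."""
    link, classes, filters = 0, {}, []
    for line in text.splitlines():
        tok = line.split("#")[0].split() or [""]   # drop comments and blank lines
        if tok[0] == "interface":          # only the "k" suffix is handled here
            link = int(tok[tok.index("bandwidth") + 1].rstrip("kK"))
        elif tok[0] == "class":            # class cbq <if> <name> <parent> ...
            classes[tok[3]] = (tok[4], int(tok[tok.index("pbandwidth") + 1]))
        elif tok[0] == "filter":           # <if> <class> dst dport src sport proto
            filters.append((tok[2], int(tok[4]), int(tok[6]), int(tok[7])))
    return link, classes, filters

def guaranteed_kbps(link, classes):  # pbandwidth is a percentage of the link
    return {name: link * pct / 100 for name, (_, pct) in classes.items()}

def oversubscribed(classes):
    """Parents whose children's shares add up to more than the parent's own."""
    total = defaultdict(int)
    for parent, pct in classes.values():
        total[parent] += pct
    return {p: t for p, t in total.items() if p in classes and t > classes[p][1]}

def one_way_ports(filters):
    """(class, port, proto) entries matched only as dport or only as sport."""
    seen = defaultdict(set)
    for cls, dport, sport, proto in filters:
        for port, side in ((dport, "dport"), (sport, "sport")):
            if port:
                seen[(cls, port, proto)].add(side)
    return sorted(key for key, dirs in seen.items() if len(dirs) == 1)

if __name__ == "__main__":
    link, classes, filters = parse(CONF)
    print(guaranteed_kbps(link, classes), oversubscribed(classes), one_way_ports(filters))
```

A port matched only as dport covers connections going out through pppoe0 to that port, not replies sent by a local server listening on it.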
