
List:       openbsd-misc
Subject:    Re: pf queuing/bandwidth control question
From:       Stuart Henderson <stu.lists () spacehopper ! org>
Date:       2022-02-18 21:10:09
Message-ID: slrnt102ph.1gv5.stu.lists () naiad ! spacehopper ! org

On 2022-02-18, Matthias Pressfreund <mpfr@fn.de> wrote:
> On 2022-02-17 18:56, Stuart Henderson wrote:
> > On 2022-02-17, Matthias Pressfreund <mpfr@fn.de> wrote:
> > > On a server with 3 LAN interfaces (re0/1/2):
> > > * re0 connected to the ISP
> > > * re1 connected to the internal network
> > > * re2 so far unused
> > > 
> > > I was setting up pf queues for bandwidth control as follows:
> > > * one queue on re0 for outgoing traffic
> > > * another queue on re1 for incoming traffic
> > > 
> > > Now, I would like to connect a wireless LAN router to re2 offering a
> > > guest network. As far as I understood, a pf queue has to be bound to
> > > exactly one network interface. So I'm wondering if there is another way
> > > to include incoming traffic on re2 into the very same bandwidth control
> > > currently realized by the queue on re1.
> > 
> > A queue is bound to one interface, but, you can have multiple queues
> > with the same name. "queue foo on em0", "queue foo on em1".
> > 
> > An assignment in PF e.g. "queue foo" will then use whichever is the
> > relevant "foo on $iface" when packets are transmitted which match
> > the PF state created by that rule.
> > 
> 
> Just for curiosity... What happens if after binding "queue foo on em0",
> there is a rule like "pass out on em1 set queue foo"? Will a packet passed
> out here (on em1) go into the bandwidth control bound on queue foo even
> though bound to em0?

The queue is attached to a firewall state and all packets matching
that state will pick it up. So if you have a named queue present on em0
but not em1, and match with "pass out on em1 set queue foo", packets
transmitted on em1 will not be queued, but packets matching that state
(return packets via em0) _will_ be queued.

I suggest making some rules that will match a speed test of some sort
(tcpbench is easy and in base on OpenBSD) and playing around to get a
feel for what works. Probably helpful to watch "pfctl -vvsq" and/or
"systat queues".

-- 
Please keep replies on the mailing list.

