
I currently have a FreeBSD 8.2 media server set up on my LAN that I use to stream my music from.

I also have an SSH login that I use to do file transfers to and from this server remotely. I would like to set up ALTQ (and have gotten this working) to limit my outgoing bandwidth from the server for SSH traffic. However, configuring ALTQ this way is also limiting my internal traffic (and thus interfering with my music streaming) since I am only using a single network interface.

Can anyone show me how I would use PF and ALTQ to limit outgoing WAN traffic while allowing all internal LAN traffic to go through unhindered?

ext_if="eth0"
int_if="eth0"

altq on eth0 cbq bandwidth 1Mb queue { std, ssh }

queue std bandwidth 80% cbq(default)
queue ssh bandwidth 20% cbq(ecn)

pass out on eth0 proto tcp to port 22 queue ssh

eth0 is my LAN interface, my total WAN bandwidth on my cable connection is 1Mb/s, and my internal network is 10/100.

Edit: perhaps it will be clearer if I illustrate my network:

I have four total machines on my network all hooked up to a standard wireless router (no dd-wrt or anything on it yet):

  • XBMC box that needs wifi access
  • Normal desktop PC running Windows
  • Laptop that would like wireless access to the firewall
  • Fileserver running FreeBSD with 1 NIC that needs limiting.

The fileserver has one NIC. All I really need to do is limit the total outgoing bandwidth to the WAN on my fileserver to an arbitrary percentage of my total broadband connection without applying the same limits to LAN file transfers. To do this, I really need PF to be able to distinguish LAN-destined packets from WAN-destined packets.

Edit: This is what I've been working with lately but it doesn't seem to be properly putting stuff into the WAN queue:

my_net = 192.168.0.0/24

altq on eth0 cbq bandwidth 100Mb queue { wan, lan }

queue lan bandwidth 99500Kb cbq(default)
queue wan bandwidth 500Kb cbq(ecn)

pass out on eth0 from any to !$my_net queue lan
javanix

1 Answer


Your rules are fundamentally sound, just not specific enough -- you have one interface (this isn't your firewall, right?), so you want to limit the stuff you assign to the "SSH" queue by destination. For example:

my_net=10.0.0.0/8
pass out on eth0 proto tcp from any to !$my_net port 22 queue ssh

Two other things you may also want to consider:

  • Add "borrow" to the "std" queue so you have more speed for other stuff when SSH isn't sucking bandwidth
  • If streaming is the really important functionality you may want to reverse your logic
    (create a "music" queue that reserves the amount of bandwidth needed to ensure reliable streaming, let everything else fight over the remainder.)
voretaq7
  • You can also forego the traffic shaping on this box if it's just a host inside your LAN (do the traffic shaping on the firewall instead) -- this is usually preferable as it creates less complex rulesets. If this *IS* your firewall you really ought to get a second NIC :-) – voretaq7 Jan 04 '11 at 21:33
  • Yeah, the problem is I don't really have a second machine to use as a firewall - I'm just using my standard wireless router to block everything off except SSH. The fileserver is just a host within my LAN, but it talks to the outside world enough that I need to tone it down a bit. – javanix Jan 05 '11 at 03:38
  • Yeah, if you're dealing with a situation like that what I have above is probably as good as you can get (make an "outside world" queue that's got limited bandwidth and drop everything to `!$my_net` into that queue) -- You want the bandwidth on the actual interface to be the true available bandwidth so the other queue(s) can use it. As you've seen limiting bandwidth on the interface itself artificially caps all your traffic. – voretaq7 Jan 06 '11 at 20:12
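Putting the answer and the follow-up comments together, here is a complete pf.conf fragment for the single-NIC file server described in the question. It is an added example, not the asker's or answerer's own configuration. It assumes the NIC is called em0 (the question writes eth0, which is a Linux name; FreeBSD uses driver names such as em0 or re0), that the LAN is 192.168.0.0/24 on a 100 Mbit/s link, and that the upstream cable connection is 1 Mbit/s, of which the server is allowed roughly half. The interface bandwidth is set to the real LAN speed, the WAN queue is the only thing capped, and the borrow option lets the LAN queue absorb idle capacity, as the answer suggests.

```conf
# Added example config for the single-NIC file server; assumed names and
# numbers are marked below. Requires a kernel built with ALTQ and ALTQ_CBQ.
nic    = "em0"              # assumption: FreeBSD interface name
my_net = "192.168.0.0/24"   # assumption: local LAN prefix

# Shape on the interface's true capacity (100Mb on the LAN side).
# Declaring 1Mb here, as in the first attempt, throttles LAN streaming too.
altq on $nic cbq bandwidth 100Mb queue { lan, wan }

# LAN traffic is the default queue. 'borrow' lets it use whatever the wan
# queue leaves idle, so local file copies and streaming run at full speed.
queue lan bandwidth 99Mb cbq(default borrow)

# Everything leaving the LAN shares one 500Kb slice of the 1Mb upstream link.
# A child queue for SSH gives remote transfers a guaranteed share of that
# slice without letting them starve other outbound traffic.
queue wan bandwidth 500Kb cbq(ecn) { wan_ssh, wan_other }
  queue wan_ssh   bandwidth 60% cbq(ecn borrow)
  queue wan_other bandwidth 40% cbq(ecn)

# Rule order matters: pf uses the last matching rule, so the generic
# "not my LAN" rule comes first and the more specific SSH rule overrides it.
pass out on $nic from any to !$my_net queue wan_other
pass out on $nic proto tcp from any to !$my_net port 22 queue wan_ssh

# Anything destined for $my_net matches no queue-tagged rule and therefore
# lands in the default (lan) queue.
pass out on $nic from any to $my_net

# Alternative from the answer ("reverse the logic"): reserve bandwidth for
# the streaming clients instead of capping the rest, e.g.
#   queue music bandwidth 20Mb cbq(borrow)
#   pass out on $nic proto tcp from any to $my_net port 8000 queue music
# where 8000 is a placeholder for the streaming server's port.
```

Before loading it, check the syntax with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and watch `pfctl -vvsq` while an SSH transfer runs: the packet and byte counters on wan_ssh should climb while lan stays at the interface rate. Two caveats worth keeping in mind: ALTQ only shapes traffic the server sends, so this caps uploads to the WAN but does nothing for downloads into it, and because the server is just a host on the LAN, the router still forwards whatever it emits, so the 500Kb figure has to be chosen to leave the rest of the household enough of the 1Mb line.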