Thread: ALTQ in firewall

ALTQ in firewall
Martti Kuparinen (Sweden)
2007-08-23 23:53:21
Hi,

Our house has a shared internet connection (4M/512k ADSL) and the firewall is running NetBSD 3.1.1. Currently we are using the built-in IPF to perform all filtering. We have one public address for the external interface and 64 public addresses for the internal network.

Now, from time to time, some users overload our uplink by sending e.g. large amounts of digital photos to photo labs and this of course has a negative effect for all our users as the TCP traffic slows down even though our downlink is not congested.

I'm aware that PF supports ALTQ in NetBSD 4.0 but that would mean an upgrade and I'd rather not upgrade because everything is very stable.

So, is anyone using IPF with ALTQ in NetBSD 3.x? What queueing discipline should I use in this case? All real-life examples are welcome...

Martti

Re: ALTQ in firewall
Geoff
2007-08-24 00:14:29
On Friday 2007-08-24 14:53 +1000, Martti Kuparinen output:
:Our house has a shared internet connection (4M/512k ADSL) and the firewall is running NetBSD 3.1.1. Currently we are using the built-in IPF to perform all filtering. We have one public address for the external interface and 64 public addresses for the internal network.
:
:I'm aware that PF supports ALTQ in NetBSD 4.0 but that would mean an upgrade and I'd rather not upgrade because everything is very stable.
:
:So, is anyone using IPF with ALTQ in NetBSD 3.x? What queueing discipline should I use in this case? All real-life examples are welcome...

I'm using IPF and ALTQ in -current. People have mentioned that ALTQ is somewhat unwieldy or slow, though I don't have a problem (Pentium4 2GHz) given a slow uplink.

Here's a snippet of something I use on a machine connected via 100Mb to a router on a 256Kb uplink.

------------------------------------------------------------

# filter fields: dst_addr [netmask m] dst_port src_addr [netmask m] src_port proto (0 = any)
interface ex0 bandwidth 100M cbq
class cbq ex0 root_class NULL priority 0 pbandwidth 100
class cbq ex0 def_class root_class borrow pbandwidth 95 default
class cbq ex0 tcp_class def_class borrow pbandwidth 80
        filter ex0 tcp_class 0 0 0 0 6                          # all TCP
class cbq ex0 csl_class tcp_class exactbandwidth 192K
        filter ex0 csl_class 0 0 0 80 6                         # src port 80/tcp (http)
        filter ex0 csl_class 0 0 0 110 6                        # src port 110/tcp (pop3)
        filter ex0 csl_class 0 0 0 873 6                        # src port 873/tcp (rsync)
        filter ex0 csl_class 0 0 0 995 6                        # src port 995/tcp (pop3s)
class cbq ex0 smtp_class csl_class borrow exactbandwidth 160K
        filter ex0 smtp_class 0 25 0 0 6                        # dst port 25/tcp (smtp)
class cbq ex0 local_class tcp_class borrow pbandwidth 70
        filter ex0 local_class 192.168.0.0 netmask 0xffff0000 0 0 0 6   # dst 192.168/16, tcp
        filter ex0 local_class a.b.c.0 netmask 0xffffff00 0 0 0 6       # dst a.b.c.0/24, tcp

------------------------------------------------------------


Regards,
Geoff

Re: ALTQ in firewall
David
2007-08-24 04:19:21
On 24 Aug 2007, at 7:53, Martti Kuparinen wrote:

> Hi,
> 
> Our house has a shared internet connection (4M/512k ADSL) and the firewall is running NetBSD 3.1.1. Currently we are using the built-in IPF to perform all filtering. We have one public address for the external interface and 64 public addresses for the internal network.
> 
> Now, from time to time, some users overload our uplink by sending e.g. large amounts of digital photos to photo labs and this of course has a negative effect for all our users as the TCP traffic slows down even though our downlink is not congested.
> 
> I'm aware that PF supports ALTQ in NetBSD 4.0 but that would mean an upgrade and I'd rather not upgrade because everything is very stable.
> 
> So, is anyone using IPF with ALTQ in NetBSD 3.x? What queueing discipline should I use in this case? All real-life examples are welcome...

I'm using altq with 3.1 on a k6-400. I've tried various altq strategies but all seemed to make about the same difference, which has been a considerable improvement in responsiveness. I've not touched it since Feb 23, and altq.conf indicates I tried hfsc, priq, fifoq and wfq and finished up with hfsc. I might have some traffic timings somewhere. I monitored uploads for latency and adjusted to greatly reduce the spike (my ISP provides continuous line quality monitoring as a graph of LCP latency, which made the job easy). I've no idea if the settings used are optimum, just that they made a very significant improvement.

adsl kbit/s  down = 2272  up = 288

### altq.conf
#
# HFSC # hfsc configuration for hierarchical sharing
#                        root ( 240K )
#                         |
#                   LG_class ( 90% 192K )
#                         |
#               +---------+---------+
#               |         |         |
#             LG_LP     LG_MP     LG_HP
#             (20%)     (60%)     (10%)
#           (42700)   (128000)    (21300)
#
# filter fields: dst_addr dst_port src_addr src_port proto (0 = any)
# interface le0 bandwidth 240K tbrsize 300 hfsc
interface le0 bandwidth 240K tbrsize 1500 hfsc
    class hfsc le0 def_class root  pshare 10 default
    class hfsc le0 LG_class root   pshare 90 grate 192K
#
    class hfsc le0 LG_LP LG_class  pshare 20 grate  42700 
        filter le0 LG_LP 0   0 0 0 17           # all UDP (low-priority class)

    class hfsc le0 LG_MP LG_class  pshare 60 grate 128000
        filter le0 LG_MP 0   0 0 0  6           # all TCP (medium-priority class)
#
    class hfsc le0 LG_HP LG_class  pshare 10 grate  21300
        filter le0 LG_HP 0 123 0 0  6           # dst port 123/tcp (ntp)
        filter le0 LG_HP 0 123 0 0 17           # dst port 123/udp (ntp)
        filter le0 LG_HP 0  53 0 0  6           # dst port 53/tcp (dns)
        filter le0 LG_HP 0  53 0 0 17           # dst port 53/udp (dns)
        filter le0 LG_HP 0  22 0 0  6           # dst port 22/tcp (ssh)
        filter le0 LG_HP 0   0 0 0  1           # icmp


David



Re: ALTQ in firewall
César Catrián Carreño (Chile)
2007-08-25 11:33:34
On Fri, 24 Aug 2007 07:53:21 +0300
Martti Kuparinen <martti.kuparineniki.fi> wrote:
> Hi,
> Our house has a shared internet connection (4M/512k ADSL) and the firewall is running NetBSD 3.1.1. Currently we are using the built-in IPF to perform all filtering. We have one public address for the external interface and 64 public addresses for the internal network.
> Now, from time to time, some users overload our uplink by sending e.g. large amounts of digital photos to photo labs and this of course has a negative effect for all our users as the TCP traffic slows down even though our downlink is not congested.
> I'm aware that PF supports ALTQ in NetBSD 4.0 but that would mean an upgrade and I'd rather not upgrade because everything is very stable.
> So, is anyone using IPF with ALTQ in NetBSD 3.x? What queueing discipline should I use in this case? All real-life examples are welcome...
> Martti

I have 256K of upload ADSL in my house and two loads (you know) behind my IPF firewall and router. I have a web server, FTP server and some daemons like SSH.

This is my altq.conf. At the end of the file, there is an evil attempt to use the conditioner filter, without success.

ALTQ works really well, stopping the bulk traffic when interactive traffic goes out. One thing I wanted to know is if the bulk traffic slows down when I am looking at some external website.

### altq.conf
# filter fields: dst_addr dst_port src_addr src_port proto (0 = any)
interface pppoe0 bandwidth 240K cbq
class cbq pppoe0 root NULL pbandwidth 100
### meta-class for pppoe0
class cbq pppoe0 ctl_class root priority 7 pbandwidth 5 control
class cbq pppoe0 def_class root priority 6 pbandwidth 95 default
### sub-classes
class cbq pppoe0 heavy def_class priority 0 borrow pbandwidth 0 red
        filter pppoe0 heavy     0 0     0 0     6       # other TCP
        filter pppoe0 heavy     0 0     0 0     17      # other UDP
class cbq pppoe0 prefe def_class priority 6 borrow pbandwidth 90
        filter pppoe0 prefe     0 25    0 0     6       # SMTP
        filter pppoe0 prefe     0 0     0 80    6       # HTTP
        filter pppoe0 prefe     0 80    0 0     6       # HTTP
        filter pppoe0 prefe     0 0     0 443   6       # HTTPS
        filter pppoe0 prefe     0 443   0 0     6       # HTTPS
        filter pppoe0 prefe     0 2401  0 0     6       # CVS
class cbq pppoe0 inter def_class priority 7 borrow pbandwidth 5
        filter pppoe0 inter     0 22    0 0     6       # SSH
        filter pppoe0 inter     0 43    0 0     6       # WHOIS
        filter pppoe0 inter     0 0     0 53    6       # DNS
        filter pppoe0 inter     0 53    0 0     6       # DNS
        filter pppoe0 inter     0 0     0 53    17      # DNS/UDP
        filter pppoe0 inter     0 53    0 0     17      # DNS/UDP
        filter pppoe0 inter     0 0     0 113   6       # AUTH
        filter pppoe0 inter     0 113   0 0     6       # AUTH
        filter pppoe0 inter     0 0     0 706   6       # SILC
        filter pppoe0 inter     0 706   0 0     6       # SILC
        filter pppoe0 inter     0 993   0 0     6       # IMAPS
        filter pppoe0 inter     0 1863  0 0     6       # MSN
        filter pppoe0 inter     0 0     0 6667  6       # IRC
        filter pppoe0 inter     0 6667  0 0     6       # IRC
### conditioner
#interface nfe0
#conditioner nfe0 cond <tbmeter 1M 32K <pass> <drop>>
#       filter nfe0 cond 192.168.1.XX 0 0 0 0   #

Regards
--
César Catrián Carreño
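The three altq.conf files in this thread (Geoff's CBQ tree, David's HFSC tree and César's CBQ tree) all hand-build a class hierarchy in which a child's share has to fit inside its parent's and every filter has to name a class that exists. The script below is an added example, not code from any of the posters or from NetBSD: it parses that altq.conf(5) dialect and reports dangling parents, a missing or duplicated default class, filters bound to undefined classes, and parents whose children's nominal rates add up to more than the parent's. The rate arithmetic encodes this script's own assumptions (stated in its docstring), not the man page verbatim, so check them against altq.conf(5) for your release; the two sample configs inside it are constructed for the demonstration.

```python
"""Static sanity checker for ALTQ altq.conf(5) class trees (CBQ and HFSC).

Added example for this thread, not code posted by Geoff, David or Cesar.
Rate rules are this script's assumptions: CBQ pbandwidth is a percentage of
the interface bandwidth, exactbandwidth and HFSC grate are bits per second,
and an HFSC pshare without a grate is a percentage of the parent's rate.
"""
import re

_UNIT = {"": 1, "k": 1000, "m": 1000000, "g": 1000000000}


def parse_rate(tok):
    """'240K' -> 240000, '128000' -> 128000 (bits per second)."""
    num, unit = re.fullmatch(r"(\d+)([kKmMgG]?)", tok).groups()
    return int(num) * _UNIT[unit.lower()]


def parse_altq_conf(text):
    """Return (interfaces, classes, filters); classes are keyed (iface, name)."""
    ifaces, classes, filters = {}, {}, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not tok:
            continue
        if tok[0] == "interface":               # interface IF bandwidth BW [tbrsize N] SCHED
            bw = parse_rate(tok[tok.index("bandwidth") + 1]) if "bandwidth" in tok else None
            ifaces[tok[1]] = {"bw": bw, "sched": tok[-1]}
            if tok[-1] == "hfsc":               # HFSC's root class is implicit
                classes[(tok[1], "root")] = {"parent": None, "rate": bw,
                                             "pct": None, "default": False}
        elif tok[0] == "class":                 # class SCHED IF NAME PARENT [options]
            opts = tok[5:]
            cls = {"parent": None if tok[4] == "NULL" else tok[4], "rate": None,
                   "pct": None, "default": "default" in opts}
            for i, o in enumerate(opts):
                if o in ("exactbandwidth", "grate"):
                    cls["rate"] = parse_rate(opts[i + 1])
                elif o in ("pbandwidth", "pshare"):
                    cls["pct"] = int(opts[i + 1])
            classes[(tok[2], tok[3])] = cls
        elif tok[0] == "filter":                # filter IF CLASS dst dport src sport proto ...
            filters.append((tok[1], tok[2]))
    return ifaces, classes, filters


def nominal_rate(key, ifaces, classes, seen=()):
    """Nominal bps of a class, or None when it cannot be derived."""
    cls, iface = classes[key], ifaces.get(key[0])
    if cls["rate"] is not None:
        return cls["rate"]
    if cls["pct"] is None or key in seen or not iface or iface["bw"] is None:
        return None
    if iface["sched"] == "cbq":                 # pbandwidth: % of interface bandwidth
        return iface["bw"] * cls["pct"] // 100
    pkey = (key[0], cls["parent"])              # hfsc pshare: % of the parent's rate
    prate = nominal_rate(pkey, ifaces, classes, seen + (key,)) if pkey in classes else None
    return None if prate is None else prate * cls["pct"] // 100


def check(text):
    """Return the list of problems found in altq.conf text (empty list = clean)."""
    ifaces, classes, filters = parse_altq_conf(text)
    problems = []
    for (ifn, cn), cls in classes.items():
        if cls["parent"] is not None and (ifn, cls["parent"]) not in classes:
            problems.append("%s/%s: parent %s undefined" % (ifn, cn, cls["parent"]))
    for ifn in ifaces:
        n = sum(1 for k, c in classes.items() if k[0] == ifn and c["default"])
        if n != 1:
            problems.append("%s: %d default classes, need exactly 1" % (ifn, n))
    for ifn, cn in filters:
        if (ifn, cn) not in classes:
            problems.append("%s: filter bound to undefined class %s" % (ifn, cn))
    rates = {k: nominal_rate(k, ifaces, classes) for k in classes}
    for (ifn, cn), rate in rates.items():       # children must fit inside their parent
        need = sum(rates[k] or 0 for k, c in classes.items() if k[0] == ifn and c["parent"] == cn)
        if rate is not None and need > rate:
            problems.append("%s/%s: children need %d bps, parent has %d" % (ifn, cn, need, rate))
    return problems


# Constructed samples (not from the thread): an HFSC tree in the shape David
# posted, and a CBQ tree with three deliberate mistakes.
SAMPLE_HFSC_OK = """\
interface le0 bandwidth 240K tbrsize 1500 hfsc
    class hfsc le0 def_class root  pshare 10 default
    class hfsc le0 LG_class root   pshare 90 grate 192K
    class hfsc le0 LG_LP LG_class  pshare 20 grate  42700
    class hfsc le0 LG_MP LG_class  pshare 60 grate 128000
    class hfsc le0 LG_HP LG_class  pshare 10 grate  21300
        filter le0 LG_HP 0 53 0 0 17
"""
SAMPLE_CBQ_BAD = """\
interface pppoe0 bandwidth 240K cbq
class cbq pppoe0 root NULL pbandwidth 100
class cbq pppoe0 def_class root priority 6 pbandwidth 95
class cbq pppoe0 bulk def_class priority 0 borrow pbandwidth 60
class cbq pppoe0 web def_class priority 6 borrow pbandwidth 60
        filter pppoe0 web 0 0 0 80 6
        filter pppoe0 interactive 0 22 0 0 6
"""

if __name__ == "__main__":
    print(check(SAMPLE_HFSC_OK) or "clean", check(SAMPLE_CBQ_BAD), sep="\n")
```

Run `check(open("/etc/altq.conf").read())` before restarting altqd; an empty list means the tree is internally consistent, not that the rates suit your link. The script does not model which filter a packet actually matches when several apply, so it says nothing about whether César's catch-all TCP/UDP filters in `heavy` really lose to the more specific ones.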