pf/altq performance on ADSL
Hi, everyone.
I have a problem with pf/altq performance through my ADSL connection. My
connection is 1.5Mb/s downlink and 256Kb/s uplink. As such, I'm using
pf/altq to prioritize no load/ACK packets so my downloads don't get
throttled by uploading. At first, I thought it was working, but now it
doesn't seem to be. Unless I throttle my uploads with whatever app I'm
using, my download bandwidth is still throttled severely. I've read the PF
FAQ several times on this issue, as well as having done quite a bit of
google searching, and everything I've found makes me believe that my pf.conf
is fine.
I am providing a copy of my pf.conf file here. I would appreciate it very
much if someone can help me figure out why my pf/altq configuration isn't
working as it should.
Thanks in advance.
----------------- pf.conf -------------------
# $Id: pf.conf,v 1.13 2004/02/18 20:57:30 root Exp $
#
# Macros: define common values, so they can be referenced and changed easily.
ExtIF="xl0"
IntIF="xl1"
external_net="12.13.14.15/29"
internal_net="192.168.0.0/24"
external_addr="12.13.14.16"
dilbert_addr="192.168.0.2"
powerbook_addr="192.168.0.3"
NoRouteIPsExt="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16 }"
NoRouteIPsInt="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
dcc="59"
overnet1="4662"
overnet2="5175"
# Options: tune the behavior of pf, default values are given.
set block-policy return
set loginterface xl0
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Queueing: rule-based bandwidth control.
altq on $ExtIF bandwidth 210Kb qlimit 250 priq queue { std_out, tcp_ack }
queue std_out priority 1 qlimit 200 priq(default)
queue tcp_ack priority 7
# Translation: specify how addresses are to be mapped or redirected.
nat on $ExtIF from $internal_net to any -> $external_addr
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# Bitorrent redirections
rdr on $ExtIF proto tcp from any to any port 6881:6890 -> $dilbert_addr \
port 6881:6890
rdr on $ExtIF proto tcp from any to any port 6891:6899 -> $powerbook_addr \
port 6891:6899
# FTP proxy connections
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# don't allow anyone to spoof non-routeable addresses
block in log quick on $ExtIF from $NoRouteIPsExt to any
block out log quick on $ExtIF from any to $NoRouteIPsExt
block in log quick on $IntIF from $NoRouteIPsInt to any
block out log quick on $IntIF from any to $NoRouteIPsInt
# Block all inbound traffic not explicitly allowed
block in log on $ExtIF all
# Allow web traffic
pass in on $ExtIF proto tcp from any to any port { www, https } flags S/SA \
keep state queue(std_out, tcp_ack)
# Allow SSH traffic
pass in on $ExtIF proto tcp from any to any port ssh flags S/SA keep state \
queue(std_out, tcp_ack)
# Allow DNS queries
pass in on $ExtIF inet proto tcp from any to any port domain \
flags S/SA keep state queue(std_out, tcp_ack)
pass in on $ExtIF inet proto udp from any to any port domain \
keep state
# Allow incoming mail / relaying
pass in on $ExtIF inet proto tcp from any to any port smtp \
flags S/SA keep state queue(std_out, tcp_ack)
# Allow imaps and pop3s (requires SSL support)
pass in on $ExtIF inet proto tcp from any to any port { pop3s, imaps } \
flags S/SA keep state queue(std_out, tcp_ack)
# Allow identd traffic (for irc, mostly)
pass in on $ExtIF inet proto tcp from any to any port auth \
flags S/SA keep state queue(std_out, tcp_ack)
# Allow DCC port 59 traffic (irc)
pass in on $ExtIF inet proto tcp from any to any port $dcc keep state \
queue(std_out, tcp_ack)
# Allow high-port connections for active-mode ftp connections
pass in on $ExtIF inet proto tcp from any to any port >= 49152 \
flags S/SA keep state queue(std_out, tcp_ack)
# Allow Bitorrent traffic
pass in on $ExtIF inet proto tcp from any to any port 6880><6900 \
flags S/SA keep state queue(std_out, tcp_ack)
# Allow all ICMP for right now
pass in on $ExtIF inet proto icmp from any to any
# Block all outbound traffic by default
block out log on $ExtIF from any to any
# Configure as a stateful firewall
pass out on $ExtIF inet proto tcp from any to any keep state
pass out on $ExtIF inet proto udp from any to any keep state
pass out on $ExtIF inet proto icmp from any to any keep state
--
Jordan Klein ~ Beware of dragons
haplo@haplo.net ~ for you are crunchy
Solaris / AIX / Linux Admin ~ and go well with ketchup
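One thing worth checking, as an added example and not the poster's configuration: in pf the queue pair is attached to the rule that creates the state, so connections opened from the LAN (the uploads and the ACKs of downloads started inside) are governed by the "pass out" rules, which above carry no queue at all and therefore land in the default queue. The fragment below reuses the interface, macro and queue names from the pf.conf above.

```pf
# Added example (not the poster's config): outbound stateful rules
# with the same queue pair as the inbound rules.  The second queue in
# queue(a, b) receives packets with TOS lowdelay and, for TCP, pure
# ACKs carrying no payload; everything else goes to the first queue.
ExtIF="xl0"

altq on $ExtIF bandwidth 210Kb qlimit 250 priq queue { std_out, tcp_ack }
queue std_out priority 1 qlimit 200 priq(default)
queue tcp_ack priority 7

# Block outbound by default, then pass with state and a queue assignment.
block out log on $ExtIF from any to any
pass out on $ExtIF inet proto tcp from any to any flags S/SA keep state \
    queue(std_out, tcp_ack)
pass out on $ExtIF inet proto udp from any to any keep state \
    queue(std_out)
pass out on $ExtIF inet proto icmp from any to any keep state \
    queue(std_out)

# Check that ACKs actually reach tcp_ack while an upload is running:
#   pfctl -vvs queue
# prints per-queue packet and byte counters that refresh every few seconds;
# if tcp_ack stays at zero, the packets are being matched by a rule
# without a queue assignment.
```

If the counters show ACKs in tcp_ack but downloads still stall, the bottleneck is the modem's own buffer rather than pf, and the bandwidth figure on the altq line needs to come down until pf is the point where packets wait.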