Re: pf/altq performance on ADSL
On Thu, Feb 19, 2004 at 01:28:08PM -0600, Jordan Klein wrote:
> Hi, everyone.
>
> I have a problem with pf/altq performance through my ADSL connection. My
> connection is 1.5Mb/s downlink and 256Kb/s uplink. As such, I'm using
> pf/altq to prioritize no load/ACK packets so my downloads don't get
> throttled by uploading. At first, I thought it was working, but now it
> doesn't seem to be. Unless I throttle my uploads with whatever app I'm
> using, my download bandwidth is still throttled severely. I've read the PF
> FAQ several times on this issue, as well as having done quite a bit of
> google searching, and everything I've found makes me believe that my pf.conf
> is fine.
>
> I am providing a copy of my pf.conf file here. I would appreciate it very
> much if someone can help me figure out why my pf/altq configuration isn't
> working as it should.
>
> Thanks in advance.
>
> ----------------- pf.conf -------------------
> # $Id: pf.conf,v 1.13 2004/02/18 20:57:30 root Exp $
> #
>
> # Macros: define common values, so they can be referenced and changed easily.
>
> ExtIF="xl0"
> IntIF="xl1"
> external_net="12.13.14.15/29"
> internal_net="192.168.0.0/24"
> external_addr="12.13.14.16"
> dilbert_addr="192.168.0.2"
> powerbook_addr="192.168.0.3"
> NoRouteIPsExt="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16 }"
> NoRouteIPsInt="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
> dcc="59"
> overnet1="4662"
> overnet2="5175"
>
> # Options: tune the behavior of pf, default values are given.
>
> set block-policy return
> set loginterface xl0
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>
> scrub in all
>
> # Queueing: rule-based bandwidth control.
>
> altq on $ExtIF bandwidth 210Kb qlimit 250 priq queue { std_out, tcp_ack }
> queue std_out priority 1 qlimit 200 priq(default)
> queue tcp_ack priority 7
>
> # Translation: specify how addresses are to be mapped or redirected.
>
> nat on $ExtIF from $internal_net to any -> $external_addr
>
> # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
>
> # BitTorrent redirections
> rdr on $ExtIF proto tcp from any to any port 6881:6890 -> $dilbert_addr \
> port 6881:6890
> rdr on $ExtIF proto tcp from any to any port 6891:6899 -> $powerbook_addr \
> port 6891:6899
>
> # FTP proxy connections
> rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> # don't allow anyone to spoof non-routable addresses
> block in log quick on $ExtIF from $NoRouteIPsExt to any
> block out log quick on $ExtIF from any to $NoRouteIPsExt
> block in log quick on $IntIF from $NoRouteIPsInt to any
> block out log quick on $IntIF from any to $NoRouteIPsInt
>
> # Block all inbound traffic not explicitly allowed
> block in log on $ExtIF all
>
> # Allow web traffic
> pass in on $ExtIF proto tcp from any to any port { www, https } flags S/SA \
> keep state queue(std_out, tcp_ack)
>
> # Allow SSH traffic
> pass in on $ExtIF proto tcp from any to any port ssh flags S/SA keep state \
> queue(std_out, tcp_ack)
>
> # Allow DNS queries
> pass in on $ExtIF inet proto tcp from any to any port domain \
> flags S/SA keep state queue(std_out, tcp_ack)
> pass in on $ExtIF inet proto udp from any to any port domain \
> keep state
>
> # Allow incoming mail / relaying
> pass in on $ExtIF inet proto tcp from any to any port smtp \
> flags S/SA keep state queue(std_out, tcp_ack)
>
> # Allow imaps and pop3s (requires SSL support)
> pass in on $ExtIF inet proto tcp from any to any port { pop3s, imaps } \
> flags S/SA keep state queue(std_out, tcp_ack)
>
> # Allow identd traffic (for irc, mostly)
> pass in on $ExtIF inet proto tcp from any to any port auth \
> flags S/SA keep state queue(std_out, tcp_ack)
>
> # Allow DCC port 59 traffic (irc)
> pass in on $ExtIF inet proto tcp from any to any port $dcc keep state \
> queue(std_out, tcp_ack)
>
> # Allow high-port connections for active-mode ftp connections
> pass in on $ExtIF inet proto tcp from any to any port >= 49152 \
> flags S/SA keep state queue(std_out, tcp_ack)
>
> # Allow BitTorrent traffic
> pass in on $ExtIF inet proto tcp from any to any port 6880><6900 \
> flags S/SA keep state queue(std_out, tcp_ack)
>
> # Allow all ICMP for right now
> pass in on $ExtIF inet proto icmp from any to any
>
> # Block all outbound traffic by default
> block out log on $ExtIF from any to any
>
> # Configure as a stateful firewall
> pass out on $ExtIF inet proto tcp from any to any keep state
> pass out on $ExtIF inet proto udp from any to any keep state
> pass out on $ExtIF inet proto icmp from any to any keep state
>
> --
> Jordan Klein ~ Beware of dragons
> haplo@haplo.net ~ for you are crunchy
> Solaris / AIX / Linux Admin ~ and go well with ketchup
>
Your outbound tcp packets need to be assigned to a queue.
Check out http://www.benzedrine.cx/ackpri.html and test it works okay.
Ed.
Don't you just love it when a plan comes together.
Hannibal - The A Team.
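The change Ed is pointing at, written out as an added example (this is not from either message, it only reuses the macros and queue names from the posted pf.conf): the three `pass out` rules at the end of the ruleset create the states for every connection the LAN opens, and since they carry no queue assignment, the empty ACKs for downloads land in `std_out` behind the bulk uploads, so the `tcp_ack` queue never sees them.

```pf
# Original outbound rules from the posted pf.conf, kept here for comparison.
# States for LAN-initiated connections are created by these rules, and with
# no queue assignment their outbound packets (download ACKs included) all go
# to the default queue, std_out, at priority 1.
#pass out on $ExtIF inet proto tcp from any to any keep state
#pass out on $ExtIF inet proto udp from any to any keep state
#pass out on $ExtIF inet proto icmp from any to any keep state

# Corrected: give the outbound TCP rule the same queue pair as the inbound
# rules. With queue(std_out, tcp_ack), pf puts TCP ACKs carrying no payload
# (and packets with the lowdelay TOS bit) into the second queue, tcp_ack
# (priority 7), and everything else into std_out (priority 1).
pass out on $ExtIF inet proto tcp from any to any keep state \
    queue(std_out, tcp_ack)

# UDP and ICMP are unchanged; they keep using the default queue, std_out.
pass out on $ExtIF inet proto udp from any to any keep state
pass out on $ExtIF inet proto icmp from any to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vvs queue` during a download with a concurrent upload: the packet counters for `tcp_ack` should climb, where before the change only `std_out` moved.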