Re: pf/altq performance on ADSL
----- Original Message -----
From: "Ed Wandasiewicz" <wanded@breathemail.net>
To: "Jordan Klein" <haplo@haplo.net>
Cc: <misc@openbsd.org>
Sent: Thursday, February 19, 2004 2:46 PM
Subject: Re: pf/altq performance on ADSL
> On Thu, Feb 19, 2004 at 01:28:08PM -0600, Jordan Klein wrote:
> > Hi, everyone.
> >
> > I have a problem with pf/altq performance through my ADSL connection. My
> > connection is 1.5Mb/s downlink and 256Kb/s uplink. As such, I'm using
> > pf/altq to prioritize no load/ACK packets so my downloads don't get
> > throttled by uploading. At first, I thought it was working, but now it
> > doesn't seem to be. Unless I throttle my uploads with whatever app I'm
> > using, my download bandwidth is still throttled severely. I've read the PF
> > FAQ several times on this issue, as well as having done quite a bit of
> > google searching, and everything I've found makes me believe that my pf.conf
> > is fine.
> >
> > I am providing a copy of my pf.conf file here. I would appreciate it very
> > much if someone can help me figure out why my pf/altq configuration isn't
> > working as it should.
> >
> > Thanks in advance.
> >
> > ----------------- pf.conf -------------------
> > # $Id: pf.conf,v 1.13 2004/02/18 20:57:30 root Exp $
> > #
> >
> > # Macros: define common values, so they can be referenced and changed
> > easily.
> >
> > ExtIF="xl0"
> > IntIF="xl1"
> > external_net="12.13.14.15/29"
> > internal_net="192.168.0.0/24"
> > external_addr="12.13.14.16"
> > dilbert_addr="192.168.0.2"
> > powerbook_addr="192.168.0.3"
> > NoRouteIPsExt="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16 }"
> > NoRouteIPsInt="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
> > dcc="59"
> > overnet1="4662"
> > overnet2="5175"
> >
> > # Options: tune the behavior of pf, default values are given.
> >
> > set block-policy return
> > set loginterface xl0
> >
> > # Normalization: reassemble fragments and resolve or reduce traffic
> > ambiguities.
> >
> > scrub in all
> >
> > # Queueing: rule-based bandwidth control.
> >
> > altq on $ExtIF bandwidth 210Kb qlimit 250 priq queue { std_out, tcp_ack }
> > queue std_out priority 1 qlimit 200 priq(default)
> > queue tcp_ack priority 7
> >
> > # Translation: specify how addresses are to be mapped or redirected.
> >
> > nat on $ExtIF from $internal_net to any -> $external_addr
> >
> > # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
> >
> > # Bitorrent redirections
> > rdr on $ExtIF proto tcp from any to any port 6881:6890 -> $dilbert_addr \
> > port 6881:6890
> > rdr on $ExtIF proto tcp from any to any port 6891:6899 -> $powerbook_addr \
> > port 6891:6899
> >
> > # FTP proxy connections
> > rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> >
> > # don't allow anyone to spoof non-routeable addresses
> > block in log quick on $ExtIF from $NoRouteIPsExt to any
> > block out log quick on $ExtIF from any to $NoRouteIPsExt
> > block in log quick on $IntIF from $NoRouteIPsInt to any
> > block out log quick on $IntIF from any to $NoRouteIPsInt
> >
> > # Block all inbound traffic not explicitly allowed
> > block in log on $ExtIF all
> >
> > # Allow web traffic
> > pass in on $ExtIF proto tcp from any to any port { www, https } flags S/SA \
> > keep state queue(std_out, tcp_ack)
> >
> > # Allow SSH traffic
> > pass in on $ExtIF proto tcp from any to any port ssh flags S/SA keep state \
> > queue(std_out, tcp_ack)
> >
> > # Allow DNS queries
> > pass in on $ExtIF inet proto tcp from any to any port domain \
> > flags S/SA keep state queue(std_out, tcp_ack)
> > pass in on $ExtIF inet proto udp from any to any port domain \
> > keep state
> >
> > # Allow incoming mail / relaying
> > pass in on $ExtIF inet proto tcp from any to any port smtp \
> > flags S/SA keep state queue(std_out, tcp_ack)
> >
> > # Allow imaps and pop3s (requires SSL support)
> > pass in on $ExtIF inet proto tcp from any to any port { pop3s, imaps } \
> > flags S/SA keep state queue(std_out, tcp_ack)
> >
> > # Allow identd traffic (for irc, mostly)
> > pass in on $ExtIF inet proto tcp from any to any port auth \
> > flags S/SA keep state queue(std_out, tcp_ack)
> >
> > # Allow DCC port 59 traffic (irc)
> > pass in on $ExtIF inet proto tcp from any to any port $dcc keep state \
> > queue(std_out, tcp_ack)
> >
> > # Allow high-port connections for active-mode ftp connections
> > pass in on $ExtIF inet proto tcp from any to any port >= 49152 \
> > flags S/SA keep state queue(std_out, tcp_ack)
> >
> > # Allow Bitorrent traffic
> > pass in on $ExtIF inet proto tcp from any to any port 6880><6900 \
> > flags S/SA keep state queue(std_out, tcp_ack)
> >
> > # Allow all ICMP for right now
> > pass in on $ExtIF inet proto icmp from any to any
> >
> > # Block all outbound traffic by default
> > block out log on $ExtIF from any to any
> >
> > # Configure as a stateful firewall
> > pass out on $ExtIF inet proto tcp from any to any keep state
> > pass out on $ExtIF inet proto udp from any to any keep state
> > pass out on $ExtIF inet proto icmp from any to any keep state
> >
> > --
> > Jordan Klein ~ Beware of dragons
> > haplo@haplo.net ~ for you are crunchy
> > Solaris / AIX / Linux Admin ~ and go well with ketchup
> >
>
> Your outbound tcp packets need to be assigned to a queue.
>
> Check out http://www.benzedrine.cx/ackpri.html and test it works okay.
>
> Ed.
>
> Don't you just love it when a plan comes together.
> Hannibal - The A Team.
>
I had tried that already and it didn't work. I tested a lot of different
bandwidth speeds, too. Unfortunately, I forgot to mention that I spent
hours testing and tweaking to no avail.
--
Jordan Klein ~ Beware of dragons
haplo@haplo.net ~ for you are crunchy
Solaris / AIX / Linux Admin ~ and go well with ketchup
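The point Ed raises is that the outbound TCP rule carries no queue assignment, so nothing originating from or NATed through the box gets ACK priority. As an added example (not from the thread or from OpenBSD), this Python check parses a pf.conf in the same style, expands its macros, and reports every pass-out TCP rule on an altq interface that names no queue; the sample configuration is constructed to mirror the posted one.

```python
"""Check a pf.conf for the gap pointed out in the thread: an altq block declares
queues, but a 'pass out ... proto tcp' rule on that interface assigns none, so
outbound TCP (including the ACKs that keep a download moving) gets no priority."""
import re

# Constructed sample modelled on the thread's pf.conf; not the original file.
SAMPLE_PF_CONF = """\
ExtIF="xl0"
altq on $ExtIF bandwidth 210Kb qlimit 250 priq queue { std_out, tcp_ack }
queue std_out priority 1 qlimit 200 priq(default)
queue tcp_ack priority 7
pass in on $ExtIF proto tcp from any to any port ssh flags S/SA keep state \\
    queue(std_out, tcp_ack)
pass out on $ExtIF inet proto tcp from any to any keep state
pass out on $ExtIF inet proto udp from any to any keep state
"""

def parse_rules(text):
    """Strip comments, rejoin backslash continuations and expand $macros."""
    macros, rules, buf = {}, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # rule continues on the next line
            buf += line[:-1] + " "
            continue
        line, buf = " ".join((buf + line).split()), ""
        m = re.fullmatch(r'(\w+)="?([^"]*)"?', line)
        if m:                            # macro definition, e.g. ExtIF="xl0"
            macros[m.group(1)] = m.group(2)
        elif line:
            rules.append(re.sub(r"\$(\w+)", lambda mm: macros.get(mm[1], mm[0]), line))
    return rules

def unqueued_outbound_tcp(text):
    """Return pass-out TCP rules on an altq interface that assign no queue."""
    rules = parse_rules(text)
    altq_ifaces = {r.split()[2] for r in rules if r.startswith("altq on ")}
    findings = []
    for r in rules:
        if not r.startswith("pass out "):
            continue
        iface = re.search(r"\bon (\S+)", r)
        proto = re.search(r"\bproto (\S+)", r)
        on_altq = iface is not None and iface.group(1) in altq_ifaces
        is_tcp = proto is None or proto.group(1) == "tcp"   # no proto means all
        if on_altq and is_tcp and not re.search(r"\bqueue\b", r):
            findings.append(r)
    return findings
```

Running `unqueued_outbound_tcp(SAMPLE_PF_CONF)` flags the `pass out ... proto tcp ... keep state` rule; appending `queue(std_out, tcp_ack)` to it, as the pass-in rules already do, clears the finding.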