Shaping per host example
-
Does somebody have pfSense rules & firewall configured something like this:
# enable queueing on the external interface to control traffic going to
# the Internet. use the priq scheduler to control only priorities. set
# the bandwidth to 610Kbps to get the best performance out of the TCP
# ACK queue.

altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }

# define the parameters for the child queues.
# std_out      - the standard queue. any filter rule below that does not
#                explicitly specify a queue will have its traffic added
#                to this queue.
# ssh_im_out   - interactive SSH and various instant message traffic.
# dns_out      - DNS queries.
# tcp_ack_out  - TCP ACK packets with no data payload.

queue std_out     priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out     priority 5
queue tcp_ack_out priority 6

# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.

altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }

# define the parameters for the child queues.
# std_in      - the standard queue. any filter rule below that does not
#               explicitly specify a queue will have its traffic added
#               to this queue.
# ssh_im_in   - interactive SSH and various instant message traffic.
# dns_in      - DNS replies.
# bob_in      - bandwidth reserved for Bob's workstation. allow him to
#               borrow.

queue std_in    bandwidth 1.6Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in    bandwidth 120Kb priority 5
queue bob_in    bandwidth 80Kb cbq(borrow)

# ... in the filtering section of pf.conf ...

alice     = "192.168.0.2"
bob       = "192.168.0.3"
charlie   = "192.168.0.4"
local_net = "192.168.0.0/24"
ssh_ports = "{ 22 2022 }"
im_ports  = "{ 1863 5190 5222 }"

# filter rules for fxp0 inbound
block in on fxp0 all

# filter rules for fxp0 outbound
block out on fxp0 all
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
        keep state queue(std_out, tcp_ack_out)
pass out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
        keep state queue dns_out
pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
        flags S/SA keep state queue(std_out, ssh_im_out)
pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
        flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for dc0 inbound
block in on dc0 all
pass in on dc0 from $local_net

# filter rules for dc0 outbound
block out on dc0 all
pass out on dc0 from any to $local_net
pass out on dc0 proto { tcp udp } from any port domain to $local_net \
        queue dns_in
pass out on dc0 proto tcp from any port $ssh_ports to $local_net \
        queue(std_in, ssh_im_in)
pass out on dc0 proto tcp from any port $im_ports to $local_net \
        queue ssh_im_in
pass out on dc0 from any to $bob queue bob_in
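
A small consistency check for the ALTQ configuration in the post, as an added example that is not part of the original post: it confirms that every child queue is defined, that the cbq children do not reserve more than the parent's bandwidth, and that each rule only names queues attached to its own interface. The function names and the embedded sample (a subset of the rules above) are constructed here, and only absolute bandwidths such as Kb and Mb are handled.

```python
import re

# Constructed sample: the queue definitions and two queue-assigning rules from the post.
PF_CONF = r"""
altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }
queue std_out     priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out     priority 5
queue tcp_ack_out priority 6
altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
queue std_in    bandwidth 1.6Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in    bandwidth 120Kb priority 5
queue bob_in    bandwidth 80Kb cbq(borrow)
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
        keep state queue(std_out, tcp_ack_out)
pass out on dc0 from any to $bob queue bob_in
"""

UNITS = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}

def to_bps(text):
    num, unit = re.fullmatch(r"([\d.]+)(Kb|Mb|Gb|b)", text).groups()
    return round(float(num) * UNITS[unit])

def lint(conf):
    # Join backslash continuations, drop comments, then collect altq parents and queues.
    lines = [l.split("#")[0].strip() for l in conf.replace("\\\n", " ").splitlines()]
    parents, queues, problems = {}, {}, []
    for line in lines:
        if m := re.match(r"altq on (\S+) (\w+) bandwidth (\S+) queue \{([^}]*)\}", line):
            parents[m[1]] = (m[2], to_bps(m[3]), re.findall(r"\w+", m[4]))
        elif m := re.match(r"queue (\w+)(.*)", line):
            bw = re.search(r"bandwidth (\S+)", m[2])
            queues[m[1]] = to_bps(bw[1]) if bw else 0
    for iface, (sched, total, kids) in parents.items():
        for kid in kids:
            if kid not in queues:
                problems.append(f"{iface}: child queue {kid} is never defined")
        used = sum(queues.get(k, 0) for k in kids)
        if sched == "cbq" and used > total:
            problems.append(f"{iface}: children reserve {used} b/s of {total}")
    for line in lines:
        m = re.match(r"pass \w+ on (\S+) .*\bqueue\s*\(?([\w, ]+)\)?$", line)
        for q in (re.findall(r"\w+", m[2]) if m else []):
            if q not in parents.get(m[1], ("", 0, []))[2]:
                problems.append(f"rule on {m[1]} uses queue {q} not attached there")
    return problems
```

`lint(PF_CONF)` returns an empty list for the configuration as posted, since the four dc0 child queues add up to exactly the 2Mb parent.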