Shaping per host example
  • Does somebody have pfSense rules & firewall configured something like this:

    # enable queueing on the external interface to control traffic going to
    # the Internet. use the priq scheduler to control only priorities. set
    # the bandwidth to 610Kbps to get the best performance out of the TCP
    # ACK queue.
    altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }

    # define the parameters for the child queues.
    # std_out      - the standard queue. any filter rule below that does not
    #                explicitly specify a queue will have its traffic added
    #                to this queue.
    # ssh_im_out   - interactive SSH and various instant message traffic.
    # dns_out      - DNS queries.
    # tcp_ack_out  - TCP ACK packets with no data payload.
    queue std_out     priq(default)
    queue ssh_im_out  priority 4 priq(red)
    queue dns_out     priority 5
    queue tcp_ack_out priority 6

    # enable queueing on the internal interface to control traffic coming in
    # from the Internet. use the cbq scheduler to control bandwidth. max
    # bandwidth is 2Mbps.
    altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }

    # define the parameters for the child queues.
    # std_in      - the standard queue. any filter rule below that does not
    #               explicitly specify a queue will have its traffic added
    #               to this queue.
    # ssh_im_in   - interactive SSH and various instant message traffic.
    # dns_in      - DNS replies.
    # bob_in      - bandwidth reserved for Bob's workstation. allow him to
    #               borrow.
    queue std_in    bandwidth 1.6Mb cbq(default)
    queue ssh_im_in bandwidth 200Kb priority 4
    queue dns_in    bandwidth 120Kb priority 5
    queue bob_in    bandwidth 80Kb cbq(borrow)

    # ... in the filtering section of pf.conf ...
    alice         = "192.168.0.2"
    bob           = "192.168.0.3"
    charlie       = "192.168.0.4"
    local_net     = "192.168.0.0/24"
    ssh_ports     = "{ 22 2022 }"
    im_ports      = "{ 1863 5190 5222 }"

    # filter rules for fxp0 inbound
    block in on fxp0 all

    # filter rules for fxp0 outbound
    block out on fxp0 all
    pass  out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
        keep state queue(std_out, tcp_ack_out)
    pass  out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
    pass  out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
        keep state queue dns_out
    pass  out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
        flags S/SA keep state queue(std_out, ssh_im_out)
    pass  out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
        flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

    # filter rules for dc0 inbound
    block in on dc0 all
    pass  in on dc0 from $local_net

    # filter rules for dc0 outbound
    block out on dc0 all
    pass  out on dc0 from any to $local_net
    pass  out on dc0 proto { tcp udp } from any port domain to $local_net \
        queue dns_in
    pass  out on dc0 proto tcp from any port $ssh_ports to $local_net \
        queue(std_in, ssh_im_in)
    pass  out on dc0 proto tcp from any port $im_ports to $local_net \
        queue ssh_im_in
    pass  out on dc0 from any to $bob queue bob_in
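A small consistency check for the ALTQ section above, added here as an example and not part of the post or of pfSense: it joins pf.conf continuation lines, collects the `altq` parents and `queue` children, and reports the two mistakes that make `pfctl` reject or misbehave on a ruleset like this one, namely cbq children whose bandwidths exceed the parent's 2Mb and filter rules that send traffic to a queue that was never defined. The embedded config is a constructed excerpt of the post's ruleset; unit multipliers are assumed decimal (Kb = 1000 b/s) as pfctl uses.

```python
import re

# Constructed excerpt of the ALTQ/filter config quoted above; the trailing
# backslashes are pf.conf line continuations, not Python syntax.
PF_CONF = r"""
altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
    tcp_ack_out }
queue std_out     priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out     priority 5
queue tcp_ack_out priority 6
altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
queue std_in    bandwidth 1.6Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in    bandwidth 120Kb priority 5
queue bob_in    bandwidth 80Kb cbq(borrow)
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)
pass out on dc0 from any to $bob queue bob_in
"""

UNITS = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}  # assumed decimal, as pfctl

def to_bps(spec):
    # '1.6Mb' -> 1600000, '610Kb' -> 610000
    m = re.fullmatch(r"([\d.]+)(b|Kb|Mb|Gb)", spec)
    if not m:
        raise ValueError(f"bad bandwidth spec: {spec}")
    return int(round(float(m[1]) * UNITS[m[2]]))

def lint_altq(conf):
    """Return problems: cbq children over the parent's bandwidth, altq children
    that are never defined, and pass rules that queue to an unknown queue."""
    conf = re.sub(r"\\\n\s*", " ", conf)          # join pf.conf continuation lines
    parents, defined, referenced = {}, {}, set()
    for line in conf.splitlines():
        if m := re.match(r"altq on (\S+) (\w+) bandwidth (\S+) queue \{([^}]*)\}", line):
            parents[m[1]] = (m[2], to_bps(m[3]), [q.strip() for q in m[4].split(",")])
        elif m := re.match(r"queue (\S+)(?:\s+bandwidth (\S+))?", line):
            defined[m[1]] = to_bps(m[2]) if m[2] else None   # priq children carry no bandwidth
        elif line.startswith("pass") and (m := re.search(r"queue\s*(?:\(([^)]*)\)|(\S+))", line)):
            referenced.update(q.strip() for q in (m[1] or m[2]).split(","))
    problems = []
    for iface, (sched, bw, kids) in parents.items():
        problems += [f"{iface}: child queue {k} is never defined" for k in kids if k not in defined]
        if sched == "cbq":                           # only cbq children reserve bandwidth
            total = sum(defined.get(k) or 0 for k in kids)
            if total > bw:
                problems.append(f"{iface}: cbq children need {total} b/s, parent has {bw} b/s")
    problems += [f"rule queues to undefined queue {q}" for q in sorted(referenced - defined.keys())]
    return problems
```

On the ruleset as posted the cbq children sum to exactly the 2Mb parent, so `lint_altq(PF_CONF)` returns an empty list; raising `bob_in` to 280Kb or misspelling a queue name in a pass rule produces a message naming the interface or queue.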