    Shaping per host example

    Scheduled Pinned Locked Moved Traffic Shaping
    1 Posts 1 Posters 2.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
lowcypl:

Does somebody have pfSense rules & firewall configured something like this:

```
# enable queueing on the external interface to control traffic going to
# the Internet. use the priq scheduler to control only priorities. set
# the bandwidth to 610Kbps to get the best performance out of the TCP
# ACK queue.
altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
    tcp_ack_out }

# define the parameters for the child queues.
# std_out      - the standard queue. any filter rule below that does not
#                explicitly specify a queue will have its traffic added
#                to this queue.
# ssh_im_out   - interactive SSH and various instant message traffic.
# dns_out      - DNS queries.
# tcp_ack_out  - TCP ACK packets with no data payload.
queue std_out     priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out     priority 5
queue tcp_ack_out priority 6

# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.
altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }

# define the parameters for the child queues.
# std_in      - the standard queue. any filter rule below that does not
#               explicitly specify a queue will have its traffic added
#               to this queue.
# ssh_im_in   - interactive SSH and various instant message traffic.
# dns_in      - DNS replies.
# bob_in      - bandwidth reserved for Bob's workstation. allow him to
#               borrow.
queue std_in    bandwidth 1.6Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in    bandwidth 120Kb priority 5
queue bob_in    bandwidth 80Kb cbq(borrow)

# ... in the filtering section of pf.conf ...
alice         = "192.168.0.2"
bob           = "192.168.0.3"
charlie       = "192.168.0.4"
local_net     = "192.168.0.0/24"
ssh_ports     = "{ 22 2022 }"
im_ports      = "{ 1863 5190 5222 }"

# filter rules for fxp0 inbound
block in on fxp0 all

# filter rules for fxp0 outbound
block out on fxp0 all
pass  out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)
pass  out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
pass  out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
    keep state queue dns_out
pass  out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
    flags S/SA keep state queue(std_out, ssh_im_out)
pass  out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
    flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for dc0 inbound
block in on dc0 all
pass  in on dc0 from $local_net

# filter rules for dc0 outbound
block out on dc0 all
pass  out on dc0 from any to $local_net
pass  out on dc0 proto { tcp udp } from any port domain to $local_net \
    queue dns_in
pass  out on dc0 proto tcp from any port $ssh_ports to $local_net \
    queue(std_in, ssh_im_in)
pass  out on dc0 proto tcp from any port $im_ports to $local_net \
    queue ssh_im_in
pass  out on dc0 from any to $bob queue bob_in
```
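A consistency check for an ALTQ configuration like the one quoted above, added here as an example and not code from the post or from pfSense: it parses the `altq`/`queue` definitions and the `queue` assignments on the filter rules (the sample config below is constructed from the post), reports cbq child queues that together ask for more bandwidth than their parent interface has, and flags any rule that queues to a name not defined on that rule's interface.

```python
import re

# Constructed sample: the post's ALTQ definitions plus two of its filter rules.
PF_CONF = """
altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out     priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out     priority 5
queue tcp_ack_out priority 6
altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
queue std_in    bandwidth 1.6Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in    bandwidth 120Kb priority 5
queue bob_in    bandwidth 80Kb cbq(borrow)
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA keep state queue(std_out, tcp_ack_out)
pass out on dc0 from any to $bob queue bob_in
"""

UNIT = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}   # pf bandwidth units are decimal

def to_bps(text):
    num, unit = re.fullmatch(r"([\d.]+)(Kb|Mb|Gb|b)?", text).groups()
    return int(round(float(num) * UNIT[unit or "b"]))

def check_altq(conf):
    """Return a list of problems: cbq children oversubscribing their parent,
    and filter rules queueing to a name not defined on their interface."""
    problems, parents, queues, rules = [], {}, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments like pfctl
        if m := re.match(r"altq on (\S+) (\w+) bandwidth (\S+) queue \{([^}]*)\}", line):
            iface, sched, bw, kids = m.groups()
            parents[iface] = (sched, to_bps(bw))
            for q in re.findall(r"\w+", kids):
                queues[q] = {"iface": iface, "bw": 0}
        elif m := re.match(r"queue (\w+)(.*)", line):
            name, opts = m.groups()
            if name in queues and (bw := re.search(r"bandwidth (\S+)", opts)):
                queues[name]["bw"] = to_bps(bw.group(1))
        elif m := re.match(r"pass .*?on (\S+) .*queue\s*\(?([\w, ]+)\)?", line):
            rules.append((m.group(1), re.findall(r"\w+", m.group(2))))
    for iface, (sched, bw) in parents.items():
        total = sum(q["bw"] for q in queues.values() if q["iface"] == iface)
        if sched == "cbq" and total > bw:            # priq children carry no bandwidth
            problems.append(f"{iface}: child queues ask {total} bps, parent has {bw}")
    for iface, names in rules:
        for n in names:
            if queues.get(n, {}).get("iface") != iface:
                problems.append(f"rule on {iface} queues to {n!r}, not defined on {iface}")
    return problems
```

Run against the sample it returns an empty list; raising `std_in` to 1.8Mb or pointing the `$bob` rule at `dns_out` makes it report the oversubscription and the cross-interface queue reference respectively.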
