[solved] question about how the pfsense traffic shaper works
-
Hi. This isn't a pfsense question per se, but rather a question about pf and altq in general. Sorry if this isn't the right section.
I used pfsense for a long time as a firewall and traffic shaper. Recently I tried OpenBSD in order to gain a better understanding of pf, altq and BSD in general. In OpenBSD I have been able to set up everything as I had it in pfsense except for traffic shaping.
My network is very simple and looks something like this:
internet
|
|
|
[WAN if :firewall: LAN if]
|
|
|
LAN hosts (192.168.1.X/24)In pfsense the traffic shaper makes two sets of queues–one for traffic leaving the WAN interface, and one for traffic leaving the LAN interface. This allows one to tailor the upstream and downstream queues for asymmetric internet connections. But in OpenBSD I haven't been able to figure out how to do this.
In pf I create rules to allocate traffic to queues. When a packet matches one of those rules, a state is created. That state is labelled with the queue I specified, so all traffic belonging to that state---both upstream and downstream---will be placed in a queue of that name. However, this means that I can only use one set of queues for both LAN and WAN interfaces.
For example, I have a rule which passes traffic out on the WAN interface on port 80 and places it into the "http" queue. When a packet matches this rule, a state is created and all traffic matching that state will go into the http queue. However, since it's actually all traffic belonging to that TCP connection that matches the state, incoming traffic on the WAN interface and hence leaving the LAN interface will also be placed in the "http" queue. If I wanted to have two separate queues for WAN and LAN---something like "http_up" and "http_down"---it wouldn't work. Even if I had two different rules in my pf config allocating traffic exiting WAN to "http_up" and traffic exiting LAN to "http_down", as soon as traffic was passed by one rule the state created by it would cause all subsequent packets to ignore the ruleset; e.g. once a packet gets put into the "http_up" queue all subsequent traffic of that TCP connection---even traffic leaving LAN---will be put into "http_up".
The only way I can think of making this work would be to disable the rules from creating a state, but I know that pfsense definitely keeps its states. So if anyone could shed some light on how pfsense does this I would be very grateful.
EDIT: nevermind, I think I have answered my own question after much googling. I will leave this for future reference though.
The syntax in pf.conf is like so (i call the queues "ack" because prioritising tcp acks on an asymmetric link is probably why one would do this):
altq on $WAN_if bandwidth=500Kb hfsc queue {ack, default}
altq on $LAN_if bandwidth=2000Kb hfsc queue {ack, default}
queue http on $WAN_if priority 7 bandwidth 40% hfsc
queue http on $LAN_if priority 7 bandwidth 5% hfsc