#################################################
# Searchable Keywords: QOS limit shaping altq   #
#################################################

Aug 2013

---------------------------------------------------------
! This document is incomplete. I have not finished this
! Also, altq may not be relevant in current version
---------------------------------------------------------

Rate limiting, quality of service and traffic shaping are all the same job in
PF: altq queue declarations plus filter rules that assign traffic to those
queues, and all of it lives in /etc/pf.conf. Two things worth knowing up
front: altq shapes only what *leaves* an interface, so each direction is
limited by the queue on the interface the packet exits through; and on
OpenBSD the altq syntax shown here was superseded by the new "queue" system
in 5.5 and removed in 5.6, while FreeBSD still ships ALTQ as a kernel option.
So my simple explanation for this is right out of a pf.conf file that has
been heavily commented. Lines starting with "##" (or more) are disabled
alternatives I tried and kept around; sections marked "Working" are what the
box actually runs.

myhost% cat /etc/pf.conf
#=======================================================================#
#                          My PF filter rules                           #
#=======================================================================#

# -- Interfaces --
# Internal interface
int_if="fxp0"
# Wireless interface
wlan_if="ath0"
# Bridge interface
br_if="bridge0"

#------------------------------------------------------------------------#
# -------------------------
# Alternate Queueing - altq
# -------------------------
#
# ------------------
# LAN side interface
# ------------------
#---------------- Class based queueing ------------------#
# NOTE: Class based queueing (cbq) is more suited for interface limiting,
#       i.e. reallocating bandwidth between interfaces. The child queues
#       must not add up to more than the parent (10Mb here: 8Mb + 2Mb).
#
altq on fxp0 cbq bandwidth 10Mb queue { lan_out, wlan_out }
# Full bandwidth (at least 8Mb) by default; "borrow" lets it use idle
# capacity from the parent
queue lan_out bandwidth 8Mb cbq ( default borrow )
## Full bandwidth for WLAN ##
queue wlan_out bandwidth 2Mb cbq ( red )
# Rate limit wireless lan to XXKb: enable one of these instead of the 2Mb
# line above (cbq has no "borrow" here, so this is a hard ceiling)
## queue wlan_out bandwidth 90Kb cbq ( red )
## queue wlan_out bandwidth 120Kb cbq ( red )
## queue wlan_out bandwidth 124Kb cbq ( red )
## queue wlan_out bandwidth 500Kb cbq ( red )
#
# Matching queue rule (the live copy is in the "Working" filter section below)
## pass in log all tagged stewie queue wlan_out
#
#----------------------- Priority Queuing --------------------------#
#
# NOTE: Priority queueing (priq) is for very precise prioritising of
#       protocols (VOIP), not so much for limiting interface bandwidth.
#       Higher priority number wins; the second queue in "queue(a, b)"
#       takes TOS lowdelay packets and empty TCP ACKs.
#
## altq on fxp0 priq bandwidth 10Mb queue { std_out, tcp_out, icmp_out, udp_out, dns_out }
## queue std_out priq(default)
## queue tcp_out priority 4 priq(red)
## queue udp_out priority 5
## queue icmp_out priority 6
## queue dns_out priority 7
# -- filter rules for fxp0 outbound --
# block out on fxp0 all
## pass out on fxp0 inet proto tcp from (fxp0) to any queue(std_out, tcp_out)
## pass out on fxp0 inet proto { udp icmp } from (fxp0) to any queue(udp_out, icmp_out)
## pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
##      keep state queue dns_out
#
#--------------------------------------------------------------------#
#
# ----------------------
# Limited interface side
# ----------------------
#---------------- Class based queueing ------------------#
altq on ath0 cbq bandwidth 2Mb queue { wlan_in }
## Full bandwidth for WLAN (at least 2Mb) ##
queue wlan_in bandwidth 2Mb cbq ( default red )
# This will rate limit the WLAN interface (traffic sent to wireless clients)
## queue wlan_in bandwidth 90Kb cbq ( default red )
## queue wlan_in bandwidth 124Kb cbq ( default red )
## queue wlan_in bandwidth 500Kb cbq ( default red )
#
# Matching rule for queue (live copy in the "Working" filter section below)
## pass out log all tagged stewie queue wlan_in
#
#---------------------- Priority Queuing --------------------------#
# NOTES: see priority queueing notes above
#
# After setting up the outbound internet facing interface (see above),
# use class based queueing on the internal limited interface with one
# child queue per protocol. Children sum to exactly the 2Mb parent:
# 1.6Mb + 200Kb + 120Kb + 80Kb.
## altq on ath0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, mylink_in }
## queue std_in bandwidth 1.6Mb cbq(default)
## queue ssh_im_in bandwidth 200Kb priority 4
## queue dns_in bandwidth 120Kb priority 5
## queue mylink_in bandwidth 80Kb cbq(borrow)
# -- filter rules for ath0 inbound --
## block in on ath0 all
## pass in on ath0 from 192.168.1.0/24
# -- filter rules for ath0 outbound --
## block out on ath0 all
## pass out on ath0 from any to 192.168.1.0/24
## pass out on ath0 proto { tcp udp } from any port domain to 192.168.1.0/24 \
##      queue dns_in
# ($ssh_ports is not defined anywhere in this file; add a macro such as
#  ssh_ports="{ 22 }" before enabling the next rule)
## pass out on ath0 proto tcp from any port $ssh_ports to 192.168.1.0/24 \
##      queue(std_in, ssh_im_in)
#------------------------------------------------------------------------#
#
dhcp_ports="{67,68}"

#---------------------------- Working ----------------------------------#
# Redirect DHCP requests arriving on the bridge to the LAN DHCP server
# (DHCP is UDP only; tcp is listed here but never matches)
rdr on $br_if proto {tcp,udp} from any to any port $dhcp_ports -> 192.168.1.13
#-----------------------------------------------------------------------#
## rdr on $int_if proto {tcp,udp} from any to any port $dhcp_ports -> 192.168.1.13
## rdr on $wlan_if proto {tcp,udp} from any to any port $dhcp_ports -> 192.168.1.13

## scrub in

#--------------- Working ---------------#
# Default deny in both directions: anything not passed by a later rule
# is dropped and logged
block in log all
block out log all
#---------------------------------------#

# pass everything from the loopback
pass in quick on lo0 all
pass out quick on lo0 all

# pass in log on $br_if tagged stewie label "MAC filter"
# pass in log on $wlan_if proto udp from 192.168.1.13/32 to any
## pass in log on $wlan_if tagged stewie
#### pass in log on $br_if tagged stewie

#--------------------------- Working ---------------------#
# Tagged (wireless) traffic is shaped by the LAN-side queue, since that is
# the interface it leaves through
###### pass in log all tagged stewie queue wlan_in
pass in log all tagged stewie queue wlan_out
# Everything entering on the internal interface is allowed
pass in log on $int_if from any to any
#---------------------------------------------------------#
## pass in log on $wlan_if tagged stewie
## pass in log on $int_if tagged stewie

# For now we pass everything till we start MAC filtering
# You will need to comment the next line out when you MAC filter
## pass in all modulate state
# pass out all modulate state

#----------------------- Working ------------------------#
###### pass out log all tagged stewie queue wlan_out
######### pass out log all tagged stewie queue WLan_out
# Tagged traffic leaving towards wireless clients goes through ath0's queue
pass out log all tagged stewie queue wlan_in
## pass out log on $wlan_if proto udp from any to any port $dhcp_ports queue WLan_out
pass out log on $wlan_if proto udp from any to any port $dhcp_ports
pass out log on $int_if from any to any
#--------------------------------------------------------#
#### pass out log on $br_if tagged stewie
## pass out log on $wlan_if tagged stewie
## pass out log on $int_if tagged stewie
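The usual way to check a file like the one above is pfctl -nf /etc/pf.conf
(parse only, no load), and after loading it pfctl -s queue -v to watch the
per-queue packet counters and confirm the tagged traffic really lands in
wlan_out and wlan_in. The script below is an added example of my own, not part
of the pf.conf above and not a pfctl feature: a small lint for the altq
declarations that can run on a box without pf at all. It checks, for each
"altq on IFACE ..." statement, that the child queues' bandwidths do not add up
to more than the parent's, that exactly one child is marked default, and that
every "queue NAME" line is listed by some altq statement. It assumes the
classic "altq on IF SCHED bandwidth BW queue { a, b }" syntax, bandwidths given
as Kb/Mb/Gb (decimal multiples, as pfctl uses) rather than percentages, and it
ignores anything after "#", so the "##"-disabled lines drop out just as they do
for pfctl. The two sample configs it runs on are constructed for the example:
the first is the active altq section from the file above, the second is the
disabled per-protocol ath0 layout with std_in bumped to 1.8Mb so it
oversubscribes the 2Mb parent, plus a stray queue no altq statement lists.

```shell
#!/bin/sh
# Added example (not from the original pf.conf): static lint for altq queue
# declarations. Assumes "altq on IF SCHED bandwidth BW queue { a, b }" syntax
# and Kb/Mb/Gb bandwidths; "#" comments (and thus "##"-disabled lines) are dropped.

check_altq() {
    awk '
    function bps(v,   n) {                # "8Mb" -> 8000000, "90Kb" -> 90000
        n = v; sub(/[KMGkmg]?[Bb]$/, "", n)
        if (v ~ /[Gg][Bb]$/) n *= 1000000000
        else if (v ~ /[Mm][Bb]$/) n *= 1000000
        else if (v ~ /[Kk][Bb]$/) n *= 1000
        return n + 0
    }
    { sub(/#.*/, "") }                    # strip comments; disabled lines vanish
    $1 == "altq" && $2 == "on" {          # altq on IF SCHED bandwidth BW queue { ... }
        iface = $3; sched[iface] = $4
        for (i = 5; i <= NF; i++) if ($i == "bandwidth") parent[iface] = bps($(i + 1))
        s = $0; sub(/.*\{/, "", s); sub(/\}.*/, "", s); gsub(/,/, " ", s)
        n = split(s, kids, " ")
        for (i = 1; i <= n; i++) owner[kids[i]] = iface
    }
    $1 == "queue" {                       # queue NAME [bandwidth BW] [priority N] SCHED ( opts )
        name = $2
        for (i = 3; i <= NF; i++) if ($i == "bandwidth") qbw[name] = bps($(i + 1))
        if (!(name in owner)) { orphan[name] = 1; next }
        if ($0 ~ /default/) ndef[owner[name]]++
    }
    END {
        for (q in qbw) if (q in owner) sum[owner[q]] += qbw[q]
        for (f in parent) {
            status = "OK"
            if (sum[f] + 0 > parent[f]) status = "OVERSUBSCRIBED"
            else if (ndef[f] + 0 != 1) status = "DEFAULT_QUEUES=" (ndef[f] + 0)
            printf "%s %s parent=%d children=%d %s\n", f, sched[f], parent[f] + 0, sum[f] + 0, status
            if (status != "OK") bad = 1
        }
        for (q in orphan) { printf "%s declared but listed in no altq statement\n", q; bad = 1 }
        exit bad + 0                      # non-zero exit when anything was flagged
    }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: the active altq lines from the pf.conf above.
good_conf="$tmp/good.conf"
cat > "$good_conf" <<'EOF'
altq on fxp0 cbq bandwidth 10Mb queue { lan_out, wlan_out }
queue lan_out bandwidth 8Mb cbq ( default borrow )
queue wlan_out bandwidth 2Mb cbq ( red )
## queue wlan_out bandwidth 90Kb cbq ( red )
altq on ath0 cbq bandwidth 2Mb queue { wlan_in }
queue wlan_in bandwidth 2Mb cbq ( default red )
pass in log all tagged stewie queue wlan_out
EOF

# Constructed sample 2: the disabled per-protocol ath0 layout with std_in
# raised to 1.8Mb (children now total 2.2Mb on a 2Mb parent) and a queue
# that no altq statement lists.
bad_conf="$tmp/bad.conf"
cat > "$bad_conf" <<'EOF'
altq on ath0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, mylink_in }
queue std_in bandwidth 1.8Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in bandwidth 120Kb priority 5
queue mylink_in bandwidth 80Kb cbq(borrow)
queue dns_out bandwidth 100Kb
EOF

for f in "$good_conf" "$bad_conf"; do
    echo "== $f"
    if check_altq "$f"; then echo "-- no problems"; else echo "-- problems found"; fi
done
```

The oversubscription case is the one worth automating: pfctl rejects a cbq
whose children exceed the parent, but a file that only gets loaded at boot
will fail silently into "no queueing at all" unless someone reads the boot
log, and the missing-default case leaves unmatched traffic with no queue to go
to.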