I am running FreeBSD 5.1 with PF 1.65 /w ALTQ and a transparent filtering bridge.

the bridge runs great so far, however my ALTQ configuration is not working right,

I have followed the various altq configuration IN tthe pf.conf documentations
but nothing shows up any queue other than the default queue.

Can someone help me figure out what the problem is?

hednod.

Welcome to S.E. Any chance you can post your ruleset?

Sure thing, here it is. ip's replaced with x's

#Set Variable for Interfaces
ext = "fxp0"
int = "ed0"
admin = "ed1"
loop = "lo0"

set timeout { frag 15, interval 5 }
set limit { frags 2500, states 5000 }
set optimization aggressive
set block-policy drop
set loginterface $ext

scrub in on $ext
scrub out on $ext no-df random-id min-ttl 24 max-mss 1492

#Packet normalization.
scrub in all

# Traffic management
altq on $ext cbq bandwidth 244Kb queue { q_std }
queue q_std bandwidth 100% cbq { q_def, q_web, q_pri }
queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
queue q_web bandwidth 25% priority 2 cbq(borrow)
queue q_pri bandwidth 50% priority 3 cbq(borrow)

#Set Variables for IP addresses
badIP = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 0.0.0.0/8, \
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 127.0.0.0/8 }"
bcast = "{ 10.0.255.255, 209.98.239.47 }"
badport = "{ 67, 68, 427, 135, 137, 138, 139, 161, 1433, 1434, 3389, 31335, 31337}"
WWWHosts = "{xxx.xx.xxx.xx }"
WWWPorts = "{ 80, 443 }"
MAILHosts = "{ xxx.xx.xxx.xx }"
MAILPorts = "{ 143, 993, 389, 636, 110, 995, 25, 465, 119, 563 }"
DNSHosts = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
DNSPorts = "{ 53 }"
SSHHosts = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
SSHPorts = "{ 22 }"
AUTHPorts = "{ 113 }"
AUTHHosts = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
NTPHosts = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
NTPPorts = "{ 123 }"
FTPHosts = "{ xxx.xxx.xxx.xxx }"
FTPPorts = "{ 19 >< 22 }"
USERHosts = "{ xxx.xxx.xxx.xxx/29 }"
USERPorts = "{ >= 1024 }"

#Set Variables for Our IP'S
ournet = "{ xxx.xxx.xxx.xxx/29 }"

# catchall block for everything else
block in all

#Allow loopback addresses for this box
pass in quick on $loop from any to any
pass out quick on $loop from any to any

#Open up internal and admin interfaces (blocking happens on external Interface)
pass in quick on $int inet proto { tcp, udp } from $ournet to any keep state
pass in quick on $int inet proto { icmp } from $ournet to any keep state
pass out quick on $int inet proto { tcp, udp } from any to any keep state
pass out quick on $int inet proto { icmp } from any to any keep state
pass in quick on $admin inet proto { tcp, udp } from any to any keep state
pass in quick on $admin inet proto { icmp } from any to any keep state
pass out quick on $admin inet proto { tcp, udp } from any to any keep state
pass out quick on $admin inet proto { icmp } from any to any keep state

#Open up for Web, Mail, DNS, SSH, Ident, Ntp. Ftp services
pass in quick on $ext inet proto { tcp, udp } from any to $WWWHosts port $WWWPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $MAILHosts port $MAILPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $DNSHosts port $DNSPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $SSHHosts port $SSHPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $AUTHHosts port $AUTHPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $NTPHosts port $NTPPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $FTPHosts port $FTPPorts keep state

# Open up userland range
pass in quick on $ext inet proto { tcp, udp } from any to $USERHosts port $USERPorts keep state

#Altq proccessing for outgoing packets#?
pass out quick on $ext inet proto { tcp, udp } from $WWWHosts to any port $WWWPorts keep state queue q_web
pass out quick on $ext inet proto { tcp, udp } from $MAILHosts to any port $MAILPorts keep state queue q_web
pass out quick on $ext inet proto { tcp, udp } from $DNSHosts port $DNSPorts keep state queue q_pri
pass out quick on $ext inet proto { tcp, udp } from $SSHHosts port $SSHPorts keep state queue q_pri


##Egress Filtering
block out log quick on $ext inet from $badIP to any
block out quick on $ext inet from $bcast to any
block out quick on $ext inet proto { tcp, udp } from any to any port $badport
pass out quick on $ext inet from $ournet to any keep state

##Ingress Filtering
block in log quick on $ext inet from $badIP to any
block in quick on $ext inet from $bcast to any
block in quick on $ext inet proto { tcp, udp } from any to any port $badport
block in log quick on $ext inet from $ournet to any
pass in quick on $ext inet from xxx.xxx.xxx.xxx to any

# hydroponics
pass out quick on $ext inet proto { tcp, udp } from xxx.xx.xxx.xx to any queue q_pri

sorry hednod for not replying sooner. I forgot about this post :(

Let's have a look here:



#Altq proccessing for outgoing packets#?
pass out quick on $ext inet proto { tcp, udp } from $WWWHosts to any port $WWWPorts keep state queue q_web
pass out quick on $ext inet proto { tcp, udp } from $MAILHosts to any port $MAILPorts keep state queue q_web
pass out quick on $ext inet proto { tcp, udp } from $DNSHosts port $DNSPorts keep state queue q_pri
pass out quick on $ext inet proto { tcp, udp } from $SSHHosts port $SSHPorts keep state queue q_pri



I think you need to specify the queue like so:

[code:1:2642b403de]
pass out quick on $ext inet proto { tcp, udp } from $WWWHosts to any port $WWWPorts keep state queue (q_web)
pass out quick on $ext inet proto { tcp, udp } from $MAILHosts to any port $MAILPorts keep state queue (q_web)
pass out quick on $ext inet proto { tcp, udp } from $DNSHosts port $DNSPorts keep state queue (q_pri)
pass out quick on $ext inet proto { tcp, udp } from $SSHHosts port $SSHPorts keep state queue (q_pri)
[/code:1:2642b403de]

Try that see if it works. If not, let me know. Most of my queueing experience thus far has been with priq and not cbq.

no, originaly I had that in my ruleset but i was on irc.freenode.net #pf asking about it and they asked why i was using queue (q_web) with just 1 queue, apparently you don't need the () unless you are using 2 queues such as "queue (q_web, q_ack)

ok well let's look at this then.



#Open up for Web, Mail, DNS, SSH, Ident, Ntp. Ftp services
pass in quick on $ext inet proto { tcp, udp } from any to $WWWHosts port $WWWPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $MAILHosts port $MAILPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $DNSHosts port $DNSPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $SSHHosts port $SSHPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $AUTHHosts port $AUTHPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $NTPHosts port $NTPPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $FTPHosts port $FTPPorts keep state

# Open up userland range
pass in quick on $ext inet proto { tcp, udp } from any to $USERHosts port $USERPorts keep state

#Altq proccessing for outgoing packets#?
pass out quick on $ext inet proto { tcp, udp } from $WWWHosts to any port $WWWPorts keep state queue q_web
pass out quick on $ext inet proto { tcp, udp } from $MAILHosts to any port $MAILPorts keep state queue q_web
pass out quick on $ext inet proto { tcp, udp } from $DNSHosts port $DNSPorts keep state queue q_pri
pass out quick on $ext inet proto { tcp, udp } from $SSHHosts port $SSHPorts keep state queue q_pri



look at those lines. You're passing traffic out before it makes it to a queue. You don't need the following section.


#Open up for Web, Mail, DNS, SSH, Ident, Ntp. Ftp services
pass in quick on $ext inet proto { tcp, udp } from any to $WWWHosts port $WWWPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $MAILHosts port $MAILPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $DNSHosts port $DNSPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $SSHHosts port $SSHPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $AUTHHosts port $AUTHPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $NTPHosts port $NTPPorts keep state
pass in quick on $ext inet proto { tcp, udp } from any to $FTPHosts port $FTPPorts keep state

you are confusing pass in and pass out rules i think.

if i take those pass in rules out, no traffic can get in.

and the pass out rules are to apply queue to OUTgoing traffic

and the pass userrange set is to pass 1025-65535, which is not being passed anywhere else.

if i look at my ruleset and traffic passing through all the rulesets are getting traffic. the ones with queue included.

DOH! :oops: you are right, I mis-read that completely sorry about that man.

*EDIT*
I don't know what I was thinking with that. I could've swore they were both pass in rules. I guess if you're gonna screw up, screw up big. That was a big one for me.
*/EDIT*