mirobe
September 28th, 2003, 10:11
Hello, I have problems with my configuration.
I'm using pf.conf configuration from http://openbsd.org/faq/pf/queueing.html (the first one example).
Of course I've replaced the interface names with the proper ones.
---------
#####
local_net = "192.168.0.0/24"
ssh_ports = "{ 22 2022 }"
im_ports = "{ 1863 5190 5222 }"
ext_if="ed0"
int_if="xl0"
scrub in all no-df
altq on $ext_if priq bandwidth 100Kb queue { std_out, ssh_im_out, dns_out, \
tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
altq on $int_if cbq bandwidth 510Kb queue { std_in, ssh_im_in, dns_in, bob_in }
queue std_in cbq(default)
queue ssh_im_in priority 4
queue dns_in priority 5
nat on $ext_if from $int_if/24 to any -> $ext_if
## Port forwarding for DC, GG, icq etc.
rdr on $ext_if proto tcp from any to $ext_if port 4000:4005 -> 192.168.0.6
rdr on $ext_if proto tcp from any to $ext_if port 1551 -> 192.168.0.6
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.6
rdr on $ext_if proto tcp from any to $ext_if port 416 -> 192.168.0.6
rdr on $ext_if proto udp from any to $ext_if port 416 -> 192.168.0.6
# filter rules for incoming traffic on $ext_if
block in on $ext_if all
# filter rules for outgoing traffic on $ext_if
block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
keep state queue(std_out, tcp_ack_out)
pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports \
flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports \
flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
# filter rules for incoming traffic on $int_if
block in on $int_if all
pass in on $int_if from $local_net
# filter rules for outgoing traffic on $int_if
block out on $int_if all
pass out on $int_if from any to $local_net
pass out on $int_if proto { tcp udp } from any port domain to $local_net \
queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to $local_net \
queue(std_in, ssh_im_in)
pass out on $int_if proto tcp from any port $im_ports to $local_net \
queue ssh_im_in
---
All I want to achieve with this configuration is non-lagged ssh output.
I'm using an ADSL 512/128 connection, and I would like to be able
to connect to external SSH ports with no delays.
When I'm uploading some file from my local computer (192.168.0.6) to a
host on the Internet, e.g. 212.160.150.190, my ssh connection to e.g. 212.140.158.190 becomes lagged.
According to the rules, it should work without any delays?
Maybe I'm wrong; is it possible to achieve this?
PS. I'm using pf+altq merged for FreeBSD 5.1 Release.
Rules are being loaded with no errors, packets are being counted properly.
Maybe you could provide me with the simplest ssh + tcp ack highest priority config?
I've spent a few weeks trying to solve this problem :-(
Thanks!
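As an added example, not from the original thread or from pf itself: a small Python checker that parses a constructed, cut-down copy of the ruleset above and reports queue names that are referenced but never defined. On the posted configuration it flags `bob_in`, which appears in the `altq on $int_if cbq` child list but has no `queue bob_in ...` line in the post; the parser assumes only the syntax visible there (backslash continuations, `queue { ... }` child lists, `queue(a, b)` and `queue a` on pass rules).

```python
import re

# Constructed sample: a cut-down copy of the pf.conf posted above (altq/queue
# lines plus two pass rules); "queue bob_in" is absent exactly as in the post.
SAMPLE_PF_CONF = r"""
altq on $ext_if priq bandwidth 100Kb queue { std_out, ssh_im_out, dns_out, \
tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
altq on $int_if cbq bandwidth 510Kb queue { std_in, ssh_im_in, dns_in, bob_in }
queue std_in cbq(default)
queue ssh_im_in priority 4
queue dns_in priority 5
# filter rules for outgoing traffic
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
keep state queue(std_out, tcp_ack_out)
pass out on $int_if proto tcp from any port 22 to 192.168.0.0/24 \
queue(std_in, ssh_im_in)
"""

def join_continuations(text):
    """Join backslash-continued lines the way pfctl reads them."""
    return re.sub(r"\s*\\\n\s*", " ", text)

def _names(blob):
    """Split a '{ a, b }' or '(a, b)' body into bare queue names."""
    return [n for n in re.split(r"[\s,]+", blob.strip()) if n]

def check_queues(conf):
    """Return sorted queue names that are referenced but never defined.
    Definitions: 'queue NAME ...' lines.  References: an 'altq ... queue {}'
    child list, a '{}' child list on a queue definition, and 'queue(a, b)'
    or 'queue a' assignments on pass rules."""
    defined, referenced = set(), set()
    for raw in join_continuations(conf).splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("queue "):
            defined.add(line.split()[1])
            m = re.search(r"\{([^}]*)\}", line)
            if m:
                referenced.update(_names(m.group(1)))
            continue
        m = re.search(r"\bqueue\s*(?:\{([^}]*)\}|\(([^)]*)\)|(\S+))", line)
        if m:
            referenced.update(_names(next(g for g in m.groups() if g)))
    return sorted(referenced - defined)
```

Running `check_queues(SAMPLE_PF_CONF)` on the sample returns `['bob_in']`; adding a `queue bob_in ...` definition makes the list empty.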