This is a discussion on limiting bandwidth within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Hi,

I have an issue with one of my computers on my LAN where I need to limit the bandwidth it's allowed to use (for upload). The reason is my cable provider has capped my upload speed at 128kbits, but allows the full 10Mbit down. The user of this machine often sends large emails (often 3 meg or more) and when this happens, the rest of the network chokes. Is there a way I can limit the upload speed of a particular machine to say 4k/s max? Does PF have some feature for this?!?
| |||
"Paul" <paul@rtfm.org> writes:

> down. The user of this machine often sends large emails (often 3 meg
> or more) and when this happens, the rest of the network chokes. Is
> there a way I can limit the upload speed of a particular machine to
> say 4k/s max? Does PF have some feature for this?!?

Yes. altq is what you are looking for.

If all you want to do is limit the bandwidth for a single machine, you can set up a default queue with total bandwidth equal to total outgoing capacity, then set up a subqueue with the max bandwidth you want that machine to use, then write one or more rules which pass the traffic from that machine on the smaller queue. Let the rest of the traffic you pass use the default queue.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
| |||
"Peter N. M. Hansteen" <peter@bgnett.no> wrote in message news:86u0o39yx1.fsf@amidala.datadok.no...

> "Paul" <paul@rtfm.org> writes:
>
>> down. The user of this machine often sends large emails (often 3 meg
>> or more) and when this happens, the rest of the network chokes. Is
>> there a way I can limit the upload speed of a particular machine to
>> say 4k/s max? Does PF have some feature for this?!?
>
> Yes. altq is what you are looking for.
>
> If all you want to do is limit the bandwidth for a single machine, you
> can set up a default queue with total bandwidth equal to total outgoing
> capacity, then set up a subqueue with the max bandwidth you want that
> machine to use, then write one or more rules which pass the traffic from
> that machine on the smaller queue. Let the rest of the traffic you pass
> use the default queue.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

I'll have a look at this. I bought a book called "Absolute OpenBSD". Now that I know it's ALTQ, I'll read up on it :-)

Thanks!
| |||
I would add a rule in my NAT section, correct?

So pass packets outbound from 192.168.1.10 to queue blah blah and inbound NAT packets destined to 192.168.1.10 to whatever queue?

"Peter N. M. Hansteen" <peter@bgnett.no> wrote in message news:86u0o39yx1.fsf@amidala.datadok.no...

> "Paul" <paul@rtfm.org> writes:
>
>> down. The user of this machine often sends large emails (often 3 meg
>> or more) and when this happens, the rest of the network chokes. Is
>> there a way I can limit the upload speed of a particular machine to
>> say 4k/s max? Does PF have some feature for this?!?
>
> Yes. altq is what you are looking for.
>
> If all you want to do is limit the bandwidth for a single machine, you
> can set up a default queue with total bandwidth equal to total outgoing
> capacity, then set up a subqueue with the max bandwidth you want that
> machine to use, then write one or more rules which pass the traffic from
> that machine on the smaller queue. Let the rest of the traffic you pass
> use the default queue.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
| |||
Ok.. I have an issue, the traffic I am wanting to limit is NAT'd traffic. Is this still possible to do?

"Peter N. M. Hansteen" <peter@bgnett.no> wrote in message news:86u0o39yx1.fsf@amidala.datadok.no...

> "Paul" <paul@rtfm.org> writes:
>
>> down. The user of this machine often sends large emails (often 3 meg
>> or more) and when this happens, the rest of the network chokes. Is
>> there a way I can limit the upload speed of a particular machine to
>> say 4k/s max? Does PF have some feature for this?!?
>
> Yes. altq is what you are looking for.
>
> If all you want to do is limit the bandwidth for a single machine, you
> can set up a default queue with total bandwidth equal to total outgoing
> capacity, then set up a subqueue with the max bandwidth you want that
> machine to use, then write one or more rules which pass the traffic from
> that machine on the smaller queue. Let the rest of the traffic you pass
> use the default queue.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
| |||
"Paul" <paul@rtfm.org> writes:

> Ok.. I have an issue, the traffic I am wanting to limit is NAT'd traffic.
> Is this still possible to do?

Whether you NAT or not should not affect your queueing. Your pass rule will be something like

    pass from $bandwidth_hogger to any port $allowed_ports \
        keep state queue thin_pipe
    pass from $rest_of_lan to any port $allowed_ports \
        keep state queue big_pipe

- assuming of course you have defined bandwidth_hogger, allowed_ports, rest_of_lan and the queues thin_pipe, big_pipe already.

My PF tutorial (http://www.bgnett.no/~peter/pf/en/) contains a few reasonably clear examples lifted from real world use which are slightly less complex than the ones in the excellent PF user guide.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
| |||
I have set it up like so..

    bandwidth_hogger="192.168.1.20"

    # Queueing: rule-based bandwidth control.
    altq on rl1 bandwidth 10Mb cbq queue {dflt, limited_pipe}
    queue dflt bandwidth 9Mb cbq(default)
    queue limited_pipe bandwidth 56Kb

and the rule I have set for this machine is:

    pass from $bandwidth_hogger to any keep state queue limited_pipe

bandwidth hogger is still happily getting download speeds of 700k a second :/

What have I missed?

"Peter N. M. Hansteen" <peter@bgnett.no> wrote in message news:86d5ur9vu1.fsf@amidala.datadok.no...

> "Paul" <paul@rtfm.org> writes:
>
>> Ok.. I have an issue, the traffic I am wanting to limit is NAT'd
>> traffic.
>> Is this still possible to do?
>
> Whether you NAT or not should not affect your queueing. Your pass rule
> will be something like
>
> pass from $bandwidth_hogger to any port $allowed_ports \
> keep state queue thin_pipe
> pass from $rest_of_lan to any port $allowed_ports \
> keep state queue big_pipe
>
> - assuming of course you have defined bandwidth_hogger, allowed_ports,
> rest_of_lan and the queues thin_pipe, big_pipe already.
>
> My PF tutorial (http://www.bgnett.no/~peter/pf/en/) contains a few
> reasonably clear examples lifted from real world use which are slightly
> less complex than the ones in the excellent PF user guide.
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
| |||
"Paul" <paul@rtfm.org> writes:

> bandwidth hogger is still happily getting download speeds of 700k a second

"download" would be incoming traffic, right? You would need another rule for "from any to $bandwidth_hogger", then.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
| |||
I have,

    pass out from $bandwidth_hogger to any keep state queue limited_pipe
    pass in from any to $bandwidth_hogger keep state queue limited_pipe

Interface rl1 is connected to a cable modem, interface rl0 is just for LAN traffic to and from the gateway.

If I set altq on either interface it makes no difference. Each time I try something I do a:

    pfctl -F all
    pfctl -f /etc/pf.conf

So restarting the gateway shouldn't be necessary, right?

I set the altq on rl0 as a test, then ftp'd into the gateway and pulled a file down, it went at full speed. So it seems it's not even limiting LAN traffic to that machine even if I want it to.

My rules start like this... It's as if the rules I have put in there to pass the traffic onto the queue are being ignored.

    # Filtering: the implicit first two rules are
    block in log all
    block out log all
    antispoof log for rl1
    pass on lo0 from any to any
    pass out from $bandwidth_hogger to any keep state queue limited_pipe
    pass in from any to $bandwidth_hogger keep state queue limited_pipe
    pass out on rl1 to any    #allow all outbound connections to the internet
    pass on rl0 from any to any    #allow LAN to breathe
    pass in proto tcp from any to rl1 port {113,6667}
    <snip the rest>

Can you see anything wrong with how I have set it up? Should I have the queue assigned to rl0 or rl1? I am not worried about the machine having full speed across the LAN, I am worried about it having full access to the bandwidth available in rl1. If it's only possible for me to limit the bandwidth to that machine from rl0 then I am willing to do that.

"Peter N. M. Hansteen" <peter@bgnett.no> wrote in message news:867jkz9u7w.fsf@amidala.datadok.no...

> "Paul" <paul@rtfm.org> writes:
>
>> bandwidth hogger is still happily getting download speeds of 700k a
>> second
>
> "download" would be incoming traffic, right? You would need another rule
> for "from any to $bandwidth_hogger", then.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
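
An added example, not written by any poster in this thread: pf evaluates a ruleset top to bottom and, unless a matching rule is marked `quick`, the last matching rule decides the packet, including which queue it is assigned to. The sketch below applies that to the ruleset posted above, next to a variant that places the direction-less queue rule from the earlier post last. It models only direction, interface and addresses; NAT, state, ports, the antispoof rule and the port 113/6667 rule are left out, and `REMOTE` is a constructed address.

```python
from dataclasses import dataclass
from typing import Optional

HOG = "192.168.1.20"       # $bandwidth_hogger from the thread
REMOTE = "203.0.113.25"    # constructed destination (documentation range)

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None       # None = any interface
    src: str = "any"
    dst: str = "any"
    queue: Optional[str] = None       # None = no queue named by this rule
    quick: bool = False

def matches(r, direction, iface, src, dst):
    return (r.direction in (None, direction) and r.iface in (None, iface)
            and r.src in ("any", src) and r.dst in ("any", dst))

def decide(rules, direction, iface, src, dst):
    """pf semantics: the last matching rule wins unless a match is `quick`."""
    winner = None
    for r in rules:
        if matches(r, direction, iface, src, dst):
            winner = r
            if r.quick:
                break
    return winner

BASE = [Rule("block", "in"), Rule("block", "out"), Rule("pass", iface="lo0")]
GENERAL = [Rule("pass", "out", iface="rl1"), Rule("pass", iface="rl0")]
# Order as posted: the queue rules come before the general pass rules.
POSTED = BASE + [
    Rule("pass", "out", src=HOG, queue="limited_pipe"),
    Rule("pass", "in", dst=HOG, queue="limited_pipe"),
] + GENERAL
# Variant: the direction-less rule from the earlier post, placed last.
REORDERED = BASE + GENERAL + [Rule("pass", src=HOG, queue="limited_pipe")]

def upload_queues(rules):
    """Queue named on each hop of an upload: in on rl0, then out on rl1."""
    hops = [("in", "rl0"), ("out", "rl1")]
    return [decide(rules, d, i, HOG, REMOTE).queue for d, i in hops]

if __name__ == "__main__":
    print("posted   :", upload_queues(POSTED))
    print("reordered:", upload_queues(REORDERED))
```

With the posted order, both hops of an upload are decided by the general pass rules, which name no queue; with the queue rule last, both hops name `limited_pipe`.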
| ||||
> I'll have a look at this. I bought a book called "Absolute OpenBSD". Now
> that I know it's ALTQ, I'll read up on it :-)
>

Paul, you should read this article: http://www.benzedrine.cx/ackpri.html

I use the approach described there and can utilize the full simultaneous upload/download potential of my cable. Don't forget to queue every pass rule, including the incoming ones.

/tpf