altq will nicht ...

merl · 06.09.2005, 15:31

hallo,

also nach dem bau eines neuen kernels mit altq ...

schnipp--------------
altq on rl0 cbq bandwidth 11Mb queue { std, endor_bt }
queue std bandwidth 10Mb cbq(default)
queue endor_bt bandwidth 12Kb
pass out quick on rl0 proto { tcp, udp } from $endor port $bittorrent_tcp to any queue endor_bt
schnapp-------------

leider wird hier nix begrenzt ... warum ist mir eigendlich unklar ...

hat jemand einen tip?

gruss merl

napolion · 06.09.2005, 23:59

Hello.
Was für options hast du in die "kernelconf" aufgenommen.
Welche files schauen wie aus wäre evtl auch interresant.
schnipp - schnapp macht nur das Krokodil ohne zu wissen woher und wohin.

MfG nap

merl · 07.09.2005, 06:53

hallo,

also hier die kernel optionen:
options ALTQ
options ALTQ_CBQ # Class Bases Queueing
options ALTQ_RED # Random Early Drop
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Prioirity Queueing
options ALTQ_NOPCC # Required for SMP build

rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
log_logfile="/var/log/pflog"
pflog_flags=""

pf.conf

# Interfaces
dmz_if = "fxp0"
int_if = "fxp1"
ext_if = "rl0"

# Rechner
phantom = "212.21.69.98"
endor = "212.21.69.100"
mailrelay = "212.21.75.66"

# Vergeben IP's auf User
hagenip = "{ 212.21.68.36, 212.21.68.37, 212.21.68.40 }"
timmip = "{ 212.21.68.38, 212.21.68.39 }"
gunnarip = "{ 212.21.68.34, 212.21.68.35 }"
eleip = "212.21.68.41"
toralfip = "{ 212.21.68.33, 212.21.68.44 }"
ankeip = "{ 212.21.68.42, 212.21.68.43 }"

# Zugangsberechtigung fuer SSH
sshrech = "{ 212.21.69.97, 212.21.69.100 }"
remote = "{ 194.114.76.60, 212.21.75.66 }"

# Ports
admin_services = "22"
mail_services = "25"
tcp_services = "{ 21, 20, 53, 123, 443, 8880 }"
udp_services = "{ 123, 24580, 24501 }"
bittorrent_tcp = "{ 6969, 6881:6889, 3881:3889 }"
voip_tcp_udp = "{ 3478, 3479, 5000:5010, 5060:5070, 7000:7010, 8000:8010, 10000 }"

# BlackIP's aus Blockliste auslesen
table <spyware> persist file "/blocklisten/blocklist.txt"

# Setzen von Optionen
set loginterface $ext_if
set optimization aggressive
scrub in all

# Traffic Managment
altq on $ext_if cbq bandwidth 11Mb queue { std, endor_bt }
queue std bandwidth 10Mb cbq(default)
queue endor_bt bandwidth 12Kb

# Redirect Regeln
rdr on $int_if proto tcp from any to any port 80 -> 212.21.96.98
rdr on $dmz_if proto tcp from any to any port 80 -> 212.21.96.98
rdr on $int_if proto tcp from any to any port 8888 -> 127.0.0.1 port 8118
rdr on $dmz_if proto tcp from any to any port 8888 -> 127.0.0.1 port 8118
rdr on $int_if proto tcp from any to any port 8080 -> 212.21.75.251 port 3128

rdr on $dmz_if proto tcp from any to any port 8080 -> 212.21.75.251 port 3128

# Generelle Block Regel
block in all
block out on $ext_if from 212.21.69.100 to any

# Freiwillig machen wir keinen mucks

block return log on $ext_if

# Wir wollen kein IPv6.0
block quick inet6

# Block HotIps
block quick log from any to <spyware>

# Auf dem Loopback alles erlauben
pass quick on lo0 all

# Rules zum Redirect
pass in quick on $int_if proto tcp from any to ($int_if) port 80
pass in quick on $int_if proto tcp from any to ($dmz_if) port 80
pass in quick on $int_if proto tcp from any to ($int_if) port 8080
pass in quick on $dmz_if proto tcp from any to ($dmz_if) port 8080
pass in quick on $int_if proto tcp from any to ($int_if) port 8888
pass in quick on $dmz_if proto tcp from any to ($dmz_if) port 8888

# Video und RealStreaming
pass in quick on $int_if proto udp from any port 6970:7170 to any keep state
pass in quick on $int_if proto tcp from any port { 7070, 7071, 554 } to any keep state
pass in quick on $dmz_if proto udp from any port 6970:7170 to any keep state
pass in quick on $dmz_if proto tcp from any port { 7070, 7071, 554 } to any keep state

# VOIP Ports
pass quick proto { tcp, udp } from any to any port $voip_tcp_udp keep state

# HTTP, SSH, FTP, NTP, DBOX
pass quick proto tcp from any port $tcp_services to any keep state

pass in quick log on $ext_if proto tcp from $remote to $sshrech port $admin_services flags S/SA keep state

pass in quick on $ext_if proto udp from any to any port $udp_services keep state
pass in quick on $dmz_if proto udp from any to any port $udp_services keep state
pass in quick on $int_if proto udp from any to any port $udp_services keep state

pass in quick log on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA synproxy state

pass in quick on $ext_if proto tcp from $mailrelay to ($ext_if) port $mail_services keep state

# Rules Site endor.port-x.de
pass in quick log on $ext_if proto tcp from any to $endor port 80 flags S/SA synproxy state
pass in quick on $ext_if proto { tcp, udp } from any to $endor port $bittorrent_tcp
pass out quick on $ext_if proto { tcp, udp } from $endor port $bittorrent_tcp to any queue endor_bt
# Ende Site endor.port-x.de

# User Rules Site hagen.port-x.de
pass in quick on $ext_if proto tcp from any to 212.21.68.40 port { 80, 8080 } flags S/SA synproxy state
# Ende Site hagen.port-x.de

# User Rules Mario's PowerBook
pass in quick on $dmz_if proto { tcp, udp } from 212.21.69.103 to any port $bittorrent_tcp keep state
pass in quick on $ext_if proto { tcp, udp } from any to 212.21.69.103 port $bittorrent_tcp keep state
# Ende Mario's PowerBook

# ICMP
pass out quick on $int_if proto { udp, icmp } all keep state
pass out quick on $dmz_if proto { udp, icmp } all keep state
pass out quick on $int_if proto tcp from any to any port { 22, 23 } keep state
pass out quick on $dmz_if proto tcp from any to any port { 22, 23 } keep state

# WLAN <> LAN
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state
pass in quick on $dmz_if from $dmz_if:network to any keep state
pass out quick on $dmz_if from any to $dmz_if:network keep state

# Ausgang nach zum Internet
pass out quick on $ext_if proto tcp all modulate state flags S/SA
PASS out quick on $ext_if proto { udp, icmp } all keep state

merl · 07.09.2005, 06:56

Vergessen noch zuzufügen:

also eigendlich funktioniert alles, natuerlich kann die pf.conf noch optimiert werden, bin ja gerade erst dabei
mich dort einzuarbeiten. aber das altq scheint irgendwie überhaupt nicht zu wollen.

ps: auch haette ich jetzt alles ips aendern koennen, aber ich habe nix zu verbergen ... ;-) ;-)

napolion · 14.09.2005, 09:27

Folgende Zeilen stammen aus der Feder eines
Sonymitarbeiters der sich damit beschäftigt hat.
{http://www.csl.sony.co.jp/person/kjc/software/TIPS.txt}
---
Q. CBQ doesn't work as I expected.
A. It is not easy to track down problems.
My rule of thumb to track down problems:
- watch out for possible interference: CPU or link could
get saturated before queueing takes place.
- start with a simple setting, add complexity step by step.
- use "altqstat" to get the statistics and the internal
state of CBQ.
- try a kernel with a fine-grained timer value. if the
problem is gone, there must be some granularity
mismatching.
---
Weiters gibts da noch eine altq debug option für denn Kernel.

Das sollte dir helfen, vor Ort, das Problem einzugrenzen.

Versionsangaben sind meist auch nützlich bei der Fehlersuche.

Leider hab ich nicht die entsprechenden Resourcen um die
Problemstellung nachzubilden
ist aber eine interessante Thematik.

PS.:Hast du nicht mal gepostet das dir pf/altq so taugt?

Viel Spass.

MfG nap

06.09.2005, 15:31	#1
merl Registered User Registrierungsdatum: Jul 2005 Beiträge: 17	altq will nicht ... hallo, also nach dem bau eines neuen kernels mit altq ... schnipp-------------- altq on rl0 cbq bandwidth 11Mb queue { std, endor_bt } queue std bandwidth 10Mb cbq(default) queue endor_bt bandwidth 12Kb pass out quick on rl0 proto { tcp, udp } from $endor port $bittorrent_tcp to any queue endor_bt schnapp------------- leider wird hier nix begrenzt ... warum ist mir eigendlich unklar ... hat jemand einen tip? gruss merl

06.09.2005, 23:59	#2
napolion Registered User Registrierungsdatum: Jan 2003 Beiträge: 143	Hello. Was für options hast du in die "kernelconf" aufgenommen. Welche files schauen wie aus wäre evtl auch interresant. schnipp - schnapp macht nur das Krokodil ohne zu wissen woher und wohin. MfG nap Geändert von napolion (07.09.2005 um 00:00 Uhr). Grund: hmm, rechtscheriebung :)

Themen-Optionen
Druckbare Version zeigen Diese Seite per E-Mail verschicken
Ansicht	Thema bewerten
Linear-Darstellung Zur Hybrid-Darstellung wechseln Zur Baum-Darstellung wechseln	Thema bewerten:

Ähnliche Themen
Thema	Erstellt von	Forum	Antworten	Letzter Beitrag
Altq?	Mr. BBQ	OpenBSD - Allgemein	3	19.09.2005 18:35
Paketpriorisierung mit PF und ALTQ	I.MC	FreeBSD - Netzwerk	2	18.10.2004 21:46
pf mit ALTQ Support Howto	Stefan Bauer	Howtos	7	02.10.2004 21:02
Zusammenführung von ALTQ und PF	asg	News	0	20.08.2003 07:28
altq mit freebsd 5.0 und t-dsl?	minski	FreeBSD - Netzwerk	6	12.07.2003 23:06

07.09.2005, 06:53	#3
merl Registered User Registrierungsdatum: Jul 2005 Beiträge: 17	hallo, also hier die kernel optionen: options ALTQ options ALTQ_CBQ # Class Bases Queueing options ALTQ_RED # Random Early Drop options ALTQ_RIO # RED In/Out options ALTQ_HFSC # Hierarchical Packet Scheduler options ALTQ_CDNR # Traffic conditioner options ALTQ_PRIQ # Prioirity Queueing options ALTQ_NOPCC # Required for SMP build rc.conf: pf_enable="YES" pf_rules="/etc/pf.conf" pf_flags="" pflog_enable="YES" log_logfile="/var/log/pflog" pflog_flags="" pf.conf # Interfaces dmz_if = "fxp0" int_if = "fxp1" ext_if = "rl0" # Rechner phantom = "212.21.69.98" endor = "212.21.69.100" mailrelay = "212.21.75.66" # Vergeben IP's auf User hagenip = "{ 212.21.68.36, 212.21.68.37, 212.21.68.40 }" timmip = "{ 212.21.68.38, 212.21.68.39 }" gunnarip = "{ 212.21.68.34, 212.21.68.35 }" eleip = "212.21.68.41" toralfip = "{ 212.21.68.33, 212.21.68.44 }" ankeip = "{ 212.21.68.42, 212.21.68.43 }" # Zugangsberechtigung fuer SSH sshrech = "{ 212.21.69.97, 212.21.69.100 }" remote = "{ 194.114.76.60, 212.21.75.66 }" # Ports admin_services = "22" mail_services = "25" tcp_services = "{ 21, 20, 53, 123, 443, 8880 }" udp_services = "{ 123, 24580, 24501 }" bittorrent_tcp = "{ 6969, 6881:6889, 3881:3889 }" voip_tcp_udp = "{ 3478, 3479, 5000:5010, 5060:5070, 7000:7010, 8000:8010, 10000 }" # BlackIP's aus Blockliste auslesen table <spyware> persist file "/blocklisten/blocklist.txt" # Setzen von Optionen set loginterface $ext_if set optimization aggressive scrub in all # Traffic Managment altq on $ext_if cbq bandwidth 11Mb queue { std, endor_bt } queue std bandwidth 10Mb cbq(default) queue endor_bt bandwidth 12Kb # Redirect Regeln rdr on $int_if proto tcp from any to any port 80 -> 212.21.96.98 rdr on $dmz_if proto tcp from any to any port 80 -> 212.21.96.98 rdr on $int_if proto tcp from any to any port 8888 -> 127.0.0.1 port 8118 rdr on $dmz_if proto tcp from any to any port 8888 -> 127.0.0.1 port 8118 rdr on $int_if proto tcp from any to any port 8080 -> 212.21.75.251 port 3128 rdr on $dmz_if proto tcp from any to any port 8080 -> 212.21.75.251 port 3128 # Generelle Block Regel block in all block out on $ext_if from 212.21.69.100 to any # Freiwillig machen wir keinen mucks block return log on $ext_if # Wir wollen kein IPv6.0 block quick inet6 # Block HotIps block quick log from any to <spyware> # Auf dem Loopback alles erlauben pass quick on lo0 all # Rules zum Redirect pass in quick on $int_if proto tcp from any to ($int_if) port 80 pass in quick on $int_if proto tcp from any to ($dmz_if) port 80 pass in quick on $int_if proto tcp from any to ($int_if) port 8080 pass in quick on $dmz_if proto tcp from any to ($dmz_if) port 8080 pass in quick on $int_if proto tcp from any to ($int_if) port 8888 pass in quick on $dmz_if proto tcp from any to ($dmz_if) port 8888 # Video und RealStreaming pass in quick on $int_if proto udp from any port 6970:7170 to any keep state pass in quick on $int_if proto tcp from any port { 7070, 7071, 554 } to any keep state pass in quick on $dmz_if proto udp from any port 6970:7170 to any keep state pass in quick on $dmz_if proto tcp from any port { 7070, 7071, 554 } to any keep state # VOIP Ports pass quick proto { tcp, udp } from any to any port $voip_tcp_udp keep state # HTTP, SSH, FTP, NTP, DBOX pass quick proto tcp from any port $tcp_services to any keep state pass in quick log on $ext_if proto tcp from $remote to $sshrech port $admin_services flags S/SA keep state pass in quick on $ext_if proto udp from any to any port $udp_services keep state pass in quick on $dmz_if proto udp from any to any port $udp_services keep state pass in quick on $int_if proto udp from any to any port $udp_services keep state pass in quick log on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA synproxy state pass in quick on $ext_if proto tcp from $mailrelay to ($ext_if) port $mail_services keep state # Rules Site endor.port-x.de pass in quick log on $ext_if proto tcp from any to $endor port 80 flags S/SA synproxy state pass in quick on $ext_if proto { tcp, udp } from any to $endor port $bittorrent_tcp pass out quick on $ext_if proto { tcp, udp } from $endor port $bittorrent_tcp to any queue endor_bt # Ende Site endor.port-x.de # User Rules Site hagen.port-x.de pass in quick on $ext_if proto tcp from any to 212.21.68.40 port { 80, 8080 } flags S/SA synproxy state # Ende Site hagen.port-x.de # User Rules Mario's PowerBook pass in quick on $dmz_if proto { tcp, udp } from 212.21.69.103 to any port $bittorrent_tcp keep state pass in quick on $ext_if proto { tcp, udp } from any to 212.21.69.103 port $bittorrent_tcp keep state # Ende Mario's PowerBook # ICMP pass out quick on $int_if proto { udp, icmp } all keep state pass out quick on $dmz_if proto { udp, icmp } all keep state pass out quick on $int_if proto tcp from any to any port { 22, 23 } keep state pass out quick on $dmz_if proto tcp from any to any port { 22, 23 } keep state # WLAN <> LAN pass in quick on $int_if from $int_if:network to any keep state pass out quick on $int_if from any to $int_if:network keep state pass in quick on $dmz_if from $dmz_if:network to any keep state pass out quick on $dmz_if from any to $dmz_if:network keep state # Ausgang nach zum Internet pass out quick on $ext_if proto tcp all modulate state flags S/SA PASS out quick on $ext_if proto { udp, icmp } all keep state

07.09.2005, 06:56	#4
merl Registered User Registrierungsdatum: Jul 2005 Beiträge: 17	Vergessen noch zuzufügen: also eigendlich funktioniert alles, natuerlich kann die pf.conf noch optimiert werden, bin ja gerade erst dabei mich dort einzuarbeiten. aber das altq scheint irgendwie überhaupt nicht zu wollen. ps: auch haette ich jetzt alles ips aendern koennen, aber ich habe nix zu verbergen ... ;-) ;-)

14.09.2005, 09:27	#5
napolion Registered User Registrierungsdatum: Jan 2003 Beiträge: 143	Folgende Zeilen stammen aus der Feder eines Sonymitarbeiters der sich damit beschäftigt hat. {http://www.csl.sony.co.jp/person/kjc/software/TIPS.txt} --- Q. CBQ doesn't work as I expected. A. It is not easy to track down problems. My rule of thumb to track down problems: - watch out for possible interference: CPU or link could get saturated before queueing takes place. - start with a simple setting, add complexity step by step. - use "altqstat" to get the statistics and the internal state of CBQ. - try a kernel with a fine-grained timer value. if the problem is gone, there must be some granularity mismatching. --- Weiters gibts da noch eine altq debug option für denn Kernel. Das sollte dir helfen, vor Ort, das Problem einzugrenzen. Versionsangaben sind meist auch nützlich bei der Fehlersuche. Leider hab ich nicht die entsprechenden Resourcen um die Problemstellung nachzubilden ist aber eine interessante Thematik. PS.:Hast du nicht mal gepostet das dir pf/altq so taugt? Viel Spass. MfG nap

Dieses Thema betrachten zurzeit 1 Personen. (0 registrierte Benutzer und 1 Gäste)