RE: ALTQ on GIF Interface - how much trouble to implement?



Well, I'm not sure the FAQ will help you because you probably already read
it. But since you ask these things... :=) ... I suppose you need to use
traffic queueing on your internal (LAN) interfaces.
http://www.openbsd.org/faq/pf/queueing.html has examples of doing that.
Also, http://www.openbsd.org/faq/pf/tagging.html has examples of using
tagging. But the general idea is straightforward:

pass in on $int_if to $central_office_net tag VPN keep state
pass in on $int_if proto tcp to $central_office_net port { 80, 443 } tag VPN_HTTP keep state
pass in on $int_if proto tcp to $central_office_net port { 3306, 1443 } tag VPN_DB keep state
...
pass in on $int_if tagged VPN_HTTP keep state queue XXX
pass in on $int_if tagged VPN_DB keep state queue YYY
pass in on $int_if tagged VPN keep state queue XXX

I think limiting "out" traffic on internal interface is meaningless - I
would limit it as "in" traffic on another VPN endpoint instead.

-----Original Message-----
From: owner-freebsd-pf@xxxxxxxxxxx [mailto:owner-freebsd-pf@xxxxxxxxxxx]
On Behalf Of J. Buck Caldwell
Sent: Monday, May 01, 2006 6:33 AM
To: freebsd-pf@xxxxxxxxxxx; freebsd-net@xxxxxxxxxxx
Subject: ALTQ on GIF Interface - how much trouble to implement?

I'm in desperate need to do some traffic prioritization using pf and
ALTQ over a GIF tunnel. I asked this question some time ago on
freebsd-stable, and was told to use tags - but either I'm doing it
wrong, or it just doesn't work (probably, I'm doing it wrong). Either
way, supporting ALTQ over GIF would be a far preferable solution.

Here's the problem. I have a corporate office with a 4.5mb/sec
connection, and several branches with 3m-down/768k-up cable connections.

Each endpoint has a FreeBSD 5.4 or 6.x (migrating all to 6.x) box
providing NAT, DNS, DHCP etc - and connecting to the other endpoints via
GIF tunnels, encrypted point-to-point with IPSec. While prioritizing the
actual tunnel traffic (via "pass out quick on $ext_if queue(gif_out,
pri_out) proto { ipencap, esp } all keep state") does actually send the
GIF/IPSEC traffic out at a higher priority, what I need to do is to
actually prioritize the traffic inside the tunnel.

For example - the tunnel carries traffic between the branches and the
corporate office, such as Lotus Notes, telnet/ssh sessions, and database queries.
What I need to do is prioritize the traffic so that, say, Notes traffic
goes out before Web traffic, but the database traffic is highest
priority (just under empty ACKs and such).

Currently, ALTQ support is not available in the GIF interface driver.
How difficult would it be to implement? I've done a little reading of
the man pages and source code, and while I am a decent Windows
programmer (C, not visual basic, get that look off your face), I've
never done any coding for FreeBSD, and wouldn't know quite where to
start.

If this is something that can be done relatively easily, I would be
willing to test, and possibly to help code, but I'll need pointers.
Otherwise, I'd love to get some help on figuring out how tagging works
so I can get it operating correctly.

_______________________________________________
freebsd-pf@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@xxxxxxxxxxx"
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
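An added example, not taken from either message above, that carries the tagging idea from the reply through to ALTQ queues on the uplink, which is where the encapsulated tunnel packets actually leave the box. Interface names, the office network, the 768Kb figure (the branch upload rate from the question), the Notes port 1352 and the database ports are all assumed; it further assumes that the pf tag set on the inner LAN packet is still attached to the ESP/ipencap packet when it is filtered on $ext_if.

```pf
# Added example (not from the thread). Names and numbers below are assumed.
ext_if = "fxp0"
int_if = "fxp1"
central_office_net = "10.1.0.0/16"

# priq on the uplink: the higher priority number is served first. 768Kb is the
# branch upload rate quoted in the question; set it to the real uplink rate.
altq on $ext_if priq bandwidth 768Kb queue { q_db, q_notes, q_web, q_def }
queue q_db    priority 6
queue q_notes priority 5
queue q_web   priority 4
queue q_def   priority 3 priq(default)

# 1. Classify LAN traffic bound for the tunnel as it enters on $int_if.
#    Without "quick" the last matching rule wins, so the generic tag is set
#    first and the service-specific rules override it.
pass in on $int_if to $central_office_net keep state tag VPN
pass in on $int_if proto tcp to $central_office_net port { 80, 443 } keep state tag VPN_HTTP
pass in on $int_if proto tcp to $central_office_net port 1352 keep state tag VPN_NOTES
pass in on $int_if proto tcp to $central_office_net port { 3306, 1433 } keep state tag VPN_DB

# 2. Queue the encapsulated packets leaving $ext_if by the tag carried over
#    from the inner packet. These rules are deliberately stateless: ESP has no
#    ports, so a single state for the tunnel would pin every packet to the
#    queue chosen for the first one. Specific tags first because of "quick".
pass out quick on $ext_if proto { ipencap, esp } tagged VPN_DB    queue q_db
pass out quick on $ext_if proto { ipencap, esp } tagged VPN_NOTES queue q_notes
pass out quick on $ext_if proto { ipencap, esp } tagged VPN_HTTP  queue q_web
pass out quick on $ext_if proto { ipencap, esp } tagged VPN       queue q_def
pass out quick on $ext_if proto { ipencap, esp } queue q_def
```

Confirm the classification with `pfctl -vsq` while generating database and web traffic through the tunnel: the q_db and q_web counters should move independently, and if only q_def grows the inner tag is not reaching the ESP packet on that kernel.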
