However, recommendations would be appreciated on the best approach to shape/control download traffic on an OpenBSD 5.8 NATing firewall/gateway machine with a single Internet uplink and:
(1) Multiple internal interfaces and subnets
(2) Being able to include the firewall's own download activities in the download bandwidth shaping
Outbound bandwidth control is straightforward because all outbound traffic exits through a single root queue. However, what I'm trying to accomplish is to have all inbound traffic also flow through a single "root queue" before it gets sent to internal networks (essentially a virtual inbound root queue).
I'd prefer to stick with if-bound states, allowing packet classification (and therefore queues and queue assignment) to be different on outbound vs. inbound directions.
One idea was to set up an additional internal loopback interface (lo1, and don't set skip on this if) and routing outbound traffic from the internal networks through this interface. This would allow addressing (1) but not really (2). However, on a physical interface, the semantics of queueing make sense. What are the semantics of queueing on a loopback interface? Is it possible? Would traffic in either direction (int subnet->lo1->ext_if and ext_if->lo1->int subnet) both be subject to the queueing on lo1? A trial I did along these lines showed the pass rules passing traffic, but "systat queues" showed no bandwidth registering on the lo1 queues.
Also, is there a reasonable method to accomplish (2)? Is there a way to get the fw/gw to initiate its own traffic out of something like a loopback (purely internal to the fw/gw) interface and use pf or routing to queue that traffic outbound on the ext_if?
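For reference, the layout the question contrasts against, written out as a pf.conf fragment for the 5.5+ queue syntax. This is an added, constructed example, not the poster's configuration; interface names, subnets and rates are assumptions. It shows why outbound shaping needs only one root queue on the uplink, and why inbound shaping ends up with one queue tree per internal interface: pf queues act when a packet is transmitted on the interface the queue is defined on, so downloads can only be shaped on the interface they leave through. It handles (1) by capping each internal root at a share of the downlink; it does not address (2), because traffic that terminates on the gateway itself never leaves an internal interface and is therefore never counted by those queues.

```conf
# pf.conf excerpt (constructed example, not the original poster's config)
# Interface names, addresses and rates below are assumptions.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"

set skip on lo0
set state-policy if-bound   # per-interface states, as preferred in the question

# Outbound: every internal subnet and the firewall's own uploads leave via
# $ext_if, so a single root queue there covers all of them. "max" sets the
# HFSC upper limit; without it the queue may burst to link speed.
queue out_root on $ext_if bandwidth 5M max 5M
queue  out_ack  parent out_root bandwidth 1M
queue  out_bulk parent out_root bandwidth 4M default

# Inbound: queues only take effect on the transmitting interface, so each
# internal interface needs its own tree. Capping the two roots so their sum
# does not exceed the 20M downlink approximates one inbound root queue,
# but the split is static; the two trees cannot borrow from each other.
queue lan_root on $lan_if bandwidth 12M max 12M
queue  lan_bulk parent lan_root bandwidth 12M default
queue dmz_root on $dmz_if bandwidth 8M max 8M
queue  dmz_bulk parent dmz_root bandwidth 8M default

# NAT for the internal subnets on the uplink.
match out on $ext_if from { $lan_net $dmz_net } nat-to ($ext_if)

# Queue assignment. Only packets leaving an interface that defines the named
# queue are affected; everything else falls back to that interface's default.
match out on $ext_if proto tcp set queue (out_bulk, out_ack)
match out on $lan_if to $lan_net set queue lan_bulk
match out on $dmz_if to $dmz_net set queue dmz_bulk

block all
pass in  on { $lan_if $dmz_if }
pass out on $ext_if
pass out on { $lan_if $dmz_if }
# Traffic addressed to the gateway itself (its own downloads, replies to
# its DNS/NTP queries) is accepted on $ext_if and never traverses $lan_if
# or $dmz_if, so it is not shaped by lan_root/dmz_root. That is the gap
# behind item (2) above; this fragment does not close it.
```

Load with `pfctl -nf /etc/pf.conf` first to check the syntax, then watch `systat queues` while pulling a large file from an internal host: bytes should accrue on `lan_bulk` or `dmz_bulk` for the download and on `out_bulk`/`out_ack` for the return traffic, while a download run on the gateway itself registers on neither internal tree.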