Distribute bandwidth by IP's


Hermes Ojeda Ruiz
Hi, maybe this is a basic question, but I've read the man pages and the
PF book and I don't know how to solve this problem.

- I have an E1 and the problem is how to distribute the bandwidth
equally among all the IPs. There are some constraints, like using DHCP and
not blocking ports. The company provides full internet access to the clients,
and the only limit on the client is the bandwidth, so that one client doesn't
consume all the bandwidth and all have good service.

I have some simple firewalls with prioritization, but I don't know how
I should do that. Maybe with CBQ, but that is a lot of rules.

I found this: http://marc.info/?l=openbsd-pf&m=111772724522153&w=2

Can I do that with PF?  Do I need another tool?

Sorry, my English is really bad.

Thanks in advance for your support.

Re: Distribute bandwidth by IP's

Hermes Ojeda Ruiz
On 07/09/10 13:21, roberth wrote:

> On Tue, 07 Sep 2010 13:15:03 -0500
> Hermes Ojeda Ruiz<[hidden email]>  wrote:
>
>    
>> Hi, Maybe this is a basic question, but I've read the man pages and
>> the PF book and I don't know how solve this problem.
>>
>> - I have an E1 and the problem is how to distribute the bandwidth
>> equally on all the ip's. There are some constraints like use DHCP,
>> and no block ports. The company provide full access internet to the
>> clients, and the only limit to the client is the bandwidth, that one
>> client don't consume all the bandwidth, and all have a good service.
>>
>> I have some simple firewalls with prioritization, but I don't know
>> how should do that. May be with CBQ but they are a lot of rules.
>>
>> I found this: http://marc.info/?l=openbsd-pf&m=111772724522153&w=2
>>
>> Can I do that with PF?  Need another tool?
>>
>> Sorry, my english is a really bad thing.
>>
>> Thanks in advance with your support.
>>
>>      
> Start here:
> http://www.openbsd.org/faq/pf/queueing.html
>    
Yes, I have read it.
Maybe with CBQ I can do that, but there are ~150 IPs

Thanks for your fast reply.

Re: Distribute bandwidth by IP's

roberth-5
On Tue, 07 Sep 2010 13:34:45 -0500
Hermes Ojeda Ruiz <[hidden email]> wrote:

> On 07/09/10 13:21, roberth wrote:
> > On Tue, 07 Sep 2010 13:15:03 -0500
> > Hermes Ojeda Ruiz<[hidden email]>  wrote:
> >
> >    
> >> Hi, Maybe this is a basic question, but I've read the man pages and
> >> the PF book and I don't know how solve this problem.
> >>
> >> - I have an E1 and the problem is how to distribute the bandwidth
> >> equally on all the ip's. There are some constraints like use DHCP,
> >> and no block ports. The company provide full access internet to the
> >> clients, and the only limit to the client is the bandwidth, that
> >> one client don't consume all the bandwidth, and all have a good
> >> service.
> >>
> >> I have some simple firewalls with prioritization, but I don't know
> >> how should do that. May be with CBQ but they are a lot of rules.
> >>
> >> I found this: http://marc.info/?l=openbsd-pf&m=111772724522153&w=2
> >>
> >> Can I do that with PF?  Need another tool?
> >>
> >> Sorry, my english is a really bad thing.
> >>
> >> Thanks in advance with your support.
> >>
> >>      
> > Start here:
> > http://www.openbsd.org/faq/pf/queueing.html
> >    
> Yes, I have read it.
> May be with CBQ I can do that, but there are ~150 ip's
>
> Thanks for your fast reply.
>

(...)

So just put ~150 (*2 for both directions) child queues in your config.
Seems tedious, but that's the way it works atm.
Only shortcut I am aware of is to use a script to generate those lines
instead of copy/paste/edit. ;)

Re: Distribute bandwidth by IP's

Hermes Ojeda Ruiz
In reply to this post by Hermes Ojeda Ruiz
Sorry if my explanation didn't have enough details.

- The internet connection is an E1
- There are ~150 users (IPs)
- The company gives full internet access to the clients, with no service
restriction.
- There is only a class C LAN.

E1 --- OpenBSD Firewall --- LAN with ~150 IPs

The problem is to distribute the bandwidth equally to the users.  My
first approach is a CBQ rule per user giving a minimum bandwidth quota
and using the "borrow" option, to use the remaining bandwidth when some
users don't waste the bandwidth. But the number of rules is so big.

I hope that my explanation can be useful.

On 07/09/10 13:43, Johan Beisser wrote:

> On Tue, Sep 7, 2010 at 11:15 AM, Hermes Ojeda Ruiz<[hidden email]>  wrote:
>    
>> Hi, Maybe this is a basic question, but I've read the man pages and the PF
>> book and I don't know how solve this problem.
>>
>> - I have an E1 and the problem is how to distribute the bandwidth equally on
>> all the ip's. There are some constraints like use DHCP, and no block ports.
>>      
> What exactly are you trying to accomplish. Please explain a little
> more, in detail.
>
>
>    
>> I have some simple firewalls with prioritization, but I don't know how
>> should do that. May be with CBQ but they are a lot of rules.
>>      
> If you're trying to set up a fair service, remember that PF simply
> processes the packets as they come in. So turn off queues, or define
> what you're trying to accomplish first.
>
> If you're trying to ensure some kinds of traffic can always leave
> "fairly" take a look at using HFSC queuing, then define the queues
> based on ports and use packet tagging to define what matches each
> queue.
>
> http://cvs.openbsd.org/faq/pf/tagging.html
>
>
> jb

Re: Distribute bandwidth by IP's

Hermes Ojeda Ruiz
In reply to this post by roberth-5
:) OK, that was my last option. I was looking for a more "elegant" solution,
maybe using tables or something like that. But if there is no choice,
I'll do that.

Thanks for your reply
On 07/09/10 13:56, roberth wrote:
> your config

Re: Distribute bandwidth by IP's

James Peltier
In reply to this post by Hermes Ojeda Ruiz
----- Original Message ----

> From: Hermes Ojeda Ruiz <[hidden email]>
> To: [hidden email]
> Sent: Tue, September 7, 2010 12:09:03 PM
> Subject: Re: Distribute bandwidth by IP's
>
> Sorry, if my explanation don't have enough details.
>
> - The internet  connection is an E1
> - There are ~150 users (IPs)
> - The company give full  internet access to the clients. With no service
> restriction.
> - There only  a C class LAN.
>
> E1 --- OpenBSD Firewall --- LAN with ~150 IPs
>
> The  problem is to distribute equally the bandwidth to the users.  My
> first  approach is a CBQ rule by user giving a minimum bandwidth quote
> and using  the "borrow" option, to use the remaining bandwidth when some
> users don't  waste the bandwidth. But the number of rules is so big.
>
> I hope that my  explanation can be useful.
>
> On 07/09/10 13:43, Johan Beisser  wrote:
> > On Tue, Sep 7, 2010 at 11:15 AM, Hermes Ojeda Ruiz<[hidden email]> wrote:
> >
> >> Hi, Maybe this is a basic question, but I've read the man pages and the PF
> >> book and I don't know how solve this problem.
> >>
> >> - I have an E1 and the problem is how to distribute the bandwidth equally on
> >> all the ip's. There are some constraints like use DHCP, and no block ports.
> >>
> > What exactly are you trying to accomplish. Please explain a  little
> > more, in detail.
> >
> >
> >    
> >> I have some simple firewalls with prioritization, but I don't know  how
> >> should do that. May be with CBQ but they are a lot of  rules.
> >>      
> > If you're trying to set up a  fair service, remember that PF simply
> > processes the packets as they come  in. So turn off queues, or define
> > what you're trying to accomplish  first.
> >
> > If you're trying to ensure some kinds of traffic can  always leave
> > "fairly" take a look at using HFSC queuing, then define the  queues
> > based on ports and use packet tagging to define what matches  each
> > queue.
> >
> > http://cvs.openbsd.org/faq/pf/tagging.html
> >
> >
> >  jb
>
>

Why are you trying to do this?  It seems overly complex to set up a queue for
each IP on the network just to allow them to borrow bandwidth from each other
which they would be doing anyway.

It would seem more manageable to either segment the network (DMZ, IT Staff,
Users) such that you can assign a segment to respective queues or in a different
method to queue based on traffic type (http/ftp/ssh, etc.).  Filtering rules would
also be incredibly more simplified.

 ---
James A. Peltier     [hidden email]

Re: Distribute bandwidth by IP's

Hermes Ojeda Ruiz
Yes, it's a little complex but it is a requirement to guarantee a little
bandwidth to the user (and of course use the remaining unused bandwidth).

Is there another way?

Thanks for the reply
On 07/09/10 15:14, James Peltier wrote:

> ----- Original Message ----
>
>    
>> From: Hermes Ojeda Ruiz<[hidden email]>
>> To: [hidden email]
>> Sent: Tue, September 7, 2010 12:09:03 PM
>> Subject: Re: Distribute bandwidth by IP's
>>
>> Sorry, if my explanation don't have enough details.
>>
>> - The internet  connection is an E1
>> - There are ~150 users (IPs)
>> - The company give full  internet access to the clients. With no service
>> restriction.
>> - There only  a C class LAN.
>>
>> E1 --- OpenBSD Firewall --- LAN with ~150 IPs
>>
>> The  problem is to distribute equally the bandwidth to the users.  My
>> first  approach is a CBQ rule by user giving a minimum bandwidth quote
>> and using  the "borrow" option, to use the remaining bandwidth when some
>> users don't  waste the bandwidth. But the number of rules is so big.
>>
>> I hope that my  explanation can be useful.
>>
>> On 07/09/10 13:43, Johan Beisser  wrote:
>>> On Tue, Sep 7, 2010 at 11:15 AM, Hermes Ojeda Ruiz<[hidden email]> wrote:
>>>
>>>> Hi, Maybe this is a basic question, but I've read the man pages and the PF
>>>> book and I don't know how solve this problem.
>>>>
>>>> - I have an E1 and the problem is how to distribute the bandwidth equally on
>>>> all the ip's. There are some constraints like use DHCP, and no block ports.
>>>>
>>> What exactly are you trying to accomplish. Please explain a  little
>>> more, in detail.
>>>
>>>
>>>
>>>        
>>>> I have some simple firewalls with prioritization, but I don't know  how
>>>> should do that. May be with CBQ but they are a lot of  rules.
>>>>
>>>>          
>>> If you're trying to set up a  fair service, remember that PF simply
>>> processes the packets as they come  in. So turn off queues, or define
>>> what you're trying to accomplish  first.
>>>
>>> If you're trying to ensure some kinds of traffic can  always leave
>>> "fairly" take a look at using HFSC queuing, then define the  queues
>>> based on ports and use packet tagging to define what matches  each
>>> queue.
>>>
>>> http://cvs.openbsd.org/faq/pf/tagging.html
>>>
>>>
>>>   jb
>>>        
>>
>>      
> Why are you trying to do this?  It seems overly complex to setup a queue for
> each IP on the network just to allow them to borrow bandwidth from each other
> which they would be doing anyway.
>
> It would seem more manageable to either segment the network (DMZ, IT Staff,
> Users) such that you can assign a segment to respective queues or in a different
> method to queue based on traffic type (http/ftp/ssh,etc).  Filtering rules would
> also be incredibly more simplified.
>
>   ---
> James A. Peltier     [hidden email]

Re: Distribute bandwidth by IP's

James Peltier
----- Original Message ----

> From: Hermes Ojeda Ruiz <[hidden email]>
> To: [hidden email]
> Sent: Tue, September 7, 2010 1:38:41 PM
> Subject: Re: Distribute bandwidth by IP's
>
> Yes, It's a little complex but is a requirement to guarantee a little
> bandwidth to the user.  (and of course use the remaining unused  bandwidth).
>
> There is another way?
>
> Thanks for the reply
> On  07/09/10 15:14, James Peltier wrote:
> > ----- Original Message  ----
> >
> >    
> >> From: Hermes Ojeda Ruiz<[hidden email]>
> >> To: [hidden email]
> >> Sent: Tue,  September 7, 2010 12:09:03 PM
> >> Subject: Re: Distribute bandwidth by  IP's
> >>
> >> Sorry, if my explanation don't have enough  details.
> >>
> >> - The internet  connection is an  E1
> >> - There are ~150 users (IPs)
> >> - The company give  full  internet access to the clients. With no service
> >>  restriction.
> >> - There only  a C class  LAN.
> >>
> >> E1 --- OpenBSD Firewall --- LAN with ~150  IPs
> >>
> >> The  problem is to distribute equally the  bandwidth to the users.  My
> >> first  approach is a CBQ rule  by user giving a minimum bandwidth quote
> >> and using  the  "borrow" option, to use the remaining bandwidth when some
> >> users  don't  waste the bandwidth. But the number of rules is so  big.
> >>
> >> I hope that my  explanation can be  useful.
> >>
> >> On 07/09/10 13:43, Johan Beisser   wrote:
> >>> On Tue, Sep 7, 2010 at 11:15 AM, Hermes Ojeda Ruiz<[hidden email]> wrote:
> >>>
> >>>> Hi, Maybe this is a basic question, but I've read the man pages and the PF
> >>>> book and I don't know how solve this problem.
> >>>>
> >>>> - I have an E1 and the problem is how to distribute the bandwidth equally on
> >>>> all the ip's. There are some constraints like use DHCP, and no block ports.
> >>>>
> >>> What exactly are you trying to accomplish. Please explain  a  little
> >>> more, in  detail.
> >>>
> >>>
> >>>
> >>>        
> >>>> I have some simple firewalls with  prioritization, but I don't know  how
> >>>> should do that.  May be with CBQ but they are a lot of   rules.
> >>>>
> >>>>          
> >>> If you're trying to set up a  fair service, remember that  PF simply
> >>> processes the packets as they come  in. So turn  off queues, or define
> >>> what you're trying to accomplish   first.
> >>>
> >>> If you're trying to ensure some kinds of  traffic can  always leave
> >>> "fairly" take a look at using  HFSC queuing, then define the  queues
> >>> based on ports and  use packet tagging to define what matches  each
> >>>  queue.
> >>>
> >>> http://cvs.openbsd.org/faq/pf/tagging.html
> >>>
> >>>
> >>>    jb
> >>>        
> >>
> >>      
> > Why are you trying to do this?  It seems overly complex to setup a queue for
> > each IP on the network just to allow them to borrow bandwidth from each other
> > which they would be doing anyway.
> >
> > It would seem more manageable to either segment the network (DMZ, IT Staff,
> > Users) such that you can assign a segment to respective queues or in a different
> > method to queue based on traffic type (http/ftp/ssh,etc).  Filtering rules would
> > also be incredibly more simplified.
> >
> >   ---
> > James A. Peltier     [hidden email]
>
>

Well since you're talking service level agreements it is understandable that you
might want to do such a thing and in such case you would have no choice but to
create the individual queues/rules manually or by script.

Still, likely you will run into other issues, such as the number of queues
available by default in the code that may need to be tweaked.  See a post
earlier this month to misc@ about how to do that.

Also, perhaps there will be a performance hit in the evaluation of all the
queues that might be more hindering than helpful?  Best to let the devs speak to
that though.

---
James A. Peltier     [hidden email]

Re: Distribute bandwidth by IP's

Jussi Peltola
On Tue, Sep 07, 2010 at 01:56:57PM -0700, James Peltier wrote:
> Also, perhaps there will be a performance hit in the evaluation of all the
> queues that might be more hindering than helpful?
 
With an E1?

Even if you lose a little bit of throughput (which I doubt, if you are
running hardware that you can do a regular install on), some kind of QoS
is a must on such an oversubscribed line. It will very likely be
completely unusable without it.

Jussi Peltola

Re: Distribute bandwidth by IP's

Stuart Henderson
In reply to this post by roberth-5
On 2010-09-07, roberth <[hidden email]> wrote:
>
> So just put ~150 (*2 for both directions) child queues in your config.

queues are per-interface anyway, so there's no need for the *2 in the
config (and the associated headaches in assigning traffic to the correct
queue)

altq on some_if cbq bandwidth 2048Kb queue { aa, ab, ac, ... es, et, eu }
altq on other_if cbq bandwidth 2048Kb queue { aa, ab, ac, ... es, et, eu }

queue aa bandwidth 12Kb priority 2 cbq(borrow red)
queue ab bandwidth 12Kb priority 2 cbq(borrow red)
...
queue et bandwidth 12Kb priority 2 cbq(borrow red)
queue eu bandwidth 12Kb priority 2 cbq(borrow red)

I think the users might be happier with hfsc rather than cbq though

Re: Distribute bandwidth by IP's

Hermes Ojeda Ruiz
OK. That's good. What's the advantage of using hfsc?
https://calomel.org/pf_hfsc.html

Can the altq rules with hfsc be assigned by IP, or only by kind of packet?

Thanks a lot for your reply. The comments help me so much to understand many
things.

On Thu, Sep 9, 2010 at 3:09 AM, Stuart Henderson <[hidden email]> wrote:

> On 2010-09-07, roberth <[hidden email]> wrote:
> >
> > So just put ~150 (*2 for both directions) child queues in your config.
>
> queues are per-interface anyway, so there's no need for the *2 in the
> config (and the associated headaches in assigning traffic to the correct
> queue)
>
> altq on some_if cbq bandwidth 2048Kb queue { aa, ab, ac, ... es, et, eu }
> altq on other_if cbq bandwidth 2048Kb queue { aa, ab, ac, ... es, et, eu }
>
> queue aa bandwidth 12Kb priority 2 cbq(borrow red)
> queue ab bandwidth 12Kb priority 2 cbq(borrow red)
> ...
> queue et bandwidth 12Kb priority 2 cbq(borrow red)
> queue eu bandwidth 12Kb priority 2 cbq(borrow red)
>
> I think the users might be happier with hfsc rather than cbq though
>
>


--
Hermes Ojeda Ruiz

Re: Distribute bandwidth by IP's

Stuart Henderson
On 2010-09-09, Hermes Ojeda Ruiz <[hidden email]> wrote:
> Ok. That's good. Using hfsc what's the advantage?
> https://calomel.org/pf_hfsc.html

You can allow an initial burst (good for standard web traffic etc) and
then slow things down. With this tool you can discourage file transfers
and streaming traffic which isn't sustainable over a very busy line,
while allowing standard http, ssh, imap, etc. to work more normally
(small transfers, or low-bandwidth transfers, get through ok; large/
high-bandwidth transfers are throttled). And the end result is much
nicer than allowing everyone to have a "fair" share i.e. 10-12Kbit/sec.

(Also I doubt that cbq can accurately control traffic down to this
sort of speed..)

On the down side, the documentation for hfsc is pretty bad, I was just
setting it up recently myself and had to assemble information from
about 4 different sources in order to learn enough to start experimenting..

> Can be assigned the altq rules with hfsc by ip? or only by kind of packets?

You can assign packets to queues by any criteria PF can match on..

match proto tcp to port ssh queue (fast, highest)
match proto tcp queue (standard, fast)
match proto udp to port domain queue (highest)
match proto udp from 10.0.0.1 queue (aa)
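
The per-host CBQ queues and the by-address match rule from the two posts above, generated by script as suggested earlier in the thread. This is an added example, not part of the original messages; the queue names (h<octet>, dflt), the interfaces em0/em1, the 192.168.1.0/24 range and the 128Kb reserve for a default queue are assumptions, and the altq lines use pf.conf's brace-delimited queue list.

```sh
#!/bin/sh
# Added example, not from the thread: emit an ALTQ/CBQ pf.conf fragment with
# one borrowing child queue per LAN host, in the style of the rules above.
# Assumptions: /24 LAN, queue names h<octet>, a catch-all queue named dflt.

# usage: gen_pf_queues NET24 FIRST LAST EXT_IF INT_IF LINK_KB DEFAULT_KB
gen_pf_queues() {
    net=$1; first=$2; last=$3; ext_if=$4; int_if=$5; link_kb=$6; dflt_kb=$7

    if [ "$first" -lt 1 ] || [ "$last" -gt 254 ] || [ "$first" -gt "$last" ]; then
        echo "gen_pf_queues: host range must lie within 1..254" >&2
        return 1
    fi
    hosts=$((last - first + 1))
    # Child guarantees must not add up to more than the parent, so split
    # what remains after the default queue and round down.
    per_host=$(( (link_kb - dflt_kb) / hosts ))
    if [ "$per_host" -lt 1 ]; then
        echo "gen_pf_queues: under 1Kb per host; fewer hosts or smaller reserve" >&2
        return 1
    fi

    # Build the child list once; both altq lines use the same queue names.
    names="dflt"
    i=$first
    while [ "$i" -le "$last" ]; do
        names="$names, h$i"
        i=$((i + 1))
    done
    for ifn in "$ext_if" "$int_if"; do
        echo "altq on $ifn cbq bandwidth ${link_kb}Kb queue { $names }"
    done
    echo "queue dflt bandwidth ${dflt_kb}Kb priority 1 cbq(default borrow)"

    # Per-host guarantee plus "borrow", so idle shares are usable by others.
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "queue h$i bandwidth ${per_host}Kb priority 2 cbq(borrow red)"
        i=$((i + 1))
    done

    # Classification by address, following the thread's
    # "match ... from 10.0.0.1 queue (aa)" form; NAT interaction not covered.
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "match from $net.$i queue (h$i)"
        echo "match to $net.$i queue (h$i)"
        i=$((i + 1))
    done
}

# Constructed sample run: three hosts on made-up interfaces em0/em1.
gen_pf_queues 192.168.1 10 12 em0 em1 2048 128
```

With hosts 1 to 150 on a 2048Kb link and the 128Kb reserve, each host gets the same 12Kb guarantee used in the hand-written queues above. As noted earlier in the thread, the default limit on the number of queues may need raising before this many will load.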

Re: Distribute bandwidth by IP's

Kevin Chadwick-2
On Thu, 9 Sep 2010 23:12:48 +0000 (UTC)
Stuart Henderson <[hidden email]> wrote:

> about 4 different sources in order to learn enough to start experimenting..

pf.conf
calomel.org
building firewalls with openbsd

Do you have the other sources you used, to hand at all?

I have a pretty good idea but it never stays black and white for long
and so far haven't been sure that I'm not missing some of the finer
details.