per-vlan traffic control


per-vlan traffic control

Paulo Coimbra
hi,
This is my first mail to the list. Is it possible to limit traffic by VLAN with
OpenBSD? For example, I would like to limit 50mb for VLAN 100.

Br,

Paulo Coimbra


--
br,

Paulo Coimbra


Re: per-vlan traffic control

James Shupe-4
On 8/19/2015 3:39 PM, Paulo Coimbra wrote:
> hi,
> This is my first mail to the list. Is it possible to limit traffic by VLAN with
> OpenBSD? For example, I would like to limit 50mb for VLAN 100.
>
> Br,
>
> Paulo Coimbra
>
>

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf.conf&arch=i386

Read the QUEUEING section.


Re: per-vlan traffic control

Paulo Coimbra
Hi all,

I'm now doing some tests with openbsd+pf+queueing. My scenario is:

[MIKROTIK 1] ----------------- [OPENBSD BOX]--------------[MIKROTIK 2]

I've configured vlan 100 with physical interface em0 at openbsdBox and
mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
bandwidth at 10M each direction. But... it doesn't work.

My pf.conf is as follows:

#
# [0x01] Macros
#

#
# [0x02] Tables
#

#
# [0x03] Options
#
set skip on lo

#
# [0x04] Traffic Normalization
#

#
# [0x05] Queueing
#
queue v100 on em0 bandwidth 1000M
queue vlan100_in parent  v100 bandwidth 10M default
queue vlan100_out parent v100 bandwidth 10M

#
# [0x06] Translation
#

#
# [0x07] Packet Filtering
#
pass in quick on vlan100 set queue vlan100_in
pass out quick on vlan100 set queue vlan100_out

Any ideas? What am I doing wrong?

thanx,

Paulo Coimbra


2015-08-19 22:59 GMT-03:00 James Shupe <[hidden email]>:

> On 8/19/2015 3:39 PM, Paulo Coimbra wrote:
> > hi,
> > This is my first mail to the list. Is it possible to limit traffic by VLAN with
> > OpenBSD? For example, I would like to limit 50mb for VLAN 100.
> >
> > Br,
> >
> > Paulo Coimbra
> >
> >
>
>
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf.conf&arch=i386
>
> Read the QUEUEING section.
>
>


--
br,

Paulo Coimbra


Re: per-vlan traffic control

Josh Grosse
On 2015-08-20 08:47, Paulo Coimbra wrote:
> Hi all,
>
> I'm now doing some tests with openbsd+pf+queueing. My scenario is:
>
> [MIKROTIK 1] ----------------- [OPENBSD BOX]--------------[MIKROTIK 2]
>
> I've configured vlan 100 with physical interface em0 at openbsdBox and
> mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
> bandwidth at 10M each direction. But... it doesn't work.

[snip]

> queue v100 on em0 bandwidth 1000M
> queue vlan100_in parent  v100 bandwidth 10M default
> queue vlan100_out parent v100 bandwidth 10M

[snip]

> pass in quick on vlan100 set queue vlan100_in
> pass out quick on vlan100 set queue vlan100_out
>
> Any ideas? What am I doing wrong?

Queuing only works on packets that are *outbound*.  Once inbound packets
have arrived, they are already present.

So, if you want to limit the rate of traffic from the Internet to your local
LAN, do so when those packets are forwarded by the router.  Those are outbound
packets, and they can be queued.


Re: per-vlan traffic control

Rafael Zalamena-2
In reply to this post by Paulo Coimbra
On Thu, Aug 20, 2015 at 09:47:09AM -0300, Paulo Coimbra wrote:
> Hi all,

Hello Paulo,

>
> I'm now doing some tests with openbsd+pf+queueing. My scenario is:
>
> [MIKROTIK 1] ----------------- [OPENBSD BOX]--------------[MIKROTIK 2]
>
> I've configured vlan 100 with physical interface em0 at openbsdBox and
> mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
> bandwidth at 10M each direction. But... it doesn't work.
>
> My pf.conf is as follows:
>
--- SNIPPED ---
>
> queue v100 on em0 bandwidth 1000M
> queue vlan100_in parent  v100 bandwidth 10M default
> queue vlan100_out parent v100 bandwidth 10M
>
--- SNIPPED ---
>
> Any ideas? What am I doing wrong?

You didn't configure the 'max' parameter in your queue, so it's probably
sharing the bandwidth.

Try this:
...
queue vlan100_in parent  v100 bandwidth 10M, max 10M default
queue vlan100_out parent v100 bandwidth 10M, max 10M
...

>
> thanx,
>
> Paulo Coimbra


Re: per-vlan traffic control

Paulo Coimbra
In reply to this post by Josh Grosse
Well, considering that only outbound packets can be queued, I've changed
some rules in pf.conf. Packets that are "outgoing" at $if_Internet are
upload. Packets that are "outgoing" at vlan100 are download, all right? My
changed pf.conf is below (but even with these changes, it doesn't work for me;
I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).

#
# [0x01] Macros
#
$if_Internet="em1"

#
# [0x05] Queueing
#
queue Internet on $if_Internet bandwidth 10M
queue vlan100_upload parent Internet bandwidth 5M max 5M default

queue v100 on vlan100 bandwidth 10M
queue vlan100_download parent v100 bandwidth 5M max 5M default

#
# [0x07] Packet Filtering
#

pass out quick on vlan100 set queue vlan100_download no state
pass out quick on $if_Internet set queue vlan100_upload no state


br,

Paulo Coimbra

2015-08-20 10:11 GMT-03:00 Josh Grosse <[hidden email]>:

> On 2015-08-20 08:47, Paulo Coimbra wrote:
>
>> Hi all,
>>
>> I'm now doing some tests with openbsd+pf+queueing. My scenario is:
>>
>> [MIKROTIK 1] ----------------- [OPENBSD BOX]--------------[MIKROTIK 2]
>>
>> I've configured vlan 100 with physical interface em0 at openbsdBox and
>> mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
>> bandwidth at 10M each direction. But... it doesn't work.
>>
>
> [snip]
>
>> queue v100 on em0 bandwidth 1000M
>> queue vlan100_in parent  v100 bandwidth 10M default
>> queue vlan100_out parent v100 bandwidth 10M
>>
>
> [snip]
>
>> pass in quick on vlan100 set queue vlan100_in
>> pass out quick on vlan100 set queue vlan100_out
>>
>> Any ideas? What am I doing wrong?
>>
>
> Queuing only works on packets that are *outbound*.  Once inbound packets
> have arrived, they are already present.
>
> So, if you want to limit the rate of traffic from the Internet to your local
> LAN, do so when those packets are forwarded by the router.  Those are outbound
> packets, and they can be queued.
>
>


--
br,

Paulo Coimbra


Re: per-vlan traffic control

Atanas Vladimirov
On 20.08.2015 16:35, Paulo Coimbra wrote:

> Well, considering that only outbound packets can be queued, I've changed
> some rules in pf.conf. Packets that are "outgoing" at $if_Internet are
> upload. Packets that are "outgoing" at vlan100 are download, all right? My
> changed pf.conf is below (but even with these changes, it doesn't work for me;
> I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).
>
> #
> # [0x01] Macros
> #
> $if_Internet="em1"
>
> #
> # [0x05] Queueing
> #
> queue Internet on $if_Internet bandwidth 10M
> queue vlan100_upload parent Internet bandwidth 5M max 5M default
>
> queue v100 on vlan100 bandwidth 10M
> queue vlan100_download parent v100 bandwidth 5M max 5M default
>
> #
> # [0x07] Packet Filtering
> #
>
> pass out quick on vlan100 set queue vlan100_download no state
> pass out quick on $if_Internet set queue vlan100_upload no state
>
>
> br,
>
> Paulo Coimbra
>

http://marc.info/?l=openbsd-misc&m=141085207225887&w=2


Re: per-vlan traffic control

Paulo Coimbra
Hi Atanas,

Thanks for your response. I followed some configurations in the link you
sent, but nothing had any effect. Packets are not going to the queues.

br,

Paulo Coimbra

2015-08-20 10:55 GMT-03:00 Atanas Vladimirov <[hidden email]>:

> On 20.08.2015 16:35, Paulo Coimbra wrote:
>
>> Well, considering that only outbound packets can be queued, I've changed
>> some rules in pf.conf. Packets that are "outgoing" at $if_Internet are
>> upload. Packets that are "outgoing" at vlan100 are download, all right? My
>> changed pf.conf is below (but even with these changes, it doesn't work for me;
>> I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).
>>
>> #
>> # [0x01] Macros
>> #
>> $if_Internet="em1"
>>
>> #
>> # [0x05] Queueing
>> #
>> queue Internet on $if_Internet bandwidth 10M
>> queue vlan100_upload parent Internet bandwidth 5M max 5M default
>>
>> queue v100 on vlan100 bandwidth 10M
>> queue vlan100_download parent v100 bandwidth 5M max 5M default
>>
>> #
>> # [0x07] Packet Filtering
>> #
>>
>> pass out quick on vlan100 set queue vlan100_download no state
>> pass out quick on $if_Internet set queue vlan100_upload no state
>>
>>
>> br,
>>
>> Paulo Coimbra
>>
>>
> http://marc.info/?l=openbsd-misc&m=141085207225887&w=2
>
>


--
br,

Paulo Coimbra


Re: per-vlan traffic control

Atanas Vladimirov
On 20.08.2015 17:31, Paulo Coimbra wrote:

> Hi Atanas,
>
> Thanks for your response. I followed some configurations in the link you
> sent, but nothing had any effect. Packets are not going to the queues.
>
> br,
>
> Paulo Coimbra
>
> 2015-08-20 10:55 GMT-03:00 Atanas Vladimirov <[hidden email]>:
>
>> On 20.08.2015 16:35, Paulo Coimbra wrote:
>>
>>> Well, considering that only outbound packets can be queued, I've changed
>>> some rules in pf.conf. Packets that are "outgoing" at $if_Internet are
>>> upload. Packets that are "outgoing" at vlan100 are download, all right? My
>>> changed pf.conf is below (but even with these changes, it doesn't work for me;
>>> I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).
>>>
>>> #
>>> # [0x01] Macros
>>> #
>>> $if_Internet="em1"
>>>
>>> #
>>> # [0x05] Queueing
>>> #
>>> queue Internet on $if_Internet bandwidth 10M
>>> queue vlan100_upload parent Internet bandwidth 5M max 5M default
>>>
>>> queue v100 on vlan100 bandwidth 10M
>>> queue vlan100_download parent v100 bandwidth 5M max 5M default
>>>

Did you try to set the min bw as well:

  #
  # [0x05] Queueing
  #
  queue Internet on $if_Internet bandwidth 10M, min 9M max 10M
  queue vlan100_upload parent Internet bandwidth 5M, min 4M max 5M default

  queue v100 on vlan100 bandwidth 10M, min 9M max 10M
  queue vlan100_download parent v100 bandwidth 5M, min 4M max 5M default


Re: per-vlan traffic control

Stuart Henderson
In reply to this post by Paulo Coimbra
On 2015-08-20, Paulo Coimbra <[hidden email]> wrote:
> Well, considering that only outbound packets can be queued, I've changed
> some rules in pf.conf. Packets that are "outgoing" at $if_Internet are
> upload. Packets that are "outgoing" at vlan100 are download, all right? My
> changed pf.conf is below (but even with these changes, it doesn't work for me;
> I'm getting 300Mb+ each direction). Am I dumb? (LMFAO).

Some tips:

- Use the state table to your advantage. Get rid of the "no state", when you
understand the other tips you'll see why you don't need it.

- With "pass ... queue XX" (or match/whatever), when a packet matches that
rule, it creates PF state which is "tagged" with the queue name. When traffic
is transmitted out of *any* interface, if a queue of the "tagged"
name exists on that interface, it will be used to throttle transmission.

  match from vlan100:network queue vlan100_traffic
  match to vlan100:network queue vlan100_traffic

(or similar with "pass", I just find it easier to split these things up)

- The "queue XX on YY" line relates to *where* on the path through the network
stack the queue takes place. This should normally be on the physical interface
(if you have "vlandev em2" then queue on em2) not the vlan itself.

- You can have the same queue name on more than one interface, e.g.

  queue Internet on em0 bandwidth 10M
  queue vlan100_traffic on em0 parent Internet bandwidth 5M max 5M default
  queue vlan101_traffic on em0 parent Internet bandwidth 1M max 1M default

  queue em1_root VLANs on em1 bandwidth 1G
  queue vlan100_traffic on em1 parent em1_root bandwidth 5M max 5M default
  queue vlan101_traffic on em1 parent em1_root bandwidth 1M max 1M default

etc.

Troubleshooting:

- Use "systat q" and check traffic is being assigned to the queues you
expect.

- If packets aren't in the expected queues, identify which rules are
creating PF state. (pfctl -ss -v, check the rule number, pfctl -sr -R ##).
If states are being created by unexpected rules, use "match log(matches)"
and something like "tcpdump -neipflog0 -v" to help debug your ruleset.
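
Added example (not part of the original thread, and not any poster's own configuration): a pf.conf sketch that puts the tips above together for the 50M-per-VLAN limit asked about in the first message. It assumes em0 is the uplink and em1 is the physical parent (vlandev) of vlan100; the macro and queue names other than vlan100_traffic are hypothetical.

```conf
# Constructed example. Interface names are assumptions:
#   em0 = uplink, em1 = physical interface carrying vlan100 (vlandev em1).
# Macros are defined without a leading "$"; the "$" is only used on reference.
ext_if   = "em0"
trunk_if = "em1"

# Upload: packets coming from vlan100 are transmitted on the uplink,
# so they are shaped there.
queue ext_root        on $ext_if bandwidth 1G
queue vlan100_traffic on $ext_if parent ext_root bandwidth 50M max 50M
queue ext_other       on $ext_if parent ext_root bandwidth 900M default

# Download: packets going to vlan100 are transmitted on em1. The queue sits
# on the physical interface, not on vlan100 itself.
queue trunk_root      on $trunk_if bandwidth 1G
queue vlan100_traffic on $trunk_if parent trunk_root bandwidth 50M max 50M
queue trunk_other     on $trunk_if parent trunk_root bandwidth 900M default

# Tag the traffic with the queue name. Because the same queue name exists
# on both interfaces, the tagged traffic is throttled whichever way it leaves.
match from vlan100:network set queue vlan100_traffic
match to   vlan100:network set queue vlan100_traffic

# Stateful pass (no "no state"), so the queue assignment is kept in PF state
# and applies to both directions of each connection.
pass
```

After loading, "systat q" should show the byte counters of vlan100_traffic rising on both em0 and em1 while a transfer to or from VLAN 100 is running; traffic landing in ext_other or trunk_other instead means a different rule created the state.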