FreeBSD Router with Traffic Shaping with PF and ALTQ HFSC
Here is a tutorial about building a FreeBSD router with traffic shaping using OpenBSD's PF and the ALTQ HFSC discipline.

Step 1. Compile the kernel with support for PF and ALTQ
-------------------------------------------------------

cd /usr/src/sys/i386/conf/
cp GENERIC ROUTER

Edit the ROUTER file and add the following lines at the end of the file:

# ------------------ add the following lines to ROUTER file ------------------
# pf support
device mem
device pf
device pflog
device pfsync

# altq support
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ

# other optimizations
options HZ=1000
options DEVICE_POLLING
# ---------------------------------- eof ----------------------------------

Next, compile the kernel with the configuration from the ROUTER file:

cd /usr/src
make -j4 buildkernel KERNCONF=ROUTER
make installkernel KERNCONF=ROUTER

Reboot the machine and the kernel has support for PF and ALTQ.

Step 2. Create the pf.conf file for your firewall and traffic shaper
--------------------------------------------------------------------

Rename your default /etc/pf.conf file and create a new config file. In our example we assume your network cards are fxp0 for WAN and fxp1 for LAN. Your LAN subnet is 192.168.0.0/24, and the router's LAN IP is set to 192.168.0.1. Because our LAN is on a private subnet (we only have one public IP), we will use NAT from PF. The shaping rules are for two PCs on the LAN. Both are assigned a maximum of 5Mb bandwidth, with a guaranteed bandwidth of 1Mb.

The pf.conf file is presented next:

# --------------------- pf.conf ---------------------
ext_if="fxp0"
int_if="fxp1"
pc1="192.168.0.2"
pc2="192.168.0.3"

altq on $ext_if hfsc bandwidth 10Mb queue {def_up, pc1_up, pc2_up}
altq on $int_if hfsc bandwidth 10Mb queue {def_down, pc1_down, pc2_down}

# Every queue listed on an altq line needs its own definition.
# linkshare is 45% per PC so the three shares on each interface total 100%.
queue pc1_up bandwidth 5Mb hfsc(realtime 1Mb linkshare 45% upperlimit 5Mb)
queue pc2_up bandwidth 5Mb hfsc(realtime 1Mb linkshare 45% upperlimit 5Mb)
queue pc1_down bandwidth 5Mb hfsc(realtime 1Mb linkshare 45% upperlimit 5Mb)
queue pc2_down bandwidth 5Mb hfsc(realtime 1Mb linkshare 45% upperlimit 5Mb)
queue def_up bandwidth 128Kb hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)
queue def_down bandwidth 128Kb hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)

nat on $ext_if from $int_if:network to any -> ($ext_if)

# NAT rewrites the source address before the filter rules run on $ext_if,
# so upload traffic is tagged on $int_if and matched by tag on the way out.

# ------ Pass rules, Shaping for PC1
pass in quick on $ext_if from any to $pc1
pass out quick on $int_if from any to $pc1 queue pc1_down
pass in quick on $int_if from $pc1 to any tag PC1
pass out quick on $ext_if tagged PC1 queue pc1_up

# ------ Pass rules, Shaping for PC2
pass in quick on $ext_if from any to $pc2
pass out quick on $int_if from any to $pc2 queue pc2_down
pass in quick on $int_if from $pc2 to any tag PC2
pass out quick on $ext_if tagged PC2 queue pc2_up

# Default deny: anything not passed by a quick rule above is dropped.
block all
# ----------------------- end pf.conf file ---------------------------

Step 3. Edit your /etc/rc.conf file and enable pf at startup to load the config from /etc/pf.conf
-------------------------------------------------------------------------------------------------

Your rc.conf file should look like this:

# -------------- rc.conf -----------------
hostname="router.example.com"
gateway_enable="yes"
defaultrouter="80.80.0.1"
ifconfig_fxp0="inet 80.80.0.2 netmask 255.255.255.224"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"
sshd_enable="yes"
pf_enable="YES"
pf_rules="/etc/pf.conf"
# ---------------- end rc.conf ---------

Tips to debug PF rules:
--------------------------------

pfctl -vvsr            (see loaded PF rules)
pfctl -vvsq            (see PF queues in real time)
pfctl -f /etc/pf.conf  (load pf.conf file)
pfctl -F state         (flush states)
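
A consistency check for the queue names in a pf.conf laid out like the one in Step 2, written as an added example that is not part of the original tutorial. It assumes a flat hierarchy with one altq line per interface; check_queues and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the tutorial's layout; pc2_up is deliberately
# listed and used without a matching "queue pc2_up ..." definition.
SAMPLE = """\
altq on $ext_if hfsc bandwidth 10Mb queue {def_up, pc1_up, pc2_up}
queue pc1_up bandwidth 5Mb hfsc(realtime 1Mb linkshare 50% upperlimit 5Mb)
queue def_up bandwidth 128Kb hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)
pass out quick on $ext_if from $pc1 to any queue pc1_up
pass out quick on $ext_if from $pc2 to any queue pc2_up
block all
"""

def check_queues(text):
    """Return a list of ALTQ queue problems found in pf.conf text."""
    children = {}   # interface -> queue names listed on its altq line
    defined = {}    # queue name -> remainder of its definition line
    used = []       # queue names assigned by filter rules, in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        altq = re.match(r"altq on (\S+) .*\{([^}]*)\}", line)
        if altq:
            children[altq.group(1)] = re.findall(r"[\w-]+", altq.group(2))
        elif line.startswith("queue "):
            name, _, rest = line[len("queue "):].strip().partition(" ")
            defined[name] = rest
        elif line.startswith(("pass ", "block ")):
            rule = re.search(r"\bqueue\s+([\w-]+)\s*$", line)
            if rule and rule.group(1) not in used:
                used.append(rule.group(1))
    problems = []
    for ifname, names in children.items():
        for q in names:
            if q not in defined:
                problems.append(f"{ifname}: queue {q} is listed but never defined")
        # HFSC needs exactly one queue marked "default" per interface.
        n = sum(1 for q in names if re.search(r"\bdefault\b", defined.get(q, "")))
        if n != 1:
            problems.append(f"{ifname}: expected exactly one default queue, found {n}")
    for q in used:
        if q not in defined:
            problems.append(f"rule assigns undefined queue {q}")
    return problems

if __name__ == "__main__":
    for problem in check_queues(SAMPLE):
        print(problem)
```

Running pfctl -nf /etc/pf.conf afterwards parses the real file without loading it, which catches syntax errors this check does not look for.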

