# ALTQ with transparent proxy on firewall



## Magnesik (Aug 27, 2010)

I have small network with few machines. It looks like this: 


```
Wan ---- rl0 [FREEBSD] rl1---- LAN
```

The problem is how to make dynamic shape of download and upload for these machines when on server is running trasnparent proxy (squid) Outgoing connections through rl0 (upload) look like from local machine  (server) and queues for clients are useless. Is there any possible solution?


----------



## triumdh (Aug 28, 2010)

Can you post your pf.conf?


----------



## Magnesik (Aug 28, 2010)

```
ext_if="rl0"
int_if="rl1"


set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }


set skip on lo

altq on $ext_if   bandwidth 900Kb hfsc queue { std_out, www_out, dns_out, tcp_ack_out }

queue std_out     bandwidth  5% priority 3 qlimit 500 hfsc (default)
queue www_out     bandwidth 30% priority 4 qlimit 500 hfsc (realtime   30%)
queue dns_out     bandwidth 30% priority 5 qlimit 500 hfsc (realtime   20%)
queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime   30%)



nat on $ext_if from !($ext_if) to any -> ($ext_if)

rdr pass on $int_if inet proto {tcp, udp} from any to any port www -> 127.0.0.1 port 3128


block out on $ext_if
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SAFR keep state queue (std_out, tcp_ack_out)
pass out on $ext_if inet proto {udp icmp} from ($ext_if) to any keep state
pass out on $ext_if inet proto {tcp udp} from ($ext_if) to any port domain keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port {80, 443} keep state queue (www_out, tcp_ack_out)
```

port 3128 is squid


----------



## triumdh (Aug 28, 2010)

I notice you have


```
pass out on $ext_if inet proto tcp from ($ext_if)
```

I usually allow the internal network out i.e


```
pass out on $ext_if inet proto tcp from $localnet
```

where $localnet is a macro representing the internal network in CIDR notation


----------



## Magnesik (Aug 28, 2010)

As you can see my pf.conf shapes upload traffic only in general. It doesnt relate with each machine. The problem is how to - for example - write queue for relevant machine upload when the source of packet  (which is going through the external interface) is from local machine (in this case from server)? Unfortunately squid hides computers behind him.


----------



## triumdh (Aug 29, 2010)

I may not be understanding properly.
Squid is on the internal interface of your server acting as a network gateway.
You want to shape traffic from a server behind the gateway server?
Even with squid in place you should be able to queue traffic to a destination port like port 80. Something like


```
pass out on $ext_if inet proto tcp from $localnet to any port {80, 443} keep state queue (www_out, tcp_ack_out)
```


----------



## Magnesik (Aug 29, 2010)

*triumdh* you have right but I want to divide upload equally and dynamically for existing users. For example we have 3 machines: 192.168.1.101-3. The maximum upload is 1Mbit. 

300 kbit for 192.168.1.101
300 kbit for 192.168.1.102
300 kbit for 192.168.1.103
100 kbit for the rest

My present pf.conf has problem with shaping upload traffic because when some client use the whole of upload the rest of clients have problem with lags.

As I think the right queue to shapre traffic without squid should look like this:


```
pass out on $ext_if inet proto tcp from 192.168.1.101 to any port {80, 443} keep state queue (www_out_1, tcp_ack_out_1)
```

It will not work because packets to port 80 are generated by squid and they look like they are sended by server not as client. (Am I right?)


----------



## triumdh (Aug 29, 2010)

Squid is not an issue with the firewall or shaping.

Type


```
tcpdump rl0 port 80
```


and you should see your Internet traffic

Create queues (or sub-queues under the www_out queue) for individual IP addresses and it should work.


----------



## triumdh (Aug 29, 2010)

That should be


```
tcpdump -i r10 port 80
```


----------



## Magnesik (Aug 29, 2010)

Does it have a sens?


```
altq on $ext_if   bandwidth 900Kb hfsc queue {user1, user2, rest}

queue rest      bandwidth  10% priority 3 qlimit 500 hfsc (default)

queue user1     bandwidth 45% priority 6 qlimit 500 hfsc (realtime   30%) {std_out, www_out, dns_out, tcp_ack_out}
	
	queue std_out     bandwidth  5% priority 3 qlimit 500 hfsc 
	queue www_out     bandwidth 30% priority 4 qlimit 500 hfsc (realtime   30%)
	queue dns_out     bandwidth 30% priority 5 qlimit 500 hfsc (realtime   20%)
	queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime   30%)

queue user2     bandwidth 45% priority 6 qlimit 500 hfsc (realtime   30%) {std_out, www_out, dns_out, tcp_ack_out}
	
	queue std_out     bandwidth  5% priority 3 qlimit 500 hfsc 
	queue www_out     bandwidth 30% priority 4 qlimit 500 hfsc (realtime   30%)
	queue dns_out     bandwidth 30% priority 5 qlimit 500 hfsc (realtime   20%)
	queue tcp_ack_out bandwidth 35% priority 6 qlimit 500 hfsc (realtime   30%)
```

If yes - how to write rules for childs?


----------



## triumdh (Aug 30, 2010)

```
pfctl -vvsq
```

Will give you information on what your queues are doing


----------



## triumdh (Aug 31, 2010)

I missed this earlier. You will need to tag redirected squid traffic.


```
rdr pass on $int_if inet proto {tcp, udp} from any to any port www tag www_int_if -> 127.0.0.1 port 3128
```

and use the tagged traffic in your rules


----------



## Magnesik (Sep 4, 2010)

Can somebody give me a clue how to write queues to shape traffic dynamically among i.e. 2 computers and at once (in their main queues) provide them priority of acks, dns and www?


----------



## triumdh (Sep 5, 2010)

This might help using hfsc. It is only an example but it works.


```
altq on wan0 bandwidth 1Mb hfsc queue { q_pri, q_def, q_any }
 queue q_pri bandwidth 49%           priority 7 hfsc
 queue q_def bandwidth 49%           priority 5 hfsc (linkshare 49%) {q_1,q_2,ssh_login,q_3,q_4}
   queue ssh_login bandwidth 96%       priority 5 hfsc
   queue q_1    bandwidth 1%           priority 4 hfsc
   queue q_2    bandwidth 1%           priority 4 hfsc
   queue q_3    bandwidth 1%           priority 4 hfsc
   queue q_4    bandwidth 1%           priority 3 hfsc (default)
 queue q_any bandwidth  1% qlimit 25   priority 3 hfsc (upperlimit 272Kb)
```

Then


```
pass out on wan0 inet proto { tcp, udp } from $localnet to any port $SSH keep state queue (ssh_login, q_pri)
```

The information is in the man pages.


----------



## Magnesik (Sep 14, 2010)

triumdh said:
			
		

> I missed this earlier. You will need to tag redirected squid traffic.
> 
> 
> ```
> ...



Will packets still have the tags after they pass the squid? How can I check it?


----------

