Rate Limiting

OpenBSD provides a robust mechanism for rate limiting and Quality of Service (QoS) when the host acts as a gateway. When a wireless network and a DMZ share the same gateway for Internet access, you generally want the DMZ to have the higher priority. This prevents wireless users from saturating the link and denying outside users access to your DMZ resources.

The OpenBSD queuing interface, ALTQ, supports many different types of traffic shaping. Class Based Queuing (CBQ) and Random Early Detection (RED) are enabled by default in a standard OpenBSD installation. To confirm they are enabled, check the platform-independent kernel configuration file for the following line:

option ALTQ

ALTQ is controlled by a userland daemon called altqd. altqd reads its configuration from /etc/altq.conf by default. To ensure altqd starts at boot time, verify the following line is contained in your /etc/rc.conf:

altqd_flags=""

More advanced QoS mechanisms such as Hierarchical Fair Service Curve (HFSC), Weighted Fair Queuing (WFQ) and Priority Queuing (PRIQ) can be turned on using various configuration options. For a full list of the queuing options, see the options(4) manual page.

With CBQ, you create classes of traffic and filters that place packets into them by protocol, source or destination address, and port. A class can be very generic and cover a whole subnet, or very specific and match only one TCP port on one server. Each class is then assigned a percentage (or an absolute amount) of the total available bandwidth.

One of the largest consumers of bandwidth on a corporate network is web surfing, so we will use limiting web traffic as our example. First, the queuing discipline and the maximum available throughput must be configured on the external interface. Assume this system reaches the Internet over a T1:

# Example altq.conf
interface dc0 bandwidth 1540K cbq

Now the root class must be configured. Every other class is a child of some class and ultimately a descendant of the root class; this tree of classes allows fine-grained control over traffic to various ports on various networks:

class cbq dc0 root_class NULL priority 0 pbandwidth 100

The parent of root_class is NULL because it has no parent. Its priority is 0, the lowest. pbandwidth is the percentage of the interface bandwidth the class may use; here root_class is allowed all of it.

Now a default child class must be created to serve as a catchall for other, non-classified traffic:

class cbq dc0 def_class root_class borrow pbandwidth 100 default

def_class is a child of root_class. The borrow keyword lets this class borrow spare bandwidth from its parent; without it, pbandwidth is a hard maximum rather than a guaranteed share. The default keyword marks this as the catchall class for packets that no filter matches.

Finally, a web-surfing class must be created:

class cbq dc0 ws_class def_class pbandwidth 20 red

ws_class is a child of def_class and, because it lacks borrow, is capped at 20% of the interface bandwidth. When its queue builds up against that cap, RED randomly drops packets before the queue is full, so TCP senders back off early instead of all stalling at once when the queue overflows.

For ws_class, filter definitions must be created to tell the kernel which packets belong to the class. A filter names the interface and the class, followed by the match fields:

filter interface class dst_address [netmask netmask] dst_port src_address [netmask netmask]
   src_port protocol

The protocol is the IP protocol number (e.g., TCP is IP protocol number 6). The value 0 serves as a wildcard in any field. The following filters match web traffic to and from our NAT address: replies from port 80 to the NAT address, and requests from the NAT address to port 80. Keep in mind that ALTQ queues packets as they are transmitted on an interface, so on dc0 only the outbound requests are actually shaped; to limit the download direction, where most web bandwidth goes, define an interface, classes, and filters on the internal interface as well.

filter dc0 ws_class 192.0.2.230 0 0 80 0
filter dc0 ws_class 0 80 192.0.2.230 0 0

altqd can also be started by hand to test a new configuration. Check your syslog files for any configuration errors, which altqd logs at start time. By examining your firewall logs and utilization statistics, you will be able to determine what traffic is important to your network and what traffic is causing unneeded performance problems. Using ALTQ, you can classify and shape the traffic coming in and out of your network to get the most out of your resources.
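Because altqd only reports problems to syslog once it is started, it is worth checking a new altq.conf before touching the running gateway. The following shell/awk lint is an added example, not code from this page or from OpenBSD; it understands only the subset of altq.conf(5) used here (interface, class cbq, filter) and checks that every class's interface and parent exist, that each interface has exactly one default class, that no class hands out more bandwidth to its children than it has itself, and that every filter names a defined class with the right number of match fields. The two embedded configurations are constructed samples: SAMPLE_CONF is the configuration built up above, and BROKEN_CONF repeats it with a misspelled class name in the filters plus an invented class, bulk_class, that over-allocates root_class.

```shell
#!/bin/sh
# altq_lint: sanity-check the class tree and filters in an altq.conf before
# starting altqd. Added example, not part of OpenBSD or altqd; it parses only
# the interface / class cbq / filter lines used on this page.

# altq_lint CONFIG_TEXT
#   Prints one problem per line. Returns 0 when every check passes, 1 otherwise.
altq_lint() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
    $1 == "interface" { iface[$2] = 1; next }
    $1 == "class" {
        # class <discipline> <if> <name> <parent> [priority n] [pbandwidth n] [borrow] [default] [red]
        n = ++ncls
        cif[n] = $3; cname[n] = $4; cparent[n] = $5; pb[n] = 0
        cls[$3 ":" $4] = n
        for (i = 6; i <= NF; i++) {
            if ($i == "pbandwidth") pb[n] = $(i + 1) + 0
            if ($i == "default") ndef[$3]++
        }
        alloc[$3 ":" $5] += pb[n]                  # bandwidth handed out by each parent
        next
    }
    $1 == "filter" {
        # filter <if> <class> dst [netmask m] dport src [netmask m] sport proto
        f = ++nfil
        fif[f] = $2; fcls[f] = $3; fields[f] = NF
        for (i = 4; i <= NF; i++) if ($i == "netmask") fields[f] -= 2
        next
    }
    { printf "line %d: unknown directive: %s\n", NR, $1; bad = 1 }
    END {
        for (n = 1; n <= ncls; n++) {
            if (!(cif[n] in iface)) {
                printf "class %s: interface %s not declared\n", cname[n], cif[n]; bad = 1 }
            if (cparent[n] != "NULL" && !((cif[n] ":" cparent[n]) in cls)) {
                printf "class %s: parent %s not defined\n", cname[n], cparent[n]; bad = 1 }
            if (pb[n] < 1 || pb[n] > 100) {
                printf "class %s: pbandwidth %d out of range 1-100\n", cname[n], pb[n]; bad = 1 }
            if (alloc[cif[n] ":" cname[n]] > pb[n]) {
                printf "class %s: children allocate %d%% but the class itself has %d%%\n",
                       cname[n], alloc[cif[n] ":" cname[n]], pb[n]; bad = 1 }
        }
        for (i in iface) if (ndef[i] + 0 != 1) {
            printf "interface %s: need exactly one default class, found %d\n", i, ndef[i] + 0; bad = 1 }
        for (f = 1; f <= nfil; f++) {
            if (!((fif[f] ":" fcls[f]) in cls)) {
                printf "filter %d: class %s is not defined on %s\n", f, fcls[f], fif[f]; bad = 1 }
            if (fields[f] != 8) {
                printf "filter %d: expected dst dport src sport proto, got %d fields\n", f, fields[f] - 3; bad = 1 }
        }
        exit bad + 0
    }'
}

# Constructed sample: the configuration built up on this page, with the filters
# naming the class exactly as it was defined.
SAMPLE_CONF='
# Example altq.conf
interface dc0 bandwidth 1540K cbq
class cbq dc0 root_class NULL priority 0 pbandwidth 100
class cbq dc0 def_class root_class borrow pbandwidth 100 default
class cbq dc0 ws_class def_class pbandwidth 20 red
filter dc0 ws_class 192.0.2.230 0 0 80 0
filter dc0 ws_class 0 80 192.0.2.230 0 0
'

# Constructed sample with two easy mistakes: the filters name a class that was
# never defined (wi_class instead of ws_class), and an invented bulk_class makes
# the children of root_class add up to 130%.
BROKEN_CONF='
interface dc0 bandwidth 1540K cbq
class cbq dc0 root_class NULL priority 0 pbandwidth 100
class cbq dc0 def_class root_class borrow pbandwidth 100 default
class cbq dc0 bulk_class root_class pbandwidth 30
filter dc0 wi_class 192.0.2.230 0 0 80 0
filter dc0 wi_class 0 80 192.0.2.230 0 0
'

# When run directly: the clean sample passes, the broken one is reported.
altq_lint "$SAMPLE_CONF" && echo "SAMPLE_CONF: ok"
altq_lint "$BROKEN_CONF" || echo "BROKEN_CONF: rejected (see above)"
```

To check a real file, run `altq_lint "$(cat /etc/altq.conf)"` before restarting altqd; a non-zero exit means at least one of the problems above was printed. The lint is deliberately strict about the filter field count because a dropped field silently shifts every later field, turning a port into an address or a protocol into a port.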
