OpenBSD provides a robust mechanism for rate limiting and Quality of Service (QoS) when the host acts as a gateway. When a wireless network and a DMZ reach the Internet through the same gateway, you generally want the DMZ to have higher-priority access to the link. Otherwise wireless users can saturate your bandwidth and deny outside access to your DMZ resources.
The OpenBSD queuing interface, ALTQ, supports many different types of traffic shaping. Class Based Queuing (CBQ) and Random Early Detection (RED) are enabled by default in a standard OpenBSD installation. To make sure ALTQ is compiled in, check your platform-independent kernel configuration file (sys/conf/GENERIC in the kernel source tree) for the following line:
option ALTQ
ALTQ is controlled by a userland daemon called altqd. altqd reads its configuration from /etc/altq.conf by default. To ensure altqd starts at boot time, verify that the following line is contained in your /etc/rc.conf:
altqd_flags=""
More advanced QoS mechanisms such as Hierarchical Fair Service Curve (HFSC), Weighted Fair Queuing (WFQ) and Priority Queuing (PRIQ) can be turned on using various kernel configuration options. For a full list of the queuing options, see the options(4) manual page.
With CBQ, you can create classes of traffic based on protocol and on source or destination address and port. These classes can be very generic and cover whole subnets, or they can be very specific and apply only to a certain TCP port on a given server. Each class is then assigned a percentage or an absolute amount of the total available bandwidth.
One of the largest offenders of excessive bandwidth utilization on a corporate network is web surfing, so we will use web-surfing limitation as our example. First, the maximum available throughput and the queuing discipline must be configured on the external interface. Assume this system has a T1 (1.544 Mbps) for connectivity to the Internet:
# Example altq.conf
interface dc0 bandwidth 1544K cbq
Now the root class must be configured. Every other class is a child of some class and ultimately a descendant of the root class. This tree of classes allows for fine-grained control of traffic on various ports in various networks:
class cbq dc0 root_class NULL priority 0 pbandwidth 100
The root_class parent is set to NULL since it has no parent. The priority is set to 0, the lowest (CBQ priorities run from 0 to 7). pbandwidth is the percentage of the available bandwidth the class can use. In this case, the root_class is allowed all the available bandwidth.
Now a default child class must be created to serve as a catchall for other, non-classified traffic:
class cbq dc0 def_class root_class borrow pbandwidth 100 default
The def_class is a child of the root_class. The keyword borrow indicates this class can borrow spare bandwidth from its parent class. If the borrow keyword is omitted, the percentage bandwidth is a hard maximum rather than a guaranteed share that the class may exceed when the parent has capacity to spare. The default keyword indicates this is the catchall class.
Finally, a web-surfing class must be created:
class cbq dc0 ws_class def_class pbandwidth 20 red
ws_class is a child of def_class and, since it does not use borrow, will only be allowed to use a maximum of 20% of the available bandwidth. When the class's queue starts to fill against that 20% cap, the kernel uses RED to drop packets probabilistically before the queue overflows, which makes TCP senders back off instead of all of them stalling at once.
For the ws_class, filter definitions must be created to instruct the kernel how to apply this class. Filters take the following structure:
filter interface class_name dst_address [netmask netmask] dst_port src_address [netmask netmask] src_port protocol
The protocol is the IP protocol number (e.g., TCP is IP protocol number 6). The value 0 serves as a wildcard for altq filters. The following rules will limit web surfing, which originates from our NAT address (192.0.2.230); the first filter matches traffic coming back from web servers, the second matches the outbound requests. Bear in mind that ALTQ shapes packets as they leave an interface, so a filter on dc0 only takes effect on the direction dc0 transmits:
filter dc0 ws_class 192.0.2.230 0 0 80 0
filter dc0 ws_class 0 80 192.0.2.230 0 0
altqd may be started by hand. Check your syslog files for any configuration errors, which altqd logs at start time. By examining your firewall logs and utilization statistics, you will be able to determine what traffic is important to your network and what traffic is causing unneeded performance problems. Using ALTQ, you can classify and shape the traffic coming in and out of your network to get the most out of your resources.
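Because altqd only reports configuration errors to syslog when it starts, it helps to check the class tree before restarting it. The following Python script is an added example, not part of the original text and not altqd's own code: it parses the interface, class cbq and filter line forms used above and flags a filter that names a class which was never defined, a class whose parent is missing, an interface with no (or more than one) default class, and children promised more pbandwidth than their parent holds. The embedded altq.conf is constructed for the example. It keeps the root, default and web-surfing classes from the text and adds a hypothetical dmz_class that is preferred over a hypothetical wl_class for wireless; the interface dc0 and the NAT address 192.0.2.230 come from the text, while the DMZ subnet 198.51.100.0/24 and the names dmz_class and wl_class are assumptions. Options other than priority, pbandwidth, borrow, default and red are passed through without interpretation.

```python
"""Offline consistency check for an altq.conf(5) CBQ class tree (added example)."""
import re

# Constructed sample altq.conf: the classes from the text plus a hypothetical
# dmz_class preferred over a hypothetical wl_class (wireless), with web surfing
# from the NAT address capped inside the wireless share. 198.51.100.0/24 as the
# DMZ subnet is an assumption.
SAMPLE_CONF = """\
interface dc0 bandwidth 1544K cbq
class cbq dc0 root_class NULL priority 0 pbandwidth 100
class cbq dc0 def_class root_class borrow pbandwidth 100 default
class cbq dc0 dmz_class def_class priority 5 borrow pbandwidth 60
class cbq dc0 wl_class def_class priority 1 pbandwidth 30
class cbq dc0 ws_class wl_class priority 1 pbandwidth 20 red
filter dc0 dmz_class 0 0 198.51.100.0 netmask 255.255.255.0 0 0
filter dc0 ws_class 0 80 192.0.2.230 0 6
"""

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_altq_conf(text):
    """Split altq.conf text into interfaces, cbq classes and filters."""
    interfaces, classes, filters = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tok:
            continue
        if tok[0] == "interface" and len(tok) >= 4 and tok[2] == "bandwidth":
            interfaces[tok[1]] = tok[3]
        elif tok[0] == "class" and len(tok) >= 5 and tok[1] == "cbq":
            classes.append({"iface": tok[2], "name": tok[3], "parent": tok[4],
                            "opts": tok[5:], "line": lineno})
        elif tok[0] == "filter" and len(tok) >= 3:
            filters.append({"iface": tok[1], "cls": tok[2], "fields": tok[3:],
                            "line": lineno})
    return interfaces, classes, filters


def class_option(opts, key, default=""):
    """Value following keyword `key` in a class option list, else default."""
    for i, word in enumerate(opts[:-1]):
        if word == key:
            return opts[i + 1]
    return default


def _num(value, lo, hi):
    """int(value) when it is a decimal number within [lo, hi], else None."""
    return int(value) if value.isdigit() and lo <= int(value) <= hi else None


def check_altq_conf(text):
    """Return a list of problems; an empty list means the tree is consistent."""
    interfaces, classes, filters = parse_altq_conf(text)
    problems, by_name = [], {}
    for c in classes:
        if c["iface"] not in interfaces:
            problems.append("line %d: class %s on undeclared interface %s"
                            % (c["line"], c["name"], c["iface"]))
        if c["parent"] != "NULL" and c["parent"] not in by_name:
            problems.append("line %d: class %s has undefined parent %s"
                            % (c["line"], c["name"], c["parent"]))
        if _num(class_option(c["opts"], "pbandwidth"), 0, 100) is None:
            problems.append("line %d: class %s needs pbandwidth 0-100"
                            % (c["line"], c["name"]))
        if _num(class_option(c["opts"], "priority", "0"), 0, 7) is None:
            problems.append("line %d: class %s priority must be 0-7"
                            % (c["line"], c["name"]))
        by_name[c["name"]] = c
    for iface in interfaces:
        n = sum(1 for c in classes if c["iface"] == iface and "default" in c["opts"])
        if n != 1:
            problems.append("interface %s needs one default class, has %d" % (iface, n))
    # Children may not be promised more of the link than their parent holds.
    for parent in classes:
        kids = [c for c in classes if c["parent"] == parent["name"]]
        share = sum(_num(class_option(k["opts"], "pbandwidth"), 0, 100) or 0 for k in kids)
        cap = _num(class_option(parent["opts"], "pbandwidth"), 0, 100) or 0
        if share > cap:
            problems.append("children of %s claim %d%% but parent has %d%%"
                            % (parent["name"], share, cap))
    for f in filters:
        owner = by_name.get(f["cls"])
        if owner is None or owner["iface"] != f["iface"]:
            problems.append("line %d: filter refers to unknown class %s on %s"
                            % (f["line"], f["cls"], f["iface"]))
        # Drop optional "netmask X" pairs, leaving dst dport src sport proto.
        w = f["fields"]
        fields = [x for i, x in enumerate(w)
                  if x != "netmask" and (i == 0 or w[i - 1] != "netmask")]
        if len(fields) != 5:
            problems.append("line %d: filter needs dst dport src sport proto" % f["line"])
            continue
        dst, dport, src, sport, proto = fields
        if any(a != "0" and not DOTTED.match(a) for a in (dst, src)):
            problems.append("line %d: bad address in filter" % f["line"])
        if None in (_num(dport, 0, 65535), _num(sport, 0, 65535), _num(proto, 0, 255)):
            problems.append("line %d: bad port or protocol number" % f["line"])
    return problems
```

Run check_altq_conf() over the contents of /etc/altq.conf before restarting altqd; an empty result means the tree is self-consistent, though only altqd itself can tell you whether the kernel was built with the discipline you asked for. The DMZ class gets a higher CBQ priority and a larger share than the wireless class, and the web-surfing cap sits underneath the wireless share, which is what the priority arrangement described at the start of this section calls for.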