PF+AltQ+NAT

I'm trying to set up the following config:
 [LAN] --- fxp1 -[OpenBSD]- fxp0 --- sf1 -[OpenBSD]- sf0 --- [Internet]

Note the [OpenBSD] boxes are the same OpenBSD box (it has two onboard NICs (fxp) and a four-port NIC (sf)). The fxp0 and fxp1 devices are set up as a bridge in an attempt to allow me to do AltQ on traffic in both directions. I have NAT running on sf0 and all my AltQ rules on the fxp interfaces. This is also running OpenBSD 4.1 from the 2007/03/30 snapshot, so some options are 4.1 specific (such as the `no state' keyword).

Below is a simplified version of my pf.conf. It only includes the NAT and AltQ rules.

# See pf.conf(5) for syntax and examples
#
ext_if="sf0"
int_if="sf1"
ext_bridge_if="fxp0"
int_bridge_if="fxp1"

set debug urgent
set block-policy return
set optimization aggressive
set state-policy if-bound

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in on $ext_if all fragment reassemble

# AltQ 
altq on $ext_bridge_if cbq bandwidth 1Mb queue { std_out, ssh_im_dns_out, bt_out }
queue std_out           bandwidth 500Kb cbq(default ecn borrow)
queue ssh_im_dns_out    bandwidth 50Kb cbq(ecn)
queue bt_out            bandwidth 250Kb cbq(ecn)

altq on $int_bridge_if cbq bandwidth 1.4Mb queue { std_in, ssh_im_dns_in, bt_in }
queue std_in            bandwidth 400Kb cbq(default ecn borrow)
queue ssh_im_dns_in     bandwidth 50Kb cbq(ecn)
queue bt_in             bandwidth 400Kb priority 3 cbq(ecn)

# NAT
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)

# Filter Rules
# Incoming Traffic
pass  out on $int_bridge_if inet proto tcp from any to any port 6881:6999 queue bt_in no state
pass  out on $int_bridge_if inet proto tcp from any port 6881:6999 to any queue bt_in no state
pass  out on $int_bridge_if inet proto tcp from any to 192.168.1.61 queue bt_in no state
pass  out on $int_bridge_if inet proto tcp from any to 192.168.1.42 queue bt_in no state

# Outgoing Traffic
pass  out on $ext_bridge_if inet from 192.168.1.61 to any queue bt_out no state
pass  out on $ext_bridge_if inet proto tcp from 192.168.1.42 to any queue bt_out no state

One of the things I have found that may or may not be an issue is that with `set state-policy if-bound', `pfctl -s state' still shows that the state is bound to all interfaces.
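A consistency check for the queue layout above, added here as an example and not part of the original post or of OpenBSD's pf tooling. It parses the altq/queue definitions and the queue-tagged filter rules from the posted config (embedded below with the macros expanded to fxp0/fxp1, a constructed sample), then verifies that the child queues on each interface fit within the root bandwidth, that each interface has exactly one default queue, and that every `queue` assignment in a rule names a queue attached to the interface the rule is on. The decimal unit multipliers and the regexes are assumptions of this script, not pf's own parser.

```python
import re

# Constructed sample, not taken from a running system: the altq/queue definitions and
# two filter rules from the post, with the macros already expanded
# (ext_bridge_if = fxp0, int_bridge_if = fxp1).
SAMPLE_PF_CONF = """\
altq on fxp0 cbq bandwidth 1Mb queue { std_out, ssh_im_dns_out, bt_out }
queue std_out           bandwidth 500Kb cbq(default ecn borrow)
queue ssh_im_dns_out    bandwidth 50Kb cbq(ecn)
queue bt_out            bandwidth 250Kb cbq(ecn)

altq on fxp1 cbq bandwidth 1.4Mb queue { std_in, ssh_im_dns_in, bt_in }
queue std_in            bandwidth 400Kb cbq(default ecn borrow)
queue ssh_im_dns_in     bandwidth 50Kb cbq(ecn)
queue bt_in             bandwidth 400Kb priority 3 cbq(ecn)

pass  out on fxp1 inet proto tcp from any to any port 6881:6999 queue bt_in no state
pass  out on fxp0 inet from 192.168.1.61 to any queue bt_out no state
"""

# pf.conf(5) bandwidth suffixes; decimal multipliers are an assumption of this script
# (only the ratios between root and children matter for the checks below).
UNITS = {"": 1, "b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}

ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s+(\S+)\s+bandwidth\s+(\S+)\s+queue\s*\{([^}]*)\}")
QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+bandwidth\s+(\S+)(.*)$")
RULE_RE = re.compile(r"^(?:pass|block|match)\b.*?\bon\s+(\S+)\b.*?\bqueue\s*\(?\s*([\w-]+)")


def parse_bandwidth(text):
    """Turn '1.4Mb' / '500Kb' into bits per second (float)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Kb|Mb|Gb|b)?", text)
    if not m:
        raise ValueError(f"unparseable bandwidth: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2) or ""]


def parse_altq(conf):
    """Collect root queues per interface, child queue definitions and queue-tagged rules."""
    roots, queues, rules = {}, {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := ALTQ_RE.match(line):
            iface, sched, bw, children = m.groups()
            roots[iface] = {
                "scheduler": sched,
                "bandwidth": parse_bandwidth(bw),
                "children": [c.strip() for c in children.split(",") if c.strip()],
            }
        elif m := QUEUE_RE.match(line):
            name, bw, opts = m.groups()
            queues[name] = {"bandwidth": parse_bandwidth(bw), "default": "default" in opts}
        elif m := RULE_RE.match(line):
            rules.append((m.group(1), m.group(2)))  # (interface, queue name)
    return roots, queues, rules


def lint_altq(conf):
    """Return a list of readable problems; an empty list means the queue layout is consistent."""
    roots, queues, rules = parse_altq(conf)
    problems = []
    for iface, root in roots.items():
        total, defaults = 0.0, 0
        for child in root["children"]:
            q = queues.get(child)
            if q is None:
                problems.append(f"{iface}: child queue {child} is never defined")
                continue
            total += q["bandwidth"]
            defaults += q["default"]
        if total > root["bandwidth"]:
            problems.append(f"{iface}: children want {total:.0f} b/s but root is {root['bandwidth']:.0f} b/s")
        if defaults != 1:
            problems.append(f"{iface}: {defaults} default queues (need exactly one)")
    for iface, qname in rules:
        if iface not in roots or qname not in roots[iface]["children"]:
            problems.append(f"rule on {iface} assigns queue {qname}, which is not attached to that interface")
    return problems


if __name__ == "__main__":
    for p in lint_altq(SAMPLE_PF_CONF) or ["queue definitions look consistent"]:
        print(p)
```

Run against the posted layout the script reports no problems (800Kb of children under a 1Mb root on fxp0, 850Kb under 1.4Mb on fxp1, one default each, and both rules tag queues that live on their own interface); raising a child above the root or tagging `bt_in` on fxp0 produces a one-line complaint, which is the kind of mistake pfctl only reports at load time.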
