FreeBSD Router with Traffic Shaping with PF and ALTQ HFSC   February 19th, 2010

Here is a tutorial on building a FreeBSD router with traffic shaping, using OpenBSD's PF together with the ALTQ HFSC queueing discipline.

Step 1. Compile the kernel with support for PF and ALTQ
-------------------------------------------------------

cd /usr/src/sys/i386/conf/
cp GENERIC ROUTER

Edit the ROUTER file and add the following lines at the end:

# ---------------- add the following lines to ROUTER file ----------------
# pf support
device mem
device pf
device pflog
device pfsync

# altq support (enable every discipline so pf.conf can use any of them)
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ

# other optimizations
options HZ=1000
options DEVICE_POLLING
# -------------------------------- eof -----------------------------------

Next, build and install a kernel from the ROUTER configuration:

cd /usr/src
make -j4 buildkernel KERNCONF=ROUTER
make installkernel KERNCONF=ROUTER

Reboot the machine; the kernel now has PF and ALTQ support.

Step 2. Create the pf.conf file for your firewall and traffic shaper
--------------------------------------------------------------------

Rename your default /etc/pf.conf file and create a new one. In our example we assume your network cards are fxp0 for WAN and fxp1 for LAN, your LAN subnet is 192.168.0.0/24, and the router's LAN IP is 192.168.0.1. Since the LAN is on a private subnet (we only have one public IP), we use PF's NAT.

The shaping rules are for two PCs on the LAN. Each is assigned a maximum of 5Mb of bandwidth, with 1Mb guaranteed.

The pf.conf file follows:

# --------------------- pf.conf ---------------------
ext_if="fxp0"
int_if="fxp1"
pc1="192.168.0.2"
pc2="192.168.0.3"

# One HFSC root per interface: upload queues sit on the WAN side,
# download queues on the LAN side (ALTQ shapes only outgoing traffic).
altq on $ext_if hfsc bandwidth 10Mb queue { def_up, pc1_up, pc2_up }
altq on $int_if hfsc bandwidth 10Mb queue { def_down, pc1_down, pc2_down }

# Per-PC queues: 1Mb guaranteed (realtime), capped at 5Mb (upperlimit).
# All four must be defined: the altq lines and the pass rules below also
# name pc1_down and pc2_up, and pfctl refuses to load a file that refers
# to a queue it never defines.
queue pc1_up bandwidth 5Mb hfsc(realtime 1Mb linkshare 50% upperlimit 5Mb)
queue pc1_down bandwidth 5Mb hfsc(realtime 1Mb linkshare 50% upperlimit 5Mb)
queue pc2_up bandwidth 5Mb hfsc(realtime 1Mb linkshare 50% upperlimit 5Mb)
queue pc2_down bandwidth 5Mb hfsc(realtime 1Mb linkshare 50% upperlimit 5Mb)

# Default queues (exactly one per altq) for everything not assigned below
queue def_up bandwidth 128Kb hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)
queue def_down bandwidth 128Kb hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)

# Hide the private LAN behind the router's public address
nat on $ext_if from $int_if:network to any -> ($ext_if)

# ------ Pass rules, shaping for PC1
pass in quick on $ext_if from any to $pc1
pass out quick on $int_if from any to $pc1 queue pc1_down

pass in quick on $int_if from $pc1 to any
pass out quick on $ext_if from $pc1 to any queue pc1_up

# ------ Pass rules, shaping for PC2
pass in quick on $ext_if from any to $pc2
pass out quick on $int_if from any to $pc2 queue pc2_down

pass in quick on $int_if from $pc2 to any
pass out quick on $ext_if from $pc2 to any queue pc2_up

# Everything else is dropped, including connections to the router itself
# (e.g. the sshd enabled in rc.conf); add pass rules for those if you need them.
block all
# ----------------------- end pf.conf file -----------------------

Step 3. Edit /etc/rc.conf to enable PF at startup and load its configuration from /etc/pf.conf
----------------------------------------------------------------------------------------------

Your rc.conf file should look like this:

# -------------- rc.conf -----------------
hostname="router.example.com"
gateway_enable="yes"        # forward packets between fxp0 and fxp1
defaultrouter="80.80.0.1"

ifconfig_fxp0="inet 80.80.0.2 netmask 255.255.255.224"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"

sshd_enable="yes"

pf_enable="YES"
pf_rules="/etc/pf.conf"
# ---------------- end rc.conf ---------

Tips to debug PF rules:
-----------------------

pfctl -nf /etc/pf.conf (parse the file without loading it; syntax and queue errors show up here before the running ruleset is touched)
pfctl -f /etc/pf.conf (load pf.conf)
pfctl -vvsr (show the loaded rules with their counters)
pfctl -vvsq (show the queues in real time; check that traffic actually lands in the pc1_* and pc2_* queues rather than only in the default ones)
pfctl -F state (flush the state table)
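As an added sanity check (my own Python, not from the original post and not how pfctl itself is implemented), the script below reads the queue section of a pf.conf and reports the inconsistencies pfctl rejects at load time: queues named in an altq line or a pass rule but never defined, and an interface without exactly one default queue. It also flags children whose realtime guarantees add up to more than the parent link, which HFSC cannot honour. The embedded sample is this post's queue section with pc1_down and pc2_up left undefined, so the checker has something to find.

```python
import re

UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Queue section of this post's pf.conf, with pc1_down and pc2_up still undefined.
PAGE_CONF = """
altq on $ext_if hfsc bandwidth 10Mb queue {def_up,pc1_up, pc2_up}
altq on $int_if hfsc bandwidth 10Mb queue {def_down,pc1_down, pc2_down}
queue pc1_up bandwidth 5Mb hfsc(realtime 1Mb linkshare 50% upperlimit 5Mb)
queue pc2_down bandwidth 5Mb hfsc(realtime 1Mb linkshare 50% upperlimit 5Mb)
queue def_up bandwidth 128Kb hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)
queue def_down bandwidth 128Kb hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)
pass out quick on $int_if from any to $pc1 queue pc1_down
pass out quick on $ext_if from $pc1 to any queue pc1_up
pass out quick on $int_if from any to $pc2 queue pc2_down
pass out quick on $ext_if from $pc2 to any queue pc2_up
"""

def rate(spec, parent_bw=0.0):  # '5Mb', '128Kb' or '50%' of the parent -> bits per second
    if spec.endswith("%"):
        return parent_bw * float(spec[:-1]) / 100
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)b?", spec)
    return float(m[1]) * UNIT[m[2]]

def check_queues(conf):
    """Return the queue problems found in conf; an empty list means it is consistent."""
    altqs, queues, used, problems = {}, {}, set(), []
    for line in conf.splitlines():
        line = line.split("#")[0].strip()
        if m := re.match(r"altq on \$?(\S+) hfsc bandwidth (\S+) queue \{([^}]*)\}", line):
            altqs[m[1]] = (rate(m[2]), [q.strip() for q in m[3].split(",")])
        elif m := re.match(r"queue (\S+) bandwidth (\S+) hfsc\(([^)]*)\)", line):
            opts = m[3].split()  # e.g. realtime 1Mb linkshare 50% upperlimit 5Mb default
            rt = opts[opts.index("realtime") + 1] if "realtime" in opts else "0"
            queues[m[1]] = (rt, "default" in opts)
        elif line.startswith("pass") and (m := re.search(r"\bqueue (\S+)$", line)):
            used.add(m[1])  # queue assigned by a pass rule
    problems += [f"pass rule uses undefined queue {q}" for q in sorted(used - set(queues))]
    for ifname, (bw, children) in altqs.items():
        problems += [f"altq on {ifname} lists undefined queue {c}" for c in children if c not in queues]
        defined = [c for c in children if c in queues]
        if sum(queues[c][1] for c in defined) != 1:
            problems.append(f"altq on {ifname} must have exactly one default queue")
        if sum(rate(queues[c][0], bw) for c in defined) > bw:  # realtime is a hard guarantee
            problems.append(f"altq on {ifname}: realtime guarantees exceed the {bw / 1e6:g}Mb link")
    return problems

if __name__ == "__main__":
    for problem in check_queues(PAGE_CONF):
        print(problem)
```

Run against the post's own queue section it prints the four missing-queue problems; paste the two absent definitions in and it goes quiet.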

source here

This entry was posted on Friday, February 19th, 2010 at 9:58 am and is filed under FreeBSD, Networking.
