PF/ALTQ rules not working as intended


Weaseal
07-23-2008, 07:17 PM
I am attempting to limit all clients on the network to 128Kbps down and 64Kbps up. This is *sort of* working, except that for some reason, ALL clients are falling under the "c1" queue (which is the default), instead of using the ones written specifically for them.

Here is my pf.conf:

$ cat /etc/pf.conf
int_if="rl0"
ext_if="nfe0"
int_net="192.168.2.0/24"

principal="192.168.2.2"
c1="192.168.2.3"
c2="192.168.2.4"
c3="192.168.2.5"
c4="192.168.2.6"
c5="192.168.2.7"
c6="192.168.2.8"
c7="192.168.2.9"
c8="192.168.2.10"
c9="192.168.2.11"


altq on $int_if cbq bandwidth 3Mb queue { principal_d,c1_d,c2_d,c3_d,c4_d,c5_d,c6_d,c7_d,c8_d,c9_d }
altq on $ext_if cbq bandwidth 1Mb queue { principal_u,c1_u,c2_u,c3_u,c4_u,c5_u,c6_u,c7_u,c8_u,c9_u }


queue principal_d bandwidth 192Kb cbq ( rio )
queue principal_u bandwidth 64Kb cbq ( rio )

queue c1_d bandwidth 128Kb cbq ( default rio )
queue c1_u bandwidth 64Kb cbq ( default rio )

queue c2_d bandwidth 128Kb cbq ( rio )
queue c2_u bandwidth 64Kb cbq ( rio )

queue c3_d bandwidth 128Kb cbq ( rio )
queue c3_u bandwidth 64Kb cbq ( rio )

queue c4_d bandwidth 128Kb cbq ( rio )
queue c4_u bandwidth 64Kb cbq ( rio )

queue c5_d bandwidth 128Kb cbq ( rio )
queue c5_u bandwidth 64Kb cbq ( rio )

queue c6_d bandwidth 128Kb cbq ( rio )
queue c6_u bandwidth 64Kb cbq ( rio )

queue c7_d bandwidth 128Kb cbq ( rio )
queue c7_u bandwidth 64Kb cbq ( rio )

queue c8_d bandwidth 1200Kb cbq ( rio )
queue c8_u bandwidth 64Kb cbq ( rio )

queue c9_d bandwidth 128Kb cbq ( rio )
queue c9_u bandwidth 64Kb cbq ( rio )


pass out on $int_if from any to $principal keep state queue principal_d
pass out on $int_if from any to $c1 keep state queue c1_d
pass out on $int_if from any to $c2 keep state queue c2_d
pass out on $int_if from any to $c3 keep state queue c3_d
pass out on $int_if from any to $c4 keep state queue c4_d
pass out on $int_if from any to $c5 keep state queue c5_d
pass out on $int_if from any to $c6 keep state queue c6_d
pass out on $int_if from any to $c7 keep state queue c7_d
pass out on $int_if from any to $c8 keep state queue c8_d
pass out on $int_if from any to $c9 keep state queue c9_d


pass out on $ext_if from $principal to any keep state queue principal_u
pass out on $ext_if from $c1 to any keep state queue c1_u
pass out on $ext_if from $c2 to any keep state queue c2_u
pass out on $ext_if from $c3 to any keep state queue c3_u
pass out on $ext_if from $c4 to any keep state queue c4_u
pass out on $ext_if from $c5 to any keep state queue c5_u
pass out on $ext_if from $c6 to any keep state queue c6_u
pass out on $ext_if from $c7 to any keep state queue c7_u
pass out on $ext_if from $c8 to any keep state queue c8_u
pass out on $ext_if from $c9 to any keep state queue c9_u
And here is "pftop" after pressing 8 on the keyboard (queue view):

pfTop: Up Queue 1-22/22, View: queue, Cache: 10000 21:09:20

QUEUE       BW     SCH  PRIO  PKTS  BYTES   DROP_P  DROP_B  QLEN  BORROW  SUSPEN  P/S  B/S
root_rl0    3000K  cbq  0     238   59029   0       0       0     0       0       9    2544
root_nfe0   1000K  cbq  0     275   212907  0       0       0     0       0       12   7886
principal_d 192K   cbq        0     0       0       0       0     0       0       0    0
principal_u 64000  cbq        0     0       0       0       0     0       0       0    0
c1_d        128K   cbq        238   59029   0       0       0     0       3       9    2544
c1_u        64000  cbq        275   212907  34      31105   33    0       65      12   7886
c2_d        128K   cbq        0     0       0       0       0     0       0       0    0
c2_u        64000  cbq        0     0       0       0       0     0       0       0    0
c3_d        128K   cbq        0     0       0       0       0     0       0       0    0
c3_u        64000  cbq        0     0       0       0       0     0       0       0    0
c4_d        128K   cbq        0     0       0       0       0     0       0       0    0
c4_u        64000  cbq        0     0       0       0       0     0       0       0    0
c5_d        128K   cbq        0     0       0       0       0     0       0       0    0
c5_u        64000  cbq        0     0       0       0       0     0       0       0    0
c6_d        128K   cbq        0     0       0       0       0     0       0       0    0
c6_u        64000  cbq        0     0       0       0       0     0       0       0    0
c7_d        128K   cbq        0     0       0       0       0     0       0       0    0
c7_u        64000  cbq        0     0       0       0       0     0       0       0    0
c8_d        1200K  cbq        0     0       0       0       0     0       0       0    0
c8_u        64000  cbq        0     0       0       0       0     0       0       0    0
c9_d        128K   cbq        0     0       0       0       0     0       0       0    0
c9_u        64000  cbq        0     0       0       0       0     0       0       0    0
Can anyone suggest what I am doing wrong?

Weaseal
07-29-2008, 01:31 AM
Well, clearly and unfortunately this thread never got a reply and I was forced to switch to ipfw/dummynet for the bandwidth limiting. I'd rather be using pf for its advanced packet shaping features, but sometimes we have to settle for what gets the most important part done.

s0xxx
07-29-2008, 09:01 AM
I don't have the means to simulate and try your config right now as I am on a Windows machine, but you could have tried to generate traffic and then run pfctl -vv -ss (and possibly pfctl -vv -sr) to see which rule(s) put traffic into the default queue, so you can investigate why.
I see you got the problem solved, but it's worth knowing why it didn't work. ;)

s2scott
07-29-2008, 06:31 PM
Can you do an ASCII-art network diagram (topology)? I think the reason your rules aren't hitting is, perhaps, that you have the inside/outside IP addresses and the to/from mis-aligned.

pfctl -vvsrules

will show you the rule "hit" counts. I suspect they'll be zero.

/Scott
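A way to apply both suggestions above (s0xxx's "see which rule put traffic into the default queue" and s2scott's "the hit counts will be zero") without reading the counters by eye. This is an added example, not code from anyone in this thread: it pairs each "@N ..." rule line of a pfctl -vvsr dump with the "[ Evaluations: ... ]" counter line that follows it, lists the queue-assigning rules that never matched a packet, and lists the matched pass rules that carry no queue keyword at all, since whatever those pass is what ends up in the default queue. The dump embedded as SAMPLE is constructed in the layout of a FreeBSD 7-era pfctl -vvsr; it is not output from the poster's gateway, and the catch-all rule @4 in it is invented for illustration. The function names rule_counters, unmatched_queue_rules and default_queue_feeders are this example's own.

```shell
#!/bin/sh
# Added example: find which pf rules feed the default ALTQ queue by pairing
# each "@N ..." rule line of `pfctl -vvsr` with its "[ Evaluations: ... ]" line.

# Constructed sample in the layout of a FreeBSD 7-era `pfctl -vvsr`; not output
# from the gateway in the thread. Rule @4 is an invented catch-all.
SAMPLE='@0 pass out on rl0 inet from any to 192.168.2.2 keep state queue principal_d
  [ Evaluations: 812       Packets: 41        Bytes: 6120        States: 1     ]
  [ Inserted: uid 0 pid 531 ]
@1 pass out on rl0 inet from any to 192.168.2.3 keep state queue c1_d
  [ Evaluations: 812       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 531 ]
@2 pass out on nfe0 inet from 192.168.2.2 to any keep state queue principal_u
  [ Evaluations: 940       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 531 ]
@3 pass out on nfe0 inet from 192.168.2.3 to any keep state queue c1_u
  [ Evaluations: 940       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 531 ]
@4 pass out on nfe0 all keep state
  [ Evaluations: 940       Packets: 275       Bytes: 212907      States: 65    ]
  [ Inserted: uid 0 pid 531 ]'

# stdin: pfctl -vvsr output.  stdout: one line per rule,
#   <packets> <states> <queue or -> <rule text>
# Handles the single "queue name" form used in the thread, not "queue(a, b)".
rule_counters() {
    awk '
        /^@[0-9]+ / {
            rule = $0; q = "-"
            for (i = 1; i <= NF; i++) if ($i == "queue") q = $(i + 1)
            next
        }
        /^ *\[ Evaluations:/ && rule != "" {
            pk = 0; st = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "Packets:") pk = $(i + 1)
                if ($i == "States:")  st = $(i + 1)
            }
            print pk, st, q, rule
            rule = ""
        }'
}

# Queue-assigning rules that never matched a packet: the "hit counts are zero"
# check from the thread, one queue name per line.
unmatched_queue_rules() {
    rule_counters | awk '$1 == 0 && $3 != "-" { print $3 }'
}

# Matched pass rules with no queue keyword: whatever they pass is enqueued in
# the default queue (c1_d / c1_u in the thread's configuration).
default_queue_feeders() {
    rule_counters | awk '$1 > 0 && $3 == "-" && $4 ~ /^@/ && $5 == "pass" {
        sub(/^[^ ]+ [^ ]+ [^ ]+ /, ""); print }'
}

# Stand-alone run against the constructed sample. On the gateway replace the
# printf with a live dump:  pfctl -vvsr | unmatched_queue_rules
printf '%s\n' "$SAMPLE" | unmatched_queue_rules     # c1_d  principal_u  c1_u
printf '%s\n' "$SAMPLE" | default_queue_feeders     # @4 pass out on nfe0 all keep state
```

Read the two lists together: every client queue rule at zero while a queue-less pass rule (or, with no catch-all at all, pf's implicit default pass, which pfctl -sr does not print) carries the packets is the signature of traffic that is passing but never being classified, which is exactly what the pftop output in the first post shows. The same pairing trick works on pfctl -vvss, whose "rule N" field names the rule that created each state.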

Weaseal
08-06-2008, 01:41 PM
Can you do an ASCII-art network diagram (topology)? I think the reason your rules aren't hitting is, perhaps, that you have the inside/outside IP addresses and the to/from mis-aligned.

Ok.

( INTERNET ) --- ( ADSL modem ) --- ( <nfe0> FreeBSD gateway <rl0> ) --- ( switch ) --- ( clients )
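With that topology, the gateway almost certainly NATs the 192.168.2.0/24 clients behind nfe0, although the posted pf.conf shows no nat rule, so that is an assumption here. If it does, the "pass out on $ext_if from $cN" rules are compared against the already-translated source address, because pf of the FreeBSD 7 generation (the OpenBSD 4.1 port) performs translation before filtering, so those rules never match and the upload traffic falls through to the default queue, which in the posted config is c1_u. The generator below is an added example, not the poster's or anyone else's configuration. It classifies each client on the inbound interface, where the client's own address is still visible, carries the decision to nfe0 with a tag, and gives unclassified traffic its own default queue so that "everything in c1" can no longer be confused with "nothing classified". The client list, the default-queue sizes, the default_d/default_u names and the helpers each_client, to_kbit, budget_ok, emit_queue_defs, emit_rules and gen_pf are all this example's own.

```shell
#!/bin/sh
# Added example: generate per-client PF/ALTQ rules that classify on the
# inbound interface and carry the decision to the outbound one with a tag.
# Assumed, not shown in the thread: a nat rule on nfe0, and pf of the
# FreeBSD 7 generation, which translates before it filters.

INT_IF=rl0;  EXT_IF=nfe0
INT_BW=3Mb;  EXT_BW=1Mb
DEF_DOWN=64Kb; DEF_UP=32Kb     # sizes of the dedicated default queues (constructed)

# name:address:down:up, constructed to mirror the thread's first three hosts.
CLIENTS='principal:192.168.2.2:192Kb:64Kb
c1:192.168.2.3:128Kb:64Kb
c2:192.168.2.4:128Kb:64Kb'

# Call "$1 name addr down up" once per client, in the current shell so that
# callbacks can update variables.
each_client() {
    while IFS=: read -r name addr down up; do
        [ -n "$name" ] || continue
        "$1" "$name" "$addr" "$down" "$up"
    done <<EOF
$CLIENTS
EOF
}

# pf bandwidth spec -> kilobits (pf's K and M suffixes are decimal).
to_kbit() {
    case $1 in
        *Mb)    echo $(( ${1%Mb} * 1000 )) ;;
        *Kb)    echo "${1%Kb}" ;;
        *b)     echo $(( ${1%b} / 1000 )) ;;
        *[0-9]) echo $(( $1 / 1000 )) ;;
        *)      echo 0 ;;
    esac
}

# CBQ refuses a child set whose bandwidth exceeds the parent; check before
# loading.  $1 = d|u, $2 = root bandwidth, $3 = default queue bandwidth.
budget_ok() {
    dir=$1; total=$(to_kbit "$3")
    add_child() {
        if [ "$dir" = d ]; then total=$(( total + $(to_kbit "$3") ))
        else                    total=$(( total + $(to_kbit "$4") )); fi
    }
    each_client add_child
    [ "$total" -le "$(to_kbit "$2")" ]
}

emit_queue_defs() {
    printf 'queue %s_d bandwidth %s cbq ( rio )\n' "$1" "$3"
    printf 'queue %s_u bandwidth %s cbq ( rio )\n' "$1" "$4"
}

emit_rules() {
    tag=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    # Inbound on rl0 the client address is untranslated. The queue named here is
    # re-applied to replies that match this rule's state on their way out of rl0.
    printf 'pass in  on $int_if from %s to any keep state tag %s queue %s_d\n' "$2" "$tag" "$1"
    # Outbound on nfe0 the source is already the NAT address: match the tag instead.
    printf 'pass out on $ext_if tagged %s keep state queue %s_u\n' "$tag" "$1"
}

gen_pf() {
    d_list=default_d; u_list=default_u
    collect() { d_list="$d_list, ${1}_d"; u_list="$u_list, ${1}_u"; }
    each_client collect
    printf 'int_if="%s"\n' "$INT_IF"
    printf 'ext_if="%s"\n' "$EXT_IF"
    printf 'altq on $int_if cbq bandwidth %s queue { %s }\n' "$INT_BW" "$d_list"
    printf 'altq on $ext_if cbq bandwidth %s queue { %s }\n' "$EXT_BW" "$u_list"
    # Unclassified traffic gets its own queue instead of riding in a client's.
    printf 'queue default_d bandwidth %s cbq ( default rio )\n' "$DEF_DOWN"
    printf 'queue default_u bandwidth %s cbq ( default rio )\n' "$DEF_UP"
    each_client emit_queue_defs
    each_client emit_rules
}

# Refuse to emit a config that pfctl would reject for over-subscribing CBQ.
budget_ok d "$INT_BW" "$DEF_DOWN" && budget_ok u "$EXT_BW" "$DEF_UP" && gen_pf
```

Validate the result with pfctl -nf on the generated file before loading it, and after some traffic confirm with pfctl -vvsr that both rules of each client pair accumulate packets; if only the tagged upload rule does, the reply path is not matching the state that the inbound rule created and the download queue still needs its own out rule on rl0. The budget check matters because the posted config sizes c8_d at 1200Kb while every other client gets 128Kb; a child set that grows past the 3Mb root is rejected at load time, not silently squeezed.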