Bandwidth limit per IP

[PatrickBaer]

Good morning!

Today it was the second time, one uploader in the company blocked the whole internet-connection because he used the full bandwidth for his upload.

So what I would like to do is setup a pf-rule that says:

If one host uses up full bandwidth, let him.

When other hosts come in and require bandwidth, share the full bandwidth equally between them, depending on the amount of total hosts and the bandwidth they actually need.

When the other hosts are idle, give full bandwidth back to the first host.

I have seen setups with queue rules, that distribute bandwidth per address or queue, but none of them used such a dynamic rule.

Thanks in advance

Patrick

[jggimi]

I haven't seen your config, and don't know from your description if your selected queuing methodology supports borrowing. Quoting from the Class Based Queing section of the PF User's Guide:

Quote:

A queue may optionally be configured to borrow bandwidth from its parent queue if the parent is being under-utilized.

That is what I do. If there is bandwidth, I let those that want more get it (they "borrow"), when there is bandwidth contention, they are restricted to their designed caps.

[PatrickBaer]

Hm, do I get this right:

I setup one queue "clients" and assign each of them say 10% of the bandwidth maximum.

This should mean "use all the bandwidth, but if traffic gets heavier, do not exceed 10% of the total"?

Could you give me an example? My pf.conf doesn't use queues yet, I haven't actually needed them yet.

[J65nko]

You can find an example in http://www.openbsd.dk/faq/pf/queueing.html

[PatrickBaer]

Well, I went through it.

But that only describes load distribution by protocol or subnet, not by host!

That won't work for my case, as I want to keep any host in the network from eating up all the bandwidth?

[jggimi]

In previous threads you have stated, in no uncertain terms, that you don't want to be told to read a FAQ page or a man page. I will take a risk of ridicule from you once more, and point out one line from the PF FAQ, only:

Quote:

To assign traffic to a queue, the queue keyword is used in conjunction with PF's filter rules.

Here's one example of assigning a queue to a user from a particular IP address. It assigns the queue "myqueue" to all packets inbound from 10.0.0.1:

match in 10.0.0.1 to any queue myqueue

The match rule is not described in the FAQ, but it is in the man page. I won't tell you to read it. Any pass or match rule can be used to assign a queue.

[J65nko]

May be it is me but I see a lot of instances of cbq in the second example at http://www.openbsd.dk/faq/pf/queueing.html#example2.

I never use queueing myself, so I don't have any examples. When my daughter was still living home once in a while I used YBQ, "Yell Based Queueing" : hey, are you downloading something, cannot you wait until I watch the news and Nova at 10:00 hrs?!"

[PatrickBaer]

I have four class-c nets, is it wise to load up 1000 filter rules?

By the way, we already use ybq. But also we also use dwbp (doesn't work = blame patrick), I'd like to improve a little bit

[jggimi]

No, it probably isn't wise. It will consume memory to house the rule set, and it will consume CPU to process the rules, even with PF optimization.

Why do your 1000 addresses need to have individualized queues? You should have classes of users that can all share the same queue.

E.g: 500 of your users might have a workload (or everything, which is what you wanted) in a queue that consumes 10% of total bandwidth when there is contention, and borrows up to 50% of the total bandwith from a parent queue (which does not borrow) when there is not.

[PatrickBaer]

The problem is, that we transfer a HUGE amount of data over the internet, but independent from the kind of host.

So one day the ftp-server will be stuffed with 2T of data and then downloaded, the other day it's one of the desktop machines, that uploads 50G and jams the whole internet-connection (this is exactly what happened thursday)

So from what I understood, the queuing stuff can only limit down to one queue: I can share 50% to Group A and 50% to Group B. But what happens if Host 1 in Group A uses up all it can get? Group B can still claim 50% bandwidth. But what about Host 2 in Group A?

[jggimi]

Quote:

Originally Posted by PatrickBaer

...I can share 50% to Group A and 50% to Group B. But what happens if Host 1 in Group A uses up all it can get? Group B can still claim 50% bandwidth. But what about Host 2 in Group A?

Using the example you cite, Hosts 1 and 2 will share 50% of the bandwidth, because they share the same queue.

I have only ever used the class based queing scheduler, and organized queues by network application, to shape outbound bandwidth use. If conducting your shaping by application doesn't meet your needs, you might investigate the hierarchical fair service curve scheduler. It is not mentioned in the FAQ, but is described in the pf.conf man page, which says:

Quote:

...Each queue can have a priority and a bandwidth assigned. Priority main-
ly controls the time packets take to get sent out, while bandwidth
primarily affects throughput. hfsc supports both link-sharing and
guaranteed real-time services. It employs a service curve based
QoS model, and its unique feature is an ability to decouple delay
and bandwidth allocation.

[PatrickBaer]

Well, frankly I don't understand why nobody hasn't run into the problem of keeping one user to block the whole network yet?

[DutchDaemon]

In this case, I would not queue based on IP/host, but on the type of traffic you deem the most important (or the type of traffic you want the least interference with).

If you don't want FTP or rsync to consume all of your bandwidth, give them a 'lower queue' and a bandwidth limit with the ability to borrow from higher queues when these are not full. (this is for CBQ only)

I don't know which type of traffic you favour over others, but it should be relatively easy to identify them and determine which queueing order would work best.

E.g. if you have a local webserver you want to be reachable at all times, queue http traffic higher than ftp or rsync traffic, and if you value ssh even more, put that above the http queue. Depending on the type of altq mechanism you use, you can define up to 15 types of traffic. You don't absolutely need CBQ unless you want to give any of the traffic types a minimum bandwidth guarantee.

PRIQ alone will do fine if you don't mind that ftp or rsync (assuming that these are in the 'bottom queues') are blown away by traffic in the higher queues.

[jggimi]

Quote:

Originally Posted by PatrickBaer

Well, frankly I don't understand why nobody hasn't run into the problem of keeping one user to block the whole network yet?

If you find our answers are incomplete or unsatisfactory, please post your question to the PF mailing list, where an audience that is both broader and deeper may be able to assist you. http://www.benzedrine.cx/mailinglist.html