Queuing

From securityrouter.org, an OpenBSD-based firewall

OpenBSD's packet queueing (QoS) is rather advanced, and very powerful. Debugging and monitoring can be carried out using the systat queue CLI command.

Prioritisation

In most cases, queueing is about prioritising: making sure that the important traffic is processed earlier, and at a fast, reserved rate. For example, we can make sure that clustering and management traffic is always processed first:

firewall {
	pass quick proto carp set prio 7
	pass in quick proto tcp to port { 22 443 } set prio 6
	...
}

or reserve a certain upload capacity for our website:

firewall {
	queue wan on em0 bandwidth 10M
	queue website parent wan bandwidth 8M
	queue other parent wan bandwidth 2M default
	pass in quick on wan proto tcp to port { 80 443 } set queue website
	...
}

Bandwidth throttling

In most cases (like the ones above), you want all capacity to be available for traffic; in other words, queues are not throttled until there is a capacity shortage. It is, however, possible to create "harsher" restrictions, as in the example below. With a very short queue limit, packets are dropped rather than queued, which guarantees that the maximum capacity is never exceeded, even during short bursts. The "download" bandwidth for the guest network is limited by the "guest" queue on em2, and the upload bandwidth is limited by the "wan_guest" queue on em0.

firewall {
	queue wan on em0 bandwidth 10M
	queue wan_guest parent wan bandwidth 1M max 1M qlimit 1
	queue wan_other parent wan bandwidth 10M default
	queue guest on em2 bandwidth 1M max 1M default qlimit 1
	pass out quick on wan received-on guest set queue wan_guest
	...
}
interface em0 {
	group "wan"
	...
}
interface em1 {
	group "lan"
	...
}
interface em2 {
	group "guest"
	...
}
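
A small consistency check for queue definitions like the ones above, as an added example that is not part of securityrouter.org's documentation or tooling. The function names and the sample (with a deliberately misspelled queue name) are constructed, and the rule that each root queue has exactly one default queue is an assumption taken from the examples on this page.

```python
import re

# Constructed sample in the page's syntax: "webiste" is a deliberate typo,
# and the root queue "guest" has no default queue.
SAMPLE = """firewall {
    queue wan on em0 bandwidth 10M
    queue website parent wan bandwidth 8M
    queue other parent wan bandwidth 2M default
    queue guest on em2 bandwidth 1M max 1M qlimit 1
    pass in quick on wan proto tcp to port { 80 443 } set queue webiste
}"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+(on|parent)\s+(\S+)(.*)$")
SET_QUEUE_RE = re.compile(r"\bset\s+queue\s+(\S+)")

def parse(text):
    """Return ({queue name: attributes}, [queue names used by 'set queue'])."""
    queues, refs = {}, []
    for line in map(str.strip, text.splitlines()):
        m = QUEUE_RE.match(line)
        if m:
            name, kind, target, rest = m.groups()
            queues[name] = {"root": kind == "on", "target": target,
                            "default": "default" in rest.split()}
        else:
            refs += SET_QUEUE_RE.findall(line)
    return queues, refs

def root_of(name, queues):
    """Follow parent links up to the root queue; None if the chain is broken."""
    seen = set()
    while name in queues and name not in seen:
        if queues[name]["root"]:
            return name
        seen.add(name)
        name = queues[name]["target"]
    return None

def lint(text):
    queues, refs = parse(text)
    problems = [f"queue {n}: parent chain does not reach a root queue"
                for n in queues if root_of(n, queues) is None]
    for root in (n for n, q in queues.items() if q["root"]):
        count = sum(q["default"] and root_of(n, queues) == root for n, q in queues.items())
        if count != 1:
            problems.append(f"root queue {root}: {count} default queues, expected 1")
    problems += [f"rule references undefined queue {r}" for r in refs if r not in queues]
    return problems
```

Running `lint(SAMPLE)` reports the missing default on the guest root queue and the misspelled queue name in the pass rule.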