Howto Openbsd-Queuing v4.0.0

This document provides an example configuration of OpenBSD PF for bandwidth management on a home network router with four users. It details setting up queues for upstream and downstream traffic for each user and the router. The PF rules block privileged networks, allow necessary traffic, and classify outbound traffic into the appropriate queues.

How to manage bandwidth with OpenBSD PF queuing

July 26, 2014

Abstract
Example for the configuration of an OpenBSD 5.5 based IPv4 network router with bandwidth management. The given example addresses a small home network with four users supporting multiple devices (e.g., notebooks, mobiles, tablets or desktops) per user. The Internet connection is implemented based on a PPPoE dial-up line (e.g., ADSL).

Introduction
Disclaimer
The only one responsible for what you are doing is yourself. Simply following
this how-to will not exclude you from this responsibility. In other words: do not
blame me, if things go wrong.

Objective
This is not a beginner's guide to OpenBSD, PF, networking, the Internet, or computers in general. It addresses IT professionals.

Versions
New versions of this paper might be found on www.benjaminheckmann.de/howto/.

1 OpenBSD Installation
Hardware Preparation
As minimal setup for a router you will need:
• Two Network Cards (one for the connection to the Internet, the other for
your local area network)

• One Hard Disk Drive with at least 5 GB capacity (recommended, to be
able to update your installation)
• CD-ROM drive
• The other stuff (like a processor, memory, etc.; for further details see www.openbsd.org/faq/faq1.html#Platforms)
Download the files install55.iso, src.tar.gz, and sys.tar.gz. Create a bootable CD using the install55.iso file. For more details see www.openbsd.org/faq/faq4.html#MkCD-ROM.

Basic Operating System Setup


Boot your system from the prepared bootable CD. Follow the install dialog:
1. (I)nstall
2. Keyboard layout: de
3. Hostname: router
4. Network interfaces: <dev0>
5. IPv4: 192.168.0.1
6. Netmask: 255.255.255.0
7. IPv6: none
8. <dev1> (unconfigured)
9. Default IPv4 route: none
10. DNS domain name: home.local
11. DNS nameservers: 127.0.0.1
12. Enter your password for the root account
13. Start sshd: yes
14. Start ntpd: yes
15. NTP servers: de.pool.ntp.org
16. X Windows System: no
17. Change default console: no
18. Setup a user: no
19. root disk: wd0

20. DUIDs: yes
21. Use whole disk: whole
22. Use (A)uto layout
23. Location of sets: cd
24. Which one: cd0
25. Pathname: 5.5/amd64
26. Select sets:
• bsd
• bsd.rd
• base55.tgz
• etc55.tgz
• comp55.tgz
• man55.tgz
• -game55.tgz
• -xbase55.tgz
• -xetc55.tgz
• -xshare55.tgz
• -xfont55.tgz
• -xserv55.tgz
• done

27. Timezone: Europe/Berlin


28. reboot
See www.openbsd.org/faq/faq4.html if you need more advice on installing OpenBSD.

Prepare OpenBSD updates


After booting your new OpenBSD system, log in, mount your CD-ROM and
extract the OpenBSD sources for future updates in /usr/src. This will consume
at least 2 GB disk space, so be prepared.
mount_cd9660 /dev/cd0c /mnt
cd /usr/src
tar xvzf /mnt/src.tar.gz
tar xvzf /mnt/sys.tar.gz

Configuration of Basic OS Services
To enable routing, activate IP forwarding in the kernel. Also, configure the routing of GRE packets for VPNs using PPTP.
vi /etc/sysctl.conf
<...>
net.inet.gre.allow=1
net.inet.ip.forwarding=1
<...>
Configure the start of the firewall, nameserver, timeserver and ftp proxy.
vi /etc/rc.conf.local

named_flags=""
ntpd_flags=""
dhcpd_flags=""
ftpproxy_flags=""
sendmail_flags=NO
inetd=NO
check_quotas=NO
Deactivate sendmail's cronjob.
crontab -e
<...>
#*/30 * * * * /usr/sbin/sendmail <...>
<...>
The automatic startup of the relevant services is now configured. The next step is the configuration of the specific service behavior.
vi /var/named/named.boot

options forward-only forwarders <ip0> <ip1> <...>

vi /etc/resolv.conf

lookup file bind


nameserver 127.0.0.1

vi /etc/ntpd.conf

servers pool.ntp.org

rdate -ncv pool.ntp.org
In former how-tos the configuration of a DHCP server was detailed. This how-to retains this feature.
For the configuration of the PPPoE dial-up, the corresponding authentication data must be known.
vi /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev <dev2> authproto pap authname <user> authkey <password> up
!/sbin/route add default 0.0.0.1

vi /etc/hostname.<dev1>

up

2 Configuration of Firewall and Bandwidth Management
The following PF configuration is an example for a small home network with four users. The ruleset supports multiple devices per user.
Former how-tos featured fixed port ranges for incoming traffic for specific clients. This feature is now deprecated.
mv /etc/pf.conf /etc/pf_example.conf
vi /etc/pf.conf

##
## Interfaces
##

if_ext="pppoe0"
if_int="<dev0>"

##
## Bandwidth
##

# Example: 160Kb upstream, 864Kb downstream (! bits, not bytes !)

# Total upstream

bnd_up_max="160Kb"
# NAS, Router, etc. := 1/6
bnd_up_default="26Kb"
# User One := 1/4
bnd_up_usr1="40Kb"
# User Two := 1/4
bnd_up_usr2="40Kb"
# User Three := 1/6
bnd_up_usr3="27Kb"
# User Four := 1/6
bnd_up_usr4="27Kb"

# Total downstream
bnd_dn_max="864Kb"
# NAS, Router, etc. := 1/6
bnd_dn_default="144Kb"
# User One := 1/4
bnd_dn_usr1="216Kb"
# User Two := 1/4
bnd_dn_usr2="216Kb"
# User Three := 1/6
bnd_dn_usr3="144Kb"
# User Four := 1/6
bnd_dn_usr4="144Kb"

##
## Privileged clients
##

# User One
table <usr1_direct> { 192.168.2.21, 192.168.2.41, 192.168.2.50 }
# User Two
table <usr2_direct> { 192.168.2.22, 192.168.2.42 }
# User Three
table <usr3_direct> { 192.168.2.12, 192.168.2.32 }
# User Four
table <usr4_direct> { 192.168.2.11, 192.168.2.31 }

##
## Privileged networks
##

table <nets_priv> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

##
## Default behavior
##

# Default response for block filters
set block-policy drop
# Bind states to interfaces
set state-policy if-bound
# Logging
set loginterface $if_ext
# Ignore traffic on the local interface
set skip on lo

##
## Upstream queues
##

# Parent queue
queue up_parent on $if_ext bandwidth $bnd_up_max
# NAS, Router, etc.
queue up_default parent up_parent bandwidth $bnd_up_default
default
# User One
queue up_usr1 parent up_parent bandwidth $bnd_up_usr1
# User Two
queue up_usr2 parent up_parent bandwidth $bnd_up_usr2
# User Three
queue up_usr3 parent up_parent bandwidth $bnd_up_usr3
# User Four
queue up_usr4 parent up_parent bandwidth $bnd_up_usr4

##
## Downstream queues
##

# Parent queue
queue dn_parent on $if_int bandwidth $bnd_dn_max
# NAS, Router, etc.
queue dn_default parent dn_parent bandwidth $bnd_dn_default
default
# User One
queue dn_usr1 parent dn_parent bandwidth $bnd_dn_usr1
# User Two
queue dn_usr2 parent dn_parent bandwidth $bnd_dn_usr2
# User Three
queue dn_usr3 parent dn_parent bandwidth $bnd_dn_usr3

# User Four
queue dn_usr4 parent dn_parent bandwidth $bnd_dn_usr4

##
## NAT
##

match out on $if_ext from $if_int:network to any nat-to ($if_ext)

##
## Normalize traffic
##

match in all scrub (random-id)

##
## Default filter
##

# Note: last matching rule wins => first rule blocks all
block all

##
## External interface filtering
##

# Deny incoming or outgoing privileged network address sets
block in quick on $if_ext from <nets_priv>
block out quick on $if_ext to <nets_priv>
# Allow incoming ping request to router and keep state
pass in quick on $if_ext inet proto icmp to ($if_ext) icmp-type echoreq
# Allow outbound traffic, sort into queues and keep state
pass out on $if_ext inet queue up_default
pass out on $if_ext inet from <usr1_direct> queue up_usr1
pass out on $if_ext inet from <usr2_direct> queue up_usr2
pass out on $if_ext inet from <usr3_direct> queue up_usr3
pass out on $if_ext inet from <usr4_direct> queue up_usr4

##
## Internal interface filtering
##

# Redirect FTP client traffic
pass in quick on $if_int inet proto tcp to port 21 divert-to 127.0.0.1 port 8021

# Allow outbound traffic, but do not track its state
pass in on $if_int inet no state

# Sort inbound traffic into queues
pass out on $if_int inet queue dn_default no state
pass out on $if_int inet to <usr1_direct> queue dn_usr1 no state
pass out on $if_int inet to <usr2_direct> queue dn_usr2 no state
pass out on $if_int inet to <usr3_direct> queue dn_usr3 no state
pass out on $if_int inet to <usr4_direct> queue dn_usr4 no state

##
## FTP proxy anchor
##

anchor "ftp-proxy/*"

##
## Deny spoofing
##

antispoof quick for { lo, $if_int }
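
The bandwidth split in this ruleset only holds if each parent's children add up to no more than the parent (here 26+40+40+27+27 = 160 and 144+216+216+144+144 = 864) and each interface tree carries one default queue for traffic no pass rule assigns elsewhere. The following script is an added example, not part of this how-to, that checks both properties on a pf.conf before it is loaded. It assumes the macro and queue syntax used above (name="value" macros, one queue per line) and uses em0 as a stand-in for <dev0>; the sample configuration is constructed from the values in this section.

```sh
#!/bin/sh
# Added example, not part of the how-to: sanity-check a PF queue tree
# before loading it. The children of a parent may not ask for more
# bandwidth than the parent has, and every interface tree needs exactly
# one "default" queue for traffic no pass rule assigns elsewhere.

# Constructed sample reusing the how-to's values; em0 stands in for <dev0>.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
if_ext="pppoe0"
if_int="em0"
bnd_up_max="160Kb"
bnd_up_default="26Kb"
bnd_up_usr1="40Kb"
bnd_up_usr2="40Kb"
bnd_up_usr3="27Kb"
bnd_up_usr4="27Kb"
bnd_dn_max="864Kb"
bnd_dn_default="144Kb"
bnd_dn_usr1="216Kb"
bnd_dn_usr2="216Kb"
bnd_dn_usr3="144Kb"
bnd_dn_usr4="144Kb"
queue up_parent on $if_ext bandwidth $bnd_up_max
queue up_default parent up_parent bandwidth $bnd_up_default default
queue up_usr1 parent up_parent bandwidth $bnd_up_usr1
queue up_usr2 parent up_parent bandwidth $bnd_up_usr2
queue up_usr3 parent up_parent bandwidth $bnd_up_usr3
queue up_usr4 parent up_parent bandwidth $bnd_up_usr4
queue dn_parent on $if_int bandwidth $bnd_dn_max
queue dn_default parent dn_parent bandwidth $bnd_dn_default default
queue dn_usr1 parent dn_parent bandwidth $bnd_dn_usr1
queue dn_usr2 parent dn_parent bandwidth $bnd_dn_usr2
queue dn_usr3 parent dn_parent bandwidth $bnd_dn_usr3
queue dn_usr4 parent dn_parent bandwidth $bnd_dn_usr4
EOF

# check_queues FILE: one report line per parent; exit 1 if any parent is
# overcommitted or any tree does not have exactly one default queue.
check_queues() {
    awk '
    # bits("160Kb") -> 160000; PF bandwidths are bits/s with K/M/G prefixes
    function bits(s,   n, u) {
        n = s + 0
        u = toupper(s); gsub(/[0-9.]/, "", u); sub(/B$/, "", u)
        if (u == "K") return n * 1000
        if (u == "M") return n * 1000000
        if (u == "G") return n * 1000000000
        return n
    }
    # replace $name macros with the name="value" definitions seen so far
    function expand(s,   m) {
        while (match(s, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
            m = substr(s, RSTART + 1, RLENGTH - 1)
            s = substr(s, 1, RSTART - 1) vars[m] substr(s, RSTART + RLENGTH)
        }
        return s
    }
    /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$/ {
        eq = index($0, "="); v = substr($0, eq + 1); gsub(/"/, "", v)
        vars[substr($0, 1, eq - 1)] = v; next
    }
    /^queue / {
        nf = split(expand($0), f, " ")
        name = f[2]; parent = ""; isdef = 0
        for (i = 3; i <= nf; i++) {
            if (f[i] == "parent")    parent = f[i + 1]
            if (f[i] == "bandwidth") bw[name] = bits(f[i + 1])
            if (f[i] == "default")   isdef = 1
        }
        root[name] = (parent == "") ? name : root[parent]
        if (parent != "") child_sum[parent] += bw[name]
        if (isdef) ndef[root[name]]++
    }
    END {
        rc = 0
        for (p in child_sum) {
            state = (child_sum[p] > bw[p]) ? "OVERCOMMIT" : "ok"
            if (state != "ok") rc = 1
            printf "%-10s %s: children %d bit/s of %d bit/s\n", state, p, child_sum[p], bw[p]
        }
        for (r in root) if (root[r] == r && ndef[r] != 1) {
            printf "NODEFAULT  %s: %d default queues, need exactly 1\n", r, ndef[r] + 0
            rc = 1
        }
        exit rc
    }' "$1"
}

check_queues "$CONF"
```

Run it against the real /etc/pf.conf with `check_queues /etc/pf.conf`; a non-zero exit status means the tree needs fixing before `pfctl -f`. The script understands only the macro and queue forms shown in this how-to, not the full pf.conf grammar.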

3 Prepare OpenBSD Updates


The following scripts enable the update of the system in three steps. The tmux command can be used to prevent damage to the system in case an ssh session aborts while those scripts are executing.
vi update-01_sync.sh

#!/bin/csh
cd /usr/src

setenv CVS_CLIENT_PORT -1
setenv CVSROOT [email protected]:/cvs
cvs -d$CVSROOT up -rOPENBSD_5_5 -Pd

vi update-02_kernel.sh

#!/bin/csh
cd /usr/src/sys/arch/amd64/conf
/usr/sbin/config GENERIC
cd /usr/src/sys/arch/amd64/compile/GENERIC
make clean && make depend && make
cd /usr/src/sys/arch/amd64/compile/GENERIC
make install

vi update-03_binaries.sh

#!/bin/csh
rm -rf /usr/obj/*
cd /usr/src
make obj
cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
cd /usr/src
make build

chmod ug+x update-*.sh

4 Verifying queue effectiveness


Some useful commands to monitor the usage of the configured queues:
• pfctl -vvs queue

• systat queues
• pfctl -vvs rules
The first two commands enable the monitoring of the queue usage. The last command may help to sort out why queuing might not work in your ruleset.
pftop does not seem to be able to work with the new queuing at the moment.
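
One reason a user's queue shows no packets in `pfctl -vvs queue` is a table entry that lies outside the LAN on $if_int: such an address never matches the `pass out on $if_int inet to <usrN_direct>` rules, so its traffic falls into dn_default. The following script is an added example, not part of this how-to, that checks every usrN_direct member against the internal network using only sh, sed and awk; the pf.conf fragment it reads is constructed from the tables in section 2. Note that the installation dialog gives <dev0> the address 192.168.0.1/24 while the tables list 192.168.2.x hosts; running the check with the network you actually configured shows whether the two need reconciling.

```sh
#!/bin/sh
# Added example, not part of the how-to: verify that every host in the
# per-user tables lies inside the LAN behind $if_int. An address outside
# that network never matches "pass out on $if_int inet to <usrN_direct>",
# so its traffic lands in dn_default and the user's queue stays empty.

# in_cidr ADDR NETWORK/PREFIX: succeeds if ADDR belongs to the network
in_cidr() {
    awk -v addr="$1" -v cidr="$2" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, c, "/")
        hostbits = 2 ^ (32 - c[2])          # size of the host part
        a = ip2int(addr); n = ip2int(c[1])
        # POSIX awk has no bitwise AND; clearing the host part via modulo is equivalent
        exit (((a - a % hostbits) == (n - n % hostbits)) ? 0 : 1)
    }'
}

# list_outside NETWORK/PREFIX FILE: prints "table address" for every
# usrN_direct member that is not inside NETWORK/PREFIX
list_outside() {
    sed -n 's/^table <\(usr[0-9]*_direct\)>[^{]*{\([^}]*\)}.*/\1 \2/p' "$2" | tr -d ',' |
    while read -r tbl addrs; do
        for a in $addrs; do
            in_cidr "$a" "$1" || echo "$tbl $a"
        done
    done
}

# Constructed sample holding the how-to's four user tables
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
table <usr1_direct> { 192.168.2.21, 192.168.2.41, 192.168.2.50 }
table <usr2_direct> { 192.168.2.22, 192.168.2.42 }
table <usr3_direct> { 192.168.2.12, 192.168.2.32 }
table <usr4_direct> { 192.168.2.11, 192.168.2.31 }
table <nets_priv> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
EOF

# With the LAN as installed (192.168.0.1/24) every table member is reported;
# with 192.168.2.0/24 none is.
list_outside 192.168.0.0/24 "$CONF"
```

On the router itself, take the network argument from `ifconfig <dev0>` and point the file argument at /etc/pf.conf; any line printed names a host whose queue rule can never match.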
