Step 6: Packet Prioritization
If your WAN connection stays fairly saturated (with things like bittorrent), then I'm sure you've experienced your fair share of timeouts, lag, or slow page loads. Packet prioritization offers a solution to this problem. Instead of spending $100+ on a router that has this feature, you can use ALTQ with PF to accomplish the same thing.
ALTQ is very easy to set up. The most complicated thing you have to do is recompile your kernel. Don't worry, it's much easier than you think; just follow my instructions and you should be fine. A new kernel is required because ALTQ support is not compiled into FreeBSD's GENERIC kernel.
Adding ALTQ support to your kernel
To begin, read Building and Installing a Custom Kernel thoroughly. After you read that, read Enabling ALTQ.
I'll be using the "new" method. After duplicating the GENERIC kernel configuration file, edit it with your favorite editor (pico is great for beginners). Now, add the following lines to the end of the file:
#ALTQ OPTIONS
options ALTQ
options ALTQ_CBQ        # Class Based Queuing (CBQ)
options ALTQ_RED        # Random Early Detection (RED)
options ALTQ_RIO        # RED In/Out
options ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ       # Priority Queuing (PRIQ)
options ALTQ_NOPCC      # Required for SMP build

Now save the file (I called mine FIREWALLKERNEL), then follow these steps (from the handbook) to compile it:

1. Change to the /usr/src directory.
   # cd /usr/src
2. Compile the kernel.
   # make buildkernel KERNCONF=FIREWALLKERNEL
3. Install the new kernel.
   # make installkernel KERNCONF=FIREWALLKERNEL

If everything works, your new kernel is ready to use. FreeBSD is even kind enough to place the new kernel in your boot path; all you have to do is reboot your system (`shutdown -r now`). After the reboot you should have ALTQ support compiled into your kernel. A quick way to confirm it is `pfctl -s queue`: on a kernel built without these options pfctl prints "No ALTQ support in kernel" and disables the ALTQ-related functions. Our next step is actually configuring ALTQ.
Configuring ALTQ
PF exposes three ALTQ schedulers: class-based queueing (CBQ), priority queueing (PRIQ) and the hierarchical fair service curve scheduler (HFSC). This step covers the first two.
Class-based queueing divides traffic into "classes". A specific portion of your overall bandwidth is then allocated to each class, and a class can be allowed to borrow spare bandwidth from its parent.
Priority-based queueing, as its name suggests, assigns priorities to queues. Packets waiting in the highest-priority queue are always sent first; bandwidth is not divided up between the queues.
There are also a few additional features at your disposal: random early detection (RED) and explicit congestion notification (ECN).
Random early detection, or RED, tracks the average queue length and decides per arriving packet whether to drop it, based on how congested the queue is. Below a minimum threshold nothing is dropped; above a maximum threshold every arriving packet is dropped; in between, the drop probability rises as the average length approaches the maximum. Dropping a few packets early makes TCP senders back off before the queue overflows, instead of all of them losing packets at once when it does.
Explicit congestion notification, or ECN, marks packets instead of dropping them: the router sets a congestion flag in the IP header, the receiver echoes that signal back to the sender in the TCP header, and an ECN-capable sender slows down as if a packet had been lost, without the loss. Both endpoints must have negotiated ECN for this to work; for connections that did not, RED falls back to dropping.
I chose priority queueing because my network sees a large variety of traffic types. PRIQ assigns each queue a priority from 0 to 15; per pf.conf(5), the queue with the higher number is always served first. In my PF configuration file (pf.conf), I made priority 10 the default queue, so any traffic that matches a firewall rule without an explicit queue lands in priority 10. I then gave bittorrent priority 15 and SSH priority 1, because of its time-critical nature; with that in place I can run bittorrent non-stop on my network without any noticeable hit to latency or throughput. Mind the direction of the scale, though: as written, priority 15 puts the bittorrent queue ahead of every other queue and SSH last, so if SSH is the traffic you want served first, give it the highest number and bittorrent the lowest. Here is what my PRIQ configuration looks like ($int_if is my internal interface, device rl0; $ext_if is my external interface, device dc0):
altq on $int_if priq bandwidth 100% queue {std, ssh, bt, http, p2p}
altq on $ext_if priq bandwidth 5Mb queue {std, ssh, bt, http, p2p}
queue ssh priority 1 priq
queue http priority 2 priq
queue std priority 10 priq (default)
queue p2p priority 13 priq (red, ecn)
queue bt priority 15 priq (red, ecn)

Notice the "bandwidth" options on the first two lines. I set the ALTQ bandwidth on my external interface to 5Mb (PF's notation for 5 Mbit/s): although the interface may link at 10Mbps, my ISP only allots me 5Mbps. This is important, because ALTQ only begins queueing once the interface reaches the bandwidth you declare; declare more than the link really carries and the backlog forms in the modem instead, where PF's priorities cannot act on it. If prioritization seems to have no effect, try a figure slightly below your measured upstream rate. On my internal interface I assigned 100% of the bandwidth to ALTQ, so traffic flowing out to the LAN has the full 100Mbps. Keep in mind that ALTQ acts on packets leaving an interface: the queues on $ext_if shape uploads, the queues on $int_if shape downloads as they are forwarded to the LAN. The queue definitions above carry no "on" clause, so each queue is created on both interfaces.

Now that I've set my priority levels, it's time to assign them to my firewall rules. This is very easy: add "queue <queue_name>" to the end of any pass rule whose traffic should go into <queue_name>. With "keep state", the reply packets of that connection follow the same queue, and if you give two names, as in "queue (bulk, ack)", empty TCP ACKs and lowdelay-marked packets go to the second queue so a bulk download does not starve its own acknowledgements.
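As an added check that is not part of the original page or the attached pf.conf, the small Python linter below reads a ruleset's altq and queue lines, flags the things pfctl would reject (a priority outside 0..15, a missing or duplicated default queue, a queue referenced by a rule but never declared, two priq queues sharing one priority) and lists the order in which priq will actually serve the queues, highest number first. The ruleset embedded in it is constructed from this step's configuration plus a few illustrative pass rules (the port numbers are assumptions); `FIXED_CONF` is the same ruleset with the numbers turned around so that SSH is served first and bittorrent last.

```python
"""Lint the ALTQ/PRIQ section of a pf.conf before loading it with pfctl.

Added example for this step (not code from the page or from PF). Works on
the ruleset text, so it runs anywhere; `pfctl -nf` stays the real check.
Assumes one directive per line and queues declared without "on <if>".
"""
import re

# pf.conf(5): cbq/priq priorities are 0..15, hfsc 0..7, default 1, and
# priq always serves the queue with the HIGHER number first.
PRIORITY_RANGE = {"priq": (0, 15), "cbq": (0, 15), "hfsc": (0, 7)}

ALTQ_RE = re.compile(r"^altq\s+on\s+(?P<ifname>\S+)\s+(?P<sched>priq|cbq|hfsc)\b"
                     r".*?queue\s*\{(?P<children>[^}]*)\}")
QUEUE_RE = re.compile(r"^queue\s+(?P<name>\w+)(?:\s+on\s+\S+)?"
                      r"(?:.*?\bpriority\s+(?P<prio>\d+))?"
                      r".*?\b(?P<sched>priq|cbq|hfsc)\s*(?:\((?P<opts>[^)]*)\))?")
RULE_QUEUE_RE = re.compile(r"\bqueue\s+(?:\((?P<pair>[^)]*)\)|(?P<single>\w+))\s*$")

# Constructed sample: the queue definitions from this step (rl0 = $int_if,
# dc0 = $ext_if) plus pass rules of the kind the text describes.
PAGE_CONF = """
altq on rl0 priq bandwidth 100% queue {std, ssh, bt, http, p2p}
altq on dc0 priq bandwidth 5Mb queue {std, ssh, bt, http, p2p}
queue ssh priority 1 priq
queue http priority 2 priq
queue std priority 10 priq (default)
queue p2p priority 13 priq (red, ecn)
queue bt priority 15 priq (red, ecn)
pass in on rl0 proto tcp from rl0:network to any port 22 keep state queue ssh
pass in on rl0 proto tcp from rl0:network to any port 6881:6889 keep state queue bt
pass out on dc0 keep state
"""

# Same ruleset with the numbers turned around so that ssh really is served
# first and bittorrent last, as pf.conf(5) defines priq.
FIXED_CONF = (PAGE_CONF.replace("ssh priority 1 ", "ssh priority 15 ")
              .replace("http priority 2 ", "http priority 13 ")
              .replace("p2p priority 13 ", "p2p priority 2 ")
              .replace("bt priority 15 ", "bt priority 1 "))


def parse_altq(conf):
    """Pull altq roots, queue definitions and rule queue references out of pf.conf text."""
    altqs, queues, rule_refs = [], {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if m := ALTQ_RE.match(line):
            children = [c.strip() for c in m["children"].split(",") if c.strip()]
            altqs.append({"if": m["ifname"], "children": children, "line": lineno})
        elif m := QUEUE_RE.match(line):
            opts = [o.strip() for o in (m["opts"] or "").split(",") if o.strip()]
            queues[m["name"]] = {"prio": int(m["prio"]) if m["prio"] else 1,
                                 "sched": m["sched"], "default": "default" in opts,
                                 "line": lineno}
        elif line.split()[0] in ("pass", "block"):
            if m := RULE_QUEUE_RE.search(line):
                names = m["pair"].split(",") if m["pair"] else [m["single"]]
                rule_refs.append((lineno, [n.strip() for n in names]))
    return altqs, queues, rule_refs


def check_altq(conf):
    """Return the errors pfctl would also reject, plus the real priq service order."""
    altqs, queues, rule_refs = parse_altq(conf)
    errors, attached = [], set()
    for a in altqs:
        attached.update(a["children"])
        for c in a["children"]:
            if c not in queues:
                errors.append(f"line {a['line']}: altq on {a['if']} lists undeclared queue '{c}'")
    for name, q in queues.items():
        lo, hi = PRIORITY_RANGE[q["sched"]]
        if not lo <= q["prio"] <= hi:
            errors.append(f"line {q['line']}: queue '{name}' priority {q['prio']} outside {lo}..{hi}")
        if name not in attached:
            errors.append(f"line {q['line']}: queue '{name}' is not listed under any altq")
    defaults = [n for n, q in queues.items() if q["default"]]
    if len(defaults) != 1:
        errors.append(f"expected exactly one default queue, found {len(defaults)}")
    for lineno, names in rule_refs:
        errors += [f"line {lineno}: rule assigns undeclared queue '{n}'" for n in names if n not in queues]
    # pfctl rejects two priq queues on one interface with the same priority.
    prios = [q["prio"] for q in queues.values() if q["sched"] == "priq"]
    errors += [f"priority {p} is used by more than one priq queue" for p in sorted(set(prios)) if prios.count(p) > 1]
    # Highest number first: the order in which priq actually serves the queues.
    order = sorted(queues, key=lambda n: queues[n]["prio"], reverse=True)
    return {"errors": errors, "service_order": order, "default": defaults[0] if len(defaults) == 1 else None}


if __name__ == "__main__":
    for label, conf in (("as posted", PAGE_CONF), ("corrected", FIXED_CONF)):
        rep = check_altq(conf)
        print(f"{label}: served first -> last: {' > '.join(rep['service_order'])}; errors: {rep['errors'] or 'none'}")
```

Run stand-alone it reports the posted ruleset serving bt before everything else and the corrected one serving ssh first. On the firewall itself, `pfctl -nf /etc/pf.conf` parses the real file, and once the rules are loaded `pfctl -vsq` shows per-queue packet and byte counters, which is how to confirm that traffic is actually landing in the queues you intended rather than all falling into the default.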
And that's it. Packet prioritization is that simple. Leave me a comment to let me know if this helps anyone. It has definitely helped me.
I've attached a revised version of my pf.conf that includes ALTQ configurations.
Attachment: pf.conf (4 KB)