Here is a tutorial about building a FreeBSD router with traffic shaping using
OpenBSD's PF and ALTQ CBQ discipline.
Step 1. Compile Kernel with support for PF and ALTQ
-------------------------------------------------------------------------
cd /usr/src/sys/i386/conf/
cp GENERIC ROUTER
Edit the ROUTER file and add the following lines at the end of the file:
# ------------------ add the following lines to ROUTER file ------------------
# pf support
device mem
device pf
device pflog
device pfsync
# altq support
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
# other optimizations
options HZ=1000
options DEVICE_POLLING
# ---------------------------------- eof ----------------------------------------------
Next, compile the kernel with the configuration from the ROUTER file:
cd /usr/src
make -j4 buildkernel KERNCONF=ROUTER
make installkernel KERNCONF=ROUTER
Reboot the machine and you have support in the kernel for PF and ALTQ.
Step 2. Create pf.conf file for your firewall and traffic shaper
---------------------------------------------------------------------------------
Rename your default /etc/pf.conf file and create a new config file. In
our example we assume your network cards are fxp0 for WAN and
fxp1 for LAN. Your LAN subnet is 192.168.0.0/24, and the router's
LAN IP is set to 192.168.0.1. Because the LAN is on a private subnet
(we only have one public IP), we will use NAT from PF.
Shaping is for 2 PCs on the LAN. We've used a bandwidth of 10Mb/s, and we've assigned 45%
of the bandwidth to each PC and 10% to the default queue.
The pf.conf file is presented next:
# --------------------- pf.conf ---------------------
ext_if="fxp0"
int_if="fxp1"
pc1="192.168.0.2"
pc2="192.168.0.3"
altq on $ext_if cbq bandwidth 10Mb queue {def_up, pc1_up, pc2_up}
altq on $int_if cbq bandwidth 10Mb queue {def_down, pc1_down, pc2_down}
queue def_up bandwidth 10% cbq(default)
queue def_down bandwidth 10% cbq(default)
queue pc1_up bandwidth 45% priority 6 cbq(red)
queue pc1_down bandwidth 45% priority 6 cbq(red)
queue pc2_up bandwidth 45% priority 6 cbq(red)
queue pc2_down bandwidth 45% priority 6 cbq(red)
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass in quick on $ext_if from any to $pc1
pass out quick on $int_if from any to $pc1 queue pc1_down
pass in quick on $int_if from $pc1 to any
pass out quick on $ext_if from $pc1 to any queue pc1_up
pass in quick on $ext_if from any to $pc2
pass out quick on $int_if from any to $pc2 queue pc2_down
pass in quick on $int_if from $pc2 to any
pass out quick on $ext_if from $pc2 to any queue pc2_up
block all
# ----------------------- end pf.conf file ---------------------------
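The queue layout above can be sanity-checked offline before the ruleset is loaded. The following is an added example, not part of the original tutorial: a small Python lint that checks that each altq interface's child queues are defined, total at most 100%, include exactly one default queue, and that every queue named in a rule exists. The names `lint_queues` and `SAMPLE` are hypothetical, and the parser assumes only the percentage-based CBQ syntax used in this pf.conf.

```python
import re

# Constructed sample: the queue-related lines of the pf.conf in this tutorial.
SAMPLE = """\
altq on $ext_if cbq bandwidth 10Mb queue {def_up, pc1_up, pc2_up}
altq on $int_if cbq bandwidth 10Mb queue {def_down, pc1_down, pc2_down}
queue def_up bandwidth 10% cbq(default)
queue def_down bandwidth 10% cbq(default)
queue pc1_up bandwidth 45% priority 6 cbq(red)
queue pc1_down bandwidth 45% priority 6 cbq(red)
queue pc2_up bandwidth 45% priority 6 cbq(red)
queue pc2_down bandwidth 45% priority 6 cbq(red)
pass out quick on $int_if from any to $pc1 queue pc1_down
pass out quick on $ext_if from $pc1 to any queue pc1_up
pass out quick on $int_if from any to $pc2 queue pc2_down
pass out quick on $ext_if from $pc2 to any queue pc2_up
"""

ALTQ = re.compile(r"altq\s+on\s+(\S+)\s+cbq\s+bandwidth\s+\S+\s+queue\s*\{([^}]*)\}")
QUEUE = re.compile(r"queue\s+(\S+)\s+bandwidth\s+(\d+)%(.*)")
RULE = re.compile(r"(?:pass|block)\s.*\squeue\s+(\w+)")

def lint_queues(text):
    """Return a list of problems found in a CBQ queue layout (hypothetical helper)."""
    parents, queues, used, problems = {}, {}, set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if m := ALTQ.match(line):                     # interface -> child queue names
            parents[m.group(1)] = re.findall(r"[^\s,]+", m.group(2))
        elif m := QUEUE.match(line):                  # queue -> (percent, is_default)
            opts = re.search(r"cbq\(([^)]*)\)", m.group(3))
            is_default = bool(opts) and "default" in re.findall(r"\w+", opts.group(1))
            queues[m.group(1)] = (int(m.group(2)), is_default)
        elif m := RULE.match(line):                   # queue assigned by a filter rule
            used.add(m.group(1))
    for iface, children in parents.items():
        known = [q for q in children if q in queues]
        problems += [f"{iface}: queue {q} listed but not defined" for q in children if q not in queues]
        total = sum(queues[q][0] for q in known)
        if total > 100:
            problems.append(f"{iface}: child queues total {total}% (over 100%)")
        defaults = [q for q in known if queues[q][1]]
        if len(defaults) != 1:
            problems.append(f"{iface}: expected one default queue, found {len(defaults)}")
    problems += [f"rule uses undefined queue {q}" for q in sorted(used - set(queues))]
    return problems

if __name__ == "__main__":
    print(lint_queues(SAMPLE) or "queue layout OK")
```

An empty list means the 10% / 45% / 45% split and the queue names in the pass rules are consistent.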
Step 3. Edit your /etc/rc.conf file and enable pf at startup to load
config from /etc/pf.conf file
----------------------------------------------------------------------------------------------------------------------------
Your rc.conf file should look like this:
# -------------- rc.conf -----------------
hostname="router.example.com"
gateway_enable="yes"
defaultrouter="80.80.0.1"
ifconfig_fxp0="inet 80.80.0.2 netmask 255.255.255.224"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"
sshd_enable="yes"
pf_enable="YES"
pf_rules="/etc/pf.conf"
# ---------------- end rc.conf ---------
Tips to debug PF rules:
--------------------------------
pfctl -vvsr (see PF loaded rules)
pfctl -vvsq (see PF queues in realtime)
pfctl -f /etc/pf.conf (load pf.conf file)
pfctl -F state (flush states)
Saturday, March 15, 2008
FreeBSD Router with Traffic Shaping with PF and ALTQ CBQ