I can recommend using queues in pf ... very simple and effective.
https://man.openbsd.org/pf.conf#QUEUEING
On 02.01.20 at 15:12, radek wrote:
> Hello,
>
> I have the following scenario:
> [box_rac]----[fw_rac] <--iked site-to-site--> [fw_krz]--[box_krz]
>
> [box_rac] pulls (rsync) "big data" from [box_krz] through VPN.
> I need to put this traffic to the total background, making way for any other packets going through VPN, NICs, from/to any other boxes on both sides.
>
> I tried to do it by "catching" this traffic on [fw_rac]/[fw_krz] by specific rules [1] and setting the lowest priority for it.
> Unfortunately it doesn't seem to work as expected. Bandwidth seems to be shared roughly equally with other traffic (tested by pushing data (netcat) through the VPN at the same time).
>
> I would appreciate your advice or any clues on what I have done wrong. Thank you.
>
> [fw_rac] and [fw_krz] have analogous rulesets [2].
>
> [1]
> [fw_rac]:
> pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
>
> [fw_krz]:
> pass out quick on enc0 from $box_krz to $box_rac set prio (0, 0) keep state
>
> [2] pf.conf [fw_rac]:
> ext_if = "vr0"
> lan_rac_if = "vr2" #
> lan_rac_local = $lan_rac_if:network # 10.0.15.0/24
> backup_if = "vr3" #
> backup_local = $backup_if:network # 10.0.115.0/24
>
> box_rac = "10.0.115.151"
> box_krz = "10.0.100.151"
>
> set fingerprints "/dev/null"
> set skip on { lo, enc0 }
> set block-policy drop
> set optimization normal
> set ruleset-optimization basic
> antispoof quick for {lo0, $lan_rac_if, $backup_if }
> match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)
> block all
> match out all scrub (no-df random-id)
> pass out on egress keep state
>
> pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
> pass out quick on $ext_if from $box_rac to $box_krz set prio (0, 0) keep state
>
> pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state
>
> ssh_port = "1071"
> table <ssh_trust> const { $bud, $rdk_wy, $rdk_mon, $krz_wan, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
> table <bruteforce> persist counters
> block from <bruteforce>
> pass in log quick inet proto tcp from <ssh_trust> to $ext_if port $ssh_port flags S/SA \
> set prio (7, 7) keep state \
> (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)
>
> icmp_types = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types \
> set prio (7, 7) keep state
>
> table <vpn_peers> const { $krz_wan }
> pass out quick on egress proto esp from (egress:0) to <vpn_peers> set prio (6, 7) keep state
> pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} set prio (6, 7) keep state
> pass in quick on egress proto esp from <vpn_peers> to (egress:0) set prio (6, 7) keep state
> pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} set prio (6, 7) keep state
>
> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
> pass in on egress proto {ah,esp} set prio (6,7) keep state
> block return in on ! lo0 proto tcp to port 6000:6010
>
>
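A worked version of the queue-based approach recommended at the top of this reply, written for [fw_rac] against the macros in the quoted ruleset; it is an added example, not configuration from the thread, and it assumes vr3 is a 100 Mbit/s link. pf can only shape what an interface transmits, the posted ruleset skips enc0, and the encrypted flow on vr0 is a separate ESP state, so the queue goes on the LAN-side interface that actually delivers the pulled data to box_rac; slowing delivery there throttles the whole transfer through TCP flow control.

```conf
# Added example for fw_rac (not from the thread).
backup_if = "vr3"
box_rac   = "10.0.115.151"
box_krz   = "10.0.100.151"

# Assumed link speed of vr3: 100 Mbit/s.
# HFSC link-sharing: while the link is idle, "bulk" may borrow all of it
# (no "max" is set), but as soon as any other traffic competes, "bulk"
# is held to its 1M share and "std" gets the remaining 99M.
queue backup_root on $backup_if bandwidth 100M
	queue std  parent backup_root bandwidth 99M default
	queue bulk parent backup_root bandwidth 1M

# Assign the rsync flow to "bulk" on the rule that creates its state.
# box_rac opens the TCP connection, so the state is created inbound on
# vr3, and the data returning out vr3 inherits the queue from that state.
# "quick" keeps the later generic "pass from ... $backup_local to any"
# rule from overriding this match.
pass in quick on $backup_if proto tcp from $box_rac to $box_krz \
	set queue bulk keep state
```

Verify with `pfctl -s queue -v` that the packet counters of `bulk` rise while the transfer runs and that `std` stays responsive under a parallel netcat. States created before the reload keep their old queue assignment, so restart the rsync (or flush its states) after loading the new ruleset.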