[altq 1441] Packet Marking
Hello, I am running an OpenBSD firewall with NAT and ALTQ. I have set up
download restrictions using CBQ and all is well in that respect. However,
there is a very limited amount of uploading bandwidth (128KBits) which
leads to large problems when it is all used. I would ideally like to use
CBQ to divide it up fairly in the upstream direction.
However, because NAT is being used, by the time the packets reach the
outgoing internet network card (ne0) they all have the same from IP address
on them. I have tried to mark packets using diffserv on rl0 but the
filters on ne0 were not catching many packets.
Network Topology:
Internet
   |
 (ne0)
+------+
|router|
+------+
 (rl0)
   |
  LAN
Here is a snippet from altq.conf that I tried:
interface ne0 bandwidth 128K cbq
conditioner rl0 user1 <mark 0x0a>
filter rl0 user1 0 0 (internal LAN address) 0 0
conditioner rl0 user2 <mark 0x0b>
filter rl0 user2 0 0 (internal LAN address) 0 0
conditioner rl0 user3 <mark 0x0c>
filter rl0 user3 0 0 (internal LAN address) 0 0
conditioner rl0 user4 <mark 0x0d>
filter rl0 user4 0 0 (internal LAN address) 0 0
class cbq ne0 root NULL pbandwidth 100 cleardscp
class cbq ne0 user1 root borrow pbandwidth 22 red cleardscp
filter ne0 user1 0 0 0 0 0 tos 0x0a
class cbq ne0 user2 root borrow pbandwidth 22 red cleardscp
filter ne0 user2 0 0 0 0 0 tos 0x0b
class cbq ne0 user3 root borrow pbandwidth 22 red cleardscp
filter ne0 user3 0 0 0 0 0 tos 0x0c
class cbq ne0 user4 root borrow pbandwidth 22 red cleardscp
filter ne0 user4 0 0 0 0 0 tos 0x0d
class cbq ne0 control root borrow pbandwidth 2 control cleardscp
class cbq ne0 default root borrow pbandwidth 4 default cleardscp
Is marking in this fashion feasible? Am I marking and filtering correctly?
If not, can anyone suggest a scheme that won't drop packets but which will
work with the current setup? Thanks!
--
Sitsofe | http://sucs.org/~sits/