Today I will explain how to do traffic limiting with OpenBSD and PF. This is not hard at all if you want something simple; the QUEUEING section of the pf.conf(5) man page is pretty good, but it can be confusing when you don't yet understand how it works. This is not something I master, I'm not sure of the behaviour in some cases, but the following example works as I tested it! :)
Internet is down at home, so I want to use my phone as a 4G router through my OpenBSD laptop, which will act as the router. I don't want the quota (some Gb) to be eaten in a few seconds; this connection allows downloads of up to 10 Mb/s, so it can go quickly!
We will limit the total bandwidth to 1M (~ 110 kb/s) for people behind the NAT. It will be slow, but we will be sure that nothing behind the NAT, like a program updating, cloud stuff synchronizing or videos in auto play, will consume our quota.
Edit /etc/pf.conf according to your network:
```
internet="urndis0"
lan="em0"

# we define our available bandwidth on the LAN side
queue main on $lan bandwidth 100M

# we will only allow 1M, but we allow 3M during 200 ms when
# initiating a connection to keep the web a bit interactive
queue limited parent main bandwidth 1M min 0K max 1M burst 3M for 200ms default

set skip on lo

# we do NAT here
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block all
pass out quick inet

# we apply the queue here on EVERYTHING coming from the internet:
# the replies to these connections leave through $lan and get queued
pass in on $lan set queue limited
```
This ONLY defines a queue for DOWNLOADING: you can only set the queue on the LAN interface. It won't work on egress (the network interface that has the internet) because you can't limit what comes into an interface; by the time you want to limit it, it has already arrived.
Per protocol?
You can define queues per remote port by creating new queues and assigning them like this:
```
pass in on $lan proto tcp port ssh set queue ssh
pass in on $lan proto tcp port www set queue web
```
Per host?
As before, you can apply queues to an IP host or range rather than to protocols, or you can even mix both if you want.
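To tie the two previous sections together, here is an added example (not from the original post) that keeps the 1M total as a hard cap and hangs per-protocol and per-host leaves under it. Interface names are the ones used above; the addresses in the `<guests>` table are constructed placeholders.

```pf
internet="urndis0"
lan="em0"
table <guests> { 192.168.1.50 192.168.1.51 }   # constructed sample hosts

queue main on $lan bandwidth 100M

# interior queue: whatever the leaves do, the total stays under 1M
queue limited parent main bandwidth 1M max 1M

# leaves: "bandwidth" is the guaranteed share, "max" the cap; the
# shares must not add up to more than the parent's bandwidth
queue ssh    parent limited bandwidth 200K max 1M
queue web    parent limited bandwidth 500K max 1M burst 3M for 200ms
queue guests parent limited bandwidth 100K max 300K
queue other  parent limited bandwidth 200K max 1M default   # everything else

set skip on lo
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block all
pass out quick inet

# The last matching rule wins, so the catch-all goes first and the more
# specific rules after it; the <guests> rule overrides the protocol ones
pass in on $lan set queue other
pass in on $lan proto tcp to port ssh set queue ssh
pass in on $lan proto tcp to port { www https } set queue web
pass in on $lan from <guests> set queue guests
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch the queues fill up with `systat queues`.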
The queueing system changed in OpenBSD 5.5; everything you can read on the internet about ALTQ no longer works.