 |
Title: Bandwidth limiting on OpenBSD 6.8 |
|
Author: Solène |
|
Date: 07 February 2021 |
|
Tags: openbsd unix network |
|
Description: |
|
|
|
This is a February 2021 update of a text originally published in April |
|
2017. |
|
|
|
## Introduction |
|
|
|
I will explain how to limit bandwidth on OpenBSD using its firewall PF |
|
(Packet Filter) queuing capability. It is a very powerful feature but |
|
it may be hard to understand at first. What is very important to |
|
understand is that it's technically not possible to limit the bandwidth |
|
of the whole system, because once data is getting on your network |
|
interface, it's already there and got by your router, what is possible |
|
is to limit the upload rate to cap the download rate. |
|
|
 |
OpenBSD pf.conf man page about queuing |
|
|
|
## Prerequisites |
|
|
|
My home internet access allows me to download at 1600 kB/s and upload |
|
at 95 kB/s. An easy way to limit bandwidth is to calculate a percent |
|
of your upload, that should apply that ratio to your download speed as |
|
well (this may not be very precise and may require tweaks). |
|
|
|
PF syntax requires bandwidth to be defined as kilo-bits (kb) and not |
|
kilo-bytes (kB), multiplying by 8 allow to switch from kB to kb. |
|
|
|
## Configuration |
|
|
|
Edit the file /etc/pf.conf as root and add the following before any |
|
pass/match/drop rules, in the example my main interface is em0. |
|
|
|
```OpenBSD packet filter configuration file sample |
|
# we define a main queue (requirement) |
|
queue main on em0 bandwidth 1G |
|
|
|
# set a queue for everything |
|
queue normal parent main bandwidth 200K max 200K default |
|
``` |
|
|
|
And reload with `pfctl -f /etc/pf.conf` as root. You can monitor the |
|
queue working with `systat queue` |
|
|
|
```Output of the command systat queue |
|
QUEUE BW/FL SCH PKTS BYTES DROP_P DROP_B QLEN |
|
main on em0 1000M fifo 0 0 0 0 0 |
|
normal 1000M fifo 535424 36032467 0 0 60 |
|
``` |
|
|
|
## More control (per user / protocol) |
|
|
|
This is only a global queuing rule that will apply to everything on the |
|
system. This can be greatly extended for specific need. For example, |
|
I use the program "oasis" which is a daemon for a peer to peer social |
|
network, sometimes it has upload burst because someone is syncing |
|
against my computer, I use the following rule to limit the upload |
|
bandwidth of this user. |
|
|
|
```OpenBSD packet filter configuration file sample |
|
# within the queue rules |
|
queue oasis parent main bandwidth 150K max 150K |
|
|
|
# in your match rules |
|
match on egress proto tcp from any to any user oasis set queue oasis |
|
``` |
|
|
|
Instead of a user, the rule could match a "to" address, I used to have |
|
such rules when I wanted to limit my upload bandwidth for uploading |
|
videos through peertube web interface. |
