Operating systems

Using pf and ALTQ for QoS management

Recent Internet politics has focused quite a bit of attention on the matter of "Net Neutrality". The underlying assumption is that Internet access should be provided entirely without any packet prioritization or bandwidth controls apart from simple bandwidth partitioning to access clients. The techniques used to prioritize network packets are collectively known as Quality of Service.

QoS systems are designed to provide a means of reserving resources for specific high priority purposes, or of pre-empting such resources as needed from lower priority uses. This is in contrast to best-effort delivery procedures, where a first-come, first-served prioritization takes precedence over any scheduling of delivery and no guarantees are made. Generally, QoS is employed to attempt to guarantee some kind of minimal service performance for specific tasks, and a common argument is that in an age of increasing bandwidth usage for multimedia file transfers we must provide a means of ensuring such uses of the Internet do not bring basic services like email and web browsing to a screeching halt, crowding them out.

QoS is not just a matter for politics, however. It is of considerable interest for network administrators on large networks, and on home networks where users want availability of bandwidth both for multimedia file transfers and basic services like email and web browsing. Numerous software solutions for QoS prioritization exist for small to medium networks, both free and commercial. As more VOIP, streaming media, videoconferencing, and realtime remote monitoring applications grow in widespread use, QoS management will grow along with it. QoS schedulers can also be employed to mitigate the effects of Denial of Service attacks, which effectively shut down a network gateway by overwhelming it with unwanted network traffic.

For the small home network, possibly the easiest QoS setup you can get is a homebrew router/firewall built using basic computer hardware and m0n0wall. The compact, "user friendly" m0n0wall operating system is in fact a cut-down, dedicated router/firewall variant of BSD Unix that has an effectively one-click configuration for QoS management. A more capable and flexible solution is pfSense, another BSD Unix derivative for router/firewall implementations.

If you wish to build your own QoS router to exacting specifications, using ALTQ with the OpenBSD project's Packet Filter firewall software is an excellent choice -- and, being BSD-licensed open source software, there are no direct or indirect licensing costs to deal with.

ALTQ provides two different scheduler implementations that can be used to provide QoS management:

  1. CBQ: Class-based queueing is a hierarchical scheduling system, where each priority queue can have a subordinate, or "child", priority queue. Each queue has both priority and bandwidth assignments, where priorities determine when packets get sent and bandwidths determine throughput for high-bandwidth operations.
  2. PRIQ: Priority queueing is a linear, or flat, scheduling system, where queues do not have subordinate queues. Each queue has a simple priority assigned, and higher priority queues are processed before lower priority queues.

A third scheduler is available to the ALTQ system delivered with FreeBSD and NetBSD: HFSC, the Hierarchical Fair Service Curve. This system decouples delay and bandwidth allocation, which improves the ability of a hierarchical scheduling system to efficiently allocate network resources to varying service demands, particularly in circumstances with widely disparate latency and bandwidth characteristics of network traffic flows through the same network gateway.

A basic overview of how to implement and configure a QoS system using pf and ALTQ on a FreeBSD network gateway is available in the freely available FreeBSD Handbook, chapter 28.4 The OpenBSD Packet Filter (PF) and ALTQ.

More information on the ALTQ packet scheduler and queueing system can be found in its FreeBSD altq manpage and pf.conf manpage.

In particular, I would like to see some coffee shops with open wireless access points take note of the availability of QoS solutions like ALTQ. Too often, I have tried to get some work done on my laptop from a coffee shop and found that someone is consuming all the network's bandwidth with file transfers.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.


By assigning labels to your rules and then listing out the labels.... block in log all label "final_blocks:$if:$nr:$dstaddr:$dstport" the label being final_blocks The final line in my firewall rules... Block everything that I havent coded for... giving it the label of final_blocks pfctl -sl That command will show your firewall labels and the bandwidth used. final_blocks:any:127:any: 2 2 104 Third number is the one we care about.... 104 bytes sence the last time I reset that counter. Which I record into a db and reset every 5 minutes. Or, you could feed this to the free bandwidth graphic tool that is open source... Chuckle, a bit of grep here... A bit of open source graphic software there... Why, damn.... you got your self a bandwidth monitor that you can tweak to your hearts content. And it wont cost you a thing... Cheap a$$ bandwidth monitor... I'm lazy, I haven't writtent the graphics around it yet... I just run some sql to get an idea of my bandwidth usage. Thanks for the pf firewall information, it's what I use... I like it alot... Dan