
10-04-2007, 02:43 AM
Re: altq and IPsec - queue on incoming interface
Hi,
On Thu, 23 Nov 2006 11:48:34 +0100, igy wrote:
> Sometimes there is really need for ALTQ on incoming traffic:
ALTQ on incoming traffic won't work -- obviously.
> If ftp traffic to the client is large, then smtp traffic
> will be blocked. There is obviously need to queue the
> traffic in some way. (All SRV, BSD and clients
> are in company, they are not "strange" internet machines).
>
> ALTQ on enc0 is not possible (it is well known).
> There is problem on queue on $ext_if (it is only IP sec traffic).
I've had the very same problem a while ago (need to prioritize VoIP traffic
across my well saturated VPN connection) and tried a lot of things to no
avail.
Surprisingly, tags (as in the pf "tag" statement) survive IPSEC encryption.
I've done something like this:
# define queues
altq on $dsl_if priq bandwidth 384Kb queue { STD, TCPACK, UDP }
queue STD priority 0 priq(default)
queue UDP priority 14
queue TCPACK priority 15
# sort tagged packets to queues
pass out quick proto esp tagged TCPACK queue TCPACK keep state
pass out quick proto esp tagged UDP queue UDP keep state
# tag packets
pass in from { , } to keep state
pass in proto tcp from { , } to flags A/A tag TCPACK keep state
pass in proto udp from { , } to tag UDP keep state
It actually works. If I don't tag the packets I've got a pretty much
stuttering VoIP connection, if I do everything's clear.
YMMV, however.
Regards, Danilo
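
Added example, not part of the original post: a small Python model of the priq setup above, comparing the worst-case delay of tagged voice packets when the outbound rules honor the pf tag and when all ESP traffic falls into the default queue. The link rate and queue priorities are taken from the post; the traffic mix, the packet sizes, the non-preemptive strict-priority model and the names `classify` and `worst_delay_ms` are assumptions made for illustration.

```python
import heapq

LINK_BPS = 384_000                           # "bandwidth 384Kb" from the post
PRIO = {"STD": 0, "UDP": 14, "TCPACK": 15}   # queue priorities from the post

def classify(tag, honor_tags):
    # On the outbound interface every packet is proto esp, so ports and inner
    # addresses are gone; only the pf tag set on the way in can pick a queue.
    return tag if honor_tags and tag in PRIO else "STD"

def worst_delay_ms(packets, honor_tags):
    """packets: (arrival_us, size_bytes, tag). Returns {tag: worst delay in ms}.
    Model (assumption): strict priority, non-preemptive, FIFO inside a queue."""
    pending = sorted(packets)
    ready, now, i, worst = [], 0, 0, {}
    while i < len(pending) or ready:
        if not ready and pending[i][0] > now:
            now = pending[i][0]              # link idle: jump to next arrival
        while i < len(pending) and pending[i][0] <= now:
            arrival, size, tag = pending[i]
            prio = PRIO[classify(tag, honor_tags)]
            heapq.heappush(ready, (-prio, arrival, i, size, tag))
            i += 1
        _, arrival, _, size, tag = heapq.heappop(ready)
        now += size * 8 * 1_000_000 // LINK_BPS   # serialization time in us
        worst[tag] = max(worst.get(tag, 0), now - arrival)
    return {tag: us / 1000 for tag, us in worst.items()}

# Constructed sample traffic (not from the post): a 40-packet bulk burst with
# no tag, plus a 240-byte voice packet every 20 ms carrying the UDP tag.
BULK = [(0, 1500, "")] * 40
VOICE = [(k * 20_000, 240, "UDP") for k in range(50)]

if __name__ == "__main__":
    for honor in (False, True):
        print("tags honored:", honor, worst_delay_ms(BULK + VOICE, honor))
```

In this model a tagged voice packet waits for at most one bulk packet already on the wire, while an untagged one waits behind the whole burst.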