• Howto applying zph patch on LUSCA r14850

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    D

    Remember that only the traffic that comes from squid's cache will be marked. So you have to keep an eye on squid's log (tail -f /var/log/squid/access.log) to see if cache HITs are sent with the appropriate TOS (using tcpdump).

    It worked as expected when I tested it a few months ago.

  • How do I detect bandwidth hogs?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Ipfw-classifyd skype block not work

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    N

    @ermal:

    The skype pattern is not correct and needs to be fixed.
    I noted this quite late so you have to edit or create a custom pattern for it to work.

    Hi ermal,

    I do not use Skype in layer 7. So is there another pattern which is not correct, or is it another problem?
    Is there any other way to find out which pattern causes the problem, instead of just selecting and unselecting one?

    Thanks

  • PRIQ not working as expected

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Limit torrent download speed by setting fix # of connections?

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    J

    @marcelloc:

    Edit the firewall rule you want to set connection limit.

    Setting # in Maximum state entries per host would limit the number of connections?

  • Traffic shaper working for outbound, not for inbound

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D

    Try queueing with "In" on WAN with source w.x.y.z and dest. "Lan subnet" instead for the download matching.

    And use rules in the LAN tab instead to do outbound shaping.

  • Rate-limit an opened traffic

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    jimpJ

    Not that I'm aware of, I think it would end up the same, only applying to new connections.

  • Limiter not work correct on second nic

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    savagoS

    Same problem reported here: http://forum.pfsense.org/index.php/topic,37399.0.html

    pfctl -vsr

    scrub in on fxp0 all min-ttl 255 fragment reassemble
      [ Evaluations: 3366630   Packets: 683193    Bytes: 240344701   States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    scrub in on re0 all min-ttl 255 fragment reassemble
      [ Evaluations: 1887278   Packets: 1035091   Bytes: 496825229   States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    anchor "relayd/*" all
      [ Evaluations: 33964     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log all label "Default deny rule"
      [ Evaluations: 33964     Packets: 17161     Bytes: 1107535     States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop out log all label "Default deny rule"
      [ Evaluations: 33964     Packets: 12        Bytes: 1416        States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in quick inet6 all
      [ Evaluations: 33964     Packets: 30        Bytes: 2160        States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop out quick inet6 all
      [ Evaluations: 7376      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 33934     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick proto tcp from any to any port = 0
      [ Evaluations: 18322     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick proto udp from any port = 0 to any
      [ Evaluations: 33936     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick proto udp from any to any port = 0
      [ Evaluations: 15590     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick from <snort2c> to any label "Block snort2c hosts"
      [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick from any to <snort2c> label "Block snort2c hosts"
      [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick proto tcp from <sshlockout> to any port = 2299 label "sshlockout"
      [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
      [ Evaluations: 11827     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in quick from <virusprot> to any label "virusprot overload table"
      [ Evaluations: 26564     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 from <bogons> to any label "block bogon networks from WAN"
      [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in on ! fxp0 inet from 87.120.xxx.0/24 to any
      [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in inet from 87.120.xxx.yyy to any
      [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in on fxp0 inet6 from fe80::4e00:10ff:fe54:4632 to any
      [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
      [ Evaluations: 19933     Packets: 2766      Bytes: 237779      States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in on ! re0 inet from 192.168.0.0/24 to any
      [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in inet from 192.168.0.254 to any
      [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in on re0 inet6 from fe80::21c:c0ff:fec4:da44 to any
      [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 6630      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet proto udp from any port = bootpc to 192.168.0.254 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 1         Packets: 2         Bytes: 717         States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass out quick on re0 inet proto udp from 192.168.0.254 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 8218      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 31174     Packets: 4         Bytes: 536         States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass out on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 31172     Packets: 266001    Bytes: 255650100   States: 79    ]
      [ Inserted: uid 0 pid 34968 ]
    pass out route-to (fxp0 87.120.xxx.y) inet from 87.120.xxx.yyy to ! 87.120.xxx.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 7376      Packets: 332423    Bytes: 246309331   States: 44    ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = http flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 31174     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = https flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 6         Packets: 443       Bytes: 189501      States: 1     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = 2299 flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    anchor "userrules/*" all
      [ Evaluations: 31171     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto icmp from any to 87.120.xxx.yyy keep state label "USER_RULE"
      [ Evaluations: 31171     Packets: 19        Bytes: 1978        States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto tcp from any to 87.120.xxx.yyy port = https flags S/SA keep state label "USER_RULE"
      [ Evaluations: 17154     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto tcp from any to 87.120.xxx.yyy port = 2299 flags S/SA keep state label "USER_RULE"
      [ Evaluations: 5999      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" dnpipe(1, 2)
      [ Evaluations: 24520     Packets: 323866    Bytes: 237555787   States: 54    ]
      [ Inserted: uid 0 pid 34968 ]
    anchor "tftp-proxy/*" all
      [ Evaluations: 24547     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    anchor "miniupnpd" all
      [ Evaluations: 24547     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]

    pfctl -vsn

    no nat proto carp all
      [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat-anchor "natearly/*" all
      [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat-anchor "natrules/*" all
      [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 87.120.xxx.yyy port 500
      [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 87.120.xxx.yyy port 500
      [ Evaluations: 245      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 192.168.0.0/24 to any -> 87.120.xxx.yyy port 1024:65535
      [ Evaluations: 6838      Packets: 347150    Bytes: 259653965  States: 41    ]
      [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 127.0.0.0/8 to any -> 87.120.xxx.yyy port 1024:65535
      [ Evaluations: 245      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    no rdr proto carp all
      [ Evaluations: 33730    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "relayd/*" all
      [ Evaluations: 33730    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "tftp-proxy/*" all
      [ Evaluations: 33730    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "miniupnpd" all
      [ Evaluations: 33730    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]

    pfctl -a miniupnpd -vsn

    rdr pass quick on fxp0 inet proto tcp from any to any port = 51413 keep state label "Transmission at 51413" rtable 0 -> 192.168.0.10 port 51413
      [ Evaluations: 34050    Packets: 270701    Bytes: 255875228  States: 81    ]
      [ Inserted: uid 0 pid 16714 ]
  • Limiters in Bridge mode and grouping hosts!

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    E

    You are looking at limiter queues.
    You can actually create children on limiters as well :)

  • Priority Queue Problem - BattleField 3

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    M

    I'm trying the same without success. None of the BF3 traffic goes in the qGames. I even added just the udp ports with no success.

  • Transparent bridging and limiters

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    G

    Hello guys,

    I really need your help on setting up a pfSense server. I'm new to this (I've been using ALLOT before). I've managed to do part of the server configuration, but I don't yet get the results I want to have.
    The LAN output of my server connects to the "internet" and I have multiple WAN connections, which I want to limit per IP. The problem is that I want to have the WAN hosts grouped, for example:
    Group 1 has 20 hosts, I want to assign to this group 3 Mbps/3 Mbps and each of the hosts in the group 256 Kbps/128 Kbps. I want to configure the LAN and WAN interfaces in "bridge" mode and assign bandwidth limits to a group of hosts and to each host separately.
    I have managed to configure LAN and WAN in bridge mode, I have created limiters and such, but my only problem is how to assign hosts to the groups I want to and then limit their traffic as I need to.
    As I mentioned, I've been using ALLOT before, and it was easy to create a group, assign bandwidth limits and place hosts under the group with the desired bandwidth and protocol for each host.
    Please refer to the scheme attached. As you may see, I want to group the hosts, assign bandwidth limits to the group and bandwidth limits to each host of the group. I'm trying but I can't find any option to do this in the pfSense GUI.
    Please help me on this. If you need further info, just ask :)
    Many thanks,

    Ges

    scheme.jpg

  • Layer 7 - Create container with action "ALLOW" and not "BLOCK" !?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    N

    @ermal:

    Not yet implemented.

    Any roadmap for this?

  • Small university network security design with pfSense 2.0.1

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    M

    It's Edraw Max: http://www.edrawsoft.com/download.php

  • Per IP traffic Shaping

    Locked
    33
    0 Votes
    33 Posts
    52k Views
    marcellocM

    Nice :)

    As you are moving from ClearOS to pfSense, you may need to take a look at some tutorials to better understand the differences between both.

    doc.pfsense.org has a lot of tutorials.

    On the Portuguese forum there are some topics at the top with a lot of information that will help you.

    http://forum.pfsense.org/index.php/board,12.0.html

  • Block access to internet by MAC address

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM

    You can use captive portal MAC options to filter.

    Or you can use IP-based rules together with DHCP reservations.

  • Accelerating wan link via fast acks response

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    C

    You may be able to find some kind of proxy that can do so; I'm not aware of any though.

  • Verify VoIP Prioritization

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to upload new pattern of Layer 7

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • VoIP prioritize IPsec VPN

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Cap BT

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied