Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Traffic shaping not working in Beta 4 for outbound queues?

    Traffic Shaping
    10
    45
    21.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      billm
      last edited by

      @dvserg:

      i have this problem too

      • queue status not displayed along time (only page header). reafresh not helped
        If i press stop in IE window - page form displayed in clean state

      Below you state you have a p166 - it'll be slow.  That's slower than the Soekris 4801 I use as a test platform.

      @dvserg:

      • if i see queue graph - worked only def lines qlanaks

      Nothing has changed in the wizard since before Beta3.  There was one or two small rule generation bug fixes in the backend since beta3, but those changes have had two sets of eyes review them.

      @dvserg:

      –-----------------------------------------
      new
      queue state page i can see after 10-15 min wites (after refresh). This is may be processor usage? May be queue state procedure take more processor time then pfS 3 ? (in 3 ver queue state worked beautiful in my hardvare config)
      I have P166/128Mb

      Hard to believe.  I can look to see what changed on the status page, but I don't remember any recent commits to it.

      –Bill

      pfSense core developer
      blog - http://www.ucsecurity.com/
      twitter - billmarquette

      1 Reply Last reply Reply Quote 0
      • L
        Leoandru
        last edited by

        @psychosematic:

        I am having the same issue based with voip queue … inbound is working ... but nothing on the outbound ... reran the wizard .. reset the states ... tested ... rebooted ... tested ... same issue ... although just before I reset the states the webgui became unresponsive for about 20mins. I forgot to check the logs before I reboot. I will see if I can reproduce the issue.

        Could you post the /tmp/rules.debug and the shaper config xml so we could take a look?

        1 Reply Last reply Reply Quote 0
        • D
          dvserg
          last edited by

          I'm tested shapping - all traffic shaped on default rules.
          I have ADSL (assymetric traffic speed). May be this have special options for rules?

          SquidGuardDoc EN  RU Tutorial
          Localization ru_PFSense

          1 Reply Last reply Reply Quote 0
          • S
            sullrich
            last edited by

            @dvserg:

            I'm tested shapping - all traffic shaped on default rules.
            I have ADSL (assymetric traffic speed). May be this have special options for rules?

            No.  It asks for upload and download speeds during the wizard.

            1 Reply Last reply Reply Quote 0
            • D
              dvserg
              last edited by

              hm..
              this my base config

               <shaper><schedulertype>hfsc</schedulertype>
	 <queue><schedulertype><bandwidth>2</bandwidth>
		<bandwidthtype>Mb</bandwidthtype>
		<priority>0</priority>
		<name>qwanRoot</name>
		 <borrow><linkshare><linkshare3><linkshare2><linkshare1><realtime><realtime3><realtime2><realtime1><upperlimit><upperlimit3><upperlimit2><upperlimit1><parentqueue>on</parentqueue>
		 <attachtoqueue><associatedrule><rio><red><ecn><defaultqueue></defaultqueue></ecn></red></rio></associatedrule></attachtoqueue></upperlimit1></upperlimit2></upperlimit3></upperlimit></realtime1></realtime2></realtime3></realtime></linkshare1></linkshare2></linkshare3></linkshare></borrow></schedulertype></queue> 
	 <queue><schedulertype><bandwidth>256</bandwidth>
		<bandwidthtype>Kb</bandwidthtype>
		<priority>0</priority>
		<name>qlanRoot</name>
		 <borrow><linkshare><linkshare3><linkshare2><linkshare1><realtime><realtime3><realtime2><realtime1><upperlimit><upperlimit3><upperlimit2><upperlimit1><parentqueue>on</parentqueue>
		 <attachtoqueue><associatedrule><rio><red><ecn><defaultqueue></defaultqueue></ecn></red></rio></associatedrule></attachtoqueue></upperlimit1></upperlimit2></upperlimit3></upperlimit></realtime1></realtime2></realtime3></realtime></linkshare1></linkshare2></linkshare3></linkshare></borrow></schedulertype></queue> 
	 <queue><name>qwandef</name>
		<attachtoqueue>qwanRoot</attachtoqueue>
		<associatedrule>0</associatedrule>
		<defaultqueue>true</defaultqueue>
		<priority>3</priority>
		<realtime>on</realtime>
		<realtime3>1%</realtime3>
		<bandwidth>1</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<qlimit>500</qlimit></queue> 
	 <queue><name>qlandef</name>
		<priority>3</priority>
		<attachtoqueue>qlanRoot</attachtoqueue>
		<associatedrule>0</associatedrule>
		<defaultqueue>true</defaultqueue>
		<realtime>on</realtime>
		<realtime3>1%</realtime3>
		<bandwidth>1</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<qlimit>500</qlimit></queue> 
	 <queue><schedulertype><bandwidth>1</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<priority>7</priority>
		<name>qwanacks</name>
		 <borrow><linkshare><linkshare3><linkshare2><linkshare1><realtime>on</realtime>
		<realtime3>1%</realtime3>
		 <realtime2><realtime1><upperlimit><upperlimit3><upperlimit2><upperlimit1><parentqueue><attachtoqueue>qwanRoot</attachtoqueue>
		 <associatedrule><ack>on</ack>
		 <rio><red><ecn><defaultqueue></defaultqueue></ecn></red></rio></associatedrule></parentqueue></upperlimit1></upperlimit2></upperlimit3></upperlimit></realtime1></realtime2></linkshare1></linkshare2></linkshare3></linkshare></borrow></schedulertype></queue> 
	 <queue><schedulertype><bandwidth>1</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<priority>7</priority>
		<name>qlanacks</name>
		 <borrow><linkshare><linkshare3><linkshare2><linkshare1><realtime>on</realtime>
		<realtime3>1%</realtime3>
		 <realtime2><realtime1><upperlimit><upperlimit3><upperlimit2><upperlimit1><parentqueue><attachtoqueue>qlanRoot</attachtoqueue>
		 <associatedrule><ack>on</ack>
		 <rio><red><ecn><defaultqueue></defaultqueue></ecn></red></rio></associatedrule></parentqueue></upperlimit1></upperlimit2></upperlimit3></upperlimit></realtime1></realtime2></linkshare1></linkshare2></linkshare3></linkshare></borrow></schedulertype></queue> 
	 <queue><schedulertype><bandwidth>3</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<priority>6</priority>
		<name>qRdpUp</name>
		 <borrow><linkshare><linkshare3><linkshare2><linkshare1><realtime>on</realtime>
		<realtime3>3%</realtime3>
		 <realtime2><realtime1><upperlimit><upperlimit3><upperlimit2><upperlimit1><parentqueue><attachtoqueue>qwanRoot</attachtoqueue>
		 <associatedrule><rio><red>on</red>
		<ecn>on</ecn>
		 <defaultqueue></defaultqueue></rio></associatedrule></parentqueue></upperlimit1></upperlimit2></upperlimit3></upperlimit></realtime1></realtime2></linkshare1></linkshare2></linkshare3></linkshare></borrow></schedulertype></queue> 
	 <queue><schedulertype><bandwidth>3</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<priority>6</priority>
		<name>qRdpDown</name>
		 <borrow><linkshare><linkshare3><linkshare2><linkshare1><realtime>on</realtime>
		<realtime3>3%</realtime3>
		 <realtime2><realtime1><upperlimit><upperlimit3><upperlimit2><upperlimit1><parentqueue><attachtoqueue>qlanRoot</attachtoqueue>
		 <associatedrule><rio><red>on</red>
		<ecn>on</ecn>
		 <defaultqueue></defaultqueue></rio></associatedrule></parentqueue></upperlimit1></upperlimit2></upperlimit3></upperlimit></realtime1></realtime2></linkshare1></linkshare2></linkshare3></linkshare></borrow></schedulertype></queue> 
	 <queue><name>qOthersUpH</name>
		<attachtoqueue>qwanRoot</attachtoqueue>
		<associatedrule>0</associatedrule>
		<priority>6</priority>
		<red>on</red>
		<ecn>on</ecn>
		<realtime>on</realtime>
		<realtime3>1Kb</realtime3>
		<bandwidth>1</bandwidth>
		<bandwidthtype>%</bandwidthtype></queue> 
	 <queue><name>qOthersDownH</name>
		<attachtoqueue>qlanRoot</attachtoqueue>
		<associatedrule>0</associatedrule>
		<priority>6</priority>
		<red>on</red>
		<ecn>on</ecn>
		<realtime>on</realtime>
		<realtime3>1Kb</realtime3>
		<bandwidth>1</bandwidth>
		<bandwidthtype>%</bandwidthtype></queue> 
	 <queue><name>qOthersUpL</name>
		<attachtoqueue>qwanRoot</attachtoqueue>
		<associatedrule>0</associatedrule>
		<priority>2</priority>
		<red>on</red>
		<ecn>on</ecn>
		<realtime>on</realtime>
		<realtime3>1Kb</realtime3>
		<bandwidth>1</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<qlimit>500</qlimit></queue> 
	 <queue><name>qOthersDownL</name>
		<attachtoqueue>qlanRoot</attachtoqueue>
		<associatedrule>0</associatedrule>
		<priority>2</priority>
		<red>on</red>
		<ecn>on</ecn>
		<realtime>on</realtime>
		<realtime3>1Kb</realtime3>
		<bandwidth>1</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<qlimit>500</qlimit></queue> 
	 <queue><schedulertype><bandwidth>3</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<priority>2</priority>
		<name>qwebUp</name>
		 <borrow><linkshare><linkshare3><linkshare2><linkshare1><realtime>on</realtime>
		<realtime3>2Kb</realtime3>
		 <realtime2><realtime1><upperlimit>on</upperlimit>
		<upperlimit3>5%</upperlimit3>
		 <upperlimit2><upperlimit1><parentqueue><attachtoqueue>qwanRoot</attachtoqueue>
		 <associatedrule><rio><red>on</red>
		<ecn>on</ecn>
		 <defaultqueue></defaultqueue></rio></associatedrule></parentqueue></upperlimit1></upperlimit2></realtime1></realtime2></linkshare1></linkshare2></linkshare3></linkshare></borrow></schedulertype></queue> 
	 <queue><schedulertype><bandwidth>3</bandwidth>
		<bandwidthtype>%</bandwidthtype>
		<priority>2</priority>
		<name>qwebDown</name>
		 <borrow><linkshare><linkshare3><linkshare2><linkshare1><realtime>on</realtime>
		<realtime3>2Kb</realtime3>
		 <realtime2><realtime1><upperlimit>on</upperlimit>
		<upperlimit3>5%</upperlimit3>
		 <upperlimit2><upperlimit1><parentqueue><attachtoqueue>qlanRoot</attachtoqueue>
		 <associatedrule><rio><red>on</red>
		<ecn>on</ecn>
		 <defaultqueue></defaultqueue></rio></associatedrule></parentqueue></upperlimit1></upperlimit2></realtime1></realtime2></linkshare1></linkshare2></linkshare3></linkshare></borrow></schedulertype></queue> 
	 <rule><in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<protocol>tcp</protocol>
		<source>
			 <any><destination><network>lan</network>
			<port>22</port></destination> 
		 <direction><iptos><tcpflags><descr>m_OtherH SSH inbound</descr>
		<inqueue>qOthersUpH</inqueue>
		<outqueue>qOthersDownH</outqueue></tcpflags></iptos></direction></any></rule> 
	 <rule><in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<protocol>tcp</protocol>
		<source>
			<network>lan</network>

		 <destination><any><port>22</port></any></destination> 
		 <direction><iptos><tcpflags><descr>m_OtherH SSH outbound</descr>
		<inqueue>qOthersDownH</inqueue>
		<outqueue>qOthersUpH</outqueue></tcpflags></iptos></direction></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network></destination> 
		<descr>m_Other ICMP inbound</descr>
		<protocol>icmp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any></any></destination> 
		<descr>m_Other ICMP outbound</descr>
		<protocol>icmp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>53-53</port></destination> 
		<descr>m_Other DNS1 inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>53-53</port></any></destination> 
		<descr>m_Other DNS1 outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>53-53</port></destination> 
		<descr>m_Other DNS2 inbound</descr>
		<protocol>udp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>53-53</port></any></destination> 
		<descr>m_Other DNS2 outbound</descr>
		<protocol>udp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>161-161</port></destination> 
		<descr>m_Other SNMP2 inbound</descr>
		<protocol>udp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>161-161</port></any></destination> 
		<descr>m_Other SNMP2 outbound</descr>
		<protocol>udp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>161-161</port></destination> 
		<descr>m_Other SNMP inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>161-161</port></any></destination> 
		<descr>m_Other SNMP outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>119-119</port></destination> 
		<descr>m_Other NNTP1 inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>119-119</port></any></destination> 
		<descr>m_Other NNTP1 outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>119-119</port></destination> 
		<descr>m_Other NNTP2 inbound</descr>
		<protocol>udp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>119-119</port></any></destination> 
		<descr>m_Other NNTP2 outbound</descr>
		<protocol>udp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network></destination> 
		<descr>m_Other IPSEC inbound</descr>
		<protocol>esp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any></any></destination> 
		<descr>m_Other IPSEC outbound</descr>
		<protocol>esp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>500-500</port></destination> 
		<descr>m_Other IPSEC inbound</descr>
		<protocol>udp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>500-500</port></any></destination> 
		<descr>m_Other IPSEC outbound</descr>
		<protocol>udp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network></destination> 
		<descr>m_Other IPSEC inbound</descr>
		<protocol>ah</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any></any></destination> 
		<descr>m_Other IPSEC outbound</descr>
		<protocol>ah</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>1723-1723</port></destination> 
		<descr>m_Other PPTP inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>1723-1723</port></any></destination> 
		<descr>m_Other PPTP outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>445-445</port></destination> 
		<descr>m_Other SMB1 inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>445-445</port></any></destination> 
		<descr>m_Other SMB1 outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<protocol>tcp</protocol>
		<source>
			 <any><destination><network>lan</network>
			<port>137-139</port></destination> 
		 <direction><iptos><tcpflags><descr>m_Other SMB2 inbound</descr>
		<inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue></tcpflags></iptos></direction></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>137-139-137-139</port></any></destination> 
		<descr>m_Other SMB2 outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<protocol>tcp</protocol>
		<source>
			 <any><destination><network>lan</network>
			<port>3389</port></destination> 
		 <direction><iptos><tcpflags><descr>m_Other MSRDP inbound</descr>
		<inqueue>qRdpUp</inqueue>
		<outqueue>qRdpDown</outqueue></tcpflags></iptos></direction></any></rule> 
	 <rule><in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<protocol>tcp</protocol>
		<source>
			<network>lan</network>

		 <destination><any><port>3389</port></any></destination> 
		 <direction><iptos><tcpflags><descr>m_Other MSRDP outbound</descr>
		<inqueue>qRdpDown</inqueue>
		<outqueue>qRdpUp</outqueue></tcpflags></iptos></direction></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>6667-6670</port></destination> 
		<descr>m_Other IRC inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>6667-6670</port></any></destination> 
		<descr>m_Other IRC outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<protocol>tcp</protocol>
		<source>
			 <any><destination><network>lan</network>
			<port>80</port></destination> 
		 <direction><iptos><tcpflags><descr>m_Other HTTP inbound</descr>
		<inqueue>qwebUp</inqueue>
		<outqueue>qwebDown</outqueue></tcpflags></iptos></direction></any></rule> 
	 <rule><in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<protocol>tcp</protocol>
		<source>
			<network>lan</network>

		 <destination><any><port>80</port></any></destination> 
		 <direction><iptos><tcpflags><descr>m_Other HTTP outbound</descr>
		<inqueue>qwebDown</inqueue>
		<outqueue>qwebUp</outqueue></tcpflags></iptos></direction></rule> 
	 <rule><in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<protocol>tcp</protocol>
		<source>
			 <any><destination><network>lan</network>
			<port>443</port></destination> 
		 <direction><iptos><tcpflags><descr>m_Other HTTPS inbound</descr>
		<inqueue>qwebUp</inqueue>
		<outqueue>qwebDown</outqueue></tcpflags></iptos></direction></any></rule> 
	 <rule><in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<protocol>tcp</protocol>
		<source>
			<network>lan</network>

		 <destination><any><port>443</port></any></destination> 
		 <direction><iptos><tcpflags><descr>m_Other HTTPS outbound</descr>
		<inqueue>qwebDown</inqueue>
		<outqueue>qwebUp</outqueue></tcpflags></iptos></direction></rule> 
	 <rule><in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<protocol>tcp</protocol>
		<source>
			 <any><destination><network>lan</network>
			<port>3125-3129</port></destination> 
		 <direction><iptos><tcpflags><descr>m_Other Proxy inbound</descr>
		<inqueue>qwebUp</inqueue>
		<outqueue>qwebDown</outqueue></tcpflags></iptos></direction></any></rule> 
	 <rule><in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<protocol>tcp</protocol>
		<source>
			<network>lan</network>

		 <destination><any><port>3125-3129</port></any></destination> 
		 <direction><iptos><tcpflags><descr>m_Other Proxy outbound</descr>
		<inqueue>qwebDown</inqueue>
		<outqueue>qwebUp</outqueue></tcpflags></iptos></direction></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>143-143</port></destination> 
		<descr>m_Other IMAP inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>143-143</port></any></destination> 
		<descr>m_Other IMAP outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>110-110</port></destination> 
		<descr>m_Other POP3 inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>110-110</port></any></destination> 
		<descr>m_Other POP3 outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <rule><inqueue>qwandef</inqueue>
		<outqueue>qlandef</outqueue>
		<in-interface>wan</in-interface>
		<out-interface>lan</out-interface>
		<source>
			 <any><destination><network>lan</network>
			<port>25-25</port></destination> 
		<descr>m_Other SMTP inbound</descr>
		<protocol>tcp</protocol></any></rule> 
	 <rule><inqueue>qlandef</inqueue>
		<outqueue>qwandef</outqueue>
		<in-interface>lan</in-interface>
		<out-interface>wan</out-interface>
		<source>
			<network>lan</network>

		 <destination><any><port>25-25</port></any></destination> 
		<descr>m_Other SMTP outbound</descr>
		<protocol>tcp</protocol></rule> 
	 <enable></enable></shaper>

              SquidGuardDoc EN  RU Tutorial
              Localization ru_PFSense

              1 Reply Last reply Reply Quote 0
              • S
                sullrich
                last edited by

                You forgot to show /tmp/rules.debug ….

                1 Reply Last reply Reply Quote 0
                • D
                  dvserg
                  last edited by 

                  # System Aliases 
loopback = "{ lo0 }"
lan = "{ xl0  carp0 bridge0 }"
wan = "{ rl0  carp0 bridge0 ng0 }"
# User Aliases 
AdminLine = "{ 10.62.0.25 }"

set loginterface rl0
set loginterface xl0
set optimization normal

scrub on rl0 all random-id 
altq on rl0 hfsc bandwidth 2Mb queue { qwanRoot }
altq on xl0 hfsc bandwidth 256Kb queue { qlanRoot }

queue qwanRoot bandwidth 2Mb priority 0 hfsc { qwandef, qwanacks, qRdpUp, qOthersUpH, qOthersUpL, qwebUp }
queue qlanRoot bandwidth 256Kb priority 0 hfsc { qlandef, qlanacks, qRdpDown, qOthersDownH, qOthersDownL, qwebDown }
queue qwandef bandwidth 1% priority 3 qlimit 500 hfsc (  default realtime 1% )
queue qlandef bandwidth 1% priority 3 qlimit 500 hfsc (  default realtime 1% )
queue qwanacks bandwidth 1% priority 7 hfsc (  realtime 1% )
queue qlanacks bandwidth 1% priority 7 hfsc (  realtime 1% )
queue qRdpUp bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
queue qRdpDown bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
queue qOthersUpH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
queue qOthersDownH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
queue qOthersUpL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
queue qOthersDownL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
queue qwebUp bandwidth 3% priority 2 hfsc (  red ecn upperlimit 5% realtime 2Kb )
queue qwebDown bandwidth 3% priority 2 hfsc (  red ecn upperlimit 5% realtime 2Kb )

# UPnPd rdr anchor
rdr-anchor "upnpd/*"
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# FTP proxy
rdr-anchor "pftpx/*"
nat on $wan from 10.62.0.0/24 port 500 to any port 500 -> (rl0) port 500
nat on $wan from 10.62.0.0/24 to any -> (rl0)
#SSH Lockout Table
table <sshlockout>persist

# spam table 
table <whitelist>persist
table <blacklist>persist
table <spamd>persist
table <spamd-white>persist file "/var/db/whitelist.txt"
rdr pass on rl0 proto tcp from <blacklist>to port smtp -> 127.0.0.1 port spamd
rdr pass on rl0 proto tcp from <spamd>to port smtp -> 127.0.0.1 port spamd
rdr pass on rl0 proto tcp from ! <spamd-white>to port smtp -> 127.0.0.1 port spamd

# Load balancing anchor - slbd updates
rdr-anchor "slb"

# FTP Proxy/helper

block in all tag unshaped label "SHAPER: first match rule"
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 22  keep state tagged unshaped tag qOthersUpH 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 22 keep state tagged qOthersUpH tag qOthersDownH
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 22  keep state tagged unshaped tag qOthersDownH 
pass out on $wan proto tcp from any to any port 22 keep state tagged qOthersDownH tag qOthersUpH
pass in on  $wan proto icmp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto icmp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto icmp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto icmp from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 53 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 53 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 161 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 161 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 119 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 119 keep state tagged qlandef tag qwandef
pass in on  $wan proto esp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto esp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto esp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto esp from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 500  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 500 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 500  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 500 keep state tagged qlandef tag qwandef
pass in on  $wan proto ah from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto ah from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto ah from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto ah from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 1723  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 1723 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 1723  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 1723 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 445  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 445 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 445  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 445 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 137:139  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 137:139 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 137:139  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 137:139 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3389  keep state tagged unshaped tag qRdpUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 3389 keep state tagged qRdpUp tag qRdpDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3389  keep state tagged unshaped tag qRdpDown 
pass out on $wan proto tcp from any to any port 3389 keep state tagged qRdpDown tag qRdpUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 6667:6670  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 6667:6670 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 6667:6670  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 6667:6670 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 80  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 80 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 80  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 80 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 443  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 443 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 443  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 443 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3125:3129  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 3125:3129 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3125:3129  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 3125:3129 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 143  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 143 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 143  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 143 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 110  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 110 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 110  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 110 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 25  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 25 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 25  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 25 keep state tagged qlandef tag qwandef

anchor "ftpsesame/*" 
anchor "firewallrules"

# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"
# enable ftp-proxy

anchor "ftpproxy"
anchor "pftpx/*"
pass in quick on xl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on xl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on rl0 inet proto tcp from port 20 to (rl0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 10.62.0.3 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 10.62.0.3 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for xl0
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state label "let out anything from firewall host itself"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on rl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qOthersUpH queue (qOthersUpH, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qOthersDownH queue (qOthersDownH, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
pass out quick on bridge0 all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick from 10.62.0.0/24 to 10.62.0.3 keep state label "anti-lockout web rule"

# SSH lockout
block in log proto tcp from <sshlockout>to any port 22 label "sshlockout"

# User-defined rules follow
# Anchors for rules that might be matched by queues
anchor qwanRoot tagged qwanRoot
anchor qlanRoot tagged qlanRoot
anchor qwandef tagged qwandef
anchor qlandef tagged qlandef
anchor qwanacks tagged qwanacks
anchor qlanacks tagged qlanacks
anchor qRdpUp tagged qRdpUp
anchor qRdpDown tagged qRdpDown
anchor qOthersUpH tagged qOthersUpH
anchor qOthersDownH tagged qOthersDownH
anchor qOthersUpL tagged qOthersUpL
anchor qOthersDownL tagged qOthersDownL
anchor qwebUp tagged qwebUp
anchor qwebDown tagged qwebDown
pass in log quick on $wan from any to any keep state  queue (qwandef, qwanacks)  label "USER_RULE: Default Wan -> any" 
pass in log quick on $lan from any to any keep state  queue (qlandef, qlanacks)  label "USER_RULE: Default LAN -> any" 
pass quick proto carp keep state
pass quick proto pfsync
# VPN Rules

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."</sshlockout></virusprot></virusprot></spamd-white></spamd></blacklist></spamd-white></spamd></blacklist></whitelist></sshlockout>

                  SquidGuardDoc EN  RU Tutorial
                  Localization ru_PFSense

                  1 Reply Last reply Reply Quote 0
                  • B
                    billm
                    last edited by

                    queue qwebUp bandwidth 3% priority 2 hfsc (  red ecn upperlimit 5% realtime 2Kb )
                    queue qwebDown bandwidth 3% priority 2 hfsc (  red ecn upperlimit 5% realtime 2Kb )

                    5% of 256K is really really slow (12Kbit aka 1KByte) - that's the limit you transmit web traffic OUT of your network.
                    5% of 2Mbit is 102Kbit, also rather slow.

                    –Bill

                    pfSense core developer
                    blog - http://www.ucsecurity.com/
                    twitter - billmarquette

                    1 Reply Last reply Reply Quote 0
                    • L
                      Leoandru
                      last edited by

                      I see the problem.

                      let out anything from the firewall host itself and decrypted IPsec traffic

                      pass out quick on rl0 all keep state label "let out anything from firewall host itself"

                      is by passing the queues. and shouldn't be there if the shaper is active. Hrm I'll poke at the code a little later.

                      1 Reply Last reply Reply Quote 0
                      • S
                        sullrich
                        last edited by

                        @Leoandru:

                        I see the problem.

                        let out anything from the firewall host itself and decrypted IPsec traffic

                        pass out quick on rl0 all keep state label "let out anything from firewall host itself"

                        is by passing the queues. and shouldn't be there if the shaper is active. Hrm I'll poke at the code a little later.

                        That would be my fault.  We need this to allow pptp on wan client to work.  Any easy workarounds?

                        1 Reply Last reply Reply Quote 0
                        • L
                          Leoandru
                          last edited by

                          oh, ok.. It should be safe to remove that rule if the shaper is active since the shaper rules always creates a default pass out for each interface.

                          in his case

                          pass out quick on rl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"

                          1 Reply Last reply Reply Quote 0
                          • S
                            sullrich
                            last edited by

                            Okay, I have changed it to only install this rule if the traffic shaper is disabled.

                            If this is a full installation, please run from option 8 on the pfSense console:

                            cvs_sync.sh releng_1

                            1 Reply Last reply Reply Quote 0
                            • D
                              dvserg
                              last edited by

                              @sullrich:

                              Okay, I have changed it to only install this rule if the traffic shaper is disabled.

                              If this is a full installation, please run from option 8 on the pfSense console:

                              cvs_sync.sh releng_1

                              How configure cvs_sync for update with existing firewall? (or http)

                              SquidGuardDoc EN  RU Tutorial
                              Localization ru_PFSense

                              1 Reply Last reply Reply Quote 0
                              • H
                                hoba
                                last edited by

                                There is nothing to configure. Just make sure your pfSense is connected to the internet and can access/resolve pfsense.org as it will pull down the files from there. Then run the command from the shell. It will take some time. Don't use the webgui while it's updating.

                                1 Reply Last reply Reply Quote 0
                                • D
                                  dvserg
                                  last edited by

                                  @hoba:

                                  There is nothing to configure. Just make sure your pfSense is connected to the internet and can access/resolve pfsense.org as it will pull down the files from there. Then run the command from the shell. It will take some time. Don't use the webgui while it's updating.

                                  ~~what different between internet access of webgui package_install and shell pkg_add?

                                  In webgui packaged adding good without any trouble, but in shell

                                  pkg_add cvsup-without-gui

                                  can't connect to ftp…~~

                                  cvs_sync.sh need to connect to cvs.pfsense.com only 5999 port or any?

                                  SquidGuardDoc EN  RU Tutorial
                                  Localization ru_PFSense

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    sullrich
                                    last edited by

                                    Make it easier on yourself and allow any.  It needs to connect to pfSense.com for packages as well.

                                    Plus traffic from the firewall itself does not apply to the filter rules.

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      dvserg
                                      last edited by

                                      No. I can't see any effect after update  :(
                                      Bandwidth not worked - only default and ACK

                                      SquidGuardDoc EN  RU Tutorial
                                      Localization ru_PFSense

                                      1 Reply Last reply Reply Quote 0
                                      • L
                                        Leoandru
                                        last edited by

                                        Look at the rules.. is the offending rule still there? the one I pointed out.

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          sullrich
                                          last edited by

                                          @dvserg:

                                          No. I can't see any effect after update  :(
                                          Bandwidth not worked - only default and ACK

                                          Did you reboot after running the command?

                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            dvserg
                                            last edited by

                                            Not. I nothing to find
                                            really worked in queue status : qwandef  qlandef  qlanacks
                                            other queues not have packets (0/pps)

                                            # System Aliases 
loopback = "{ lo0 }"
lan = "{ xl0  carp0 bridge0 }"
wan = "{ rl0  carp0 bridge0 ng0 }"
# User Aliases 
AdminLine = "{ 10.62.0.25 }"

set loginterface rl0
set loginterface xl0
set optimization normal

scrub on rl0 all random-id 
altq on rl0 hfsc bandwidth 2Mb queue { qwanRoot }
altq on xl0 hfsc bandwidth 256Kb queue { qlanRoot }

queue qwanRoot bandwidth 2Mb priority 0 hfsc { qwandef, qwanacks, qRdpUp, qOthersUpH, qOthersUpL, qwebUp }
queue qlanRoot bandwidth 256Kb priority 0 hfsc { qlandef, qlanacks, qRdpDown, qOthersDownH, qOthersDownL, qwebDown }
queue qwandef bandwidth 5% priority 3 hfsc (  default realtime 1% )
queue qlandef bandwidth 5% priority 3 hfsc (  default realtime 1% )
queue qwanacks bandwidth 5% priority 7 hfsc (  realtime 1% )
queue qlanacks bandwidth 5% priority 7 hfsc (  realtime 1% )
queue qRdpUp bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
queue qRdpDown bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
queue qOthersUpH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
queue qOthersDownH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
queue qOthersUpL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
queue qOthersDownL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
queue qwebUp bandwidth 10% priority 2 hfsc (  red ecn realtime 5Kb )
queue qwebDown bandwidth 40Kb priority 2 hfsc (  red ecn realtime 5Kb )

# UPnPd rdr anchor
rdr-anchor "upnpd/*"
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# FTP proxy
rdr-anchor "pftpx/*"
nat on $wan from 10.62.0.0/24 port 500 to any port 500 -> (rl0) port 500
nat on $wan from 10.62.0.0/24 to any -> (rl0)
#SSH Lockout Table
table <sshlockout>persist

# spam table 
table <whitelist>persist
table <blacklist>persist
table <spamd>persist
table <spamd-white>persist file "/var/db/whitelist.txt"
rdr pass on rl0 proto tcp from <blacklist>to port smtp -> 127.0.0.1 port spamd
rdr pass on rl0 proto tcp from <spamd>to port smtp -> 127.0.0.1 port spamd
rdr pass on rl0 proto tcp from ! <spamd-white>to port smtp -> 127.0.0.1 port spamd

# Load balancing anchor - slbd updates
rdr-anchor "slb"

# FTP Proxy/helper

block in all tag unshaped label "SHAPER: first match rule"
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 22  keep state tagged unshaped tag qOthersUpH 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 22 keep state tagged qOthersUpH tag qOthersDownH
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 22  keep state tagged unshaped tag qOthersDownH 
pass out on $wan proto tcp from any to any port 22 keep state tagged qOthersDownH tag qOthersUpH
pass in on  $wan proto icmp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto icmp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto icmp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto icmp from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 53 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 53 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 161 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 161 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 119 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 119 keep state tagged qlandef tag qwandef
pass in on  $wan proto esp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto esp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto esp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto esp from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 500  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 500 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 500  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 500 keep state tagged qlandef tag qwandef
pass in on  $wan proto ah from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto ah from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto ah from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto ah from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 1723  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 1723 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 1723  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 1723 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 445  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 445 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 445  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 445 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 137:139  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 137:139 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 137:139  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 137:139 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3389  keep state tagged unshaped tag qRdpUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 3389 keep state tagged qRdpUp tag qRdpDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3389  keep state tagged unshaped tag qRdpDown 
pass out on $wan proto tcp from any to any port 3389 keep state tagged qRdpDown tag qRdpUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 6667:6670  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 6667:6670 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 6667:6670  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 6667:6670 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 80  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 80 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 80  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 80 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 443  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 443 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 443  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 443 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3125:3129  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 3125:3129 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3125:3129  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 3125:3129 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 143  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 143 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 143  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 143 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 110  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 110 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 110  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 110 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 25  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 25 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 25  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 25 keep state tagged qlandef tag qwandef

anchor "ftpsesame/*" 
anchor "firewallrules"

# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"
# enable ftp-proxy

anchor "ftpproxy"
anchor "pftpx/*"
pass in quick on xl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on xl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on rl0 inet proto tcp from port 20 to (rl0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 10.62.0.3 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 10.62.0.3 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for xl0
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on rl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qOthersUpH queue (qOthersUpH, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qOthersDownH queue (qOthersDownH, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
pass out quick on bridge0 all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick from 10.62.0.0/24 to 10.62.0.3 keep state label "anti-lockout web rule"

# SSH lockout
block in log proto tcp from <sshlockout>to any port 22 label "sshlockout"

# User-defined rules follow
# Anchors for rules that might be matched by queues
anchor qwanRoot tagged qwanRoot
anchor qlanRoot tagged qlanRoot
anchor qwandef tagged qwandef
anchor qlandef tagged qlandef
anchor qwanacks tagged qwanacks
anchor qlanacks tagged qlanacks
anchor qRdpUp tagged qRdpUp
anchor qRdpDown tagged qRdpDown
anchor qOthersUpH tagged qOthersUpH
anchor qOthersDownH tagged qOthersDownH
anchor qOthersUpL tagged qOthersUpL
anchor qOthersDownL tagged qOthersDownL
anchor qwebUp tagged qwebUp
anchor qwebDown tagged qwebDown
pass in log quick on $wan from any to any keep state  queue (qwandef, qwanacks)  label "USER_RULE: Default Wan -> any" 
pass in log quick on $lan from any to any keep state  queue (qlandef, qlanacks)  label "USER_RULE: Default LAN -> any" 
pass quick proto carp keep state
pass quick proto pfsync
# VPN Rules

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."</sshlockout></virusprot></virusprot></spamd-white></spamd></blacklist></spamd-white></spamd></blacklist></whitelist></sshlockout>

                                            SquidGuardDoc EN  RU Tutorial
                                            Localization ru_PFSense

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.