    Traffic shaping not working in Beta 4 for outbound queues?

    45 Posts 10 Posters 21.8k Views
    dvserg

      Hm..
      This is my base config:

       <shaper>
         <schedulertype>hfsc</schedulertype>
         <queue>
           <schedulertype/>
           <bandwidth>2</bandwidth>
           <bandwidthtype>Mb</bandwidthtype>
           <priority>0</priority>
           <name>qwanRoot</name>
           <borrow/>
           <linkshare/><linkshare3/><linkshare2/><linkshare1/>
           <realtime/><realtime3/><realtime2/><realtime1/>
           <upperlimit/><upperlimit3/><upperlimit2/><upperlimit1/>
           <parentqueue>on</parentqueue>
           <attachtoqueue/>
           <associatedrule/>
           <rio/><red/><ecn/>
           <defaultqueue/>
         </queue>
         <queue>
           <schedulertype/>
           <bandwidth>256</bandwidth>
           <bandwidthtype>Kb</bandwidthtype>
           <priority>0</priority>
           <name>qlanRoot</name>
           <borrow/>
           <linkshare/><linkshare3/><linkshare2/><linkshare1/>
           <realtime/><realtime3/><realtime2/><realtime1/>
           <upperlimit/><upperlimit3/><upperlimit2/><upperlimit1/>
           <parentqueue>on</parentqueue>
           <attachtoqueue/>
           <associatedrule/>
           <rio/><red/><ecn/>
           <defaultqueue/>
         </queue>
         <queue>
           <name>qwandef</name>
           <attachtoqueue>qwanRoot</attachtoqueue>
           <associatedrule>0</associatedrule>
           <defaultqueue>true</defaultqueue>
           <priority>3</priority>
           <realtime>on</realtime>
           <realtime3>1%</realtime3>
           <bandwidth>1</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <qlimit>500</qlimit>
         </queue>
         <queue>
           <name>qlandef</name>
           <priority>3</priority>
           <attachtoqueue>qlanRoot</attachtoqueue>
           <associatedrule>0</associatedrule>
           <defaultqueue>true</defaultqueue>
           <realtime>on</realtime>
           <realtime3>1%</realtime3>
           <bandwidth>1</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <qlimit>500</qlimit>
         </queue>
         <queue>
           <schedulertype/>
           <bandwidth>1</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <priority>7</priority>
           <name>qwanacks</name>
           <borrow/>
           <linkshare/><linkshare3/><linkshare2/><linkshare1/>
           <realtime>on</realtime>
           <realtime3>1%</realtime3>
           <realtime2/><realtime1/>
           <upperlimit/><upperlimit3/><upperlimit2/><upperlimit1/>
           <parentqueue/>
           <attachtoqueue>qwanRoot</attachtoqueue>
           <associatedrule/>
           <ack>on</ack>
           <rio/><red/><ecn/>
           <defaultqueue/>
         </queue>
         <queue>
           <schedulertype/>
           <bandwidth>1</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <priority>7</priority>
           <name>qlanacks</name>
           <borrow/>
           <linkshare/><linkshare3/><linkshare2/><linkshare1/>
           <realtime>on</realtime>
           <realtime3>1%</realtime3>
           <realtime2/><realtime1/>
           <upperlimit/><upperlimit3/><upperlimit2/><upperlimit1/>
           <parentqueue/>
           <attachtoqueue>qlanRoot</attachtoqueue>
           <associatedrule/>
           <ack>on</ack>
           <rio/><red/><ecn/>
           <defaultqueue/>
         </queue>
         <queue>
           <schedulertype/>
           <bandwidth>3</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <priority>6</priority>
           <name>qRdpUp</name>
           <borrow/>
           <linkshare/><linkshare3/><linkshare2/><linkshare1/>
           <realtime>on</realtime>
           <realtime3>3%</realtime3>
           <realtime2/><realtime1/>
           <upperlimit/><upperlimit3/><upperlimit2/><upperlimit1/>
           <parentqueue/>
           <attachtoqueue>qwanRoot</attachtoqueue>
           <associatedrule/>
           <rio/>
           <red>on</red>
           <ecn>on</ecn>
           <defaultqueue/>
         </queue>
         <queue>
           <schedulertype/>
           <bandwidth>3</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <priority>6</priority>
           <name>qRdpDown</name>
           <borrow/>
           <linkshare/><linkshare3/><linkshare2/><linkshare1/>
           <realtime>on</realtime>
           <realtime3>3%</realtime3>
           <realtime2/><realtime1/>
           <upperlimit/><upperlimit3/><upperlimit2/><upperlimit1/>
           <parentqueue/>
           <attachtoqueue>qlanRoot</attachtoqueue>
           <associatedrule/>
           <rio/>
           <red>on</red>
           <ecn>on</ecn>
           <defaultqueue/>
         </queue>
         <queue>
           <name>qOthersUpH</name>
           <attachtoqueue>qwanRoot</attachtoqueue>
           <associatedrule>0</associatedrule>
           <priority>6</priority>
           <red>on</red>
           <ecn>on</ecn>
           <realtime>on</realtime>
           <realtime3>1Kb</realtime3>
           <bandwidth>1</bandwidth>
           <bandwidthtype>%</bandwidthtype>
         </queue>
         <queue>
           <name>qOthersDownH</name>
           <attachtoqueue>qlanRoot</attachtoqueue>
           <associatedrule>0</associatedrule>
           <priority>6</priority>
           <red>on</red>
           <ecn>on</ecn>
           <realtime>on</realtime>
           <realtime3>1Kb</realtime3>
           <bandwidth>1</bandwidth>
           <bandwidthtype>%</bandwidthtype>
         </queue>
         <queue>
           <name>qOthersUpL</name>
           <attachtoqueue>qwanRoot</attachtoqueue>
           <associatedrule>0</associatedrule>
           <priority>2</priority>
           <red>on</red>
           <ecn>on</ecn>
           <realtime>on</realtime>
           <realtime3>1Kb</realtime3>
           <bandwidth>1</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <qlimit>500</qlimit>
         </queue>
         <queue>
           <name>qOthersDownL</name>
           <attachtoqueue>qlanRoot</attachtoqueue>
           <associatedrule>0</associatedrule>
           <priority>2</priority>
           <red>on</red>
           <ecn>on</ecn>
           <realtime>on</realtime>
           <realtime3>1Kb</realtime3>
           <bandwidth>1</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <qlimit>500</qlimit>
         </queue>
         <queue>
           <schedulertype/>
           <bandwidth>3</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <priority>2</priority>
           <name>qwebUp</name>
           <borrow/>
           <linkshare/><linkshare3/><linkshare2/><linkshare1/>
           <realtime>on</realtime>
           <realtime3>2Kb</realtime3>
           <realtime2/><realtime1/>
           <upperlimit>on</upperlimit>
           <upperlimit3>5%</upperlimit3>
           <upperlimit2/><upperlimit1/>
           <parentqueue/>
           <attachtoqueue>qwanRoot</attachtoqueue>
           <associatedrule/>
           <rio/>
           <red>on</red>
           <ecn>on</ecn>
           <defaultqueue/>
         </queue>
         <queue>
           <schedulertype/>
           <bandwidth>3</bandwidth>
           <bandwidthtype>%</bandwidthtype>
           <priority>2</priority>
           <name>qwebDown</name>
           <borrow/>
           <linkshare/><linkshare3/><linkshare2/><linkshare1/>
           <realtime>on</realtime>
           <realtime3>2Kb</realtime3>
           <realtime2/><realtime1/>
           <upperlimit>on</upperlimit>
           <upperlimit3>5%</upperlimit3>
           <upperlimit2/><upperlimit1/>
           <parentqueue/>
           <attachtoqueue>qlanRoot</attachtoqueue>
           <associatedrule/>
           <rio/>
           <red>on</red>
           <ecn>on</ecn>
           <defaultqueue/>
         </queue>
         <rule>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <protocol>tcp</protocol>
           <source><any/></source>
           <destination><network>lan</network><port>22</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_OtherH SSH inbound</descr>
           <inqueue>qOthersUpH</inqueue>
           <outqueue>qOthersDownH</outqueue>
         </rule>
         <rule>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <protocol>tcp</protocol>
           <source><network>lan</network></source>
           <destination><any/><port>22</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_OtherH SSH outbound</descr>
           <inqueue>qOthersDownH</inqueue>
           <outqueue>qOthersUpH</outqueue>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network></destination>
           <descr>m_Other ICMP inbound</descr>
           <protocol>icmp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/></destination>
           <descr>m_Other ICMP outbound</descr>
           <protocol>icmp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>53-53</port></destination>
           <descr>m_Other DNS1 inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>53-53</port></destination>
           <descr>m_Other DNS1 outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>53-53</port></destination>
           <descr>m_Other DNS2 inbound</descr>
           <protocol>udp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>53-53</port></destination>
           <descr>m_Other DNS2 outbound</descr>
           <protocol>udp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>161-161</port></destination>
           <descr>m_Other SNMP2 inbound</descr>
           <protocol>udp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>161-161</port></destination>
           <descr>m_Other SNMP2 outbound</descr>
           <protocol>udp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>161-161</port></destination>
           <descr>m_Other SNMP inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>161-161</port></destination>
           <descr>m_Other SNMP outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>119-119</port></destination>
           <descr>m_Other NNTP1 inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>119-119</port></destination>
           <descr>m_Other NNTP1 outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>119-119</port></destination>
           <descr>m_Other NNTP2 inbound</descr>
           <protocol>udp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>119-119</port></destination>
           <descr>m_Other NNTP2 outbound</descr>
           <protocol>udp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network></destination>
           <descr>m_Other IPSEC inbound</descr>
           <protocol>esp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/></destination>
           <descr>m_Other IPSEC outbound</descr>
           <protocol>esp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>500-500</port></destination>
           <descr>m_Other IPSEC inbound</descr>
           <protocol>udp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>500-500</port></destination>
           <descr>m_Other IPSEC outbound</descr>
           <protocol>udp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network></destination>
           <descr>m_Other IPSEC inbound</descr>
           <protocol>ah</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/></destination>
           <descr>m_Other IPSEC outbound</descr>
           <protocol>ah</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>1723-1723</port></destination>
           <descr>m_Other PPTP inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>1723-1723</port></destination>
           <descr>m_Other PPTP outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>445-445</port></destination>
           <descr>m_Other SMB1 inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>445-445</port></destination>
           <descr>m_Other SMB1 outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <protocol>tcp</protocol>
           <source><any/></source>
           <destination><network>lan</network><port>137-139</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other SMB2 inbound</descr>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>137-139-137-139</port></destination>
           <descr>m_Other SMB2 outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <protocol>tcp</protocol>
           <source><any/></source>
           <destination><network>lan</network><port>3389</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other MSRDP inbound</descr>
           <inqueue>qRdpUp</inqueue>
           <outqueue>qRdpDown</outqueue>
         </rule>
         <rule>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <protocol>tcp</protocol>
           <source><network>lan</network></source>
           <destination><any/><port>3389</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other MSRDP outbound</descr>
           <inqueue>qRdpDown</inqueue>
           <outqueue>qRdpUp</outqueue>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>6667-6670</port></destination>
           <descr>m_Other IRC inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>6667-6670</port></destination>
           <descr>m_Other IRC outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <protocol>tcp</protocol>
           <source><any/></source>
           <destination><network>lan</network><port>80</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other HTTP inbound</descr>
           <inqueue>qwebUp</inqueue>
           <outqueue>qwebDown</outqueue>
         </rule>
         <rule>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <protocol>tcp</protocol>
           <source><network>lan</network></source>
           <destination><any/><port>80</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other HTTP outbound</descr>
           <inqueue>qwebDown</inqueue>
           <outqueue>qwebUp</outqueue>
         </rule>
         <rule>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <protocol>tcp</protocol>
           <source><any/></source>
           <destination><network>lan</network><port>443</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other HTTPS inbound</descr>
           <inqueue>qwebUp</inqueue>
           <outqueue>qwebDown</outqueue>
         </rule>
         <rule>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <protocol>tcp</protocol>
           <source><network>lan</network></source>
           <destination><any/><port>443</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other HTTPS outbound</descr>
           <inqueue>qwebDown</inqueue>
           <outqueue>qwebUp</outqueue>
         </rule>
         <rule>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <protocol>tcp</protocol>
           <source><any/></source>
           <destination><network>lan</network><port>3125-3129</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other Proxy inbound</descr>
           <inqueue>qwebUp</inqueue>
           <outqueue>qwebDown</outqueue>
         </rule>
         <rule>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <protocol>tcp</protocol>
           <source><network>lan</network></source>
           <destination><any/><port>3125-3129</port></destination>
           <direction/><iptos/><tcpflags/>
           <descr>m_Other Proxy outbound</descr>
           <inqueue>qwebDown</inqueue>
           <outqueue>qwebUp</outqueue>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>143-143</port></destination>
           <descr>m_Other IMAP inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>143-143</port></destination>
           <descr>m_Other IMAP outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>110-110</port></destination>
           <descr>m_Other POP3 inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>110-110</port></destination>
           <descr>m_Other POP3 outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qwandef</inqueue>
           <outqueue>qlandef</outqueue>
           <in-interface>wan</in-interface>
           <out-interface>lan</out-interface>
           <source><any/></source>
           <destination><network>lan</network><port>25-25</port></destination>
           <descr>m_Other SMTP inbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <rule>
           <inqueue>qlandef</inqueue>
           <outqueue>qwandef</outqueue>
           <in-interface>lan</in-interface>
           <out-interface>wan</out-interface>
           <source><network>lan</network></source>
           <destination><any/><port>25-25</port></destination>
           <descr>m_Other SMTP outbound</descr>
           <protocol>tcp</protocol>
         </rule>
         <enable/>
       </shaper>
      
      

      sullrich

        You forgot to show /tmp/rules.debug ….

        dvserg

          # System Aliases 
          loopback = "{ lo0 }"
          lan = "{ xl0  carp0 bridge0 }"
          wan = "{ rl0  carp0 bridge0 ng0 }"
          # User Aliases 
          AdminLine = "{ 10.62.0.25 }"
          
          set loginterface rl0
          set loginterface xl0
          set optimization normal
          
          scrub on rl0 all random-id 
          altq on rl0 hfsc bandwidth 2Mb queue { qwanRoot }
          altq on xl0 hfsc bandwidth 256Kb queue { qlanRoot }
          
          queue qwanRoot bandwidth 2Mb priority 0 hfsc { qwandef, qwanacks, qRdpUp, qOthersUpH, qOthersUpL, qwebUp }
          queue qlanRoot bandwidth 256Kb priority 0 hfsc { qlandef, qlanacks, qRdpDown, qOthersDownH, qOthersDownL, qwebDown }
          queue qwandef bandwidth 1% priority 3 qlimit 500 hfsc (  default realtime 1% )
          queue qlandef bandwidth 1% priority 3 qlimit 500 hfsc (  default realtime 1% )
          queue qwanacks bandwidth 1% priority 7 hfsc (  realtime 1% )
          queue qlanacks bandwidth 1% priority 7 hfsc (  realtime 1% )
          queue qRdpUp bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
          queue qRdpDown bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
          queue qOthersUpH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
          queue qOthersDownH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
          queue qOthersUpL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
          queue qOthersDownL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
          queue qwebUp bandwidth 3% priority 2 hfsc (  red ecn upperlimit 5% realtime 2Kb )
          queue qwebDown bandwidth 3% priority 2 hfsc (  red ecn upperlimit 5% realtime 2Kb )
          
          # UPnPd rdr anchor
          rdr-anchor "upnpd/*"
          nat-anchor "pftpx/*"
          nat-anchor "natearly/*"
          nat-anchor "natrules/*"
          # FTP proxy
          rdr-anchor "pftpx/*"
          nat on $wan from 10.62.0.0/24 port 500 to any port 500 -> (rl0) port 500
          nat on $wan from 10.62.0.0/24 to any -> (rl0)
          #SSH Lockout Table
          table <sshlockout> persist
          
          # spam table 
          table <whitelist> persist
          table <blacklist> persist
          table <spamd> persist
          table <spamd-white> persist file "/var/db/whitelist.txt"
          rdr pass on rl0 proto tcp from <blacklist> to port smtp -> 127.0.0.1 port spamd
          rdr pass on rl0 proto tcp from <spamd> to port smtp -> 127.0.0.1 port spamd
          rdr pass on rl0 proto tcp from ! <spamd-white> to port smtp -> 127.0.0.1 port spamd
          
          # Load balancing anchor - slbd updates
          rdr-anchor "slb"
          
          # FTP Proxy/helper
          
          block in all tag unshaped label "SHAPER: first match rule"
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 22  keep state tagged unshaped tag qOthersUpH 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 22 keep state tagged qOthersUpH tag qOthersDownH
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 22  keep state tagged unshaped tag qOthersDownH 
          pass out on $wan proto tcp from any to any port 22 keep state tagged qOthersDownH tag qOthersUpH
          pass in on  $wan proto icmp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
          pass out on $lan proto icmp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
          pass in on  $lan proto icmp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
          pass out on $wan proto icmp from any to any keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 53 keep state tagged qlandef tag qwandef
          pass in on  $wan proto udp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
          pass out on $lan proto udp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
          pass in on  $lan proto udp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
          pass out on $wan proto udp from any to any port 53 keep state tagged qlandef tag qwandef
          pass in on  $wan proto udp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
          pass out on $lan proto udp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
          pass in on  $lan proto udp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
          pass out on $wan proto udp from any to any port 161 keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 161 keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 119 keep state tagged qlandef tag qwandef
          pass in on  $wan proto udp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
          pass out on $lan proto udp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
          pass in on  $lan proto udp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
          pass out on $wan proto udp from any to any port 119 keep state tagged qlandef tag qwandef
          pass in on  $wan proto esp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
          pass out on $lan proto esp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
          pass in on  $lan proto esp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
          pass out on $wan proto esp from any to any keep state tagged qlandef tag qwandef
          pass in on  $wan proto udp from any to 10.62.0.0/24 port 500  keep state tagged unshaped tag qwandef 
          pass out on $lan proto udp from any to 10.62.0.0/24 port 500 keep state tagged qwandef tag qlandef
          pass in on  $lan proto udp from 10.62.0.0/24 to any port 500  keep state tagged unshaped tag qlandef 
          pass out on $wan proto udp from any to any port 500 keep state tagged qlandef tag qwandef
          pass in on  $wan proto ah from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
          pass out on $lan proto ah from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
          pass in on  $lan proto ah from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
          pass out on $wan proto ah from any to any keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 1723  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 1723 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 1723  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 1723 keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 445  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 445 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 445  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 445 keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 137:139  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 137:139 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 137:139  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 137:139 keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3389  keep state tagged unshaped tag qRdpUp 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 3389 keep state tagged qRdpUp tag qRdpDown
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3389  keep state tagged unshaped tag qRdpDown 
          pass out on $wan proto tcp from any to any port 3389 keep state tagged qRdpDown tag qRdpUp
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 6667:6670  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 6667:6670 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 6667:6670  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 6667:6670 keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 80  keep state tagged unshaped tag qwebUp 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 80 keep state tagged qwebUp tag qwebDown
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 80  keep state tagged unshaped tag qwebDown 
          pass out on $wan proto tcp from any to any port 80 keep state tagged qwebDown tag qwebUp
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 443  keep state tagged unshaped tag qwebUp 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 443 keep state tagged qwebUp tag qwebDown
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 443  keep state tagged unshaped tag qwebDown 
          pass out on $wan proto tcp from any to any port 443 keep state tagged qwebDown tag qwebUp
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3125:3129  keep state tagged unshaped tag qwebUp 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 3125:3129 keep state tagged qwebUp tag qwebDown
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3125:3129  keep state tagged unshaped tag qwebDown 
          pass out on $wan proto tcp from any to any port 3125:3129 keep state tagged qwebDown tag qwebUp
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 143  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 143 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 143  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 143 keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 110  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 110 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 110  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 110 keep state tagged qlandef tag qwandef
          pass in on  $wan proto tcp from any to 10.62.0.0/24 port 25  keep state tagged unshaped tag qwandef 
          pass out on $lan proto tcp from any to 10.62.0.0/24 port 25 keep state tagged qwandef tag qlandef
          pass in on  $lan proto tcp from 10.62.0.0/24 to any port 25  keep state tagged unshaped tag qlandef 
          pass out on $wan proto tcp from any to any port 25 keep state tagged qlandef tag qwandef
          
          anchor "ftpsesame/*" 
          anchor "firewallrules"
          
          # loopback
          anchor "loopback"
          pass in quick on $loopback all label "pass loopback"
          pass out quick on $loopback all label "pass loopback"
          
          # package manager early specific hook
          anchor "packageearly"
          
          # carp
          anchor "carp"
          # enable ftp-proxy
          
          anchor "ftpproxy"
          anchor "pftpx/*"
          pass in quick on xl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
          pass in quick on xl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
          pass in quick on rl0 inet proto tcp from port 20 to (rl0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
          
          # allow access to DHCP server on LAN
          anchor "dhcpserverlan"
          pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
          pass in quick on $lan proto udp from any port = 68 to 10.62.0.3 port = 67 label "allow access to DHCP server on LAN"
          pass out quick on $lan proto udp from 10.62.0.3 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
          
          pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"
          
          # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
          antispoof for xl0
          # Support for allow limiting of TCP connections by establishment rate
          anchor "limitingesr"
          table <virusprot>
          block in quick from <virusprot> to any label "virusprot overload table"
          
          # let out anything from the firewall host itself and decrypted IPsec traffic
          pass out quick on rl0 all keep state label "let out anything from firewall host itself"
          # pass traffic from firewall -> out
          anchor "firewallout"
          pass out quick on rl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
          pass out quick on rl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
          pass out quick on rl0 all keep state tagged qOthersUpH queue (qOthersUpH, qwanacks) label "let out anything from firewall host itself"
          pass out quick on rl0 all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
          pass out quick on rl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
          pass out quick on xl0 all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
          pass out quick on xl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
          pass out quick on xl0 all keep state tagged qOthersDownH queue (qOthersDownH, qlanacks) label "let out anything from firewall host itself"
          pass out quick on xl0 all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
          pass out quick on xl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
          pass out quick on bridge0 all keep state label "let out anything from firewall host itself"
          
          # make sure the user cannot lock himself out of the webGUI or SSH
          anchor "anti-lockout"
          pass in quick from 10.62.0.0/24 to 10.62.0.3 keep state label "anti-lockout web rule"
          
          # SSH lockout
          block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"
          
          # User-defined rules follow
          # Anchors for rules that might be matched by queues
          anchor qwanRoot tagged qwanRoot
          anchor qlanRoot tagged qlanRoot
          anchor qwandef tagged qwandef
          anchor qlandef tagged qlandef
          anchor qwanacks tagged qwanacks
          anchor qlanacks tagged qlanacks
          anchor qRdpUp tagged qRdpUp
          anchor qRdpDown tagged qRdpDown
          anchor qOthersUpH tagged qOthersUpH
          anchor qOthersDownH tagged qOthersDownH
          anchor qOthersUpL tagged qOthersUpL
          anchor qOthersDownL tagged qOthersDownL
          anchor qwebUp tagged qwebUp
          anchor qwebDown tagged qwebDown
          pass in log quick on $wan from any to any keep state  queue (qwandef, qwanacks)  label "USER_RULE: Default Wan -> any" 
          pass in log quick on $lan from any to any keep state  queue (qlandef, qlanacks)  label "USER_RULE: Default LAN -> any" 
          pass quick proto carp keep state
          pass quick proto pfsync
          # VPN Rules
          
          #---------------------------------------------------------------------------
          # default rules (just to be sure)
          #---------------------------------------------------------------------------
          block in log quick all label "Default block all just to be sure."
          block out log quick all label "Default block all just to be sure."
          

          SquidGuardDoc EN  RU Tutorial
          Localization ru_PFSense

          • B
            billm
            last edited by

            queue qwebUp bandwidth 3% priority 2 hfsc (  red ecn upperlimit 5% realtime 2Kb )
            queue qwebDown bandwidth 3% priority 2 hfsc (  red ecn upperlimit 5% realtime 2Kb )

            5% of 256K is really, really slow (12Kbit aka 1KByte) - that's the limit at which you transmit web traffic OUT of your network.
            5% of 2Mbit is 102Kbit, also rather slow.

            –Bill

            pfSense core developer
            blog - http://www.ucsecurity.com/
            twitter - billmarquette

            • L
              Leoandru
              last edited by

              I see the problem.

              let out anything from the firewall host itself and decrypted IPsec traffic

              pass out quick on rl0 all keep state label "let out anything from firewall host itself"

              is bypassing the queues, and shouldn't be there if the shaper is active. Hrm, I'll poke at the code a little later.

              • S
                sullrich
                last edited by

                @Leoandru:

                I see the problem.

                let out anything from the firewall host itself and decrypted IPsec traffic

                pass out quick on rl0 all keep state label "let out anything from firewall host itself"

                is bypassing the queues, and shouldn't be there if the shaper is active. Hrm, I'll poke at the code a little later.

                That would be my fault.  We need this to allow pptp on wan client to work.  Any easy workarounds?

                • L
                  Leoandru
                  last edited by

                  oh, ok.. It should be safe to remove that rule if the shaper is active, since the shaper rules always create a default pass out for each interface.

                  in his case

                  pass out quick on rl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"

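The bypass that Leoandru and sullrich are discussing comes down to pf's matching order: the last matching rule wins unless a matching rule carries `quick`, and a `pass out quick on rl0 all keep state` with no `queue` placed ahead of the shaper's queued catch-alls ends evaluation before any queue is assigned. The following is an added Python model of that evaluation, not pfSense's own code: the rules are reduced from the ruleset pasted earlier in the thread (rl0 = WAN, queue names are the poster's), and the sample packets, ports and protocol fields are constructed for the demonstration.

```python
"""Model of pf rule evaluation for the queue-bypass case in this thread.

pf semantics modelled here (see pf.conf(5)):
  * rules are evaluated top to bottom and the LAST matching rule wins,
    unless a matching rule has 'quick', which ends evaluation there;
  * 'tag' is sticky: a matching rule tags the packet even if it is not the
    final rule; a later match may replace the tag but cannot remove it;
  * 'tagged X' only matches a packet that already carries tag X;
  * the 'queue' of the winning rule is the ALTQ queue the packet goes to.

Added example, not pfSense code.  Rules are reduced from the ruleset posted
in this thread (rl0 = WAN); packets, ports and protocols are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: Optional[str] = None   # None matches any interface
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False
    tagged: Optional[str] = None  # require this tag on the packet
    tag: Optional[str] = None     # tag applied when the rule matches
    queue: Optional[str] = None   # ALTQ queue (first of the queue pair)
    label: str = ""


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int
    tag: Optional[str] = None     # tag set by rules seen on the way in


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.tagged in (None, pkt.tag))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the rule that decides the packet, applying sticky tags on the way."""
    winner = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.tag is not None:
            pkt.tag = rule.tag        # sticky: replaces an earlier tag
        winner = rule
        if rule.quick:
            break                     # 'quick' ends evaluation here
    return winner


def assigned_queue(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Queue the packet lands in, or None if it passes unqueued or is blocked."""
    w = evaluate(rules, pkt)
    return w.queue if w is not None and w.action == "pass" else None


# Reduced ruleset for traffic leaving on rl0 (WAN), in the posted order.
# Shaper classification rule (not quick): web traffic tagged qwebDown on the
# LAN side is retagged qwebUp as it leaves the WAN.
SHAPER_WEB_OUT = Rule("pass", "out", "rl0", "tcp", 80,
                      tagged="qwebDown", tag="qwebUp")
# The rule Leoandru pointed at: quick, no queue, ahead of the queued rules.
BYPASS = Rule("pass", "out", "rl0", quick=True,
              label="let out anything from firewall host itself")
# Queued catch-alls generated by the shaper.
QUEUED_WEB = Rule("pass", "out", "rl0", quick=True,
                  tagged="qwebUp", queue="qwebUp")
QUEUED_DEFAULT = Rule("pass", "out", "rl0", quick=True, queue="qwandef")

WITH_BYPASS = [SHAPER_WEB_OUT, BYPASS, QUEUED_WEB, QUEUED_DEFAULT]
WITHOUT_BYPASS = [SHAPER_WEB_OUT, QUEUED_WEB, QUEUED_DEFAULT]


def web_packet() -> Packet:
    # constructed sample: HTTP request leaving the WAN, tagged on the LAN side
    return Packet("out", "rl0", "tcp", 80, tag="qwebDown")


def demo() -> dict:
    return {
        "with_bypass": assigned_queue(WITH_BYPASS, web_packet()),
        "without_bypass": assigned_queue(WITHOUT_BYPASS, web_packet()),
        "untagged_other": assigned_queue(WITHOUT_BYPASS,
                                         Packet("out", "rl0", "udp", 123)),
    }


if __name__ == "__main__":
    for name, queue in demo().items():
        print(f"{name:>15}: {queue}")
```

With the bypass rule present the web packet is retagged `qwebUp` by the shaper rule but then stopped by the unqueued `quick` rule, so it leaves with no queue; with the rule removed it reaches the `tagged qwebUp` catch-all, and an untagged packet falls through to `qwandef`. This is the same symptom dvserg reports in the queue status: only the default queues carry packets.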
                  • S
                    sullrich
                    last edited by

                    Okay, I have changed it to only install this rule if the traffic shaper is disabled.

                    If this is a full installation, please run from option 8 on the pfSense console:

                    cvs_sync.sh releng_1

                    • D
                      dvserg
                      last edited by

                      @sullrich:

                      Okay, I have changed it to only install this rule if the traffic shaper is disabled.

                      If this is a full installation, please run from option 8 on the pfSense console:

                      cvs_sync.sh releng_1

                      How do I configure cvs_sync to update an existing firewall? (or http)

                      • H
                        hoba
                        last edited by

                        There is nothing to configure. Just make sure your pfSense is connected to the internet and can access/resolve pfsense.org as it will pull down the files from there. Then run the command from the shell. It will take some time. Don't use the webgui while it's updating.

                        • D
                          dvserg
                          last edited by

                          @hoba:

                          There is nothing to configure. Just make sure your pfSense is connected to the internet and can access/resolve pfsense.org as it will pull down the files from there. Then run the command from the shell. It will take some time. Don't use the webgui while it's updating.

                          ~~What is the difference between the internet access of the webgui package_install and shell pkg_add?

                          In the webgui, packages add fine without any trouble, but in the shell

                          pkg_add cvsup-without-gui

                          can't connect to ftp…~~

                          Does cvs_sync.sh need to connect to cvs.pfsense.com only on port 5999, or on any port?

                          • S
                            sullrich
                            last edited by

                            Make it easier on yourself and allow any.  It needs to connect to pfSense.com for packages as well.

                            Plus traffic from the firewall itself does not apply to the filter rules.

                            • D
                              dvserg
                              last edited by

                              No. I can't see any effect after the update  :(
                              Bandwidth is not working - only default and ACK

                              • L
                                Leoandru
                                last edited by

                                Look at the rules.. is the offending rule still there? The one I pointed out.

                                • S
                                  sullrich
                                  last edited by

                                  @dvserg:

                                  No. I can't see any effect after the update  :(
                                  Bandwidth is not working - only default and ACK

                                  Did you reboot after running the command?

                                  • D
                                    dvserg
                                    last edited by

                                    No. I can't find anything.
                                    The only queues really working in queue status are: qwandef  qlandef  qlanacks
                                    the other queues have no packets (0/pps)

                                    # System Aliases 
                                    loopback = "{ lo0 }"
                                    lan = "{ xl0  carp0 bridge0 }"
                                    wan = "{ rl0  carp0 bridge0 ng0 }"
                                    # User Aliases 
                                    AdminLine = "{ 10.62.0.25 }"
                                    
                                    set loginterface rl0
                                    set loginterface xl0
                                    set optimization normal
                                    
                                    scrub on rl0 all random-id 
                                    altq on rl0 hfsc bandwidth 2Mb queue { qwanRoot }
                                    altq on xl0 hfsc bandwidth 256Kb queue { qlanRoot }
                                    
                                    queue qwanRoot bandwidth 2Mb priority 0 hfsc { qwandef, qwanacks, qRdpUp, qOthersUpH, qOthersUpL, qwebUp }
                                    queue qlanRoot bandwidth 256Kb priority 0 hfsc { qlandef, qlanacks, qRdpDown, qOthersDownH, qOthersDownL, qwebDown }
                                    queue qwandef bandwidth 5% priority 3 hfsc (  default realtime 1% )
                                    queue qlandef bandwidth 5% priority 3 hfsc (  default realtime 1% )
                                    queue qwanacks bandwidth 5% priority 7 hfsc (  realtime 1% )
                                    queue qlanacks bandwidth 5% priority 7 hfsc (  realtime 1% )
                                    queue qRdpUp bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
                                    queue qRdpDown bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
                                    queue qOthersUpH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
                                    queue qOthersDownH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
                                    queue qOthersUpL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
                                    queue qOthersDownL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
                                    queue qwebUp bandwidth 10% priority 2 hfsc (  red ecn realtime 5Kb )
                                    queue qwebDown bandwidth 40Kb priority 2 hfsc (  red ecn realtime 5Kb )
                                    
                                    # UPnPd rdr anchor
                                    rdr-anchor "upnpd/*"
                                    nat-anchor "pftpx/*"
                                    nat-anchor "natearly/*"
                                    nat-anchor "natrules/*"
                                    # FTP proxy
                                    rdr-anchor "pftpx/*"
                                    nat on $wan from 10.62.0.0/24 port 500 to any port 500 -> (rl0) port 500
                                    nat on $wan from 10.62.0.0/24 to any -> (rl0)
                                    #SSH Lockout Table
                                    table <sshlockout> persist
                                    
                                    # spam table 
                                    table <whitelist> persist
                                    table <blacklist> persist
                                    table <spamd> persist
                                    table <spamd-white> persist file "/var/db/whitelist.txt"
                                    rdr pass on rl0 proto tcp from <blacklist> to port smtp -> 127.0.0.1 port spamd
                                    rdr pass on rl0 proto tcp from <spamd> to port smtp -> 127.0.0.1 port spamd
                                    rdr pass on rl0 proto tcp from ! <spamd-white> to port smtp -> 127.0.0.1 port spamd
                                    
                                    # Load balancing anchor - slbd updates
                                    rdr-anchor "slb"
                                    
                                    # FTP Proxy/helper
                                    
                                    block in all tag unshaped label "SHAPER: first match rule"
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 22  keep state tagged unshaped tag qOthersUpH 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 22 keep state tagged qOthersUpH tag qOthersDownH
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 22  keep state tagged unshaped tag qOthersDownH 
                                    pass out on $wan proto tcp from any to any port 22 keep state tagged qOthersDownH tag qOthersUpH
                                    pass in on  $wan proto icmp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto icmp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto icmp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto icmp from any to any keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 53 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto udp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto udp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto udp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto udp from any to any port 53 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto udp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto udp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto udp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto udp from any to any port 161 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 161 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 119 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto udp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto udp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto udp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto udp from any to any port 119 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto esp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto esp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto esp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto esp from any to any keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto udp from any to 10.62.0.0/24 port 500  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto udp from any to 10.62.0.0/24 port 500 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto udp from 10.62.0.0/24 to any port 500  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto udp from any to any port 500 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto ah from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto ah from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto ah from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto ah from any to any keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 1723  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 1723 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 1723  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 1723 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 445  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 445 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 445  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 445 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 137:139  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 137:139 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 137:139  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 137:139 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3389  keep state tagged unshaped tag qRdpUp 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 3389 keep state tagged qRdpUp tag qRdpDown
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3389  keep state tagged unshaped tag qRdpDown 
                                    pass out on $wan proto tcp from any to any port 3389 keep state tagged qRdpDown tag qRdpUp
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 6667:6670  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 6667:6670 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 6667:6670  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 6667:6670 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 80  keep state tagged unshaped tag qwebUp 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 80 keep state tagged qwebUp tag qwebDown
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 80  keep state tagged unshaped tag qwebDown 
                                    pass out on $wan proto tcp from any to any port 80 keep state tagged qwebDown tag qwebUp
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 443  keep state tagged unshaped tag qwebUp 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 443 keep state tagged qwebUp tag qwebDown
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 443  keep state tagged unshaped tag qwebDown 
                                    pass out on $wan proto tcp from any to any port 443 keep state tagged qwebDown tag qwebUp
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3125:3129  keep state tagged unshaped tag qwebUp 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 3125:3129 keep state tagged qwebUp tag qwebDown
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3125:3129  keep state tagged unshaped tag qwebDown 
                                    pass out on $wan proto tcp from any to any port 3125:3129 keep state tagged qwebDown tag qwebUp
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 143  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 143 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 143  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 143 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 110  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 110 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 110  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 110 keep state tagged qlandef tag qwandef
                                    pass in on  $wan proto tcp from any to 10.62.0.0/24 port 25  keep state tagged unshaped tag qwandef 
                                    pass out on $lan proto tcp from any to 10.62.0.0/24 port 25 keep state tagged qwandef tag qlandef
                                    pass in on  $lan proto tcp from 10.62.0.0/24 to any port 25  keep state tagged unshaped tag qlandef 
                                    pass out on $wan proto tcp from any to any port 25 keep state tagged qlandef tag qwandef
                                    
                                    anchor "ftpsesame/*" 
                                    anchor "firewallrules"
                                    
                                    # loopback
                                    anchor "loopback"
                                    pass in quick on $loopback all label "pass loopback"
                                    pass out quick on $loopback all label "pass loopback"
                                    
                                    # package manager early specific hook
                                    anchor "packageearly"
                                    
                                    # carp
                                    anchor "carp"
                                    # enable ftp-proxy
                                    
                                    anchor "ftpproxy"
                                    anchor "pftpx/*"
                                    pass in quick on xl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
                                    pass in quick on xl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
                                    pass in quick on rl0 inet proto tcp from port 20 to (rl0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
                                    
                                    # allow access to DHCP server on LAN
                                    anchor "dhcpserverlan"
                                    pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
                                    pass in quick on $lan proto udp from any port = 68 to 10.62.0.3 port = 67 label "allow access to DHCP server on LAN"
                                    pass out quick on $lan proto udp from 10.62.0.3 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
                                    
                                    pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"
                                    
                                    # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
                                    antispoof for xl0
                                    # Support for allow limiting of TCP connections by establishment rate
                                    anchor "limitingesr"
                                     table <virusprot>
                                     block in quick from <virusprot> to any label "virusprot overload table"
                                    # pass traffic from firewall -> out
                                    anchor "firewallout"
                                    pass out quick on rl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
                                    pass out quick on rl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
                                    pass out quick on rl0 all keep state tagged qOthersUpH queue (qOthersUpH, qwanacks) label "let out anything from firewall host itself"
                                    pass out quick on rl0 all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
                                    pass out quick on rl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
                                    pass out quick on xl0 all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
                                    pass out quick on xl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
                                    pass out quick on xl0 all keep state tagged qOthersDownH queue (qOthersDownH, qlanacks) label "let out anything from firewall host itself"
                                    pass out quick on xl0 all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
                                    pass out quick on xl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
                                    pass out quick on bridge0 all keep state label "let out anything from firewall host itself"
                                    
                                    # make sure the user cannot lock himself out of the webGUI or SSH
                                    anchor "anti-lockout"
                                    pass in quick from 10.62.0.0/24 to 10.62.0.3 keep state label "anti-lockout web rule"
                                    
                                    # SSH lockout
                                     block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"
                                    
                                    # User-defined rules follow
                                    # Anchors for rules that might be matched by queues
                                    anchor qwanRoot tagged qwanRoot
                                    anchor qlanRoot tagged qlanRoot
                                    anchor qwandef tagged qwandef
                                    anchor qlandef tagged qlandef
                                    anchor qwanacks tagged qwanacks
                                    anchor qlanacks tagged qlanacks
                                    anchor qRdpUp tagged qRdpUp
                                    anchor qRdpDown tagged qRdpDown
                                    anchor qOthersUpH tagged qOthersUpH
                                    anchor qOthersDownH tagged qOthersDownH
                                    anchor qOthersUpL tagged qOthersUpL
                                    anchor qOthersDownL tagged qOthersDownL
                                    anchor qwebUp tagged qwebUp
                                    anchor qwebDown tagged qwebDown
                                    pass in log quick on $wan from any to any keep state  queue (qwandef, qwanacks)  label "USER_RULE: Default Wan -> any" 
                                    pass in log quick on $lan from any to any keep state  queue (qlandef, qlanacks)  label "USER_RULE: Default LAN -> any" 
                                    pass quick proto carp keep state
                                    pass quick proto pfsync
                                    # VPN Rules
                                    
                                    #---------------------------------------------------------------------------
                                    # default rules (just to be sure)
                                    #---------------------------------------------------------------------------
                                    block in log quick all label "Default block all just to be sure."
                                     block out log quick all label "Default block all just to be sure."
                                    

                                    SquidGuardDoc EN  RU Tutorial
                                    Localization ru_PFSense

                                    • D
                                      darrendavid
                                      last edited by

                                      hey-

                                      Same issue here. I want to see if a cvs_sync fixes it, but I'm on a Soekris and / is mounted read-only… and of course I can't edit /etc/fstab because, well, / is mounted read-only. What's the trick for cvs_sync'ing on a WRAP box?

                                      thanks,
                                      darren

                                      • S
                                        sullrich
                                        last edited by

                                        @darrendavid:

                                        hey-

                                        Same issue here. I want to see if a cvs_sync fixes it, but I'm on a Soekris and / is mounted read-only… and of course I can't edit /etc/fstab because, well, / is mounted read-only. What's the trick for cvs_sync'ing on a WRAP box?

                                        thanks,
                                        darren

                                        There is no trick. This does not work with embedded platforms.

                                        • D
                                          darrendavid
                                          last edited by

                                          I /knew/ you were going to say that. ;)

                                          Can you point me to the docs for building my own from CVS, if there are any?

                                          Thanks for all the work on this. It's looking grand.

                                          cheers,
                                          darren

                                          • D
                                            dvserg
                                            last edited by

                                            In other forums they say that ALTQ must be configured on 2 interfaces (because it works only with outbound traffic).
                                            A similar problem occurs when one of the interfaces is not set correctly.
                                            Is this correct in my rules?

                                            PS: Please don't kill me, I'm only a newbie (2 months with a *nix system) ;)

                                            PS2: After updating from CVS, the queue status graph works very stably (1.5 hours without stops).

                                            SquidGuardDoc EN  RU Tutorial
                                            Localization ru_PFSense
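To check the point dvserg raises (ALTQ shapes only outbound traffic, so every tag an inbound rule assigns must be picked up by a `tagged ... queue (...)` rule on the interface the traffic leaves through), here is an added Python checker; it is not code from the thread or from pfSense. The sample rules follow the shape of the posted ruleset with one constructed qOthersUpL line, and the rl0 = WAN / xl0 = LAN macro mapping is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the pf.conf excerpt posted above, not the poster's
# full ruleset; the qOthersUpL rule is made up to show a tag that never reaches a queue.
SAMPLE_RULES = """\
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3389 keep state tagged unshaped tag qRdpUp
pass out on $lan proto tcp from any to 10.62.0.0/24 port 3389 keep state tagged qRdpUp tag qRdpDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3389 keep state tagged unshaped tag qRdpDown
pass out on $wan proto tcp from any to any port 3389 keep state tagged qRdpDown tag qRdpUp
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 5900 keep state tagged unshaped tag qOthersUpL
pass out quick on rl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "firewall out"
pass out quick on xl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "firewall out"
pass out quick on rl0 all keep state queue (qwandef, qwanacks) label "firewall out"
"""
MACROS = {"$wan": "rl0", "$lan": "xl0"}  # assumed from the posted rules: rl0 = WAN, xl0 = LAN

IFACE_RE = re.compile(r"\bon\s+(\S+)")
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")
TAG_RE = re.compile(r"\btag\s+(\S+)")                # 'tag X' only; never matches 'tagged'
QUEUE_RE = re.compile(r"\bqueue\s*\(\s*([^,\s)]+)")  # data queue of 'queue (data, ack)'


def _first(rx, line):
    m = rx.search(line)
    return m.group(1) if m else None

def parse_rules(text):
    """Yield (direction, interface, tagged, tag, queue) for every 'pass in/out' rule."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "pass" or parts[1] not in ("in", "out"):
            continue
        iface = _first(IFACE_RE, line)
        yield (parts[1], MACROS.get(iface, iface),
               _first(TAGGED_RE, line), _first(TAG_RE, line), _first(QUEUE_RE, line))

def queued_tags(text):
    """Tag -> outbound interfaces on which a 'tagged X queue (...)' rule shapes it."""
    result = defaultdict(set)
    for direction, iface, tagged, _tag, queue in parse_rules(text):
        if direction == "out" and tagged and queue:
            result[tagged].add(iface)
    return dict(result)

def find_unqueued_tags(text):
    """Tags assigned somewhere but never queued on the way out (they fall into the default queue)."""
    assigned = {tag for _d, _i, _tg, tag, _q in parse_rules(text) if tag}
    return assigned - set(queued_tags(text))
```

Run against a full `pfctl -sr` dump, the output of `queued_tags` shows which interface each tag is actually shaped on, so an Up queue landing on the LAN interface or a Down queue on WAN is visible at a glance.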
