[РЕШЕНО]Не работает торрент клиент
-
Вот скрины Firewall. Тут еще такой вопрос, а на интерфейс OPT1 ненадо никаких правил, на нем у меня инет(ставил пакет DHCP+PPTP)
$ ifconfig xl0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9 <rxcsum,vlan_mtu>ether 00:04:75:9e:0d:63 inet 192.168.9.1 netmask 0xffffff00 broadcast 192.168.9.255 inet6 fe80::204:75ff:fe9e:d63%xl0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (100baseTX <full-duplex>) status: active xl1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9 <rxcsum,vlan_mtu>ether 00:0e:a6:21:30:d2 inet6 fe80::20e:a6ff:fe21:30d2%xl1 prefixlen 64 scopeid 0x2 inet 172.17.133.110 netmask 0xfffffc00 broadcast 172.17.135.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 enc0: flags=0<> metric 0 mtu 1536 pfsync0: flags=41 <up,running>metric 0 mtu 1460 pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128 pflog0: flags=100 <promisc>metric 0 mtu 33204 ng0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1500 inet 10.100.24.106 --> 172.17.0.1 netmask 0xffffffff inet6 fe80::204:75ff:fe9e:d63%ng0 prefixlen 64 scopeid 0x7</up,pointopoint,running,noarp,simplex,multicast></promisc></up,running></up,loopback,running,multicast></full-duplex></rxcsum,vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,vlan_mtu></up,broadcast,running,simplex,multicast>$ netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 172.17.0.1 UGS 0 4969 ng0 10.100.24.106 lo0 UHS 0 0 lo0 127.0.0.1 127.0.0.1 UH 1 0 lo0 172.17.0.1 10.100.24.106 UH 1 0 ng0 172.17.132.0/22 link#2 UC 0 0 xl1 172.17.132.1 00:30:48:dc:a2:e4 UHLW 2 87 xl1 1181 172.17.133.110 127.0.0.1 UGHS 0 0 lo0 192.168.9.0/24 link#1 UC 0 0 xl0 192.168.9.9 18:a9:05:8b:5c:87 UHLW 1 8895 xl0 1118 213.110.96.6/32 172.17.132.1 UGS 0 550 xl1 Internet6: Destination Gateway Flags Netif Expire ::1 ::1 UHL lo0 fe80::%xl0/64 link#1 UC xl0 fe80::204:75ff:fe9e:d63%xl0 00:04:75:9e:0d:63 UHL lo0 fe80::%xl1/64 link#2 UC xl1 fe80::20e:a6ff:fe21:30d2%xl1 00:0e:a6:21:30:d2 UHL lo0 fe80::%lo0/64 fe80::1%lo0 U lo0 fe80::1%lo0 link#3 UHL lo0 fe80::%ng0/64 link#7 UC ng0 fe80::204:75ff:fe9e:d63%ng0 link#7 UHL lo0 ff01:1::/32 link#1 UC xl0 ff01:2::/32 link#2 UC xl1 ff01:3::/32 ::1 UC lo0 ff01:7::/32 link#7 UC ng0 ff02::%xl0/32 link#1 UC xl0 ff02::%xl1/32 link#2 UC xl1 ff02::%lo0/32 ::1 UC lo0 ff02::%ng0/32 link#7 UC ng0$ pfctl -sr scrub all random-id fragment reassemble anchor "ftpsesame/*" all anchor "firewallrules" all block drop quick proto tcp from any port = 0 to any block drop quick proto tcp from any to any port = 0 block drop quick proto udp from any port = 0 to any block drop quick proto udp from any to any port = 0 block drop quick from <snort2c> to any label "Block snort2c hosts" block drop quick from any to <snort2c> label "Block snort2c hosts" block drop in quick inet6 all block drop out quick inet6 all anchor "loopback" all pass in quick on lo0 all flags S/SA keep state label "pass loopback" pass out quick on lo0 all flags S/SA keep state label "pass loopback" anchor "packageearly" all anchor "carp" all pass quick inet proto icmp from 172.17.133.110 to any keep state anchor "dhcpserverlan" all pass in quick on xl0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN" pass in quick on xl0 inet proto udp from any port = bootpc to 192.168.9.1 port = bootps keep state label "allow access to DHCP server on LAN" pass out quick on xl0 inet proto udp from 192.168.9.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN" anchor "wandhcp" all pass out quick on xl1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out wan" block drop in log quick on xl1 inet proto udp from any port = bootps to 192.168.9.0/24 port = bootpc label "block dhcp client out wan" block drop in on ! xl0 inet from 192.168.9.0/24 to any block drop in inet from 192.168.9.1 to any block drop in on xl0 inet6 from fe80::204:75ff:fe9e:d63 to any anchor "spoofing" all anchor "limitingesr" all block drop in quick from <virusprot> to any label "virusprot overload table" pass out quick on xl0 proto icmp all keep state label "let out anything from firewall host itself" pass out quick on xl1 proto icmp all keep state label "let out anything from firewall host itself" pass out quick on xl1 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself" anchor "firewallout" all pass out quick on xl1 all flags S/SA keep state label "let out anything from firewall host itself" pass out quick on xl0 all flags S/SA keep state label "let out anything from firewall host itself" pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host" pass out quick on ng0 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself" pass out quick on ng0 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself" anchor "anti-lockout" all pass in quick on xl0 inet from any to 192.168.9.1 flags S/SA keep state label "anti-lockout web rule" block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout" anchor "ftpproxy" all anchor "pftpx/*" all pass in quick on xl1 reply-to (xl1 172.17.132.1) inet proto tcp from any port = 8888 to 192.168.9.9 port = 8888 flags S/SA keep state label "USER_RULE: NAT " pass in quick on xl1 reply-to (xl1 172.17.132.1) inet proto udp from any port = 8888 to 192.168.9.9 port = 8888 keep state label "USER_RULE: NAT " pass in quick on xl1 reply-to (xl1 172.17.132.1) inet proto tcp from any port = aol to 192.168.9.9 port = aol flags S/SA keep state label "USER_RULE: NAT " pass in quick on xl1 reply-to (xl1 172.17.132.1) inet proto udp from any port = aol to 192.168.9.9 port = aol keep state label "USER_RULE: NAT " pass in quick on xl0 inet proto icmp all keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port = domain flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port = http flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port = https flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port = 8888 flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto udp from 192.168.9.9 to any port = 8888 keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port = aol flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port = pop3 flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on xl1 inet proto tcp from any port = ftp-data to (xl1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection" pass in quick on ng0 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on ng0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" anchor "imspector" all anchor "miniupnpd" all block drop in log quick all label "Default deny rule" block drop out log quick all label "Default deny rule"</sshlockout></virusprot></snort2c></snort2c>$ pfctl -sn nat-anchor "pftpx/*" all nat-anchor "natearly/*" all nat-anchor "natrules/*" all nat on xl1 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (xl1) port 500 round-robin nat on xl1 inet from 192.168.9.0/24 port = 5060 to any port = 5060 -> (xl1) port 5060 round-robin nat on xl1 inet from 192.168.9.0/24 to any -> (xl1) port 1024:65535 round-robin rdr-anchor "pftpx/*" all rdr-anchor "slb" all no rdr on xl0 proto tcp from any to <vpns> port = ftp rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021 rdr on xl1 inet proto tcp from any to 172.17.133.110 port = 8888 -> 192.168.9.9 rdr on xl1 inet proto udp from any to 172.17.133.110 port = 8888 -> 192.168.9.9 rdr on xl1 inet proto tcp from any to 172.17.133.110 port = aol -> 192.168.9.9 rdr on xl1 inet proto udp from any to 172.17.133.110 port = aol -> 192.168.9.9 rdr-anchor "imspector" all rdr-anchor "miniupnpd" all</vpns>
-
Правила должны быть на том интерфейсе, откуда ты получаешь сервис. Если ты качаешь торренты через инет, а инет предоставляет opt1, то и правила нужно делать в opt1.
-
Ну вот, как же ты ожидаешь, чтобы торрент заработал нормально, если у тебя нет Public IP на WAN? Не взлетит :-(
–-отредактировано---
упс, пардон, не заметил. dasTieRR прав. -
Ну вот, как же ты ожидаешь, чтобы торрент заработал нормально, если у тебя нет Public IP на WAN? Не взлетит :-(
–-отредактировано---
упс, пардон, не заметил. dasTieRR прав.Тоесть если я все правила с вана перепишу на OPT1 то торент взлетит?
-
Ну вот, как же ты ожидаешь, чтобы торрент заработал нормально, если у тебя нет Public IP на WAN? Не взлетит :-(
–-отредактировано---
упс, пардон, не заметил. dasTieRR прав.Тоесть если я все правила с вана перепишу на OPT1 то торент взлетит?
Ещё как! прописывать лучше на открытой местности.
-
Вообщем все сделал вот так. WAN оставил в покое. Но торент пока отказывается сотрудничать((
-
Вообщем все сделал вот так. WAN оставил в покое. Но торент пока отказывается сотрудничать((
8888 у тебя нужен только извне, из локалки выпусти 1024 - 65535 (как уже люди выше писал, я сегодня эти порты лично проверил - 1 фильм скачался)
Либо выпусти из лана всё, хотя бы для теста. -
и всё-таки```
pfctl -sn -
Поменял правило на LANе. Ниже скрин
$ pfctl -sn nat-anchor "pftpx/*" all nat-anchor "natearly/*" all nat-anchor "natrules/*" all nat on xl1 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (xl1) port 500 round-robin nat on xl1 inet from 192.168.9.0/24 port = 5060 to any port = 5060 -> (xl1) port 5060 round-robin nat on xl1 inet from 192.168.9.0/24 to any -> (xl1) port 1024:65535 round-robin rdr-anchor "pftpx/*" all rdr-anchor "slb" all no rdr on xl0 proto tcp from any to <vpns> port = ftp rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021 rdr-anchor "imspector" all rdr-anchor "miniupnpd" all</vpns>
-
хм… что-то ng0 вообще не видать. Ты используешь мой пакет? какой версии?
-
-
-
-
Новая версия 0.44. Если не сработает то пожалуйста
ifconfig netstat -rn pfctl -sr pfctl -sn -
На почту скинешь?
-
На почту скинешь?
скинул. У тебя ж инет есть, почему нормальным способом не апдейтишь пакет?
-
$ ifconfig xl0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9 <rxcsum,vlan_mtu>ether 00:04:75:9e:0d:63 inet 192.168.9.1 netmask 0xffffff00 broadcast 192.168.9.255 inet6 fe80::204:75ff:fe9e:d63%xl0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (100baseTX <full-duplex>) status: active xl1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9 <rxcsum,vlan_mtu>ether 00:0e:a6:21:30:d2 inet6 fe80::20e:a6ff:fe21:30d2%xl1 prefixlen 64 scopeid 0x2 inet 172.17.133.110 netmask 0xfffffc00 broadcast 172.17.135.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 enc0: flags=0<> metric 0 mtu 1536 pfsync0: flags=41 <up,running>metric 0 mtu 1460 pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128 pflog0: flags=100 <promisc>metric 0 mtu 33204 ng0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1500 inet 10.100.24.106 --> 172.17.0.1 netmask 0xffffffff inet6 fe80::204:75ff:fe9e:d63%ng0 prefixlen 64 scopeid 0x7</up,pointopoint,running,noarp,simplex,multicast></promisc></up,running></up,loopback,running,multicast></full-duplex></rxcsum,vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,vlan_mtu></up,broadcast,running,simplex,multicast>$ netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 172.17.0.1 UGS 0 5727 ng0 10.100.24.106 lo0 UHS 0 0 lo0 127.0.0.1 127.0.0.1 UH 1 0 lo0 172.17.0.1 10.100.24.106 UH 1 0 ng0 172.17.132.0/22 link#2 UC 0 0 xl1 172.17.132.1 00:30:48:dc:a2:e4 UHLW 2 54 xl1 1196 172.17.133.110 127.0.0.1 UGHS 0 0 lo0 192.168.9.0/24 link#1 UC 0 0 xl0 192.168.9.9 18:a9:05:8b:5c:87 UHLW 1 3186 xl0 857 213.110.96.6 172.17.132.1 UGHS 0 6238 xl1 Internet6: Destination Gateway Flags Netif Expire ::1 ::1 UHL lo0 fe80::%xl0/64 link#1 UC xl0 fe80::204:75ff:fe9e:d63%xl0 00:04:75:9e:0d:63 UHL lo0 fe80::%xl1/64 link#2 UC xl1 fe80::20e:a6ff:fe21:30d2%xl1 00:0e:a6:21:30:d2 UHL lo0 fe80::%lo0/64 fe80::1%lo0 U lo0 fe80::1%lo0 link#3 UHL lo0 fe80::%ng0/64 link#7 UC ng0 fe80::204:75ff:fe9e:d63%ng0 link#7 UHL lo0 ff01:1::/32 link#1 UC xl0 ff01:2::/32 link#2 UC xl1 ff01:3::/32 ::1 UC lo0 ff01:7::/32 link#7 UC ng0 ff02::%xl0/32 link#1 UC xl0 ff02::%xl1/32 link#2 UC xl1 ff02::%lo0/32 ::1 UC lo0 ff02::%ng0/32 link#7 UC ng0$ pfctl -sr scrub all random-id fragment reassemble anchor "ftpsesame/*" all anchor "firewallrules" all block drop quick proto tcp from any port = 0 to any block drop quick proto tcp from any to any port = 0 block drop quick proto udp from any port = 0 to any block drop quick proto udp from any to any port = 0 block drop quick from <snort2c> to any label "Block snort2c hosts" block drop quick from any to <snort2c> label "Block snort2c hosts" block drop in quick inet6 all block drop out quick inet6 all anchor "loopback" all pass in quick on lo0 all flags S/SA keep state label "pass loopback" pass out quick on lo0 all flags S/SA keep state label "pass loopback" anchor "packageearly" all anchor "carp" all pass quick inet proto icmp from 172.17.133.110 to any keep state anchor "dhcpserverlan" all pass in quick on xl0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN" pass in quick on xl0 inet proto udp from any port = bootpc to 192.168.9.1 port = bootps keep state label "allow access to DHCP server on LAN" pass out quick on xl0 inet proto udp from 192.168.9.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN" anchor "wandhcp" all pass out quick on xl1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out wan" block drop in log quick on xl1 inet proto udp from any port = bootps to 192.168.9.0/24 port = bootpc label "block dhcp client out wan" block drop in on ! xl0 inet from 192.168.9.0/24 to any block drop in inet from 192.168.9.1 to any block drop in on xl0 inet6 from fe80::204:75ff:fe9e:d63 to any anchor "spoofing" all anchor "limitingesr" all block drop in quick from <virusprot> to any label "virusprot overload table" pass out quick on xl0 proto icmp all keep state label "let out anything from firewall host itself" pass out quick on xl1 proto icmp all keep state label "let out anything from firewall host itself" pass out quick on xl1 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself" anchor "firewallout" all pass out quick on xl1 all flags S/SA keep state label "let out anything from firewall host itself" pass out quick on xl0 all flags S/SA keep state label "let out anything from firewall host itself" pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host" pass out quick on ng0 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself" pass out quick on ng0 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself" anchor "anti-lockout" all pass in quick on xl0 inet from any to 192.168.9.1 flags S/SA keep state label "anti-lockout web rule" block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout" anchor "ftpproxy" all anchor "pftpx/*" all pass in quick on ng0 inet proto tcp from any port = 8888 to 192.168.9.9 port = 8888 flags S/SA keep state label "USER_RULE" pass in quick on ng0 inet proto udp from any port = 8888 to 192.168.9.9 port = 8888 keep state label "USER_RULE" pass in quick on xl0 inet from 192.168.9.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any" pass in quick on xl0 inet proto icmp all keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port = domain flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port = http flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from 192.168.9.9 to any port >= 1024 flags S/SA keep state label "USER_RULE" pass in quick on xl0 inet proto udp from 192.168.9.9 to any port >= 1024 keep state label "USER_RULE" pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on xl1 inet proto tcp from any port = ftp-data to (xl1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection" pass in quick on ng0 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on ng0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" anchor "imspector" all anchor "miniupnpd" all block drop in log quick all label "Default deny rule" block drop out log quick all label "Default deny rule"</sshlockout></virusprot></snort2c></snort2c>$ pfctl -sn nat-anchor "pftpx/*" all nat-anchor "natearly/*" all nat-anchor "natrules/*" all nat on xl1 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (xl1) port 500 round-robin nat on xl1 inet from 192.168.9.0/24 port = 5060 to any port = 5060 -> (xl1) port 5060 round-robin nat on xl1 inet from 192.168.9.0/24 to any -> (xl1) port 1024:65535 round-robin rdr-anchor "pftpx/*" all rdr-anchor "slb" all no rdr on xl0 proto tcp from any to <vpns> port = ftp rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021 rdr-anchor "imspector" all rdr-anchor "miniupnpd" all</vpns> -
Klikni 'e' chtoby redaktirovat' port-forward, save I apply. Potom esche raz
pfctl -sn -
Klikni 'e' chtoby redaktirovat' port-forward, save I apply. Potom esche raz
pfctl -sn$ pfctl -sn nat-anchor "pftpx/*" all nat-anchor "natearly/*" all nat-anchor "natrules/*" all nat on xl1 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (xl1) port 500 round-robin nat on xl1 inet from 192.168.9.0/24 port = 5060 to any port = 5060 -> (xl1) port 5060 round-robin nat on xl1 inet from 192.168.9.0/24 to any -> (xl1) port 1024:65535 round-robin rdr-anchor "pftpx/*" all rdr-anchor "slb" all no rdr on xl0 proto tcp from any to <vpns> port = ftp rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021 rdr on ng0 inet proto tcp from any to 10.100.24.106 port = 8888 -> 192.168.9.9 rdr on ng0 inet proto udp from any to 10.100.24.106 port = 8888 -> 192.168.9.9 rdr-anchor "imspector" all rdr-anchor "miniupnpd" all</vpns> -
ну вот, port forward заработал -)))
Однако, я был прав - нет у тебя нормального public ip. Не заработает твой торрент -( Меняй провайдера.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.