[01/12/11] Traffic shaper not properly shaping traffic!
-
Anyone have any ideas on this? My network isn't liking torrent traffic not being shaped correctly. I just don't understand why the traffic isn't being shaped correctly.
I have the "torrent and other download box" set to use specific ports on outbound and inbound traffic for torrents, so I know it is using the ports that the shaper is set for.
-
Hey Ermal, I have to ask if there is something wrong with the shaper itself as I haven't heard back in a few, and I got you the info needed. Is it the shaper or my rules?
-
@ermal:
I can tell you just for a start that the rule you have there will not match internal host since it is evaluated after nat so you have to move those rules to LAN before any other rule.
I'm a tad confused on this bit as well, as from the wiki, it would seem that the floating rules are evaluated for all NICs?
@Wiki: Floating rules allow you to set shaping rules for all interfaces at once. They are evaluated before the interface rules, and are non terminating. The last floating rule that matches a stream will be the one that applies.
So are floating rules indeed not evaluated for certain connections? I thought the traffic shaper's floating rules would "just work" since even the wizard puts the rules there (and the wizard should do this right).
I know that once I get the rules working as they should, my next goal is to modify them to work as I'd hoped pfSense 1.2.3 would (and doesn't): I don't want traffic from the future Opt LAN to be shaped from LAN2 to LAN1 or the other way, nor do I want squid traffic from the pfSense router itself to be shaped. Hopefully this is possible as I don't exactly have an extra box to stick between to act as a squid transparent proxy so that I can save some of my bandwidth, without shaping the proxy traffic -- it shouldn't be, on the inside at least, for my purposes.
-
I appear to be experiencing this too. What gives? It's really frustrating. Walking through the wizard with the same rules I had under 1.2.3. VoIP sounded flawless on 1.2.3. Shaper appears to have virtually no effect on my Jan 7 BETA 2.0.
This is a major issue.
-
I'm kinda clueless myself too. Having issues that are kinda similar but different product. Until Ermal or someone else that is a traffic shaper Guru gets on, we're both kinda screwed :( I'm not sure if the rules are just done wrong, or if there is something wrong with the shaper, or somewhere between the code handling what we see for rules and the actual shaper rules.
-
Have you tried the new Jan 10 build? Have you tried erasing settings and redoing everything fresh instead of importing a past config?
-
Meh… hate to do that, but I could. Lots of aliases and such. Granted my rules aren't too complicated just two forwards (that use aliases since I just have a tiny http/ftp/streaming server and a torrent seed box).
I'll give that a shot, but I'm not sure if it will resolve anything as it seems that the rules are partially being followed, just bunches of traffic is slipping through to the default queue.
-
Well, I've installed the latest build, and gotten stuff somewhat where I want it. But now I'm slightly confused as to how to go about setting up the rules. The new wizard decided not to even create queues or rules at all for the LAN side, which in some ways makes sense since incoming traffic isn't always the best to try and shape. But I think it actually helps in my case here, as I do need to keep p2p from chewing on the inbound connection as well, which does seem to work.
But it would not help with p2p much. I'd need to limit it both in and out.
The good thing is that I have the torrent box set to use one port for incoming connections, and a set of ports set for all outbound connections. So it should be easy to shape the traffic -- was really easy in 1.2.3.
-
Just an update: I've installed the latest ISO, cleanly. Remade rules and such, and this time I manually added queues and rules due to the above issue.
2.0-BETA5 (amd64) built on Mon Jan 10 01:41:22 EST 2011
Here are my new rules, based off of what Ermal was stating earlier about it not being processed, so I stuck them in the LAN/WAN areas (hopefully correctly).
Floating: NONE
WAN (Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description):
* | Reserved/not assigned by IANA | * | * | * | * | * | * | Block bogon networks
TCP/UDP | * | * | Server | Server_Services | * | qACK/qDefaultIn | | NAT
TCP | * | * | uT_Box | uT_In | * | qP2Pin | | NAT
UDP | * | * | uT_Box | uT_In | * | qP2Pin | | NAT
LAN (Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description):
TCP/UDP | Admins | * | LAN address | AdminPorts | * | qLANtraffic | |
(block) TCP/UDP | * | * | LAN address | AdminPorts | * | none | |
TCP | uT_Box | uT_Out | * | * | * | qP2P | |
UDP | uT_Box | uT_Out | * | * | * | qP2P | |
* | LAN net | * | * | * | * | none | | Default allow LAN to any rule
I've turned off everything that I can think of on the network that could even THINK of generating much traffic at all, and killed/restarted the latest Ubuntu, Linux Mint, and a few other torrents to hopefully kick the crap out of the network and easily show if traffic is going to the right queues.
It isn't, if I'm not completely daft and reading this wrong. Seems to mostly work for the outgoing (but nowhere near completely), and the inbound shaping isn't working much at all:
pfTop: Up Queue 1-16/16, View: queue, Cache: 10000   02:23:11
QUEUE         BW     SCH   PRIO  PKTS     BYTES     DROP_P  DROP_B  QLEN  BORROW  SUSPEN  P/S   B/S
root_em1      486K   hfsc  0     0        0         0       0       0                     0     0
qACK          315K   hfsc        31       1866      0       0       0                     0     0
qGamesUp      34020  hfsc        0        0         0       0       0                     0     0
qOtherHigh    24300  hfsc        0        0         0       0       0                     0     0
qOtherLow     4860   hfsc        0        0         0       0       0                     0     0
qDefault      4860   hfsc        140711   11992114  11      726     0                     73    6609    << ok, kinda
qP2P          1000   hfsc        203990   17885997  0       0       0                     295   22246   <<
root_em0      100M   hfsc  0     0        0         0       0       0                     0     0
qInternetIn   5821K  hfsc        0        0         0       0       0                     0     0
qACKIn        3783K  hfsc        0        0         0       0       0                     0     0
qGamesIn      407K   hfsc        0        0         0       0       0                     0     0
qOtherHighIn  291K   hfsc        0        0         0       0       0                     0     0
qOtherLowIn   58210  hfsc        0        0         0       0       0                     0     0
qDefaultIn    58210  hfsc        271292   338512K   0       0       0                     370   458210  << very not ok.
qP2Pin        1000   hfsc        175963   211570K   0       0       0                     83    84086   <<
qLANtraffic   65M    hfsc        7413     1662990   0       0       0                     20    4455
The good news is that the rule for LAN traffic seems to work correctly. Yay! Squid now seems to be pushing out cached stuff at >10MB/s. If I could only get p2p traffic to behave I'd be golden.
-
I can't figure it out. Is the shaper broken, or can anyone explain why it isn't shaping the traffic as it should be? The rules in 1.2.3 worked flawlessly. I could saturate the link with p2p traffic and I could run a test of http traffic and it would completely kill the p2p traffic. With 2.x the p2p traffic isn't getting killed at all, and other traffic suffers because of this.
Update:
I created rules to block ANY and ALL traffic through the router directly below the webgui rules and the rules allowing p2p through. This should, to my understanding, block any and all traffic other than p2p in/out. I cleared the states, reset the firewall completely, turned off the download machine, and restarted any computer that could be generating any traffic. I still had massive traffic in the default queues, more than in the p2p queues. Something is definitely wrong here, as the rules should have denied any traffic that could have possibly made it into the 'default' queue!
Another update:
Since I don't think I'd have much of a security issue here, I'm going to post the full /tmp/rules.debug file here, in the hopes that it might help a bit more.

#System aliases
loopback = "{ lo0 }"
WAN = "{ em1 }"
LAN = "{ em0 }"
#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist
#Snort2C table
table <snort2c>
table <virusprot>
# User Aliases
AdminPorts = "{ 1337:1338 }"
table <admins> { 192.168.1.16 192.168.1.15 }
Admins = "<admins>"
Browsing_Ports = "{ 80 443 }"
Mail_Ports = "{ 25 110 143 993 }"
table <server> { 192.168.1.15 }
Server = "<server>"
Server_Services = "{ 80 9001 }"
Squid_ports = "{ 3128 }"
table <ut_box> { 192.168.1.68 }
uT_Box = "<ut_box>"
uT_In = "{ 12801 }"
uT_Out = "{ 12801 12950:12999 }"
# Gateways
GWWAN = " route-to ( em1 192.168.128.1 ) "
set loginterface em1
set loginterface em0
set optimization normal
set limit states 194000
set limit src-nodes 194000
set skip on pfsync0
scrub in on $WAN all fragment reassemble
scrub in on $LAN all fragment reassemble
altq on em1 hfsc bandwidth 486Kb queue { qACK, qGamesUp, qOtherHigh, qOtherLow, qDefault, qP2P }
queue qACK on em1 bandwidth 65% qlimit 2000 hfsc ( ecn , realtime 65% , linkshare 65% )
queue qGamesUp on em1 bandwidth 7% hfsc ( ecn , realtime 7% )
queue qOtherHigh on em1 bandwidth 5% hfsc ( red , ecn , realtime 5% )
queue qOtherLow on em1 bandwidth 1% hfsc ( red , ecn , realtime 1% )
queue qDefault on em1 bandwidth 1% hfsc ( red , ecn , default , realtime 1% )
queue qP2P on em1 bandwidth 1Kb qlimit 2000 hfsc ( red , rio , ecn , realtime 1Kb , linkshare 1Kb )
altq on em0 hfsc bandwidth 100Mb queue { qInternetIn, qLANtraffic }
queue qInternetIn on em0 bandwidth 5821Kb hfsc ( ecn , realtime 5821Kb , linkshare 5821Kb ) { qACKIn, qGamesIn, qOtherHighIn, qOtherLowIn, qDefaultIn, qP2Pin }
queue qACKIn on em0 bandwidth 65% qlimit 2000 hfsc ( ecn , realtime 65% , linkshare 65% )
queue qGamesIn on em0 bandwidth 7% hfsc ( ecn , realtime 7% )
queue qOtherHighIn on em0 bandwidth 5% hfsc ( red , ecn , realtime 5% )
queue qOtherLowIn on em0 bandwidth 1% hfsc ( red , ecn , realtime 1% )
queue qDefaultIn on em0 bandwidth 1% hfsc ( red , ecn , default , realtime 1% )
queue qP2Pin on em0 bandwidth 1Kb qlimit 2000 hfsc ( red , rio , ecn , realtime 1Kb , linkshare 1Kb )
queue qLANtraffic on em0 bandwidth 65Mb hfsc ( ecn , realtime 65Mb )
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules
nat on $WAN from 192.168.1.0/24 to any port 500 -> 192.168.128.10/32 static-port
nat on $WAN from 192.168.1.0/24 to any -> 192.168.128.10/32 static-port
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <direct_networks> { 192.168.128.0/24 192.168.1.0/24 }
# NAT Inbound Redirects
rdr on em1 proto tcp from any to 192.168.128.10 port $uT_In -> $uT_Box
rdr on em1 proto udp from any to 192.168.128.10 port $uT_In -> $uT_Box
rdr on em1 proto tcp from any to 192.168.128.10 port $Server_Services -> $Server
# Setup Squid proxy redirect
no rdr on em0 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
rdr on em0 proto tcp from any to !(em0) port 80 -> 127.0.0.1 port 80
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in all label "Default deny rule"
block out all label "Default deny rule"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# snort2c
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 1338 label "sshlockout"
# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 1337 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for em1
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for em0
# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em1 192.168.128.1 ) from 192.168.128.10 to !192.168.128.0/24 keep state allow-opts label "let out anything from firewall host itself"
# User-defined rules follow
pass in quick on $WAN reply-to ( em1 192.168.128.1 ) proto tcp from any to $uT_Box port $uT_In flags S/SA keep state queue (qP2Pin) label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( em1 192.168.128.1 ) proto udp from any to $uT_Box port $uT_In keep state queue (qP2Pin) label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( em1 192.168.128.1 ) proto { tcp udp } from any to $Server port $Server_Services keep state queue (qP2Pin) label "USER_RULE: NAT "
pass in quick on $LAN proto { tcp udp } from $Admins to 192.168.1.1 port $AdminPorts keep state queue (qLANtraffic) label "USER_RULE"
block in log quick on $LAN proto { tcp udp } from any to 192.168.1.1 port $AdminPorts label "USER_RULE"
pass in quick on $LAN proto tcp from $uT_Box port $uT_Out to any flags S/SA keep state queue (qP2P) label "USER_RULE"
pass in quick on $LAN proto udp from $uT_Box port $uT_Out to any keep state queue (qP2P) label "USER_RULE"
pass in quick on $LAN proto { tcp udp } from 192.168.1.0/24 to 192.168.1.1 port $Squid_ports keep state queue (qLANtraffic) label "USER_RULE"
pass in quick on $LAN from 192.168.1.0/24 to any keep state queue (qDefault,qACKIn) label "USER_RULE: Default allow LAN to any rule"
# VPN Rules
anchor "tftp-proxy/*"
# uPnPd
anchor "miniupnpd"
# Setup squid pass rules for proxy
pass in quick on em0 proto tcp from any to !(em0) port 80 flags S/SA keep state
pass in quick on em0 proto tcp from any to !(em0) port 3128 flags S/SA keep state
Also in case it helps (thank you to xLP on IRC) I have the final rules that are loaded into pf:

$ pfctl -sr
scrub in on em1 all fragment reassemble
scrub in on em0 all fragment reassemble
anchor "relayd/*" all
block drop in all label "Default deny rule"
block drop out all label "Default deny rule"
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to any port = 1338 label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout> to any port = 1337 label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in quick on em1 from <bogons> to any label "block bogon networks from WAN"
block drop in on ! em1 inet from 192.168.128.0/24 to any
block drop in inet from 192.168.128.10 to any
block drop in on em1 inet6 from fe80::221:85ff:fe16:3769 to any
pass in on em1 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
pass out on em1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.1 to any
block drop in on em0 inet6 from fe80::221:85ff:fe16:3768 to any
pass in on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in on em0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
pass out on em0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on lo0 all flags S/SA keep state label "pass loopback"
pass out on lo0 all flags S/SA keep state label "pass loopback"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em1 192.168.128.1) inet from 192.168.128.10 to ! 192.168.128.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <ut_box> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <ut_box> port = 12801 keep state label "USER_RULE: NAT " queue qP2Pin
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <ut_box> port = 12801 flags S/SA keep state allow-opts label "USER_RULE: NAT " queue qP2Pin
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <ut_box> port = 12801 keep state allow-opts label "USER_RULE: NAT " queue qP2Pin
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <server> port = http flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <server> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <server> port = http keep state label "USER_RULE: NAT " queue qP2Pin
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <server> port = 9001 keep state label "USER_RULE: NAT " queue qP2Pin
pass in quick on em0 inet proto tcp from <admins> to 192.168.1.1 port 1337:1338 flags S/SA keep state label "USER_RULE" queue qLANtraffic
pass in quick on em0 inet proto udp from <admins> to 192.168.1.1 port 1337:1338 keep state label "USER_RULE" queue qLANtraffic
block drop in log quick on em0 inet proto tcp from any to 192.168.1.1 port 1337:1338 label "USER_RULE"
block drop in log quick on em0 inet proto udp from any to 192.168.1.1 port 1337:1338 label "USER_RULE"
pass in quick on em0 proto tcp from <ut_box> port = 12801 to any flags S/SA keep state label "USER_RULE" queue qP2P
pass in quick on em0 proto tcp from <ut_box> port 12950:12999 to any flags S/SA keep state label "USER_RULE" queue qP2P
pass in quick on em0 proto udp from <ut_box> port = 12801 to any keep state label "USER_RULE" queue qP2P
pass in quick on em0 proto udp from <ut_box> port 12950:12999 to any keep state label "USER_RULE" queue qP2P
pass in quick on em0 proto tcp from <ut_box> port = 12801 to any flags S/SA keep state allow-opts label "USER_RULE" queue qP2P
pass in quick on em0 proto tcp from <ut_box> port 12950:12999 to any flags S/SA keep state allow-opts label "USER_RULE" queue qP2P
pass in quick on em0 proto udp from <ut_box> port = 12801 to any keep state allow-opts label "USER_RULE" queue qP2P
pass in quick on em0 proto udp from <ut_box> port 12950:12999 to any keep state allow-opts label "USER_RULE" queue qP2P
pass in quick on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 3128 flags S/SA keep state label "USER_RULE" queue qLANtraffic
pass in quick on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.1 port = 3128 keep state label "USER_RULE" queue qLANtraffic
pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" queue(qDefault, qACKIn)
anchor "tftp-proxy/*" all
anchor "miniupnpd" all
pass in quick on em0 proto tcp from any to ! (em0) port = http flags S/SA keep state
pass in quick on em0 proto tcp from any to ! (em0) port = 3128 flags S/SA keep state
Y.A.U.
I just stuffed a 1.2.3 box between the pfsense 2 box and the modem (yay finally figured out how to put stupid freakin' POS isp modem in bridge mode).
The rules for pfsense 1.2.3 are WAY different! This has to be why 2.x isn't shaping right. Now for some input on WHY, and what to do to fix it!
$ pfctl -sr
scrub all random-id max-mss 1452 fragment reassemble
block drop in all label "SHAPER: first match rule" tag unshaped
pass in on sis0 inet proto tcp from 192.168.128.10 port 12950:12999 to any flags S/SA keep state tag qP2PDown tagged unshaped
pass in on sis0 inet proto tcp from 192.168.128.10 port = 12801 to any flags S/SA keep state tag qP2PDown tagged unshaped
pass out on rl0 proto tcp all flags S/SA keep state tag qP2PUp tagged qP2PDown
pass out on ng0 proto tcp all flags S/SA keep state tag qP2PUp tagged qP2PDown
pass in on sis0 inet proto udp from 192.168.128.10 port 12950:12999 to any keep state tag qP2PDown tagged unshaped
pass in on sis0 inet proto udp from 192.168.128.10 port = 12801 to any keep state tag qP2PDown tagged unshaped
pass out on rl0 proto udp all keep state tag qP2PUp tagged qP2PDown
pass in on rl0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PUp tagged unshaped
pass out on ng0 proto udp all keep state tag qP2PUp tagged qP2PDown
pass in on ng0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PUp tagged unshaped
pass out on sis0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PDown tagged qP2PUp
pass in on rl0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PUp tagged unshaped
pass in on ng0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PUp tagged unshaped
pass out on sis0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PDown tagged qP2PUp
pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesUp tagged unshaped
pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesUp tagged unshaped
pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesDown tagged qGamesUp
pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 3016:3021 keep state tag qGamesDown tagged unshaped
pass out on rl0 proto udp from any to any port 3016:3021 keep state tag qGamesUp tagged qGamesDown
pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesUp tagged unshaped
pass out on ng0 proto udp from any to any port 3016:3021 keep state tag qGamesUp tagged qGamesDown
pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesUp tagged unshaped
pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesDown tagged qGamesUp
pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 30000:30500 keep state tag qGamesDown tagged unshaped
pass out on rl0 proto udp from any to any port 30000:30500 keep state tag qGamesUp tagged qGamesDown
pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesUp tagged unshaped
pass out on ng0 proto udp from any to any port 30000:30500 keep state tag qGamesUp tagged qGamesDown
pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesUp tagged unshaped
pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesDown tagged qGamesUp
pass in on rl0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesUp tagged unshaped
pass in on ng0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesUp tagged unshaped
pass out on sis0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesDown tagged qGamesUp
pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 45000:45010 keep state tag qGamesDown tagged unshaped
pass out on rl0 proto udp from any to any port 45000:45010 keep state tag qGamesUp tagged qGamesDown
pass out on ng0 proto udp from any to any port 45000:45010 keep state tag qGamesUp tagged qGamesDown
pass in on sis0 inet proto tcp from 192.168.128.0/24 to any port = 7080 flags S/SA keep state tag qGamesDown tagged unshaped
pass out on rl0 proto tcp from any to any port = 7080 flags S/SA keep state tag qGamesUp tagged qGamesDown
pass out on ng0 proto tcp from any to any port = 7080 flags S/SA keep state tag qGamesUp tagged qGamesDown
pass in on sis0 inet proto tcp from 192.168.128.0/24 to any port = afs3-fileserver flags S/SA keep state tag qGamesDown tagged unshaped
pass out on rl0 proto tcp from any to any port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged qGamesDown
pass in on rl0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged unshaped
pass out on ng0 proto tcp from any to any port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged qGamesDown
pass in on ng0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged unshaped
pass out on sis0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesDown tagged qGamesUp
pass in quick on sis0 proto tcp from any to ! (sis0) port = http flags S/SA keep state
pass in quick on sis0 proto tcp from any to ! (sis0) port = 3128 flags S/SA keep state
anchor "ftpsesame/*" all
anchor "firewallrules" all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
anchor "loopback" all
pass in quick on lo0 all flags S/SA keep state label "pass loopback"
pass out quick on lo0 all flags S/SA keep state label "pass loopback"
anchor "packageearly" all
anchor "carp" all
pass quick inet proto icmp from 98.69.142.38 to any keep state
anchor "dhcpserverlan" all
pass in quick on sis0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
pass in quick on sis0 inet proto udp from any port = bootpc to 192.168.128.1 port = bootps keep state label "allow access to DHCP server on LAN"
pass out quick on sis0 inet proto udp from 192.168.128.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
block drop in quick on rl0 inet proto udp from any port = bootps to 192.168.128.0/24 port = bootpc label "block dhcp client out wan"
block drop in quick on ng0 inet proto udp from any port = bootps to 192.168.128.0/24 port = bootpc label "block dhcp client out wan"
block drop in on ! sis0 inet from 192.168.128.0/24 to any
block drop in inet from 192.168.128.1 to any
block drop in on sis0 inet6 from fe80::20d:87ff:fe0b:30dd to any
anchor "spoofing" all
anchor "spoofing" all
block drop in on ! ng0 inet from 98.69.142.38 to any
block drop in inet from 98.69.142.38 to any
block drop in on rl0 inet6 from fe80::2e0:7dff:feab:dd0b to any
block drop in on ng0 inet6 from fe80::20d:87ff:fe0b:30dd to any
block drop in quick on rl0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in quick on ng0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in quick on rl0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in quick on ng0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in quick on rl0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in quick on ng0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in quick on rl0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
block drop in quick on ng0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
anchor "limitingesr" all
block drop in quick from <virusprot> to any label "virusprot overload table"
anchor "wanbogons" all
block drop in quick on rl0 from <bogons> to any label "block bogon networks from wan"
block drop in quick on ng0 from <bogons> to any label "block bogon networks from wan"
anchor "firewallout" all
pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesUp, qwanacks) tagged qGamesUp
pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesUp, qwanacks) tagged qGamesUp
pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesDown, qlanacks) tagged qGamesDown
pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PDown, qlanacks) tagged qP2PDown
pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qlandef, qlanacks)
pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host"
pass out quick on ng0 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
anchor "ftpproxy" all
anchor "pftpx/*" all
anchor "qwanRoot" all tagged qwanRoot
anchor "qwanacks" all tagged qwanacks
anchor "qGamesUp" all tagged qGamesUp
anchor "qOthersUpH" all tagged qOthersUpH
anchor "qOthersUpL" all tagged qOthersUpL
anchor "qwandef" all tagged qwandef
anchor "qP2PUp" all tagged qP2PUp
anchor "qlanRoot" all tagged qlanRoot
anchor "qlanacks" all tagged qlanacks
anchor "qGamesDown" all tagged qGamesDown
anchor "qOthersDownH" all tagged qOthersDownH
anchor "qOthersDownL" all tagged qOthersDownL
anchor "qlandef" all tagged qlandef
anchor "qP2PDown" all tagged qP2PDown
pass in quick on sis0 inet proto tcp from <admins> to 192.168.128.1 port 1337:1338 flags S/SA keep state label "USER_RULE" queue(qlandef, qlanacks)
block drop in quick on sis0 inet proto tcp from any to 192.168.128.1 port 1337:1338 label "USER_RULE" queue(qlandef, qlanacks)
pass in quick on sis0 inet from 192.168.128.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any" queue(qlandef, qlanacks)
pass in quick on rl0 proto tcp from any to <pfsense_lan> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on rl0 proto tcp from any to <pfsense_lan> port = http flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on rl0 proto udp from any to <pfsense_lan> port = 9001 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on rl0 proto udp from any to <pfsense_lan> port = http keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on ng0 proto tcp from any to <pfsense_lan> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on ng0 proto tcp from any to <pfsense_lan> port = http flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on ng0 proto udp from any to <pfsense_lan> port = 9001 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on ng0 proto udp from any to <pfsense_lan> port = http keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on rl0 proto tcp from any to <pfsense_lan> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on rl0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on ng0 proto tcp from any to <pfsense_lan> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on ng0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on ng0 inet proto tcp from any port = ftp-data to (ng0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
anchor "imspector" all
anchor "miniupnpd" all
block drop in quick all label "Default deny rule"
block drop out quick all label "Default deny rule"
I'd also post the pftop showing that the traffic is going WHERE IT SHOULD, but for some odd reason I can't get pftop to display that page? "8" doesn't work :(
I'm noticing that the rules for 1.2.3 (that work correctly) are at the top, with no "quick" flag set. In 2.x the rules are near the end, and they are set with "quick", which to my understanding means that the traffic isn't processed anymore after that rule. Could this be what is b0rking the shaper?
BTW, thank you again to xLP on IRC. That command helped me dig around a little more. Hopefully some Guru like Ermal can come in here and make some sense out of all of this.
-
Thanks for the report. We are going to look into it.
-
Ahh cool. Thanks, and I hope that my crazy "paste everything and let the Gurus sort it out" approach is somewhat useful. If you guys need any more info please do tell me, and I'll get right to it.
-
Well, for the most part squid is your worst problem in your traffic shaping schema.
Seems you do not have squid on 1.2.3, but I might be wrong on it since you have not shown the NAT rules on 1.2.3 (pfctl -vsn). If you want to know why you do not get anything in the right queues you can check (pfctl -vsr), which shows which rules have matched, and that will tell you which queue the packets have been sent to.
The first thing you have to do is put a rule on floating rules to send packets from localhost, wanip to the queue you've meant for http traffic with direction out.
Then you can start fiddling around with the other rules.
-
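Ermal's advice to read pfctl -vsr is easier to act on with a small helper, because the verbose output is long and each rule's counters sit on the lines below it. The script below is an added example written for this thread; it is not Ermal's code and not part of pfSense. It reads pfctl -vsr from a saved capture, keeps only rules whose Packets counter is non-zero, and prints the packet count, the primary ALTQ queue named in the rule's queue(...) clause (NONE when the rule has none), whether the rule is quick, and the rule text. It also sums packets per queue and returns non-zero when traffic is being passed by a rule with no queue at all; under ALTQ such packets go to the interface's default queue, not the one the wizard meant for them. The function names and the NONE marker are my own choices. The embedded SAMPLE is built from rule and counter lines copied from the 1.2.3 and 2.0 dumps posted later in this thread, laid out the way pfctl prints them, plus one zero-count rule to show it being skipped; in that sample the 2.0 rule pass out all ... "let out anything from firewall host itself" carries 559044 packets and no queue clause.

```sh
#!/bin/sh
# Added example for this thread (not Ermal's code, not part of pfSense):
# summarise which pf rules match packets and which ALTQ queue they use.
#
#   pfctl -vsr > /tmp/rules.txt; sh queuehits.sh /tmp/rules.txt
#   sh queuehits.sh --demo        # run against the SAMPLE below
#   . ./queuehits.sh              # just define the functions

# SAMPLE: rule/counter lines copied from the 1.2.3 (pid 61310) and 2.0
# (pid 2091) dumps in this thread, in pfctl's own layout. The rl0 rule
# with Packets: 0 is included on purpose so it can be seen being skipped.
SAMPLE='pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
  [ Evaluations: 162511 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
  [ Evaluations: 162511 Packets: 782149 Bytes: 261565239 States: 190 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
  [ Evaluations: 111354 Packets: 231456 Bytes: 92571498 States: 324 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 inet from 192.168.128.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any" queue(qlandef, qlanacks)
  [ Evaluations: 7496 Packets: 107177 Bytes: 26332131 States: 133 ]
  [ Inserted: uid 0 pid 61310 ]
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 168216 Packets: 559044 Bytes: 247776218 States: 137 ]
  [ Inserted: uid 0 pid 2091 ]'

# matched_rules: stdin = pfctl -vsr output. Prints, for every rule that has
# matched at least one packet:  <packets> <queue|NONE> <quick|-> <rule>
# The queue is the first name in queue(...); the second one is the ACK queue.
matched_rules() {
    awk '
        /^[^ \t]/ { rule = $0; next }                # unindented line = a rule
        /^[ \t]*\[ Evaluations:/ {
            pkts = $5 + 0                            # "[ Evaluations: N Packets: N ..." -> $5
            if (pkts == 0) next
            q = "NONE"
            if (match(rule, /queue\([^)]*\)/)) {
                q = substr(rule, RSTART + 6, RLENGTH - 7)   # text between the parentheses
                sub(/,.*/, "", q)                    # keep the primary (non-ACK) queue
            }
            quick = (rule ~ /^(pass|block|match)[^"]* quick /) ? "quick" : "-"
            printf "%d %s %s %s\n", pkts, q, quick, rule
        }'
}

# queue_totals: matched packets summed per primary queue; NONE = unshaped.
queue_totals() {
    matched_rules | awk '{ tot[$2] += $1 } END { for (q in tot) print q, tot[q] }' | sort
}

# unshaped_hits: prints rules that pass traffic with no queue clause and
# returns 1 when there are any, so it can be used as a check in a script.
unshaped_hits() {
    matched_rules | awk '$2 == "NONE" { found = 1; print } END { exit (found ? 1 : 0) }'
}

case "${1-}" in
    '')      ;;                                      # sourced: define functions only
    --demo)  printf '%s\n' "$SAMPLE" | queue_totals
             printf '%s\n' "$SAMPLE" | unshaped_hits || echo "WARNING: packets passed with no queue" ;;
    *)       queue_totals < "$1"
             unshaped_hits < "$1" || echo "WARNING: packets passed with no queue" ;;
esac
```

Rules with an Evaluations counter but zero Packets never contributed to a queue no matter what their queue(...) clause says, so the interesting lines are the ones with large counts that show NONE, or a queue other than the one the wizard intended.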
@ermal:
Well, for the most part squid is your worst problem in your traffic shaping schema.
Seems you do not have squid on 1.2.3, but I might be wrong on it since you have not shown the NAT rules on 1.2.3 (pfctl -vsn). If you want to know why you do not get anything in the right queues you can check (pfctl -vsr), which shows which rules have matched, and that will tell you which queue the packets have been sent to.
Squid was on 1.2.3 as well. This isn't a complete ruleset on 1.2.3 like I had before that worked fine, as I seem to have misplaced the config file. One of the reasons I am looking at pfsense 2 is that I can put squid traffic in that qLANtraffic queue (I might not be doing this right but it seems to work so far).
As for the commands, I'm on it, will post at bottom.
The first thing you have to do is put a rule on floating rules to send packets from localhost, wanip to the queue you've meant for http traffic with direction out.
My head just exploded. Might need to dumb that down a tad, or provide an example. I'm hoping you mean:
pass out quick on { em1 } reply-to ( em1 192.168.128.1 ) proto tcp from 127.0.0.1 to any port 80 flags S/SA keep state queue (qOtherLow,qACKIn) label "USER_RULE: Ermal's Rule"
Here goes:
$ pfctl -vsn
nat-anchor "pftpx/*" all
  [ Evaluations: 103551 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
nat-anchor "natearly/*" all
  [ Evaluations: 103551 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
nat-anchor "natrules/*" all
  [ Evaluations: 103551 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
nat on rl0 inet from 192.168.128.0/24 to any -> (ng0) round-robin static-port
  [ Evaluations: 103551 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
nat on ng0 inet from 192.168.128.0/24 to any -> (ng0) round-robin static-port
  [ Evaluations: 103551 Packets: 870730 Bytes: 279926793 States: 241 ]
  [ Inserted: uid 0 pid 61310 ]
nat on rl0 inet from 192.168.1.0/24 to any -> (ng0) round-robin static-port
  [ Evaluations: 46267 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
nat on ng0 inet from 192.168.1.0/24 to any -> (ng0) round-robin static-port
  [ Evaluations: 46267 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
rdr-anchor "pftpx/*" all
  [ Evaluations: 103241 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
rdr-anchor "slb" all
  [ Evaluations: 103241 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
no rdr on sis0 proto tcp from any to <vpns> port = ftp
  [ Evaluations: 103241 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
rdr on sis0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
  [ Evaluations: 29325 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
rdr on ng0 inet proto tcp from any to 98.69.142.38 port = 9001 -> 192.168.128.10
  [ Evaluations: 71505 Packets: 1084 Bytes: 435239 States: 1 ]
  [ Inserted: uid 0 pid 61310 ]
rdr on ng0 inet proto tcp from any to 98.69.142.38 port = http -> 192.168.128.10
  [ Evaluations: 5591 Packets: 168 Bytes: 19357 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
rdr on ng0 inet proto udp from any to 98.69.142.38 port = 9001 -> 192.168.128.10
  [ Evaluations: 73742 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
rdr on ng0 inet proto udp from any to 98.69.142.38 port = http -> 192.168.128.10
  [ Evaluations: 36276 Packets: 2 Bytes: 94 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
rdr on ng0 inet proto tcp from any to 98.69.142.38 port = 12801 -> 192.168.128.10
  [ Evaluations: 42004 Packets: 155605 Bytes: 55421317 States: 27 ]
  [ Inserted: uid 0 pid 61310 ]
rdr on ng0 inet proto udp from any to 98.69.142.38 port = 12801 -> 192.168.128.10
  [ Evaluations: 36429 Packets: 358606 Bytes: 170830375 States: 101 ]
  [ Inserted: uid 0 pid 61310 ]
rdr on sis0 inet proto tcp from any to ! (sis0) port = http -> 127.0.0.1 port 80
  [ Evaluations: 63798 Packets: 107958 Bytes: 67956679 States: 77 ]
  [ Inserted: uid 0 pid 61310 ]
rdr-anchor "imspector" all
  [ Evaluations: 61144 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
rdr-anchor "miniupnpd" all
  [ Evaluations: 61144 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
For 1.2.3
$ pfctl -vsr
scrub all random-id max-mss 1452 fragment reassemble
  [ Evaluations: 5583920 Packets: 5583920 Bytes: 495718779 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in all label "SHAPER: first match rule" tag unshaped
  [ Evaluations: 208008 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto tcp from 192.168.128.10 port 12950:12999 to any flags S/SA keep state tag qP2PDown tagged unshaped
  [ Evaluations: 103803 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto tcp from 192.168.128.10 port = 12801 to any flags S/SA keep state tag qP2PDown tagged unshaped
  [ Evaluations: 25023 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on rl0 proto tcp all flags S/SA keep state tag qP2PUp tagged qP2PDown
  [ Evaluations: 176159 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on ng0 proto tcp all flags S/SA keep state tag qP2PUp tagged qP2PDown
  [ Evaluations: 176159 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto udp from 192.168.128.10 port 12950:12999 to any keep state tag qP2PDown tagged unshaped
  [ Evaluations: 208008 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto udp from 192.168.128.10 port = 12801 to any keep state tag qP2PDown tagged unshaped
  [ Evaluations: 27576 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on rl0 proto udp all keep state tag qP2PUp tagged qP2PDown
  [ Evaluations: 178416 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on rl0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PUp tagged unshaped
  [ Evaluations: 29592 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on ng0 proto udp all keep state tag qP2PUp tagged qP2PDown
  [ Evaluations: 208008 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on ng0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PUp tagged unshaped
  [ Evaluations: 107739 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on sis0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PDown tagged qP2PUp
  [ Evaluations: 169595 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on rl0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PUp tagged unshaped
  [ Evaluations: 206125 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on ng0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PUp tagged unshaped
  [ Evaluations: 206125 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on sis0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PDown tagged qP2PUp
  [ Evaluations: 201292 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesUp tagged unshaped
  [ Evaluations: 200240 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesUp tagged unshaped
  [ Evaluations: 200240 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesDown tagged qGamesUp
  [ Evaluations: 161990 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 3016:3021 keep state tag qGamesDown tagged unshaped
  [ Evaluations: 62196 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on rl0 proto udp from any to any port 3016:3021 keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 66415 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesUp tagged unshaped
  [ Evaluations: 102350 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on ng0 proto udp from any to any port 3016:3021 keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 168765 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesUp tagged unshaped
  [ Evaluations: 71664 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesDown tagged qGamesUp
  [ Evaluations: 102087 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 30000:30500 keep state tag qGamesDown tagged unshaped
  [ Evaluations: 103135 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on rl0 proto udp from any to any port 30000:30500 keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 106877 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesUp tagged unshaped
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on ng0 proto udp from any to any port 30000:30500 keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 106877 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesUp tagged unshaped
  [ Evaluations: 36609 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesDown tagged qGamesUp
  [ Evaluations: 35372 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on rl0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesUp tagged unshaped
  [ Evaluations: 207224 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on ng0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesUp tagged unshaped
  [ Evaluations: 207224 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on sis0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesDown tagged qGamesUp
  [ Evaluations: 165711 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 45000:45010 keep state tag qGamesDown tagged unshaped
  [ Evaluations: 142378 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on rl0 proto udp from any to any port 45000:45010 keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 146599 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on ng0 proto udp from any to any port 45000:45010 keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 146599 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto tcp from 192.168.128.0/24 to any port = 7080 flags S/SA keep state tag qGamesDown tagged unshaped
  [ Evaluations: 208008 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on rl0 proto tcp from any to any port = 7080 flags S/SA keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 146596 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on ng0 proto tcp from any to any port = 7080 flags S/SA keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 146596 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto tcp from 192.168.128.0/24 to any port = afs3-fileserver flags S/SA keep state tag qGamesDown tagged unshaped
  [ Evaluations: 140694 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on rl0 proto tcp from any to any port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 111134 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on rl0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged unshaped
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on ng0 proto tcp from any to any port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged qGamesDown
  [ Evaluations: 111134 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in on ng0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged unshaped
  [ Evaluations: 42300 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out on sis0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesDown tagged qGamesUp
  [ Evaluations: 38863 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 proto tcp from any to ! (sis0) port = http flags S/SA keep state
  [ Evaluations: 69024 Packets: 110942 Bytes: 70010116 States: 96 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 proto tcp from any to ! (sis0) port = 3128 flags S/SA keep state
  [ Evaluations: 26778 Packets: 1 Bytes: 48 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "ftpsesame/*" all
  [ Evaluations: 205292 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "firewallrules" all
  [ Evaluations: 205292 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop quick proto tcp from any port = 0 to any
  [ Evaluations: 205292 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop quick proto tcp from any to any port = 0
  [ Evaluations: 66499 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop quick proto udp from any port = 0 to any
  [ Evaluations: 205292 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop quick proto udp from any to any port = 0
  [ Evaluations: 138349 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop quick from <snort2c> to any label "Block snort2c hosts"
  [ Evaluations: 205292 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop quick from any to <snort2c> label "Block snort2c hosts"
  [ Evaluations: 205292 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "loopback" all
  [ Evaluations: 205292 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on lo0 all flags S/SA keep state label "pass loopback"
  [ Evaluations: 205292 Packets: 111531 Bytes: 11476801 States: 6 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on lo0 all flags S/SA keep state label "pass loopback"
  [ Evaluations: 94 Packets: 111531 Bytes: 11476801 States: 6 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "packageearly" all
  [ Evaluations: 205104 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "carp" all
  [ Evaluations: 205104 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass quick inet proto icmp from 98.69.142.38 to any keep state
  [ Evaluations: 205104 Packets: 2507 Bytes: 210588 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "dhcpserverlan" all
  [ Evaluations: 204853 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
  [ Evaluations: 204853 Packets: 7 Bytes: 2305 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 inet proto udp from any port = bootpc to 192.168.128.1 port = bootps keep state label "allow access to DHCP server on LAN"
  [ Evaluations: 27 Packets: 52 Bytes: 17092 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on sis0 inet proto udp from 192.168.128.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
  [ Evaluations: 70456 Packets: 5 Bytes: 1640 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on rl0 inet proto udp from any port = bootps to 192.168.128.0/24 port = bootpc label "block dhcp client out wan"
  [ Evaluations: 174135 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on ng0 inet proto udp from any port = bootps to 192.168.128.0/24 port = bootpc label "block dhcp client out wan"
  [ Evaluations: 174135 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in on ! sis0 inet from 192.168.128.0/24 to any
  [ Evaluations: 139624 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in inet from 192.168.128.1 to any
  [ Evaluations: 139624 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in on sis0 inet6 from fe80::20d:87ff:fe0b:30dd to any
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "spoofing" all
  [ Evaluations: 204815 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "spoofing" all
  [ Evaluations: 204815 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in on ! ng0 inet from 98.69.142.38 to any
  [ Evaluations: 204815 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in inet from 98.69.142.38 to any
  [ Evaluations: 107488 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in on rl0 inet6 from fe80::2e0:7dff:feab:dd0b to any
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in on ng0 inet6 from fe80::20d:87ff:fe0b:30dd to any
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on rl0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on ng0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on rl0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on ng0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on rl0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on ng0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on rl0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on ng0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
  [ Evaluations: 100960 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "limitingesr" all
  [ Evaluations: 204815 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick from <virusprot> to any label "virusprot overload table"
  [ Evaluations: 204815 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "wanbogons" all
  [ Evaluations: 204815 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on rl0 from <bogons> to any label "block bogon networks from wan"
  [ Evaluations: 204815 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on ng0 from <bogons> to any label "block bogon networks from wan"
  [ Evaluations: 204815 Packets: 938 Bytes: 104640 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "firewallout" all
  [ Evaluations: 203877 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesUp, qwanacks) tagged qGamesUp
  [ Evaluations: 203877 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesUp, qwanacks) tagged qGamesUp
  [ Evaluations: 203877 Packets: 35 Bytes: 4827 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
  [ Evaluations: 162511 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
  [ Evaluations: 162511 Packets: 782149 Bytes: 261565239 States: 190 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
  [ Evaluations: 111354 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
  [ Evaluations: 111354 Packets: 231456 Bytes: 92571498 States: 324 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesDown, qlanacks) tagged qGamesDown
  [ Evaluations: 97327 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PDown, qlanacks) tagged qP2PDown
  [ Evaluations: 38664 Packets: 516832 Bytes: 227562826 States: 125 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qlandef, qlanacks)
  [ Evaluations: 86 Packets: 1259 Bytes: 454906 States: 1 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass out quick on ng0 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "ftpproxy" all
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "pftpx/*" all
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qwanRoot" all tagged qwanRoot
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qwanacks" all tagged qwanacks
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qGamesUp" all tagged qGamesUp
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qOthersUpH" all tagged qOthersUpH
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qOthersUpL" all tagged qOthersUpL
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qwandef" all tagged qwandef
  [ Evaluations: 100022 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qP2PUp" all tagged qP2PUp
  [ Evaluations: 100022 Packets: 516833 Bytes: 227562877 States: 125 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qlanRoot" all tagged qlanRoot
  [ Evaluations: 61444 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qlanacks" all tagged qlanacks
  [ Evaluations: 61444 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qGamesDown" all tagged qGamesDown
  [ Evaluations: 61444 Packets: 35 Bytes: 4827 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qOthersDownH" all tagged qOthersDownH
  [ Evaluations: 61437 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qOthersDownL" all tagged qOthersDownL
  [ Evaluations: 61437 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qlandef" all tagged qlandef
  [ Evaluations: 61437 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "qP2PDown" all tagged qP2PDown
  [ Evaluations: 61437 Packets: 782149 Bytes: 261565239 States: 190 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 inet proto tcp from <admins> to 192.168.128.1 port 1337:1338 flags S/SA keep state label "USER_RULE" queue(qlandef, qlanacks)
  [ Evaluations: 10279 Packets: 4216 Bytes: 1973720 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick on sis0 inet proto tcp from any to 192.168.128.1 port 1337:1338 label "USER_RULE" queue(qlandef, qlanacks)
  [ Evaluations: 2275 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 inet from 192.168.128.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any" queue(qlandef, qlanacks)
  [ Evaluations: 7496 Packets: 107177 Bytes: 26332131 States: 133 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on rl0 proto tcp from any to <pfsense_lan> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 2831 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on rl0 proto tcp from any to <pfsense_lan> port = http flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on rl0 proto udp from any to <pfsense_lan> port = 9001 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on rl0 proto udp from any to <pfsense_lan> port = http keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on ng0 proto tcp from any to <pfsense_lan> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 2831 Packets: 1087 Bytes: 435359 States: 1 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on ng0 proto tcp from any to <pfsense_lan> port = http flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 48 Packets: 168 Bytes: 19357 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on ng0 proto udp from any to <pfsense_lan> port = 9001 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 981 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on ng0 proto udp from any to <pfsense_lan> port = http keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 2 Packets: 2 Bytes: 94 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on rl0 proto tcp from any to <pfsense_lan> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 245 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on rl0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on ng0 proto tcp from any to <pfsense_lan> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 245 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on ng0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 195 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
  [ Evaluations: 2746 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on ng0 inet proto tcp from any port = ftp-data to (ng0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
  [ Evaluations: 2746 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "imspector" all
  [ Evaluations: 2746 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
anchor "miniupnpd" all
  [ Evaluations: 2746 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop in quick all label "Default deny rule"
  [ Evaluations: 2746 Packets: 2746 Bytes: 231399 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
block drop out quick all label "Default deny rule"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 61310 ]
-
Sorry for making another post, but it wouldn't let me put it in the last post.
For 2.x
$ pfctl -vsr
scrub in on em1 all fragment reassemble
  [ Evaluations: 3784425 Packets: 798991 Bytes: 41483715 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
scrub in on em0 all fragment reassemble
  [ Evaluations: 1950868 Packets: 1053747 Bytes: 109560619 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
anchor "relayd/*" all
  [ Evaluations: 168216 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in all label "Default deny rule"
  [ Evaluations: 168216 Packets: 1840 Bytes: 371749 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop out all label "Default deny rule"
  [ Evaluations: 168216 Packets: 86 Bytes: 10699 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop quick proto tcp from any port = 0 to any
  [ Evaluations: 168216 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop quick proto tcp from any to any port = 0
  [ Evaluations: 53771 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop quick proto udp from any port = 0 to any
  [ Evaluations: 168216 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop quick proto udp from any to any port = 0
  [ Evaluations: 114338 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop quick from <snort2c> to any label "Block snort2c hosts"
  [ Evaluations: 168216 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop quick from any to <snort2c> label "Block snort2c hosts"
  [ Evaluations: 168216 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in log quick proto tcp from <sshlockout> to any port = 1338 label "sshlockout"
  [ Evaluations: 168216 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in log quick proto tcp from <webconfiguratorlockout> to any port = 1337 label "webConfiguratorlockout"
  [ Evaluations: 27457 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in quick from <virusprot> to any label "virusprot overload table"
  [ Evaluations: 85010 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in quick on em1 from <bogons> to any label "block bogon networks from WAN"
  [ Evaluations: 85010 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in on ! em1 inet from 192.168.128.0/24 to any
  [ Evaluations: 85010 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in inet from 192.168.128.10 to any
  [ Evaluations: 84554 Packets: 494 Bytes: 34632 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in on em1 inet6 from fe80::221:85ff:fe16:3769 to any
  [ Evaluations: 85010 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
pass in on em1 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
  [ Evaluations: 36524 Packets: 4 Bytes: 1312 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
pass out on em1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
  [ Evaluations: 116069 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in on ! em0 inet from 192.168.1.0/24 to any
  [ Evaluations: 168216 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in inet from 192.168.1.1 to any
  [ Evaluations: 120233 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
block drop in on em0 inet6 from fe80::221:85ff:fe16:3768 to any
  [ Evaluations: 85010 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
pass in on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 48486 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
pass in on em0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
pass out on em0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
  [ Evaluations: 107387 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
pass in on lo0 all flags S/SA keep state label "pass loopback"
  [ Evaluations: 168216 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
pass out on lo0 all flags S/SA keep state label "pass loopback"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2091 ]
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 168216 Packets: 559044 Bytes: 247776218 States: 137 ]
  [ Inserted: uid 0 pid 2091 ]
pass out route-to (em1 192.168.128.1) inet from 192.168.128.10 to !
192.168.128.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 83206 Packets: 766649 Bytes: 273943580 States: 192 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <ut_box>port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin [ Evaluations: 168216 Packets: 145916 Bytes: 53977300 States: 23 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <ut_box>port = 12801 keep state label "USER_RULE: NAT " queue qP2Pin [ Evaluations: 32746 Packets: 374294 Bytes: 187859186 States: 111 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <ut_box>port = 12801 flags S/SA keep state allow-opts label "USER_RULE: NAT " queue qP2Pin [ Evaluations: 109 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <ut_box>port = 12801 keep state allow-opts label "USER_RULE: NAT " queue qP2Pin [ Evaluations: 109 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <server>port = http flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin [ Evaluations: 1040 Packets: 168 Bytes: 19357 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <server>port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin [ Evaluations: 67 Packets: 932 Bytes: 376802 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <server>port = http keep state label "USER_RULE: NAT " queue qP2Pin [ Evaluations: 576 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <server>port = 9001 keep state 
label "USER_RULE: NAT " queue qP2Pin [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 inet proto tcp from <admins>to 192.168.1.1 port 1337:1338 flags S/SA keep state label "USER_RULE" queue qLANtraffic [ Evaluations: 84901 Packets: 77331 Bytes: 10091738 States: 1 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 inet proto udp from <admins>to 192.168.1.1 port 1337:1338 keep state label "USER_RULE" queue qLANtraffic [ Evaluations: 24229 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] block drop in log quick on em0 inet proto tcp from any to 192.168.1.1 port 1337:1338 label "USER_RULE" [ Evaluations: 47228 Packets: 21 Bytes: 6197 States: 0 ] [ Inserted: uid 0 pid 2091 ] block drop in log quick on em0 inet proto udp from any to 192.168.1.1 port 1337:1338 label "USER_RULE" [ Evaluations: 24107 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto tcp from <ut_box>port = 12801 to any flags S/SA keep state label "USER_RULE" queue qP2P [ Evaluations: 48658 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto tcp from <ut_box>port 12950:12999 to any flags S/SA keep state label "USER_RULE" queue qP2P [ Evaluations: 23100 Packets: 299740 Bytes: 65699398 States: 106 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto udp from <ut_box>port = 12801 to any keep state label "USER_RULE" queue qP2P [ Evaluations: 25238 Packets: 417355 Bytes: 181931808 States: 70 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto udp from <ut_box>port 12950:12999 to any keep state label "USER_RULE" queue qP2P [ Evaluations: 40 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto tcp from <ut_box>port = 12801 to any flags S/SA keep state allow-opts label "USER_RULE" queue qP2P [ Evaluations: 641 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto tcp from <ut_box>port 12950:12999 to any 
flags S/SA keep state allow-opts label "USER_RULE" queue qP2P [ Evaluations: 574 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto udp from <ut_box>port = 12801 to any keep state allow-opts label "USER_RULE" queue qP2P [ Evaluations: 641 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto udp from <ut_box>port 12950:12999 to any keep state allow-opts label "USER_RULE" queue qP2P [ Evaluations: 40 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 3128 flags S/SA keep state label "USER_RULE" queue qLANtraffic [ Evaluations: 1892 Packets: 21952 Bytes: 16665734 States: 5 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.1 port = 3128 keep state label "USER_RULE" queue qLANtraffic [ Evaluations: 212 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" queue(qDefault, qACKIn) [ Evaluations: 1061 Packets: 30162 Bytes: 12788169 States: 7 ] [ Inserted: uid 0 pid 2091 ] anchor "tftp-proxy/*" all [ Evaluations: 85544 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] anchor "miniupnpd" all [ Evaluations: 85544 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto tcp from any to ! (em0) port = http flags S/SA keep state [ Evaluations: 85544 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ] pass in quick on em0 proto tcp from any to ! 
(em0) port = 3128 flags S/SA keep state [ Evaluations: 672 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 2091 ]</ut_box></ut_box></ut_box></ut_box></ut_box></ut_box></ut_box></ut_box></admins></admins></server></server></server></server></ut_box></ut_box></ut_box></ut_box></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c>
Also, just a heads up if it could affect anything, I have turned on AON on both boxes with static ports. Noticed somewhere it was changing the ports and I'm not sure if that was screwing anything up. The 2.x machine still is showing an almost equal number of packets on the default/p2p queues on both machines.
If I can wrap my head around what you meant for that floating rule, I'll implement it and immediately get back here with the results.
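A small parser for a pfctl -vsr dump like the one above, added here as an example (it is not from the thread or from pfSense), to total bytes per queue and to list pass rules that matched traffic but carry no queue, which is the check the post is doing by eye. The sample input is constructed in the same three-line-per-rule format from a few of the rules above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout pfctl -vsr prints: rule line, then two
# indented bracket lines. Rules and counters copied from the dump above.
SAMPLE = """\
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <ut_box> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
  [ Evaluations: 168216 Packets: 145916 Bytes: 53977300 States: 23 ]
  [ Inserted: uid 0 pid 2091 ]
pass in quick on em0 proto udp from <ut_box> port = 12801 to any keep state label "USER_RULE" queue qP2P
  [ Evaluations: 25238 Packets: 417355 Bytes: 181931808 States: 70 ]
  [ Inserted: uid 0 pid 2091 ]
pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" queue(qDefault, qACKIn)
  [ Evaluations: 1061 Packets: 30162 Bytes: 12788169 States: 7 ]
  [ Inserted: uid 0 pid 2091 ]
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 168216 Packets: 559044 Bytes: 247776218 States: 137 ]
  [ Inserted: uid 0 pid 2091 ]
"""

STATS = re.compile(r"\[ Evaluations: (\d+)\s+Packets: (\d+)\s+Bytes: (\d+)\s+States: (\d+)")
# "queue qName" or "queue(qName, qAckName)": the first name is the data queue.
QUEUE = re.compile(r"queue\(?\s*([^)\s]+)")

def parse_rules(text):
    """Return one dict per rule: rule text, data queue (or None), packets, bytes."""
    rules, current = [], None
    for line in text.splitlines():
        if line and not line.startswith(" "):          # unindented: a rule line
            m = QUEUE.search(line)
            current = {"rule": line.strip(),
                       "queue": m.group(1).rstrip(",") if m else None,
                       "packets": 0, "bytes": 0}
            rules.append(current)
        elif current is not None:                       # indented: counters
            m = STATS.search(line)
            if m:
                current["packets"], current["bytes"] = int(m.group(2)), int(m.group(3))
    return rules

def bytes_per_queue(rules):
    """Bytes matched per data queue; rules without a queue are summed under '(no queue)'."""
    totals = defaultdict(int)
    for r in rules:
        totals[r["queue"] or "(no queue)"] += r["bytes"]
    return dict(totals)

def unqueued_pass_rules(rules):
    """Pass rules that matched packets but name no queue (ALTQ puts them in the default queue)."""
    return [r["rule"] for r in rules
            if r["rule"].startswith("pass") and r["queue"] is None and r["packets"] > 0]
```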
-
Well, I've completely removed squid from the equation, re-installed pfsense from the latest ISO and updated, then re-created the rules again. It still isn't working, and I'm just too frustrated to deal with it for a bit – it is making me feel really stupid, 'cause I just don't understand how the traffic is going where it shouldn't.
It isn't properly shaping traffic out or in for traffic that I've bound for specific ports, and checked 50 times to make sure that the traffic itself is behaving as it should. I've even rebound the rules to the wizard's default ports for the traffic I need to shape and it still isn't working.
I'll admit that much more traffic is indeed going to the correct queue without squid installed. But this was a non-issue with 1.2.3. So I'll wait for some stuff to happen. The GUI needs some TLC. The wizard is broken, half the stuff in the configuration screens is not documented or explained -- which is understandable since nothing is set in stone yet and something might change that would require a lot of GUI rewriting. Rules that make sense in 1.2.3 are largely ineffectual in 2.x. I don't know if maybe the change of rule order in pf, or something else, is doing this.
Basically for me to test 2.x I'd need traffic shaping (and squid, my link sucks so I try to save bandwidth). Traffic shaping is too darn confusing to use right now, bad enough that I'm getting really miffed with it. So I'll sit back and wait till there is some focus on it in development, and I'll be happy to test it out for ease of use and functionality when it gets put into the spotlight. Right now it seems there are other areas that are more important.
But, I hope that it is looked at soon. QoS is important. I may not be a pf god, but I'm not quite an idiot. And if I can't figure out how to shape traffic that I know both the incoming and outgoing ports for, then there is something wrong somewhere.