No traffic passes WLAN interface after enabling the shaper
-
Hi there,
I've set up four interfaces (WAN, LAN, GUESTWLAN and WLAN) and also added an interface group consisting of LAN and the two WLANs. Now I have some rules set up that allow traffic through my interface group, and certain traffic is also allowed directly on my LAN and WLAN interfaces. When I enable the shaper and my rules are created, I can still get traffic through my LAN interface, but my WLAN is dead. I also see packets get dropped there:

```
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000000 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52653 > 199.59.148.30.80: [|tcp]
00:00:00.534050 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52654 > 199.59.148.30.80: tcp 20 [bad hdr length 0 - too short, < 20]
00:00:01.829260 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52698 > 17.250.248.121.443: [|tcp]
00:00:02.120815 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52684 > 66.220.149.55.80: [|tcp]
00:00:21.173085 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52682 > 66.220.145.38.80: [|tcp]
00:00:08.320537 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52686 > 66.220.147.36.80: [|tcp]
00:00:03.213187 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52610 > 66.220.146.29.80: [|tcp]
00:00:00.201339 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52676 > 66.235.133.11.80: tcp 32 [bad hdr length 0 - too short, < 20]
00:00:03.150894 rule 1/0(match): block in on vr0: 10.0.100.1.64750 > 239.255.255.250.1900: UDP, length 132
00:00:00.015973 rule 1/0(match): block in on vr0: 10.0.100.1.52190 > 10.0.100.254.5351: UDP, length 2
```
The rules for this traffic exist though (from /tmp/rules.debug):
```
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port $WebPorts flags S/SA keep state label "USER_RULE: Allow web traffic"
```
The $LocalNets alias contains my interface group nets and the $WebPorts alias contains my web surfing ports. It does work as soon as I remove the shaper.
Any ideas? Do you need any more info?
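Added here as an editorial example (not code from the thread): a small Python check that parses tcpdump's pflog0 lines like the ones above, evaluates each blocked packet against the quoted "Allow web traffic" rule (using the $LocalNetworks, $WebPorts and LocalNets group values from this thread), and reports the packets that rule should have passed, so you know exactly which flows to chase in `pfctl -vss` / `pfctl -vsr` output. The sample log lines are constructed from the post's own output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input, modelled on the pflog0 lines quoted in the post
# (same addresses, ports and interfaces; the format is what tcpdump prints on pflog0).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52653 > 199.59.148.30.80: [|tcp]
00:00:00.534050 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52654 > 199.59.148.30.80: tcp 20 [bad hdr length 0 - too short, < 20]
00:00:01.829260 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52698 > 17.250.248.121.443: [|tcp]
00:00:03.150894 rule 1/0(match): block in on vr0: 10.0.100.1.64750 > 239.255.255.250.1900: UDP, length 132
00:00:00.015973 rule 1/0(match): block in on vr0: 10.0.100.1.52190 > 10.0.100.254.5351: UDP, length 2
"""

# Aliases and interface group taken from the ruleset and ifconfig output in this thread.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.100.0/24", "172.16.100.0/24", "192.168.100.0/24", "192.168.2.0/24")]
LOCAL_NETS_GROUP = {"vr0", "ath0_wlan0", "ath0_wlan1"}  # ifconfig -g LocalNets
WEB_PORTS = {80, 443}

# "rule N/M": N is the rule's index as printed by `pfctl -vvsr` (@N), M the anchor sub-rule.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\(\w+\): (?P<action>block|pass) (?P<direction>in|out) on "
    r"(?P<ifname>\S+): (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_pflog(text):
    """Parse tcpdump-on-pflog0 lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        rest = e.pop("rest").lower()
        # Truncated captures print "[|tcp]"; full ones print "tcp ..." or "UDP, length ...".
        e["proto"] = "tcp" if "tcp" in rest else "udp" if "udp" in rest else "other"
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries


def in_local_networks(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETWORKS)


def web_rule_matches(e):
    """Would 'pass in quick on $LocalNets proto tcp from $LocalNetworks
    to ! $LocalNetworks port $WebPorts' have matched this packet?"""
    return (e["direction"] == "in" and e["ifname"] in LOCAL_NETS_GROUP
            and e["proto"] == "tcp" and in_local_networks(e["src"])
            and not in_local_networks(e["dst"]) and e["dport"] in WEB_PORTS)


def unexpected_blocks(text):
    """Blocked packets the web rule should have passed: the flows worth chasing."""
    return [e for e in parse_pflog(text) if e["action"] == "block" and web_rule_matches(e)]


def blocks_per_interface(text):
    """Count blocked packets by (interface, rule id) to see which side is affected."""
    return Counter((e["ifname"], e["rule"]) for e in parse_pflog(text) if e["action"] == "block")


if __name__ == "__main__":
    for e in unexpected_blocks(SAMPLE_PFLOG):
        print(f"{e['ifname']}: {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} blocked by rule {e['rule']}")
    print(blocks_per_interface(SAMPLE_PFLOG))
```

On the constructed sample this flags the three TCP flows on ath0_wlan0 and leaves the two vr0 UDP packets alone, which is the same asymmetry the post describes.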
-
Please provide your full ruleset after having the shaping active. (/tmp/rules.debug)
-
```
#System aliases
loopback = "{ lo0 }"
WAN = "{ pppoe0 }"
LAN = "{ vr0 }"
WLAN = "{ ath0_wlan0 }"
MODEMACCESS = "{ vr1 }"
GUESTWLAN = "{ ath0_wlan1 }"
LocalNets = "{ LocalNets }"
#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist
#pfSnortSam tables
table <snort2c>
table <pfsnortsamout>
table <pfsnortsamin>
table <virusprot>
# User Aliases
table <appleservers> { 17.155.0.0/16 79.223.0.0/16 80.149.0.0/16 87.154.0.0/16 }
AppleServers = "<appleservers>"
table <dumbledore> { 172.16.100.5 }
Dumbledore = "<dumbledore>"
table <dyndns_hostname> persist
DynDNS_Hostname = "<dyndns_hostname>"
FaceTimePorts = "{ 3478:3497 16384:16386 16393:16402 }"
FiletransferPorts = "{ 21 22 }"
table <gateprotecta> { 10.0.100.222 }
gateProtectA = "<gateprotecta>"
table <gateprotectb> { 10.0.100.233 }
gateProtectB = "<gateprotectb>"
table <hermione> { 172.16.100.50 }
Hermione = "<hermione>"
IRCPorts = "{ 7000 6667 }"
table <localareanetwork> { 10.0.100.0/24 }
LocalAreaNetwork = "<localareanetwork>"
table <localnetworks> { 10.0.100.0/24 172.16.100.0/24 192.168.100.0/24 192.168.2.0/24 }
LocalNetworks = "<localnetworks>"
table <luna> { 172.16.100.10 }
Luna = "<luna>"
MailPorts = "{ 25 110 143 465 587 993 995 }"
ManagementPorts = "{ 22 8443 80 443 }"
MessagingPorts = "{ 1863 5222 5223 5190 }"
table <penaltybox> { 10.0.100.100/30 10.0.100.104/29 10.0.100.112/29 10.0.100.120/32 172.16.100.100/30 172.16.100.104/29 172.16.100.112/29 172.16.100.120/32 192.168.100.100/30 192.168.100.104/29 192.168.100.112/29 192.168.100.120/32 }
PenaltyBox = "<penaltybox>"
table <pfsense> { 10.0.100.254 172.16.100.254 192.168.100.254 }
pfSense = "<pfsense>"
table <speedport> { 192.168.2.1 }
Speedport = "<speedport>"
StarCraft2Ports = "{ 1119 3724 }"
SteamPorts = "{ 27000:27015 27015:27030 27014:27050 4380 27015 3478 4379 4380 1500 3005 3101 28960 }"
TeamviewerPorts = "{ 5938 60179 }"
WebPorts = "{ 80 443 }"
table <wirelesslocalareanetwork> { 172.16.100.0/24 }
WirelessLocalAreaNetwork = "<wirelesslocalareanetwork>"

# Gateways
GWWAN = " route-to ( pppoe0 x.x.x.x ) "

set loginterface pppoe0
set loginterface vr0
set loginterface ath0_wlan0
set loginterface vr1
set loginterface ath0_wlan1
set optimization normal
set limit states 23000
set limit src-nodes 23000
set skip on pfsync0

scrub in on $WAN all fragment reassemble
scrub in on $LAN all fragment reassemble
scrub in on $WLAN all fragment reassemble
scrub in on $MODEMACCESS all fragment reassemble
scrub in on $GUESTWLAN all fragment reassemble

altq on vr0 priq bandwidth 49000Kb queue { qACK, qOthersDefault, qP2P, qGames, qOthersHigh, qOthersLow }
queue qACK on vr0 priority 6 priq ( ecn )
queue qOthersDefault on vr0 priority 3 priq ( ecn )
queue qP2P on vr0 priority 1 priq ( ecn , default )
queue qGames on vr0 priority 5 priq ( ecn )
queue qOthersHigh on vr0 priority 4 priq ( ecn )
queue qOthersLow on vr0 priority 2 priq ( ecn )

altq on ath0_wlan0 priq bandwidth 49000Kb queue { qACK, qOthersDefault, qP2P, qGames, qOthersHigh, qOthersLow }
queue qACK on ath0_wlan0 priority 6 priq ( ecn )
queue qOthersDefault on ath0_wlan0 priority 3 priq ( ecn )
queue qP2P on ath0_wlan0 priority 1 priq ( ecn , default )
queue qGames on ath0_wlan0 priority 5 priq ( ecn )
queue qOthersHigh on ath0_wlan0 priority 4 priq ( ecn )
queue qOthersLow on ath0_wlan0 priority 2 priq ( ecn )

altq on ath0_wlan1 priq bandwidth 49000Kb queue { qACK, qOthersDefault, qP2P, qGames, qOthersHigh, qOthersLow }
queue qACK on ath0_wlan1 priority 6 priq ( ecn )
queue qOthersDefault on ath0_wlan1 priority 3 priq ( ecn )
queue qP2P on ath0_wlan1 priority 1 priq ( ecn , default )
queue qGames on ath0_wlan1 priority 5 priq ( ecn )
queue qOthersHigh on ath0_wlan1 priority 4 priq ( ecn )
queue qOthersLow on ath0_wlan1 priority 2 priq ( ecn )

altq on pppoe0 priq bandwidth 9000Kb queue { qACK, qOthersDefault, qP2P, qGames, qOthersHigh, qOthersLow }
queue qACK on pppoe0 priority 6 priq ( ecn )
queue qOthersDefault on pppoe0 priority 3 priq ( ecn )
queue qP2P on pppoe0 priority 1 priq ( ecn , default )
queue qGames on pppoe0 priority 5 priq ( ecn )
queue qOthersHigh on pppoe0 priority 4 priq ( ecn )
queue qOthersLow on pppoe0 priority 2 priq ( ecn )

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
nat on $WAN from 10.0.100.0/24 to !192.168.2.1/32 -> x.x.x.x/32 port 1024:65535
nat on $MODEMACCESS from 10.0.100.0/24 to 192.168.2.1/32 -> 192.168.2.254/32 port 1024:65535
nat on $WAN from 172.16.100.0/24 to !192.168.2.1/32 -> x.x.x.x/32 port 1024:65535
nat on $WAN from 192.168.100.0/24 to !192.168.2.1/32 -> x.x.x.x/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <direct_networks> { x.x.x.x/32 10.0.100.0/24 172.16.100.0/24 192.168.2.0/24 192.168.100.0/24 }
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# pfSnortSam
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 8443 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for pppoe0

# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for vr0

# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 10.0.100.254 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 10.0.100.254 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for ath0_wlan0

# allow access to DHCP server on WLAN
pass in on $WLAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $WLAN proto udp from any port = 68 to 172.16.100.254 port = 67 label "allow access to DHCP server"
pass out on $WLAN proto udp from 172.16.100.254 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for vr1
antispoof for ath0_wlan1

# allow access to DHCP server on GUESTWLAN
pass in on $GUESTWLAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $GUESTWLAN proto udp from any port = 68 to 192.168.100.254 port = 67 label "allow access to DHCP server"
pass out on $GUESTWLAN proto udp from 192.168.100.254 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( pppoe0 x.x.x.x ) from x.x.x.x to !x.x.x.x/32 keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on vr0 proto tcp from any to (vr0) port { 8443 443 22 } keep state label "anti-lockout rule"

# User-defined rules follow
match from any to any queue (qOthersLow) label "USER_RULE: Penalty Box"
match proto udp from any to any port 88 queue (qGames) label "USER_RULE: m_Game xbox360-1 outbound"
match proto udp from any to any port 3074 queue (qGames) label "USER_RULE: m_Game xbox360-2 outbound"
match proto tcp from any to any port 3074 queue (qGames,qACK) label "USER_RULE: m_Game xbox360-3 outbound"
match proto tcp from any to any port 3389 queue (qOthersDefault,qACK) label "USER_RULE: m_Other MSRDP outbound"
match proto tcp from any to any port 5899 >< 5931 queue (qOthersHigh,qACK) label "USER_RULE: m_Other VNC outbound"
match proto tcp from any to any port 3283 queue (qOthersHigh,qACK) label "USER_RULE: m_Other AppleRemoteDesktop1 outbound"
match proto tcp from any to any port 5900 queue (qOthersHigh,qACK) label "USER_RULE: m_Other AppleRemoteDesktop2 outbound"
match proto udp from any to any port 3283 queue (qOthersHigh) label "USER_RULE: m_Other AppleRemoteDesktop3 outbound"
match proto udp from any to any port 5900 queue (qOthersHigh) label "USER_RULE: m_Other AppleRemoteDesktop4 outbound"
match proto tcp from any to any port 5631 queue (qOthersLow,qACK) label "USER_RULE: m_Other pcany1 outbound"
match proto udp from any to any port 5632 queue (qOthersLow) label "USER_RULE: m_Other pcany2 outbound"
match proto tcp from any to any port 6666 >< 6671 queue (qOthersDefault,qACK) label "USER_RULE: m_Other IRC outbound"
match proto tcp from any to any port 5222 queue (qOthersDefault,qACK) label "USER_RULE: m_Other IRC outbound"
match proto tcp from any to any port 5223 queue (qOthersDefault,qACK) label "USER_RULE: m_Other IRC outbound"
match proto tcp from any to any port 5269 queue (qOthersDefault,qACK) label "USER_RULE: m_Other IRC outbound"
match proto tcp from any to any port 5190 queue (qOthersDefault,qACK) label "USER_RULE: m_Other ICQ1 outbound"
match proto udp from any to any port 5190 queue (qOthersDefault) label "USER_RULE: m_Other ICQ2 outbound"
match proto tcp from any to any port 5190 queue (qOthersDefault,qACK) label "USER_RULE: m_Other AIM outbound"
match proto tcp from any to any port 1863 queue (qOthersDefault,qACK) label "USER_RULE: m_Other MSN1 outbound"
match proto tcp from any to any port 6890 >< 6901 queue (qOthersDefault,qACK) label "USER_RULE: m_Other MSN2 outbound"
match proto tcp from any to any port 6901 queue (qOthersDefault,qACK) label "USER_RULE: m_Other MSN3 outbound"
match proto udp from any to any port 6901 queue (qOthersDefault) label "USER_RULE: m_Other MSN4 outbound"
match proto tcp from any to any port 14534 queue (qOthersDefault,qACK) label "USER_RULE: m_Other teamspeak1 outbound"
match proto tcp from any to any port 51234 queue (qOthersDefault,qACK) label "USER_RULE: m_Other teamspeak2 outbound"
match proto udp from any to any port 8766 >< 8769 queue (qOthersDefault) label "USER_RULE: m_Other teamspeak3 outbound"
match proto tcp from any to any port 1723 queue (qOthersHigh,qACK) label "USER_RULE: m_Other PPTP outbound"
match proto gre from any to any queue (qOthersHigh) label "USER_RULE: m_Other PPTPGRE outbound"
match proto udp from any to any port 500 queue (qOthersHigh) label "USER_RULE: m_Other IPSEC outbound"
match proto ah from any to any queue (qOthersHigh) label "USER_RULE: m_Other IPSEC outbound"
match proto esp from any to any queue (qOthersHigh) label "USER_RULE: m_Other IPSEC outbound"
match proto tcp from any to any port 7999 >< 8101 queue (qOthersHigh,qACK) label "USER_RULE: m_Other STREAMINGMP3 outbound"
match proto tcp from any to any port 554 queue (qOthersHigh,qACK) label "USER_RULE: m_Other RTSP1 outbound"
match proto tcp from any to any port 80 queue (qOthersHigh,qACK) label "USER_RULE: m_Other HTTP outbound"
match proto tcp from any to any port 443 queue (qOthersHigh,qACK) label "USER_RULE: m_Other HTTPS outbound"
match proto tcp from any to any port 22 queue (qOthersHigh,qACK) label "USER_RULE: m_Other SSH outbound"
match proto tcp from any to any port 25 queue (qOthersDefault,qACK) label "USER_RULE: m_Other SMTP outbound"
match proto tcp from any to any port 110 queue (qOthersLow,qACK) label "USER_RULE: m_Other POP3 outbound"
match proto tcp from any to any port 143 queue (qOthersDefault,qACK) label "USER_RULE: m_Other IMAP outbound"
match proto tcp from any to any port 1352 queue (qOthersLow,qACK) label "USER_RULE: m_Other LotusNotes1 outbound"
match proto udp from any to any port 1352 queue (qOthersLow) label "USER_RULE: m_Other LotusNotes2 outbound"
match proto tcp from any to any port 53 queue (qOthersHigh,qACK) label "USER_RULE: m_Other DNS1 outbound"
match proto udp from any to any port 53 queue (qOthersHigh) label "USER_RULE: m_Other DNS2 outbound"
match inet proto icmp from any to any queue (qOthersHigh) label "USER_RULE: m_Other ICMP outbound"
match proto tcp from any to any port 445 queue (qOthersDefault,qACK) label "USER_RULE: m_Other SMB1 outbound"
match proto tcp from any to any port 136 >< 140 queue (qOthersDefault,qACK) label "USER_RULE: m_Other SMB2 outbound"
match proto tcp from any to any port 161 queue (qOthersDefault,qACK) label "USER_RULE: m_Other SNMP outbound"
match proto udp from any to any port 161 queue (qOthersDefault) label "USER_RULE: m_Other SNMP2 outbound"
match proto tcp from any to any port 3306 queue (qOthersLow,qACK) label "USER_RULE: m_Other MySQL1 outbound"
match proto tcp from any to any port 119 queue (qOthersLow,qACK) label "USER_RULE: m_Other NNTP1 outbound"
match proto udp from any to any port 119 queue (qOthersLow) label "USER_RULE: m_Other NNTP2 outbound"
match proto tcp from any to any port 5999 queue (qOthersLow,qACK) label "USER_RULE: m_Other cvsup outbound"
match proto tcp from any to any port 5001 queue (qOthersLow,qACK) label "USER_RULE: m_Other Slingbox1 outbound"
match proto udp from any to any port 5001 queue (qOthersLow) label "USER_RULE: m_Other Slingbox2 outbound"
match proto tcp from any to any port 3000 queue (qOthersLow,qACK) label "USER_RULE: m_Other HBCI outbound"
pass in log quick on $WAN reply-to ( pppoe0 x.x.x.x ) proto tcp from any to x.x.x.x port 22 flags S/SA keep state ( max-src-conn 5 max-src-conn-rate 5 /30, overload <virusprot> flush global ) label "USER_RULE: Allow Secure Shell to pfSense"
block in quick on $LAN from any to 10.0.100.255 label "USER_RULE: Don't log broadcasts"
pass in quick on $LAN from $gateProtectA to any keep state label "USER_RULE: gateProtect A any"
pass in quick on $LAN from $gateProtectB to any keep state label "USER_RULE: gateProtect B any"
pass in quick on $LAN from 10.0.100.0/24 to 172.16.100.254/24 keep state label "USER_RULE: Default allow LAN to WLAN rule"
pass in quick on $LAN proto tcp from 10.0.100.0/24 to ! $LocalNetworks port 8000 flags S/SA keep state label "USER_RULE: Allow Easynews traffic"
pass in quick on $LAN proto { tcp udp } from 10.0.100.0/24 to ! $LocalNetworks port $SteamPorts keep state label "USER_RULE: Allow Steam"
pass in quick on $LAN proto udp from 10.0.100.0/24 to $AppleServers port $FaceTimePorts keep state label "USER_RULE: Allow Facetime"
pass in quick on $LocalNets proto tcp from $LocalNetworks to $pfSense port $ManagementPorts flags S/SA keep state label "USER_RULE: pfSense Management"
pass in quick on $LocalNets proto tcp from $LocalNetworks to $Speedport port $ManagementPorts flags S/SA keep state label "USER_RULE: Speedport Management"
pass in quick on $LocalNets proto { tcp udp } from $LocalNetworks to $pfSense port 53 keep state label "USER_RULE: pfSense DNS Forwarder"
pass in quick on $LocalNets proto { tcp udp } from $LocalNetworks to $pfSense port 123 keep state label "USER_RULE: pfSense NTP"
pass in quick on $LocalNets inet proto icmp from $LocalNetworks to $pfSense icmp-type echoreq keep state label "USER_RULE: Echo requests to pfSense"
pass in quick on $LocalNets inet proto icmp from $LocalNetworks to $Speedport icmp-type echoreq keep state label "USER_RULE: Echo requests to Speedport"
pass in quick on $LocalNets inet proto icmp from $LocalNetworks to ! $LocalNetworks icmp-type echoreq keep state label "USER_RULE: Echo requests"
pass in quick on $LocalNets proto udp from $LocalNetworks to ! $LocalNetworks port 33433 >< 33535 keep state label "USER_RULE: Traceroute"
pass in quick on $LocalNets proto udp from $LocalNetworks port 1900 to 239.255.255.250 port 1900 keep state label "USER_RULE: SSDP"
pass in quick on $LocalNets proto udp from $LocalNetworks port 5353 to 224.0.0.251 port 5353 keep state label "USER_RULE: MDNS"
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port 8443 flags S/SA keep state label "USER_RULE: Allow pcsync-https"
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port $IRCPorts flags S/SA keep state label "USER_RULE: Allow IRC"
pass in quick on $LocalNets proto { tcp udp } from $LocalNetworks to ! $LocalNetworks port 5354 keep state label "USER_RULE: Allow mdnsresponder"
pass in quick on $LocalNets proto { tcp udp } from $LocalNetworks to ! $LocalNetworks port 5678 keep state label "USER_RULE: Allow Remote Replication Agent Connection"
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port 31234 flags S/SA keep state label "USER_RULE: Allow Guitar Pro Updater"
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port $WebPorts flags S/SA keep state label "USER_RULE: Allow web traffic"
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port $MailPorts flags S/SA keep state label "USER_RULE: Allow mail traffic"
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port $MessagingPorts flags S/SA keep state label "USER_RULE: Allow IM traffic"
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port $FiletransferPorts flags S/SA keep state label "USER_RULE: Allow file transfers"
pass in quick on $LocalNets proto tcp from $LocalNetworks to ! $LocalNetworks port $TeamviewerPorts flags S/SA keep state label "USER_RULE: Allow TeamViewer"
pass in quick on $LocalNets proto { tcp udp } from $LocalNetworks to ! $LocalNetworks port $StarCraft2Ports keep state label "USER_RULE: Allow StarCraft 2 and Battle.net"
block in quick on $WLAN from any to 172.16.100.255 label "USER_RULE: Don't log broadcasts"
pass in quick on $WLAN from 172.16.100.254/24 to 10.0.100.0/24 keep state label "USER_RULE: Default allow WLAN to LAN rule"
pass in quick on $WLAN proto tcp from 172.16.100.254/24 to 172.16.100.254 port 8000 flags S/SA keep state label "USER_RULE: Captive Portal -> pfSense"
pass in quick on $WLAN proto tcp from $Hermione to 172.16.100.254 port 2189 flags S/SA keep state label "USER_RULE: Allow PS3 UPnP"
pass in quick on $WLAN from $Hermione to ! $LocalNetworks keep state label "USER_RULE: Allow PS3 Any"
pass in quick on $WLAN from $Dumbledore to ! $LocalNetworks keep state label "USER_RULE: Allow Dumbledore Any"
block in quick on $MODEMACCESS from $Speedport to any label "USER_RULE: Disable logging for all Speedport traffic"
block in quick on $GUESTWLAN from $Speedport to any label "USER_RULE: Don't log packets from Speedport"

# VPN Rules
anchor "tftp-proxy/*"
# uPnPd
anchor "miniupnpd"
```
-
And did you find anything unusual ermal?
-
Can you please show me the output of ifconfig -g LocalNets?
-
That gives me:
vr0
ath0_wlan0
ath0_wlan1
-
The only thing I can say then is that either this is traffic with IP options or traffic with the don't-fragment bit set.
Can you please collect tcpdumps and pfctl -vss and pfctl -vsr about this?
-
Yeah. I will get that info on the weekend…
-
Updated to the latest snap of today and re-ran the wizard. At the moment this seems to be working. Is it new that the wizard only creates queues for the WAN interface and not for the LAN interfaces anymore?