Netgate Discussion Forum

    pfSense 2.0-BETA5: Unable to limit IPs in Penalty Box

    • L
      ldpaniak
      last edited by

      Currently running 2.0-BETA5 (i386) built on Thu Feb 10 20:50:06 EST 2011.  The system has one wan and one lan interface.

      I am trying to put a single IP into the penalty box using the traffic shaping wizards (your choice of Single-LAN/multi-WAN or multi LAN/WAN).  In short, this does not work.

      Looking at the pf config, you can see that queues have been set up:

      grep queue /tmp/rules.debug
       altq on  em0 hfsc bandwidth 650Kb queue {  qACK,  qDefault  } 
       queue qACK on em0 bandwidth 14% hfsc (  ecn  , linkshare 14%  )  
       queue qDefault on em0 bandwidth 7% hfsc (  ecn  , default  )  
      pass   out  from any to any  queue (qOthersLow)  label "USER_RULE: Penalty Box"
      
      

      But the Penalty Box queue qOthersLow is not defined in the altq statement and the particular IP I am trying to penalize does not appear in the pf config at all.

      This is a long-running problem (e.g. http://forum.pfsense.org/index.php/topic,22344 ) which is probably due to be fixed.

      Thanks.

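The mismatch described in the post above (a filter rule assigning traffic to a queue that no `queue` statement defines) can be checked mechanically. The following is an added example, not part of the original thread or of pfSense; the function names `undefined_queues` and `sample_rules` are hypothetical, and the sample input is the set of lines quoted in the post.

```shell
#!/bin/sh
# Added example: list queues that pf filter rules reference but that no
# "queue <name> ..." statement defines. Reads rules.debug-style text from
# the files given as arguments, or from stdin when none are given.
undefined_queues() {
    awk '
    # ALTQ queue definition, e.g. "queue qACK on em0 bandwidth 14% hfsc (...)"
    $1 == "queue" { defined[$2] = 1; next }

    # Filter rule: look for "queue name" or "queue (name[, name])"
    $1 == "pass" || $1 == "match" || $1 == "block" {
        for (i = 2; i < NF; i++) {
            if ($i == "label") break        # do not scan free-text labels
            if ($i != "queue") continue
            paren = 0
            for (j = i + 1; j <= NF; j++) {
                t = $j
                if (t ~ /\(/) paren = 1
                closed = (t ~ /\)/)
                gsub(/[(),]/, "", t)
                if (t != "") used[t] = 1
                if (!paren || closed) break
            }
        }
    }

    END { for (q in used) if (!(q in defined)) print q }
    ' "$@" | sort
}

# Queue-related lines quoted in the post above.
sample_rules() {
    cat <<'EOF'
 altq on  em0 hfsc bandwidth 650Kb queue {  qACK,  qDefault  }
 queue qACK on em0 bandwidth 14% hfsc (  ecn  , linkshare 14%  )
 queue qDefault on em0 bandwidth 7% hfsc (  ecn  , default  )
pass   out  from any to any  queue (qOthersLow)  label "USER_RULE: Penalty Box"
EOF
}

sample_rules | undefined_queues
```

On the firewall itself the same function can be pointed at the generated ruleset with `undefined_queues /tmp/rules.debug`; empty output means every queue used by a rule has a definition.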
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        It may help to have the shaper section of your config.xml as well as the entire contents of /tmp/rules.debug

        • L
          ldpaniak
          last edited by

          I've attached the shaper section of config.xml and the entire rules.debug file.

          The address I am attempting to block (192.168.56.22) - and other details of the Penalty Box configuration do appear in the ezshaper section of the xml, but do not make it through to rules.debug.

          shaper.xml.txt
          rules.debug.txt

          • T
            torontob
            last edited by

            I am having the same problem. Were you able to solve this issue?

            Is traffic shaping (penalize ip) totally dysfunctional in pfSense?

            Gurus some input please.

            My post related to this:
            http://forum.pfsense.org/index.php/topic,36002.msg185862.html#msg185862

            Regards,

            • E
              eri--
              last edited by

              Can you please show even the ezshaper section from your config?

              • T
                torontob
                last edited by

                My other post (referenced above) includes all the snapshots but here are the configs:

                <ezshaper>
                    <step2>
                        <download>2000</download>
                        <upload>700</upload>
                        <inside_int>opt1</inside_int>
                        <outside_int>wan</outside_int>
                    </step2>
                    <step3>
                        <provider>Asterisk</provider>
                        <address></address>
                        <bandwidth>384</bandwidth>
                    </step3>
                    <step4>
                        <address>192.168.2.5</address>
                        <bandwidthup>300</bandwidthup>
                        <bandwidthdown>1500</bandwidthdown>
                        <enable>on</enable>
                    </step4>
                    <step5>
                        <bandwidthup>10</bandwidthup>
                        <bandwidthdown>10</bandwidthdown>
                        <enable>on</enable>
                        <p2pcatchall>on</p2pcatchall>
                    </step5>
                    <step7>
                        <msrdp>D</msrdp>
                        <vnc>D</vnc>
                        <appleremotedesktop>D</appleremotedesktop>
                        <pcanywhere>D</pcanywhere>
                        <irc>D</irc>
                        <jabber>D</jabber>
                        <icq>D</icq>
                        <aolinstantmessenger>D</aolinstantmessenger>
                        <msnmessenger>D</msnmessenger>
                        <teamspeak>D</teamspeak>
                        <pptp>D</pptp>
                        <ipsec>D</ipsec>
                        <streamingmp3>D</streamingmp3>
                        <rtsp>D</rtsp>
                        <http>D</http>
                        <smtp>D</smtp>
                        <pop3>D</pop3>
                        <imap>D</imap>
                    </step7>
                </ezshaper>

                I thought penalize would be a no-brainer as this is not even QoS.

                Thanks,
                
                • T
                  torontob
                  last edited by

                  Anything on this?

                  Regards,

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.