Traffic Shaper



  • Hello forum,

    when I set up the traffic shaper for the first time, everything seemed OK at first glance.

    After I got the idea of switching the value from kbps to mb (changed the value from 2000 to 2), it gives me the following message:

    There were error(s) loading the rules: pfctl: upper-limit larger than interface bandwidth/tmp/rules.debug:30: errors in queue definition pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ upper-limit larger than interface bandwidth /tmp/rules.debug]: …

    It went quite well via the wizard.

    I'll try to set the whole thing up again ..... but I'd still be interested .... until next time (rule violation)

    thanks



  • Hello everyone,

    I still have the problem with the traffic shaper.

    Dec 4 01:53:18 php: : There were error(s) loading the rules: pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:30: errors in queue definition pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:31: errors in queue definition pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:32: errors in queue definition pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ upper-limit larger than interface bandwidth /tmp/rules.debug]:

    Here is the ruleset:

    Diagnostics: Execute command

    $ less /tmp/rules.debug

    # System Aliases

    loopback = "{ lo0 }"
    lan = "{ sis0  }"
    wan = "{ sis1  }"
    enc0 = "{ enc0 }"
    DMZ = "{ sis2 }"
    WLAN = "{ ath0 }"

    # User Aliases

    NB_test = "{ 192.168.100.245 }"

    set loginterface sis1
    set loginterface sis0
    set loginterface sis2
    set loginterface ath0
    set optimization normal

    scrub all random-id  fragment reassemble
    altq on sis1 hfsc bandwidth 1024Kb queue { qwanRoot }

    altq on sis2 hfsc bandwidth 256Kb queue { qDMZRoot }

    queue qDMZRoot bandwidth 256Kb priority 0 hfsc { qDMZdef, qDMZacks, qPenaltyDown, qP2PDown }
    queue qwanRoot bandwidth 1024Kb priority 0 hfsc { qwandef, qwanacks, qPenaltyUp, qP2PUp }
    queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
    queue qDMZdef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
    queue qwanacks bandwidth 20% priority 7 hfsc (  realtime 10% )
    queue qDMZacks bandwidth 20% priority 7 hfsc (  realtime 10% )
    queue qPenaltyUp bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn upperlimit 340Kb )
    queue qPenaltyDown bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn upperlimit 2300Kb )
    queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc (  red ecn upperlimit 2000Kb realtime 1Kb )
    queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc (  red ecn upperlimit 300Kb realtime 1Kb )

    nat-anchor "pftpx/"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # FTP proxy

    rdr-anchor "pftpx/*"

    # Outbound NAT rules

    nat on $wan from 192.168.10.0/24 to any -> (sis1)
    nat on $wan from 192.168.100.0/24 to any -> (sis1)
    nat on $wan from 192.168.30.0/24 to any -> (sis1)

    #SSH Lockout Table
    table <sshlockout> persist

    # Load balancing anchor - slbd updates

    rdr-anchor "slb"

    # FTP Proxy/helper

    table <vpns> { }
    no rdr on sis0 proto tcp from any to <vpns> port 21
    rdr on sis0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    no rdr on sis2 proto tcp from any to <vpns> port 21
    rdr on sis2 proto tcp from any to any port 21 -> 127.0.0.1 port 8022

    # IMSpector rdr anchor

    rdr-anchor "imspector"

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    block in all tag unshaped label "SHAPER: first match rule"
    pass in on  $DMZ from 192.168.100.2  to any  keep state tagged unshaped tag qPenaltyDown
    pass out on $wan from any to any keep state tagged qPenaltyDown tag qPenaltyUp
    pass in on  $wan from any  to 192.168.100.2  keep state tagged unshaped tag qPenaltyUp
    pass out on $DMZ from any to 192.168.100.2 keep state tagged qPenaltyUp tag qPenaltyDown
    pass in on  $wan proto tcp from any  to 192.168.100.0/24 port 4661:4665  keep state tagged unshaped tag qP2PUp
    pass out on $DMZ proto tcp from any to 192.168.100.0/24 port 4661:4665 keep state tagged qP2PUp tag qP2PDown
    pass in on  $DMZ proto tcp from 192.168.100.0/24  to any port 4661:4665  keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 4661:4665 keep state tagged qP2PDown tag qP2PUp
    pass in on  $DMZ from 192.168.100.0/24  to any  keep state tagged unshaped tag qP2PDown
    pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
    pass in on  $wan from any  to 192.168.100.0/24  keep state tagged unshaped tag qP2PUp
    pass out on $DMZ from any to 192.168.100.0/24 keep state tagged qP2PUp tag qP2PDown
    pass in on  $DMZ from 192.168.100.0/24  to any  keep state tagged unshaped tag qP2PDown
    pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
    pass in on  $wan from any  to 192.168.100.0/24  keep state tagged unshaped tag qP2PUp
    pass out on $DMZ from any to 192.168.100.0/24 keep state tagged qP2PUp tag qP2PDown

    anchor "ftpsesame/*"
    anchor "firewallrules"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # snort2c

    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # loopback

    anchor "loopback"
    pass in quick on $loopback all label "pass loopback"
    pass out quick on $loopback all label "pass loopback"

    # package manager early specific hook

    anchor "packageearly"

    # carp

    anchor "carp"

    # permit wan interface to ping out (ping_hosts.sh)

    pass quick proto icmp from 192.168.2.103 to any keep state

    # NAT Reflection rules

    # allow access to DHCP server on LAN

    anchor "dhcpserverlan"
    pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
    pass in quick on $lan proto udp from any port = 68 to 192.168.10.1 port = 67 label "allow access to DHCP server on LAN"
    pass out quick on $lan proto udp from 192.168.10.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

    # allow access to DHCP server on opt1

    anchor "dhcpserverDMZ"
    pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $DMZ proto udp from any port = 68 to 192.168.100.1 port = 67 label "allow access to DHCP server"
    pass out quick on $DMZ proto udp from 192.168.100.1 port = 67 to any port = 68 label "allow access to DHCP server"

    # allow our DHCP client out to the WAN

    anchor "wandhcp"
    pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
    block in log quick on $wan proto udp from any port = 67 to 192.168.10.0/24 port = 68 label "block dhcp client out wan"

    # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

    antispoof for sis0
    antispoof for sis2

    anchor "spoofing"

    # block anything from private networks on WAN interface

    anchor "spoofing"
    antispoof for $wan
    block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

    # Support for allow limiting of TCP connections by establishment rate

    anchor "limitingesr"
    table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"

    # pass traffic from firewall -> out

    anchor "firewallout"
    pass out quick on sis1 all keep state tagged qPenaltyUp queue (qPenaltyUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on sis1 all keep state tagged qP2PUp queue (qP2PUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on sis1 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
    pass out quick on sis0 all keep state  label "let out anything from firewall host itself"
    pass out quick on sis2 all keep state tagged qPenaltyDown queue (qPenaltyDown, qDMZacks) label "let out anything from firewall host itself"
    pass out quick on sis2 all keep state tagged qP2PDown queue (qP2PDown, qDMZacks) label "let out anything from firewall host itself"
    pass out quick on sis2 all keep state queue (qDMZdef, qDMZacks) label "let out anything from firewall host itself"
    pass out quick on ath0 all keep state  label "let out anything from firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"

    # let out anything from the firewall host itself and decrypted IPsec traffic

    pass out quick on sis2 proto icmp keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
    pass out quick on $DMZ all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webGUI or SSH

    anchor "anti-lockout"
    pass in quick on sis0 from any to 192.168.10.1 keep state label "anti-lockout web rule"

    # SSH lockout

    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

    anchor "ftpproxy"
    anchor "pftpx/*"

    # User-defined aliases follow

    # Anchors for rules that might be matched by queues

    anchor qDMZRoot tagged qDMZRoot
    load anchor qDMZRoot from "/tmp/qDMZRoot.rules"
    anchor qwanRoot tagged qwanRoot
    load anchor qwanRoot from "/tmp/qwanRoot.rules"
    anchor qwandef tagged qwandef
    load anchor qwandef from "/tmp/qwandef.rules"
    anchor qDMZdef tagged qDMZdef
    load anchor qDMZdef from "/tmp/qDMZdef.rules"
    anchor qwanacks tagged qwanacks
    load anchor qwanacks from "/tmp/qwanacks.rules"
    anchor qDMZacks tagged qDMZacks
    load anchor qDMZacks from "/tmp/qDMZacks.rules"
    anchor qPenaltyUp tagged qPenaltyUp
    load anchor qPenaltyUp from "/tmp/qPenaltyUp.rules"
    anchor qPenaltyDown tagged qPenaltyDown
    load anchor qPenaltyDown from "/tmp/qPenaltyDown.rules"
    anchor qP2PUp tagged qP2PUp
    load anchor qP2PUp from "/tmp/qP2PUp.rules"
    anchor qP2PDown tagged qP2PDown
    load anchor qP2PDown from "/tmp/qP2PDown.rules"

    # User-defined rules follow

    pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 53 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 80 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 443 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 21 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4662 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 4672 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4661 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 4665 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4711 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4712 keep state  queue (qDMZdef, qDMZacks)  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 22 keep state  label "USER_RULE: Default LAN -> any"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 80 keep state  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 443 keep state  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 21 keep state  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 25 keep state  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 110 keep state  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 995 keep state  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 143 keep state  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 993 keep state  label "USER_RULE"
    pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 5001 keep state  label "USER_RULE: OpenVPN"
    #  sis2 opt2 array key does not exist for

    # VPN Rules

    pass in quick on sis0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on sis0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on sis1 inet proto tcp from port 20 to (sis1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

    # enable ftp-proxy

    pass in quick on sis2 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on sis2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

    # IMSpector

    anchor "imspector"

    # uPnPd

    anchor "miniupnpd"

    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log quick all label "Default deny rule"
    block out log quick all label "Default deny rule"


    I don't understand what the problem is.
    I have a 3000 line
    and the whole thing runs on a WRAP board, 3 x ethX, 1 x miniPCI for WLAN

    whatever I do, it doesn't work

    I just don't want to give P2P all the bandwidth

    3000 down
    446 up

    P2P 2000 down max
    P2P 300 up max

    the P2P machine is connected to the DMZ (OPT1)
    the rest via a switch on the LAN
    WAN goes to the DSL router

    I'd like the rest for surfing

    tips would be nice, thanks

    (I've been stuck on this thing all evening and am not getting anywhere)


  • Moderator

    Did someone get kilobit and megabyte mixed up? After 8 Bit I'd agree, I'd be as wide as a Byte too.. ;)
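
The "upper-limit larger than interface bandwidth" error in the second post and the moderator's unit remark can both be checked mechanically. The Python script below is an added example, not pfctl or pfSense code. It parses the altq/queue lines of a pf.conf in the form shown in the posted rules.debug, resolves each HFSC queue to the bandwidth declared on its interface's `altq on` line and flags every `upperlimit` above it, which is the single pfctl check behind the three "errors in queue definition" at rules.debug lines 30 to 32 in the log. `POSTED_QUEUES` is copied from the posted ruleset; `PROPOSED_QUEUES` is my own reconstruction from the line speeds stated in the post (3000 kbit/s down declared on the DMZ side, 446 kbit/s up on WAN, P2P capped at 2000 down / 300 up) and is not a configuration that appears in the thread.

```python
"""Check pf ALTQ/HFSC queue definitions for the error reported in the post,
'pfctl: upper-limit larger than interface bandwidth'.

Added example, not pfctl or pfSense code. Handles only the subset of pf.conf
queue syntax that appears in the posted rules.debug; the m1/d/m2 service-curve
form of upperlimit is not handled.
"""
import re

# pf bandwidth units are bits per second with decimal (1000x) prefixes. This is
# the kilobit/megabyte trap: 2000Kb == 2Mb, a bare "2" is 2 bit/s, "MB" is not a unit.
UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
_BW = re.compile(r"^(\d+(?:\.\d+)?)(%|b|Kb|Mb|Gb)?$")
_ALTQ = re.compile(r"^altq on (\S+) .*?bandwidth (\S+) .*?queue \{([^}]*)\}")
_QUEUE = re.compile(r"^queue (\S+) bandwidth (\S+)(.*)$")
_CHILDREN = re.compile(r"\{([^}]*)\}")
_UPPER = re.compile(r"\bupperlimit\s+(\S+)")


def parse_bandwidth(spec, parent_bps):
    """Bits/s for a pf bandwidth spec; a percentage is taken of parent_bps."""
    m = _BW.match(spec)
    if not m:
        raise ValueError("unsupported bandwidth spec %r" % spec)
    value, unit = float(m.group(1)), m.group(2) or "b"
    if unit == "%":
        return int(parent_bps * value / 100)
    return int(value * UNITS[unit])


def check_upperlimits(conf):
    """[(queue, upperlimit_bps, interface_bps)] for every queue whose upperlimit
    exceeds the bandwidth declared on its 'altq on' line: the condition pfctl
    reports as 'upper-limit larger than interface bandwidth'."""
    root_bps, qdefs, parent = {}, {}, {}  # root->iface bps, name->(bw, tail), child->parent
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if (m := _ALTQ.match(line)):
            for root in m.group(3).replace(",", " ").split():
                root_bps[root] = parse_bandwidth(m.group(2), 0)
        elif (m := _QUEUE.match(line)):
            name, bw, tail = m.groups()
            qdefs[name] = (bw, tail)
            kids = _CHILDREN.search(tail)
            for kid in (kids.group(1).replace(",", " ").split() if kids else []):
                parent[kid] = name

    def iface_bps(name):
        while name in parent:  # walk up to the root queue of this interface
            name = parent[name]
        return root_bps[name]

    def queue_bps(name):  # pf resolves a percentage against the parent queue
        base = queue_bps(parent[name]) if name in parent else iface_bps(name)
        return parse_bandwidth(qdefs[name][0], base)

    violations = []
    for name, (_bw, tail) in qdefs.items():
        m = _UPPER.search(tail)
        if m:
            base = queue_bps(parent[name]) if name in parent else iface_bps(name)
            limit = parse_bandwidth(m.group(1), base)
            if limit > iface_bps(name):
                violations.append((name, limit, iface_bps(name)))
    return violations


# Queue section copied from the rules.debug in the post: DMZ (download side)
# declared at 256Kb, WAN (upload side) at 1024Kb.
POSTED_QUEUES = """\
altq on sis1 hfsc bandwidth 1024Kb queue { qwanRoot }
altq on sis2 hfsc bandwidth 256Kb queue { qDMZRoot }
queue qDMZRoot bandwidth 256Kb priority 0 hfsc { qDMZdef, qDMZacks, qPenaltyDown, qP2PDown }
queue qwanRoot bandwidth 1024Kb priority 0 hfsc { qwandef, qwanacks, qPenaltyUp, qP2PUp }
queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qDMZdef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qwanacks bandwidth 20% priority 7 hfsc ( realtime 10% )
queue qDMZacks bandwidth 20% priority 7 hfsc ( realtime 10% )
queue qPenaltyUp bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 340Kb )
queue qPenaltyDown bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 2300Kb )
queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 2000Kb realtime 1Kb )
queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 300Kb realtime 1Kb )
"""

# Constructed for this example (not from the thread): the line speeds the poster
# states, 3000 kbit/s down declared on the DMZ side and 446 kbit/s up on WAN,
# with the P2P caps of 2000 down / 300 up placed in the matching queues.
PROPOSED_QUEUES = """\
altq on sis1 hfsc bandwidth 446Kb queue { qwanRoot }
altq on sis2 hfsc bandwidth 3000Kb queue { qDMZRoot }
queue qDMZRoot bandwidth 3000Kb priority 0 hfsc { qDMZdef, qP2PDown }
queue qwanRoot bandwidth 446Kb priority 0 hfsc { qwandef, qP2PUp }
queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qDMZdef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 300Kb realtime 1Kb )
queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 2000Kb realtime 1Kb )
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_QUEUES), ("proposed", PROPOSED_QUEUES)):
        for queue, limit, cap in check_upperlimits(conf):
            print("%s: %s upperlimit %d bit/s > interface %d bit/s" % (label, queue, limit, cap))
```

Run against the posted queues it reports qPenaltyDown (2300Kb against a 256Kb DMZ root), qP2PUp (2000Kb against the 1024Kb WAN root) and qP2PDown (300Kb against 256Kb), the same three consecutive queue lines the log complains about; against the reconstructed values it reports nothing. The point the script makes concrete is that no unit choice can rescue an upperlimit on an interface whose `altq on` line declares only 256Kb while the downlink is 3000 kbit/s: the declared interface figure is the ceiling. On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the file without loading it and surfaces the same errors before a broken ruleset is committed.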


Locked