Traffic Shaper
- 
 Hello forum, when I set up the traffic shaper for the first time everything seemed OK at first glance. After I had the idea of switching the kbps value to mb (changed the value 2000 to 2) it gives me the following message: There were error(s) loading the rules: pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:30: errors in queue definition pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ upper-limit larger than interface bandwidth /tmp/rules.debug]: … It went fine via the wizard; I'll try to set the whole thing up again ..... but I would still be interested .... until next time (rule violation), thanks 
- 
 Hi folks, I still have the problem with the traffic shaper:

 Dec 4 01:53:18 php: : There were error(s) loading the rules:
 pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:30: errors in queue definition
 pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:31: errors in queue definition
 pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:32: errors in queue definition
 pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ upper-limit larger than interface bandwidth /tmp/rules.debug]:

 Here is the rule set (Diagnostics: Execute command, $ less /tmp/rules.debug):

 # System Aliases
 loopback = "{ lo0 }"
 lan = "{ sis0 }"
 wan = "{ sis1 }"
 enc0 = "{ enc0 }"
 DMZ = "{ sis2 }"
 WLAN = "{ ath0 }"

 # User Aliases
 NB_test = "{ 192.168.100.245 }"

 set loginterface sis1
 set loginterface sis0
 set loginterface sis2
 set loginterface ath0
 set optimization normal

 scrub all random-id fragment reassemble

 altq on sis1 hfsc bandwidth 1024Kb queue { qwanRoot }
 altq on sis2 hfsc bandwidth 256Kb queue { qDMZRoot }
 queue qDMZRoot bandwidth 256Kb priority 0 hfsc { qDMZdef, qDMZacks, qPenaltyDown, qP2PDown }
 queue qwanRoot bandwidth 1024Kb priority 0 hfsc { qwandef, qwanacks, qPenaltyUp, qP2PUp }
 queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
 queue qDMZdef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
 queue qwanacks bandwidth 20% priority 7 hfsc ( realtime 10% )
 queue qDMZacks bandwidth 20% priority 7 hfsc ( realtime 10% )
 queue qPenaltyUp bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 340Kb )
 queue qPenaltyDown bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 2300Kb )
 queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 2000Kb realtime 1Kb )
 queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 300Kb realtime 1Kb )

 nat-anchor "pftpx/*"
 nat-anchor "natearly/*"
 nat-anchor "natrules/*"

 # FTP proxy
 rdr-anchor "pftpx/*"

 # Outbound NAT rules
 nat on $wan from 192.168.10.0/24 to any -> (sis1)
 nat on $wan from 192.168.100.0/24 to any -> (sis1)
 nat on $wan from 192.168.30.0/24 to any -> (sis1)

 # SSH Lockout Table
 table <sshlockout> persist

 # Load balancing anchor - slbd updates
 rdr-anchor "slb"

 # FTP Proxy/helper
 table <vpns> { }
 no rdr on sis0 proto tcp from any to <vpns> port 21
 rdr on sis0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 no rdr on sis2 proto tcp from any to <vpns> port 21
 rdr on sis2 proto tcp from any to any port 21 -> 127.0.0.1 port 8022

 # IMSpector rdr anchor
 rdr-anchor "imspector"

 # UPnPd rdr anchor
 rdr-anchor "miniupnpd"

 block in all tag unshaped label "SHAPER: first match rule"
 pass in on $DMZ from 192.168.100.2 to any keep state tagged unshaped tag qPenaltyDown
 pass out on $wan from any to any keep state tagged qPenaltyDown tag qPenaltyUp
 pass in on $wan from any to 192.168.100.2 keep state tagged unshaped tag qPenaltyUp
 pass out on $DMZ from any to 192.168.100.2 keep state tagged qPenaltyUp tag qPenaltyDown
 pass in on $wan proto tcp from any to 192.168.100.0/24 port 4661:4665 keep state tagged unshaped tag qP2PUp
 pass out on $DMZ proto tcp from any to 192.168.100.0/24 port 4661:4665 keep state tagged qP2PUp tag qP2PDown
 pass in on $DMZ proto tcp from 192.168.100.0/24 to any port 4661:4665 keep state tagged unshaped tag qP2PDown
 pass out on $wan proto tcp from any to any port 4661:4665 keep state tagged qP2PDown tag qP2PUp
 pass in on $DMZ from 192.168.100.0/24 to any keep state tagged unshaped tag qP2PDown
 pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
 pass in on $wan from any to 192.168.100.0/24 keep state tagged unshaped tag qP2PUp
 pass out on $DMZ from any to 192.168.100.0/24 keep state tagged qP2PUp tag qP2PDown
 pass in on $DMZ from 192.168.100.0/24 to any keep state tagged unshaped tag qP2PDown
 pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
 pass in on $wan from any to 192.168.100.0/24 keep state tagged unshaped tag qP2PUp
 pass out on $DMZ from any to 192.168.100.0/24 keep state tagged qP2PUp tag qP2PDown

 anchor "ftpsesame/*"
 anchor "firewallrules"

 # We use the mighty pf, we cannot be fooled.
 block quick proto { tcp, udp } from any port = 0 to any
 block quick proto { tcp, udp } from any to any port = 0

 # snort2c
 table <snort2c> persist
 block quick from <snort2c> to any label "Block snort2c hosts"
 block quick from any to <snort2c> label "Block snort2c hosts"

 # loopback
 anchor "loopback"
 pass in quick on $loopback all label "pass loopback"
 pass out quick on $loopback all label "pass loopback"

 # package manager early specific hook
 anchor "packageearly"

 # carp
 anchor "carp"

 # permit wan interface to ping out (ping_hosts.sh)
 pass quick proto icmp from 192.168.2.103 to any keep state

 # NAT Reflection rules

 # allow access to DHCP server on LAN
 anchor "dhcpserverlan"
 pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
 pass in quick on $lan proto udp from any port = 68 to 192.168.10.1 port = 67 label "allow access to DHCP server on LAN"
 pass out quick on $lan proto udp from 192.168.10.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

 # allow access to DHCP server on opt1
 anchor "dhcpserverDMZ"
 pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
 pass in quick on $DMZ proto udp from any port = 68 to 192.168.100.1 port = 67 label "allow access to DHCP server"
 pass out quick on $DMZ proto udp from 192.168.100.1 port = 67 to any port = 68 label "allow access to DHCP server"

 # allow our DHCP client out to the WAN
 anchor "wandhcp"
 pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
 block in log quick on $wan proto udp from any port = 67 to 192.168.10.0/24 port = 68 label "block dhcp client out wan"

 # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
 antispoof for sis0
 antispoof for sis2
 anchor "spoofing"

 # block anything from private networks on WAN interface
 anchor "spoofing"
 antispoof for $wan
 block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
 block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
 block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
 block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

 # Support for allow limiting of TCP connections by establishment rate
 anchor "limitingesr"
 table <virusprot>
 block in quick from <virusprot> to any label "virusprot overload table"

 # pass traffic from firewall -> out
 anchor "firewallout"
 pass out quick on sis1 all keep state tagged qPenaltyUp queue (qPenaltyUp, qwanacks) label "let out anything from firewall host itself"
 pass out quick on sis1 all keep state tagged qP2PUp queue (qP2PUp, qwanacks) label "let out anything from firewall host itself"
 pass out quick on sis1 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
 pass out quick on sis0 all keep state label "let out anything from firewall host itself"
 pass out quick on sis2 all keep state tagged qPenaltyDown queue (qPenaltyDown, qDMZacks) label "let out anything from firewall host itself"
 pass out quick on sis2 all keep state tagged qP2PDown queue (qP2PDown, qDMZacks) label "let out anything from firewall host itself"
 pass out quick on sis2 all keep state queue (qDMZdef, qDMZacks) label "let out anything from firewall host itself"
 pass out quick on ath0 all keep state label "let out anything from firewall host itself"
 pass out quick on $enc0 keep state label "IPSEC internal host to host"

 # let out anything from the firewall host itself and decrypted IPsec traffic
 pass out quick on sis2 proto icmp keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
 pass out quick on $DMZ all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"

 # make sure the user cannot lock himself out of the webGUI or SSH
 anchor "anti-lockout"
 pass in quick on sis0 from any to 192.168.10.1 keep state label "anti-lockout web rule"

 # SSH lockout
 block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

 anchor "ftpproxy"
 anchor "pftpx/*"

 # User-defined aliases follow

 # Anchors for rules that might be matched by queues
 anchor qDMZRoot tagged qDMZRoot
 load anchor qDMZRoot from "/tmp/qDMZRoot.rules"
 anchor qwanRoot tagged qwanRoot
 load anchor qwanRoot from "/tmp/qwanRoot.rules"
 anchor qwandef tagged qwandef
 load anchor qwandef from "/tmp/qwandef.rules"
 anchor qDMZdef tagged qDMZdef
 load anchor qDMZdef from "/tmp/qDMZdef.rules"
 anchor qwanacks tagged qwanacks
 load anchor qwanacks from "/tmp/qwanacks.rules"
 anchor qDMZacks tagged qDMZacks
 load anchor qDMZacks from "/tmp/qDMZacks.rules"
 anchor qPenaltyUp tagged qPenaltyUp
 load anchor qPenaltyUp from "/tmp/qPenaltyUp.rules"
 anchor qPenaltyDown tagged qPenaltyDown
 load anchor qPenaltyDown from "/tmp/qPenaltyDown.rules"
 anchor qP2PUp tagged qP2PUp
 load anchor qP2PUp from "/tmp/qP2PUp.rules"
 anchor qP2PDown tagged qP2PDown
 load anchor qP2PDown from "/tmp/qP2PDown.rules"

 # User-defined rules follow
 pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 53 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 80 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 443 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 21 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4662 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 4672 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4661 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 4665 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4711 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4712 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 22 keep state label "USER_RULE: Default LAN -> any"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 80 keep state label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 443 keep state label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 21 keep state label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 25 keep state label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 110 keep state label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 995 keep state label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 143 keep state label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 993 keep state label "USER_RULE"
 pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 5001 keep state label "USER_RULE: OpenVPN"
 # sis2 opt2 array key does not exist for

 # VPN Rules
 pass in quick on sis0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
 pass in quick on sis0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
 pass in quick on sis1 inet proto tcp from port 20 to (sis1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

 # enable ftp-proxy
 pass in quick on sis2 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
 pass in quick on sis2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

 # IMSpector
 anchor "imspector"

 # uPnPd
 anchor "miniupnpd"

 #---------------------------------------------------------------------------
 # default deny rules
 #---------------------------------------------------------------------------
 block in log quick all label "Default deny rule"
 block out log quick all label "Default deny rule"

 I don't understand what the problem is.
 I have a 3000 line,
 and the whole thing runs on a WRAP board, 3 x ethX, 1 x miniPCI for WLAN. Whatever I do, it doesn't work. I just don't want to give P2P the entire bandwidth: 3000 down,
 446 up; P2P 2000 down max,
 P2P 300 up max. The P2P machine hangs off the DMZ (OPT1),
 the rest via a switch on the LAN,
 WAN goes to the DSL router. I'd like the rest for surfing. Tips would be nice, thanks (I've been stuck on this thing all evening and I'm not getting anywhere).
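As an added example (not part of this thread, pfSense or pf), the script below re-implements the check pfctl is complaining about, for altq/queue lines like the ones pasted in this post. It converts every bandwidth spec to bits per second, accepting only the b, Kb, Mb, Gb and % units that pf.conf(5) documents (so a byte unit like "MB" is rejected), resolves percentage bandwidths against the parent queue, walks each interface's queue tree, and flags every queue whose upperlimit exceeds the interface's altq bandwidth. Run on the constructed sample, which is just the queue definitions from the rules.debug above, it reports exactly the three queues behind the three pfctl errors: qPenaltyDown (2300Kb on a 256Kb sis2), qP2PUp (2000Kb on a 1024Kb sis1) and qP2PDown (300Kb on a 256Kb sis2). It also makes the unit question concrete: parse_bw("2000Kb") and parse_bw("2Mb") are the same number, so a 2000Kb/2Mb upperlimit fails against 1024Kb either way. The sum-of-children check and the exact message wording are the example's own approximations of pfctl's behaviour, not quotations of its source.

```python
"""Offline check of pf altq/HFSC queue definitions reproducing pfctl's
"upper-limit larger than interface bandwidth" error (example, not pf/pfSense code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Absolute units documented in pf.conf(5), all bits per second; byte units such
# as "KB"/"MB" are deliberately rejected here, as pfctl rejects them.
UNITS = {"": 1, "b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
BW_RE = re.compile(r"(\d+(?:\.\d+)?)(%|[A-Za-z]*)")
ALTQ_RE = re.compile(r"^altq on (\S+) \S+ bandwidth (\S+) queue \{([^}]*)\}")
QUEUE_RE = re.compile(r"^queue (\S+) bandwidth (\S+)")


def parse_bw(spec: str, parent_bps: Optional[float] = None) -> float:
    """'1024Kb' -> 1024000.0, '2Mb' -> 2000000.0, '1%' -> 1% of parent_bps."""
    m = BW_RE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"bad bandwidth spec {spec!r}")
    value, unit = float(m.group(1)), m.group(2)
    if unit == "%":
        if parent_bps is None:
            raise ValueError(f"{spec!r}: percentage needs a parent queue")
        return value * parent_bps / 100.0
    if unit not in UNITS:
        raise ValueError(f"{spec!r}: unknown unit {unit!r} (use b, Kb, Mb, Gb or %)")
    return value * UNITS[unit]


@dataclass
class Queue:
    bw_spec: str
    children: List[str] = field(default_factory=list)
    upperlimit: Optional[str] = None
    bps: float = 0.0


def parse_rules(text: str):
    """Return (iface -> altq bits/s, iface -> root queue names, name -> Queue)."""
    ifaces, roots, queues = {}, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := ALTQ_RE.match(line):
            ifaces[m.group(1)] = parse_bw(m.group(2))
            roots[m.group(1)] = m.group(3).replace(",", " ").split()
        elif m := QUEUE_RE.match(line):
            q = queues[m.group(1)] = Queue(m.group(2))
            if kids := re.search(r"\{([^}]*)\}", line):              # child queue list
                q.children = kids.group(1).replace(",", " ").split()
            if ul := re.search(r"\(.*\bupperlimit\s+(\S+).*\)", line):  # hfsc option
                q.upperlimit = ul.group(1)
    return ifaces, roots, queues


def check_hfsc(text: str) -> List[Tuple[str, str]]:
    """Return (queue, message) pairs pfctl would reject; an empty list is clean."""
    ifaces, roots, queues = parse_rules(text)
    errors: List[Tuple[str, str]] = []

    def walk(name: str, iface: str, parent_bps: float) -> None:
        q = queues[name]
        q.bps = parse_bw(q.bw_spec, parent_bps)
        # pfctl compares a queue's upper limit with the interface's altq bandwidth.
        if q.upperlimit and parse_bw(q.upperlimit, parent_bps) > ifaces[iface]:
            errors.append((name, f"upper-limit larger than interface bandwidth ({iface})"))
        for kid in q.children:
            walk(kid, iface, q.bps)
        # Assumption: children may not claim more bandwidth than their parent.
        if sum(queues[k].bps for k in q.children) > q.bps + 1e-6:
            errors.append((name, "sum of child bandwidths exceeds parent"))

    for iface, names in roots.items():
        for root in names:
            walk(root, iface, ifaces[iface])
    return errors


# Constructed sample: the altq/queue lines from the rules.debug pasted above.
SAMPLE_RULES = """\
altq on sis1 hfsc bandwidth 1024Kb queue { qwanRoot }
altq on sis2 hfsc bandwidth 256Kb queue { qDMZRoot }
queue qDMZRoot bandwidth 256Kb priority 0 hfsc { qDMZdef, qDMZacks, qPenaltyDown, qP2PDown }
queue qwanRoot bandwidth 1024Kb priority 0 hfsc { qwandef, qwanacks, qPenaltyUp, qP2PUp }
queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qDMZdef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qwanacks bandwidth 20% priority 7 hfsc ( realtime 10% )
queue qDMZacks bandwidth 20% priority 7 hfsc ( realtime 10% )
queue qPenaltyUp bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 340Kb )
queue qPenaltyDown bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 2300Kb )
queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 2000Kb realtime 1Kb )
queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 300Kb realtime 1Kb )
"""

if __name__ == "__main__":
    for queue, msg in check_hfsc(SAMPLE_RULES):
        print(f"{queue}: {msg}")
```

The script only needs the altq and queue lines, so it can be fed the whole rules.debug and will ignore the rest. On the firewall itself the authoritative dry run is pfctl -nf /tmp/rules.debug, which parses the file without loading it and prints the same queue errors with line numbers.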
- 
 Did someone mix up kilobits and megabytes? After 8 bits I reckon I would too, I'd be as broad as a byte.. ;) 
