Traffic Shaper
-
Hello forum,
When I first set up the traffic shaper, everything seemed OK at first glance.
After I had the idea of switching the value from kbps to MB (changed the value 2000 to 2), it gives me the following message:
There were error(s) loading the rules: pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:30: errors in queue definition pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ upper-limit larger than interface bandwidth /tmp/rules.debug]: …
Via the wizard it went quite well.
I'll try to set the whole thing up again ..... but it would still interest me .... until next time (rule violation)
Thanks
-
Hello everyone,
I still have the problem with the traffic shaper.
Dec 4 01:53:18 php: : There were error(s) loading the rules: pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:30: errors in queue definition pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:31: errors in queue definition pfctl: upper-limit larger than interface bandwidth /tmp/rules.debug:32: errors in queue definition pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ upper-limit larger than interface bandwidth /tmp/rules.debug]:
Here is the rule set:
Diagnostics: Execute command
$ less /tmp/rules.debug
# System Aliases
loopback = "{ lo0 }"
lan = "{ sis0 }"
wan = "{ sis1 }"
enc0 = "{ enc0 }"
DMZ = "{ sis2 }"
WLAN = "{ ath0 }"
# User Aliases
NB_test = "{ 192.168.100.245 }"
set loginterface sis1
set loginterface sis0
set loginterface sis2
set loginterface ath0
set optimization normal
scrub all random-id fragment reassemble
altq on sis1 hfsc bandwidth 1024Kb queue { qwanRoot }
altq on sis2 hfsc bandwidth 256Kb queue { qDMZRoot }
queue qDMZRoot bandwidth 256Kb priority 0 hfsc { qDMZdef, qDMZacks, qPenaltyDown, qP2PDown }
queue qwanRoot bandwidth 1024Kb priority 0 hfsc { qwandef, qwanacks, qPenaltyUp, qP2PUp }
queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qDMZdef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qwanacks bandwidth 20% priority 7 hfsc ( realtime 10% )
queue qDMZacks bandwidth 20% priority 7 hfsc ( realtime 10% )
queue qPenaltyUp bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 340Kb )
queue qPenaltyDown bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 2300Kb )
queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 2000Kb realtime 1Kb )
queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 300Kb realtime 1Kb )
nat-anchor "pftpx/"
nat-anchor "natearly/"
nat-anchor "natrules/*"
# FTP proxy
rdr-anchor "pftpx/*"
# Outbound NAT rules
nat on $wan from 192.168.10.0/24 to any -> (sis1)
nat on $wan from 192.168.100.0/24 to any -> (sis1)
nat on $wan from 192.168.30.0/24 to any -> (sis1)
# SSH Lockout Table
table <sshlockout> persist
# Load balancing anchor - slbd updates
rdr-anchor "slb"
# FTP Proxy/helper
table <vpns> { }
no rdr on sis0 proto tcp from any to <vpns> port 21
rdr on sis0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
no rdr on sis2 proto tcp from any to <vpns> port 21
rdr on sis2 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
# IMSpector rdr anchor
rdr-anchor "imspector"
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
block in all tag unshaped label "SHAPER: first match rule"
pass in on $DMZ from 192.168.100.2 to any keep state tagged unshaped tag qPenaltyDown
pass out on $wan from any to any keep state tagged qPenaltyDown tag qPenaltyUp
pass in on $wan from any to 192.168.100.2 keep state tagged unshaped tag qPenaltyUp
pass out on $DMZ from any to 192.168.100.2 keep state tagged qPenaltyUp tag qPenaltyDown
pass in on $wan proto tcp from any to 192.168.100.0/24 port 4661:4665 keep state tagged unshaped tag qP2PUp
pass out on $DMZ proto tcp from any to 192.168.100.0/24 port 4661:4665 keep state tagged qP2PUp tag qP2PDown
pass in on $DMZ proto tcp from 192.168.100.0/24 to any port 4661:4665 keep state tagged unshaped tag qP2PDown
pass out on $wan proto tcp from any to any port 4661:4665 keep state tagged qP2PDown tag qP2PUp
pass in on $DMZ from 192.168.100.0/24 to any keep state tagged unshaped tag qP2PDown
pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
pass in on $wan from any to 192.168.100.0/24 keep state tagged unshaped tag qP2PUp
pass out on $DMZ from any to 192.168.100.0/24 keep state tagged qP2PUp tag qP2PDown
pass in on $DMZ from 192.168.100.0/24 to any keep state tagged unshaped tag qP2PDown
pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
pass in on $wan from any to 192.168.100.0/24 keep state tagged unshaped tag qP2PUp
pass out on $DMZ from any to 192.168.100.0/24 keep state tagged qP2PUp tag qP2PDown
anchor "ftpsesame/*"
anchor "firewallrules"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"
# package manager early specific hook
anchor "packageearly"
# carp
anchor "carp"
# permit wan interface to ping out (ping_hosts.sh)
pass quick proto icmp from 192.168.2.103 to any keep state
# NAT Reflection rules
# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 192.168.10.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 192.168.10.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
# allow access to DHCP server on opt1
anchor "dhcpserverDMZ"
pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $DMZ proto udp from any port = 68 to 192.168.100.1 port = 67 label "allow access to DHCP server"
pass out quick on $DMZ proto udp from 192.168.100.1 port = 67 to any port = 68 label "allow access to DHCP server"
# allow our DHCP client out to the WAN
anchor "wandhcp"
pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
block in log quick on $wan proto udp from any port = 67 to 192.168.10.0/24 port = 68 label "block dhcp client out wan"
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for sis0
antispoof for sis2
anchor "spoofing"
# block anything from private networks on WAN interface
anchor "spoofing"
antispoof for $wan
block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on sis1 all keep state tagged qPenaltyUp queue (qPenaltyUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on sis1 all keep state tagged qP2PUp queue (qP2PUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on sis1 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
pass out quick on sis0 all keep state label "let out anything from firewall host itself"
pass out quick on sis2 all keep state tagged qPenaltyDown queue (qPenaltyDown, qDMZacks) label "let out anything from firewall host itself"
pass out quick on sis2 all keep state tagged qP2PDown queue (qP2PDown, qDMZacks) label "let out anything from firewall host itself"
pass out quick on sis2 all keep state queue (qDMZdef, qDMZacks) label "let out anything from firewall host itself"
pass out quick on ath0 all keep state label "let out anything from firewall host itself"
pass out quick on $enc0 keep state label "IPSEC internal host to host"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on sis2 proto icmp keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
pass out quick on $DMZ all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick on sis0 from any to 192.168.10.1 keep state label "anti-lockout web rule"
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
anchor "ftpproxy"
anchor "pftpx/*"
# User-defined aliases follow
# Anchors for rules that might be matched by queues
anchor qDMZRoot tagged qDMZRoot
load anchor qDMZRoot from "/tmp/qDMZRoot.rules"
anchor qwanRoot tagged qwanRoot
load anchor qwanRoot from "/tmp/qwanRoot.rules"
anchor qwandef tagged qwandef
load anchor qwandef from "/tmp/qwandef.rules"
anchor qDMZdef tagged qDMZdef
load anchor qDMZdef from "/tmp/qDMZdef.rules"
anchor qwanacks tagged qwanacks
load anchor qwanacks from "/tmp/qwanacks.rules"
anchor qDMZacks tagged qDMZacks
load anchor qDMZacks from "/tmp/qDMZacks.rules"
anchor qPenaltyUp tagged qPenaltyUp
load anchor qPenaltyUp from "/tmp/qPenaltyUp.rules"
anchor qPenaltyDown tagged qPenaltyDown
load anchor qPenaltyDown from "/tmp/qPenaltyDown.rules"
anchor qP2PUp tagged qP2PUp
load anchor qP2PUp from "/tmp/qP2PUp.rules"
anchor qP2PDown tagged qP2PDown
load anchor qP2PDown from "/tmp/qP2PDown.rules"
# User-defined rules follow
pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 53 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 80 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 443 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 21 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4662 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 4672 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4661 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto udp from 192.168.100.0/24 to any port = 4665 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4711 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $DMZ proto tcp from 192.168.100.0/24 to any port = 4712 keep state queue (qDMZdef, qDMZacks) label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 22 keep state label "USER_RULE: Default LAN -> any"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 80 keep state label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 443 keep state label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 21 keep state label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 25 keep state label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 110 keep state label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 995 keep state label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 143 keep state label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 993 keep state label "USER_RULE"
pass in quick on $lan proto tcp from 192.168.10.0/24 to any port = 5001 keep state label "USER_RULE: OpenVPN"
# sis2 opt2 array key does not exist for
# VPN Rules
pass in quick on sis0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on sis0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on sis1 inet proto tcp from port 20 to (sis1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
# enable ftp-proxy
pass in quick on sis2 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on sis2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
# IMSpector
anchor "imspector"
# uPnPd
anchor "miniupnpd"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"
I don't understand what the problem is.
I have a 3000 line
and the whole thing runs on a WRAP board, 3 x ethX, 1 x miniPCI for WLAN
no matter what I do, it doesn't work
I just don't want to give P2P the whole bandwidth
3000 down
446 up
P2P 2000 down max
P2P 300 up max
the P2P machine hangs off the DMZ (OPT1)
the rest via a switch on the LAN
WAN goes to the DSL router
I'd like the rest for surfing
tips would be nice, thanks
(I've been at this thing all evening and I'm not getting anywhere)
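The message pfctl prints is a constraint check, not a units problem: in pf's bandwidth syntax Kb is 1000 bit/s and Mb is 1000 Kb, so 2000Kb and 2Mb are the same rate, and an HFSC queue's upperlimit may never exceed the bandwidth declared on the `altq on <if> ... bandwidth` line of its interface. The Python script below is an added example, not pfSense code and not from the posts above: it parses altq/queue lines in the layout pfSense writes, resolves each queue to its interface, converts the bandwidth specs and reports every queue whose upperlimit is larger than the interface bandwidth (plus a parent whose children claim more than it has). Run over the queue definitions quoted in the post it flags three queues, matching the three "errors in queue definition" lines in the log: qPenaltyDown (2300Kb on sis2, declared 256Kb), qP2PUp (2000Kb on sis1, declared 1024Kb) and qP2PDown (300Kb on sis2, declared 256Kb). Note that in the quoted config qP2PUp carries the 2000Kb limit and qP2PDown the 300Kb limit, the reverse of the "2000 down / 300 up" the post says was intended. The CORRECTED variant is a constructed assumption for illustration only: it sets the altq bandwidths to the rates the post gives for the line (446Kb up on sis1, 3000Kb down toward sis2) and swaps the two P2P limits; whether those numbers are right for the real link is for the operator to decide. Simplifications: only the single-value form of upperlimit is handled, and percentages inside service curves are resolved against the parent queue's bandwidth (an assumption about pfctl's reference).

```python
"""Pre-flight check for pf ALTQ/HFSC queue definitions (added example, not pfSense code).

Reproduces the condition behind pfctl's "upper-limit larger than interface
bandwidth": every hfsc queue's upperlimit must fit inside the bandwidth
declared on the `altq on <if> ... bandwidth <bw>` line of its interface.
"""
import re

# pf bandwidth suffixes are decimal: Kb = 1000 bit/s, Mb = 1000 Kb, Gb = 1000 Mb.
_UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Matches the line layout pfSense writes (priority before qlimit); other legal
# pf orderings and the (m1 d m2) service-curve form are not handled (simplification).
ALTQ_RE = re.compile(
    r"^altq on (?P<ifname>\S+) (?P<sched>\w+) bandwidth (?P<bw>\S+) queue \{(?P<children>[^}]*)\}"
)
QUEUE_RE = re.compile(
    r"^queue (?P<name>\S+) bandwidth (?P<bw>\S+)"
    r"(?: priority \d+)?(?: qlimit \d+)? (?P<sched>\w+)"
    r"(?: \{(?P<children>[^}]*)\})?(?: \((?P<opts>[^)]*)\))?"
)


def parse_bw(spec, parent_bps=None):
    """Bandwidth spec ('1024Kb', '2Mb', '20%') -> bit/s; '%' is relative to parent_bps."""
    spec = spec.strip()
    if spec.endswith("%"):
        if parent_bps is None:
            raise ValueError(f"{spec}: percentage without a parent bandwidth")
        return parent_bps * float(spec[:-1]) / 100.0
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)b?", spec)
    if not m:
        raise ValueError(f"bad bandwidth spec {spec!r}")
    return float(m.group(1)) * _UNIT[m.group(2)]


def _names(csv):
    return [n.strip() for n in (csv or "").split(",") if n.strip()]


def check_queues(rules):
    """Return pfctl-style error strings; an empty list means the queue tree would load."""
    ifaces, parents, queues = {}, {}, {}  # root -> (ifname, bps); child -> parent; name -> match
    for line in rules.splitlines():
        text = line.strip()
        if m := ALTQ_RE.match(text):
            for root in _names(m["children"]):
                ifaces[root] = (m["ifname"], parse_bw(m["bw"]))
        elif m := QUEUE_RE.match(text):
            queues[m["name"]] = m
            for child in _names(m["children"]):
                parents[child] = m["name"]

    def iface_of(name):  # walk up to the root queue and return its altq interface
        node = name
        while node not in ifaces:
            node = parents.get(node)
            if node is None:
                raise ValueError(f"queue {name} is not attached to any altq interface")
        return ifaces[node]

    cache = {}

    def reference(name):  # what a '%' in this queue's specs is relative to (assumption: parent)
        parent = parents.get(name)
        return bandwidth_of(parent) if parent else iface_of(name)[1]

    def bandwidth_of(name):  # the queue's own bandwidth in absolute bit/s
        if name not in cache:
            cache[name] = parse_bw(queues[name]["bw"], reference(name))
        return cache[name]

    errors = []
    for name, q in queues.items():
        if sum(bandwidth_of(c) for c in _names(q["children"])) > bandwidth_of(name):
            errors.append(f"{name}: the sum of the child bandwidth higher than parent")
        ul = re.search(r"\bupperlimit\s+([^\s(]+)", q["opts"] or "") if q["sched"] == "hfsc" else None
        if ul:
            ifname, if_bps = iface_of(name)
            if parse_bw(ul.group(1), reference(name)) > if_bps:  # the check pfctl fails with
                errors.append(f"{name}: upper-limit larger than interface bandwidth "
                              f"({ul.group(1)} > {if_bps / 1000:g}Kb on {ifname})")
    return errors


# Queue definitions quoted from the post above (the altq lines split back onto two lines).
ORIGINAL = """\
altq on sis1 hfsc bandwidth 1024Kb queue { qwanRoot }
altq on sis2 hfsc bandwidth 256Kb queue { qDMZRoot }
queue qDMZRoot bandwidth 256Kb priority 0 hfsc { qDMZdef, qDMZacks, qPenaltyDown, qP2PDown }
queue qwanRoot bandwidth 1024Kb priority 0 hfsc { qwandef, qwanacks, qPenaltyUp, qP2PUp }
queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qDMZdef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qwanacks bandwidth 20% priority 7 hfsc ( realtime 10% )
queue qDMZacks bandwidth 20% priority 7 hfsc ( realtime 10% )
queue qPenaltyUp bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 340Kb )
queue qPenaltyDown bandwidth 1% priority 2 qlimit 500 hfsc ( red ecn upperlimit 2300Kb )
queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 2000Kb realtime 1Kb )
queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 300Kb realtime 1Kb )
"""

# Constructed variant (assumption, not from the post): interface/root bandwidths set to
# the line's stated rates (446Kb up, 3000Kb down) and the P2P limits swapped to 2000 down / 300 up.
CORRECTED = ORIGINAL
for _old, _new in [
    ("sis1 hfsc bandwidth 1024Kb", "sis1 hfsc bandwidth 446Kb"),
    ("qwanRoot bandwidth 1024Kb", "qwanRoot bandwidth 446Kb"),
    ("sis2 hfsc bandwidth 256Kb", "sis2 hfsc bandwidth 3000Kb"),
    ("qDMZRoot bandwidth 256Kb", "qDMZRoot bandwidth 3000Kb"),
    ("qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 2000Kb",
     "qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 300Kb"),
    ("qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 300Kb",
     "qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc ( red ecn upperlimit 2000Kb"),
]:
    CORRECTED = CORRECTED.replace(_old, _new)

if __name__ == "__main__":
    for label, rules in (("as posted", ORIGINAL), ("corrected", CORRECTED)):
        print(f"== {label}")
        for err in check_queues(rules) or ["no queue errors"]:
            print("  " + err)
```

On the box itself the authoritative version of this check is `pfctl -nf /tmp/rules.debug` (parse only, nothing loaded), which prints the same messages before the GUI tries to apply the rules; in the pfSense shaper the value that has to grow is the bandwidth on the interface's root queue, not the upperlimit of the child.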
-
Did someone mix up kilobit and megabyte? After 8 bits I'd say so too, I'd be as wide as a byte.. ;)