Netgate Discussion Forum

    Shaper and speed issues

    Traffic Shaping
    benoit

      I'm trying to get a pfSense box on a Soekris net4801 to do some traffic shaping on my network.
      I ran through the magic shaper wizard and set the speed to 1024/256 kbits, which is half of my internet pipe.
      I'm using version 0.94.12.
      If I try to do some speedtests, I get 67/14 kbits with no other traffic on the line.

      Here is the /tmp/rules.debug:

      # System Aliases

      lan = "{ sis0  }"
      wan = "{ sis1  }"
      pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
      pppoe = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"

      # User Aliases

      set loginterface sis1
      set loginterface sis0
      set optimization normal

      scrub on sis1 all
      altq on sis1 hfsc bandwidth 100Mb queue {  qWANRoot }
      altq on sis0 hfsc bandwidth 100Mb queue {  qLANRoot }

      queue qWANRoot bandwidth 256Kb priority 6 hfsc { qWANdef, qWANacks, qVOIPUp, qOthersUpH, qOthersUpL }
      queue qWANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
      queue qLANRoot bandwidth 1024Kb priority 6 hfsc { qLANdef, qLANacks, qVOIPDown, qOthersDownH, qOthersDownL }
      queue qLANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
      queue qLANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
      queue qWANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
      queue qVOIPUp bandwidth 1% priority 7 hfsc (  ecn upperlimit(32Kb 1 32Kb) linkshare(0% 1000 10%) realtime(32Kb 1 32Kb) )
      queue qVOIPDown bandwidth 1% priority 7 hfsc (  ecn upperlimit(32Kb 1 32Kb) linkshare(0% 1000 10%) realtime(32Kb 1 32Kb) )
      queue qOthersUpH bandwidth 1% priority 4 hfsc (  red ecn upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(1Kb 1 1Kb) )
      queue qOthersDownH bandwidth 1% priority 4 hfsc (  red ecn upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(1Kb 1 1Kb) )
      queue qOthersUpL bandwidth 1% priority 2 hfsc (  red ecn upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(1Kb 1 1Kb) )
      queue qOthersDownL bandwidth 1% priority 2 hfsc (  red ecn upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(1Kb 1 1Kb) )

      nat-anchor "pftpx/*"
      nat-anchor "natearly/*"
      nat-anchor "natrules/*"
      nat on sis1 from 192.168.1.0/24 port 500 to any port 500 -> (sis1) port 500
      nat on sis1 from 192.168.1.0/24 to any -> (sis1)
      # SSH Lockout Table
      table <sshlockout> persist

      # spam table

      table <spamd> persist

      # Load balancing anchor - slbd updates

      rdr-anchor "slb"

      # FTP proxy

      rdr-anchor "pftpx/*"
      rdr on sis0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

      pass in on  sis0 from 192.168.1.0/24 to any tos lowdelay  keep state tag qVOIPDown
      pass out on  sis1 from any to any tos lowdelay  keep state tag qVOIPUp
      pass in on  sis1 from any to 192.168.1.0/24 tos lowdelay  keep state tag qVOIPUp
      pass out on  sis0 from any to 192.168.1.0/24 tos lowdelay  keep state tag qVOIPDown
      pass in on  sis0 proto tcp from 192.168.1.0/24 to any port 53  keep state tag qOthersDownH
      pass out on  sis1 proto tcp from any to any port 53  keep state tag qOthersUpH
      pass in on  sis1 proto tcp from any to 192.168.1.0/24 port 53  keep state tag qOthersUpH
      pass out on  sis0 proto tcp from any to 192.168.1.0/24 port 53  keep state tag qOthersDownH
      pass in on  sis0 proto udp from 192.168.1.0/24 to any port 53  keep state tag qOthersDownH
      pass out on  sis1 proto udp from any to any port 53  keep state tag qOthersUpH
      pass in on  sis1 proto udp from any to 192.168.1.0/24 port 53  keep state tag qOthersUpH
      pass out on  sis0 proto udp from any to 192.168.1.0/24 port 53  keep state tag qOthersDownH

      anchor "firewallrules"

      # loopback

      anchor "loopback"
      pass in quick on lo0 all label "pass loopback"
      pass out quick on lo0 all label "pass loopback"

      # package manager early specific hook

      anchor "packageearly"

      # carp

      anchor "carp"

      # enable ftp-proxy

      anchor "ftpproxy"
      anchor "pftpx/*"
      pass in quick on sis1 inet proto tcp from port 20 to (sis1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

      # allow access to DHCP server on LAN

      anchor "dhcpserverlan"
      pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
      pass in quick on sis0 proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server on LAN"
      pass out quick on sis0 proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

      # WAN spoof check

      anchor "wanspoof"
      block in log quick on sis1 from 192.168.1.0/24 to any label "WAN spoof check"

      # allow our DHCP client out to the WAN
      # XXX - should be more restrictive
      # (not possible at the moment - need 'me' like in ipfw)

      anchor "wandhcp"
      pass out quick on sis1 proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
      block in log quick on sis1 proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "allow dhcp client out wan"

      pass in quick on sis1 proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

      # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

      antispoof for sis0

      # block anything from private networks on WAN interface

      anchor "spoofing"
      block in log quick on sis1 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      block in log quick on sis1 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      block in log quick on sis1 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      block in log quick on sis1 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

      # Support for allow limiting of TCP connections by establishment rate

      anchor "limitingesr"
      table <virusprot>

      # let out anything from the firewall host itself and decrypted IPsec traffic

      pass out quick on sis1 all keep state label "let out anything from firewall host itself"

      # pass traffic from firewall -> out

      anchor "firewallout"
      pass out quick on sis1 all keep state tagged qWANRoot queue qWANRoot label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qWANdef queue qWANdef label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qLANRoot queue qLANRoot label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qLANdef queue qLANdef label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qLANacks queue qLANacks label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qWANacks queue qWANacks label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qVOIPUp queue qVOIPUp label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qVOIPDown queue qVOIPDown label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qOthersUpH queue qOthersUpH label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qOthersDownH queue qOthersDownH label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qOthersUpL queue qOthersUpL label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qOthersDownL queue qOthersDownL label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qWANRoot queue qWANRoot label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qWANdef queue qWANdef label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qLANRoot queue qLANRoot label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qLANdef queue qLANdef label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qLANacks queue qLANacks label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qWANacks queue qWANacks label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qVOIPUp queue qVOIPUp label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qVOIPDown queue qVOIPDown label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qOthersUpH queue qOthersUpH label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qOthersDownH queue qOthersDownH label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qOthersUpL queue qOthersUpL label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qOthersDownL queue qOthersDownL label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state label "let out anything from firewall host itself"

      # make sure the user cannot lock himself out of the webGUI or SSH

      anchor "anti-lockout"
      pass in quick from 192.168.1.0/24 to 192.168.1.1 keep state label "anti-lockout web rule"

      # SSH lockout

      block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"

      # User-defined rules follow

      # Anchors for rules that might be matched by queues

      anchor qWANRoot tagged qWANRoot
      anchor qWANdef tagged qWANdef
      anchor qLANRoot tagged qLANRoot
      anchor qLANdef tagged qLANdef
      anchor qLANacks tagged qLANacks
      anchor qWANacks tagged qWANacks
      anchor qVOIPUp tagged qVOIPUp
      anchor qVOIPDown tagged qVOIPDown
      anchor qOthersUpH tagged qOthersUpH
      anchor qOthersDownH tagged qOthersDownH
      anchor qOthersUpL tagged qOthersUpL
      anchor qOthersDownL tagged qOthersDownL
      pass in quick on $lan from 192.168.1.0/24 to any keep state  queue (qLANdef, qLANacks)  label "USER_RULE: Default LAN -> any"

      # VPN Rules

      #---------------------------------------------------------------------------
      # default rules (just to be sure)
      #---------------------------------------------------------------------------
      block in log quick all label "Default block all just to be sure."
      block out log quick all label "Default block all just to be sure."

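As an added example (not part of benoit's post and not pfSense's own code): a small Python checker that reads the `altq` and `queue` lines from a rules.debug like the one above, resolves every queue's bandwidth to kbit/s, and reports two things a practitioner wants to see before trusting a shaper: whether any parent is overcommitted by its children (the kind of hierarchy pfctl rejects) and how much guaranteed (realtime) rate the leaves under each interface add up to. Percentages in `bandwidth` are resolved against the parent queue's bandwidth, as pf.conf documents; applying the same reference to percentages inside service curves is this script's assumption. The `sis0`/`sis1` rules are copied from the post; the `em0` rule set is constructed here, with a deliberately overcommitted parent, to show a finding. The script audits the hierarchy the wizard wrote; it does not explain the 67/14 kbit measurement.

```python
import re

# Constructed sample: the altq/queue lines copied from the rules.debug in the post above.
SAMPLE_RULES = """\
altq on sis1 hfsc bandwidth 100Mb queue {  qWANRoot }
altq on sis0 hfsc bandwidth 100Mb queue {  qLANRoot }
queue qWANRoot bandwidth 256Kb priority 6 hfsc { qWANdef, qWANacks, qVOIPUp, qOthersUpH, qOthersUpL }
queue qWANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANRoot bandwidth 1024Kb priority 6 hfsc { qLANdef, qLANacks, qVOIPDown, qOthersDownH, qOthersDownL }
queue qLANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qWANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qVOIPUp bandwidth 1% priority 7 hfsc (  ecn upperlimit(32Kb 1 32Kb) linkshare(0% 1000 10%) realtime(32Kb 1 32Kb) )
queue qVOIPDown bandwidth 1% priority 7 hfsc (  ecn upperlimit(32Kb 1 32Kb) linkshare(0% 1000 10%) realtime(32Kb 1 32Kb) )
queue qOthersUpH bandwidth 1% priority 4 hfsc (  red ecn upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(1Kb 1 1Kb) )
queue qOthersDownH bandwidth 1% priority 4 hfsc (  red ecn upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(1Kb 1 1Kb) )
queue qOthersUpL bandwidth 1% priority 2 hfsc (  red ecn upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(1Kb 1 1Kb) )
queue qOthersDownL bandwidth 1% priority 2 hfsc (  red ecn upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(1Kb 1 1Kb) )
"""
# Constructed, deliberately overcommitted hierarchy on a hypothetical interface em0.
BAD_RULES = """\
altq on em0 hfsc bandwidth 10Mb queue { qRoot }
queue qRoot bandwidth 256Kb hfsc { qA, qB }
queue qA bandwidth 200Kb hfsc ( realtime(100Kb 1 100Kb) )
queue qB bandwidth 100Kb hfsc ( default )
"""

UNITS = {"b": 0.001, "kb": 1.0, "mb": 1000.0, "gb": 1_000_000.0}  # pf suffixes -> kbit/s
ALTQ_RE = re.compile(r"^altq on (\S+) hfsc bandwidth (\S+) queue \{\s*([^}]*)\}")
QUEUE_RE = re.compile(r"^queue (\S+) bandwidth (\S+)(?: priority \d+)? hfsc (?:\{\s*([^}]*)\}|\((.*)\))")
SC_RE = re.compile(r"(realtime|linkshare|upperlimit)\(\s*(\S+)\s+(\S+)\s+(\S+)\s*\)")

def to_kbit(spec, parent_kbit):
    # 'N%' is a share of the parent queue (pf.conf); service-curve percentages assumed the same.
    if spec.endswith("%"):
        return parent_kbit * float(spec[:-1]) / 100
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGkmg]?[Bb])", spec)
    if not m:
        raise ValueError(f"bad bandwidth spec {spec!r}")
    return float(m.group(1)) * UNITS[m.group(2).lower()]

_names = lambda s: [n.strip() for n in s.split(",") if n.strip()]

def parse_queues(text):
    """Build {name: {bw, children, parent, sc}}; interface roots are keyed by interface name."""
    queues = {}
    for line in text.splitlines():
        m = ALTQ_RE.match(line.strip())
        if m:
            iface, bw, kids = m.groups()
            queues[iface] = {"bw": bw, "children": _names(kids), "parent": None, "sc": {}}
            continue
        m = QUEUE_RE.match(line.strip())
        if m:
            name, bw, kids, opts = m.groups()
            sc = {k: (m1, d, m2) for k, m1, d, m2 in SC_RE.findall(opts or "")}
            queues[name] = {"bw": bw, "children": _names(kids or ""), "parent": None, "sc": sc}
    for name, q in queues.items():  # link children back to their parent
        for child in q["children"]:
            if child in queues:
                queues[child]["parent"] = name
    return queues

def resolve_kbit(queues):
    """Absolute bandwidth in kbit/s for every queue, walking down from each interface root."""
    out = {}
    def walk(name, parent_kbit):
        out[name] = to_kbit(queues[name]["bw"], parent_kbit)
        for child in queues[name]["children"]:
            if child in queues:
                walk(child, out[name])
    for root in [n for n, q in queues.items() if q["parent"] is None]:
        walk(root, None)
    return out

def leaves_under(queues, name):
    kids = [c for c in queues[name]["children"] if c in queues]
    return [name] if not kids else [leaf for c in kids for leaf in leaves_under(queues, c)]

def check_hierarchy(queues):
    """Findings pfctl would also reject: undefined children and children that outgrow their parent."""
    kbit, findings = resolve_kbit(queues), []
    for name, q in queues.items():
        for c in q["children"]:
            if c not in queues:
                findings.append(f"{name}: child queue {c} is referenced but never defined")
        total = sum(kbit[c] for c in q["children"] if c in queues)
        if total > kbit[name] + 1e-9:
            findings.append(f"{name}: children need {total:.1f} kbit/s but parent has {kbit[name]:.1f}")
    return findings

def realtime_totals(queues):
    """Per interface root, the sum of the leaves' guaranteed (realtime m2) rates in kbit/s."""
    kbit = resolve_kbit(queues)
    return {root: sum(to_kbit(queues[leaf]["sc"]["realtime"][2], kbit[queues[leaf]["parent"]])
                      for leaf in leaves_under(queues, root) if "realtime" in queues[leaf]["sc"])
            for root, q in queues.items() if q["parent"] is None}

if __name__ == "__main__":
    for label, text in (("posted rules", SAMPLE_RULES), ("constructed em0 rules", BAD_RULES)):
        q = parse_queues(text)
        print(label, "| realtime kbit/s:", realtime_totals(q), "| findings:", check_hierarchy(q) or "none")
```

On the posted rules the checker reports no hierarchy errors: each `1%` child of `qWANRoot` resolves to 2.56 kbit/s and each child of `qLANRoot` to 10.24 kbit/s, and the realtime guarantees add up to 85.2 kbit/s on `sis1` and 238.8 kbit/s on `sis0`. The constructed `em0` set produces one finding, because `qA` and `qB` together ask for 300 kbit/s under a 256 kbit/s parent.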
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.