[01/12/11] Traffic shaper not properly shaping traffic!



  • Updated with lots of info below: HERE

    I've noticed since testing pfSense 2 that p2p traffic doesn't seem to be shaping the same using the same rules.  In 1.2.3, the rules put all of the torrent traffic into the correct queue, but in 2.x, it seems to get most of it right (sometimes), but not all.  Affects every version I've had on the box since installing BETA 2 on Dec 27th.

    Aliases:
    uT_Box 192.168.1.68        uTorrent Box
    uT_In 12801                uT_In
    uT_Out 12950:12999, 12801 uT_Out

    Here are the rules in 1.2.3:
    LAN->WAN TCP uT_Box Port: uT_Out * qP2PUp/qP2PDown uT_Out TCP
    WAN->LAN TCP * uT_Box Port: uT_In qP2PDown/qP2PUp uT_In TCP
    LAN->WAN UDP uT_Box Port: uT_Out * qP2PUp/qP2PDown uT_Out UDP
    WAN->LAN UDP * uT_Box Port: uT_In qP2PDown/qP2PUp uT_In UDP

    Here is the same rules in the "Floating" section of 2.0:
    TCP uT_Box uT_Out * * * qP2P   uT_Out (TCP)
    UDP uT_Box uT_Out * * * qP2P   uT_Out (UDP)  
    TCP * * uT_Box uT_In * qP2P   uT_In (TCP)
    UDP * * uT_Box uT_In * qP2P   uT_In (UDP)

    The rules in 1.2.3 put all the traffic in the p2p queue, but I'm noticing in 2.0, there is a good amount of bleed into the default queue, sometimes even exceeding the p2p queue.

    Have I defined the rules incorrectly?  Is 2.0 not matching and shaping traffic properly?  I can't figure this out.



  • Thank you for the move.  I wasn't sure if it was me or 2.0.  Hopefully this will be of use to others using the shaper.  Seems there are several people saying it isn't working quite right for various things.

    Just hope that I'm not wasting everyone's time looking into this and it being a user error, since the whole 'floating rules' and such are new to me and a little confusing.

    Even though this is happening on more than one build, I'll give this just in case:

    2.0-BETA5 (i386)
    built on Mon Jan 3 13:22:20 EST 2011
    


  • It is not so easy on 2.0 to judge your shaping setup.

    Please give me all your LAN and all your floating rules so I can tell you the reason, if there is any.

    I can tell you just for a start that the rule you have there will not match internal hosts since it is evaluated after NAT, so you have to move those rules to LAN before any other rule.



  • Okay Ermal, screenies of the rules are attached.  The only rules under "LAN" are the default ones, anti-lockout and the default lan->any rule

    If floating rules are not matched for internal IPs, what exactly is the point of 'floating' rules?  The wizard puts all the created rules there by default.  I'm confuddled!

    One of the other reasons for springing for 2.x was that I'm hoping I can limit traffic of everything, but at the same time NOT limit things such as the webgui or squid, which is something that cannot be done at all in 1.2.3.  So once I get a grasp of what is going on and how to properly implement rules, I'm hoping to completely phase out my 1.2.3 machine to 2.x






  • Hopefully this is enough information for someone to point me in the right direction.  I keep fiddling with the rules and coming up with things that do not work quite as expected.  Seems that the behavior of 1.2.3 where rules don't seem to want to match when you put "TCP/UDP" is still there.  Though, I'm not sure since so far I can't get the rule to behave as I wanted to begin with :P



  • Anyone have any ideas on this?  My network isn't liking torrent traffic not being shaped correctly.  I just don't understand why the traffic isn't being shaped correctly?
    I have the "torrent and other download box" set to use specific ports on outbound and inbound traffic for torrents, so I know it is using the ports that the shaper is set for.



  • Hey Ermal, I have to ask if there is something wrong with the shaper itself as I haven't heard back in a few, and I got you the info needed.  Is it the shaper or my rules?



  • @ermal:

    I can tell you just for a start that the rule you have there will not match internal hosts since it is evaluated after NAT, so you have to move those rules to LAN before any other rule.

    I'm a tad confused on this bit as well, as from the wiki it would seem that the floating rules are evaluated for all NICs?
    @Wiki:

    Floating rules allow you to set shaping rules for all interfaces at once. They are evaluated before the interface rules, and are non-terminating. The last floating rule that matches a stream will be the one that applies.

    So are floating rules indeed not evaluated for certain connections?  I thought the traffic shaper's floating rules would "just work ™" since even the wizard puts the rules there (and the wizard should do this right).

    I know that once I get the rules working as they should, my next goal is to modify them to work as I'd hoped pfSense 1.2.3 would (and doesn't):  I don't want traffic from the future Opt LAN to be shaped from LAN2 to LAN1 or the other way, nor do I want squid traffic from the pfSense router itself to be shaped.  Hopefully this is possible as I don't exactly have an extra box to stick between to act as a squid transparent proxy so that I can save some of my bandwidth, without shaping the proxy traffic -- it shouldn't be, on the inside at least, for my purposes.



  • I appear to be experiencing this too. What gives? It's really frustrating. Walking through the wizard with the same rules I had under 1.2.3. VoIP sounded flawless on 1.2.3. Shaper appears to have virtually no effect on my Jan 7 BETA 2.0.

    This is a major issue.



  • I'm kinda clueless myself too.  Having issues that are kinda similar but different product.  Until Ermal or someone else that is a traffic shaper Guru gets on, we're both kinda screwed :(  I'm not sure if the rules are just done wrong, or if there is something wrong with the shaper, or somewhere between the code handling what we see for rules and the actual shaper rules.



  • Have you tried the new Jan 10 build? Have you tried erasing settings and redoing everything fresh instead of importing a past config?



  • Meh… hate to do that, but I could.  Lots of aliases and such.  Granted my rules aren't too complicated just two forwards (that use aliases since I just have a tiny http/ftp/streaming server and a torrent seed box).

    I'll give that a shot, but I'm not sure if it will resolve anything as it seems that the rules are partially being followed, just bunches of traffic is slipping through to the default queue.



  • Well, I've installed the latest build, and gotten stuff somewhat where I want it.  But now I'm slightly confused as to how to go about setting up the rules.  The new wizard decided not to even create queues or rules at all for the LAN side, which in some ways makes sense since incoming traffic isn't always the best to try and shape.  But I think it actually helps in my case here, as I do need to keep p2p from chewing on the inbound connection as well – which does seem to work.

    But it would not help with p2p much.  I'd need to limit it both in and out.
    The good thing is that I have the torrent box set to use one port for incoming connections, and a set of ports set for all outbound connections.  So it should be easy to shape the traffic -- was really easy in 1.2.3.



  • Just an update:  I've installed the latest ISO, cleanly.  Remade rules and such, and this time I manually added queues and rules due to the above issue.

    2.0-BETA5 (amd64)
    built on Mon Jan 10 01:41:22 EST 2011
    

    Here are my new rules, based off of what Ermal was stating earlier about it not being processed, so I stuck them in the LAN/WAN areas (hopefully correctly).

    Floating: NONE

    WAN:

    Proto     Source                         Port  Destination  Port             Gateway  Queue            Schedule  Description
    *         Reserved/not assigned by IANA  *     *            *                *        *                          Block bogon networks
    TCP/UDP   *                              *     Server       Server_Services  *        qACK/qDefaultIn            NAT
    TCP       *                              *     uT_Box       uT_In            *        qP2Pin                     NAT
    UDP       *                              *     uT_Box       uT_In            *        qP2Pin                     NAT
    

    LAN:

    Proto            Source   Port    Destination  Port        Gateway  Queue        Schedule  Description
    TCP/UDP          Admins   *       LAN address  AdminPorts  *        qLANtraffic
    (block) TCP/UDP  *        *       LAN address  AdminPorts  *        none
    TCP              uT_Box   uT_Out  *            *           *        qP2P
    UDP              uT_Box   uT_Out  *            *           *        qP2P
    *                LAN net  *       *            *           *        none                   Default allow LAN to any rule
    

    I've turned off everything that I can think of on the network that could even THINK of generating much traffic at all, and killed/restarted the latest ubuntu, linux mint, and a few other torrents to hopefully kick the crap out of the network and easily show if traffic is going to the right queues.

    It isn't, if I'm not completely daft and reading this wrong.  Seems to mostly work for the outgoing (but nowhere near completely), and the inbound shaping isn't working much at all:

    pfTop: Up Queue 1-16/16, View: queue, Cache: 10000                                                              02:23:11
    
    QUEUE                             BW SCH  PRIO     PKTS    BYTES   DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S
    root_em1                        486K hfsc    0        0        0        0        0    0                     0       0
     qACK                           315K hfsc            31     1866        0        0    0                     0       0
     qGamesUp                      34020 hfsc             0        0        0        0    0                     0       0
     qOtherHigh                    24300 hfsc             0        0        0        0    0                     0       0
     qOtherLow                      4860 hfsc             0        0        0        0    0                     0       0
     qDefault                       4860 hfsc        140711 11992114       11      726    0                    73    6609  << ok, kinda
     qP2P                           1000 hfsc        203990 17885997        0        0    0                   295   22246  <<
    root_em0                        100M hfsc    0        0        0        0        0    0                     0       0
     qInternetIn                   5821K hfsc             0        0        0        0    0                     0       0
      qACKIn                       3783K hfsc             0        0        0        0    0                     0       0
      qGamesIn                      407K hfsc             0        0        0        0    0                     0       0
      qOtherHighIn                  291K hfsc             0        0        0        0    0                     0       0
      qOtherLowIn                  58210 hfsc             0        0        0        0    0                     0       0
      qDefaultIn                   58210 hfsc        271292  338512K        0        0    0                   370  458210  << very not ok.
      qP2Pin                        1000 hfsc        175963  211570K        0        0    0                    83   84086  <<
     qLANtraffic                     65M hfsc          7413  1662990        0        0    0                    20    4455
    

    The good news is that the rule for LAN traffic seems to work correctly.  Yay!  Squid now seems to be pushing out cached stuff at >10MB/s.  If I could only get p2p traffic to behave I'd be golden.



  • I can't figure it out.  Is the shaper broken, or can anyone explain why it isn't shaping the traffic as it should be?  The rules in 1.2.3 worked flawlessly.  I could saturate the link with p2p traffic and I could run a test of http traffic and it would completely kill the p2p traffic.  With 2.x the p2p traffic isn't getting killed at all, and other traffic suffers because of this.

    Update:
    I created rules to block ANY and ALL traffic through the router directly below the webgui rules and the rules allowing p2p through.  This should, to my understanding, block any and all traffic other than p2p in/out.  I cleared the states, reset the firewall completely, turned off the download machine, and restarted any computer that could be generating any traffic.

    I still had massive traffic in the default queues, more than in the p2p queues.  Something is definitely wrong here, as the rules should have denied any traffic that could have possibly made it into the 'default' queue!

    Another update:
    Since I don't think I'd have much of a security issue here, I'm going to post the full /tmp/rules.debug file here, in the hopes that it might help a bit more.

    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ em1 }"
    LAN = "{ em0 }"
    
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort2C table
    table <snort2c>
    table <virusprot>
    # User Aliases 
    AdminPorts = "{ 1337:1338 }"
    table <admins> {   192.168.1.16  192.168.1.15 } 
    Admins = "<admins>"
    Browsing_Ports = "{ 80 443 }"
    Mail_Ports = "{ 25 110 143 993 }"
    table <server> {   192.168.1.15 } 
    Server = "<server>"
    Server_Services = "{ 80 9001 }"
    Squid_ports = "{ 3128 }"
    table <ut_box> {   192.168.1.68 } 
    uT_Box = "<ut_box>"
    uT_In = "{ 12801 }"
    uT_Out = "{ 12801 12950:12999 }"
    
    # Gateways
    GWWAN = " route-to ( em1 192.168.128.1 ) "
    
    set loginterface em1
    set loginterface em0
    set optimization normal
    set limit states 194000
    set limit src-nodes 194000
    
    set skip on pfsync0
    
    scrub in on $WAN all    fragment reassemble
    scrub in on $LAN all    fragment reassemble
    
     altq on  em1 hfsc bandwidth 486Kb queue {  qACK,  qGamesUp,  qOtherHigh,  qOtherLow,  qDefault,  qP2P  } 
     queue qACK on em1 bandwidth 65% qlimit 2000 hfsc (  ecn  ,  realtime 65% , linkshare 65%  )  
     queue qGamesUp on em1 bandwidth 7% hfsc (  ecn  ,  realtime 7% )  
     queue qOtherHigh on em1 bandwidth 5% hfsc (  red  , ecn  ,  realtime 5% )  
     queue qOtherLow on em1 bandwidth 1% hfsc (  red  , ecn  ,  realtime 1% )  
     queue qDefault on em1 bandwidth 1% hfsc (  red  , ecn  , default  ,  realtime 1% )  
     queue qP2P on em1 bandwidth 1Kb qlimit 2000 hfsc (  red  , rio  , ecn  ,  realtime 1Kb , linkshare 1Kb  )  
    
     altq on  em0 hfsc bandwidth 100Mb queue {  qInternetIn,  qLANtraffic  } 
     queue qInternetIn on em0 bandwidth 5821Kb hfsc (  ecn  ,  realtime 5821Kb , linkshare 5821Kb  )  {  qACKIn,  qGamesIn,  qOtherHighIn,  qOtherLowIn,  qDefaultIn,  qP2Pin  } 
     queue qACKIn on em0 bandwidth 65% qlimit 2000 hfsc (  ecn  ,  realtime 65% , linkshare 65%  )  
     queue qGamesIn on em0 bandwidth 7% hfsc (  ecn  ,  realtime 7% )  
     queue qOtherHighIn on em0 bandwidth 5% hfsc (  red  , ecn  ,  realtime 5% )  
     queue qOtherLowIn on em0 bandwidth 1% hfsc (  red  , ecn  ,  realtime 1% )  
     queue qDefaultIn on em0 bandwidth 1% hfsc (  red  , ecn  , default  ,  realtime 1% )  
     queue qP2Pin on em0 bandwidth 1Kb qlimit 2000 hfsc (  red  , rio  , ecn  ,  realtime 1Kb , linkshare 1Kb  )  
    
     queue qLANtraffic on em0 bandwidth 65Mb hfsc (  ecn  ,  realtime 65Mb )  
    
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    nat on $WAN  from 192.168.1.0/24 to any port 500 -> 192.168.128.10/32  static-port
    nat on $WAN  from 192.168.1.0/24 to any -> 192.168.128.10/32  static-port
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <direct_networks> { 192.168.128.0/24 192.168.1.0/24 }
    # NAT Inbound Redirects
    rdr on em1 proto tcp from any to 192.168.128.10 port $uT_In -> $uT_Box
    rdr on em1 proto udp from any to 192.168.128.10 port $uT_In -> $uT_Box
    rdr on em1 proto tcp from any to 192.168.128.10 port $Server_Services -> $Server
    
    # Setup Squid proxy redirect
    no rdr on em0 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
    rdr on em0 proto tcp from any to !(em0) port 80 -> 127.0.0.1 port 80
    
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in  all label "Default deny rule"
    block out  all label "Default deny rule"
    
    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0
    
    # snort2c
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 1338 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 1337 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in  quick on $WAN from <bogons> to any label "block bogon networks from WAN"
    antispoof for em1
    # allow our DHCP client out to the WAN
    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
    antispoof for em0
    # allow access to DHCP server on LAN
    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
    
    # loopback
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em1 192.168.128.1 ) from 192.168.128.10 to !192.168.128.0/24 keep state allow-opts label "let out anything from firewall host itself"
    
    # User-defined rules follow
    pass  in  quick  on $WAN reply-to ( em1 192.168.128.1 )  proto tcp  from any to   $uT_Box port $uT_In  flags S/SA keep state  queue (qP2Pin)  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( em1 192.168.128.1 )  proto udp  from any to   $uT_Box port $uT_In  keep state  queue (qP2Pin)  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( em1 192.168.128.1 )  proto { tcp udp }  from any to   $Server port $Server_Services  keep state  queue (qP2Pin)  label "USER_RULE: NAT "
    pass  in  quick  on $LAN  proto { tcp udp }  from   $Admins to 192.168.1.1 port $AdminPorts  keep state  queue (qLANtraffic)  label "USER_RULE"
    block  in log  quick  on $LAN  proto { tcp udp }  from any to 192.168.1.1 port $AdminPorts   label "USER_RULE"
    pass  in  quick  on $LAN  proto tcp  from   $uT_Box port $uT_Out  to any flags S/SA keep state  queue (qP2P)  label "USER_RULE"
    pass  in  quick  on $LAN  proto udp  from   $uT_Box port $uT_Out  to any keep state  queue (qP2P)  label "USER_RULE"
    pass  in  quick  on $LAN  proto { tcp udp }  from 192.168.1.0/24 to 192.168.1.1 port $Squid_ports  keep state  queue (qLANtraffic)  label "USER_RULE"
    pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  queue (qDefault,qACKIn)  label "USER_RULE: Default allow LAN to any rule"
    
    # VPN Rules
    anchor "tftp-proxy/*"
    
    # uPnPd
    anchor "miniupnpd"
    
    # Setup squid pass rules for proxy
    pass in quick on em0 proto tcp from any to !(em0) port 80 flags S/SA keep state
    pass in quick on em0 proto tcp from any to !(em0) port 3128 flags S/SA keep state
    

    Also in case it helps (thank you to xLP on IRC) I have the final rules that are loaded into pf:

    $ pfctl -sr
    scrub in on em1 all fragment reassemble
    scrub in on em0 all fragment reassemble
    anchor "relayd/*" all
    block drop in all label "Default deny rule"
    block drop out all label "Default deny rule"
    block drop quick proto tcp from any port = 0 to any
    block drop quick proto tcp from any to any port = 0
    block drop quick proto udp from any port = 0 to any
    block drop quick proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = 1338 label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = 1337 label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in quick on em1 from <bogons> to any label "block bogon networks from WAN"
    block drop in on ! em1 inet from 192.168.128.0/24 to any
    block drop in inet from 192.168.128.10 to any
    block drop in on em1 inet6 from fe80::221:85ff:fe16:3769 to any
    pass in on em1 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
    pass out on em1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
    block drop in on ! em0 inet from 192.168.1.0/24 to any
    block drop in inet from 192.168.1.1 to any
    block drop in on em0 inet6 from fe80::221:85ff:fe16:3768 to any
    pass in on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in on em0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
    pass out on em0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 all flags S/SA keep state label "pass loopback"
    pass out on lo0 all flags S/SA keep state label "pass loopback"
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (em1 192.168.128.1) inet from 192.168.128.10 to ! 192.168.128.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <ut_box> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <ut_box> port = 12801 keep state label "USER_RULE: NAT " queue qP2Pin
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <ut_box> port = 12801 flags S/SA keep state allow-opts label "USER_RULE: NAT " queue qP2Pin
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <ut_box> port = 12801 keep state allow-opts label "USER_RULE: NAT " queue qP2Pin
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <server> port = http flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <server> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <server> port = http keep state label "USER_RULE: NAT " queue qP2Pin
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <server> port = 9001 keep state label "USER_RULE: NAT " queue qP2Pin
    pass in quick on em0 inet proto tcp from <admins> to 192.168.1.1 port 1337:1338 flags S/SA keep state label "USER_RULE" queue qLANtraffic
    pass in quick on em0 inet proto udp from <admins> to 192.168.1.1 port 1337:1338 keep state label "USER_RULE" queue qLANtraffic
    block drop in log quick on em0 inet proto tcp from any to 192.168.1.1 port 1337:1338 label "USER_RULE"
    block drop in log quick on em0 inet proto udp from any to 192.168.1.1 port 1337:1338 label "USER_RULE"
    pass in quick on em0 proto tcp from <ut_box> port = 12801 to any flags S/SA keep state label "USER_RULE" queue qP2P
    pass in quick on em0 proto tcp from <ut_box> port 12950:12999 to any flags S/SA keep state label "USER_RULE" queue qP2P
    pass in quick on em0 proto udp from <ut_box> port = 12801 to any keep state label "USER_RULE" queue qP2P
    pass in quick on em0 proto udp from <ut_box> port 12950:12999 to any keep state label "USER_RULE" queue qP2P
    pass in quick on em0 proto tcp from <ut_box> port = 12801 to any flags S/SA keep state allow-opts label "USER_RULE" queue qP2P
    pass in quick on em0 proto tcp from <ut_box> port 12950:12999 to any flags S/SA keep state allow-opts label "USER_RULE" queue qP2P
    pass in quick on em0 proto udp from <ut_box> port = 12801 to any keep state allow-opts label "USER_RULE" queue qP2P
    pass in quick on em0 proto udp from <ut_box> port 12950:12999 to any keep state allow-opts label "USER_RULE" queue qP2P
    pass in quick on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 3128 flags S/SA keep state label "USER_RULE" queue qLANtraffic
    pass in quick on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.1 port = 3128 keep state label "USER_RULE" queue qLANtraffic
    pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" queue(qDefault, qACKIn)
    anchor "tftp-proxy/*" all
    anchor "miniupnpd" all
    pass in quick on em0 proto tcp from any to ! (em0) port = http flags S/SA keep state
    pass in quick on em0 proto tcp from any to ! (em0) port = 3128 flags S/SA keep state
    

    Y.A.U.

    I just stuffed a 1.2.3 box between the pfSense 2 box and the modem (yay, finally figured out how to put the stupid freakin' POS ISP modem in bridge mode).

    The rules for pfsense 1.2.3 are WAY different!  This has to be why 2.x isn't shaping right.   Now for some input on WHY, and what to do to fix it!

    $ pfctl -sr
    scrub all random-id max-mss 1452 fragment reassemble
    block drop in all label "SHAPER: first match rule" tag unshaped
    pass in on sis0 inet proto tcp from 192.168.128.10 port 12950:12999 to any flags S/SA keep state tag qP2PDown tagged unshaped
    pass in on sis0 inet proto tcp from 192.168.128.10 port = 12801 to any flags S/SA keep state tag qP2PDown tagged unshaped
    pass out on rl0 proto tcp all flags S/SA keep state tag qP2PUp tagged qP2PDown
    pass out on ng0 proto tcp all flags S/SA keep state tag qP2PUp tagged qP2PDown
    pass in on sis0 inet proto udp from 192.168.128.10 port 12950:12999 to any keep state tag qP2PDown tagged unshaped
    pass in on sis0 inet proto udp from 192.168.128.10 port = 12801 to any keep state tag qP2PDown tagged unshaped
    pass out on rl0 proto udp all keep state tag qP2PUp tagged qP2PDown
    pass in on rl0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PUp tagged unshaped
    pass out on ng0 proto udp all keep state tag qP2PUp tagged qP2PDown
    pass in on ng0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PUp tagged unshaped
    pass out on sis0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PDown tagged qP2PUp
    pass in on rl0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PUp tagged unshaped
    pass in on ng0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PUp tagged unshaped
    pass out on sis0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PDown tagged qP2PUp
    pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesUp tagged unshaped
    pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesUp tagged unshaped
    pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesDown tagged qGamesUp
    pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 3016:3021 keep state tag qGamesDown tagged unshaped
    pass out on rl0 proto udp from any to any port 3016:3021 keep state tag qGamesUp tagged qGamesDown
    pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesUp tagged unshaped
    pass out on ng0 proto udp from any to any port 3016:3021 keep state tag qGamesUp tagged qGamesDown
    pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesUp tagged unshaped
    pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesDown tagged qGamesUp
    pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 30000:30500 keep state tag qGamesDown tagged unshaped
    pass out on rl0 proto udp from any to any port 30000:30500 keep state tag qGamesUp tagged qGamesDown
    pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesUp tagged unshaped
    pass out on ng0 proto udp from any to any port 30000:30500 keep state tag qGamesUp tagged qGamesDown
    pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesUp tagged unshaped
    pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesDown tagged qGamesUp
    pass in on rl0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesUp tagged unshaped
    pass in on ng0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesUp tagged unshaped
    pass out on sis0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesDown tagged qGamesUp
    pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 45000:45010 keep state tag qGamesDown tagged unshaped
    pass out on rl0 proto udp from any to any port 45000:45010 keep state tag qGamesUp tagged qGamesDown
    pass out on ng0 proto udp from any to any port 45000:45010 keep state tag qGamesUp tagged qGamesDown
    pass in on sis0 inet proto tcp from 192.168.128.0/24 to any port = 7080 flags S/SA keep state tag qGamesDown tagged unshaped
    pass out on rl0 proto tcp from any to any port = 7080 flags S/SA keep state tag qGamesUp tagged qGamesDown
    pass out on ng0 proto tcp from any to any port = 7080 flags S/SA keep state tag qGamesUp tagged qGamesDown
    pass in on sis0 inet proto tcp from 192.168.128.0/24 to any port = afs3-fileserver flags S/SA keep state tag qGamesDown tagged unshaped
    pass out on rl0 proto tcp from any to any port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged qGamesDown
    pass in on rl0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged unshaped
    pass out on ng0 proto tcp from any to any port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged qGamesDown
    pass in on ng0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged unshaped
    pass out on sis0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesDown tagged qGamesUp
    pass in quick on sis0 proto tcp from any to ! (sis0) port = http flags S/SA keep state
    pass in quick on sis0 proto tcp from any to ! (sis0) port = 3128 flags S/SA keep state
    anchor "ftpsesame/*" all
    anchor "firewallrules" all
    block drop quick proto tcp from any port = 0 to any
    block drop quick proto tcp from any to any port = 0
    block drop quick proto udp from any port = 0 to any
    block drop quick proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    anchor "loopback" all
    pass in quick on lo0 all flags S/SA keep state label "pass loopback"
    pass out quick on lo0 all flags S/SA keep state label "pass loopback"
    anchor "packageearly" all
    anchor "carp" all
    pass quick inet proto icmp from 98.69.142.38 to any keep state
    anchor "dhcpserverlan" all
    pass in quick on sis0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
    pass in quick on sis0 inet proto udp from any port = bootpc to 192.168.128.1 port = bootps keep state label "allow access to DHCP server on LAN"
    pass out quick on sis0 inet proto udp from 192.168.128.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
    block drop in quick on rl0 inet proto udp from any port = bootps to 192.168.128.0/24 port = bootpc label "block dhcp client out wan"
    block drop in quick on ng0 inet proto udp from any port = bootps to 192.168.128.0/24 port = bootpc label "block dhcp client out wan"
    block drop in on ! sis0 inet from 192.168.128.0/24 to any
    block drop in inet from 192.168.128.1 to any
    block drop in on sis0 inet6 from fe80::20d:87ff:fe0b:30dd to any
    anchor "spoofing" all
    anchor "spoofing" all
    block drop in on ! ng0 inet from 98.69.142.38 to any
    block drop in inet from 98.69.142.38 to any
    block drop in on rl0 inet6 from fe80::2e0:7dff:feab:dd0b to any
    block drop in on ng0 inet6 from fe80::20d:87ff:fe0b:30dd to any
    block drop in quick on rl0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block drop in quick on ng0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block drop in quick on rl0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in quick on ng0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in quick on rl0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block drop in quick on ng0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block drop in quick on rl0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    block drop in quick on ng0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    anchor "limitingesr" all
    block drop in quick from <virusprot> to any label "virusprot overload table"
    anchor "wanbogons" all
    block drop in quick on rl0 from <bogons> to any label "block bogon networks from wan"
    block drop in quick on ng0 from <bogons> to any label "block bogon networks from wan"
    anchor "firewallout" all
    pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesUp, qwanacks) tagged qGamesUp
    pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesUp, qwanacks) tagged qGamesUp
    pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
    pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
    pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
    pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
    pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesDown, qlanacks) tagged qGamesDown
    pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PDown, qlanacks) tagged qP2PDown
    pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qlandef, qlanacks)
    pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host"
    pass out quick on ng0 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    anchor "ftpproxy" all
    anchor "pftpx/*" all
    anchor "qwanRoot" all tagged qwanRoot
    anchor "qwanacks" all tagged qwanacks
    anchor "qGamesUp" all tagged qGamesUp
    anchor "qOthersUpH" all tagged qOthersUpH
    anchor "qOthersUpL" all tagged qOthersUpL
    anchor "qwandef" all tagged qwandef
    anchor "qP2PUp" all tagged qP2PUp
    anchor "qlanRoot" all tagged qlanRoot
    anchor "qlanacks" all tagged qlanacks
    anchor "qGamesDown" all tagged qGamesDown
    anchor "qOthersDownH" all tagged qOthersDownH
    anchor "qOthersDownL" all tagged qOthersDownL
    anchor "qlandef" all tagged qlandef
    anchor "qP2PDown" all tagged qP2PDown
    pass in quick on sis0 inet proto tcp from <admins> to 192.168.128.1 port 1337:1338 flags S/SA keep state label "USER_RULE" queue(qlandef, qlanacks)
    block drop in quick on sis0 inet proto tcp from any to 192.168.128.1 port 1337:1338 label "USER_RULE" queue(qlandef, qlanacks)
    pass in quick on sis0 inet from 192.168.128.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any" queue(qlandef, qlanacks)
    pass in quick on rl0 proto tcp from any to <pfsense_lan> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on rl0 proto tcp from any to <pfsense_lan> port = http flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on rl0 proto udp from any to <pfsense_lan> port = 9001 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on rl0 proto udp from any to <pfsense_lan> port = http keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on ng0 proto tcp from any to <pfsense_lan> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on ng0 proto tcp from any to <pfsense_lan> port = http flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on ng0 proto udp from any to <pfsense_lan> port = 9001 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on ng0 proto udp from any to <pfsense_lan> port = http keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on rl0 proto tcp from any to <pfsense_lan> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on rl0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on ng0 proto tcp from any to <pfsense_lan> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on ng0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
    pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on ng0 inet proto tcp from any port = ftp-data to (ng0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
    anchor "imspector" all
    anchor "miniupnpd" all
    block drop in quick all label "Default deny rule"
    block drop out quick all label "Default deny rule"
    

    I'd also post the pftop showing that the traffic is going WHERE IT SHOULD, but for some odd reason I can't get pftop to display that page?  "8" doesn't work :(

    I'm noticing that the rules for 1.2.3 (that work correctly) are at the top, with no "quick" flag set.  In 2.x the rules are near the end, and they are set with "quick" which to my understanding means that the traffic isn't processed anymore after that rule.  Could this be what is b0rking the shaper?

    BTW, thank you again to xLP on IRC.  That command helped me dig around a little more.  Hopefully some Guru like Ermal can come in here and make some sense out of all of this.



  • Thanks for the report.  We are going to look into it.



  • Ahh cool.  Thanks, and I hope that my crazy "paste everything and let the Gurus sort it out" approach is somewhat useful.  If you guys need any more info please do tell me, and I'll get right to it.



  • Well, for the most part squid is your worst problem in your traffic shaping schema.
    Seems you do not have squid on 1.2.3, but I might be wrong on it since you have not shown NAT rules on 1.2.3 (pfctl -vsn).

    If you want to know why you do not get anything in the right queues you can check (pfctl -vsr), which shows which rules have matched, and that will tell you which queue the packets have been sent to.

    The first thing you have to do is put a rule on floating rules to send packets from localhost, wanip to the queue you meant for http traffic with direction out.
    Then you can start fiddling around with the other rules.
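    As an added diagnostic for the advice above (this is not pfSense's own code and was not posted in this thread), the Python below parses the `pfctl -vsr` listing format shown on this page, lists which rules actually matched packets, flags matched pass rules that carry no queue(...) so their traffic lands in the default queue, and reads out the quick/tag/tagged fields that the earlier post asks about. The sample listing and its counters are constructed for the example.

```python
"""Parse `pfctl -vsr` output: which rules matched traffic, and into which queue."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape pfctl -vsr prints (rule line, counter line,
# "Inserted" line). The counters are made up for this example.
SAMPLE_PFCTL_VSR = """\
block drop in all label "SHAPER: first match rule" tag unshaped
  [ Evaluations: 208008    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 61310 ]
pass in on sis0 inet proto tcp from 192.168.128.10 port 12950:12999 to any flags S/SA keep state tag qP2PDown tagged unshaped
  [ Evaluations: 103803    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 proto tcp from any to ! (sis0) port = http flags S/SA keep state
  [ Evaluations: 69024     Packets: 110942    Bytes: 70010116    States: 96    ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on sis0 inet from 192.168.128.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any" queue(qlandef, qlanacks)
  [ Evaluations: 60000     Packets: 42000     Bytes: 31000000    States: 12    ]
  [ Inserted: uid 0 pid 61310 ]
pass in quick on ng0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
  [ Evaluations: 36429     Packets: 358606    Bytes: 170830375   States: 101   ]
  [ Inserted: uid 0 pid 61310 ]
"""

COUNTER_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
QUEUE_RE = re.compile(r"\bqueue\s*\(([^)]*)\)")


@dataclass
class PfRule:
    text: str
    evaluations: int = 0
    packets: int = 0
    bytes: int = 0
    states: int = 0

    @property
    def action(self) -> str:
        return self.text.split()[0]  # pass / block / anchor / scrub

    @property
    def quick(self) -> bool:
        # A quick rule is the final match; without quick a later matching rule
        # can override it, which is how the 1.2.3-style tag/tagged rules chain.
        return "quick" in self.text.split()

    @property
    def queues(self) -> List[str]:
        m = QUEUE_RE.search(self.text)
        return [q.strip() for q in m.group(1).split(",")] if m else []

    def keyword(self, kw: str) -> str:
        """Argument of a one-word option such as 'tag' or 'tagged' ('' if absent)."""
        m = re.search(rf"(?<!\S){kw}\s+(\S+)", self.text)
        return m.group(1) if m else ""


def parse_pfctl_vsr(output: str) -> List[PfRule]:
    """Pair each rule line with the counter line that follows it."""
    rules: List[PfRule] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("["):  # rule lines never start with '['
            rules.append(PfRule(text=line))
            continue
        m = COUNTER_RE.search(line)  # "[ Inserted: ... ]" lines do not match
        if m and rules:
            r = rules[-1]
            r.evaluations, r.packets, r.bytes, r.states = (int(g) for g in m.groups())
    return rules


def matched_rules(rules: List[PfRule]) -> List[PfRule]:
    """Rules with a non-zero Packets counter, i.e. rules that actually matched traffic."""
    return [r for r in rules if r.packets > 0]


def unqueued_passes(rules: List[PfRule]) -> List[PfRule]:
    """Matched pass rules with no queue(...): their traffic falls into the
    interface's default queue, which is the 'bleed' this thread is chasing."""
    return [r for r in matched_rules(rules) if r.action == "pass" and not r.queues]


def bytes_by_queue(rules: List[PfRule]) -> Dict[str, int]:
    """Bytes per primary (first-listed) queue over all matched rules."""
    totals: Dict[str, int] = {}
    for r in matched_rules(rules):
        if r.queues:
            totals[r.queues[0]] = totals.get(r.queues[0], 0) + r.bytes
    return totals


if __name__ == "__main__":  # usage: pfctl -vsr > rules.txt; python3 this.py rules.txt
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PFCTL_VSR
    for r in unqueued_passes(parse_pfctl_vsr(text)):
        print(f"UNQUEUED {r.packets} pkts: {r.text}")
```

Run against a real listing, any rule printed as UNQUEUED with a large packet count is a candidate for the traffic that shows up in the default queue instead of the intended one.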



  • @ermal:

    Well, for the most part squid is your worst problem in your traffic shaping schema.
    Seems you do not have squid on 1.2.3, but I might be wrong on it since you have not shown NAT rules on 1.2.3 (pfctl -vsn).

    If you want to know why you do not get anything in the right queues you can check (pfctl -vsr), which shows which rules have matched, and that will tell you which queue the packets have been sent to.

    Squid was on 1.2.3 as well.  This isn't a complete ruleset on 1.2.3 like I had before that worked fine, as I seem to have misplaced the config file.  One of the reasons I am looking at pfsense 2 is that I can put squid traffic in that qLANtraffic queue (I might not be doing this right but it seems to work so far).

    As for the commands, I'm on it, will post at bottom.

    The first thing you have to do is put a rule on floating rules to send packets from localhost, wanip to the queue you meant for http traffic with direction out.

    My head just exploded.  Might need to dumb that down a tad, or provide an example.  I'm hoping you mean:

    pass  out  quick  on {  em1  } reply-to ( em1 192.168.128.1 )  proto tcp  from   127.0.0.1 to any port 80  flags S/SA keep state  queue (qOtherLow,qACKIn)  label "USER_RULE: Ermal's Rule"
    

    Here goes:

    $ pfctl -vsn
    nat-anchor "pftpx/*" all
      [ Evaluations: 103551    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    nat-anchor "natearly/*" all
      [ Evaluations: 103551    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    nat-anchor "natrules/*" all
      [ Evaluations: 103551    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    nat on rl0 inet from 192.168.128.0/24 to any -> (ng0) round-robin static-port
      [ Evaluations: 103551    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    nat on ng0 inet from 192.168.128.0/24 to any -> (ng0) round-robin static-port
      [ Evaluations: 103551    Packets: 870730    Bytes: 279926793   States: 241   ]
      [ Inserted: uid 0 pid 61310 ]
    nat on rl0 inet from 192.168.1.0/24 to any -> (ng0) round-robin static-port
      [ Evaluations: 46267     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    nat on ng0 inet from 192.168.1.0/24 to any -> (ng0) round-robin static-port
      [ Evaluations: 46267     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr-anchor "pftpx/*" all
      [ Evaluations: 103241    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr-anchor "slb" all
      [ Evaluations: 103241    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    no rdr on sis0 proto tcp from any to <vpns> port = ftp
      [ Evaluations: 103241    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr on sis0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
      [ Evaluations: 29325     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr on ng0 inet proto tcp from any to 98.69.142.38 port = 9001 -> 192.168.128.10
      [ Evaluations: 71505     Packets: 1084      Bytes: 435239      States: 1     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr on ng0 inet proto tcp from any to 98.69.142.38 port = http -> 192.168.128.10
      [ Evaluations: 5591      Packets: 168       Bytes: 19357       States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr on ng0 inet proto udp from any to 98.69.142.38 port = 9001 -> 192.168.128.10
      [ Evaluations: 73742     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr on ng0 inet proto udp from any to 98.69.142.38 port = http -> 192.168.128.10
      [ Evaluations: 36276     Packets: 2         Bytes: 94          States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr on ng0 inet proto tcp from any to 98.69.142.38 port = 12801 -> 192.168.128.10
      [ Evaluations: 42004     Packets: 155605    Bytes: 55421317    States: 27    ]
      [ Inserted: uid 0 pid 61310 ]
    rdr on ng0 inet proto udp from any to 98.69.142.38 port = 12801 -> 192.168.128.10
      [ Evaluations: 36429     Packets: 358606    Bytes: 170830375   States: 101   ]
      [ Inserted: uid 0 pid 61310 ]
    rdr on sis0 inet proto tcp from any to ! (sis0) port = http -> 127.0.0.1 port 80
      [ Evaluations: 63798     Packets: 107958    Bytes: 67956679    States: 77    ]
      [ Inserted: uid 0 pid 61310 ]
    rdr-anchor "imspector" all
      [ Evaluations: 61144     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    rdr-anchor "miniupnpd" all
      [ Evaluations: 61144     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    

    For 1.2.3

    $ pfctl -vsr
    scrub all random-id max-mss 1452 fragment reassemble
      [ Evaluations: 5583920   Packets: 5583920   Bytes: 495718779   States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in all label "SHAPER: first match rule" tag unshaped
      [ Evaluations: 208008    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto tcp from 192.168.128.10 port 12950:12999 to any flags S/SA keep state tag qP2PDown tagged unshaped
      [ Evaluations: 103803    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto tcp from 192.168.128.10 port = 12801 to any flags S/SA keep state tag qP2PDown tagged unshaped
      [ Evaluations: 25023     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on rl0 proto tcp all flags S/SA keep state tag qP2PUp tagged qP2PDown
      [ Evaluations: 176159    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on ng0 proto tcp all flags S/SA keep state tag qP2PUp tagged qP2PDown
      [ Evaluations: 176159    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto udp from 192.168.128.10 port 12950:12999 to any keep state tag qP2PDown tagged unshaped
      [ Evaluations: 208008    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto udp from 192.168.128.10 port = 12801 to any keep state tag qP2PDown tagged unshaped
      [ Evaluations: 27576     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on rl0 proto udp all keep state tag qP2PUp tagged qP2PDown
      [ Evaluations: 178416    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on rl0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PUp tagged unshaped
      [ Evaluations: 29592     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on ng0 proto udp all keep state tag qP2PUp tagged qP2PDown
      [ Evaluations: 208008    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on ng0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PUp tagged unshaped
      [ Evaluations: 107739    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on sis0 inet proto tcp from any to 192.168.128.10 port = 12801 flags S/SA keep state tag qP2PDown tagged qP2PUp
      [ Evaluations: 169595    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on rl0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PUp tagged unshaped
      [ Evaluations: 206125    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on ng0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PUp tagged unshaped
      [ Evaluations: 206125    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on sis0 inet proto udp from any to 192.168.128.10 port = 12801 keep state tag qP2PDown tagged qP2PUp
      [ Evaluations: 201292    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesUp tagged unshaped
      [ Evaluations: 200240    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesUp tagged unshaped
      [ Evaluations: 200240    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 3016:3021 keep state tag qGamesDown tagged qGamesUp
      [ Evaluations: 161990    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 3016:3021 keep state tag qGamesDown tagged unshaped
      [ Evaluations: 62196     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on rl0 proto udp from any to any port 3016:3021 keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 66415     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesUp tagged unshaped
      [ Evaluations: 102350    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on ng0 proto udp from any to any port 3016:3021 keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 168765    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesUp tagged unshaped
      [ Evaluations: 71664     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 45000:45010 keep state tag qGamesDown tagged qGamesUp
      [ Evaluations: 102087    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 30000:30500 keep state tag qGamesDown tagged unshaped
      [ Evaluations: 103135    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on rl0 proto udp from any to any port 30000:30500 keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 106877    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on rl0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesUp tagged unshaped
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on ng0 proto udp from any to any port 30000:30500 keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 106877    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on ng0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesUp tagged unshaped
      [ Evaluations: 36609     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on sis0 inet proto udp from any to 192.168.128.0/24 port 30000:30500 keep state tag qGamesDown tagged qGamesUp
      [ Evaluations: 35372     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on rl0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesUp tagged unshaped
      [ Evaluations: 207224    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on ng0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesUp tagged unshaped
      [ Evaluations: 207224    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on sis0 inet proto tcp from any to 192.168.128.0/24 port = 7080 flags S/SA keep state tag qGamesDown tagged qGamesUp
      [ Evaluations: 165711    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto udp from 192.168.128.0/24 to any port 45000:45010 keep state tag qGamesDown tagged unshaped
      [ Evaluations: 142378    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on rl0 proto udp from any to any port 45000:45010 keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 146599    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on ng0 proto udp from any to any port 45000:45010 keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 146599    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto tcp from 192.168.128.0/24 to any port = 7080 flags S/SA keep state tag qGamesDown tagged unshaped
      [ Evaluations: 208008    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on rl0 proto tcp from any to any port = 7080 flags S/SA keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 146596    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on ng0 proto tcp from any to any port = 7080 flags S/SA keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 146596    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on sis0 inet proto tcp from 192.168.128.0/24 to any port = afs3-fileserver flags S/SA keep state tag qGamesDown tagged unshaped
      [ Evaluations: 140694    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on rl0 proto tcp from any to any port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 111134    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on rl0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged unshaped
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on ng0 proto tcp from any to any port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged qGamesDown
      [ Evaluations: 111134    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in on ng0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesUp tagged unshaped
      [ Evaluations: 42300     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out on sis0 inet proto tcp from any to 192.168.128.0/24 port = afs3-fileserver flags S/SA keep state tag qGamesDown tagged qGamesUp
      [ Evaluations: 38863     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on sis0 proto tcp from any to ! (sis0) port = http flags S/SA keep state
      [ Evaluations: 69024     Packets: 110942    Bytes: 70010116    States: 96    ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on sis0 proto tcp from any to ! (sis0) port = 3128 flags S/SA keep state
      [ Evaluations: 26778     Packets: 1         Bytes: 48          States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "ftpsesame/*" all
      [ Evaluations: 205292    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "firewallrules" all
      [ Evaluations: 205292    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 205292    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop quick proto tcp from any to any port = 0
      [ Evaluations: 66499     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop quick proto udp from any port = 0 to any
      [ Evaluations: 205292    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop quick proto udp from any to any port = 0
      [ Evaluations: 138349    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop quick from <snort2c> to any label "Block snort2c hosts"
      [ Evaluations: 205292    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop quick from any to <snort2c> label "Block snort2c hosts"
      [ Evaluations: 205292    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "loopback" all
      [ Evaluations: 205292    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 205292    Packets: 111531    Bytes: 11476801    States: 6     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 94        Packets: 111531    Bytes: 11476801    States: 6     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "packageearly" all
      [ Evaluations: 205104    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "carp" all
      [ Evaluations: 205104    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass quick inet proto icmp from 98.69.142.38 to any keep state
      [ Evaluations: 205104    Packets: 2507      Bytes: 210588      States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "dhcpserverlan" all
      [ Evaluations: 204853    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on sis0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
      [ Evaluations: 204853    Packets: 7         Bytes: 2305        States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on sis0 inet proto udp from any port = bootpc to 192.168.128.1 port = bootps keep state label "allow access to DHCP server on LAN"
      [ Evaluations: 27        Packets: 52        Bytes: 17092       States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on sis0 inet proto udp from 192.168.128.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
      [ Evaluations: 70456     Packets: 5         Bytes: 1640        States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on rl0 inet proto udp from any port = bootps to 192.168.128.0/24 port = bootpc label "block dhcp client out wan"
      [ Evaluations: 174135    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on ng0 inet proto udp from any port = bootps to 192.168.128.0/24 port = bootpc label "block dhcp client out wan"
      [ Evaluations: 174135    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in on ! sis0 inet from 192.168.128.0/24 to any
      [ Evaluations: 139624    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in inet from 192.168.128.1 to any
      [ Evaluations: 139624    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in on sis0 inet6 from fe80::20d:87ff:fe0b:30dd to any
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "spoofing" all
      [ Evaluations: 204815    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "spoofing" all
      [ Evaluations: 204815    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in on ! ng0 inet from 98.69.142.38 to any
      [ Evaluations: 204815    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in inet from 98.69.142.38 to any
      [ Evaluations: 107488    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in on rl0 inet6 from fe80::2e0:7dff:feab:dd0b to any
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in on ng0 inet6 from fe80::20d:87ff:fe0b:30dd to any
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on rl0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on ng0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on rl0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on ng0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on rl0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on ng0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on rl0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on ng0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
      [ Evaluations: 100960    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "limitingesr" all
      [ Evaluations: 204815    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick from <virusprot> to any label "virusprot overload table"
      [ Evaluations: 204815    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "wanbogons" all
      [ Evaluations: 204815    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on rl0 from <bogons> to any label "block bogon networks from wan"
      [ Evaluations: 204815    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on ng0 from <bogons> to any label "block bogon networks from wan"
      [ Evaluations: 204815    Packets: 938       Bytes: 104640      States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "firewallout" all
      [ Evaluations: 203877    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesUp, qwanacks) tagged qGamesUp
      [ Evaluations: 203877    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesUp, qwanacks) tagged qGamesUp
      [ Evaluations: 203877    Packets: 35        Bytes: 4827        States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
      [ Evaluations: 162511    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
      [ Evaluations: 162511    Packets: 782149    Bytes: 261565239   States: 190   ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
      [ Evaluations: 111354    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on ng0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
      [ Evaluations: 111354    Packets: 231456    Bytes: 92571498    States: 324   ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qGamesDown, qlanacks) tagged qGamesDown
      [ Evaluations: 97327     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PDown, qlanacks) tagged qP2PDown
      [ Evaluations: 38664     Packets: 516832    Bytes: 227562826   States: 125   ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on sis0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qlandef, qlanacks)
      [ Evaluations: 86        Packets: 1259      Bytes: 454906      States: 1     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass out quick on ng0 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "ftpproxy" all
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "pftpx/*" all
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qwanRoot" all tagged qwanRoot
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qwanacks" all tagged qwanacks
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qGamesUp" all tagged qGamesUp
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qOthersUpH" all tagged qOthersUpH
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qOthersUpL" all tagged qOthersUpL
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qwandef" all tagged qwandef
      [ Evaluations: 100022    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qP2PUp" all tagged qP2PUp
      [ Evaluations: 100022    Packets: 516833    Bytes: 227562877   States: 125   ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qlanRoot" all tagged qlanRoot
      [ Evaluations: 61444     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qlanacks" all tagged qlanacks
      [ Evaluations: 61444     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qGamesDown" all tagged qGamesDown
      [ Evaluations: 61444     Packets: 35        Bytes: 4827        States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qOthersDownH" all tagged qOthersDownH
      [ Evaluations: 61437     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qOthersDownL" all tagged qOthersDownL
      [ Evaluations: 61437     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qlandef" all tagged qlandef
      [ Evaluations: 61437     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "qP2PDown" all tagged qP2PDown
      [ Evaluations: 61437     Packets: 782149    Bytes: 261565239   States: 190   ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on sis0 inet proto tcp from <admins> to 192.168.128.1 port 1337:1338 flags S/SA keep state label "USER_RULE" queue(qlandef, qlanacks)
      [ Evaluations: 10279     Packets: 4216      Bytes: 1973720     States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick on sis0 inet proto tcp from any to 192.168.128.1 port 1337:1338 label "USER_RULE" queue(qlandef, qlanacks)
      [ Evaluations: 2275      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on sis0 inet from 192.168.128.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any" queue(qlandef, qlanacks)
      [ Evaluations: 7496      Packets: 107177    Bytes: 26332131    States: 133   ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on rl0 proto tcp from any to <pfsense_lan> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 2831      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on rl0 proto tcp from any to <pfsense_lan> port = http flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on rl0 proto udp from any to <pfsense_lan> port = 9001 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on rl0 proto udp from any to <pfsense_lan> port = http keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on ng0 proto tcp from any to <pfsense_lan> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 2831      Packets: 1087      Bytes: 435359      States: 1     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on ng0 proto tcp from any to <pfsense_lan> port = http flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 48        Packets: 168       Bytes: 19357       States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on ng0 proto udp from any to <pfsense_lan> port = 9001 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 981       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on ng0 proto udp from any to <pfsense_lan> port = http keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 2         Packets: 2         Bytes: 94          States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on rl0 proto tcp from any to <pfsense_lan> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 245       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on rl0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on ng0 proto tcp from any to <pfsense_lan> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 245       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on ng0 proto udp from any to <pfsense_lan> port = 12801 keep state label "USER_RULE: NAT " queue(qwandef, qwanacks)
      [ Evaluations: 195       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
      [ Evaluations: 2746      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    pass in quick on ng0 inet proto tcp from any port = ftp-data to (ng0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
      [ Evaluations: 2746      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "imspector" all
      [ Evaluations: 2746      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    anchor "miniupnpd" all
      [ Evaluations: 2746      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop in quick all label "Default deny rule"
      [ Evaluations: 2746      Packets: 2746      Bytes: 231399      States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    block drop out quick all label "Default deny rule"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 61310 ]
    


  • Sorry for making another post, but it wouldn't let me put it in the last post.

    For 2.x

    $ pfctl -vsr
    scrub in on em1 all fragment reassemble
      [ Evaluations: 3784425   Packets: 798991    Bytes: 41483715    States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    scrub in on em0 all fragment reassemble
      [ Evaluations: 1950868   Packets: 1053747   Bytes: 109560619   States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    anchor "relayd/*" all
      [ Evaluations: 168216    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in all label "Default deny rule"
      [ Evaluations: 168216    Packets: 1840      Bytes: 371749      States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop out all label "Default deny rule"
      [ Evaluations: 168216    Packets: 86        Bytes: 10699       States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 168216    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop quick proto tcp from any to any port = 0
      [ Evaluations: 53771     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop quick proto udp from any port = 0 to any
      [ Evaluations: 168216    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop quick proto udp from any to any port = 0
      [ Evaluations: 114338    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop quick from <snort2c> to any label "Block snort2c hosts"
      [ Evaluations: 168216    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop quick from any to <snort2c> label "Block snort2c hosts"
      [ Evaluations: 168216    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in log quick proto tcp from <sshlockout> to any port = 1338 label "sshlockout"
      [ Evaluations: 168216    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in log quick proto tcp from <webConfiguratorlockout> to any port = 1337 label "webConfiguratorlockout"
      [ Evaluations: 27457     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in quick from <virusprot> to any label "virusprot overload table"
      [ Evaluations: 85010     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in quick on em1 from <bogons> to any label "block bogon networks from WAN"
      [ Evaluations: 85010     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in on ! em1 inet from 192.168.128.0/24 to any
      [ Evaluations: 85010     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in inet from 192.168.128.10 to any
      [ Evaluations: 84554     Packets: 494       Bytes: 34632       States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in on em1 inet6 from fe80::221:85ff:fe16:3769 to any
      [ Evaluations: 85010     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in on em1 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      [ Evaluations: 36524     Packets: 4         Bytes: 1312        States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass out on em1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      [ Evaluations: 116069    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in on ! em0 inet from 192.168.1.0/24 to any
      [ Evaluations: 168216    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in inet from 192.168.1.1 to any
      [ Evaluations: 120233    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in on em0 inet6 from fe80::221:85ff:fe16:3768 to any
      [ Evaluations: 85010     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 48486     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in on em0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 14        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass out on em0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 107387    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 168216    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass out on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 168216    Packets: 559044    Bytes: 247776218   States: 137   ]
      [ Inserted: uid 0 pid 2091 ]
    pass out route-to (em1 192.168.128.1) inet from 192.168.128.10 to ! 192.168.128.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 83206     Packets: 766649    Bytes: 273943580   States: 192   ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <uT_Box> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
      [ Evaluations: 168216    Packets: 145916    Bytes: 53977300    States: 23    ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <uT_Box> port = 12801 keep state label "USER_RULE: NAT " queue qP2Pin
      [ Evaluations: 32746     Packets: 374294    Bytes: 187859186   States: 111   ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <uT_Box> port = 12801 flags S/SA keep state allow-opts label "USER_RULE: NAT " queue qP2Pin
      [ Evaluations: 109       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <uT_Box> port = 12801 keep state allow-opts label "USER_RULE: NAT " queue qP2Pin
      [ Evaluations: 109       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <server> port = http flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
      [ Evaluations: 1040      Packets: 168       Bytes: 19357       States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <server> port = 9001 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
      [ Evaluations: 67        Packets: 932       Bytes: 376802      States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <server> port = http keep state label "USER_RULE: NAT " queue qP2Pin
      [ Evaluations: 576       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em1 reply-to (em1 192.168.128.1) inet proto udp from any to <server> port = 9001 keep state label "USER_RULE: NAT " queue qP2Pin
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 inet proto tcp from <admins> to 192.168.1.1 port 1337:1338 flags S/SA keep state label "USER_RULE" queue qLANtraffic
      [ Evaluations: 84901     Packets: 77331     Bytes: 10091738    States: 1     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 inet proto udp from <admins> to 192.168.1.1 port 1337:1338 keep state label "USER_RULE" queue qLANtraffic
      [ Evaluations: 24229     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in log quick on em0 inet proto tcp from any to 192.168.1.1 port 1337:1338 label "USER_RULE"
      [ Evaluations: 47228     Packets: 21        Bytes: 6197        States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    block drop in log quick on em0 inet proto udp from any to 192.168.1.1 port 1337:1338 label "USER_RULE"
      [ Evaluations: 24107     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto tcp from <uT_Box> port = 12801 to any flags S/SA keep state label "USER_RULE" queue qP2P
      [ Evaluations: 48658     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto tcp from <uT_Box> port 12950:12999 to any flags S/SA keep state label "USER_RULE" queue qP2P
      [ Evaluations: 23100     Packets: 299740    Bytes: 65699398    States: 106   ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto udp from <uT_Box> port = 12801 to any keep state label "USER_RULE" queue qP2P
      [ Evaluations: 25238     Packets: 417355    Bytes: 181931808   States: 70    ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto udp from <uT_Box> port 12950:12999 to any keep state label "USER_RULE" queue qP2P
      [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto tcp from <uT_Box> port = 12801 to any flags S/SA keep state allow-opts label "USER_RULE" queue qP2P
      [ Evaluations: 641       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto tcp from <uT_Box> port 12950:12999 to any flags S/SA keep state allow-opts label "USER_RULE" queue qP2P
      [ Evaluations: 574       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto udp from <uT_Box> port = 12801 to any keep state allow-opts label "USER_RULE" queue qP2P
      [ Evaluations: 641       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto udp from <uT_Box> port 12950:12999 to any keep state allow-opts label "USER_RULE" queue qP2P
      [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 3128 flags S/SA keep state label "USER_RULE" queue qLANtraffic
      [ Evaluations: 1892      Packets: 21952     Bytes: 16665734    States: 5     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.1 port = 3128 keep state label "USER_RULE" queue qLANtraffic
      [ Evaluations: 212       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" queue(qDefault, qACKIn)
      [ Evaluations: 1061      Packets: 30162     Bytes: 12788169    States: 7     ]
      [ Inserted: uid 0 pid 2091 ]
    anchor "tftp-proxy/*" all
      [ Evaluations: 85544     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    anchor "miniupnpd" all
      [ Evaluations: 85544     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto tcp from any to ! (em0) port = http flags S/SA keep state
      [ Evaluations: 85544     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    pass in quick on em0 proto tcp from any to ! (em0) port = 3128 flags S/SA keep state
      [ Evaluations: 672       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 2091 ]
    

    Also, just a heads up if it could affect anything, I have turned on AON on both boxes with static ports.  Noticed somewhere it was changing the ports and I'm not sure if that was screwing anything up.  The 2.x machine still is showing an almost equal number of packets on the default/p2p queues on both machines.

    If I can wrap my head around what you meant for that floating rule, I'll implement it and immediately get back here with the results.
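Added example, not from either post above and not pfSense's own code: a small Python script that reads the `pfctl -vsr` format shown in both dumps (a rule line, then the bracketed Evaluations/Packets/Bytes/States line, then the Inserted line) and sums the counters per queue for `pass` rules, so the question in the thread, how much traffic the P2P rules catch compared with the default queue, can be answered from the rule side with one command instead of by eye. It handles both queue spellings that appear above, `queue qP2Pin` and `queue(qDefault, qACKIn)`, and reports the first name as the rule's queue and the second as its ACK queue. The input is a constructed sample in that format with made-up counters; the alias name `uT_Box` follows the thread, the numbers do not.

```python
"""Sum pfctl -vsr rule counters per ALTQ queue (added example, not from the thread)."""
import re
from collections import defaultdict

NO_QUEUE = "(no queue: interface default)"

# "[ Evaluations: N    Packets: N    Bytes: N    States: N ]"
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
# Labels are free text and could contain the word "queue"; strip them before searching.
LABEL_RE = re.compile(r'\blabel\s+"[^"]*"')
# queue(qA, qB)  ->  groups 1 and 2;   queue qA  ->  group 3
QUEUE_RE = re.compile(r"\bqueue\s*(?:\(\s*([^,\s)]+)\s*(?:,\s*([^,\s)]+))?\s*\)|(\S+))")

# Constructed sample in pfctl -vsr layout. Counters are invented for the example.
SAMPLE = """\
anchor "qP2PUp" all tagged qP2PUp
  [ Evaluations: 1000      Packets: 1000      Bytes: 500000      States: 0     ]
  [ Inserted: uid 0 pid 2091 ]
pass in quick on em1 reply-to (em1 192.168.128.1) inet proto tcp from any to <uT_Box> port = 12801 flags S/SA keep state label "USER_RULE: NAT " queue qP2Pin
  [ Evaluations: 5000      Packets: 2000      Bytes: 1500000     States: 20    ]
  [ Inserted: uid 0 pid 2091 ]
pass in quick on em0 proto udp from <uT_Box> port = 12801 to any keep state label "USER_RULE" queue qP2P
  [ Evaluations: 4000      Packets: 3000      Bytes: 2500000     States: 60    ]
  [ Inserted: uid 0 pid 2091 ]
pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" queue(qDefault, qACKIn)
  [ Evaluations: 900       Packets: 400       Bytes: 300000      States: 7     ]
  [ Inserted: uid 0 pid 2091 ]
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 9000      Packets: 5000      Bytes: 4000000     States: 130   ]
  [ Inserted: uid 0 pid 2091 ]
block drop in quick all label "Default deny rule"
  [ Evaluations: 300       Packets: 50        Bytes: 6000        States: 0     ]
  [ Inserted: uid 0 pid 2091 ]
"""


def parse_rules(dump):
    """Return one dict per rule: text, action, queue, ackqueue and the four counters."""
    rules = []
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("$"):
            continue
        if line.startswith("["):
            # Status line belonging to the rule above it; "[ Inserted ... ]" is ignored.
            m = COUNTER_RE.match(line)
            if m and current is not None:
                (current["evaluations"], current["packets"],
                 current["bytes"], current["states"]) = map(int, m.groups())
            continue
        q = QUEUE_RE.search(LABEL_RE.sub("", line))
        current = {
            "rule": line,
            "action": line.split()[0],          # pass / block / anchor / scrub
            "queue": (q.group(1) or q.group(3)) if q else None,
            "ackqueue": q.group(2) if q else None,
            "evaluations": 0, "packets": 0, "bytes": 0, "states": 0,
        }
        rules.append(current)
    return rules


def per_queue(rules, field="bytes"):
    """Sum a counter over pass rules, keyed by the rule's (primary) queue name."""
    totals = defaultdict(int)
    for r in rules:
        if r["action"] != "pass":               # block/anchor rules queue nothing
            continue
        totals[r["queue"] or NO_QUEUE] += r[field]
    return dict(totals)


def share(rules, queue, field="bytes"):
    """Fraction of all pass-rule traffic attributed to one queue (0.0 if no traffic)."""
    totals = per_queue(rules, field)
    grand = sum(totals.values())
    return totals.get(queue, 0) / grand if grand else 0.0


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)                 # replace SAMPLE with open(...).read() or stdin
    totals = per_queue(rules)
    grand = sum(totals.values()) or 1
    for name, nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{name:36} {nbytes:>12} bytes {100 * nbytes / grand:6.1f}%")
```

Two caveats when reading the result. The counters on a `pass ... keep state` rule also count packets matched by the states that rule created, so the sum approximates per-rule traffic, but it does not show which ALTQ queue a packet finally left on: in pf/ALTQ the queue named on a rule is stored in the state and applied on whichever interface the packet leaves, and a queue name that is not defined on that egress interface puts the packet in that interface's default queue. `pfctl -vsq` prints per-queue counters directly on both 1.2.3 and 2.x and is the figure to compare this rule-side sum against.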



  • Well, I've completely removed squid from the equation, re-installed pfsense from the latest ISO and updated, then re-created the rules again.  It still isn't working, and I'm just too frustrated to deal with it for a bit – it is making me feel really stupid, 'cause I just don't understand how the traffic is going where it shouldn't.

    It isn't properly shaping traffic out or in for traffic that I've bound for specific ports, and checked 50 times to make sure that the traffic itself is behaving as it should.  I've even rebound the rules to the wizard's default ports for the traffic I need to shape and it still isn't working.
    I'll admit that much more traffic is indeed going to the correct queue without squid installed.  But this was a non-issue with 1.2.3.  So I'll wait for some stuff to happen.

    The GUI needs some TLC.  The wizard is broken, half the stuff in the configuration screens is not documented or explained -- which is understandable since nothing is set in stone yet and something might change that would require a lot of GUI rewriting.  Rules that make sense in 1.2.3 are largely ineffectual in 2.x.  I don't know if maybe the change of rule order in pf, or something else, is doing this.

    Basically for me to test 2.x I'd need traffic shaping (and squid, my link sucks so I try to save bandwidth).  Traffic shaping is too darn confusing to use right now, bad enough that I'm getting really miffed with it.  So I'll sit back and wait till there is some focus on it in development, and I'll be happy to test it out for ease of use and functionality when it gets put into the spotlight.  Right now it seems there are other areas that are more important.

    But, I hope that it is looked at soon.  QoS is important.  I may not be a pf god, but I'm not quite an idiot.  And if I can't figure out how to shape traffic that I know both the incoming and outgoing ports for, then there is something wrong somewhere.


Locked