pfSense 2.0-BETA5: Unable to limit IPs in Penalty Box



  • Currently running 2.0-BETA5 (i386) built on Thu Feb 10 20:50:06 EST 2011.  The system has one wan and one lan interface.

    I am trying to put a single IP into the penalty box using the traffic shaping wizards (your choice of Single-LAN/multi-WAN or multi LAN/WAN).  In short, this does not work.

    Looking at the pf config, you can see that queues have been set up:

    grep queue /tmp/rules.debug
     altq on  em0 hfsc bandwidth 650Kb queue {  qACK,  qDefault  }
     queue qACK on em0 bandwidth 14% hfsc (  ecn  , linkshare 14%  )
     queue qDefault on em0 bandwidth 7% hfsc (  ecn  , default  )
    pass   out  from any to any  queue (qOthersLow)  label "USER_RULE: Penalty Box"

    But the Penalty Box queue qOthersLow is not defined in the altq statement and the particular IP I am trying to penalize does not appear in the pf config at all.

    This is a long-running problem (e.g. http://forum.pfsense.org/index.php/topic,22344) which is probably due to be fixed.

    Thanks.


  • Rebel Alliance Developer Netgate

    It may help to have the shaper section of your config.xml as well as the entire contents of /tmp/rules.debug.



  • I've attached the shaper section of config.xml and the entire rules.debug file.

    The address I am attempting to block (192.168.56.22), and the other details of the Penalty Box configuration, do appear in the ezshaper section of the XML, but they do not make it through to rules.debug.

    shaper.xml.txt
    rules.debug.txt



  • I am having the same problem. Were you able to solve this issue?

    Is traffic shaping (penalize IP) totally dysfunctional in pfSense?

    Gurus some input please.

    My post related to this:
    http://forum.pfsense.org/index.php/topic,36002.msg185862.html#msg185862

    Regards,



  • Can you please show even the ezshaper section from your config?



  • My other post (referenced above) includes all the snapshots, but here are the configs:

     <ezshaper>
       <step2><download>2000</download>
         <upload>700</upload>
         <inside_int>opt1</inside_int>
         <outside_int>wan</outside_int></step2>
       <step3><provider>Asterisk</provider>
         <address></address>
         <bandwidth>384</bandwidth></step3>
       <step4><address>192.168.2.5</address>
         <bandwidthup>300</bandwidthup>
         <bandwidthdown>1500</bandwidthdown>
         <enable>on</enable></step4>
       <step5><bandwidthup>10</bandwidthup>
         <bandwidthdown>10</bandwidthdown>
         <enable>on</enable>
         <p2pcatchall>on</p2pcatchall></step5>
       <step7><msrdp>D</msrdp>
         <vnc>D</vnc>
         <appleremotedesktop>D</appleremotedesktop>
         <pcanywhere>D</pcanywhere>
         <irc>D</irc>
         <jabber>D</jabber>
         <icq>D</icq>
         <aolinstantmessenger>D</aolinstantmessenger>
         <msnmessenger>D</msnmessenger>
         <teamspeak>D</teamspeak>
         <pptp>D</pptp>
         <ipsec>D</ipsec>
         <streamingmp3>D</streamingmp3>
         <rtsp>D</rtsp>
         <http>D</http>
         <smtp>D</smtp>
         <pop3>D</pop3>
         <imap>D</imap></step7>
     </ezshaper>

    I thought penalize would be a no-brainer as this is not even QoS.

    Thanks,


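    A quick consistency check for the symptom this thread describes (the Penalty Box pass rule references a queue that no altq/queue line defines, and the penalized address never reaches rules.debug), added here as an example that is neither the posters' nor pfSense's own code. The rules.debug lines and the ezshaper fragment are constructed from the ones quoted in this thread; the check assumes a single address in step4 and plain pf syntax as shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the ezshaper step4 (Penalty Box) fragment quoted above.
EZSHAPER_XML = """<ezshaper>
  <step4><address>192.168.2.5</address><bandwidthup>300</bandwidthup>
         <bandwidthdown>1500</bandwidthdown><enable>on</enable></step4>
</ezshaper>"""

# Constructed sample: the rules.debug lines from the first post in this thread.
RULES_DEBUG = """altq on  em0 hfsc bandwidth 650Kb queue {  qACK,  qDefault  }
queue qACK on em0 bandwidth 14% hfsc (  ecn  , linkshare 14%  )
queue qDefault on em0 bandwidth 7% hfsc (  ecn  , default  )
pass   out  from any to any  queue (qOthersLow)  label "USER_RULE: Penalty Box"
"""

QUEUE_DEF = re.compile(r'^\s*queue\s+(\S+)\s+on\s+\S+', re.M)      # queue qX on em0 ...
ALTQ_DEF = re.compile(r'^\s*altq\s+on\s+\S+.*?queue\s*\{([^}]*)\}', re.M)  # altq ... queue { a, b }
QUEUE_REF = re.compile(r'^\s*pass\b.*?\bqueue\s*\(([^)]*)\)', re.M)  # pass ... queue (qX[, qY])

def _names(body):
    return {n.strip() for n in body.split(',') if n.strip()}

def defined_queues(rules):
    """Queue names declared by altq or queue statements."""
    names = set(QUEUE_DEF.findall(rules))
    for body in ALTQ_DEF.findall(rules):
        names |= _names(body)
    return names

def referenced_queues(rules):
    """Queue names that pass rules assign traffic to."""
    refs = set()
    for body in QUEUE_REF.findall(rules):
        refs |= _names(body)
    return refs

def penalty_addresses(ezshaper_xml):
    """Addresses the wizard's Penalty Box step (step4) was asked to penalize."""
    step4 = ET.fromstring(ezshaper_xml).find('step4')
    if step4 is None or (step4.findtext('enable') or '') != 'on':
        return []
    return [a for a in re.split(r'[,\s]+', step4.findtext('address') or '') if a]

def check_shaper(ezshaper_xml, rules):
    """Report queues used but never defined, and penalized addresses absent from the rules."""
    undefined = sorted(referenced_queues(rules) - defined_queues(rules))
    missing = [a for a in penalty_addresses(ezshaper_xml)
               if not re.search(r'(?<![\d.])' + re.escape(a) + r'(?![\d.])', rules)]
    return {'undefined_queues': undefined, 'missing_addresses': missing}

if __name__ == '__main__':
    print(check_shaper(EZSHAPER_XML, RULES_DEBUG))
```

    On the sample above this reports qOthersLow as referenced but undefined and 192.168.2.5 as missing, which is exactly the mismatch the posters see between config.xml and rules.debug.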

  • Anything on this?

    Regards,

