No traffic passes WLAN interface after enabling the shaper



  • Hi there,

I've set up four interfaces (WAN, LAN, GUESTWLAN and WLAN) and also added an interface group consisting of LAN and the two WLANs. Now I have some rules set up that allow traffic through my interface group, and certain traffic is also allowed directly on my LAN and WLAN interfaces. When I enable the shaper and my rules are created, I can still get traffic through my LAN interface, but my WLAN is dead. I also see packets get dropped there:

    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
    00:00:00.000000 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52653 > 199.59.148.30.80: [|tcp]
    00:00:00.534050 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52654 > 199.59.148.30.80:  tcp 20 [bad hdr length 0 - too short, < 20]
    00:00:01.829260 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52698 > 17.250.248.121.443: [|tcp]
    00:00:02.120815 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52684 > 66.220.149.55.80: [|tcp]
    00:00:21.173085 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52682 > 66.220.145.38.80: [|tcp]
    00:00:08.320537 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52686 > 66.220.147.36.80: [|tcp]
    00:00:03.213187 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52610 > 66.220.146.29.80: [|tcp]
    00:00:00.201339 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52676 > 66.235.133.11.80:  tcp 32 [bad hdr length 0 - too short, < 20]
    00:00:03.150894 rule 1/0(match): block in on vr0: 10.0.100.1.64750 > 239.255.255.250.1900: UDP, length 132
    00:00:00.015973 rule 1/0(match): block in on vr0: 10.0.100.1.52190 > 10.0.100.254.5351: UDP, length 2
    
    

    The rules for this traffic exist though (from /tmp/rules.debug):

    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port $WebPorts  flags S/SA keep state  label "USER_RULE: Allow web traffic"
    

    The $LocalNets alias contains my interface group nets and the $WebPorts alias contains my web surfing ports. It does work as soon as I remove the shaper.

    Any ideas? Do you need any more info?
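A small triage script for pflog output like the excerpt above (an added example, not code from the thread; the sample lines are copied from the post, so the addresses and interface names are the poster's). It groups blocked packets per interface and rule index, so the index can be mapped back to a rule with `pfctl -vvsr`, and flags entries whose transport header tcpdump could not decode, which with the 96-byte capture size used above is most likely capture truncation rather than a malformed packet.

```python
"""Triage helper for pflog lines as printed by `tcpdump -ni pflog0`."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the pflog excerpt in the post.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52653 > 199.59.148.30.80: [|tcp]
00:00:00.534050 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52654 > 199.59.148.30.80:  tcp 20 [bad hdr length 0 - too short, < 20]
00:00:01.829260 rule 1/0(match): block in on ath0_wlan0: 172.16.100.5.52698 > 17.250.248.121.443: [|tcp]
00:00:03.150894 rule 1/0(match): block in on vr0: 10.0.100.1.64750 > 239.255.255.250.1900: UDP, length 132
00:00:00.015973 rule 1/0(match): block in on vr0: 10.0.100.1.52190 > 10.0.100.254.5351: UDP, length 2
"""

# Matches the TCP/UDP form of a pflog match line (lines without ports, e.g.
# ICMP, and tcpdump's own warnings do not match and are skipped).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>[\w.]+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Return a dict for one pflog match line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    # "[|tcp]" means the capture ended inside the TCP header; "bad hdr length"
    # is tcpdump failing to decode it. Recapture with -s 0 to tell truncation
    # from a genuinely malformed packet.
    rec["truncated"] = "[|tcp]" in rec["rest"] or "bad hdr length" in rec["rest"]
    rec["proto"] = "udp" if rec["rest"].startswith("UDP") else "tcp"
    return rec


def summarize_blocks(text):
    """Group blocked packets by (interface, rule index) with their dest ports."""
    summary = defaultdict(lambda: {"count": 0, "dports": set(), "truncated": 0})
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        entry = summary[(rec["ifname"], rec["rule"])]
        entry["count"] += 1
        entry["dports"].add(rec["dport"])
        entry["truncated"] += int(rec["truncated"])
    return dict(summary)


def report(text):
    """One human-readable triage line per (interface, rule index) bucket."""
    lines = []
    for (ifname, rule), entry in sorted(summarize_blocks(text).items()):
        # The rule number is the index of the rule in the loaded ruleset;
        # `pfctl -vvsr` prints every rule with its @N index, which is how the
        # number is mapped back to a line in /tmp/rules.debug.
        lines.append(
            f"{ifname}: {entry['count']} blocked by rule @{rule}, "
            f"dest ports {sorted(entry['dports'])}, "
            f"{entry['truncated']} with undecodable transport header"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PFLOG):
        print(line)
```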



  • Please provide your full ruleset after having the shaping active. (/tmp/rules.debug)



  • #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ pppoe0 }"
    LAN = "{ vr0 }"
    WLAN = "{ ath0_wlan0 }"
    MODEMACCESS = "{ vr1 }"
    GUESTWLAN = "{ ath0_wlan1 }"
    LocalNets = "{ LocalNets }"
    
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #pfSnortSam tables
    table <snort2c>
    table <pfsnortsamout>
    table <pfsnortsamin>
    table <virusprot>
    # User Aliases 
    table <appleservers> {   17.155.0.0/16  79.223.0.0/16  80.149.0.0/16  87.154.0.0/16 } 
    AppleServers = "<appleservers>"
    table <dumbledore> {   172.16.100.5 } 
    Dumbledore = "<dumbledore>"
    table <dyndns_hostname> persist
    DynDNS_Hostname = "<dyndns_hostname>"
    FaceTimePorts = "{ 3478:3497 16384:16386 16393:16402 }"
    FiletransferPorts = "{ 21 22 }"
    table <gateprotecta> {   10.0.100.222 } 
    gateProtectA = "<gateprotecta>"
    table <gateprotectb> {   10.0.100.233 } 
    gateProtectB = "<gateprotectb>"
    table <hermione> {   172.16.100.50 } 
    Hermione = "<hermione>"
    IRCPorts = "{ 7000 6667 }"
    table <localareanetwork> {   10.0.100.0/24 } 
    LocalAreaNetwork = "<localareanetwork>"
    table <localnetworks> {   10.0.100.0/24  172.16.100.0/24  192.168.100.0/24  192.168.2.0/24 } 
    LocalNetworks = "<localnetworks>"
    table <luna> {   172.16.100.10 } 
    Luna = "<luna>"
    MailPorts = "{ 25 110 143 465 587 993 995 }"
    ManagementPorts = "{ 22 8443 80 443 }"
    MessagingPorts = "{ 1863 5222 5223 5190 }"
    table <penaltybox> {   10.0.100.100/30  10.0.100.104/29  10.0.100.112/29  10.0.100.120/32  172.16.100.100/30  172.16.100.104/29  172.16.100.112/29  172.16.100.120/32  192.168.100.100/30  192.168.100.104/29  192.168.100.112/29  192.168.100.120/32 } 
    PenaltyBox = "<penaltybox>"
    table <pfsense> {   10.0.100.254  172.16.100.254  192.168.100.254 } 
    pfSense = "<pfsense>"
    table <speedport> {   192.168.2.1 } 
    Speedport = "<speedport>"
    StarCraft2Ports = "{ 1119 3724 }"
    SteamPorts = "{ 27000:27015 27015:27030 27014:27050 4380 27015 3478 4379 4380 1500 3005 3101 28960 }"
    TeamviewerPorts = "{ 5938 60179 }"
    WebPorts = "{ 80 443 }"
    table <wirelesslocalareanetwork> {   172.16.100.0/24 } 
    WirelessLocalAreaNetwork = "<wirelesslocalareanetwork>"
    
    # Gateways
    GWWAN = " route-to ( pppoe0 x.x.x.x ) "
    
    set loginterface pppoe0
    set loginterface vr0
    set loginterface ath0_wlan0
    set loginterface vr1
    set loginterface ath0_wlan1
    set optimization normal
    set limit states 23000
    set limit src-nodes 23000
    
    set skip on pfsync0
    
    scrub in on $WAN all    fragment reassemble
    scrub in on $LAN all    fragment reassemble
    scrub in on $WLAN all    fragment reassemble
    scrub in on $MODEMACCESS all    fragment reassemble
    scrub in on $GUESTWLAN all    fragment reassemble
    
     altq on  vr0 priq bandwidth 49000Kb queue {  qACK,  qOthersDefault,  qP2P,  qGames,  qOthersHigh,  qOthersLow  } 
     queue qACK on vr0 priority 6 priq (  ecn  )  
     queue qOthersDefault on vr0 priority 3 priq (  ecn  )  
     queue qP2P on vr0 priority 1 priq (  ecn  , default  )  
     queue qGames on vr0 priority 5 priq (  ecn  )  
     queue qOthersHigh on vr0 priority 4 priq (  ecn  )  
     queue qOthersLow on vr0 priority 2 priq (  ecn  )  
    
     altq on  ath0_wlan0 priq bandwidth 49000Kb queue {  qACK,  qOthersDefault,  qP2P,  qGames,  qOthersHigh,  qOthersLow  } 
     queue qACK on ath0_wlan0 priority 6 priq (  ecn  )  
     queue qOthersDefault on ath0_wlan0 priority 3 priq (  ecn  )  
     queue qP2P on ath0_wlan0 priority 1 priq (  ecn  , default  )  
     queue qGames on ath0_wlan0 priority 5 priq (  ecn  )  
     queue qOthersHigh on ath0_wlan0 priority 4 priq (  ecn  )  
     queue qOthersLow on ath0_wlan0 priority 2 priq (  ecn  )  
    
     altq on  ath0_wlan1 priq bandwidth 49000Kb queue {  qACK,  qOthersDefault,  qP2P,  qGames,  qOthersHigh,  qOthersLow  } 
     queue qACK on ath0_wlan1 priority 6 priq (  ecn  )  
     queue qOthersDefault on ath0_wlan1 priority 3 priq (  ecn  )  
     queue qP2P on ath0_wlan1 priority 1 priq (  ecn  , default  )  
     queue qGames on ath0_wlan1 priority 5 priq (  ecn  )  
     queue qOthersHigh on ath0_wlan1 priority 4 priq (  ecn  )  
     queue qOthersLow on ath0_wlan1 priority 2 priq (  ecn  )  
    
     altq on  pppoe0 priq bandwidth 9000Kb queue {  qACK,  qOthersDefault,  qP2P,  qGames,  qOthersHigh,  qOthersLow  } 
     queue qACK on pppoe0 priority 6 priq (  ecn  )  
     queue qOthersDefault on pppoe0 priority 3 priq (  ecn  )  
     queue qP2P on pppoe0 priority 1 priq (  ecn  , default  )  
     queue qGames on pppoe0 priority 5 priq (  ecn  )  
     queue qOthersHigh on pppoe0 priority 4 priq (  ecn  )  
     queue qOthersLow on pppoe0 priority 2 priq (  ecn  )  
    
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    nat on $WAN  from 10.0.100.0/24 to !192.168.2.1/32 -> x.x.x.x/32 port 1024:65535  
    nat on $MODEMACCESS  from 10.0.100.0/24 to 192.168.2.1/32 -> 192.168.2.254/32 port 1024:65535  
    nat on $WAN  from 172.16.100.0/24 to !192.168.2.1/32 -> x.x.x.x/32 port 1024:65535  
    nat on $WAN  from 192.168.100.0/24 to !192.168.2.1/32 -> x.x.x.x/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <direct_networks> { x.x.x.x/32 10.0.100.0/24 172.16.100.0/24 192.168.2.0/24 192.168.100.0/24 }
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"
    
    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0
    
    # Block all IPv6
    block in quick inet6 all
    block out quick inet6 all
    
    # pfSnortSam
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
    block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 8443 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
    antispoof for pppoe0
    # block anything from private networks on interfaces with the option set
    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    antispoof for vr0
    # allow access to DHCP server on LAN
    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 10.0.100.254 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 10.0.100.254 port = 67 to any port = 68 label "allow access to DHCP server"
    antispoof for ath0_wlan0
    # allow access to DHCP server on WLAN
    pass in on $WLAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $WLAN proto udp from any port = 68 to 172.16.100.254 port = 67 label "allow access to DHCP server"
    pass out on $WLAN proto udp from 172.16.100.254 port = 67 to any port = 68 label "allow access to DHCP server"
    antispoof for vr1
    antispoof for ath0_wlan1
    # allow access to DHCP server on GUESTWLAN
    pass in on $GUESTWLAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $GUESTWLAN proto udp from any port = 68 to 192.168.100.254 port = 67 label "allow access to DHCP server"
    pass out on $GUESTWLAN proto udp from 192.168.100.254 port = 67 to any port = 68 label "allow access to DHCP server"
    
    # loopback
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( pppoe0 x.x.x.x ) from x.x.x.x to !x.x.x.x/32 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on vr0 proto tcp from any to (vr0) port { 8443 443  22 } keep state label "anti-lockout rule"
    
    # User-defined rules follow
    match    from any to any  queue (qOthersLow)  label "USER_RULE: Penalty Box"
    match    proto udp  from any to any port 88   queue (qGames)  label "USER_RULE: m_Game xbox360-1 outbound"
    match    proto udp  from any to any port 3074   queue (qGames)  label "USER_RULE: m_Game xbox360-2 outbound"
    match    proto tcp  from any to any port 3074   queue (qGames,qACK)  label "USER_RULE: m_Game xbox360-3 outbound"
    match    proto tcp  from any to any port 3389   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other MSRDP outbound"
    match    proto tcp  from any to any port 5899 >< 5931   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other VNC outbound"
    match    proto tcp  from any to any port 3283   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other AppleRemoteDesktop1 outbound"
    match    proto tcp  from any to any port 5900   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other AppleRemoteDesktop2 outbound"
    match    proto udp  from any to any port 3283   queue (qOthersHigh)  label "USER_RULE: m_Other AppleRemoteDesktop3 outbound"
    match    proto udp  from any to any port 5900   queue (qOthersHigh)  label "USER_RULE: m_Other AppleRemoteDesktop4 outbound"
    match    proto tcp  from any to any port 5631   queue (qOthersLow,qACK)  label "USER_RULE: m_Other pcany1 outbound"
    match    proto udp  from any to any port 5632   queue (qOthersLow)  label "USER_RULE: m_Other pcany2 outbound"
    match    proto tcp  from any to any port 6666 >< 6671   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IRC outbound"
    match    proto tcp  from any to any port 5222   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IRC outbound"
    match    proto tcp  from any to any port 5223   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IRC outbound"
    match    proto tcp  from any to any port 5269   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IRC outbound"
    match    proto tcp  from any to any port 5190   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other ICQ1 outbound"
    match    proto udp  from any to any port 5190   queue (qOthersDefault)  label "USER_RULE: m_Other ICQ2 outbound"
    match    proto tcp  from any to any port 5190   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other AIM outbound"
    match    proto tcp  from any to any port 1863   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other MSN1 outbound"
    match    proto tcp  from any to any port 6890 >< 6901   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other MSN2 outbound"
    match    proto tcp  from any to any port 6901   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other MSN3 outbound"
    match    proto udp  from any to any port 6901   queue (qOthersDefault)  label "USER_RULE: m_Other MSN4 outbound"
    match    proto tcp  from any to any port 14534   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other teamspeak1 outbound"
    match    proto tcp  from any to any port 51234   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other teamspeak2 outbound"
    match    proto udp  from any to any port 8766 >< 8769   queue (qOthersDefault)  label "USER_RULE: m_Other teamspeak3 outbound"
    match    proto tcp  from any to any port 1723   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other PPTP outbound"
    match    proto gre  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other PPTPGRE outbound"
    match    proto udp  from any to any port 500   queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
    match    proto ah  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
    match    proto esp  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
    match    proto tcp  from any to any port 7999 >< 8101   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other STREAMINGMP3 outbound"
    match    proto tcp  from any to any port 554   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other RTSP1 outbound"
    match    proto tcp  from any to any port 80   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other HTTP outbound"
    match    proto tcp  from any to any port 443   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other HTTPS outbound"
    match  proto tcp  from any to any port 22   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other SSH outbound"
    match    proto tcp  from any to any port 25   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other SMTP outbound"
    match    proto tcp  from any to any port 110   queue (qOthersLow,qACK)  label "USER_RULE: m_Other POP3 outbound"
    match    proto tcp  from any to any port 143   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IMAP outbound"
    match    proto tcp  from any to any port 1352   queue (qOthersLow,qACK)  label "USER_RULE: m_Other LotusNotes1 outbound"
    match    proto udp  from any to any port 1352   queue (qOthersLow)  label "USER_RULE: m_Other LotusNotes2 outbound"
    match    proto tcp  from any to any port 53   queue (qOthersHigh,qACK)  label "USER_RULE: m_Other DNS1 outbound"
    match    proto udp  from any to any port 53   queue (qOthersHigh)  label "USER_RULE: m_Other DNS2 outbound"
    match    inet proto icmp  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other ICMP outbound"
    match    proto tcp  from any to any port 445   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other SMB1 outbound"
    match    proto tcp  from any to any port 136 >< 140   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other SMB2 outbound"
    match    proto tcp  from any to any port 161   queue (qOthersDefault,qACK)  label "USER_RULE: m_Other SNMP outbound"
    match    proto udp  from any to any port 161   queue (qOthersDefault)  label "USER_RULE: m_Other SNMP2 outbound"
    match    proto tcp  from any to any port 3306   queue (qOthersLow,qACK)  label "USER_RULE: m_Other MySQL1 outbound"
    match    proto tcp  from any to any port 119   queue (qOthersLow,qACK)  label "USER_RULE: m_Other NNTP1 outbound"
    match    proto udp  from any to any port 119   queue (qOthersLow)  label "USER_RULE: m_Other NNTP2 outbound"
    match    proto tcp  from any to any port 5999   queue (qOthersLow,qACK)  label "USER_RULE: m_Other cvsup outbound"
    match    proto tcp  from any to any port 5001   queue (qOthersLow,qACK)  label "USER_RULE: m_Other Slingbox1 outbound"
    match    proto udp  from any to any port 5001   queue (qOthersLow)  label "USER_RULE: m_Other Slingbox2 outbound"
    match    proto tcp  from any to any port 3000   queue (qOthersLow,qACK)  label "USER_RULE: m_Other HBCI outbound"
    pass  in log  quick  on $WAN reply-to ( pppoe0 x.x.x.x )  proto tcp  from any to x.x.x.x port 22  flags S/SA keep state ( max-src-conn 5 max-src-conn-rate 5 /30, overload <virusprot> flush global  )  label "USER_RULE: Allow Secure Shell to pfSense"
    block  in  quick  on $LAN  from any to   10.0.100.255  label "USER_RULE: Don't log broadcasts"
    pass  in  quick  on $LAN  from   $gateProtectA to any keep state  label "USER_RULE: gateProtect A any"
    pass  in  quick  on $LAN  from   $gateProtectB to any keep state  label "USER_RULE: gateProtect B any"
    pass  in  quick  on $LAN  from 10.0.100.0/24 to 172.16.100.254/24 keep state  label "USER_RULE: Default allow LAN to WLAN rule"
    pass  in  quick  on $LAN  proto tcp  from 10.0.100.0/24 to  ! $LocalNetworks port 8000  flags S/SA keep state  label "USER_RULE: Allow Easynews traffic"
    pass  in  quick  on $LAN  proto { tcp udp }  from 10.0.100.0/24 to  ! $LocalNetworks port $SteamPorts  keep state  label "USER_RULE: Allow Steam"
    pass  in  quick  on $LAN  proto udp  from 10.0.100.0/24 to   $AppleServers port $FaceTimePorts  keep state  label "USER_RULE: Allow Facetime"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to   $pfSense port $ManagementPorts  flags S/SA keep state  label "USER_RULE: pfSense Management"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to   $Speedport port $ManagementPorts  flags S/SA keep state  label "USER_RULE: Speedport Management"
    pass  in  quick  on $LocalNets  proto { tcp udp }  from   $LocalNetworks to   $pfSense port 53  keep state  label "USER_RULE: pfSense DNS Forwarder"
    pass  in  quick  on $LocalNets  proto { tcp udp }  from   $LocalNetworks to   $pfSense port 123  keep state  label "USER_RULE: pfSense NTP"
    pass  in  quick  on $LocalNets  inet proto icmp  from   $LocalNetworks to   $pfSense icmp-type echoreq keep state  label "USER_RULE: Echo requests to pfSense"
    pass  in  quick  on $LocalNets  inet proto icmp  from   $LocalNetworks to   $Speedport icmp-type echoreq keep state  label "USER_RULE: Echo requests to Speedport"
    pass  in  quick  on $LocalNets  inet proto icmp  from   $LocalNetworks to  ! $LocalNetworks icmp-type echoreq keep state  label "USER_RULE: Echo requests"
    pass  in  quick  on $LocalNets  proto udp  from   $LocalNetworks to  ! $LocalNetworks port 33433 >< 33535  keep state  label "USER_RULE: Traceroute"
    pass  in  quick  on $LocalNets  proto udp  from   $LocalNetworks port 1900  to   239.255.255.250 port 1900  keep state  label "USER_RULE: SSDP"
    pass  in  quick  on $LocalNets  proto udp  from   $LocalNetworks port 5353  to   224.0.0.251 port 5353  keep state  label "USER_RULE: MDNS"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port 8443  flags S/SA keep state  label "USER_RULE: Allow pcsync-https"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port $IRCPorts  flags S/SA keep state  label "USER_RULE: Allow IRC"
    pass  in  quick  on $LocalNets  proto { tcp udp }  from   $LocalNetworks to  ! $LocalNetworks port 5354  keep state  label "USER_RULE: Allow mdnsresponder"
    pass  in  quick  on $LocalNets  proto { tcp udp }  from   $LocalNetworks to  ! $LocalNetworks port 5678  keep state  label "USER_RULE: Allow Remote Replication Agent Connection"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port 31234  flags S/SA keep state  label "USER_RULE: Allow Guitar Pro Updater"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port $WebPorts  flags S/SA keep state  label "USER_RULE: Allow web traffic"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port $MailPorts  flags S/SA keep state  label "USER_RULE: Allow mail traffic"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port $MessagingPorts  flags S/SA keep state  label "USER_RULE: Allow IM traffic"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port $FiletransferPorts  flags S/SA keep state  label "USER_RULE: Allow file transfers"
    pass  in  quick  on $LocalNets  proto tcp  from   $LocalNetworks to  ! $LocalNetworks port $TeamviewerPorts  flags S/SA keep state  label "USER_RULE: Allow TeamViewer"
    pass  in  quick  on $LocalNets  proto { tcp udp }  from   $LocalNetworks to  ! $LocalNetworks port $StarCraft2Ports  keep state  label "USER_RULE: Allow StarCraft 2 and Battle.net"
    block  in  quick  on $WLAN  from any to   172.16.100.255  label "USER_RULE: Don't log broadcasts"
    pass  in  quick  on $WLAN  from 172.16.100.254/24 to 10.0.100.0/24 keep state  label "USER_RULE: Default allow WLAN to LAN rule"
    pass  in  quick  on $WLAN  proto tcp  from 172.16.100.254/24 to 172.16.100.254 port 8000  flags S/SA keep state  label "USER_RULE: Captive Portal -> pfSense"
    pass  in  quick  on $WLAN  proto tcp  from   $Hermione to 172.16.100.254 port 2189  flags S/SA keep state  label "USER_RULE: Allow PS3 UPnP"
    pass  in  quick  on $WLAN  from   $Hermione to  ! $LocalNetworks keep state  label "USER_RULE: Allow PS3 Any"
    pass  in  quick  on $WLAN  from   $Dumbledore to  ! $LocalNetworks keep state  label "USER_RULE: Allow Dumbledore Any"
    block  in  quick  on $MODEMACCESS  from   $Speedport to any  label "USER_RULE: Disable logging for all Speedport traffic"
    block  in  quick  on $GUESTWLAN  from   $Speedport to any  label "USER_RULE: Don't log packets from Speedport"
    
    # VPN Rules
    anchor "tftp-proxy/*"
    
    # uPnPd
    anchor "miniupnpd"
    


  • And did you find anything unusual ermal?



  • Can you please show me the output of ifconfig -g LocalNets ?



  • That gives me:

    vr0
    ath0_wlan0
    ath0_wlan1



  • The only thing I can say then is that this is either traffic with IP options or traffic with the don't-fragment bit set.
    Can you please collect tcpdumps and pfctl -vss and pfctl -vsr about this?



  • Yeah. I will get that info on the weekend…



  • Updated to the latest snap of today and re-ran the wizard. At the moment this seems to be working. Is it new that the wizard only creates queues for the WAN interface and not for the LAN interfaces anymore?

