Problem with Traffic Shaper



  • Hi everyone!

    After solving the problems I had with the initial configuration, I now have the following one (yes, I'm full of problems, hahaha). First of all I want to say that I have read and read but I cannot solve the problem (including Mr. bellera's good guide).

    The problem is that I configure the traffic shaper with a maximum download rate of approximately 320Kb (40Kbytes) and the UpperLimit option. So far so good, because when I connect one machine it downloads at exactly that speed. The problem comes when I connect two machines: instead of one downloading at 20kbytes and the other the same (that is, sharing the bandwidth), one downloads at 20kbytes and the other starts getting 0Kbytes or 20kbytes, causing quite a few problems.

    I mean that I don't care whether they are p2p programs, direct downloads or whatever, I just want the line to be shared and, if possible, when one isn't using it, the other can use the full bandwidth. Also, the bandwidth for this is practically 90%.

    Can anyone help me?

    Regards.

    rules.debug file

    # System Aliases

    loopback = "{ lo0 }"
    lan = "{ ath0  }"
    ng0 = "{ vr0 ng0 }"
    wan = "{ vr0  ng0 }"
    enc0 = "{ enc0 }"

    # User Aliases

    Clientes = "{ 192.168.2.230 192.168.2.231 192.168.2.232 192.168.2.233 192.168.2.234 192.168.2.235 192.168.2.236 192.168.2.237 192.168.2.238 192.168.2.239 192.168.2.240 192.168.2.241 192.168.2.242 192.168.2.243 192.168.2.244 192.168.2.245 192.168.2.246 192.168.2.247 192.168.2.248 192.168.2.249 }"
    Gestion = "{ 192.168.2.250 }"

    set loginterface vr0
    set loginterface ath0
    set optimization normal

    scrub all random-id max-mss 1452 fragment reassemble
    altq on vr0 hfsc bandwidth 256Kb queue { qwanRoot }
    altq on ath0 hfsc bandwidth 2000Kb queue { qlanRoot }

    queue qwanRoot bandwidth 256Kb priority 0 hfsc { qwandef, qwanacks, qPenaltyUp }
    queue qlanRoot bandwidth 2000Kb priority 0 hfsc { qlandef, qlanacks, qPenaltyDown }
    queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
    queue qlandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
    queue qwanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
    queue qlanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
    queue qPenaltyUp bandwidth 50% priority 7 hfsc (  red ecn upperlimit 80Kb )
    queue qPenaltyDown bandwidth 50% priority 7 hfsc (  red ecn upperlimit 320Kb )

    nat-anchor "pftpx/*"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # FTP proxy

    rdr-anchor "pftpx/*"

    # Outbound NAT rules

    nat on $ng0 from 192.168.2.0/24 to any -> (ng0)

    # SSH Lockout Table
    table <sshlockout> persist

    # Load balancing anchor - slbd updates

    rdr-anchor "slb"

    # FTP Proxy/helper

    table <vpns> { }

    # NAT Inbound Redirects

    rdr on ng0 proto tcp from any to 83.46.138.205 port { 4662 } -> 192.168.2.249
    rdr on ng0 proto udp from any to 83.46.138.205 port { 4672 } -> 192.168.2.249

    # IMSpector rdr anchor

    rdr-anchor "imspector"

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    block in all tag unshaped label "SHAPER: first match rule"
    pass in on  $wan from any  to $Clientes  keep state tagged unshaped tag qPenaltyUp
    pass out on $lan from any to $Clientes keep state tagged qPenaltyUp tag qPenaltyDown
    pass in on  $lan from $Clientes  to any  keep state tagged unshaped tag qPenaltyDown
    pass out on $wan from any to any keep state tagged qPenaltyDown tag qPenaltyUp

    anchor "ftpsesame/*"
    anchor "firewallrules"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # snort2c

    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # loopback

    anchor "loopback"
    pass in quick on $loopback all label "pass loopback"
    pass out quick on $loopback all label "pass loopback"

    # package manager early specific hook

    anchor "packageearly"

    # carp

    anchor "carp"

    # permit wan interface to ping out (ping_hosts.sh)

    pass quick proto icmp from 83.46.138.205 to any keep state

    # NAT Reflection rules

    # allow access to DHCP server on LAN

    anchor "dhcpserverlan"
    pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
    pass in quick on $lan proto udp from any port = 68 to 192.168.2.100 port = 67 label "allow access to DHCP server on LAN"
    pass out quick on $lan proto udp from 192.168.2.100 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
    block in log quick on $wan proto udp from any port = 67 to 192.168.2.0/24 port = 68 label "block dhcp client out wan"

    pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

    # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

    antispoof for ath0

    anchor "spoofing"

    # Support for allow limiting of TCP connections by establishment rate

    anchor "limitingesr"
    table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"

    # pass traffic from firewall -> out

    anchor "firewallout"
    pass out quick on  { vr0 ng0 }  all keep state tagged qPenaltyUp queue (qPenaltyUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on  { vr0 ng0 }  all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
    pass out quick on ath0 all keep state tagged qPenaltyDown queue (qPenaltyDown, qlanacks) label "let out anything from firewall host itself"
    pass out quick on ath0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"
    # permit wan interface to ping out (ping_hosts.sh)
    pass out quick on ng0 proto icmp keep state label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webGUI or SSH

    anchor "anti-lockout"
    pass in quick on ath0 from any to 192.168.2.100 keep state label "anti-lockout web rule"

    # SSH lockout

    block in log proto tcp from <sshlockout>to any port 22 label "sshlockout"

    anchor "ftpproxy"
    anchor "pftpx/*"

    # User-defined aliases follow

    # Anchors for rules that might be matched by queues

    anchor qwanRoot tagged qwanRoot
    load anchor qwanRoot from "/tmp/qwanRoot.rules"
    anchor qlanRoot tagged qlanRoot
    load anchor qlanRoot from "/tmp/qlanRoot.rules"
    anchor qwandef tagged qwandef
    load anchor qwandef from "/tmp/qwandef.rules"
    anchor qlandef tagged qlandef
    load anchor qlandef from "/tmp/qlandef.rules"
    anchor qwanacks tagged qwanacks
    load anchor qwanacks from "/tmp/qwanacks.rules"
    anchor qlanacks tagged qlanacks
    load anchor qlanacks from "/tmp/qlanacks.rules"
    anchor qPenaltyUp tagged qPenaltyUp
    load anchor qPenaltyUp from "/tmp/qPenaltyUp.rules"
    anchor qPenaltyDown tagged qPenaltyDown
    load anchor qPenaltyDown from "/tmp/qPenaltyDown.rules"

    # User-defined rules follow

    pass in log quick on $wan from any to any keep state  queue (qwandef, qwanacks)  label "USER_RULE"
    pass in log quick on $lan from any to any keep state  queue (qlandef, qlanacks)  label "USER_RULE"

    # VPN Rules

    pass in quick on ath0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on ath0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on ng0 inet proto tcp from port 20 to (ng0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

    # enable ftp-proxy

    # IMSpector

    anchor "imspector"

    # uPnPd

    anchor "miniupnpd"

    #---------------------------------------------------------------------------

    # default rules (just to be sure)

    #---------------------------------------------------------------------------
    block in log quick all label "Default block all just to be sure."
    block out log quick all label "Default block all just to be sure."



  • Does nobody know how to fix it?

    A little help, please.



  • Hi!

    From what you say, you want queues per client, not per connection type.

    The Traffic Shaper wizard creates the queues by connection type and their corresponding rules.

    Keeping the queue structure (parent and children) and their rules, create (by hand) your own, by IP.

    Regards,

    Josep Pujadas
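    The per-client queue structure Josep describes, written out as an added example for the LAN side (this is not code from the thread or from pfSense's generated rules.debug). It keeps the wizard's root, default and ACK queues from the posted file, puts two child queues under qPenaltyDown for two of the addresses in the Clientes alias, and assumes the queue names qCli230 and qCli231, which are invented here.

    ```pf
    # Added example, not from the thread: per-client HFSC child queues on the
    # LAN interface so the 320Kb download cap is shared instead of fought over.
    # Queue names qCli230/qCli231 are invented; addresses are from the Clientes alias.
    lan = "{ ath0 }"

    altq on ath0 hfsc bandwidth 2000Kb queue { qlanRoot }
    queue qlanRoot bandwidth 2000Kb priority 0 hfsc { qlandef, qlanacks, qPenaltyDown }
    queue qlandef  bandwidth 1%  priority 1 qlimit 500 hfsc ( default realtime 1% )
    queue qlanacks bandwidth 25% priority 7 hfsc ( realtime 10% )

    # The parent keeps the 320Kb upperlimit; the children are link-share classes
    # under it. Each client is guaranteed half of the parent's bandwidth, and HFSC
    # link-sharing lets an idle client's share be borrowed by the active one, so a
    # single active host still gets the full 320Kb. RED/ECN stays on the leaves.
    queue qPenaltyDown bandwidth 50% priority 7 hfsc ( upperlimit 320Kb ) { qCli230, qCli231 }
    queue qCli230 bandwidth 50% hfsc ( red ecn )
    queue qCli231 bandwidth 50% hfsc ( red ecn )

    # Classify by destination client instead of by connection type. Traffic to any
    # other LAN host still falls into qlandef, the default queue.
    pass out quick on $lan from any to 192.168.2.230 keep state queue (qCli230, qlanacks)
    pass out quick on $lan from any to 192.168.2.231 keep state queue (qCli231, qlanacks)
    ```

    The upload direction gets the same treatment on the WAN interface, with child queues under qPenaltyUp and rules matching on the client as source address; `pfctl -vvsq` shows per-queue packet and drop counters, which is the quickest way to confirm both clients are landing in their own queue.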

