Problem with Traffic Shaper
-
Hello everyone!
After solving the problems I had with the initial configuration, I now have the following one (yes, I am full of problems, hahaha). First of all I want to say that I have read and read but I cannot solve the problem (including Mr. bellera's good guide).
The problem is that I configure the traffic shaper with a maximum rate of approximately 320Kb (40Kbytes) on the download side and the UpperLimit option. So far so good, because when I connect one machine it downloads at exactly that speed. The problem comes when I connect two machines: instead of one downloading at 20kbytes and the other the same (that is, sharing the bandwidth), one downloads at 20kbytes and the other starts giving 0Kbytes or 20kbytes, causing quite a few problems.
I mean I don't care whether they are p2p programs, direct downloads or whatever; I simply want the line to be shared and, if possible, when one isn't using it, the other uses the full bandwidth. Also, the bandwidth for this is practically 90%.
Can anyone help me?
Regards.
rules.debug file
# System Aliases
loopback = "{ lo0 }"
lan = "{ ath0 }"
ng0 = "{ vr0 ng0 }"
wan = "{ vr0 ng0 }"
enc0 = "{ enc0 }"
# User Aliases
Clientes = "{ 192.168.2.230 192.168.2.231 192.168.2.232 192.168.2.233 192.168.2.234 192.168.2.235 192.168.2.236 192.168.2.237 192.168.2.238 192.168.2.239 192.168.2.240 192.168.2.241 192.168.2.242 192.168.2.243 192.168.2.244 192.168.2.245 192.168.2.246 192.168.2.247 192.168.2.248 192.168.2.249 }"
Gestion = "{ 192.168.2.250 }"
set loginterface vr0
set loginterface ath0
set optimization normal
scrub all random-id max-mss 1452 fragment reassemble
altq on vr0 hfsc bandwidth 256Kb queue { qwanRoot }
altq on ath0 hfsc bandwidth 2000Kb queue { qlanRoot }
queue qwanRoot bandwidth 256Kb priority 0 hfsc { qwandef, qwanacks, qPenaltyUp }
queue qlanRoot bandwidth 2000Kb priority 0 hfsc { qlandef, qlanacks, qPenaltyDown }
queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qlandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qwanacks bandwidth 25% priority 7 hfsc ( realtime 10% )
queue qlanacks bandwidth 25% priority 7 hfsc ( realtime 10% )
queue qPenaltyUp bandwidth 50% priority 7 hfsc ( red ecn upperlimit 80Kb )
queue qPenaltyDown bandwidth 50% priority 7 hfsc ( red ecn upperlimit 320Kb )
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# FTP proxy
rdr-anchor "pftpx/*"
# Outbound NAT rules
nat on $ng0 from 192.168.2.0/24 to any -> (ng0)
#SSH Lockout Table
table <sshlockout> persist
# Load balancing anchor - slbd updates
rdr-anchor "slb"
# FTP Proxy/helper
table <vpns> { }
# NAT Inbound Redirects
rdr on ng0 proto tcp from any to 83.46.138.205 port { 4662 } -> 192.168.2.249
rdr on ng0 proto udp from any to 83.46.138.205 port { 4672 } -> 192.168.2.249
# IMSpector rdr anchor
rdr-anchor "imspector"
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
block in all tag unshaped label "SHAPER: first match rule"
pass in on $wan from any to $Clientes keep state tagged unshaped tag qPenaltyUp
pass out on $lan from any to $Clientes keep state tagged qPenaltyUp tag qPenaltyDown
pass in on $lan from $Clientes to any keep state tagged unshaped tag qPenaltyDown
pass out on $wan from any to any keep state tagged qPenaltyDown tag qPenaltyUp
anchor "ftpsesame/*"
anchor "firewallrules"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"
# package manager early specific hook
anchor "packageearly"
# carp
anchor "carp"
# permit wan interface to ping out (ping_hosts.sh)
pass quick proto icmp from 83.46.138.205 to any keep state
# NAT Reflection rules
# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 192.168.2.100 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 192.168.2.100 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on $wan proto udp from any port = 67 to 192.168.2.0/24 port = 68 label "block dhcp client out wan"
pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for ath0
anchor "spoofing"
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on { vr0 ng0 } all keep state tagged qPenaltyUp queue (qPenaltyUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on { vr0 ng0 } all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
pass out quick on ath0 all keep state tagged qPenaltyDown queue (qPenaltyDown, qlanacks) label "let out anything from firewall host itself"
pass out quick on ath0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
pass out quick on $enc0 keep state label "IPSEC internal host to host"
# permit wan interface to ping out (ping_hosts.sh)
pass out quick on ng0 proto icmp keep state label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick on ath0 from any to 192.168.2.100 keep state label "anti-lockout web rule"
# SSH lockout
block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"
anchor "ftpproxy"
anchor "pftpx/*"
# User-defined aliases follow
# Anchors for rules that might be matched by queues
anchor qwanRoot tagged qwanRoot
load anchor qwanRoot from "/tmp/qwanRoot.rules"
anchor qlanRoot tagged qlanRoot
load anchor qlanRoot from "/tmp/qlanRoot.rules"
anchor qwandef tagged qwandef
load anchor qwandef from "/tmp/qwandef.rules"
anchor qlandef tagged qlandef
load anchor qlandef from "/tmp/qlandef.rules"
anchor qwanacks tagged qwanacks
load anchor qwanacks from "/tmp/qwanacks.rules"
anchor qlanacks tagged qlanacks
load anchor qlanacks from "/tmp/qlanacks.rules"
anchor qPenaltyUp tagged qPenaltyUp
load anchor qPenaltyUp from "/tmp/qPenaltyUp.rules"
anchor qPenaltyDown tagged qPenaltyDown
load anchor qPenaltyDown from "/tmp/qPenaltyDown.rules"
# User-defined rules follow
pass in log quick on $wan from any to any keep state queue (qwandef, qwanacks) label "USER_RULE"
pass in log quick on $lan from any to any keep state queue (qlandef, qlanacks) label "USER_RULE"
# VPN Rules
pass in quick on ath0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on ath0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on ng0 inet proto tcp from port 20 to (ng0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
# enable ftp-proxy
# IMSpector
anchor "imspector"
# uPnPd
anchor "miniupnpd"
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."
Does nobody know how to solve it?
A little help, please.
-
Hello!
From what you say, you want queues per client, not per connection type.
The Traffic Shaper wizard creates the queues by connection type and their corresponding rules.
Respecting the queue structure (parent and children) and their rules, create (by hand) your own, by IP.
Regards,
Josep Pujadas
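A per-client queue tree of the kind this reply describes, given here as an added example; it is not the poster's configuration nor what the pfSense wizard generates. The interfaces, root rates, the 320Kb/80Kb caps, the tag chain and the client addresses are taken from the rules.debug above; the queue names (qClientsDown, qClientsUp, qDown230, qUp230 and so on) and the per-client tag names (cl230, cl231) are assumptions. The point it illustrates: a single HFSC leaf such as qPenaltyDown is one FIFO, so the scheduler does nothing to balance two TCP streams inside it and one stream can starve the other. With one child class per client under a parent that carries the upperlimit, HFSC divides the parent's rate between the active children, and a child whose client is idle lends its share to the others, which is exactly the "share, but use the whole line when alone" behaviour asked for in the first post.

```pf
# Added example, not from the thread or from the pfSense wizard.
# Per-client HFSC child queues replace the single qPenaltyDown/qPenaltyUp classes.
# Only two clients are shown; repeat the pattern for every address in Clientes.

# Download side: queues live on the LAN interface, where the packets leave.
altq on ath0 hfsc bandwidth 2000Kb queue { qlanRoot }
queue qlanRoot bandwidth 2000Kb priority 0 hfsc { qlandef, qlanacks, qClientsDown }
queue qlandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qlanacks bandwidth 25% priority 7 hfsc ( realtime 10% )
# Parent for all clients: the children borrow each other's idle share,
# but their total never exceeds the 320Kb upperlimit. (qClients* names assumed.)
queue qClientsDown bandwidth 320Kb hfsc ( upperlimit 320Kb ) { qDown230, qDown231 }
queue qDown230 bandwidth 50% hfsc ( linkshare 50% )
queue qDown231 bandwidth 50% hfsc ( linkshare 50% )

# Upload side: same idea on the WAN, with the 80Kb cap from the original file.
altq on vr0 hfsc bandwidth 256Kb queue { qwanRoot }
queue qwanRoot bandwidth 256Kb priority 0 hfsc { qwandef, qwanacks, qClientsUp }
queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc ( default realtime 1% )
queue qwanacks bandwidth 25% priority 7 hfsc ( realtime 10% )
queue qClientsUp bandwidth 80Kb hfsc ( upperlimit 80Kb ) { qUp230, qUp231 }
queue qUp230 bandwidth 50% hfsc ( linkshare 50% )
queue qUp231 bandwidth 50% hfsc ( linkshare 50% )

# Tagging: the wizard's chain, but one tag per client instead of one for the
# whole alias. A tag rides on the packet, so the client is still identifiable
# on the WAN side after outbound NAT has rewritten the source address.
block in all tag unshaped label "SHAPER: first match rule"
pass in on $lan from 192.168.2.230 to any keep state tagged unshaped tag cl230
pass in on $lan from 192.168.2.231 to any keep state tagged unshaped tag cl231
pass in on $wan from any to 192.168.2.230 keep state tagged unshaped tag cl230
pass in on $wan from any to 192.168.2.231 keep state tagged unshaped tag cl231

# Queue assignment on the outbound interface: the client's own leaf, plus the
# ACK queue for empty ACKs and lowdelay packets, as in the original rules.
pass out quick on { vr0 ng0 } all keep state tagged cl230 queue (qUp230, qwanacks)
pass out quick on { vr0 ng0 } all keep state tagged cl231 queue (qUp231, qwanacks)
pass out quick on ath0 all keep state tagged cl230 queue (qDown230, qlanacks)
pass out quick on ath0 all keep state tagged cl231 queue (qDown231, qlanacks)
```

Keep the parent's children summing to at most 100% of the parent (here 50% + 50%), or pfctl rejects the ruleset. To confirm the split is really happening, start a download on both clients and watch `pfctl -vvsq`: the bytes and packet counters should grow on both qDown230 and qDown231, and the parent qClientsDown should stay at or under 320Kb; if only one leaf moves, the corresponding tag rule is not being hit and the traffic is falling through to qlandef.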