    Another penalty box question

    Traffic Shaping
    5 Posts 3 Posters 4.4k Views
    • hiryu

      I set up traffic shaping via the multi LAN/WAN wizard using 1 LAN and 1 WAN interface, choosing priority queues (PRIQ), on pfSense 2.2.3. During the wizard, it asked me to select an IP/alias/etc. to use in the penalty box, which I did.

      During my testing, I found that traffic from the host in the penalty box wouldn't go through the "penalty queue". Even if I disabled all my other floating rules, it would still not go through the penalty queue. For my testing, I was using scp, and finally discovered that my penalized system would go through my high priority queue that I had set for ssh connections (provided that rule was enabled, of course). I then set this ssh rule to log to see what was going on. The firewall sees the source IP as the WAN IP, whereas the rule for the penalty box created by the wizard sets the source IP to be the IP of the machine on your LAN. Obviously, the WAN IP will never match the LAN IP.

      Am I correct to assume that the penalty box was created for hosts on the LAN? The penalty box simply cannot work with the default penalty box rule.

      If we change the default rule to use the LAN interface instead of WAN, it SEEMS to work.

      With ALTQ, you can control your outgoing bandwidth, but not incoming. If we change the rule to use the LAN interface instead, does this mean that data SENT from the penalized LAN host is put into the penalty box, but data RECEIVED by the penalty host is not penalized? Wouldn't this also mean that connections to the pfsense firewall itself would also be penalized?

      Do we need a corresponding rule to get this working for downloads? Because I haven't been able to get anything working on that side, and it may not even be possible.

      • Nullity

        I kinda got confused with your post (sorry, tired) but I learned pfSense by verifying functionality one step at a time.

        Verify firewall rules are grabbing the packets you want.
        Verify they are applied to proper queue.

        pftop via command-line was my tool of choice for verifying packets were going where I expected. (watch queues and note when the packet counts increase)

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramus.

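        The check Nullity describes (watch the queue counters and see which one moves), applied to the situation hiryu reports, as an added example that is not code from this thread or from pfSense. On the WAN interface pf applies outbound NAT before filtering, so a WAN-side rule written against the host's LAN-side source address cannot match the translated packet; the quickest way to see where the packets actually went is to compare queue counters before and after a known transfer. The script diffs two snapshots of `pfctl -vsq` output and reports the queues whose packet counters grew. The queue names (qACK, qOthersHigh, qOthersLow) are the ones the pfSense shaper wizard creates; the interface em0 and every counter value are constructed sample data, and the two "after" snapshots are assumptions standing in for the default rule and for the rule moved to LAN.

```shell
#!/bin/sh
# Added example (not code from the thread or from pfSense): verify that shaped
# traffic lands in the queue you expect by diffing two snapshots of
# `pfctl -vsq` ALTQ queue statistics. Queue names follow the pfSense shaper
# wizard; interface em0 and all counters are constructed sample data.

# Snapshot taken before the test transfer (constructed).
SNAP_BEFORE='queue root_em0 on em0 bandwidth 100Mb priority 0 {qACK, qOthersHigh, qOthersLow}
queue  qACK on em0 bandwidth 20Mb priority 6 qlimit 500
  [ pkts:        100  bytes:       6000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  qOthersHigh on em0 bandwidth 20Mb priority 4 qlimit 500
  [ pkts:        250  bytes:     300000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  qOthersLow on em0 bandwidth 2Mb priority 1 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]'

# After an scp from the penalised host with the wizard's default penalty rule
# (WAN interface, source = the host's LAN IP): the packets went to the ssh
# high-priority queue instead, as the original poster observed (constructed).
SNAP_AFTER_BROKEN='queue root_em0 on em0 bandwidth 100Mb priority 0 {qACK, qOthersHigh, qOthersLow}
queue  qACK on em0 bandwidth 20Mb priority 6 qlimit 500
  [ pkts:        115  bytes:       6900  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  qOthersHigh on em0 bandwidth 20Mb priority 4 qlimit 500
  [ pkts:        290  bytes:     360000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  qOthersLow on em0 bandwidth 2Mb priority 1 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]'

# Same transfer after moving the penalty rule to the LAN interface (constructed).
SNAP_AFTER_FIXED='queue root_em0 on em0 bandwidth 100Mb priority 0 {qACK, qOthersHigh, qOthersLow}
queue  qACK on em0 bandwidth 20Mb priority 6 qlimit 500
  [ pkts:        115  bytes:       6900  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  qOthersHigh on em0 bandwidth 20Mb priority 4 qlimit 500
  [ pkts:        250  bytes:     300000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  qOthersLow on em0 bandwidth 2Mb priority 1 qlimit 500
  [ pkts:         40  bytes:      60000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]'

# Print "name pkts" for every queue in a snapshot by pairing each
# "queue NAME ..." header with the "[ pkts: N ..." stats line under it.
queue_pkts() {
    printf '%s\n' "$1" | awk '
        $1 == "queue"              { name = $2 }
        $1 == "[" && $2 == "pkts:" { print name, $3 }'
}

# Print "name delta" for every queue whose packet counter grew from
# snapshot $1 to snapshot $2; queues that stayed flat are not listed.
queue_delta() {
    {
        queue_pkts "$1" | sed 's/^/B /'
        queue_pkts "$2" | sed 's/^/A /'
    } | awk '
        $1 == "B" { old[$2] = $3 }
        $1 == "A" { d = $3 - (($2 in old) ? old[$2] : 0); if (d > 0) print $2, d }'
}

# Exit 0 only if queue $1 gained packets between snapshots $2 and $3:
# the pass/fail check for "did my rule put the traffic where I meant".
queue_grew() {
    queue_delta "$2" "$3" | awk -v q="$1" '$1 == q { found = 1 } END { exit !found }'
}

echo "Default penalty rule (WAN, source = LAN IP), queues that grew:"
queue_delta "$SNAP_BEFORE" "$SNAP_AFTER_BROKEN"
queue_grew qOthersLow "$SNAP_BEFORE" "$SNAP_AFTER_BROKEN" || echo "FAIL: penalty queue never saw the scp"

echo "Penalty rule moved to LAN, queues that grew:"
queue_delta "$SNAP_BEFORE" "$SNAP_AFTER_FIXED"
queue_grew qOthersLow "$SNAP_BEFORE" "$SNAP_AFTER_FIXED" && echo "OK: penalty queue carried the scp"
```

        On a real box: run `pfctl -vsq` into a file, do one scp from the penalised host, run `pfctl -vsq` again, and feed the two files to queue_delta; `pfctl -vsq` lists queues per interface, so a snapshot from a two-interface wizard setup will show qOthersLow on both LAN and WAN, which also answers the download question empirically rather than by assumption: if the LAN-side qOthersLow counter moves during a download to the penalised host, that direction is being shaped too.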
        • hiryu

          Thank you for the response. However, I did test this one step at a time, and I've tried to accomplish the same or similar functionality in the past editing /etc/pf.conf in FreeBSD and OpenBSD manually.

          My point is that I don't think the penalty box is working for anyone at this point (or at least, not as expected).

          • Nullity

            The penalty box is simply a (default) firewall rule with a low priority, nothing more. Are none of your rules assigning traffic as expected?


            • doktornotor

              WFM…

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.