Another penalty box question

  • I set up traffic shaping via the multi LAN/WAN wizard using 1 LAN and 1 WAN interface and to use priority queues (PRIQ) using pfSense 2.2.3. During the wizard, it asked me to select an IP/alias/etc. to use in the penalty box, which I did.

    During my testing, I found that traffic from the host in the penalty box wouldn't go through the "penalty queue". Even if I disabled all my other floating rules, it would still not go through the penalty queue. For my testing, I was using scp, and finally discovered that my penalized system would go through my high priority queue that I had set for ssh connections (provided that rule was enabled, of course). I then set this ssh rule to log to see what was going on. The firewall sees the source IP as the WAN IP, whereas the rule for the penalty box created by the wizard sets the source IP to be the IP of the machine on your LAN. Obviously, the WAN IP will never match the LAN IP.

    Am I correct to assume that the penalty box was created for hosts on the LAN? The penalty box simply cannot work with the default penalty box rule.

    If we change the default rule to use the LAN interface instead of WAN, it SEEMS to work.

    With ALTQ, you can control your outgoing bandwidth, but not incoming. If we change the rule to use the LAN interface instead, does this mean that data SENT from the penalized LAN host is put into the penalty box, but data RECEIVED by the penalty host is not penalized? Wouldn't this also mean that connections to the pfsense firewall itself would also be penalized?

    Do we need a corresponding rule to get this working for downloads? Because I haven't been able to get anything working on that side, and it may not even be possible.
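As an added illustration (not from any poster in this thread, and not the ruleset the pfSense wizard generates), the pf.conf fragment below shows the two-interface layout the post is reasoning about: ALTQ only shapes what leaves an interface, so the penalty queue has to exist on WAN for uploads and on LAN for downloads, and the upload rule must match on LAN inbound, before outbound NAT rewrites the source to the WAN address. Interface names and the penalized address are constructed placeholders.

```pf
# Constructed names: adjust to the real interfaces and host.
wan_if    = "em0"
lan_if    = "em1"
penalized = "192.168.1.50"

# PRIQ on both interfaces. Queues are looked up by name on whichever
# interface the packet leaves, so the same set is declared on each side:
# WAN carries the host's uploads, LAN carries its downloads.
altq on $wan_if priq bandwidth 10Mb  queue { qHigh, qDefault, qPenalty }
altq on $lan_if priq bandwidth 100Mb queue { qHigh, qDefault, qPenalty }
queue qHigh    priority 7
queue qDefault priority 3 priq(default)
queue qPenalty priority 1

# Outbound NAT. On WAN "out" rules pf has already rewritten the source to
# the WAN address, which is why a WAN rule keyed on the LAN IP never matches.
nat on $wan_if from $lan_if:network to any -> ($wan_if)

# Uploads: match on LAN inbound, where the private source address is still
# visible. Must come before any "pass ... queue qHigh" rule for ssh/scp,
# otherwise the higher-priority rule claims the traffic first.
pass in quick on $lan_if from $penalized to any keep state queue qPenalty

# Downloads: packets toward the host leave the LAN interface. The state from
# the rule above already carries qPenalty for replies to connections the host
# opened; this rule covers connections the host did not initiate.
pass out quick on $lan_if from any to $penalized keep state queue qPenalty

# Traffic to the firewall itself is unaffected: it never egresses an ALTQ
# interface, so no queue is applied even though the "in" rule matches it.
```

Check placement with `pfctl -vsq` (or pftop's queue view) while the penalized host transfers in each direction: the qPenalty counters on WAN should move during uploads and those on LAN during downloads.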

  • I kinda got confused with your post (sorry, tired) but I learned pfSense by verifying functionality one step at a time.

    Verify firewall rules are grabbing the packets you want.
    Verify they are applied to proper queue.

    pftop via command-line was my tool of choice for verifying packets were going where I expected. (watch queues and note when the packet counts increase)

  • Thank you for the response. However, I did test this one step at a time, and I've tried to accomplish the same or similar functionality in the past editing /etc/pf.conf in FreeBSD and OpenBSD manually.

    My point is that I don't think the penalty box is working for anyone at this point (or at least, not as expected).

  • The penalty box is simply a (default) firewall rule with a low priority, nothing more. Are none of your rules assigning traffic as expected?
