Bug / Traffic Shaper Firewall Transparent possible.


  • This may or may not be a bug but I am getting this problem as follows.

    I know it was stated that this is not supported but with this configuration everything is working correctly.
    This isn't truly transparent as it is on a public IP, but could easily be through a DMZ supported router to a local address.

    Setup on a Tyan ITX Pentium Celeron 566mhz, 256Mb PC133 RAM, on board Ethernet, 2 EDIMAX NIC 10/100Mbs PCI cards.

    Basically have a WAN bridge setup for a Traffic Shaper / Transparent Firewall.

    3 interfaces, WAN, LAN, WAN Bridge.

    WAN - Public IP on a Class C Range
    LAN - Private Addresses for a Backdoor local DHCP
    WAN Bridge - Public IP on a Class C Range

    When going to Traffic Shaper Wizard and I enable WAN = OUT and WAN Bridge = In
    After clicking next and setting my rules, etc, etc and finish I generate:

    No source address found in rule 0
    No destination address found in rule 1
    No destination address found in rule 3
    No destination address found in rule 4
    No destination address found in rule 5
    No destination address found in rule 6
    No destination address found in rule 11
    No destination address found in rule 14
    No destination address found in rule 15
    No destination address found in rule 17
    Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/shaper.inc:487) in /usr/local/www/wizard.php(88) : eval()'d code on line 1

    Basically what I found was the Wizard does not specify the correct option for WAN Bridge, it defaults to LAN. So I manually changed the Rules to see fit of WAN Bridge.

    Second problem in this error is also in Source and Destination. It wants to enable Network = WAN Bridge /31 default. To correct this I changed it to WAN Bridge subnet.

    After correcting the rest of the Queues/Rules everything works great.

    This issue may have been already addressed as I am new to these boards and new to the Unix/FreeBSD environment, so hopefully this isn't repetitive as I know the frustration of answering the same thing twice.


  • I doubt this has been fixed, but what version are you running?

    –Bill


  • Beta 2, 1.0. Everything working great. I can submit screen shots of the queues working if you are interested.

    I tried out the priority on the Gaming, P2P, VOIP, Bit Torrents and Several other applications. Works very well.

    Can you clue me in as to why it may not work? I am a Linux/BSD amateur so I know my way around fairly well with the command line and how the config XML works.

    Just to give you a better idea of my setup as I was not complete.

    WAN Connection comes into an eight port switch. This is so I can keep things off the traffic shaper that don't need it. From the switch I have a cable into my Ethernet on my motherboard. fxp0

    Then I have 2 PCI cards. I like having 1 setup as a LAN so I can get in the machine locally if need be.
    The other PCI card, which is set up as OPT1 @ rl0, is set up as a bridge with the WAN port as if following the guide on how to set up a transparent firewall. Out of this Ethernet card goes into another switch of all devices that I want traffic shaped.

    Following the Firewall rules similar to m0n0wall, I changed it from the default WAN Bridge Network /31 it was wanting to default to, to WAN Bridge Subnet. I had to change about 10 rules from the shaper wizard.
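An added example (not from the thread or from pfSense itself) of what the corrected rules from the two posts above look like in raw pf.conf terms, using the poster's interface names fxp0 (WAN) and rl0 (OPT1/WAN Bridge); the queue names, bandwidth shares, ports and the 3Mb cap are assumptions chosen to match the setup described.

```conf
# Added example, not the poster's config: pf.conf equivalent of the corrected shaper rules.
# Interface names are from the thread; queues, shares and ports are assumed.
wan       = "fxp0"   # WAN, uplink side of the bridge
wanbridge = "rl0"    # OPT1, bridged with WAN, faces the switch of shaped devices

# Cap what leaves the bridge interface toward the clients at 3Mb
# (the "10Mb link limited to 3Mb" case later in the thread).
altq on $wanbridge cbq bandwidth 3Mb queue { qvoip, qgames, qdefault, qp2p }
queue qvoip    bandwidth 30% priority 7 cbq(borrow)
queue qgames   bandwidth 20% priority 6 cbq(borrow)
queue qdefault bandwidth 40% priority 3 cbq(default borrow)
queue qp2p     bandwidth 10% priority 1 cbq

# Wrong form (what the wizard produced): a /31 around the bridge address only
# covers the interface's own address pair, so client traffic never matches the
# rule and is never assigned to its queue.
#   pass in on $wan from any to $wanbridge/31 queue qdefault

# Correct form: the whole bridge subnet, i.e. "WAN Bridge subnet" in the GUI.
pass in on $wan from any to $wanbridge:network queue qdefault
pass in on $wan proto udp from any to $wanbridge:network port 5060 queue qvoip
pass in on $wan proto tcp from any to $wanbridge:network port 6881:6889 queue qp2p
```

The queue is assigned when the packet matches on the WAN side and enforced when it leaves rl0, which is where ALTQ is enabled; with net.link.bridge.pfil_member set, pf sees the packet on each bridge member.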


  • You have other machines besides the pfSense connected to your WAN? This means pfSense can't shape effectively because if a machine is messing with the bandwidth in front of the pfSense's WAN there is no way pfSense can throttle this down. You need to have everything running through the pfSense if you want to use shaping.


  • As I posted earlier that is why I have switches.

    || = ethernet cable.

    WAN connection
    |
    |
    8 port Switch – Things I don't want Traffic Shaped
    |
    |
    pfSense WAN Connection from 8 port Switch--------LAN Connection for DHCP Local
    OPT1 Bridged with WAN
    |
    |
    8 Port Switch -- Things I want Traffic Shaped.
    |                    |
    |                    |
    Wireless AP    Client Computers

    Everything works. Maybe that horrible network diagram will help.


  • Yeah, I understood that. What I wrote applies to your setup. You won't be able to shape things correctly with other "out of control" devices at your WAN using bandwidth.


  • And I understand that. That is why I wrote "things I don't want traffic shaped".

    BTW: installed the latest snapshot 4/3/06

    Going to run and see how it works. Going into a production environment today.


  • Congrats on the Snapshot 4/3/06 as it fixed the issue with the queues being added correctly.

    On a note…If any developer is interested I may allow them into the box if they are wanting to see how it works or I can post my configuration if anyone is interested in this setup.

    Basically it is going to take a 10Mb backhaul link and limit it to 3Mb for a building client.


  • Just wanted everyone to know everything is working great. This blows m0n0wall away. Clients are pissed off as they were getting a 10Mbs feed but they were only paying for 3Mb. NTOP Great addition really helps with figuring out where my client traffic is coming from and who to point the finger at.