Search results

Check what your tables really contain pfctl -t yourtable -T show I recommend you use the pftop tool to check in which rule the packets are falling. Consider pftop -v rules You can add log to the pass rules, so you can see packet within the rules: tcpdump -vvteni pflog0 I hope that helps you...

I want to just block a few classes that must be blocked. It seems like it's partly working , but not all packets are accessible. And moreover I cannot connect from outside. What is wrong? My FreeBSD is 7.3-Stable. My WAN interface is vlan300 and vlan352 is for a user. The rule for blocking is...

Oh right, boys and girls... I said girls... anyway ;-) I made a lot of test a nd here are the results, the most stable appeared to be hfsc queueing, the cbq with similar configuration seems to have worse speeds with the same bandwidth configuration. The wan and lan interface are both on the...

Not really, this messes up completely my whole network. Whoa, really, if that is working then I'm saved. Thank you I will check out that.

I just wanted to ask one thing. I understand I can't make a queue on vlan but if let's say all traffic is on vlan, no IPs on phy interface and I altq on em0. Will it still work ? em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500...

Yes, I could agree with you, basically, beacause using nat quick on you may speed up processing of at least allowed hosts, but okay filtering by nat looks a little awkward. I found once a picture with packet dealing BSD with pf, but cannot find it again. Either way the case seems to be solved...

ifconfig_fxp0_name="wan0" ifconfig_fxp1_name="lan0" wan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=9<RXCSUM,VLAN_MTU> ether 00:30:05:03:90:b1 inet 10.8.46.252 netmask 0xffffff00 broadcast 10.8.46.255 inet6 fe80::230:5ff:fe03:90b1%wan0 prefixlen 64 scopeid...

Damn, I still have troubles in getting that to work. It doesn't seems to work at work, even with plain configuration, no vlans, wan & lan interface. To be perfectly clear, I want to hard-limit the connection for set speed. ext_if="wan0" int_if="lan0" nat_addr="10.9.222.1" table <int_net> {...

Ok, thanks again, so if I have one interface and vlans on it. I can just separate them by proper pass in and pass out rules, right? Like: altq on em0 hfsc bandwidth 100Mb queue { luserD,LuserU } queue luserU bandwidth 50% hfsc(upperlimit 10Mb default) queue luserD bandwidth 50% hfsc(upperlimit...

Lovely, this is the answer I wanted to hear. I was wondering if the nat is in some way distinguish for firewall like pass quick, that stops the rule checking process at that point.

Please answer me, can one do altq per vlan? I found misleading information about that.

Sure, these 700 users are in 8 seperated vlans :D So in situation these, having vlan350, subnet 10.1.1.0/24 and vlan351, subnet 10.1.2.0/24 there's solution: table <localnet> {10.1.1.0/24 10.1.2.0/24} nat on vlan350 from 10.1.1.0/24 to !<localnet> -> 10.1.1.254 nat on vlan351 from 10.1.2.0/24...

Yeah, you are right. I got separated in vlans like 10.1.1.0/24 is vlan350, 10.1.2.0/24 is vlan351. So basically I could make nat on each gateway like: nat on vlan350 from 10.1.1.0/24 to !10.1.1.0/24 -> 10.1.1.254 nat on vlan351 from 10.1.2.0/24 to !10.1.2.0/24 -> 10.1.2.254 But what about...

What happens if : table <goodguys> {10.7.0.1, 10.7.0.2} nat on $ext_if from 10.7.0.1/24 to !10.7.0.1/24 -> $nat_ip pass out from <goodguys> to any keep state block log all My question is, because NAT must be before filtering. If someone in network will set his ip address as 10.7.0.10, will...

Yeah, you are right. So if I'd like to shape upload I need to do ALTQ on WAN interface, but download on LAN interface. That might be not bad idea but I must have two machines then.

Hello everyone, I'm working on new traffic shaper, firewall generator based on pf queues. The situation in simplest case looks like that for single router/firewall: - one WAN interface (either VLAN or PHY) - one LAN interface, but mostly with multiple VLANs - users have upperlimit for upload...

I'm hardening my internal network router. Got under it 'bout 700 users. Because I've recently noticed that user with proper IP will work accordingly if sets the ip statically in place of legitimate user I need to do sth to cut this down. Pernament ARP protects only from spoofing, but still the...