IPFW + NAT + Dummynet review and suggestion

Hello. I need some review and suggestions for these rules.
Code:
#!/bin/sh
cmd="/sbin/ipfw -q"

# external interface
wan_if="ng0"

# internal interface
lan_if="bridge1"
vlan_wifi="vlan31"

# flush rules
$cmd flush
$cmd pipe flush

###upload
$cmd pipe 1 config bw 2Mbit/s
#$cmd queue 1 config pipe 1 weight 1 queue 100 mask src-ip 0xffffffff gred 0.002/17/51/0.1
$cmd queue 4 config pipe 1 weight 30 queue 100 mask src-ip 0xffffffff gred 0.002/17/51/0.1

###download
$cmd pipe 2 config bw 4Mbit/s
#$cmd queue 2 config pipe 2 weight 1  queue 100 mask dst-ip 0xffffffff gred 0.002/17/51/0.1
$cmd queue 3 config pipe 2 weight 30 queue 100 mask dst-ip 0xffffffff gred 0.002/17/51/0.1

$cmd add 8 deny ip from any to any not antispoof in
$cmd add 9 deny all from any to any frag
# allow on localhost
$cmd add 10 allow ip from any to any via lo0
$cmd add 11 allow ip from any to any via bridge0
$cmd add 12 allow ip from any to any via re0
$cmd add 13 allow ip from any to any via re1

# deny on 127.0.0.0/8
$cmd add 20 deny ip from any to 127.0.0.0/8
$cmd add 21 deny ip from 127.0.0.0/8 to any

### NAT
$cmd nat 1 config if $wan_if unreg_only same_ports \
   redirect_port udp 10.10.1.20:162 162 \
   redirect_port udp 10.10.1.20:161 161
$cmd add 50 nat 1 all from any to any in recv $wan_if
$cmd add 51 nat 1 all from any to any out xmit $wan_if

## FreeBSD may go wherever it wants
#$cmd add 20 allow ip from any to me
#$cmd add 30 allow ip from me to any

####download
$cmd add 101 queue 3 ip from any to 10.31.1.0/24 in recv $wan_if
####upload
$cmd add 103 queue 4 ip from 10.31.1.0/24 to any via $vlan_wifi


### restrictions for WiFi toward the LAN and management
$cmd add 150 deny all from 10.31.1.0/24 to 192.168.1.0/24
$cmd add 151 deny all from 10.31.1.0/24 to 10.10.1.0/24

####stateful
$cmd add 200 check-state
$cmd add 201 allow tcp from any to any established

#### permissions for FreeBSD
$cmd add 300 allow tcp from me to any out xmit $wan_if setup keep-state
$cmd add 301 allow udp from me to any out xmit $wan_if keep-state
$cmd add 302 allow icmp from any to any icmptypes 0,3,8,11 keep-state
$cmd add 400 allow tcp from any to me 22 in via $wan_if setup keep-state

### other rules for the LAN
$cmd add 1200 allow tcp from 192.168.1.0/24 to any setup keep-state
$cmd add 1201 allow udp from 192.168.1.0/24 to any keep-state
$cmd add 1202 allow ip from any to 192.168.1.0/24

### for WiFi
$cmd add 1404 allow tcp from 10.31.1.0/24 to any setup keep-state
$cmd add 1405 allow udp from 10.31.1.0/24 to any keep-state
$cmd add 1406 allow ip from any to 10.31.1.0/24

### for WiFi management
$cmd add 1500 allow tcp from 10.10.1.0/24 to any setup keep-state
$cmd add 1501 allow udp from 10.10.1.0/24 to any keep-state
$cmd add 1502 allow ip from any to 10.10.1.0/24

I have 3 subnets:
192.168.1.0/24 - local network (bridge1 / re2 - wlan0)
10.10.1.0/24 - vlan10 for management wifi devices (vlan10 wlandev re2)
10.31.1.0/24 - vlan31 for WiFi clients (vlan31 wlandev re2 / with restrictions to communicate with local LAN and management)

bridge0, re0 and re1 are devices for IPTV and VoIP, so there is no need for any rules, just pass.
So I need a review and some suggestions for these rules, and I have one question about QoS: with this setup, will any IP from the 10.31.1.0/24 range have Down/Up of (4Mbit/s / 2Mbit/s)?

Thanks
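The QoS question at the end of the post, worked through in an added Python model that is not part of the post and not ipfw/dummynet code: a queue with `mask src-ip 0xffffffff` (or `mask dst-ip`) creates one dummynet flow per host, and the parent pipe's bandwidth is shared among the flows that are active at the same time, in proportion to their weights. It assumes an idealized WF2Q+ fluid split; queue 5 is a hypothetical per-/24 variant added for contrast, and the sample traffic is constructed.

```python
import ipaddress
from fractions import Fraction

# Constructed model of the post's dummynet setup (not ipfw's own code).
# Pipe bandwidths in bit/s, queue parameters as configured in the post.
PIPE_BW = {1: 2_000_000, 2: 4_000_000}          # upload / download pipes
QUEUES = {
    4: {"pipe": 1, "weight": 30, "field": "src", "mask": 0xFFFFFFFF},  # upload, mask src-ip
    3: {"pipe": 2, "weight": 30, "field": "dst", "mask": 0xFFFFFFFF},  # download, mask dst-ip
    # hypothetical variant, not in the post: one flow per /24 instead of per host
    5: {"pipe": 2, "weight": 30, "field": "dst", "mask": 0xFFFFFF00},
}

def flow_key(queue_no, src_ip, dst_ip):
    """Identify the dummynet flow a packet belongs to: the selected address
    ANDed with the queue mask. 0xffffffff keeps the full host address, so
    every host gets its own flow; 0xffffff00 collapses a /24 into one flow."""
    q = QUEUES[queue_no]
    addr = src_ip if q["field"] == "src" else dst_ip
    masked = int(ipaddress.IPv4Address(addr)) & q["mask"]
    return str(ipaddress.IPv4Address(masked))

def fair_share(queue_no, packets):
    """Bandwidth (bit/s) per backlogged flow under an idealized WF2Q+ fluid
    model: the parent pipe is split among active flows in proportion to
    their weights. Every flow of a queue carries the queue's weight, so
    equal weights mean an equal split. `packets` is a list of
    (src_ip, dst_ip) pairs seen on the queue at the same time."""
    q = QUEUES[queue_no]
    flows = sorted({flow_key(queue_no, s, d) for s, d in packets})
    if not flows:
        return {}
    total_weight = q["weight"] * len(flows)
    return {f: Fraction(PIPE_BW[q["pipe"]] * q["weight"], total_weight) for f in flows}

if __name__ == "__main__":
    # Constructed sample: three WiFi clients downloading at the same time
    sample = [("203.0.113.10", "10.31.1.11"), ("203.0.113.10", "10.31.1.12"),
              ("198.51.100.5", "10.31.1.13"), ("198.51.100.5", "10.31.1.11")]
    for host, share in fair_share(3, sample).items():       # each host: 4/3 Mbit/s
        print(f"{host}: {float(share) / 1e6:.3f} Mbit/s")
    for net, share in fair_share(5, sample).items():        # one flow: the whole 4 Mbit/s
        print(f"{net}/24 as one flow: {float(share) / 1e6:.3f} Mbit/s")
```

So each 10.31.1.0/24 host gets its own flow and an equal share of the 4 Mbit/s download and 2 Mbit/s upload pipes while others are active, not a guaranteed 4/2 Mbit/s per host; only a lone active host sees the full pipe.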