Hello everyone,
I've got an issue with my server running on FreeBSD, I had a thread in the past regarding setting it all up and I managed but now I'm stuck a little bit.
Basically when I restart machine with reboot command it doesn't load firewall config due to tun0 (PPPoE) doesn't exist during firewall load time. I've looked everywhere and I am hoping somebody can help me with it.
A bit details from uname -a
A bit details from /etc/rc.conf
A bit details from my PPPoE config from /etc/ppp/ppp.conf
Also created file /etc/ppp/ppp.linkup as suggested on one thread
Finally my /etc/pf.conf
When I load manually firewall I can do whatever online for 1 day sometimes 1 hour sometimes 1 week and then I get cut off. When I login to my server via putty I tried ping an random external IP address I only get a message:
I have to reboot machine and load manually firewall again. It is a bit annoying but I really wanted stick to BSD system and learn it. I am a bit new so any ideas will help as long as it is explained to me like to a child.
With the firewall the idea of traffic shaping was to get everything working smooth by giving every computer speed limit. Like for example 4 computers downloading some stuff I cannot play black ops 3 or anything coz my ping is high. Also installed port called miniupnpd so I get NAT open for my games. If I have to reconfigure my firewall give me advice how. I was reading some online FAQs and decided to modify a bit my old one which worked fine.
For the devices I use:
Draytek Vigor 130 (for PPPoE connection) connected to Dell PowerEdge 1950 on bce1 interface and 3COM 1Gbit 24 ports Switch connected on bce0 interface with CISCO WAP4410N Access point connected to 3COM Switch.
I've got an issue with my server running on FreeBSD, I had a thread in the past regarding setting it all up and I managed but now I'm stuck a little bit.
Basically when I restart machine with reboot command it doesn't load firewall config due to tun0 (PPPoE) doesn't exist during firewall load time. I've looked everywhere and I am hoping somebody can help me with it.
A bit details from uname -a
Code:
FreeBSD mclose 10.3-RC2 FreeBSD 10.3-RC2 #0: Mon May 23 22:45:23 BST 2016 airost@mclose:/usr/obj/usr/src/sys/MCLOSE amd64
A bit details from /etc/rc.conf
Code:
#Sysinstall config
hostname="mclose"
keymap="pl_PL.ISO8859-2.kbd"
local_unbound_enable="YES"
sshd_enable="YES"
#moused_enable="YES"
ntpd_enable="YES"
#powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
##############
#Network interfaces
ifconfig_bce1="DHCP"
ifconfig_bce0="inet 172.16.0.1 netmask 255.255.0.0"
##############
#PPPoE connection
ppp_enable="YES"
ppp_mode="ddial"
#ppp_program="/usr/sbin/ppp"
ppp_nat="NO"
#ppp_user="root"
ppp_profile="ee"
#ppp_ee_mode="ddial"
#ppp_ee_nat="NO"
##############
#Internet forwarding
gateway_enable="YES"
#defaultrouter=""
##############
#DHCPd
dhcpd_enable="YES"
#dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="bce0"
#dhcp_withumask="022"
##############
#NO-IP domain
noip_enable="YES"
##############
#Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
##############
#Network File System Client
nfs_client_enable="YES"
nfs_client_flags="-n 4"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
##############
#Plexmediaserver
plexmediaserver_enable="YES"
##############
#Port forwarding with miniupnpd
miniupnpd_enable="YES"
##############
A bit details from my PPPoE config from /etc/ppp/ppp.conf
Code:
ee:
# Replace bce1 with the interface connected to the VDSL2 modem
set device PPPoE:bce1
set speed sync
set mru 1492
set mtu 1492
set ctsrts off
enable echo
set echoperiod 15
enable lqr
set lqrperiod 15
set log Phase tun
enable ipcp
disable dns
# Replace vr2 with the interface connected to the VDSL2 modem
set server /tmp/pppoe-bce1 "" 0177
set authname PRODUCTIONHQNUN55311962@fs
set authkey HQNPASS55311962
# HISADDR is shorthand for the remote end of the link,
# pppd will set this as the default route
add! default HISADDR
Also created file /etc/ppp/ppp.linkup as suggested on one thread
Code:
ee:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.conf
Finally my /etc/pf.conf
Code:
#
# KONFIGURACJA FIREWALLA
#
#########################################################
# Potrzebne makra i tabele
lo_if="lo0" # loopback
wan_if="tun0" # EE
lan_if="bce0" # LAN
lan_net="172.16.0.1/24" # Siec LAN
my_ip="172.16.0.1" # IP LAN
server="192.168.1.1" # Serwer WAN
ludzie="{ 172.16.0.1,
172.16.0.2,
172.16.0.3,
172.16.0.4,
172.16.0.5,
172.16.0.6,
172.16.0.7,
172.16.0.8,
172.16.0.9,
172.16.0.10,
172.16.0.11,
172.16.0.12,
172.16.0.13,
172.16.0.14,
172.16.0.15,
172.16.0.16,
172.16.0.17,
172.16.0.18,
172.16.0.19,
172.16.0.20,
172.16.0.21,
172.16.0.22,
172.16.0.23,
172.16.0.24,
172.16.0.25 }"
set loginterface tun0
set fingerprints "/etc/pf.os"
# Normalizacja pakietow:
scrub in all
scrub on $wan_if no-df
#
# AltQ - upload:
#
#########################
altq on $wan_if cbq bandwidth 64Mb queue { std_out \
accesspoint_out \
airost_out \
airost8560w_out \
airostmob_out \
iphone4s_out \
magda_out \
mclosedata_out \
staffline1_out \
amazon_out}
queue std_out bandwidth 12Mb cbq(default red)
queue accesspoint_out bandwidth 12Mb cbq(red)
queue airost_out bandwidth 12Mb cbq(red)
queue airost8560w_out bandwidth 2Mb cbq(red)
queue airostmob_out bandwidth 2Mb cbq(red)
queue iphone4s_out bandwidth 2Mb cbq(red)
queue magda_out bandwidth 1Mb cbq(red)
queue mclosedata_out bandwidth 10Mb cbq(red)
queue staffline1_out bandwidth 1Mb cbq(red)
queue amazon_out bandwidth 2Mb cbq(red)
#
# AltQ - download:
#
#########################
altq on $lan_if cbq bandwidth 76Mb queue { std_in \
accesspoint_in \
airost_in \
airost8560w_in \
airostmob_in \
iphone4s_in \
magda_in \
mclosedata_in \
staffline1_in \
amazon_in}
queue std_in bandwidth 12Mb cbq(default red)
queue accesspoint_in bandwidth 12Mb cbq(red)
queue airost_in bandwidth 12Mb cbq(red)
queue airost8560w_in bandwidth 5Mb cbq(red)
queue airostmob_in bandwidth 5Mb cbq(red)
queue iphone4s_in bandwidth 5Mb cbq(red)
queue magda_in bandwidth 10Mb cbq(red)
queue mclosedata_in bandwidth 1Mb cbq(red)
queue staffline1_in bandwidth 1Mb cbq(red)
queue amazon_in bandwidth 2Mb cbq(red)
#
# NAT -> LAN
#
#########################
# NAT dla sieci LAN i Serwera:
#nat on $wan_if from $ludzie to any -> ($wan_if)
nat on $wan_if from $lan_if:network to any -> $wan_if static-port
#
# Redirecty LAN -> WAN:
#
#########################
rdr-anchor miniupnpd
#rdr on $wan_if proto {tcp, udp} from any to any port 6112 -> 192.168.10.2 port 6112
#rdr on $wan_if proto tcp from 88.55.79.190 to 192.168.10.1 port 8000 -> 80.55.79.190 port 8000
#rdr on $lan_if proto tcp from 192.168.10.1 to 192.168.10.254 port 8000 -> 80.55.79.190 port 8000
# Redirect portow dla eMule
#rdr on $wan_if proto tcp from any to any port 24859 -> 172.16.0.2 port 24859
#rdr on $wan_if proto udp from any to any port 43212 -> 172.16.0.2 port 43212
# Redirect portow dla DC++
#rdr on $wan_if proto tcp from any to any port 24860 -> 172.16.0.2 port 24860
#rdr on $wan_if proto udp from any to any port 43213 -> 172.16.0.2 port 43213
#rdr on $wan_if proto tcp from any to any port 24860 -> 172.16.0.4 port 24860
#rdr on $wan_if proto udp from any to any port 43213 -> 172.16.0.4 port 43213
# Redirect portow dla FTP:
#rdr on $lan_if proto tcp from any to any port 21 -> 192.168.1.254 port 8021
# Redirect portow dla Warcraft III
#rdr on $lan_if proto {tcp, udp} from 172.16.0.1 to 192.168.0.1 port 6112 -> 80.54.27.29 port 61120
rdr on $wan_if proto {tcp, udp} from any to any port 6112 -> 172.16.0.3 port 6112
# Redirect portow dla Bitcomet
rdr on $wan_if proto {tcp, udp} from any to any port 21364 -> 172.16.0.3 port 21364
# Redirect portow dla Black Ops 3
rdr on $wan_if proto {tcp, udp} from any to any port 3074 -> 172.16.0.3 port 3074
# Redirect portow dla Battlefield Hardline
rdr on $wan_if proto udp from any to any port 3659 -> 172.16.0.3 port 3659
#
# Firewall:
#
#########################
pass out all
pass in all
#
# AltQ - Klienci:
#
#########################
pass in on $lan_if inet proto tcp from any to $wan_if port 1723 flags S/SAFR queue (q_normal, q_ack)
pass in on $lan_if inet proto gre from any to $wan_if queue (q_normal, q_ack)
# Tagowanie pakietow w sieci LAN:
pass in on $lan_if from 172.16.0.1 to any tag server keep state
pass in on $lan_if from 172.16.0.2 to any tag accesspoint keep state
pass in on $lan_if from 172.16.0.3 to any tag airost keep state
pass in on $lan_if from 172.16.0.12 to any tag airost8560w keep state
pass in on $lan_if from 172.16.0.5 to any tag airostmob keep state
pass in on $lan_if from 172.16.0.7 to any tag iphone4s keep state
pass in on $lan_if from 172.16.0.6 to any tag magda keep state
pass in on $lan_if from 172.16.0.17 to any tag mclosedata keep state
pass in on $lan_if from 172.16.0.9 to any tag staffline1 keep state
pass in on $lan_if from 172.16.0.4 to any tag amazon keep state
# Altq - UPLOAD:
pass out on $wan_if all tagged server keep state queue server_out
pass out on $wan_if all tagged accesspoint keep state queue accesspoint_out
pass out on $wan_if all tagged airost keep state queue airost_out
pass out on $wan_if all tagged airost8560w keep state queue airost8560w_out
pass out on $wan_if all tagged airostmob keep state queue airostmob_out
pass out on $wan_if all tagged iphone4s keep state queue iphone4s_out
pass out on $wan_if all tagged magda keep state queue magda_out
pass out on $wan_if all tagged mclosedata keep state queue mclosedata_out
pass out on $wan_if all tagged staffline1 keep state queue staffline1_out
pass out on $wan_if all tagged amazon keep state queue amazon_out
# AltQ - DOWNLOAD:
pass in on $lan_if all tagged server keep state queue server_in
pass in on $lan_if all tagged accesspoint keep state queue accesspoint_in
pass in on $lan_if all tagged airost keep state queue airost_in
pass in on $lan_if all tagged airost8560w keep state queue airost8560w_in
pass in on $lan_if all tagged airostmob keep state queue airostmob_in
pass in on $lan_if all tagged iphone4s keep state queue iphone4s_in
pass in on $lan_if all tagged magda keep state queue magda_in
pass in on $lan_if all tagged mclosedata keep state queue mclosedata_in
pass in on $lan_if all tagged staffline1 keep state queue staffline1_in
pass in on $lan_if all tagged amazon keep state queue amazon_in
#
# Blokada portow
#
########################
block in log quick on wan_if proto tcp from any to any port = 135
block in log quick on wan_if proto tcp from any to any port = 136
block in log quick on wan_if proto tcp from any to any port = 137
block in log quick on wan_if proto tcp from any to any port = 138
block in log quick on wan_if proto tcp from any to any port = 139
block in log quick on wan_if proto tcp from any to any port = 445
block in log quick on wan_if proto tcp from any to any port = 593
block in log quick on wan_if proto tcp from any to any port = 1024
block in log quick on wan_if proto tcp from any to any port = 1025
block in log quick on wan_if proto tcp from any to any port = 1026
block in log quick on wan_if proto tcp from any to any port = 1027
block in log quick on wan_if proto tcp from any to any port = 1028
block in log quick on wan_if proto tcp from any to any port = 1029
block in log quick on wan_if proto tcp from any to any port = 1030
block in log quick on lan_if proto tcp from any to any port = 135
block in log quick on lan_if proto tcp from any to any port = 136
block in log quick on lan_if proto tcp from any to any port = 137
block in log quick on lan_if proto tcp from any to any port = 138
block in log quick on lan_if proto tcp from any to any port = 139
block in log quick on lan_if proto tcp from any to any port = 445
block in log quick on lan_if proto tcp from any to any port = 593
block in log quick on lan_if proto tcp from any to any port = 1024
block in log quick on lan_if proto tcp from any to any port = 1025
block in log quick on lan_if proto tcp from any to any port = 1026
block in log quick on lan_if proto tcp from any to any port = 1027
block in log quick on lan_if proto tcp from any to any port = 1028
block in log quick on lan_if proto tcp from any to any port = 1029
block in log quick on lan_if proto tcp from any to any port = 1030
When I load manually firewall I can do whatever online for 1 day sometimes 1 hour sometimes 1 week and then I get cut off. When I login to my server via putty I tried ping an random external IP address I only get a message:
No buffer space available
I have to reboot machine and load manually firewall again. It is a bit annoying but I really wanted stick to BSD system and learn it. I am a bit new so any ideas will help as long as it is explained to me like to a child.
With the firewall the idea of traffic shaping was to get everything working smooth by giving every computer speed limit. Like for example 4 computers downloading some stuff I cannot play black ops 3 or anything coz my ping is high. Also installed port called miniupnpd so I get NAT open for my games. If I have to reconfigure my firewall give me advice how. I was reading some online FAQs and decided to modify a bit my old one which worked fine.
For the devices I use:
Draytek Vigor 130 (for PPPoE connection) connected to Dell PowerEdge 1950 on bce1 interface and 3COM 1Gbit 24 ports Switch connected on bce0 interface with CISCO WAP4410N Access point connected to 3COM Switch.