PF, PPPoE and pfctl not loading at boot time, and "No buffer space available" issue

Hello everyone,

I've got an issue with my server running FreeBSD. I had a thread in the past about setting it all up and I managed, but now I'm stuck a little bit.
Basically, when I restart the machine with the reboot command it doesn't load the firewall config, because tun0 (PPPoE) doesn't exist at firewall load time. I've looked everywhere and I am hoping somebody can help me with it.

Some details from uname -a:

Code:
FreeBSD mclose 10.3-RC2 FreeBSD 10.3-RC2 #0: Mon May 23 22:45:23 BST 2016     airost@mclose:/usr/obj/usr/src/sys/MCLOSE  amd64

Some details from /etc/rc.conf:

Code:
#Sysinstall config
hostname="mclose"
keymap="pl_PL.ISO8859-2.kbd"
local_unbound_enable="YES"
sshd_enable="YES"
#moused_enable="YES"
ntpd_enable="YES"
#powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
##############
#Network interfaces
ifconfig_bce1="DHCP"
ifconfig_bce0="inet 172.16.0.1 netmask 255.255.0.0"
##############
#PPPoE connection
ppp_enable="YES"
ppp_mode="ddial"
#ppp_program="/usr/sbin/ppp"
ppp_nat="NO"
#ppp_user="root"
ppp_profile="ee"
#ppp_ee_mode="ddial"
#ppp_ee_nat="NO"
##############
#Internet forwarding
gateway_enable="YES"
#defaultrouter=""
##############
#DHCPd
dhcpd_enable="YES"
#dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="bce0"
#dhcp_withumask="022"
##############
#NO-IP domain
noip_enable="YES"
##############
#Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
##############
#Network File System Client
nfs_client_enable="YES"
nfs_client_flags="-n 4"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
##############
#Plexmediaserver
plexmediaserver_enable="YES"
##############
#Port forwarding with miniupnpd
miniupnpd_enable="YES"
##############

Some details of my PPPoE config from /etc/ppp/ppp.conf:

Code:
ee:
 # Replace bce1 with the interface connected to the VDSL2 modem
 set device PPPoE:bce1
 set speed sync
 set mru 1492
 set mtu 1492
 set ctsrts off
 enable echo
 set echoperiod 15
 enable lqr
 set lqrperiod 15
 set log Phase tun
 enable ipcp
 disable dns
 # Control socket for pppctl(8): no password, socket mode 0177
 set server /tmp/pppoe-bce1 "" 0177
 set authname PRODUCTIONHQNUN55311962@fs
 set authkey HQNPASS55311962
 # HISADDR is shorthand for the remote end of the link;
 # ppp installs it as the default route
 add! default HISADDR

I also created /etc/ppp/ppp.linkup, as suggested in another thread:

Code:
# Labels must start in column 1; commands are indented.
ee:
 # Reload the ruleset once tun0 has its address. "pfctl -d" followed by
 # "pfctl -e" leaves the box unfiltered for a moment, and "pfctl -e" exits
 # with "pf already enabled" if PF is already running, so a plain reload is used.
 shell /sbin/pfctl -f /etc/pf.conf

Finally, my /etc/pf.conf:

Code:
#
#  FIREWALL CONFIGURATION
#
#########################################################


# Required macros and tables
lo_if="lo0"                             # loopback
wan_if="tun0"                           # EE
lan_if="bce0"                           # LAN

lan_net="172.16.0.0/16"                 # LAN network (netmask 255.255.0.0 in rc.conf)
my_ip="172.16.0.1"                      # LAN IP
server="192.168.1.1"                    # WAN server

ludzie="{       172.16.0.1,
                172.16.0.2,
                172.16.0.3,
                172.16.0.4,
                172.16.0.5,
                172.16.0.6,
                172.16.0.7,
                172.16.0.8,
                172.16.0.9,
                172.16.0.10,
                172.16.0.11,
                172.16.0.12,
                172.16.0.13,
                172.16.0.14,
                172.16.0.15,
                172.16.0.16,
                172.16.0.17,
                172.16.0.18,
                172.16.0.19,
                172.16.0.20,
                172.16.0.21,
                172.16.0.22,
                172.16.0.23,
                172.16.0.24,
                172.16.0.25  }"


set loginterface $wan_if
set fingerprints "/etc/pf.os"


# Packet normalization:
scrub in all
scrub on $wan_if no-df

#
# AltQ - upload:
#
#########################

altq on $wan_if cbq bandwidth 64Mb queue {      std_out         \
                                                accesspoint_out \
                                                airost_out      \
                                                airost8560w_out \
                                                airostmob_out   \
                                                iphone4s_out    \
                                                magda_out       \
                                                mclosedata_out  \
                                                staffline1_out  \
                                                amazon_out}
queue std_out           bandwidth 12Mb cbq(default red)
queue accesspoint_out   bandwidth 12Mb cbq(red)
queue airost_out        bandwidth 12Mb cbq(red)
queue airost8560w_out   bandwidth 2Mb cbq(red)
queue airostmob_out     bandwidth 2Mb cbq(red)
queue iphone4s_out      bandwidth 2Mb cbq(red)
queue magda_out         bandwidth 1Mb cbq(red)
queue mclosedata_out    bandwidth 10Mb cbq(red)
queue staffline1_out    bandwidth 1Mb cbq(red)
queue amazon_out        bandwidth 2Mb cbq(red)

#
# AltQ - download:
#
#########################

altq on $lan_if cbq bandwidth 76Mb queue {      std_in          \
                                                accesspoint_in  \
                                                airost_in       \
                                                airost8560w_in  \
                                                airostmob_in    \
                                                iphone4s_in     \
                                                magda_in        \
                                                mclosedata_in   \
                                                staffline1_in   \
                                                amazon_in}
queue std_in            bandwidth 12Mb cbq(default red)
queue accesspoint_in    bandwidth 12Mb cbq(red)
queue airost_in         bandwidth 12Mb cbq(red)
queue airost8560w_in    bandwidth 5Mb cbq(red)
queue airostmob_in      bandwidth 5Mb cbq(red)
queue iphone4s_in       bandwidth 5Mb cbq(red)
queue magda_in          bandwidth 10Mb cbq(red)
queue mclosedata_in     bandwidth 1Mb cbq(red)
queue staffline1_in     bandwidth 1Mb cbq(red)
queue amazon_in         bandwidth 2Mb cbq(red)

#
# NAT -> LAN
#
#########################

# NAT for the LAN and the server:
#nat on $wan_if from $ludzie to any -> ($wan_if)
nat on $wan_if from $lan_if:network to any -> $wan_if static-port


#
# Port redirects (WAN -> LAN):
#
#########################
rdr-anchor miniupnpd
#rdr on $wan_if proto {tcp, udp} from any to any port 6112 -> 192.168.10.2 port 6112
#rdr on $wan_if proto tcp from 88.55.79.190 to 192.168.10.1 port 8000 -> 80.55.79.190 port 8000
#rdr on $lan_if proto tcp from 192.168.10.1 to 192.168.10.254 port 8000 -> 80.55.79.190 port 8000
# Port redirects for eMule
#rdr on $wan_if proto tcp from any to any port 24859 -> 172.16.0.2 port 24859
#rdr on $wan_if proto udp from any to any port 43212 -> 172.16.0.2 port 43212
# Port redirects for DC++
#rdr on $wan_if proto tcp from any to any port 24860 -> 172.16.0.2 port 24860
#rdr on $wan_if proto udp from any to any port 43213 -> 172.16.0.2 port 43213
#rdr on $wan_if proto tcp from any to any port 24860 -> 172.16.0.4 port 24860
#rdr on $wan_if proto udp from any to any port 43213 -> 172.16.0.4 port 43213
# Port redirects for FTP:
#rdr on $lan_if proto tcp from any to any port 21 -> 192.168.1.254 port 8021
# Port redirects for Warcraft III
#rdr on $lan_if proto {tcp, udp} from 172.16.0.1 to 192.168.0.1 port 6112 -> 80.54.27.29 port 61120
rdr on $wan_if proto {tcp, udp} from any to any port 6112 -> 172.16.0.3 port 6112
# Port redirects for Bitcomet
rdr on $wan_if proto {tcp, udp} from any to any port 21364 -> 172.16.0.3 port 21364
# Port redirects for Black Ops 3
rdr on $wan_if proto {tcp, udp} from any to any port 3074 -> 172.16.0.3 port 3074
# Port redirects for Battlefield Hardline
rdr on $wan_if proto udp from any to any port 3659 -> 172.16.0.3 port 3659

#
# Firewall:
#
#########################
# Default-allow policy: everything is passed in both directions on every
# interface, including tun0; only the "quick" block rules at the end override this.
pass out all
pass in all


#
# AltQ - clients:
#
#########################
# PPTP passthrough rules carried over from the old ruleset. The queues q_normal
# and q_ack are not defined above, and pfctl refuses to load a ruleset that
# references an undefined queue, so they are disabled here.
#pass in on $lan_if inet proto tcp from any to $wan_if port 1723 flags S/SAFR queue (q_normal, q_ack)
#pass in on $lan_if inet proto gre from any to $wan_if queue (q_normal, q_ack)

# Tagging packets on the LAN:
pass in on $lan_if from 172.16.0.1 to any tag server            keep state
pass in on $lan_if from 172.16.0.2 to any tag accesspoint       keep state
pass in on $lan_if from 172.16.0.3 to any tag airost            keep state
pass in on $lan_if from 172.16.0.12 to any tag airost8560w      keep state
pass in on $lan_if from 172.16.0.5 to any tag airostmob         keep state
pass in on $lan_if from 172.16.0.7 to any tag iphone4s          keep state
pass in on $lan_if from 172.16.0.6 to any tag magda             keep state
pass in on $lan_if from 172.16.0.17 to any tag mclosedata       keep state
pass in on $lan_if from 172.16.0.9 to any tag staffline1        keep state
pass in on $lan_if from 172.16.0.4 to any tag amazon            keep state

# AltQ - UPLOAD:
# No server_out queue is defined above; the server's own traffic uses the default queue.
pass out on $wan_if all tagged server           keep state queue std_out
pass out on $wan_if all tagged accesspoint      keep state queue accesspoint_out
pass out on $wan_if all tagged airost           keep state queue airost_out
pass out on $wan_if all tagged airost8560w      keep state queue airost8560w_out
pass out on $wan_if all tagged airostmob        keep state queue airostmob_out
pass out on $wan_if all tagged iphone4s         keep state queue iphone4s_out
pass out on $wan_if all tagged magda            keep state queue magda_out
pass out on $wan_if all tagged mclosedata       keep state queue mclosedata_out
pass out on $wan_if all tagged staffline1       keep state queue staffline1_out
pass out on $wan_if all tagged amazon           keep state queue amazon_out

# AltQ - DOWNLOAD:
# No server_in queue is defined above; the server's own traffic uses the default queue.
pass in on $lan_if all tagged server            keep state queue std_in
pass in on $lan_if all tagged accesspoint       keep state queue accesspoint_in
pass in on $lan_if all tagged airost            keep state queue airost_in
pass in on $lan_if all tagged airost8560w       keep state queue airost8560w_in
pass in on $lan_if all tagged airostmob         keep state queue airostmob_in
pass in on $lan_if all tagged iphone4s          keep state queue iphone4s_in
pass in on $lan_if all tagged magda             keep state queue magda_in
pass in on $lan_if all tagged mclosedata        keep state queue mclosedata_in
pass in on $lan_if all tagged staffline1        keep state queue staffline1_in
pass in on $lan_if all tagged amazon            keep state queue amazon_in

#
# Port blocking
#
########################
# Windows RPC/NetBIOS/SMB ports. The macros need the "$" prefix; without it
# pf treats "wan_if" as a literal interface name and the rules never match.
block in log quick on $wan_if proto tcp from any to any port = 135
block in log quick on $wan_if proto tcp from any to any port = 136
block in log quick on $wan_if proto tcp from any to any port = 137
block in log quick on $wan_if proto tcp from any to any port = 138
block in log quick on $wan_if proto tcp from any to any port = 139
block in log quick on $wan_if proto tcp from any to any port = 445
block in log quick on $wan_if proto tcp from any to any port = 593
block in log quick on $wan_if proto tcp from any to any port = 1024
block in log quick on $wan_if proto tcp from any to any port = 1025
block in log quick on $wan_if proto tcp from any to any port = 1026
block in log quick on $wan_if proto tcp from any to any port = 1027
block in log quick on $wan_if proto tcp from any to any port = 1028
block in log quick on $wan_if proto tcp from any to any port = 1029
block in log quick on $wan_if proto tcp from any to any port = 1030

block in log quick on $lan_if proto tcp from any to any port = 135
block in log quick on $lan_if proto tcp from any to any port = 136
block in log quick on $lan_if proto tcp from any to any port = 137
block in log quick on $lan_if proto tcp from any to any port = 138
block in log quick on $lan_if proto tcp from any to any port = 139
block in log quick on $lan_if proto tcp from any to any port = 445
block in log quick on $lan_if proto tcp from any to any port = 593
block in log quick on $lan_if proto tcp from any to any port = 1024
block in log quick on $lan_if proto tcp from any to any port = 1025
block in log quick on $lan_if proto tcp from any to any port = 1026
block in log quick on $lan_if proto tcp from any to any port = 1027
block in log quick on $lan_if proto tcp from any to any port = 1028
block in log quick on $lan_if proto tcp from any to any port = 1029
block in log quick on $lan_if proto tcp from any to any port = 1030

When I load the firewall manually I can do whatever I want online for a day, sometimes an hour, sometimes a week, and then I get cut off. When I log in to my server via PuTTY and try to ping a random external IP address, I only get the message:
No buffer space available
I have to reboot the machine and load the firewall manually again. It is a bit annoying, but I really want to stick with a BSD system and learn it. I am a bit new, so any ideas will help as long as they are explained to me like to a child.

With the firewall, the idea of traffic shaping was to get everything working smoothly by giving every computer a speed limit. For example, when 4 computers are downloading stuff I cannot play Black Ops 3 or anything else because my ping is high. I also installed the miniupnpd port so I get open NAT for my games. If I have to reconfigure my firewall, give me advice on how. I was reading some online FAQs and decided to modify my old one a bit, which had worked fine.

The devices I use:
A Draytek Vigor 130 (for the PPPoE connection) connected to a Dell PowerEdge 1950 on the bce1 interface, and a 3COM 1Gbit 24-port switch connected on the bce0 interface, with a CISCO WAP4410N access point connected to the 3COM switch.

FreeBSD 10.3 was released quite some time ago, meaning all the previous release candidates are unsupported. Please update your system to the full 10.3-RELEASE.

FreeBSD is up to date; I will test whether the "No buffer space available" issue comes up again.

Try switching from ppp to net/mpd5 and then configure an up/down script in mpd.conf to reload pf after the link is up.

I would really like to stick with what's built into the system rather than installing additional ports if possible, but thanks for the advice.
 
I would really like to stick with what's built into the system rather than installing additional ports if possible, but thanks for the advice.
That is totally possible; I have been using a very similar setup for years. First of all, you need to understand that the IP address on your tun interface is likely going to change every time your ISP (or you) disconnects the line. This means you need to design your firewall rules in a way that makes PF aware of such an address change without having to reload the configuration file. The correct way to do that is to put the interface name in parentheses wherever you want the address of the interface, not the interface name itself. PF will then automatically adjust to a change of the interface's IP address.
pf.conf(5) said:
Host name resolution and interface to address translation are done at ruleset load-time. When the address of an interface (or host name) changes (under DHCP or PPP, for instance), the ruleset must be reloaded for the change to be reflected in the kernel. Surrounding the interface name (and optional modifiers) in parentheses changes this behaviour. When the interface name is surrounded by parentheses, the rule is automatically updated whenever the interface changes its address. The ruleset does not need to be reloaded. This is especially useful with nat.
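Applying the advice above to the macros from the posted ruleset, as an added example that is not code from the original thread: the NAT target is written as ($wan_if) so PF follows tun0's current address without a reload, while the rdr and filter rules keep the bare $wan_if because there the name selects the interface rather than its address. The default-deny inbound policy on the WAN side is this example's choice, not the original post's; the ports and hosts are taken from the thread. Parse the file without loading it using pfctl -nf /etc/pf.conf before reloading.

```pf
# Added example (not part of the original post). Same macros as the thread.
wan_if="tun0"
lan_if="bce0"
lan_net="172.16.0.0/16"        # matches netmask 255.255.0.0 in rc.conf

set skip on lo0
scrub in all

# Weak form: the address of tun0 is resolved once, at ruleset load time.
# With PF started before ppp brings tun0 up, there is no address to resolve,
# and after a reconnect the translation keeps using the stale one.
# nat on $wan_if from $lan_net to any -> $wan_if static-port

# Corrected form: parentheses make PF track the interface's current address.
nat on $wan_if from $lan_net to any -> ($wan_if) static-port

# rdr selects the interface by name, so no parentheses there; "to ($wan_if)"
# instead of "to any" limits the redirect to whatever address tun0 holds.
rdr on $wan_if proto { tcp, udp } from any to ($wan_if) port 3074 -> 172.16.0.3 port 3074

# Filter rules: default deny inbound on the PPPoE link (this example's choice),
# allow the redirected game port (seen post-translation as 172.16.0.3),
# and let the LAN and the router itself out with state.
block in log on $wan_if
pass in on $wan_if proto { tcp, udp } from any to 172.16.0.3 port 3074 keep state
pass out on $wan_if keep state
pass in on $lan_if from $lan_net to any keep state
pass out on $lan_if keep state

# Syntax check without touching the running ruleset:  pfctl -nf /etc/pf.conf
```

With the address taken from the interface at run time, the ruleset can be loaded by rc.d/pf at boot even though tun0 does not exist yet, and a PPPoE reconnect that hands out a new address no longer requires the pfctl reload from ppp.linkup for the NAT rule to keep working.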
 