Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-30 Thread Mojo Jojo

Scott,

Trying to get the latest full version since you explained that the update 
doesn't update the BSD code.


You gave me this URL:
http://www.pfsense.com/~sullrich/

The files were there the other day but are gone now, I don't see this 
version on the mirrors.


Todd

- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 4:17 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k



Nope.

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:

Doh!

No better way to do this than removing the CF card and rewriting the whole
thing?

Just curious..

Thanks


- Original Message -
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, October 26, 2005 4:52 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
less than 100k


If you are on an embedded image you need to reflash.  The mini update
does not contain FreeBSD changes!



On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 OK, I got the latest version from the URL below..

 I changed the line from sis1 to ng0 in /tmp/rules.debug

 I ran:

 # pfctl -f /tmp/rules.debug
 pfctl: ng0: driver does not support altq

 As you can see I still get the same error.

 Todd
 - Original Message -
 From: Scott Ullrich [EMAIL PROTECTED]
 To: support@pfsense.com
 Sent: Wednesday, October 26, 2005 4:11 PM
 Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
 less than 100k


 Grab the latest version which does support ALTQ on NG0.

 http://www.pfsense.com/~sullrich/

 Repeat tests and report back what Dan is looking for.

 On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
  Hmmm...
 
  Since I turned shaper back off.. I had to turn it back on, I noticed that my
  changes to /tmp/rules.debug had gone away so I put the ng0 back on the line
  where it belongs.
 
  After doing so, I ran:
 
  # pfctl -f /tmp/rules.debug
  pfctl: ng0: driver does not support altq
 
  and you see what I am getting.
 
  So...
 
  What now?
 
  Todd
  - Original Message -
  From: Dan Swartzendruber [EMAIL PROTECTED]
  To: support@pfsense.com
  Sent: Wednesday, October 26, 2005 3:53 PM
  Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
  less than 100k
 
 
   At 04:51 PM 10/26/2005, you wrote:
  OK, I did it and my link is still hosed.
  
  Do you want me to run any of those commands again or anything else now
  that I have reloaded the rules?
  
   yes, please send 'pfctl -sq' now that you reloaded 'em.
  
  
  
   -
   To unsubscribe, e-mail: [EMAIL PROTECTED]
   For additional commands, e-mail: [EMAIL PROTECTED]
  
 
 



[pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

Here is my setup:

WRAP
128 mb CF Card

First install 0.864 then upgraded via the web GUI to 0.892 WRAP.

Currently using WAN/LAN only, OPT1 is not doing anything.

This is a home setup using a DSL connection with PPPOE.

All is well until I turn on traffic shaping and run the wizard, then my data 
speed using most speedtest sites goes from 1500/768 or so, to approx 94/46 
or so. Happens everytime I turn shaping on or off, it's definitely the 
shaping causing this issue without a doubt.


All I did in the traffic shaper wizard is tell it to prioritize VOIP and 
guarantee 768k of the bandwidth for this purpose. I selected Generic for the 
type of VOIP service. I finished the wizard and that's it..


So, I am confused what I did wrong which made this kill my bandwidth. 
Thoughts?


Thanks,
Todd






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 02:31 PM 10/26/2005, you wrote:

Here is my setup:

WRAP
128 mb CF Card

First install 0.864 then upgraded via the web GUI to 0.892 WRAP.

Currently using WAN/LAN only, OPT1 is not doing anything.

This is a home setup using a DSL connection with PPPOE.

All is well until I turn on traffic shaping and run the wizard, then 
my data speed using most speedtest sites goes from 1500/768 or so, 
to approx 94/46 or so. Happens everytime I turn shaping on or off, 
it's definitely the shaping causing this issue without a doubt.


All I did in the traffic shaper wizard is tell it to prioritize VOIP 
and guarantee 768k of the bandwidth for this purpose. I selected 
Generic for the type of VOIP service. I finished the wizard and that's it..


So, I am confused what I did wrong which made this kill my 
bandwidth. Thoughts?


why on earth do you need 768kb for VOIP???








Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo
I probably don't but I do testing sometimes with multiple lines back to my 
SoftSwitch at the office and don't want to yank it down to 100k or so and 
have problems.


Either way the bandwidth here is only suppose to be reserved for the VOIP if 
the VOIP is actually using it, when it's not being used then it's allocated 
back to data etc. At least this is the way I understand it..


Todd

- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 1:34 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 02:31 PM 10/26/2005, you wrote:

Here is my setup:

WRAP
128 mb CF Card

First install 0.864 then upgraded via the web GUI to 0.892 WRAP.

Currently using WAN/LAN only, OPT1 is not doing anything.

This is a home setup using a DSL connection with PPPOE.

All is well until I turn on traffic shaping and run the wizard, then my 
data speed using most speedtest sites goes from 1500/768 or so, to approx 
94/46 or so. Happens everytime I turn shaping on or off, it's definitely 
the shaping causing this issue without a doubt.


All I did in the traffic shaper wizard is tell it to prioritize VOIP and 
guarantee 768k of the bandwidth for this purpose. I selected Generic for 
the type of VOIP service. I finished the wizard and that's it..


So, I am confused what I did wrong which made this kill my bandwidth. 
Thoughts?


why on earth do you need 768kb for VOIP???








Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Scott Ullrich
It guarantees that his entire line could be used for VOIP if needed. 
From my understanding of the shaper (until it was recently changed)
was that you can dedicate all the bandwidth you want and if it's not
using it other queues would borrow from it.   It appears that this
behavior has changed.

On 10/26/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
 At 02:31 PM 10/26/2005, you wrote:
 Here is my setup:
 
 WRAP
 128 mb CF Card
 
 First install 0.864 then upgraded via the web GUI to 0.892 WRAP.
 
 Currently using WAN/LAN only, OPT1 is not doing anything.
 
 This is a home setup using a DSL connection with PPPOE.
 
 All is well until I turn on traffic shaping and run the wizard, then
 my data speed using most speedtest sites goes from 1500/768 or so,
 to approx 94/46 or so. Happens everytime I turn shaping on or off,
 it's definitely the shaping causing this issue without a doubt.
 
 All I did in the traffic shaper wizard is tell it to prioritize VOIP
 and guarantee 768k of the bandwidth for this purpose. I selected
 Generic for the type of VOIP service. I finished the wizard and that's it..
 
 So, I am confused what I did wrong which made this kill my
 bandwidth. Thoughts?

 why on earth do you need 768kb for VOIP???








Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Scott Ullrich
On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 I probably don't but I do testing sometimes with multiple lines back to my
 SoftSwitch at the office and don't want to yank it down to 100k or so and
 have problems.

 Either way the bandwidth here is only suppose to be reserved for the VOIP if
 the VOIP is actually using it, when it's not being used then it's allocated
 back to data etc. At least this is the way I understand it..

That's correct.   Bill will have to chime in here on if this is no
longer the way it works.




Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 02:48 PM 10/26/2005, you wrote:

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 I probably don't but I do testing sometimes with multiple lines back to my
 SoftSwitch at the office and don't want to yank it down to 100k or so and
 have problems.

 Either way the bandwidth here is only suppose to be reserved for the VOIP if
 the VOIP is actually using it, when it's not being used then it's allocated
 back to data etc. At least this is the way I understand it..

That's correct.   Bill will have to chime in here on if this is no
longer the way it works.


Yeah, I dig that, just wondering.  Does seem like the wrong behavior...






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo
Also, I tried lower the guarantee to 256k just in case this part of the 
problem.


No joy, same issue..

Todd
- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 1:48 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k



On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:

I probably don't but I do testing sometimes with multiple lines back to my
SoftSwitch at the office and don't want to yank it down to 100k or so and
have problems.

Either way the bandwidth here is only suppose to be reserved for the VOIP if
the VOIP is actually using it, when it's not being used then it's allocated
back to data etc. At least this is the way I understand it..


That's correct.   Bill will have to chime in here on if this is no
longer the way it works.




Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 02:54 PM 10/26/2005, you wrote:
Also, I tried lower the guarantee to 256k just in case this part of 
the problem.


No joy, same issue..


now *that* is really weird.  can you post your rules and queues?






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

Sure, what would be the easiest way to do this?

I have nothing more than I mentioned before.. Plain vanilla setup with just 
the shaper stuff I mentioned. I don't even have any firewall rules or 
anything else really in place.


Todd

- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 1:56 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 02:54 PM 10/26/2005, you wrote:
Also, I tried lower the guarantee to 256k just in case this part of the 
problem.


No joy, same issue..


now *that* is really weird.  can you post your rules and queues?






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Scott Ullrich
Sending /tmp/rules.debug may help show the problem.  Sanitize any
personal data before sending (if you don't want your ips shown,etc)

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 Sure, what would be the easiest way to do this?

 I have nothing more than I mentioned before.. Plain vanilla setup with just
 the shaper stuff I mentioned. I don't even have any firewall rules or
 anything else really in place.

 Todd

 - Original Message -
 From: Dan Swartzendruber [EMAIL PROTECTED]
 To: support@pfsense.com
 Sent: Wednesday, October 26, 2005 1:56 PM
 Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
 less than 100k


  At 02:54 PM 10/26/2005, you wrote:
 Also, I tried lower the guarantee to 256k just in case this part of the
 problem.
 
 No joy, same issue..
 
  now *that* is really weird.  can you post your rules and queues?
 
 
 



Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 02:58 PM 10/26/2005, you wrote:

Sure, what would be the easiest way to do this?


Get a shell on your box and do:

pfctl -sq
pfctl -sr

I have nothing more than I mentioned before.. Plain vanilla setup 
with just the shaper stuff I mentioned. I don't even have any 
firewall rules or anything else really in place.


Not questioning that, but hard to know what's wrong without seeing 'em.








Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

I think this is what you want:



<shaper>
  <schedulertype>hfsc</schedulertype>
  <queue>
    <name>qWANRoot</name>
    <associatedrule>0</associatedrule>
    <priority>6</priority>
    <parentqueue>on</parentqueue>
    <bandwidth>768</bandwidth>
    <bandwidthtype>Kb</bandwidthtype>
  </queue>
  <queue>
    <name>qWANdef</name>
    <attachtoqueue>qWANRoot</attachtoqueue>
    <associatedrule>0</associatedrule>
    <defaultqueue>true</defaultqueue>
    <priority>3</priority>
    <realtime>on</realtime>
    <realtime1>10%</realtime1>
    <realtime2>1</realtime2>
    <realtime3>10%</realtime3>
    <linkshare>on</linkshare>
    <linkshare1>0%</linkshare1>
    <linkshare2>1000</linkshare2>
    <linkshare3>10%</linkshare3>
    <upperlimit>on</upperlimit>
    <upperlimit1>100%</upperlimit1>
    <upperlimit2>100</upperlimit2>
    <upperlimit3>90%</upperlimit3>
    <bandwidth>1</bandwidth>
    <bandwidthtype>%</bandwidthtype>
  </queue>
  <queue>
    <name>qLANRoot</name>
    <associatedrule>0</associatedrule>
    <priority>6</priority>
    <parentqueue>on</parentqueue>
    <bandwidth>1500</bandwidth>
    <bandwidthtype>Kb</bandwidthtype>
  </queue>
  <queue>
    <name>qLANdef</name>
    <priority>3</priority>
    <attachtoqueue>qLANRoot</attachtoqueue>
    <associatedrule>0</associatedrule>
    <defaultqueue>true</defaultqueue>
    <realtime>on</realtime>
    <realtime1>10%</realtime1>
    <realtime2>1</realtime2>
    <realtime3>10%</realtime3>
    <linkshare>on</linkshare>
    <linkshare1>0%</linkshare1>
    <linkshare2>1000</linkshare2>
    <linkshare3>10%</linkshare3>
    <upperlimit>on</upperlimit>
    <upperlimit1>100%</upperlimit1>
    <upperlimit2>100</upperlimit2>
    <upperlimit3>90%</upperlimit3>
    <bandwidth>1</bandwidth>
    <bandwidthtype>%</bandwidthtype>
  </queue>
  <queue>
    <name>qLANacks</name>
    <ack />
    <attachtoqueue>qLANRoot</attachtoqueue>
    <associatedrule>0</associatedrule>
    <priority>6</priority>
    <realtime>on</realtime>
    <realtime1>10%</realtime1>
    <realtime2>1</realtime2>
    <realtime3>10%</realtime3>
    <linkshare>on</linkshare>
    <linkshare1>0%</linkshare1>
    <linkshare2>1000</linkshare2>
    <linkshare3>10%</linkshare3>
    <upperlimit>on</upperlimit>
    <upperlimit1>80%</upperlimit1>
    <upperlimit2>1</upperlimit2>
    <upperlimit3>80%</upperlimit3>
    <bandwidth>1</bandwidth>
    <bandwidthtype>%</bandwidthtype>
  </queue>
  <queue>
    <name>qWANacks</name>
    <ack />
    <attachtoqueue>qWANRoot</attachtoqueue>
    <associatedrule>0</associatedrule>
    <priority>6</priority>
    <realtime>on</realtime>
    <realtime1>10%</realtime1>
    <realtime2>1</realtime2>
    <realtime3>10%</realtime3>
    <linkshare>on</linkshare>
    <linkshare1>0%</linkshare1>
    <linkshare2>1000</linkshare2>
    <linkshare3>10%</linkshare3>
    <upperlimit>on</upperlimit>
    <upperlimit1>80%</upperlimit1>
    <upperlimit2>1</upperlimit2>
    <upperlimit3>80%</upperlimit3>
    <bandwidth>1</bandwidth>
    <bandwidthtype>%</bandwidthtype>
  </queue>
  <queue>
    <name>qVOIPUp</name>
    <associatedrule>0</associatedrule>
    <priority>7</priority>
    <ecn>on</ecn>
    <realtime>on</realtime>
    <realtime1>256Kb</realtime1>
    <realtime2>1</realtime2>
    <realtime3>256Kb</realtime3>
    <linkshare>on</linkshare>
    <linkshare1>0%</linkshare1>
    <linkshare2>1000</linkshare2>
    <linkshare3>10%</linkshare3>
    <upperlimit>on</upperlimit>
    <upperlimit1>256Kb</upperlimit1>
    <upperlimit2>1</upperlimit2>
    <upperlimit3>256Kb</upperlimit3>
    <bandwidth>1</bandwidth>
    <bandwidthtype>%</bandwidthtype>
    <attachtoqueue>qWANRoot</attachtoqueue>
  </queue>
  <queue>
    <name>qVOIPDown</name>
    <associatedrule>0</associatedrule>
    <priority>7</priority>
    <ecn>on</ecn>
    <realtime>on</realtime>
    <realtime1>256Kb</realtime1>
    <realtime2>1</realtime2>
    <realtime3>256Kb</realtime3>
    <linkshare>on</linkshare>
    <linkshare1>0%</linkshare1>
    <linkshare2>1000</linkshare2>
    <linkshare3>10%</linkshare3>
    <upperlimit>on</upperlimit>
    <upperlimit1>256Kb</upperlimit1>
    <upperlimit2>1</upperlimit2>
    <upperlimit3>256Kb</upperlimit3>
    <bandwidth>1</bandwidth>
    <bandwidthtype>%</bandwidthtype>
    <attachtoqueue>qLANRoot</attachtoqueue>
  </queue>
  <rule>
    <descr>DiffServ/Lowdelay/Upload</descr>
    <inqueue>qVOIPDown</inqueue>
    <outqueue>qVOIPUp</outqueue>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any />
    </destination>
    <iptos>lowdelay</iptos>
  </rule>
  <rule>
    <descr>DiffServ/Lowdelay/Download</descr>
    <inqueue>qVOIPUp</inqueue>
    <outqueue>qVOIPDown</outqueue>
    <interface>wan</interface>
    <source>
      <any />
    </source>
    <destination>
      <network>lan</network>
    </destination>
    <iptos>lowdelay</iptos>
  </rule>
</shaper>


- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 1:56 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 02:54 PM 10/26/2005, you wrote:
Also, I tried lower the guarantee to 256k just in case this part of the 
problem.


No joy, same issue..


now *that* is really weird.  can you post your rules and queues?






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:00 PM 10/26/2005, you wrote:

I think this is what you want:



- shaper
 schedulertypehfsc/schedulertype
- queue


ewww, no thanks.  reading raw xml is not fun.  as scott said, go to 
/tmp and post rules.debug (removing IP addresses etc if you're 
worried about security...)







Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo



Sending /tmp/rules.debug may help show the problem.  Sanitize any
personal data before sending (if you don't want your ips shown,etc)






# System Aliases
lan = { sis0  }
wan = { ng0  }
pptp = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
pppoe = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
DMZ = { sis2 }
# User Aliases

set loginterface sis1
set loginterface sis0
set loginterface sis2
set optimization normal

scrub on ng0 all max-mss 1452


nat-anchor pftpx/*
nat-anchor natearly/*
nat-anchor natrules/*
nat on ng0 from 192.168.1.0/24 to any port 500  -> (ng0) port 500
nat on ng0 from 192.168.1.0/24 to any  -> (ng0)
#SSH Lockout Table
table <sshlockout> persist

# spam table
table <spamd> persist

# Load balancing anchor - slbd updates
rdr-anchor slb
# FTP proxy
rdr-anchor pftpx/*
rdr on sis0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

anchor firewallrules

# loopback
anchor loopback
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"

# package manager early specific hook
anchor packageearly

# carp
anchor carp

# enable ftp-proxy
anchor ftpproxy
anchor pftpx/*
pass in quick on ng0 inet proto tcp from port 20 to (ng0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

# allow access to DHCP server on LAN
anchor dhcpserverlan
pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on sis0 proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on sis0 proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

# WAN spoof check
anchor wanspoof
block in log quick on ng0 from 192.168.1.0/24 to any label "WAN spoof check"

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
anchor wandhcp
pass out quick on ng0 proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
block in log quick on ng0 proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "allow dhcp client out wan"
pass in quick on ng0 proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

antispoof for sis0

# block anything from private networks on WAN interface
anchor spoofing
block in log quick on ng0 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on ng0 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on ng0 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on ng0 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# Support for allow limiting of TCP connections by establishment rate
anchor limitingesr
table <virusprot>

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor wanbogons
table <bogons> persist file /etc/bogons
block in log quick on ng0 from <bogons> to any label "block bogon networks from wan"

# let out anything from the firewall host itself and decrypted IPsec traffic
# pass out quick on ng0 all keep state label "let out anything from firewall host itself"

# pass traffic from firewall -> out
anchor firewallout
pass out quick on ng0 all keep state label "let out anything from firewall host itself"
pass out quick on sis0 all keep state label "let out anything from firewall host itself"
pass out quick on ng0 all keep state label "let out anything from firewall host itself pptp"
pass out quick on ng0 all keep state label "let out anything from firewall host itself pppoe"

# make sure the user cannot lock himself out of the webGUI or SSH
anchor anti-lockout
pass in quick from 192.168.1.0/24 to 192.168.1.1 keep state label "anti-lockout web rule"

# SSH lockout
block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"

# User-defined rules follow
pass in quick on $lan from 192.168.1.0/24 to any keep state  label "USER_RULE: Default LAN -> any"

# VPN Rules

#---
# default rules (just to be sure)
#---
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."




- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:00 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k



Sending /tmp/rules.debug may help show the problem.  Sanitize any
personal data before sending (if you don't want your ips shown,etc

Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber


this is really odd.  no queue stuff at all?  what happens if you manually type:

pfctl -f /tmp/rules.debug

any errors?





Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

Sorry...

I have it turned off at the moment because it kills my connection speed :)

I guess I have to turn it back on so the info will show up in this file?

Todd
- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:11 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k





this is really odd.  no queue stuff at all?  what happens if you manually 
type:


pfctl -f /tmp/rules.debug

any errors?





Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Scott Ullrich
ng0 --- this shows that you're using pppoe.  I don't think the traffic
shaper is compatible with this.   I have a patch in the system today
that will change this, but I am not sure how this would affect your
situation.

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 Sorry...

 I have it turned off at the moment because it kills my connection speed :)

 I guess I have to turn it back on so the info will show up in this file?

 Todd
 - Original Message -
 From: Dan Swartzendruber [EMAIL PROTECTED]
 To: support@pfsense.com
 Sent: Wednesday, October 26, 2005 2:11 PM
 Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
 less than 100k


 
  this is really odd.  no queue stuff at all?  what happens if you manually
  type:
 
  pfctl -f /tmp/rules.debug
 
  any errors?
 
 



Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:12 PM 10/26/2005, you wrote:

Sorry...

I have it turned off at the moment because it kills my connection speed :)

I guess I have to turn it back on so the info will show up in this file?


yes :)








Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo





this is really odd.  no queue stuff at all?  what happens if you manually 
type:


pfctl -f /tmp/rules.debug

any errors?


Try this:

###
# System Aliases
lan = { sis0  }
wan = { ng0  }
pptp = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
pppoe = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
DMZ = { sis2 }
# User Aliases

set loginterface sis1
set loginterface sis0
set loginterface sis2
set optimization normal

scrub on ng0 all max-mss 1452
altq on sis1 hfsc  queue {  qWANRoot }
altq on sis0 hfsc  queue {  qLANRoot }


queue qWANRoot bandwidth 768Kb priority 6 hfsc { qWANdef, qWANacks, qVOIPUp }
queue qWANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANRoot bandwidth 1500Kb priority 6 hfsc { qLANdef, qLANacks, qVOIPDown }
queue qLANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qWANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qVOIPUp bandwidth 1% priority 7 hfsc (  ecn upperlimit(256Kb 1 256Kb) linkshare(0% 1000 10%) realtime(256Kb 1 256Kb) )
queue qVOIPDown bandwidth 1% priority 7 hfsc (  ecn upperlimit(256Kb 1 256Kb) linkshare(0% 1000 10%) realtime(256Kb 1 256Kb) )

nat-anchor pftpx/*
nat-anchor natearly/*
nat-anchor natrules/*
nat on ng0 from 192.168.1.0/24 to any port 500  -> (ng0) port 500
nat on ng0 from 192.168.1.0/24 to any  -> (ng0)
#SSH Lockout Table
table <sshlockout> persist

# spam table
table <spamd> persist

# Load balancing anchor - slbd updates
rdr-anchor slb
# FTP proxy
rdr-anchor pftpx/*
rdr on sis0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

pass in on  sis0 from 192.168.1.0/24 to any tos lowdelay  keep state tag qVOIPDown

pass out on  ng0 from any to any tos lowdelay  keep state tag qVOIPUp
pass in on  ng0 from any to 192.168.1.0/24 tos lowdelay  keep state tag qVOIPUp
pass out on  sis0 from any to 192.168.1.0/24 tos lowdelay  keep state tag qVOIPDown

anchor firewallrules

# loopback
anchor loopback
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"

# package manager early specific hook
anchor packageearly

# carp
anchor carp

# enable ftp-proxy
anchor ftpproxy
anchor pftpx/*
pass in quick on ng0 inet proto tcp from port 20 to (ng0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

# allow access to DHCP server on LAN
anchor dhcpserverlan
pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on sis0 proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on sis0 proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

# WAN spoof check
anchor wanspoof
block in log quick on ng0 from 192.168.1.0/24 to any label "WAN spoof check"

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
anchor wandhcp
pass out quick on ng0 proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
block in log quick on ng0 proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "allow dhcp client out wan"
pass in quick on ng0 proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

antispoof for sis0

# block anything from private networks on WAN interface
anchor spoofing
block in log quick on ng0 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on ng0 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on ng0 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on ng0 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# Support for allow limiting of TCP connections by establishment rate
anchor limitingesr
table <virusprot>

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor wanbogons
table <bogons> persist file /etc/bogons
block in log quick on ng0 from <bogons> to any label "block bogon networks from wan"

# let out anything from the firewall host itself and decrypted IPsec traffic
# pass out quick on ng0 all keep state label "let out anything from firewall host itself"

# pass traffic from firewall -> out
anchor firewallout
pass out quick on ng0 all keep state tagged qWANRoot queue qWANRoot label "let out anything from firewall host itself"
pass out quick on ng0 all keep state tagged qWANdef queue qWANdef label "let out anything from firewall host itself"
pass 

Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:15 PM 10/26/2005, you wrote:



this is really odd.  no queue stuff at all?  what happens if you 
manually type:


pfctl -f /tmp/rules.debug

any errors?


Try this:

###
# System Aliases
lan = { sis0  }
wan = { ng0  }
pptp = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
pppoe = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
DMZ = { sis2 }
# User Aliases

set loginterface sis1
set loginterface sis0
set loginterface sis2
set optimization normal

scrub on ng0 all max-mss 1452
altq on sis1 hfsc  queue {  qWANRoot } === bingo!
altq on sis0 hfsc  queue {  qLANRoot }  bingo!


If no bandwidth is in the GUI for an interface, it tries to guess by 
the interface name.  For vlan (my problem) that doesn't work, so i 
get errors.  dunno what pppoe does.  try putting manual bandwidth for 
WAN and LAN in the gui and see if that helps.  Are you sure you get 
no errors when loading this?



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:19 PM 10/26/2005, you wrote:

Huh?

Aren't lots of people using PPPOE?

This is all I can get at home these days.

Confused as to why this should matter, the bandwidth is the same.


driver may not support it.  see my mail just now

So, should I give up on PfSense working for me at home in regards to 
traffic shaping? This stinks since I have to have VOIP traffic 
prioritized or I can't use it.


Thanks for the info.

Todd

- Original Message - From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:15 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link 
speed to less than 100k



ng0 --- this shows that you're using pppoe.  I don't think the traffic
shaper is compatible with this.   I have a patch in the system today
that will change this, but I am not sure how this would affect your
situation.

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:

Sorry...

I have it turned off at the moment because it kills my connection speed :)

I guess I have to turn it back on so the info will show up in this file?

Todd
- Original Message -
From: Dan Swartzendruber [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:11 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
less than 100k



 this is really odd.  no queue stuff at all?  what happens if 
you  manually

 type:

 pfctl -f /tmp/rules.debug

 any errors?





Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo


try putting manual bandwidth for WAN and LAN in the gui and see if that 
helps.




You mean under InterfacesWAN and InterfacesLAN?





Are you sure you get no errors when loading this?




Sorry, when loading what?

Todd

- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:22 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 03:15 PM 10/26/2005, you wrote:



this is really odd.  no queue stuff at all?  what happens if you manually 
type:


pfctl -f /tmp/rules.debug

any errors?


Try this:

###
# System Aliases
lan = { sis0  }
wan = { ng0  }
pptp = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
pppoe = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
DMZ = { sis2 }
# User Aliases

set loginterface sis1
set loginterface sis0
set loginterface sis2
set optimization normal

scrub on ng0 all max-mss 1452
altq on sis1 hfsc  queue {  qWANRoot } === bingo!
altq on sis0 hfsc  queue {  qLANRoot }  bingo!


If no bandwidth is in the GUI for an interface, it tries to guess by the 
interface name.  For vlan (my problem) that doesn't work, so i get errors. 
dunno what pppoe does.  try putting manual bandwidth for WAN and LAN in the 
gui and see if that helps.  Are you sure you get no errors when loading 
this?






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:29 PM 10/26/2005, you wrote:


try putting manual bandwidth for WAN and LAN in the gui and see if that helps.

You mean under InterfacesWAN and InterfacesLAN?


yes.



Are you sure you get no errors when loading this?

Sorry, when loading what?


what happens if you manually type:

pfctl -f /tmp/rules.debug

any error messages?

p.s. if you would have gotten errors, the gui should complain too - 
should be message in blue scrolling sideways up at the top of the 
browser window?







Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo
After setting the LAN interface to 100 mb, the screen came back OK except I 
saw this at the very bottom of the screen:


ifconfig: not found Warning: unlink(/var/run/lan.conf.dirty): No such file 
or directory in /usr/local/www/interfaces_lan.php on line 283


Anyone know what this is about?

Todd
- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:31 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 03:29 PM 10/26/2005, you wrote:

try putting manual bandwidth for WAN and LAN in the gui and see if that 
helps.


You mean under InterfacesWAN and InterfacesLAN?


yes.



Are you sure you get no errors when loading this?

Sorry, when loading what?


what happens if you manually type:

pfctl -f /tmp/rules.debug

any error messages?

p.s. if you would have gotten errors, the gui should complain too - should 
be message in blue scrolling sideways up at the top of the browser window?







Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:34 PM 10/26/2005, you wrote:
After setting the LAN interface to 100 mb, the screen came back OK 
except I saw this at the very bottom of the screen:


ifconfig: not found Warning: unlink(/var/run/lan.conf.dirty): No 
such file or directory in /usr/local/www/interfaces_lan.php on line 283


Anyone know what this is about?


sounds like a glitch.  maybe harmless.  what does /tmp/rules.debug show now?






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo
try putting manual bandwidth for WAN and LAN in the gui and see if that 
helps.


You mean under InterfacesWAN and InterfacesLAN?


yes.


OK, I set my WAN to 10mb and my LAN to 100mb. I then turned traffic shaper 
back on and did a speed test and no joy, same thing, can't get past 100k or 
so.


I will run the commands you suggested and reply soon.

Todd

- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:31 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 03:29 PM 10/26/2005, you wrote:

try putting manual bandwidth for WAN and LAN in the gui and see if that 
helps.


You mean under InterfacesWAN and InterfacesLAN?


yes.



Are you sure you get no errors when loading this?

Sorry, when loading what?


what happens if you manually type:

pfctl -f /tmp/rules.debug

any error messages?

p.s. if you would have gotten errors, the gui should complain too - should 
be message in blue scrolling sideways up at the top of the browser window?







Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:37 PM 10/26/2005, you wrote:
try putting manual bandwidth for WAN and LAN in the gui and see if 
that helps.


You mean under InterfacesWAN and InterfacesLAN?


yes.


OK, I set my WAN to 10mb and my LAN to 100mb. I then turned traffic 
shaper back on and did a speed test and no joy, same thing, can't 
get past 100k or so.


I will run the commands you suggested and reply soon.


I'm betting I know the results :)  There is a bug (or something) 
where it seems like the BW setting in the GUI gets lost, so the 
shaper wizard can't find it and the 'altq' commands have no BW number 
in them.  Waiting for the results...









Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo



what does /tmp/rules.debug show now?




##
# System Aliases
lan = { sis0  }
wan = { ng0  }
pptp = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
pppoe = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
DMZ = { sis2 }
# User Aliases

set loginterface sis1
set loginterface sis0
set loginterface sis2
set optimization normal

scrub on ng0 all max-mss 1452


nat-anchor pftpx/*
nat-anchor natearly/*
nat-anchor natrules/*
nat on ng0 from 192.168.1.0/24 to any port 500  - (ng0) port 500
nat on ng0 from 192.168.1.0/24 to any  - (ng0)
#SSH Lockout Table
table sshlockout persist


# spam table
table spamd persist


# Load balancing anchor - slbd updates
rdr-anchor slb
# FTP proxy
rdr-anchor pftpx/*
rdr on sis0 proto tcp from any to any port 21 - 127.0.0.1 port 8021



anchor firewallrules

# loopback
anchor loopback
pass in quick on lo0 all label pass loopback
pass out quick on lo0 all label pass loopback

# package manager early specific hook
anchor packageearly


# carp
anchor carp

# enable ftp-proxy
anchor ftpproxy
anchor pftpx/*
pass in quick on ng0 inet proto tcp from port 20 to (ng0) port  49000 user 
proxy flags S/SA keep state label FTP PROXY: PASV mode data connection


# allow access to DHCP server on LAN
anchor dhcpserverlan
pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255 port = 
67 label allow access to DHCP server on LAN
pass in quick on sis0 proto udp from any port = 68 to 192.168.1.1 port = 67 
label allow access to DHCP server on LAN
pass out quick on sis0 proto udp from 192.168.1.1 port = 67 to any port = 68 
label allow access to DHCP server on LAN


# WAN spoof check
anchor wanspoof
block in log quick on ng0 from 192.168.1.0/24 to any label WAN spoof check

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
anchor wandhcp
pass out quick on ng0 proto udp from any port = 68 to any port = 67 label 
allow dhcp client out wan
block in log quick on ng0 proto udp from any port = 67 to 192.168.1.0/24 
port = 68 label allow dhcp client out wan
pass in quick on ng0 proto udp from any port = 67 to any port = 68 label 
allow dhcp client out wan


# LAN/OPT spoof check (needs to be after DHCP because of broadcast 
addresses)

antispoof for sis0


# block anything from private networks on WAN interface
anchor spoofing
block in log quick on ng0 from 10.0.0.0/8 to any label block private 
networks from wan block 10/8
block in log quick on ng0 from 127.0.0.0/8 to any label block private 
networks from wan block 127/8
block in log quick on ng0 from 172.16.0.0/12 to any label block private 
networks from wan block 172.16/12
block in log quick on ng0 from 192.168.0.0/16 to any label block private 
networks from wan block 192.168/16

# Support for allow limiting of TCP connections by establishment rate
anchor limitingesr
table virusprot

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor wanbogons
table bogons persist file /etc/bogons
block in log quick on ng0 from bogons to any label block bogon networks 
from wan


# let out anything from the firewall host itself and decrypted IPsec traffic
# pass out quick on ng0 all keep state label let out anything from firewall 
host itself

# pass traffic from firewall - out
anchor firewallout
pass out quick on ng0 all keep state label let out anything from firewall 
host itself
pass out quick on sis0 all keep state label let out anything from firewall 
host itself
pass out quick on ng0 all keep state label let out anything from firewall 
host itself pptp
pass out quick on ng0 all keep state label let out anything from firewall 
host itself pppoe


# make sure the user cannot lock himself out of the webGUI or SSH
anchor anti-lockout
pass in quick from 192.168.1.0/24 to 192.168.1.1 keep state label 
anti-lockout web rule


# SSH lockout
block in log proto tcp from sshlockout to any port 22 label sshlockout


# User-defined rules follow
pass in quick on $lan from 192.168.1.0/24 to any keep state  label 
USER_RULE: Default LAN - any


# VPN Rules

#---
# default rules (just to be sure)
#---
block in log quick all label Default block all just to be sure.
block out log quick all label Default block all just to be sure.
##

- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:36 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 03:34 PM 10/26/2005, you wrote:
After setting the LAN interface to 100 mb, the screen came back OK except 
I saw this at the very bottom of the screen:


ifconfig: not found Warning: unlink(/var/run/lan.conf.dirty): No such file 
or directory in /usr/local/www/interfaces_lan.php

Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo



what happens if you manually type:

pfctl -f /tmp/rules.debug

any error messages?




Nope..

#
#
# pfctl -f /tmp/rules.debug
#


- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:31 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 03:29 PM 10/26/2005, you wrote:

try putting manual bandwidth for WAN and LAN in the gui and see if that 
helps.


You mean under InterfacesWAN and InterfacesLAN?


yes.



Are you sure you get no errors when loading this?

Sorry, when loading what?


what happens if you manually type:

pfctl -f /tmp/rules.debug

any error messages?

p.s. if you would have gotten errors, the gui should complain too - should 
be message in blue scrolling sideways up at the top of the browser window?







Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber


did you turn shaper back off?  please turn it on and add the 
following two lines before the queue directives (by editing /tmp/rules.debug)


altq on fxp1 hfsc bandwidth 10Mb queue {  qWANRoot }
altq on vlan0 hfsc bandwidth 10Mb queue {  qLANRoot }

NOTE: change fxp1 to your wan interface and change vlan0 to your lan 
interface.  then do 'pfctl -f /tmp/rules.debug' and report results...






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber


also post results of 'pfctl -sq'






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:50 PM 10/26/2005, you wrote:

Yes I turned it back off, I have to leave it off or my speed is miserable :)


i understand your pain, but no test results with shaping off will be 
meaningful.









Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo
 firewall host itself
pass out quick on ng0 all keep state tagged qLANRoot queue qLANRoot label 
let out anything from firewall host itself
pass out quick on ng0 all keep state tagged qLANdef queue qLANdef label let 
out anything from firewall host itself
pass out quick on ng0 all keep state tagged qLANacks queue qLANacks label 
let out anything from firewall host itself
pass out quick on ng0 all keep state tagged qWANacks queue qWANacks label 
let out anything from firewall host itself
pass out quick on ng0 all keep state tagged qVOIPUp queue qVOIPUp label let 
out anything from firewall host itself
pass out quick on ng0 all keep state tagged qVOIPDown queue qVOIPDown label 
let out anything from firewall host itself
pass out quick on ng0 all keep state label let out anything from firewall 
host itself
pass out quick on sis0 all keep state tagged qWANRoot queue qWANRoot label 
let out anything from firewall host itself
pass out quick on sis0 all keep state tagged qWANdef queue qWANdef label 
let out anything from firewall host itself
pass out quick on sis0 all keep state tagged qLANRoot queue qLANRoot label 
let out anything from firewall host itself
pass out quick on sis0 all keep state tagged qLANdef queue qLANdef label 
let out anything from firewall host itself
pass out quick on sis0 all keep state tagged qLANacks queue qLANacks label 
let out anything from firewall host itself
pass out quick on sis0 all keep state tagged qWANacks queue qWANacks label 
let out anything from firewall host itself
pass out quick on sis0 all keep state tagged qVOIPUp queue qVOIPUp label 
let out anything from firewall host itself
pass out quick on sis0 all keep state tagged qVOIPDown queue qVOIPDown label 
let out anything from firewall host itself
pass out quick on sis0 all keep state label let out anything from firewall 
host itself
pass out quick on ng0 all keep state label let out anything from firewall 
host itself pptp
pass out quick on ng0 all keep state label let out anything from firewall 
host itself pppoe


# make sure the user cannot lock himself out of the webGUI or SSH
anchor anti-lockout
pass in quick from 192.168.1.0/24 to 192.168.1.1 keep state label 
anti-lockout web rule


# SSH lockout
block in log proto tcp from sshlockout to any port 22 label sshlockout


# User-defined rules follow
# Anchors for rules that might be matched by queues
anchor qWANRoot tagged qWANRoot
anchor qWANdef tagged qWANdef
anchor qLANRoot tagged qLANRoot
anchor qLANdef tagged qLANdef
anchor qLANacks tagged qLANacks
anchor qWANacks tagged qWANacks
anchor qVOIPUp tagged qVOIPUp
anchor qVOIPDown tagged qVOIPDown
pass in quick on $lan from 192.168.1.0/24 to any keep state  queue (qLANdef, 
qLANacks)  label USER_RULE: Default LAN - any


# VPN Rules

#---
# default rules (just to be sure)
#---
block in log quick all label Default block all just to be sure.
block out log quick all label Default block all just to be sure.


- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:52 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 03:50 PM 10/26/2005, you wrote:
Yes I turned it back off, I have to leave it off or my speed is miserable 
:)


i understand your pain, but no test results with shaping off will be 
meaningful.









Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

After turning the shaper back on, I do have this already in the file:

altq on sis1 hfsc bandwidth 10Mb queue {  qWANRoot }
altq on sis0 hfsc bandwidth 100Mb queue {  qLANRoot }

Do you want me to still replace this with yours? Seems to be the same 
basically..


Todd

- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:46 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k





did you turn shaper back off?  please turn it on and add the following two 
lines before the queue directives (by editing /tmp/rules.debug)


altq on fxp1 hfsc bandwidth 10Mb queue {  qWANRoot }
altq on vlan0 hfsc bandwidth 10Mb queue {  qLANRoot }

NOTE: change fxp1 to your wan interface and change vlan0 to your lan 
interface.  then do 'pfctl -f /tmp/rules.debug' and report results...






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:54 PM 10/26/2005, you wrote:
Here is the file after turning shaping back on and before making the 
changes you requested.


Working on the changes now.

Todd

-
# System Aliases
lan = { sis0  }
wan = { ng0  }
pptp = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
pppoe = { ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }
DMZ = { sis2 }
# User Aliases

set loginterface sis1
set loginterface sis0
set loginterface sis2
set optimization normal

scrub on ng0 all max-mss 1452
altq on sis1 hfsc bandwidth 10Mb queue {  qWANRoot }


hmmm, this should have read:

altq on ng0 hfsc bandwidth 10Mb queue { qWANRoot }








Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 03:56 PM 10/26/2005, you wrote:

After turning the shaper back on, I do have this already in the file:

altq on sis1 hfsc bandwidth 10Mb queue {  qWANRoot }
altq on sis0 hfsc bandwidth 100Mb queue {  qLANRoot }

Do you want me to still replace this with yours? Seems to be the 
same basically..


see my previous mail.  according to the rules, WAN is ng0, NOT sis1, 
so i suspect that breaks things.
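The two defects diagnosed in this thread (an `altq` line with no bandwidth, and the WAN root queue attached to `sis1` while the `wan` alias is `ng0`) can be checked against a copy of the ruleset before it is loaded. This is an added example, not part of the original thread or of pfSense: `lint_altq`, the finding labels, and the rule that a queue named `qWAN...`/`qLAN...` belongs on the `wan`/`lan` alias are assumptions of the example, and both sample rulesets are constructed from the excerpts posted in the thread.

```python
import re

# "name = { if1 if2 }" alias lines, as at the top of /tmp/rules.debug
MACRO_RE = re.compile(r"^\s*(\w+)\s*=\s*\{([^}]*)\}")
# "altq on <iface> <options...> queue { q1, q2 }"
ALTQ_RE = re.compile(r"^\s*altq\s+on\s+(\S+)\s+(.*?)\bqueue\s*\{([^}]*)\}")
BW_RE = re.compile(r"\bbandwidth\s+\S+")

# Constructed sample: the shape first posted in the thread (no bandwidth,
# WAN root queue on sis1 although the wan alias is ng0).
BROKEN_RULES = """\
# System Aliases
lan = { sis0  }
wan = { ng0  }
scrub on ng0 all max-mss 1452
altq on sis1 hfsc  queue {  qWANRoot }
altq on sis0 hfsc  queue {  qLANRoot }
"""

# Constructed sample: the hand-edited version posted later in the thread.
EDITED_RULES = """\
lan = { sis0  }
wan = { ng0  }
scrub on ng0 all max-mss 1452
#altq on sis1 hfsc bandwidth 10Mb queue {  qWANRoot }
altq on ng0 hfsc bandwidth 10Mb queue { qWANRoot }
altq on sis0 hfsc bandwidth 100Mb queue {  qLANRoot }
"""


def lint_altq(rules_text):
    """Return a list of (line_number, interface, finding) tuples.

    Findings:
      missing-bandwidth  - the altq line carries no 'bandwidth <value>'
      not-wan-interface  - a qWAN* queue sits on an interface outside 'wan'
      not-lan-interface  - a qLAN* queue sits on an interface outside 'lan'
    """
    macros = {}
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments, incl. commented-out altq
        macro = MACRO_RE.match(line)
        if macro:
            macros[macro.group(1)] = macro.group(2).split()
            continue
        altq = ALTQ_RE.match(line)
        if not altq:
            continue
        iface, options = altq.group(1), altq.group(2)
        queues = altq.group(3).replace(",", " ").split()
        if not BW_RE.search(options):
            findings.append((lineno, iface, "missing-bandwidth"))
        for queue in queues:
            for side in ("wan", "lan"):
                # Assumption: queue names follow the qWAN*/qLAN* convention
                # seen in the posted rulesets.
                if (side.upper() in queue and side in macros
                        and iface not in macros[side]):
                    findings.append((lineno, iface, f"not-{side}-interface"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULES), ("edited", EDITED_RULES)):
        print(name, lint_altq(text))
```

A clean result only means the file is self-consistent; whether the interface driver accepts ALTQ is decided when `pfctl -f` loads the rules, as the `ng0: driver does not support altq` message later in the thread shows.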







Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo



also post results of 'pfctl -sq'





# pfctl -sq
queue root_sis1 bandwidth 10Mb priority 0 {qWANRoot}
queue  qWANRoot bandwidth 768Kb priority 6 {qWANdef, qWANacks, qVOIPUp}
queue   qWANdef bandwidth 7.68Kb priority 3 hfsc( default realtime(76.80Kb 1 
76.80Kb) linkshare(0 b 1000 76.80Kb) upperlimit(768Kb 100 691.20Kb) )
queue   qWANacks bandwidth 7.68Kb priority 6 hfsc( realtime(76.80Kb 1 
76.80Kb) linkshare(0 b 1000 76.80Kb) upperlimit(614.40Kb 1 614.40Kb) )
queue   qVOIPUp bandwidth 7.68Kb priority 7 hfsc( red ecn realtime(256Kb 1 
256Kb) linkshare(0 b 1000 76.80Kb) upperlimit(256Kb 1 256Kb) )

queue root_sis0 bandwidth 100Mb priority 0 {qLANRoot}
queue  qLANRoot bandwidth 1.50Mb priority 6 {qLANdef, qLANacks, qVOIPDown}
queue   qLANdef bandwidth 15Kb priority 3 hfsc( default realtime(150Kb 1 
150Kb) linkshare(0 b 1000 150Kb) upperlimit(1.50Mb 100 1.35Mb) )
queue   qLANacks bandwidth 15Kb priority 6 hfsc( realtime(150Kb 1 150Kb) 
linkshare(0 b 1000 150Kb) upperlimit(1.20Mb 1 1.20Mb) )
queue   qVOIPDown bandwidth 15Kb priority 7 hfsc( red ecn realtime(256Kb 1 
256Kb) linkshare(0 b 1000 150Kb) upperlimit(256Kb 1 256Kb) )

#
---

- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:46 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k





also post results of 'pfctl -sq'






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo



hmmm, this should have read:

altq on ng0 hfsc bandwidth 10Mb queue { qWANRoot }




Should I change it and give it a whirl?

Todd




Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 04:01 PM 10/26/2005, you wrote:


hmmm, this should have read:

altq on ng0 hfsc bandwidth 10Mb queue { qWANRoot }

Should I change it and give it a whirl?


yes, please.





Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

I ran:
'pfctl -f /tmp/rules.debug'

with the shaper back on and got no errors at all.

Todd
- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 2:46 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k





did you turn shaper back off?  please turn it on and add the following two 
lines before the queue directives (by editing /tmp/rules.debug)


altq on fxp1 hfsc bandwidth 10Mb queue {  qWANRoot }
altq on vlan0 hfsc bandwidth 10Mb queue {  qLANRoot }

NOTE: change fxp1 to your wan interface and change vlan0 to your lan 
interface.  then do 'pfctl -f /tmp/rules.debug' and report results...






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

Looks like this now:


scrub on ng0 all max-mss 1452
#altq on sis1 hfsc bandwidth 10Mb queue {  qWANRoot }
altq on ng0 hfsc bandwidth 10Mb queue { qWANRoot }
altq on sis0 hfsc bandwidth 100Mb queue {  qLANRoot }
---
No joy.

Todd
- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 3:03 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 04:01 PM 10/26/2005, you wrote:


hmmm, this should have read:

altq on ng0 hfsc bandwidth 10Mb queue { qWANRoot }

Should I change it and give it a whirl?


yes, please.





Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 04:12 PM 10/26/2005, you wrote:

queue root_sis1 bandwidth 10Mb priority 0 {qWANRoot}


are you sure you reloaded the rules after changing sis1 to ng0?







Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

Reloaded?

How?

- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 3:27 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 04:12 PM 10/26/2005, you wrote:

queue root_sis1 bandwidth 10Mb priority 0 {qWANRoot}


are you sure you reloaded the rules after changing sis1 to ng0?







Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Scott Ullrich
pfctl -f /tmp/rules.debug

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 Reloaded?

 How?

 - Original Message -
 From: Dan Swartzendruber [EMAIL PROTECTED]
 To: support@pfsense.com
 Sent: Wednesday, October 26, 2005 3:27 PM
 Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
 less than 100k


  At 04:12 PM 10/26/2005, you wrote:
 queue root_sis1 bandwidth 10Mb priority 0 {qWANRoot}
 
  are you sure you reloaded the rules after changing sis1 to ng0?
 
 
 
 



Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

OK, I did it and my link is still hosed.

Do you want me to run any of those commands again or anything else now that 
I have reloaded the rules?


Todd
- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 3:38 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 04:36 PM 10/26/2005, you wrote:

Reloaded?

How?


after editing /tmp/rules.debug, you need to do 'pfctl -f /tmp/rules.debug' 
or your changes have no effect.








Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 04:51 PM 10/26/2005, you wrote:

OK, I did it and my link is still hosed.

Do you want me to run any of those commands again or anything else 
now that I have reloaded the rules?


yes, please send 'pfctl -sq' now that you reloaded 'em.






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

Hmmm...

Since I turned shaper back off.. I had to turn it back on, I noticed that my 
changes to /tmp/rules.debug had gone away so I put the ng0 back on the line 
where it belongs.


After doing so, I ran:

# pfctl -f /tmp/rules.debug
pfctl: ng0: driver does not support altq

and you see what I am getting.

So...

What now?

Todd
- Original Message - 
From: Dan Swartzendruber [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 3:53 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




At 04:51 PM 10/26/2005, you wrote:

OK, I did it and my link is still hosed.

Do you want me to run any of those commands again or anything else now 
that I have reloaded the rules?


yes, please send 'pfctl -sq' now that you reloaded 'em.






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Scott Ullrich
Grab the latest version which does support ALTQ on NG0.

http://www.pfsense.com/~sullrich/

Repeat tests and report back what Dan is looking for.

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 Hmmm...

 Since I turned shaper back off.. I had to turn it back on, I noticed that my
 changes to /tmp/rules.debug had gone away so I put the ng0 back on the line
 where it belongs.

 After doing so, I ran:

 # pfctl -f /tmp/rules.debug
 pfctl: ng0: driver does not support altq

 and you see what I am getting.

 So...

 What now?

 Todd
 - Original Message -
 From: Dan Swartzendruber [EMAIL PROTECTED]
 To: support@pfsense.com
 Sent: Wednesday, October 26, 2005 3:53 PM
 Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
 less than 100k


  At 04:51 PM 10/26/2005, you wrote:
 OK, I did it and my link is still hosed.
 
 Do you want me to run any of those commands again or anything else now
 that I have reloaded the rules?
 
  yes, please send 'pfctl -sq' now that you reloaded 'em.
 
 
 



Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Dan Swartzendruber

At 05:07 PM 10/26/2005, you wrote:

Hmmm...

Since I turned shaper back off.. I had to turn it back on, I noticed 
that my changes to /tmp/rules.debug had gone away so I put the ng0 
back on the line where it belongs.


After doing so, I ran:

# pfctl -f /tmp/rules.debug
pfctl: ng0: driver does not support altq


well, that's a bummer.  i think you're out of luck, then :(  let me 
look at the ng driver and see what is involved in getting this to 
work.  i don't have access to the source code right now, i'll look tonight...






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

OK, I got the latest version from the URL below..

I changed the line from sis1 to ng0 in /tmp/rules.debug

I ran:

# pfctl -f /tmp/rules.debug
pfctl: ng0: driver does not support altq

As you can see I still get the same error.

Todd
- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 4:11 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k



Grab the latest version which does support ALTQ on NG0.

http://www.pfsense.com/~sullrich/

Repeat tests and report back what Dan is looking for.

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:

Hmmm...

Since I turned shaper back off.. I had to turn it back on, I noticed that 
my
changes to /tmp/rules.debug had gone away so I put the ng0 back on the 
line

where it belongs.

After doing so, I ran:

# pfctl -f /tmp/rules.debug
pfctl: ng0: driver does not support altq

and you see what I am getting.

So...

What now?

Todd
- Original Message -
From: Dan Swartzendruber [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, October 26, 2005 3:53 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed 
to

less than 100k


 At 04:51 PM 10/26/2005, you wrote:
OK, I did it and my link is still hosed.

Do you want me to run any of those commands again or anything else now
that I have reloaded the rules?

 yes, please send 'pfctl -sq' now that you reloaded 'em.






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

At the beginning of the wizard when it asks for:

The download speed of your WAN link in Kbits/second.

and

The upload speed of your WAN link in Kbits/second.

It wants the speed of the DSL connection right? Not the speed of the actual 
NIC (10mb or 100mb etc.)?


How about in the InterfacesWAN and InterfacesLAN? I assume that here it 
wants the actual speed of the NIC, right?


Todd

- Original Message - 
From: Mojo Jojo [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 4:31 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k




OK, I got the latest version from the URL below..

I changed the line from sis1 to ng0 in /tmp/rules.debug

I ran:

# pfctl -f /tmp/rules.debug
pfctl: ng0: driver does not support altq

As you can see I still get the same error.

Todd
- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 4:11 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed 
to less than 100k



Grab the latest version which does support ALTQ on NG0.

http://www.pfsense.com/~sullrich/

Repeat tests and report back what Dan is looking for.

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:

Hmmm...

Since I turned shaper back off.. I had to turn it back on, I noticed that 
my
changes to /tmp/rules.debug had gone away so I put the ng0 back on the 
line

where it belongs.

After doing so, I ran:

# pfctl -f /tmp/rules.debug
pfctl: ng0: driver does not support altq

and you see what I am getting.

So...

What now?

Todd
- Original Message -
From: Dan Swartzendruber [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, October 26, 2005 3:53 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed 
to

less than 100k


 At 04:51 PM 10/26/2005, you wrote:
OK, I did it and my link is still hosed.

Do you want me to run any of those commands again or anything else now
that I have reloaded the rules?

 yes, please send 'pfctl -sq' now that you reloaded 'em.






Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Bill Marquette
On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 altq on sis1 hfsc  queue {  qWANRoot }
 altq on sis0 hfsc  queue {  qLANRoot }

Ahahhaha, oops.  Looks like I need to put a better check in the wizard
:)  I forgot that ng0 isn't what shows up in the XML config, doh.  At
this time ALTQ isn't supported for PPPOE, I believe we just backported
the FreeBSD fix for this that's in HEAD.  But that totally explains
your issue (I think) :)

--Bill
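
Added example, not part of the original thread and not pfSense's own wizard code: a small check for the mismatch described above, where the generated ruleset attaches ALTQ to the physical NIC (sis1) while a PPPoE WAN actually runs on ng0. The function names are hypothetical, and the sample ruleset is constructed from the three lines quoted in this thread.

```shell
#!/bin/sh
# Constructed sample: the altq and queue lines quoted in the thread.
SAMPLE_RULES='altq on sis1 hfsc  queue {  qWANRoot }
altq on sis0 hfsc  queue {  qLANRoot }
queue root_sis1 bandwidth 10Mb priority 0 {qWANRoot}'

# Print every interface named in an "altq on <if>" line, sorted, one per line.
altq_interfaces() {
    printf '%s\n' "$1" | awk '$1 == "altq" && $2 == "on" { print $3 }' | sort -u
}

# stray_altq_interfaces RULES IF...
# Print ALTQ interfaces that are not among the interfaces that really carry
# traffic (for a PPPoE WAN that is ng0, not the NIC underneath it).
stray_altq_interfaces() {
    rules=$1
    shift
    for ifc in $(altq_interfaces "$rules"); do
        found=no
        for want in "$@"; do
            if [ "$ifc" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$ifc"; fi
    done
}

# check_altq RULES WAN_IF LAN_IF
# Return 0 when every altq line sits on WAN_IF or LAN_IF, 1 otherwise.
check_altq() {
    stray=$(stray_altq_interfaces "$1" "$2" "$3")
    if [ -n "$stray" ]; then
        echo "MISMATCH: altq on $stray, but WAN is $2 and LAN is $3"
        return 1
    fi
    echo "OK: altq only on $2 and $3"
}

# Assumed layout from the thread: WAN is PPPoE on ng0, LAN is sis0.
check_altq "$SAMPLE_RULES" ng0 sis0 || true
```
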




Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Mojo Jojo

Doh!

No better way to do this than removing the CF card and rewriting the whole 
thing?


Just curious..

Thanks


- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 26, 2005 4:52 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to 
less than 100k



If you are on an embedded image you need to reflash.  The mini update
does not contain freebsd changes!



On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:

OK, I got the latest version from the URL below..

I changed the line from sis1 to ng0 in /tmp/rules.debug

I ran:

# pfctl -f /tmp/rules.debug
pfctl: ng0: driver does not support altq

As you can see I still get the same error.

Todd
- Original Message -
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, October 26, 2005 4:11 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed 
to

less than 100k


Grab the latest version which does support ALTQ on NG0.

http://www.pfsense.com/~sullrich/

Repeat tests and report back what Dan is looking for.

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 Hmmm...

 Since I turned shaper back off.. I had to turn it back on, I noticed 
 that

 my
 changes to /tmp/rules.debug had gone away so I put the ng0 back on the
 line
 where it belongs.

 After doing so, I ran:

 # pfctl -f /tmp/rules.debug
 pfctl: ng0: driver does not support altq

 and you see what I am getting.

 So...

 What now?

 Todd
 - Original Message -
 From: Dan Swartzendruber [EMAIL PROTECTED]
 To: support@pfsense.com
 Sent: Wednesday, October 26, 2005 3:53 PM
 Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link 
 speed

 to
 less than 100k


  At 04:51 PM 10/26/2005, you wrote:
 OK, I did it and my link is still hosed.
 
 Do you want me to run any of those commands again or anything else now
 that I have reloaded the rules?
 
  yes, please send 'pfctl -sq' now that you reloaded 'em.
 
 
 



Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k

2005-10-26 Thread Scott Ullrich
Nope.

On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 Doh!

 No better way to do this than removing the CF card and rewriting the whole
 thing?

 Just curious..

 Thanks


 - Original Message -
 From: Scott Ullrich [EMAIL PROTECTED]
 To: support@pfsense.com
 Sent: Wednesday, October 26, 2005 4:52 PM
 Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to
 less than 100k


 If you are on an embedded image you need to reflash.  The mini update
 does not contain freebsd changes!



 On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
  OK, I got the latest version from the URL below..
 
  I changed the line from sis1 to ng0 in /tmp/rules.debug
 
  I ran:
 
  # pfctl -f /tmp/rules.debug
  pfctl: ng0: driver does not support altq
 
  As you can see I still get the same error.
 
  Todd
  - Original Message -
  From: Scott Ullrich [EMAIL PROTECTED]
  To: support@pfsense.com
  Sent: Wednesday, October 26, 2005 4:11 PM
  Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed
  to
  less than 100k
 
 
  Grab the latest version which does support ALTQ on NG0.
 
  http://www.pfsense.com/~sullrich/
 
  Repeat tests and report back what Dan is looking for.
 
  On 10/26/05, Mojo Jojo [EMAIL PROTECTED] wrote:
   Hmmm...
  
   Since I turned shaper back off.. I had to turn it back on, I noticed
   that
   my
   changes to /tmp/rules.debug had gone away so I put the ng0 back on the
   line
   where it belongs.
  
   After doing so, I ran:
  
   # pfctl -f /tmp/rules.debug
   pfctl: ng0: driver does not support altq
  
   and you see what I am getting.
  
   So...
  
   What now?
  
   Todd
   - Original Message -
   From: Dan Swartzendruber [EMAIL PROTECTED]
   To: support@pfsense.com
   Sent: Wednesday, October 26, 2005 3:53 PM
   Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link
   speed
   to
   less than 100k
  
  
At 04:51 PM 10/26/2005, you wrote:
   OK, I did it and my link is still hosed.
   
   Do you want me to run any of those commands again or anything else now
   that I have reloaded the rules?
   
yes, please send 'pfctl -sq' now that you reloaded 'em.
   
   
   