Here is the file after turning shaping back on and before making the changes you requested.

Working on the changes now.

Todd

-----------------
# System Aliases
# Macros naming the interface(s) behind each role. Only $lan is expanded by
# a rule in this listing; the system rules below name sis0 and ng0 directly,
# and no rule names sis2 or ng1-ng14.
lan = "{ sis0  }"
wan = "{ ng0  }"
# pptp and pppoe expand to the same ng1-ng14 list.
pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
pppoe = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
DMZ = "{ sis2 }"
# User Aliases

# Runtime options.
# NOTE(review): loginterface is set three times. pf of this vintage appears to
# keep per-interface statistics for a single interface, so presumably only the
# last line (sis2) takes effect - confirm with `pfctl -s info`.
set loginterface sis1
set loginterface sis0
set loginterface sis2
set optimization normal

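# Normalise everything on ng0 and clamp the TCP MSS to 1452
# (NOTE(review): presumably sized for the PPPoE overhead on ng0 - confirm).
scrub on ng0 all max-mss 1452
# ALTQ parents, one per shaped interface.
# NOTE(review): the WAN-side queues are attached to sis1, while the filter
# rules in this file match on ng0; presumably sis1 is the physical port that
# carries ng0 - confirm, because a queue only shapes packets leaving the
# interface it is attached to.
altq on sis1 hfsc bandwidth 10Mb queue {  qWANRoot }
altq on sis0 hfsc bandwidth 100Mb queue {  qLANRoot }


# Queue definitions, one statement per line (pf.conf statements end at the
# newline, so the eight definitions cannot share a line).
# Upstream tree: root capped at 768Kb, with default, ACK and VoIP children.
queue qWANRoot bandwidth 768Kb priority 6 hfsc { qWANdef, qWANacks, qVOIPUp }
queue qWANdef bandwidth 1% priority 3 hfsc ( default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
# Downstream tree: root capped at 1500Kb, same three children.
queue qLANRoot bandwidth 1500Kb priority 6 hfsc { qLANdef, qLANacks, qVOIPDown }
queue qLANdef bandwidth 1% priority 3 hfsc ( default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANacks bandwidth 1% priority 6 hfsc ( upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qWANacks bandwidth 1% priority 6 hfsc ( upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
# VoIP queues: highest priority (7), 256Kb guaranteed and 256Kb ceiling.
queue qVOIPUp bandwidth 1% priority 7 hfsc ( ecn upperlimit(256Kb 1 256Kb) linkshare(0% 1000 10%) realtime(256Kb 1 256Kb) )
queue qVOIPDown bandwidth 1% priority 7 hfsc ( ecn upperlimit(256Kb 1 256Kb) linkshare(0% 1000 10%) realtime(256Kb 1 256Kb) )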

# Translation anchors: NAT rules attached under these names are evaluated
# here; none are defined in this listing.
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT for the LAN: source is rewritten to ng0's current address.
# The first rule pins the translated source port to 500 for traffic to
# destination port 500 (NOTE(review): presumably IKE, which expects 500 on
# both ends - confirm). Neither rule restricts the protocol.
nat on ng0 from 192.168.1.0/24 to any port 500  -> (ng0) port 500
nat on ng0 from 192.168.1.0/24 to any  -> (ng0)
#SSH Lockout Table
# `persist` keeps the table in the kernel even while it is empty, so an
# external process can add offending addresses at run time.
table <sshlockout> persist


# spam table
# No rule in this listing references <spamd>.
table <spamd> persist


# Load balancing anchor - slbd updates
rdr-anchor "slb"
# FTP proxy
rdr-anchor "pftpx/*"
# Every TCP connection arriving on sis0 for port 21, whatever its
# destination address, is redirected to a listener on 127.0.0.1:8021.
rdr on sis0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021


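# VoIP classification: packets whose IP TOS is lowdelay are tagged so that
# later rules can steer them into the VoIP queues. One rule per line
# (pf.conf statements end at the newline).
#
# These passes are not `quick`, so they do not decide the packet's fate; the
# tag still sticks to the packet, and the verdict comes from whichever later
# rule matches last or matches with `quick`.
#
# NOTE(review): the TOS byte is chosen by the sender, so any host that marks
# its packets lowdelay receives the VoIP tag, including hosts on the WAN side
# (third rule). Narrowing the match to the known VoIP endpoints or ports
# keeps other traffic out of the priority-7 queues.
pass in on sis0 from 192.168.1.0/24 to any tos lowdelay keep state tag qVOIPDown
pass out on  ng0 from any to any tos lowdelay  keep state tag qVOIPUp
pass in on ng0 from any to 192.168.1.0/24 tos lowdelay keep state tag qVOIPUp
pass out on sis0 from any to 192.168.1.0/24 tos lowdelay keep state tag qVOIPDown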

# Filter anchors: rules attached under these names are evaluated at this
# point in the ruleset; none of them are defined in this listing.
anchor "firewallrules"

# loopback
anchor "loopback"
# Loopback traffic is allowed in both directions; `quick` stops evaluation.
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"

# package manager early specific hook
anchor "packageearly"


# carp
anchor "carp"

# enable ftp-proxy
anchor "ftpproxy"
anchor "pftpx/*"
# Inbound FTP data connections on the WAN: TCP SYNs (flags S/SA) from source
# port 20 to ng0's own address on ports above 49000. `user proxy` limits the
# match to sockets owned by the local user "proxy", which is what keeps this
# from opening the high-port range to other listeners; the source port alone
# is sender-chosen and proves nothing.
# NOTE(review): the label says PASV, but a source port of 20 matches
# active-mode data connections - confirm which was intended.
pass in quick on ng0 inet proto tcp from port 20 to (ng0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

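# allow access to DHCP server on LAN
anchor "dhcpserverlan"
# One rule per line (pf.conf statements end at the newline).
# Client requests (UDP 68 -> 67) arriving on sis0, sent either to the
# broadcast address or directly to the firewall at 192.168.1.1.
pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on sis0 proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server on LAN"
# Server replies (UDP 67 -> 68) leaving sis0 from the firewall's LAN address.
pass out quick on sis0 proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"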

# WAN spoof check
anchor "wanspoof"
# Drop and log anything arriving on the WAN interface that claims a LAN
# source address. `quick` makes this final, so no later pass rule can
# re-admit such a packet on ng0.
block in log quick on ng0 from 192.168.1.0/24 to any label "WAN spoof check"

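# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
anchor "wandhcp"
# One rule per line (pf.conf statements end at the newline). Order matters:
# the block must precede the broad pass below it.
# Outbound client requests (UDP 68 -> 67) on the WAN.
pass out quick on ng0 proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
# DHCP replies arriving on the WAN but addressed to the LAN network are
# dropped and logged.
# NOTE(review): this block rule carries the same "allow ..." label as the
# pass rules, so its log entries and label counters read as an allow.
block in log quick on ng0 proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "allow dhcp client out wan"
# Any other server reply (UDP 67 -> 68) on the WAN is accepted from any
# source to any destination; this is the rule the XXX note above refers to.
pass in quick on ng0 proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"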

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
# antispoof expands to block rules for packets that claim a sis0-network
# source but arrive on another interface. Without `quick` those blocks are
# not final: any later rule that matches, including a `pass ... quick`,
# overrides them.
# NOTE(review): check that every later pass for 192.168.1.0/24 sources names
# its interface, or use `antispoof quick for sis0`.
antispoof for sis0


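# block anything from private networks on WAN interface
anchor "spoofing"
# One rule per line (pf.conf statements end at the newline). Each rule drops
# and logs WAN-side packets whose source is in a private or loopback range;
# `quick` makes the drop final.
block in log quick on ng0 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on ng0 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on ng0 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on ng0 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# Support for limiting TCP connections by establishment rate
anchor "limitingesr"
# No rule in this listing references <virusprot>; presumably rules in the
# "limitingesr" anchor fill and use it - confirm.
table <virusprot>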

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
# The table is loaded from /etc/bogons when the ruleset is loaded.
# NOTE(review): the rule is only as current as that file, and nothing in
# this listing shows how it is refreshed; a stale list drops traffic from
# address space that has since been allocated.
table <bogons> persist file "/etc/bogons"
block in log quick on ng0 from <bogons> to any label "block bogon networks from wan"

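# let out anything from the firewall host itself and decrypted IPsec traffic
# pass out quick on ng0 all keep state label "let out anything from firewall host itself"
# pass traffic from firewall -> out
anchor "firewallout"
# One rule per line (pf.conf statements end at the newline).
#
# For each interface there are eight tagged rules followed by an untagged
# catch-all. All nine pass the packet; the tagged ones differ only in the
# queue they assign. The net effect is that every outbound packet on ng0 and
# sis0 is allowed, so filtering happens on the inbound side only.
pass out quick on ng0 all keep state tagged qWANRoot queue qWANRoot label "let out anything from firewall host itself"
pass out quick on ng0 all keep state tagged qWANdef queue qWANdef label "let out anything from firewall host itself"
pass out quick on ng0 all keep state tagged qLANRoot queue qLANRoot label "let out anything from firewall host itself"
pass out quick on ng0 all keep state tagged qLANdef queue qLANdef label "let out anything from firewall host itself"
pass out quick on ng0 all keep state tagged qLANacks queue qLANacks label "let out anything from firewall host itself"
pass out quick on ng0 all keep state tagged qWANacks queue qWANacks label "let out anything from firewall host itself"
pass out quick on ng0 all keep state tagged qVOIPUp queue qVOIPUp label "let out anything from firewall host itself"
pass out quick on ng0 all keep state tagged qVOIPDown queue qVOIPDown label "let out anything from firewall host itself"
pass out quick on ng0 all keep state label "let out anything from firewall host itself"
pass out quick on sis0 all keep state tagged qWANRoot queue qWANRoot label "let out anything from firewall host itself"
pass out quick on sis0 all keep state tagged qWANdef queue qWANdef label "let out anything from firewall host itself"
pass out quick on sis0 all keep state tagged qLANRoot queue qLANRoot label "let out anything from firewall host itself"
pass out quick on sis0 all keep state tagged qLANdef queue qLANdef label "let out anything from firewall host itself"
pass out quick on sis0 all keep state tagged qLANacks queue qLANacks label "let out anything from firewall host itself"
pass out quick on sis0 all keep state tagged qWANacks queue qWANacks label "let out anything from firewall host itself"
pass out quick on sis0 all keep state tagged qVOIPUp queue qVOIPUp label "let out anything from firewall host itself"
pass out quick on sis0 all keep state tagged qVOIPDown queue qVOIPDown label "let out anything from firewall host itself"
pass out quick on sis0 all keep state label "let out anything from firewall host itself"
# NOTE(review): the next two rules can never match. The untagged
# `pass out quick on ng0 all` above already ends evaluation for every
# outbound ng0 packet. Their labels suggest they were meant for the pptp and
# pppoe interfaces rather than ng0 - confirm.
pass out quick on ng0 all keep state label "let out anything from firewall host itself pptp"
pass out quick on ng0 all keep state label "let out anything from firewall host itself pppoe"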

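# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
# Bound to the LAN interface (sis0). Without an `on` clause this quick pass
# matched on every interface, and because the `antispoof for sis0` rules
# earlier in the file are not `quick`, a packet claiming a 192.168.1.0/24
# source on the DMZ or a PPTP/PPPoE interface would have been admitted here.
# The rule covers every protocol and port on 192.168.1.1, not only the
# webGUI and SSH.
pass in quick on sis0 from 192.168.1.0/24 to 192.168.1.1 keep state label "anti-lockout web rule"

# SSH lockout
# `quick` makes the block final. As a plain block it was only a provisional
# verdict, which any later matching pass rule (for example a user rule that
# allows SSH) would override, letting locked-out addresses back in.
# LAN hosts talking to 192.168.1.1 are still admitted by the anti-lockout
# rule above, which is evaluated first.
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"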


# User-defined rules follow
# Anchors for rules that might be matched by queues
# Each anchor is entered only for packets already carrying the tag of the
# same name; no rules inside these anchors appear in this listing.
anchor qWANRoot tagged qWANRoot
anchor qWANdef tagged qWANdef
anchor qLANRoot tagged qLANRoot
anchor qLANdef tagged qLANdef
anchor qLANacks tagged qLANacks
anchor qWANacks tagged qWANacks
anchor qVOIPUp tagged qVOIPUp
anchor qVOIPDown tagged qVOIPDown
# The only user rule: LAN hosts may open connections to any destination on
# any protocol. With two queue names, pf puts low-delay packets and
# payload-free TCP ACKs in the second queue (qLANacks) and the rest in the
# first (qLANdef).
pass in quick on $lan from 192.168.1.0/24 to any keep state queue (qLANdef, qLANacks) label "USER_RULE: Default LAN -> any"

# VPN Rules

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
# Default deny, logged, in both directions. Because these rules are `quick`
# and match everything, a packet reaching this point is dropped even if an
# earlier non-quick pass rule matched it; only `pass ... quick` rules (and
# existing state) above actually admit traffic.
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."


----- Original Message -----
From: "Dan Swartzendruber" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, October 26, 2005 2:52 PM
Subject: Re: [pfSense Support] Traffic Shaping, killing my DSL link speed to less than 100k


At 03:50 PM 10/26/2005, you wrote:
Yes I turned it back off, I have to leave it off or my speed is miserable :)

I understand your pain, but no test results with shaping off will be meaningful.




