SolarfluX
June 13th, 2003, 17:45
Anyone using pf on FreeBSD 5.x?

I just converted mine to my main firewall for testing vs. OpenBSD 3.3 and I'm having some issues with bad states...

Can't make a VPN connection and HTTP/HTTPS browsing times out, as does FTP.

SSH works, and so does Jabber over SSL (port 5223)... Odd.

I've emailed Pyun, Max and Daniel about it and they're helping me out.

Just wondering if anyone else is having the same issue. Once I get this straightened out, I'll be testing ALTQ (ACK prioritization)...

elmore
June 25th, 2003, 15:49
Hey, are you modulating states by chance? I noticed modulating states doesn't work so well with VPN traffic.

[code]
pass out on $ext_if inet proto tcp from any to any flags S/SA modulate state
[/code]

Are you aggressively expiring states? I also noticed that with large VPNs, aggressively expiring states always works better.

[code]
set optimization aggressive
[/code]
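As an added illustration of the two knobs elmore mentions, here is a pf.conf fragment that is not from either poster: it keeps `modulate state` for ordinary outbound TCP, falls back to plain `keep state` for traffic to the VPN gateway, and turns on the aggressive timeouts. The interface name, the gateway address and the assumption of an IPsec VPN (ESP plus IKE on UDP 500) are placeholders chosen for the example; a PPTP setup would instead cover TCP 1723 and GRE.

```pf
# Added example pf.conf fragment; interface and VPN gateway are assumptions.
ext_if = "fxp0"
vpn_gw = "192.0.2.10"    # constructed placeholder for the remote VPN endpoint

# Expire idle states sooner (elmore's observation: large VPN setups fare better
# with the aggressive timeouts than with the defaults).
set optimization aggressive

# Ordinary outbound TCP: modulate state rewrites the initial sequence numbers,
# which protects hosts behind the firewall that have weak ISN generators.
pass out on $ext_if inet proto tcp from any to any flags S/SA modulate state

# Traffic to the VPN gateway: track state without touching sequence numbers.
# pf evaluates rules last-match-wins, so these more specific rules, placed after
# the general one, take precedence for the gateway.
pass out on $ext_if inet proto tcp from any to $vpn_gw flags S/SA keep state
pass out on $ext_if inet proto udp from any to $vpn_gw port 500 keep state
pass out on $ext_if inet proto esp from any to $vpn_gw keep state
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, `pfctl -s state` shows whether the VPN entries are created with the expected addresses, and `pfctl -s info` reports the per-ruleset counters (including bad state matches) so the effect of the change can be watched rather than guessed at.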

SolarfluX
July 2nd, 2003, 03:17
Well, I installed FreeBSD 5.1 on a different box with two fxp NICs, then installed PF 1.56. Bad state issues no longer occurring; VPN and HTTPS sites now working as expected. However, I can't test ALTQ, due to it not being supported on FreeBSD 5.1 (yet). That will have to wait for now.

I saw Gryp is having issues with bad states and one of his NICs is an rl... I have an rl (external if) in the box that had the bad states... Coincidence? Hrmmm.

bruno
July 7th, 2003, 11:33
Anyone played with 1.58? I don't know how unstable it's supposed to be. I'm playing with the 1.0 port using altq on a 5.0 box. I'm really upset altq isn't in 5.1 so I can play with it, plus altq on a "busier" NAT box I have :-)

Anyway, anyone experienced in altq management using PF? I still have some doubts whether to use cbq or priq. I don't really have a bandwidth cap (the university has, though) as I'm connected using 100 megabit. I mainly just want to prioritize www, ssh (some known protocols) and give some bad time to p2p. I know how hard this can be, but I'm looking for pointers from experienced users :)
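As an added example for the priq-versus-cbq question (not a configuration from anyone in this thread), the fragment below uses priq, which only orders packets by priority and needs no bandwidth shares: that fits a link where the cap belongs to someone else. It also shows the two-queue form that SolarfluX refers to as ACK prioritization. The interface name, the 100Mb figure and the port lists are assumptions; in particular the p2p port range is a constructed placeholder for whatever traffic is actually to be demoted.

```pf
# Added example; interface, bandwidth and port numbers are assumptions.
ext_if = "fxp0"

# priq: strict priority scheduling. A higher-priority queue is always served
# before a lower one; cbq would instead carve the link into bandwidth shares.
altq on $ext_if priq bandwidth 100Mb queue { q_high, q_ack, q_def, q_low }
queue q_high priority 7                  # ssh and www
queue q_ack  priority 6                  # empty ACKs / TOS lowdelay
queue q_def  priority 3 priq(default)    # everything not matched below
queue q_low  priority 1                  # p2p

# Queue assignment is decided on the rule that creates the state. When two
# queues are named, TCP ACKs with no payload and TOS-lowdelay packets go to
# the second queue, so downloads keep flowing while the link is busy.
pass out on $ext_if inet proto tcp from any to any port { 22, 80, 443 } \
    flags S/SA keep state queue (q_high, q_ack)
pass out on $ext_if inet proto tcp from any to any \
    flags S/SA keep state queue (q_def, q_ack)
# Constructed placeholder port range for p2p; last in the file so that pf's
# last-match-wins evaluation lets it override the general rule above.
pass out on $ext_if inet proto tcp from any to any port 6881:6889 \
    flags S/SA keep state queue q_low
```

Only outbound packets can be scheduled on `$ext_if`, so this shapes what the box sends; inbound p2p traffic can only be slowed indirectly, by delaying the ACKs that leave through `q_low`. `pfctl -s queue -v` shows per-queue packet counts, which is the quickest way to confirm that ssh and www sessions really land in `q_high`.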