Hi,

Since I started using an OpenBSD server as a gateway, instead of a Linksys WRT54GL running OpenWRT, I find my network performance is worse than before.
I have high latency, many disconnections, and websites are often unreachable.

I don't know if it's due to hardware or to configuration errors in my pf.conf; everything seems OK when I check CPU/memory/network on the gateway.

Here is my pf.conf; maybe there are some mistakes in it which could explain this?


#       $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext="rl0"
int="xl0"

Valistar="{172.16.85.0/27}"
Larry="172.16.85.27"

Ssh_Larry="22"
Ssh_Cyrrhus="443"
block in inet
Tcp_ports="{21,53,80,443,6667,6697,8080}"
Udp_ports="{53}"

set block-policy drop
set loginterface none
set optimization high-latency
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set state-policy if-bound
set skip on lo
scrub in all

nat on $ext inet from xl0:network to any -> $ext
rdr on $ext proto tcp from any to any port $Ssh_Larry -> $Larry

antispoof quick for {lo $int} inet

block in log quick inet6
block out log quick inet6
pass in log on $int from $Valistar to any flags S/SA keep state
pass out log on $int from any to $Valistar flags S/SA keep state

pass in quick on $int proto tcp from $Valistar to ($int) port $Ssh_Cyrrhus flags S/SA keep state
pass in on $ext proto tcp from any to any port $Tcp_ports flags S/SA keep state
pass in log on $ext proto tcp from any to any port $Ssh_Larry flags S/SA keep state
pass in log on $ext proto tcp from any to any port $Ssh_Cyrrhus flags S/SA keep state
pass in on $ext proto udp from any to any port $Udp_ports keep state
pass in log on $ext inet proto icmp all icmp-type {echorep,timex,unreach} keep state
pass in log on $int inet proto icmp all icmp-type {echoreq,echorep,timex,unreach} keep state
pass out log on $ext proto tcp all flags S/SA modulate state
pass out on $ext proto {udp,icmp} all keep state


Thanks for your help.



Yanic
