that's interesting. I have no tun/pppoe setup to test myself - mind sharing pf.conf/pfctl -gvsq/other relevant setup?
I'm not the OP, but I'm an extra datapoint:
pfctl -gvsq:
queue q_pri priority 7
  [ pkts:      42600  bytes:    2043621  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ qid=8 ifname=tun0 ifbandwidth=1.35Mb ]
queue q_def priq( default )
  [ pkts:      17382  bytes:    6848389  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ qid=2 ifname=tun0 ifbandwidth=1.35Mb ]
Setup: i386, OpenBSD 3.3-stable, GENERIC kernel - serving as gateway + firewall for internal wired & wireless networks. Connection to the Internet is ADSL (1.5Mbps down, 384Kbps up). I'm using pppoe to connect to my ISP; external_if is rl0 (I know, I know...), and I'm filtering/queueing on tun0.
pf.conf:
# Macros: define common values, so they can be referenced and changed
# easily.
ext_if="tun0"                   # ADSL on rl0 uses pppoe to connect to the Internet
int_if="dc0"                    # private wired network
wlan_if="wi0"                   # private wireless network
unfilt_if="{ lo0," $int_if "}"  # don't filter traffic on these
                                # interfaces

# Tables: define large lists of host or network addresses for efficiency
table <private> persist const { 10/8, 172.16/12, 192.168/16 }  # RFC 1918
table <doubleclick> persist const { 216.73.80.0/20 }           # nasty hobbitses

# Options: control the behavior of the pf engine
set loginterface $ext_if        # Collect statistics on external net usage
set block-policy return         # Don't hide the fact that we exist
set require-order yes           # Be anal about parsing pf rulesets

# Normalization: reassemble fragments and resolve or reduce traffic
# ambiguities.
scrub in all no-df fragment reassemble
scrub out all no-df random-id fragment reassemble

# Queueing: rule-based bandwidth control.
altq on $ext_if priq bandwidth 1350Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address
# $internal_net will get translated as coming from the address of
# $ext_if, a state is created for such packets, and incoming packets
# will be redirected to the internal address.
nat on $ext_if inet from { $int_if:network, $wlan_if:network } \
    to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234
# will be redirected to 10.1.1.1:5678. A state is created for such
# packets, and outgoing packets will be translated as coming from the
# external address.
rdr on $int_if inet proto tcp from $int_if:network to any \
    port 21 -> 127.0.0.1 port 8021
rdr on $wlan_if inet proto tcp from $wlan_if:network to any \
    port 21 -> 127.0.0.1 port 8021

# =============================================
# UNFILTERED INTERFACES
# =============================================
pass in quick on $unfilt_if all
pass out quick on $unfilt_if all

# =============================================
# BIG, BAD, HOSTILE INTERNET
# =============================================

# BLOCK

# block and log all Internet traffic by default
block log on $ext_if all

# block outgoing packets that do not have our address as source
block out quick on $ext_if inet from !($ext_if) to any

# block incoming/outgoing packets with address from private address
# space
block in quick on $ext_if inet from <private> to any
block out quick on $ext_if inet from ($ext_if) to <private>

# silently drop broadcasts (cable modem noise, dhcp requests, etc.)
block in quick on $ext_if from any to 255.255.255.255
block out quick on $ext_if from ($ext_if) to 255.255.255.255

# block doubleclick fuckers
block in quick on $ext_if inet from <doubleclick> to any
block out quick on $ext_if inet from ($ext_if) to <doubleclick>

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# UDP

# pass out all UDP connections and keep state
pass out on $ext_if inet proto udp from ($ext_if) to any keep state

# TCP (using ALTQ to prioritize empty TCP acks)

# only allow certain incoming TCP traffic (ssh, by default), but allow
# all outgoing TCP traffic; modulate state on all TCP connections
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port { ssh } flags S/SA modulate state queue (q_def, q_pri)
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA modulate state queue (q_def, q_pri)

# allow incoming traffic for ftp-proxy(8)
pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy \
    flags S/SA modulate state queue (q_def, q_pri)

# =============================================
# PRIVATE WIRELESS NETWORK
# =============================================

# BLOCK

# block and log all wireless traffic by default
block log on $wlan_if all

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass on $wlan_if inet proto icmp all icmp-type 8 code 0 keep state

# UDP

# only allow dhcp udp traffic from the wireless network
pass in on $wlan_if inet proto udp from $wlan_if:network to $wlan_if \
    port { bootps } keep state
pass out on $wlan_if inet proto udp from $wlan_if to $wlan_if:network \
    port { bootpc } keep state

# TCP

# only allow the wireless network to ssh to us (for authpf)
pass in on $wlan_if inet proto tcp from $wlan_if:network to $wlan_if \
    port { ssh } flags S/SA modulate state

# ESP

# allow all ipsec traffic from the wireless network to us
pass in on $wlan_if inet proto esp from $wlan_if:network to $wlan_if \
    keep state
pass out on $wlan_if inet proto esp from $wlan_if to $wlan_if:network \
    keep state
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:a0:4b:05:42:ca
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2a0:4bff:fe05:42ca%rl0 prefixlen 64 scopeid 0x1
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:5a:7c:68:a8
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::204:5aff:fe7c:68a8%dc0 prefixlen 64 scopeid 0x2
wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:e2:36:6a:bc
        nwid notforyoureyes powersave off
        media: IEEE802.11 autoselect hostap (DS2)
        status: active
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
        inet6 fe80::204:e2ff:fe36:6abc%wi0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1454
        inet 64.105.104.82 --> 64.105.104.1 netmask 0xffffffff
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
        address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
        address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
HTH,
-Kent
--
Kent R. Spillner
"They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety."
- Benjamin Franklin
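The thread's question is whether priq queueing on the pppoe tun0 interface actually sees traffic; the pfctl -gvsq counters in Kent's post are what answer it. As an added example (not from the thread or from OpenBSD), a small Python parser for that output that flags a queue no rule ever assigns packets to, and a queue dropping more than a given share. The sample text is constructed from the counters above; the line layout it assumes is that of OpenBSD 3.x pfctl.

```python
import re
from dataclasses import dataclass
# Constructed sample in the layout pfctl -gvsq prints on OpenBSD 3.x (layout
# assumed here), filled with the counters from the post above.
SAMPLE = """\
queue q_pri priority 7
  [ pkts:      42600  bytes:    2043621  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ qid=8 ifname=tun0 ifbandwidth=1.35Mb ]
queue q_def priq( default )
  [ pkts:      17382  bytes:    6848389  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ qid=2 ifname=tun0 ifbandwidth=1.35Mb ]
"""
QUEUE_RE = re.compile(r"^queue\s+(\S+)")
STATS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)")
IF_RE = re.compile(r"ifname=(\S+)")

@dataclass
class QueueStats:
    name: str
    ifname: str = ""
    pkts: int = 0
    bytes: int = 0
    dropped_pkts: int = 0

def parse_queues(text):
    """Map queue name -> QueueStats; lines of unknown shape are skipped."""
    queues, cur = {}, None
    for line in text.splitlines():
        if m := QUEUE_RE.match(line):
            cur = QueueStats(name=m.group(1))
            queues[cur.name] = cur
        elif cur is None:
            continue                     # counters before any queue header
        elif m := STATS_RE.search(line):
            cur.pkts, cur.bytes, cur.dropped_pkts = map(int, m.groups())
        elif m := IF_RE.search(line):
            cur.ifname = m.group(1)
    return queues

def check_queues(queues, max_drop_ratio=0.01):
    """Flag queues that never saw a packet (nothing assigns to them, or altq
    sits on the wrong interface) and queues dropping too large a share."""
    findings = []
    for q in queues.values():
        seen = q.pkts + q.dropped_pkts
        if seen == 0:
            findings.append(f"{q.name} on {q.ifname}: no packets ever queued")
        elif q.dropped_pkts / seen > max_drop_ratio:
            findings.append(f"{q.name} on {q.ifname}: {q.dropped_pkts}/{seen} dropped")
    return findings
```

Feed it `pfctl -gvsq` output taken a few minutes apart; a queue whose counters stay at zero is one the `queue (...)` clauses on the pass rules never reach.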