Interesting things about this config.
* The two interfaces are on the same physical network. The Modem/Router is the gateway reached by the FreeBSD machine that runs this configuration; that machine does NAT between the LAN and the Modem/Router.
* The FreeBSD system runs a transparent squid proxy. Anything addressed to the internet on port 80 is passed through it; SSL is not. The squid proxy forwards all Application/* MIME-type content to ClamAV. There is also an ad blocker and a very large cache.
* Also, requests on port 80 addressed to the firewall are sent to a webserver on port 81. There are two thttpd webservers, one that can only be accessed internally and the other only externally. This allows an internal one for configuration and an external one that simply forwards requests to internal webservers.
* Services are queued (this is currently dumbed down at the moment while I tweak it) and shaped to limit bandwidth use. When my monthly usage quota is about to run out I can slow down my own internet connection.
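# Interfaces: rl0 faces the Modem/Router, xl0 faces the LAN.
extif="rl0"
intif="xl0"
# TCP ports open to this machine itself. The same list is passed in on $extif
# further down, so all three are reachable from the outside as well - confirm
# that 10000 is meant to be internet-facing.
tcp_services = "{ 22, 80, 10000 }"
# Define networks and hosts.
# extaddr is informational only; no rule in this file references it.
intnet = "10.0.0.0/8"
extaddr = "10.10.0.2"
atlantis = "10.0.0.1"
# "petra" was assigned twice in this file (10.0.0.2, then 10.0.0.3). pfctl keeps
# the last definition, so $petra has effectively been 10.0.0.3; the duplicate
# was dropped. Confirm 10.0.0.3 is the RAS host the (currently disabled) VPN
# rdr rules should target.
petra = "10.0.0.3"
mises = "10.0.0.10"
# icmp_types and allproto are defined but not referenced by any rule below.
# In particular no rule passes ICMP in on $extif, so inbound echo requests
# from the outside fall under the default block.
icmp_types = "echoreq"
allproto = "{ tcp, udp, ipv6, icmp, ipencap }"
# Loopback plus the RFC 1918 ranges. Note that the outside interface itself
# (extaddr) lives in 10.0.0.0/8, which is why the anti-spoof block rules in the
# filter section cannot be enabled as written.
privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Options and normalisation. pf.conf sections must stay in this order:
# macros, options, scrub, queueing, translation (nat/rdr), filtering.
# Keep per-interface counters for the outside interface (pfctl -s info).
set loginterface $extif
# Reassemble fragments, normalise TCP, clear DF and randomise IP ids on the
# outside so the LAN hosts' stacks are not exposed directly.
scrub on $extif reassemble tcp no-df random-id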
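# Actual ALTQ!
# Outgoing: priority queueing on the outside interface, capped at the upstream
# link speed. priq priorities run 0-15; higher numbers are served first.
# NOTE: this line was written "altq on extif$". pf reads that as a literal
# interface named "extif$", not as the $extif macro, so the queues were never
# attached to rl0. The same fix is applied to the incoming altq below.
altq on $extif priq bandwidth 6.5Mb queue { ssh_out, http_out, tcp_ack_out, low_out, medium_out, high_out }
# Outgoing rule for severe capping (swap in when the monthly quota runs low).
#altq on $extif priq bandwidth 512Kb queue { ssh_out, http_out, tcp_ack_out, low_out, medium_out, high_out }
# http_out is listed above but has no "queue" definition, and no filter rule in
# this file assigns traffic to ssh_out, http_out or tcp_ack_out. Either define
# and use them or drop them from the list; pfctl may reject a listed queue that
# is never defined.
queue low_out priq(default)
queue ssh_out priority 4 priq(red)
queue medium_out priority 5
queue high_out priority 6 priq(red)
queue tcp_ack_out priority 7
# Incoming: class-based queueing towards the LAN. cbq priorities run 0-7 with
# higher numbers served first, so the numbers below run opposite to the queue
# names (superlow_in has the highest priority). The bandwidth caps still apply,
# but confirm the priorities are intended.
altq on $intif cbq bandwidth 100Mb queue { superlow_in, low_in, medium_in, high_in }
queue high_in bandwidth 30Mb cbq(default)
queue medium_in bandwidth 8Mb priority 2
queue low_in bandwidth 2Mb priority 4
queue superlow_in bandwidth 512Kb priority 5
# Hosts per incoming queue, assigned by the local-network filter rules below.
# 10.1.0.1/24 is effectively the whole 10.1.0.0/24 subnet (host bits are masked).
superlow_hosts = "{ 10.1.0.1/24 }"
low_hosts = "{ 10.0.0.2, 10.0.0.3 }"
# medium_hosts is not referenced by any filter rule in this file; those hosts
# fall under the generic 10.0.0.0/8 rule (medium_in) anyway.
medium_hosts = "{ 10.0.0.11, 10.0.0.12, 10.0.0.13, 10.0.0.14 }"
high_hosts = "{ 10.0.0.10 }"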
# NAT RULES
# Translation rules are evaluated before the filter rules, and for nat/rdr the
# FIRST matching rule wins - so the firewall-specific redirect must stay above
# the catch-all squid redirect.
# Masquerade the LAN behind whatever address $extif currently holds.
nat on $extif from $intif:network to any -> ( $extif )
# Internal Network proxy: port 80 on the firewall itself goes to the internal
# thttpd on 81.
rdr on $intif inet proto tcp from any to $atlantis port www -> 127.0.0.1 port 81
# Squid transparent proxy: every other LAN request to port 80 lands on squid.
# Only plain HTTP is intercepted; there is no redirect for 443.
rdr on $intif inet proto tcp from any to any port www -> 127.0.0.1 port 8080
# Other NAT rules: forward 61838 tcp+udp from the outside to $mises.
rdr on $extif inet proto tcp from any to any port 61838 -> $mises port 61838
rdr on $extif inet proto udp from any to any port 61838 -> $mises port 61838
# PPTP and L2TP to Win2k3 RAS
# Currently the VPN is down.
#rdr on $extif proto tcp from any to any port 1701 -> $petra port 1701
#rdr on $extif proto tcp from any to any port 1723 -> $petra port 1723
#rdr on $extif proto udp from any to any port 1701 -> $petra port 1701
#rdr on $extif proto udp from any to any port 1723 -> $petra port 1723
#NAT ports for filter rules below to pass.
# NOTE(review): 1701 and 1723 are still listed although their rdr rules are
# disabled, so the "pass in on $extif" rules below accept those ports on the
# firewall itself rather than on $petra. Remove them here while the VPN is
# down, or re-enable the rdr rules together with them.
nat_services_tcp = "{ 61838, 1701, 1723 }"
nat_services_udp = "{ 61838, 1701, 1723 }"
# END OF NAT RULES
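# FILTER RULES
# pf evaluates filter rules top to bottom and the LAST matching rule wins,
# unless a rule carries "quick". Several rules below overlap; read them with
# that in mind.
# Default deny everything (logged), then explicitly deny inbound on the outside.
block log
block in on $extif
# Stateless catch-all for outbound traffic on the outside. The stateful
# "pass out on $extif" rules at the end are evaluated later and win for
# everything they match.
pass out on $extif
pass quick on lo0 all
# Everything on the LAN interface, in both directions, is passed immediately.
# NOTE(review): because this rule is "quick", none of the later $intif rules
# (proxy port, $tcp_services, the per-host queue assignments, the pass out to
# $intif:network) is ever reached, so no LAN traffic is queued. This matches
# the "dumbed down while I tweak it" note at the top; remove or narrow this
# rule to bring the queueing back.
pass quick on $intif
#"Block drop in quick" will kill the rdr rules above for the privnet
# (the outside interface itself sits in 10.0.0.0/8, which is in $privnets)
#block drop in on $extif from $privnets to any
#block drop in on $extif from any to $privnets
#Ports for HTTP proxy. rdr has already rewritten the destination to
#127.0.0.1:8080 by the time the filter sees the packet.
pass in on $intif inet proto tcp from any to 127.0.0.1 port 8080
pass out on $extif inet proto tcp from any to any port www keep state
#Ports allowed to access ALPHAZETA
pass in on $intif proto tcp from any to any port $tcp_services
#Pass redirected ports through the external interface
# NOTE(review): these three rules create no state and so accept any matching
# segment, not just connection openers. On a pf release where "keep state" is
# not implicit, a queue assignment on a "pass in" rule only affects the reply
# packets of a stateful rule, so "queue medium_out" has no effect here.
# Consider adding "flags S/SA keep state" to the TCP rules.
pass in on $extif proto tcp from any to any port $tcp_services queue medium_out
pass in on $extif proto tcp from any to any port $nat_services_tcp queue medium_out
pass in on $extif proto udp from any to any port $nat_services_udp queue medium_out
#Basic rules
#Local network filter rules.
# Generic LAN rule first; the per-host rules after it win for their hosts
# (last match). Replies inherit the queue on their way back out $intif.
pass in on $intif from 10.0.0.0/8 to any keep state queue medium_in
pass in on $intif from $superlow_hosts to any keep state queue superlow_in
pass in on $intif from $low_hosts to any keep state queue low_in
pass in on $intif from $high_hosts to any keep state queue high_in
#Allow fw to establish connections to internal net
pass out on $intif from any to $intif:network keep state
#Pass out TCP UDP, ICMP and ipv6 on external interfaces.
pass out on $extif proto ipv6 all
# Generic stateful catch-all for the outside. This used to be the LAST rule,
# which made it win over the TCP rule below for every outbound TCP packet -
# that is why "modulate state flags S/SA" appeared not to work. Placing it
# before the TCP rule lets the more specific rule win for new TCP connections
# (SYN set, ACK clear); everything else still gets plain keep state here.
pass out on $extif all keep state
#pass out on $extif proto { tcp, udp, icmp } all keep state
pass out on $extif proto tcp all modulate state flags S/SA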

