Traffic shaper keeps sending everything from pfSense via default queue
-
You are specifying the direction as out and the destination port as 44443. This would be traffic leaving pfSense going to that port. If you change the direction to in, it may work.
-
You are specifying the direction as out and the destination port as 44443. This would be traffic leaving pfSense going to that port. If you change the direction to in, it may work.
I've tried out, in and any. None of them works.
BTW, as out is set as default in all Floating rules created by the wizard, and as such it works for both LAN-to-WAN and WAN-to-LAN access directions, I think that the out specifier is for the transmitting queues/interfaces and in is for the receiving queues/interfaces. The out specifier is used everywhere since it means to shape traffic at the departure point. The in and any specifiers should not be used since it makes (almost) no sense to shape arriving traffic.
-
Probably you have a rule that is overriding it.
Try clicking quick and see if it works :)
-
I just had a similar problem with the April 30th version, using PRIQ. Nothing ever went into the non-default queues, and there were no obvious reasons why. We restarted the traffic shaper rules many, many times, and we ended up using the wizard out of desperation, and then tweaked the rules created by the wizard to get where we wanted. And it worked!
I don't know why, because the rules that were built were similar to what was manually entered previously.
Is the wizard doing something the manual-building of rules isn't?
-
@ermal:
Probably you have a rule that is overriding it.
Try clicking quick and see if it works :)
The quick specifier does not work.
The following is my complete rule list, unedited. The rule in question is @80.
@0 scrub in on em0 all fragment reassemble [ Evaluations: 2484865 Packets: 632 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@1 scrub in on em1 all fragment reassemble [ Evaluations: 2483601 Packets: 593191 Bytes: 35082877 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@2 scrub in on em4 all fragment reassemble [ Evaluations: 1276179 Packets: 201388 Bytes: 65621028 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@3 scrub in on em5 all fragment reassemble [ Evaluations: 895475 Packets: 151512 Bytes: 49888067 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@4 scrub in on em3 all fragment reassemble [ Evaluations: 602366 Packets: 252476 Bytes: 129612147 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@0 anchor "relayd/*" all [ Evaluations: 132844 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@1 anchor "firewallrules" all [ Evaluations: 132844 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@2 block drop in all label "Default deny rule" [ Evaluations: 132844 Packets: 5 Bytes: 3004 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@3 block drop out all label "Default deny rule" [ Evaluations: 132844 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@4 block drop in quick inet6 all [ Evaluations: 132844 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@5 block drop out quick inet6 all [ Evaluations: 67212 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@6 block drop quick proto tcp from any port = 0 to any [ Evaluations: 132844 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@7 block drop quick proto tcp from any to any port = 0 [ Evaluations: 24292 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@8 block drop quick proto udp from any port = 0 to any [ Evaluations: 132844 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@9 block drop quick proto udp from any to any port = 0 [ Evaluations: 106572 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@10 block drop quick from <snort2c:0> to any label "Block snort2c hosts" [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@11 block drop quick from any to <snort2c:0> label "Block snort2c hosts" [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@12 anchor "packageearly" all [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@13 anchor "carp" all [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@14 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout" [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@15 block drop in quick from <virusprot:0> to any label "virusprot overload table" [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@16 block drop in on ! em0 inet from 10.0.0.0/24 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@17 block drop in inet from 10.0.0.3 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@18 block drop in on ! em1 inet from 192.168.0.72/29 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@19 block drop in inet from 192.168.0.74 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@20 block drop in on em0 inet6 from fe80::20c:29ff:fe45:2054 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@21 block drop in on em1 inet6 from fe80::20c:29ff:fe45:205e to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@22 anchor "dhcpserverLAN" all [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@23 pass in on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@24 pass in on em1 inet proto udp from any port = bootpc to 192.168.0.74 port = bootps keep state label "allow access to DHCP server" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@25 pass out on em1 inet proto udp from 192.168.0.74 port = bootps to any port = bootpc keep state label "allow access to DHCP server" [ Evaluations: 59008 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@26 block drop in on ! em4 inet from 192.168.0.64/30 to any [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@27 block drop in inet from 192.168.0.66 to any [ Evaluations: 69100 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@28 block drop in on ! em5 inet from 192.168.0.68/30 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@29 block drop in inet from 192.168.0.70 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@30 block drop in on ! em3 inet from 192.168.0.80/29 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@31 block drop in inet from 192.168.0.82 to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@32 block drop in on em4 inet6 from fe80::20c:29ff:fe45:207c to any [ Evaluations: 65634 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@33 block drop in on em5 inet6 from fe80::20c:29ff:fe45:2086 to any [ Evaluations: 49817 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@34 block drop in on em3 inet6 from fe80::20c:29ff:fe45:2072 to any [ Evaluations: 33905 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@35 anchor "spoofing" all [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@36 anchor "loopback" all [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@37 pass in on lo0 all flags S/SA keep state label "pass loopback" [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@38 pass out on lo0 all flags S/SA keep state label "pass loopback" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@39 anchor "firewallout" all [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@40 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 132850 Packets: 81347 Bytes: 30100514 States: 945 ] [ Inserted: uid 0 pid 48761 ]
@41 pass out route-to (em0 10.0.0.2) inet from 10.0.0.3 to ! 10.0.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 67216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@42 pass out route-to (em1 192.168.0.75) inet from 192.168.0.74 to ! 192.168.0.72/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 67216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@43 pass out route-to (em4 192.168.0.65) inet from 192.168.0.66 to ! 192.168.0.64/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 67216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@44 pass out route-to (em5 192.168.0.69) inet from 192.168.0.70 to ! 192.168.0.68/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 67216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@45 pass out route-to (em3 192.168.0.81) inet from 192.168.0.82 to ! 192.168.0.80/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 67216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@46 pass out on enc0 all flags S/SA keep state label "IPsec internal host to host" [ Evaluations: 67216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@47 anchor "staticrouted" all [ Evaluations: 132850 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@48 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.0.0/20 no state label "pass traffic between statically routed subnets" [ Evaluations: 132850 Packets: 632 Bytes: 40448 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@49 pass in quick on em1 inet from 192.168.0.0/20 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets" [ Evaluations: 16783 Packets: 3499 Bytes: 299051 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@50 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.0.0/20 no state label "pass traffic between statically routed subnets" [ Evaluations: 67217 Packets: 5717 Bytes: 4551593 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@51 pass out quick on em1 inet from 192.168.0.0/20 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets" [ Evaluations: 48216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@52 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.18.0/24 no state label "pass traffic between statically routed subnets" [ Evaluations: 61500 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@53 pass in quick on em1 inet from 192.168.18.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets" [ Evaluations: 13284 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@54 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.18.0/24 no state label "pass traffic between statically routed subnets" [ Evaluations: 61500 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@55 pass out quick on em1 inet from 192.168.18.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets" [ Evaluations: 48216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@56 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.20.0/24 no state label "pass traffic between statically routed subnets" [ Evaluations: 61500 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@57 pass in quick on em1 inet from 192.168.20.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets" [ Evaluations: 13284 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@58 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.20.0/24 no state label "pass traffic between statically routed subnets" [ Evaluations: 61500 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@59 pass out quick on em1 inet from 192.168.20.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets" [ Evaluations: 48216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@60 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.25.0/24 no state label "pass traffic between statically routed subnets" [ Evaluations: 61500 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@61 pass in quick on em1 inet from 192.168.25.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets" [ Evaluations: 13284 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@62 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.25.0/24 no state label "pass traffic between statically routed subnets" [ Evaluations: 61500 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@63 pass out quick on em1 inet from 192.168.25.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets" [ Evaluations: 48216 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@64 anchor "anti-lockout" all [ Evaluations: 123002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@65 pass in quick on em1 from any to (em1:2) flags S/SA keep state label "anti-lockout rule" [ Evaluations: 123002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@66 pass out proto tcp from any to any port = rtsp flags S/SA keep state label "USER_RULE: m_Other RTSP1 outbound" queue(qOthersHigh, qACK) [ Evaluations: 123002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@67 pass out proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: m_Other HTTP outbound" queue(qOthersDefault, qACK) [ Evaluations: 7861 Packets: 228252 Bytes: 158344140 States: 711 ] [ Inserted: uid 0 pid 48761 ]
@68 pass out proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: m_Other HTTPS outbound" queue(qOthersDefault, qACK) [ Evaluations: 7861 Packets: 5780 Bytes: 2708153 States: 69 ] [ Inserted: uid 0 pid 48761 ]
@69 pass out proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: m_Other SMTP outbound" queue(qOthersLow, qACK) [ Evaluations: 7861 Packets: 169 Bytes: 90001 States: 1 ] [ Inserted: uid 0 pid 48761 ]
@70 pass out proto tcp from any to any port = pop3 flags S/SA keep state label "USER_RULE: m_Other POP3 outbound" queue(qOthersLow, qACK) [ Evaluations: 7861 Packets: 419 Bytes: 30742 States: 2 ] [ Inserted: uid 0 pid 48761 ]
@71 pass out proto tcp from any to any port = imap flags S/SA keep state label "USER_RULE: m_Other IMAP outbound" queue(qOthersLow, qACK) [ Evaluations: 7861 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@72 pass out proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: m_Other DNS1 outbound" queue(qOthersHigh, qACK) [ Evaluations: 7861 Packets: 11 Bytes: 1410 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@73 pass out proto udp from any to any port = domain keep state label "USER_RULE: m_Other DNS2 outbound" queue qOthersHigh [ Evaluations: 53639 Packets: 2924 Bytes: 262648 States: 78 ] [ Inserted: uid 0 pid 48761 ]
@74 pass out proto tcp from any to any port = microsoft-ds flags S/SA keep state label "USER_RULE: m_Other SMB1 outbound" queue(qOthersHigh, qACK) [ Evaluations: 61499 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@75 pass out proto tcp from any to any port 136 >< 140 flags S/SA keep state label "USER_RULE: m_Other SMB2 outbound" queue(qOthersHigh, qACK) [ Evaluations: 7861 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@76 pass out proto tcp from any to any port = nntp flags S/SA keep state label "USER_RULE: m_Other NNTP1 outbound" queue(qOthersLow, qACK) [ Evaluations: 7861 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@77 pass out proto udp from any to any port = nntp keep state label "USER_RULE: m_Other NNTP2 outbound" queue qOthersLow [ Evaluations: 53638 Packets: 2 Bytes: 436 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@78 pass out proto udp from any to any port = ntp keep state label "USER_RULE: m_Other NTP outbound" queue qOthersHigh [ Evaluations: 61141 Packets: 186326 Bytes: 15993614 States: 2134 ] [ Inserted: uid 0 pid 48761 ]
@79 pass out proto tcp from any to any port = 30443 flags S/SA keep state label "USER_RULE: m_Other FW Control outbound" queue(qOthersHigh, qACK) [ Evaluations: 61500 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@80 pass out quick proto tcp from any to any port = 31443 flags S/SA keep state label "USER_RULE: m_Other FW Control 1 outbound" queue qOthersHigh [ Evaluations: 7861 Packets: 3 Bytes: 144 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@81 pass in quick on em3 reply-to (em3 192.168.0.81) inet proto icmp from any to 192.168.0.80/29 keep state label "USER_RULE: Pass ICMP to this gateway" [ Evaluations: 123003 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@82 pass in quick on em3 reply-to (em3 192.168.0.81) inet all flags S/SA keep state label "USER_RULE: Pass all in VietTel" [ Evaluations: 16491 Packets: 42425 Bytes: 3255820 States: 777 ] [ Inserted: uid 0 pid 48761 ]
@83 pass in quick on em5 reply-to (em5 192.168.0.69) inet proto icmp from any to 192.168.0.68/30 keep state label "USER_RULE: Pass ICMP to this gateway" [ Evaluations: 100162 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@84 pass in quick on em5 reply-to (em5 192.168.0.69) inet all flags S/SA keep state label "USER_RULE: Pass in on VNPT9 all" [ Evaluations: 15912 Packets: 79824 Bytes: 6551104 States: 676 ] [ Inserted: uid 0 pid 48761 ]
@85 pass in quick on em4 reply-to (em4 192.168.0.65) inet proto icmp from any to 192.168.0.64/30 keep state label "USER_RULE: Pass ICMP to this gateway" [ Evaluations: 80787 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@86 pass in quick on em4 reply-to (em4 192.168.0.65) inet all flags S/SA keep state label "USER_RULE: Pass in on VNPT8 all" [ Evaluations: 15817 Packets: 135914 Bytes: 11719359 States: 681 ] [ Inserted: uid 0 pid 48761 ]
@87 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.64/29 flags S/SA keep state label "USER_RULE: pass all to vnpt8-vnpt9 splitters" [ Evaluations: 61504 Packets: 17800 Bytes: 3043798 States: 184 ] [ Inserted: uid 0 pid 48761 ]
@88 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.80/29 flags S/SA keep state label "USER_RULE: pass all to viettel splitter" [ Evaluations: 12097 Packets: 8896 Bytes: 1522283 States: 92 ] [ Inserted: uid 0 pid 48761 ]
@89 pass in quick on em1 reply-to (em1 192.168.0.75) inet proto tcp from any to any port = ftp flags S/SA keep state label "USER_RULE: pass FTP via default gateway" [ Evaluations: 11504 Packets: 6 Bytes: 360 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@90 pass in log quick on em1 inet proto tcp from 192.168.12.23 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 6075 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@91 pass in log quick on em1 route-to (em4 192.168.0.65) inet proto tcp from 192.168.12.23 to any port = smtp flags S/SA keep state label "USER_RULE: mx1.savoyage.vn, VNPT8 only" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@92 pass in log quick on em1 inet proto tcp from 192.168.12.3 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 6075 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@93 pass in log quick on em1 route-to (em5 192.168.0.69) inet proto tcp from 192.168.12.3 to any port = smtp flags S/SA keep state label "USER_RULE: mail.haiphong.vn, VNPT9 only" [ Evaluations: 3 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@94 pass in log quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 6075 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@95 pass in log quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: other SMTP servers out, VietTel only" [ Evaluations: 6075 Packets: 29 Bytes: 5793 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@96 pass in quick on em1 proto tcp from <netcservers:4> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 6074 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@97 pass in quick on em1 proto udp from <netcservers:4> to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 5427 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@98 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netcservers:4> to any port = domain flags S/SA keep state label "USER_RULE: critical DNS servers out, VietTel first" [ Evaluations: 1774 Packets: 11 Bytes: 1410 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@99 pass in quick on em1 route-to (em3 192.168.0.81) inet proto udp from <netcservers:4> to any port = domain keep state label "USER_RULE: critical DNS servers out, VietTel first" [ Evaluations: 1770 Packets: 2754 Bytes: 246226 States: 78 ] [ Inserted: uid 0 pid 48761 ]
@100 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 10161 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@101 pass in quick on em1 proto udp from any to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 4088 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@102 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69) } round-robin inet proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: other DNS clients out, VNPT first" [ Evaluations: 10161 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@103 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69) } round-robin inet proto udp from any to any port = domain keep state label "USER_RULE: other DNS clients out, VNPT first" [ Evaluations: 4088 Packets: 170 Bytes: 16422 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@104 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69) } round-robin inet proto tcp from any to <vn01:56> port = http flags S/SA keep state label "USER_RULE: HTTP domestic1 out VNPTfirst" [ Evaluations: 10076 Packets: 59198 Bytes: 42953241 States: 209 ] [ Inserted: uid 0 pid 48761 ]
@105 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69) } round-robin inet proto tcp from any to <vn02:76> port = http flags S/SA keep state label "USER_RULE: HTTP domestic2 out VNPTfirst" [ Evaluations: 3924 Packets: 79942 Bytes: 61938272 States: 117 ] [ Inserted: uid 0 pid 48761 ]
@106 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 4437 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@107 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: HTTP abroad out VietTel first" [ Evaluations: 4437 Packets: 89090 Bytes: 53450608 States: 387 ] [ Inserted: uid 0 pid 48761 ]
@108 pass in quick on em1 inet proto tcp from 192.168.0.0/21 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 2029 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@109 pass in quick on em1 route-to (em4 192.168.0.65) inet proto tcp from 192.168.0.0/21 to any port = mmcc flags S/SA keep state label "USER_RULE: YIM 1st half, VNPT8 first" [ Evaluations: 1971 Packets: 251 Bytes: 60550 States: 4 ] [ Inserted: uid 0 pid 48761 ]
@110 pass in quick on em1 inet proto tcp from 192.168.8.0/21 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 2022 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@111 pass in quick on em1 route-to (em5 192.168.0.69) inet proto tcp from 192.168.8.0/21 to any port = mmcc flags S/SA keep state label "USER_RULE: YIM 2nd half, VNPT9 first" [ Evaluations: 58 Packets: 145 Bytes: 32518 States: 3 ] [ Inserted: uid 0 pid 48761 ]
@112 pass in quick on em1 from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 6022 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@113 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em3 192.168.0.81) } round-robin inet all flags S/SA keep state label "USER_RULE: pass others out via any WAN" [ Evaluations: 6022 Packets: 60672 Bytes: 28197392 States: 736 ] [ Inserted: uid 0 pid 48761 ]
@114 pass out on em0 route-to (em0 10.0.0.2) inet proto udp from any to 222.253.89.124 port = isakmp keep state label "IPsec: Test - outbound isakmp" [ Evaluations: 61504 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@115 pass in on em0 reply-to (em0 10.0.0.2) inet proto udp from 222.253.89.124 to any port = isakmp keep state label "IPsec: Test - inbound isakmp" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@116 pass out on em0 route-to (em0 10.0.0.2) inet proto udp from any to 222.253.89.124 port = sae-urn keep state label "IPsec: Test - outbound nat-t" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@117 pass in on em0 reply-to (em0 10.0.0.2) inet proto udp from 222.253.89.124 to any port = sae-urn keep state label "IPsec: Test - inbound nat-t" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@118 anchor "packagelate" all [ Evaluations: 61504 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@119 anchor "tftp-proxy/*" all [ Evaluations: 61504 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@120 anchor "limitingesr" all [ Evaluations: 61504 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@121 anchor "miniupnpd" all [ Evaluations: 61504 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
It appears that rule @80 is overridden by rule @50. But @50 is system-generated so I don't know how to change/affect it.
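To make this kind of override visible from a rule dump, here is an added example (not pfSense's own tooling) that parses a few of the `pfctl -vvsr` lines quoted in this post and lists the earlier `quick` rules whose match criteria overlap a given rule; in pf the last matching rule wins unless an earlier `quick` rule matches first. The five rule lines embedded below are copied from the list above; the parser, its regexes and the helper names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: five lines in `pfctl -vvsr` format, copied from
# the rule list quoted in this thread (not a complete ruleset).
SAMPLE_RULES = """\
@48 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.0.0/20 no state label "pass traffic between statically routed subnets" [ Evaluations: 132850 Packets: 632 Bytes: 40448 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@50 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.0.0/20 no state label "pass traffic between statically routed subnets" [ Evaluations: 67217 Packets: 5717 Bytes: 4551593 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@65 pass in quick on em1 from any to (em1:2) flags S/SA keep state label "anti-lockout rule" [ Evaluations: 123002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@79 pass out proto tcp from any to any port = 30443 flags S/SA keep state label "USER_RULE: m_Other FW Control outbound" queue(qOthersHigh, qACK) [ Evaluations: 61500 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48761 ]
@80 pass out quick proto tcp from any to any port = 31443 flags S/SA keep state label "USER_RULE: m_Other FW Control 1 outbound" queue qOthersHigh [ Evaluations: 7861 Packets: 3 Bytes: 144 States: 0 ] [ Inserted: uid 0 pid 48761 ]
"""

RULE_RE = re.compile(
    r'^@(?P<num>\d+) (?P<action>scrub|anchor|block drop|block|pass) (?P<body>.*?) ?'
    r'\[ Evaluations: (?P<evals>\d+) Packets: (?P<pkts>\d+) Bytes: \d+ States: \d+ \]')
IFACE_RE = re.compile(r'\bon (!\s*)?(\w+)')
PROTO_RE = re.compile(r'\bproto (\w+)')
DPORT_RE = re.compile(r'\bto \S+ port = (\S+)')
QUEUE_RE = re.compile(r'\bqueue(?:\((\w+), ?(\w+)\)| (\w+))')


@dataclass
class Rule:
    num: int
    action: str
    direction: Optional[str]    # 'in', 'out' or None (rule applies to both)
    quick: bool
    iface: Optional[str]        # None: any interface
    negated_iface: bool         # True for "on ! em1"
    proto: Optional[str]
    dport: Optional[str]        # destination port, only the "port = X" form
    queues: Tuple[str, ...]     # () when the rule assigns no queue
    evaluations: int
    packets: int


def parse_rule(line: str) -> Optional[Rule]:
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    # Match criteria end at `label`; the label text and the queue spec follow it.
    criteria = body.split(' label ')[0]
    tokens = criteria.split()
    iface, proto, dport = (IFACE_RE.search(criteria), PROTO_RE.search(criteria),
                           DPORT_RE.search(criteria))
    q = QUEUE_RE.search(body)
    return Rule(
        num=int(m.group('num')), action=m.group('action'),
        direction=tokens[0] if tokens and tokens[0] in ('in', 'out') else None,
        quick='quick' in tokens,
        iface=iface.group(2) if iface else None,
        negated_iface=bool(iface and iface.group(1)),
        proto=proto.group(1) if proto else None,
        dport=dport.group(1) if dport else None,
        queues=tuple(g for g in q.groups() if g) if q else (),
        evaluations=int(m.group('evals')), packets=int(m.group('pkts')))


def parse_ruleset(text: str) -> List[Rule]:
    rules = [r for r in (parse_rule(l) for l in text.splitlines()) if r]
    # scrub rules are printed first with their own numbering; the shaper
    # decisions depend on the filter rules, so keep only those
    return [r for r in rules if r.action != 'scrub']


def _overlaps(a: Optional[str], b: Optional[str]) -> bool:
    # a criterion left unspecified on either side can overlap anything
    return a is None or b is None or a == b


def shadowing_rules(rules: List[Rule], target_num: int) -> List[int]:
    """Earlier `quick` rules whose criteria overlap the target's, i.e. rules that
    can end the ruleset search before the target is reached. Addresses are not
    compared, so this is a list of candidates to inspect, not a proof."""
    target = next((r for r in rules if r.num == target_num), None)
    if target is None:
        raise ValueError(f'no rule @{target_num}')
    found = []
    for r in rules:
        if r.num >= target_num:
            break
        if r.action == 'anchor' or not r.quick:
            continue
        # "on ! em1" overlaps every interface except em1; treat it as unspecified
        iface = None if r.negated_iface else r.iface
        if (_overlaps(r.direction, target.direction) and _overlaps(iface, target.iface)
                and _overlaps(r.proto, target.proto) and _overlaps(r.dport, target.dport)):
            found.append(r.num)
    return found


if __name__ == '__main__':
    rules = parse_ruleset(SAMPLE_RULES)
    for r in rules:
        print(f'@{r.num} {r.direction} quick={r.quick} queues={r.queues} '
              f'evals={r.evaluations} pkts={r.packets}')
    print('rules that can shadow @80:', shadowing_rules(rules, 80))
```

Run against a full `pfctl -vvsr` capture, the same call reports every earlier quick rule that can stop a floating shaping rule from being evaluated; the low Packets counter on the shadowed rule is the corroborating symptom.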
-
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/fad4fae8da60daf10f439e186a0b40ceb8d41bd4
Upgrade; it should fix your issue.
-
@ermal:
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/fad4fae8da60daf10f439e186a0b40ceb8d41bd4
Upgrade; it should fix your issue.
I applied the fix. Now all "pass traffic between statically routed subnets" rules are moved to the end of the rule list, thus they cannot override other rules anymore. However, the rule in question still does not take effect. All control traffic responses from pfSense are still sent via the default queue (qP2P), as are ping responses from pfSense.
What is strange is that pftop shows that no pass out rules match the traffic; only the system-generated anti-lockout rule, which is a pass in rule, matches if the traffic is a ping from a local PC to pfSense.
-
Ok, this is going nowhere.
Please explain where this traffic originates from.
If it is not originating from pfSense, then your rule needs to be with direction in.
You can try without any direction at all if you want to be calm and want this to work no matter if you have had coffee or not.
It is normal for traffic originating from another source to match a rule with in direction, and since this is 2010 and stateful firewalls are common, a state will be created, which will optimize the outgoing packet to allow pass out without any ruleset search, just the state search.
-
@ermal:
Ok, this is going nowhere.
Please explain where this traffic originates from.
It originates from a remote PC in the LAN or Internet.
@ermal:
If it is not originating from pfSense, then your rule needs to be with direction in.
You can try without any direction at all if you want to be calm and want this to work no matter if you have had coffee or not.
It is normal for traffic originating from another source to match a rule with in direction, and since this is 2010 and stateful firewalls are common, a state will be created, which will optimize the outgoing packet to allow pass out without any ruleset search, just the state search.
OK, it sounds reasonable to me now. I had completely misunderstood the Floating tab.
It would, however, mean that a pass out, rather than pass in/out, Floating rule will shape only half of the traffic if it is passing through pfSense. For example, for Web surfing: LAN -> pfSense -> WAN, a pair of (stateful) rules is created:
(1) in for the LAN -> pfSense connection
(2) out for the pfSense -> WAN connection
If the Floating (shaping) rule is out only, then data downloaded from pfSense to LAN are not queued, right?
I then wonder why the wizard-created Floating rules are all out instead of any.
-
It's plain simple; I, who wrote the new shaper, know even the internals of pf(4) :).
You shape on outgoing, so this happens:
1- packet comes in on LAN
2- matches a rule without any queue setup, creates respective state
3- it goes outside WAN interface
4- it matches a rule with a queue
5- marks the packet to go to that queue and records this in the state just created
6- packet goes finally out of WAN
7- response packet comes in on WAN
8- matches the previous state created and finds a queue has to be attached
9- marks the packet with the queue
10- packet goes outside LAN interface
11- it matches the state created previously; since there is no queue it does not take any action
NOTE: this means that the decision taken on WAN for queue still prevails
12- it goes to the queue marked since it came in on WAN (if it can find it of course)
13- finally goes out of LAN
That is the reason that the queues by the wizard are created with the same name on LAN and WAN; it is not just a cosmetic coincidence :).
Hope that clears it out for you.
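The thirteen steps above as a small runnable model, added here for illustration and not pf(4) or pfSense code: states are kept per interface, the WAN-side rule records its queue in the state, the reply is marked from that state, and the mark is resolved by queue name on the egress interface. Interface names, queue names, addresses and the two rule tables are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    queues: Tuple[str, ...]       # queue names the shaper created on this interface
    default: str                  # the interface's default queue


@dataclass
class Rule:
    iface: str
    direction: str                # 'in' or 'out'
    queue: Optional[str] = None   # queue assigned by the rule, if any


@dataclass
class Packet:
    src: str
    dst: str
    mark: Optional[str] = None    # queue the packet was marked for (steps 5 and 9)

    def flow(self) -> Tuple[str, str]:
        # a state matches both directions of a flow, so key it on the unordered pair
        a, b = sorted((self.src, self.dst))
        return a, b


class PfModel:
    """Toy model of the walk-through in the post above (constructed, not pf code)."""

    def __init__(self, interfaces: List[Interface], rules: List[Rule]):
        self.ifaces = {i.name: i for i in interfaces}
        self.rules = rules
        # per-interface states: the LAN state is created at step 2, the WAN
        # state (carrying the queue) at steps 4-5; value is the recorded queue
        self.states: Dict[Tuple[str, Tuple[str, str]], Optional[str]] = {}
        self.trace: List[str] = []

    def _rule_for(self, iface: str, direction: str) -> Optional[Rule]:
        return next((r for r in self.rules
                     if r.iface == iface and r.direction == direction), None)

    def handle(self, pkt: Packet, iface: str, direction: str) -> Optional[str]:
        """Pass one packet through one interface; return the queue used on 'out'."""
        key = (iface, pkt.flow())
        if key not in self.states:
            # no state yet: ruleset search, then create the state (steps 2, 4-5)
            rule = self._rule_for(iface, direction)
            queue = rule.queue if rule else None
            self.states[key] = queue
            if queue:
                pkt.mark = queue
            self.trace.append(f'{iface} {direction}: rule hit, state created, queue={queue}')
        else:
            # state hit: no ruleset search (steps 8-9 and 11)
            queue = self.states[key]
            if queue:
                pkt.mark = queue          # step 9: mark taken from the state
                self.trace.append(f'{iface} {direction}: state hit, marked {queue}')
            else:
                self.trace.append(f'{iface} {direction}: state hit, no queue, no action')
        if direction != 'out':
            return None
        # steps 6 and 12-13: the mark is resolved by *name* on the egress interface;
        # if no queue of that name exists there, the interface default is used
        egress = self.ifaces[iface]
        used = pkt.mark if pkt.mark in egress.queues else egress.default
        self.trace.append(f'{iface} out: sent via {used}')
        return used


def web_roundtrip(model: PfModel) -> Tuple[str, str]:
    """LAN client -> pfSense -> WAN request plus its reply; returns the queues
    used when leaving WAN and when leaving LAN."""
    req = Packet('192.0.2.10', '198.51.100.80')       # constructed addresses
    model.handle(req, 'lan', 'in')                     # steps 1-2
    wan_q = model.handle(req, 'wan', 'out')            # steps 3-6
    reply = Packet('198.51.100.80', '192.0.2.10')
    model.handle(reply, 'wan', 'in')                   # steps 7-9
    lan_q = model.handle(reply, 'lan', 'out')          # steps 10-13
    return wan_q, lan_q


# Wizard-style setup: the same queue names on LAN and WAN, queue assigned only
# by the outgoing (WAN) rule.
WIZARD_IFACES = [Interface('lan', ('qOthersHigh', 'qDefault'), 'qDefault'),
                 Interface('wan', ('qOthersHigh', 'qDefault'), 'qDefault')]
SHAPER_RULES = [Rule('lan', 'in'), Rule('wan', 'out', queue='qOthersHigh')]
# Same rules, but LAN was configured with a different set of queue names.
MISMATCHED_IFACES = [Interface('lan', ('qDefault',), 'qDefault'),
                     Interface('wan', ('qOthersHigh', 'qDefault'), 'qDefault')]

if __name__ == '__main__':
    for ifaces in (WIZARD_IFACES, MISMATCHED_IFACES):
        m = PfModel(ifaces, SHAPER_RULES)
        print(web_roundtrip(m))
        print('\n'.join(m.trace), end='\n\n')
```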
-
:)
That in/out and floating tab and the default direction under LAN, OPT1 also took some time for me to understand in the past, mostly by trial and error. Maybe a page explaining the directions etc. and how rules are matched, based on examples, would stop this question from arising again in the future, as there are some things that still confuse me and might confuse others also. For example: a rule under the LAN tab saying source as LAN client and destination as * should be upload but is considered download.
-
@ermal: thank you for your patch. It works. Now we can shape pfSense's control traffic completely if we remove the system rule guaranteeing complete control (the anti-lockout rule).
@ermal:
It's plain simple; I, who wrote the new shaper, know even the internals of pf(4) :).
You shape on outgoing, so this happens:
1- packet comes in on LAN
2- matches a rule without any queue setup, creates respective state
3- it goes outside WAN interface
4- it matches a rule with a queue
5- marks the packet to go to that queue and records this in the state just created
6- packet goes finally out of WAN
7- response packet comes in on WAN
8- matches the previous state created and finds a queue has to be attached
9- marks the packet with the queue
10- packet goes outside LAN interface
11- it matches the state created previously; since there is no queue it does not take any action
NOTE: this means that the decision taken on WAN for queue still prevails
12- it goes to the queue marked since it came in on WAN (if it can find it of course)
13- finally goes out of LAN
That is the reason that the queues by the wizard are created with the same name on LAN and WAN; it is not just a cosmetic coincidence :).
Hope that clears it out for you.
Definitively. Things are much clearer to me now. Thank you very much.
I have one more question: what if the rule at step 2 also has queue(s)?
- Will the LAN-to-WAN packet be queued twice? If only once, in what queue?
- Similarly for the response (WAN-to-LAN) packet.
Sorry if these questions seem dumb. But as the queue view was removed from pftop three years ago, no tools exist to evaluate pfSense quantitatively.
@xbipin: I agree. Actually, I've followed the Traffic Shaping Guide (wiki page), but it does not help very much since it lacks basic information on when, where and how shaping decisions are made.
-
Sorry to hijack this thread, but how about if we open a thread discussing all the rules and traffic shaping stuff and write a doc on it for dummies, because the more options that appear in the GUI, the more questions arise, such as:
- why do floating rules have in/out selection and WAN and LAN and OPT1 don't
- is it necessary to select the interface in floating tab rules, as we can multi-select it, and what if we select and what if we don't
- where should the shaping rules for download and upload appear: floating tab, LAN or WAN
etc. etc.
It will also help us better understand the internal working of the shaper as well as pfSense itself.