Netgate Discussion Forum
    Floating rule: packets pass out, responses get blocked

    2.0-RC Snapshot Feedback and Problems - RETIRED

    • clarknova

      2.0-RC1 (amd64)
      built on Mon Feb 28 20:07:11 EST 2011

      I'm confused. I'm trying to queue DNS packets to a high priority queue on the WAN egress. With no floating rule in place, DNS queries flow out, responses flow back in. Everybody is happy (except that it's flowing on the default queue, which does get congested).

      I have several internal interfaces, so rather than create a firewall rule on each of these to up-queue DNS packets, I created a single floating rule thus:

      Action: pass
      Proto: TCP/UDP
      Iface: WAN
      Direction: Out
      DPort: DNS
      Ackqueue/Queue: None/qHigh

      After saving and applying, DNS requests stopped being answered for all internal hosts and pfsense itself.

      I disabled the queue and enabled logging. The log shows packets being passed out to port 53 on various DNS servers. I ran tcpdump on the WAN and observed DNS queries going out and responses coming back. I then ran tcpdump on an internal interface and observed requests coming in, but no response going out.

      It appears then that DNS responses are getting blocked by pfsense. As soon as I disable my floating rule DNS resumes working as expected.

      Help?

      edit: If I de-select the interface and apply changes, DNS responses again pass and the applied rule reads:

      @79 pass out log proto udp from any to any port = domain keep state label "USER_RULE: DNS outbound" queue qOthersHigh

      with WAN selected as the interface, DNS responses don't get back through pfsense, and the applied pass rule in the log reads:

      @79 pass out log on pppoe0 reply-to (pppoe0 76.10.191.6) inet proto udp from any to any port = domain keep state label "USER_RULE: DNS outbound" queue qOthersHigh

      db

      • AhnHEL

        Not a traffic shaper guru by far but I've noticed using the wizard that TCP rules use qACK/q**** for Ackqueue/Queue, while UDP used none/q****. Try making two separate rules, one for TCP and one for UDP and see if it helps. I don't know the reasoning behind why the wizard creates the rules this way but I'm sure someone will enlighten us shortly.

        Also try setting Direction to any as per this recent commit and discussion

        http://forum.pfsense.org/index.php/topic,33568.msg174021.html#msg174021

        AhnHEL (Angel)

        • eri--

          And use the new Queue action which does not impact traffic flow.

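The two generated rules from the first post and the queue-only action from the reply above, as an added example (not code from the thread or from pfSense): a small audit script that flags interface-bound `pass out ... reply-to ... queue` rules and rewrites them as pf `match` rules. It assumes that the floating-rule Queue action is emitted as a pf `match` rule, which assigns a queue without creating state or deciding pass/block; the third sample rule is constructed.

```python
"""Flag pf 'pass out' floating rules of the shape that stopped DNS replies in
the thread and rewrite them as queue-only 'match' rules.
Assumption (not stated on the page): the floating-rule Queue action is emitted
as a pf 'match' rule, which only assigns a queue and never creates state."""
import re

# Rules 1 and 2 are the rules pfSense generated in the first post (without and
# with the WAN interface); rule 3 is a constructed TCP variant with an ACK queue.
SAMPLE_RULES = [
    '@79 pass out log proto udp from any to any port = domain keep state '
    'label "USER_RULE: DNS outbound" queue qOthersHigh',
    '@79 pass out log on pppoe0 reply-to (pppoe0 76.10.191.6) inet proto udp '
    'from any to any port = domain keep state label "USER_RULE: DNS outbound" '
    'queue qOthersHigh',
    '@80 pass out on pppoe0 reply-to (pppoe0 76.10.191.6) inet proto tcp '
    'from any to any port = domain flags S/SA keep state '
    'label "constructed TCP DNS rule" queue (qOthersHigh, qACK)',
]

RULE_NUM = re.compile(r'^@\d+\s+')                  # pfctl -sr rule index
REPLY_TO = re.compile(r'\s+reply-to\s+\([^)]*\)')
STATE_OPTS = re.compile(r'\s+(?:flags\s+\S+|(?:keep|modulate|synproxy)\s+state|no\s+state)')

def is_risky_pass_out(rule: str) -> bool:
    """True for an interface-bound 'pass out' rule with reply-to and a queue:
    the shape of the rule that stopped DNS replies in the first post."""
    body = RULE_NUM.sub('', rule)
    return (body.startswith('pass out') and ' on ' in body
            and REPLY_TO.search(body) is not None and ' queue ' in body)

def to_match_rule(rule: str) -> str:
    """Rewrite a 'pass out ... queue' rule as a 'match' rule: drop reply-to and
    state options (match rules cannot carry them), keep iface/proto/ports/label/queue."""
    body = RULE_NUM.sub('', rule)
    if not body.startswith('pass out'):
        raise ValueError('only pass out rules are rewritten')
    body = 'match out' + body[len('pass out'):]
    body = STATE_OPTS.sub('', REPLY_TO.sub('', body))
    return re.sub(r'\s{2,}', ' ', body).strip()

def audit(rules):
    """Return (original, suggested match rule) pairs for every risky rule."""
    return [(r, to_match_rule(r)) for r in rules if is_risky_pass_out(r)]

if __name__ == '__main__':
    for original, suggestion in audit(SAMPLE_RULES):
        print('found:  ', original)
        print('suggest:', suggestion)
```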
          • AhnHEL

            It would be cool to have a new icon on the Floating Rules Tab that shows that the rule is set to Queue instead of the green arrow that makes it appear that the rule is set to PASS.  Block and Reject are the same icon but different color, maybe the Pass and Queue can be the same icon but different color as well.  I'll put my vote in for black enabled and grey for disabled.  ;D

            AhnHEL (Angel)
