Floating rules interface ignored?
-
I recently upgraded from pfSense 1.2.3 to 2.01. I am now in the process of rebuilding my traffic shaping policies and have run into a few problems that I just can't seem to figure out. My secondary problem is this:
I have a floating rule to queue traffic in my qVOIP queue that specifies the OPT1 and WAN as the input interface for VoIP packets, and a destination port number (IAX2 protocol) to match. When I place a test call from my VoIP system on the lan out to the wan, I see the traffic being queued in the qVOIP for both lan and wan queue, when I expect to see it just in the lan queue, since packets going out the wan originated from the lan and should not match the floating rule.
What am I missing?
Thanks,
Ethan… -
Erm.. Because communication works both ways?
A connection is 2 way traffic. You have your voice going out and also the recipient of the call transmitting their voice back to you. It follows that you should see traffic coming in on WAN as well.
-
traffic is going in both directions, but it should only match the floating rule in the direction coming in from the WAN and out the LAN, so the LAN's qVOIP queue should should only show traffic. The traffic passing out the WAN should go to the WAN's default queue.
But I am seeing the traffic in both direction passing through each interfaces qVOIP. What am I missing here?
Ethan…
-
Do you have a rule on the LAN tab that references the VOIP traffic? Or do you have a NAT rule that does?
Those rules have the capability to affect the queue that traffic is sent to.
Also, if you actually have a NAT rule for the VOIP traffic, you can use the associated firewall rule to pipe the traffic into the queue you want rather than to create a floating rule.
-
The closest thing I have to a NAT rule is a 1:1 NAT forward using an WAN alias IP address, and an associated WAN rule to allows the port and address. As I understand it, the floating rules are executed first, tagging the queue then the usual rules for the interface the packet is entering on run, stopping on a match. Is this correct?
Is it possible that the direction (source and destination) of floating rules are interpreted differently for ports defined as LAN vs WAN?
Also, do firewall states effect floating rules, possibly adding a rule for the other direction/interface through the state table?
The Definitive Guide to pfSense book is a great resource, but there have been a lot of changes (traffic shaping to be sure) that need updating in the book. Will an update to the book be available any time soon to cover the new traffic shaping in 2.0?
Ethan…