Missing something obvious, matching packets
-
Ok, I must be missing something obvious here.
I have two rules used for traffic shaping related to 'work' traffic.
match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
-- From WAN/internet to 'work' interface, place in work queue for QoS. This is working as expected.
match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5
-- From 'work' to WAN/internet interface, place in work queue for QoS. This 'mostly' fails to do what I thought it would...
I have one device attached to the work interface (vr2), a hardware VPN appliance which establishes some IPSEC tunnels to the offices. Here's the odd thing (to me). I can match the packets where the device is doing DNS lookups (UDP / 53) and where it establishes the tunnel (UDP / 4500), but subsequent tunneled packets are not matched and not QoS'd properly.
I do not want to match based on anything in the tunnel, I want to match ALL packets coming from that interface so I can give them a high priority.
Does this make any sense? What am I missing? ???
Thanks!
-
Update and more info…
I'm running: 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6...
I found that a different rule was stepping on the one above and placing it in the default queue. (I feel a little more sane now.) Here's where I'm getting tripped up: if I remove all floating rules, ensure that no other rules have a queue action, and add a default rule to prioritize ACK traffic, things start to fall apart.
Here's a test I performed trying to understand how 'quick' performs on non-final rules (Queue only, not pass, block, reject, etc.)
Test 1: Default rules before specific 'work' rules. In this test all work 'outbound' traffic is placed in the default rule.
pfctl -sr | grep queue
match quick on vr0 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
match quick on vr1 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
match quick on vr2 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5

pfctl -k 192.168.0.0/16
killed 49 states from 1 sources and 0 destinations

re-establish tunnels on appliance and watch pftop
Test 2: Default rules after specific 'work' rules. In this test all work 'outbound' traffic is placed in the default rule.
pfctl -sr | grep queue
match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5
match quick on vr0 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
match quick on vr1 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
match quick on vr2 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)

pfctl -k 192.168.0.0/16
killed 49 states from 1 sources and 0 destinations

re-establish tunnels on appliance and watch pftop
Test 3: No Default Rules. In this test all work traffic is placed in the correct q_Work_5 queue.
pfctl -sr | grep queue
match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5

pfctl -k 192.168.0.0/16
killed 49 states from 1 sources and 0 destinations

re-establish tunnels on appliance and watch pftop
I guess I'm confused at how 'queue' type rules work when there are multiple matches in the ruleset. Can someone provide any clarity?
Thanks!