Shaping HTTPS uploads
-
I'm trying to send all HTTPS uploads from a specific host on the LAN to the qOthersLow queue, but it allways ends up in the qDefault.
I used the wizard with the HFSC for WAN and LAN. I then created a floating rule:
Action: Match
Quick: Checked
Interface: (Tried LAN, WAN and both LAN/WAN)
Direction: Any
IPV4/TCP
Source: 192.168.1.25
Destination: Any
Destination Port: HTTPS
Log: Enabled
Ackqueue / Queue: qACK / qOthersLowWhen I start an upload from that host to Google Drive for example, I can see the rule being logged in the firewall logs, but if I look at the Queue Status page I see that the upload is going through qDefault instead of qOthersLow as it is supposed to.
Am I doing something wrong?
-
Should work on LAN direction in. You can't match the 192.168.1.25 address on WAN because NAT has already happened.
Another option is to place a rule on LAN that passes tcp/443 source 192.168.1.25 dest any and sets the queues there. Put it above the pass any any rule. But the floating rule should work.
Be sure to clear states between tests.
-
Thanks for the reply. I tried both your suggestions and still the traffic goes to the qDefault. I enabled logging on the rule and I can see it being triggered, but for some reason the https traffic is not going in the qOthersLow as I want it to.
Is there any built in rule for https traffic that overrides custom rules? I haven't tweaked any of the wizard generated settings. It should be pretty straight forward.
-
Probably best to post screen shots of the rule(s) and the queue setups.
-
Here are the screenshots of the floating rule and the queues created by the wizard. 192.168.1.25 in on LAN and is going out the net on WAN.
-
Can you post the floating & LAN rules list?
I try to avoid floating rules unless they are required.
Can you use a LAN interface rule instead? (Just use "PASS" instead of "MATCH".)
-
I tried to set the rule on the LAN using Pass just above the standard rule to allow LAN traffic out. HTTPS uploads still go to qDefault
-
One more screenshot showing that in the logs the floating rule is actually triggered while uploading to Google Drive (in this case), but the traffic is not sent to the correct queue
-
If you are using floating rules , use WAN for the interface.
-
Can't use WAN for the interface and match on a LAN address after NAT.
Just so we know exactly what we're looking at, is LAN's qOthersLow just cropped off of that last Status > Queues you posted? I know it's in the shaper config further up but…- Nevermind. That's a select list not freeform text where you set the queue.Something else has to be matching the traffic and not setting the queue.
You running squid by any chance?
-
sideout suggestion worked! Changing the floating rule to use WAN with direction out, source IP set to the host on the LAN and HTTPS as destination port did the trick. I thought I tried that combination before, but apparently I didn't. Now whenever I upload from 192.168.1.25 to GDrive for example I can finally see the traffic going on the qOthersLow queue on the WAN interface.
Thanks for the help everybody! :D
-
That doesn't make any sense to me.
When you match on WAN out NAT has already happened and source address is the WAN address (by default).
-
That doesn't make any sense to me.
When you match on WAN out NAT has already happened and source address is the WAN address (by default).
Strange or not, it works :o
-
I generally set the direction to both on Floating rules when choosing direction and WAN as the interface.