Netgate Discussion Forum

    Floating rules, quick option and traffic shaping

    Traffic Shaping
    • netsysadmin

      Hi all,

      I need some confirmation on the effect of the "quick" option in floating rules.

      1. If ALL the rules in the floating tab have the quick option UNCHECKED, the "LAST match wins" behaviour applies. Correct?
      2. If ALL the rules in the floating tab have the quick option CHECKED, the "FIRST match wins" behaviour applies. Correct?
      3. What if only a few rules have the quick option checked and the rest have it unchecked? Does pfSense process the rules in the floating tab in the order it appears and when it reaches a rule with the quick option selected and the traffic matches the rule, does pfSense stop processing any further?

      Now, regarding the MATCH action, the current version of the pfSense book mentions that "Match rules do not work with quick selected".
      What exactly does this mean? Will the quick option be ignored on a rule having the match action, or does this mean that the rule will not be acted upon in case of a match?
      Can someone please clarify this?

      Finally, in section 12.6.5 of the current pfSense book, it is mentioned that "it is advised that you always leave quick selected" and in the same paragraph, "the only rules they would have without quick selected are traffic shaper rules".
      Does this mean that I should in general ALWAYS select the QUICK option and for traffic shaping rules (i.e. where the MATCH action is selected and we specify queues), I should NOT select the QUICK option?

      Please clarify.

      Thank you for any help.

      • Derelict LAYER 8 Netgate

        @netsysadmin:

        > Hi all,
        >
        > I need some confirmation on the effect of the "quick" option in floating rules.
        >
        > 1. If ALL the rules in the floating tab have the quick option UNCHECKED, the "LAST match wins" behaviour applies. Correct?
        > 2. If ALL the rules in the floating tab have the quick option CHECKED, the "FIRST match wins" behaviour applies. Correct?
        > 3. What if only a few rules have the quick option checked and the rest have it unchecked? Does pfSense process the rules in the floating tab in the order it appears and when it reaches a rule with the quick option selected and the traffic matches the rule, does pfSense stop processing any further?

        All rules on interface tabs have the quick option enabled. Rule processing stops when a match is found.

        Pass/Reject/Block Rules on the floating tab have quick disabled by default. Rules without quick enabled can be thought of as default behavior that can be OVERRIDDEN by later rules, but if no other rule matches the traffic, the rule without quick selected will be enforced. Note that the rules overriding this behavior might be later in the rule processing flow, like on interface tabs.

        An example of this are the default deny any any rules that are applied to all interfaces. One might think that these rules are placed at the bottom of the rule set. They are, in fact, placed at the top without quick enabled. They are enforced if no subsequent rules match the traffic.

        https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

        > Now, regarding the MATCH action, the current version of the pfSense book mentions that "Match rules do not work with quick selected".
        > What exactly does this mean? Will the quick option be ignored on a rule having the match action, or does this mean that the rule will not be acted upon in case of a match?
        > Can someone please clarify this?

        As far as I can tell, the quick flag has no effect on Match rules. Put your least-specific Match rules at the top and your most-specific rules at the bottom.

        > Finally, in section 12.6.5 of the current pfSense book, it is mentioned that "it is advised that you always leave quick selected" and in the same paragraph, "the only rules they would have without quick selected are traffic shaper rules".
        > Does this mean that I should in general ALWAYS select the QUICK option and for traffic shaping rules (i.e. where the MATCH action is selected and we specify queues), I should NOT select the QUICK option?

        That could probably use a touch-up.

        In most cases, Pass/Reject/Block rules make more sense with quick selected so the behavior matches the interface tabs.

        "traffic shaping" rules generally means "Match" rules, so last-match wins since quick on those rules is ignored.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
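
The evaluation order described in the reply above, as an added example that is not part of the original posts and not pfSense code: a simplified model in which floating rules are evaluated before interface-tab rules, and quick is ignored on Match rules as the reply states. The rule labels, ports and queue names (qDefault, qWeb, qVoIP) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                   # "pass", "block" or "match"
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False
    queue: Optional[str] = None   # shaper queue, used only by match rules here
    label: str = ""

def evaluate(rules, dport):
    """Return (verdict, queue, deciding rule label) for a packet to dport."""
    verdict, queue, decided_by = None, None, "no rule matched"
    for r in rules:
        if r.dport is not None and r.dport != dport:
            continue
        if r.action == "match":
            queue = r.queue or queue   # later matching Match rule overrides
            continue                   # quick ignored; verdict left untouched
        verdict, decided_by = r.action, r.label
        if r.quick:
            break                      # first matching quick rule ends evaluation
    return verdict, queue, decided_by

# Constructed sample ruleset: floating tab first, then one interface tab.
FLOATING = [
    Rule("block", label="default deny (no quick)"),
    Rule("match", queue="qDefault", label="shape: everything"),
    Rule("match", dport=443, queue="qWeb", label="shape: https"),
    Rule("match", dport=5060, queue="qVoIP", quick=True, label="shape: sip"),
    Rule("block", dport=23, quick=True, label="floating: block telnet (quick)"),
]
LAN_TAB = [  # interface-tab rules always have quick enabled
    Rule("pass", dport=23, quick=True, label="LAN: pass telnet"),
    Rule("pass", dport=443, quick=True, label="LAN: pass https"),
    Rule("pass", dport=5060, quick=True, label="LAN: pass sip"),
]
RULESET = FLOATING + LAN_TAB

if __name__ == "__main__":
    for port in (443, 5060, 23, 25):
        print(port, evaluate(RULESET, port))
```

Port 23 shows a quick floating block pre-empting the LAN pass rule, and port 25 shows the non-quick default deny being enforced because nothing later matched.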

        • netsysadmin

          Thanks for the clarification Derelict.
