HFSC rule matching - a floating rule for an IP is not behaving as expected



  • Hi,

    If this has been asked before please direct me to the post.  I can't seem to find it.

    Our queues are quite simple:

    • qAck
    • qHigh
    • qDefault

    About the floating rules - they are all set to quick match; the majority were created by the wizard, with rules added/edited as required.  All the floating rules work as expected, and for this post I will use HTTP/S as the example.

    There are two rules down the list for HTTP/S traffic to be directed to the high priority queue.  The first rule is for an IP on the LAN for all traffic to be placed in the default queue.  This IP creates a significant amount of HTTP/S traffic.  The HTTP/S traffic from this IP is still hitting the high priority queue.

    Have been looking around to understand how the rule matching works but haven't found anything.  Is this normal behavior?  What would be the right way to direct all traffic from an IP to a particular queue?

    Thanks for any help!

    Regards



  • Think I just found the answer (in the most obvious place).

    The last rule applies... correct?



  • Firewall rules are first-match, except for Floating rules which are last-match, unless you have the Quick option enabled.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
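
The evaluation order described in the reply above, as an added example that is not part of the original thread and is not pfSense code. It is a simplified model of last-match versus quick evaluation only; the `Rule` class, the `evaluate` and `ruleset` helpers, and the address 192.168.1.50 are constructed for illustration, while the queue names come from the first post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    queue: str
    src: str = "0.0.0.0/0"   # source network, any by default
    dports: tuple = ()       # destination ports, empty means any
    quick: bool = False

    def matches(self, src_ip, dport):
        in_net = ip_address(src_ip) in ip_network(self.src)
        return in_net and (not self.dports or dport in self.dports)


def evaluate(rules, src_ip, dport, default="qDefault"):
    """Walk the rules top to bottom and return the queue that wins.

    Without quick, every matching rule overwrites the previous result,
    so the last match wins. A matching quick rule stops evaluation.
    """
    chosen = default
    for rule in rules:
        if not rule.matches(src_ip, dport):
            continue
        chosen = rule.queue
        if rule.quick:
            break
    return chosen


HOST = "192.168.1.50"  # constructed LAN address for the busy host


def ruleset(host_quick, web_quick):
    """Host rule listed above the HTTP/S rule, as in the first post."""
    return [
        Rule("host-to-default", "qDefault", src=HOST + "/32", quick=host_quick),
        Rule("web-to-high", "qHigh", dports=(80, 443), quick=web_quick),
    ]


if __name__ == "__main__":
    for hq, wq in [(False, False), (True, False), (True, True)]:
        q = evaluate(ruleset(hq, wq), HOST, 443)
        print(f"host quick={hq}, web quick={wq}: {HOST}:443 -> {q}")
```
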

