<![CDATA[Floating Rule Not Catching Traffic]]>Hi,
I've setup a floating firewall rule with specific IP Range Sources (using an alias).  Specifically:

  • I have an alias for IP Phones by their IP
      - in this example I have 10.10.10.50 as a phone

  • I have an alias defined with the IP Ranges for the External service
      - Destination 3 ranges of IP's for RingCentral the state table showed this IP phone connected to an IP in the alias including RingCentral

  • I have a floating firewall rule defined
      - WAN OR LAN
      - Source/Dest either: RingCentralNetworks and SIPPhones

What I'm finding is that even though I have traffic that should be meeting these conditions (Screenshot is attached). But it's not showing any traffic handled by the rule.  Am I maybe missing a setting or does anyone have a suggestion for how to figure out why this fairly broad rule that should catch this traffic isn't being used?

FloatingFirewallRule.jpg
FloatingFirewallRule.jpg_thumb

]]>https://forum.netgate.com/topic/106453/floating-rule-not-catching-trafficRSS for NodeTue, 12 May 2026 01:19:23 GMTMon, 10 Oct 2016 15:56:04 GMT60<![CDATA[Reply to Floating Rule Not Catching Traffic on Tue, 11 Oct 2016 00:04:19 GMT]]>Fantastic :)

Yep that was the issue, I had to create LAN rules for the Source Alias of addresses to the Destination alias of address ranges and it lit right up.  I'm a little confused as to why pfsense didn't automatically pick up on SIP/RTP as I had thought it would using the traffic shaper rules but this will ensure any traffic from our handsets is in the right VOIP queue and prioritized properly regardless.

Thanks for the super fast response!

]]>https://forum.netgate.com/post/654404https://forum.netgate.com/post/654404Tue, 11 Oct 2016 00:04:19 GMT<![CDATA[Reply to Floating Rule Not Catching Traffic on Mon, 10 Oct 2016 16:13:02 GMT]]>I think the problem is that you need to create the firewall rule on the LAN interface.

With NAT, your LAN source address will be translated to pfSense's WAN IP, meaning your floating rule is not going to work (specifically WAN -> OUT direction… I think). I forget the details, but that's the gist.

Also, you may need to "reset your states" (Google it) to get a new firewall rule to function on currently active connections.

]]>https://forum.netgate.com/post/654314https://forum.netgate.com/post/654314Mon, 10 Oct 2016 16:13:02 GMT