Traffic Shaping Plus Policy Routing



I have a setup with two OpenVPN clients in a gateway group.  I use policy routing via firewall rules on the LAN interface to selectively exclude some traffic from the VPN, and then have a catch-all rule at the bottom to route all traffic through the VPN that was not explicitly excluded via earlier rules.  My question concerns the overlap (or lack thereof) with these policy routing rules on the LAN interface with floating rules that use the "Match" action to assign traffic to queues for shaping.

I know that floating rules are evaluated first, that they are "last match" unless the quick option is set, and that the quick option does not apply when the rule's action is "Match".  However, is there a way to assign traffic to a queue by way of a floating rule and policy route that same traffic through my VPN with a LAN interface rule?  If I interpret the documentation literally, I believe what I would expect to happen for traffic to which both such rules apply is the following:

1.  The floating rule that matches the traffic and assigns it to a queue is processed first, but this does not halt further rule processing, which proceeds until . . .
2.  The policy routing rule for the LAN interface matches the traffic; it is the last match so it overrides the earlier floating rule match, effectively undoing the queue assignment (or more accurately preventing it in the first place).  So I end up with my policy routing working as expected, but not my traffic shaping.

Is this an accurate assessment of the expected behavior?  And if so, how would I accomplish the goal of traffic shaping plus policy routing?  Would I need to have rules that both assign the gateway and queues?

I realize that I'm likely thinking about this incorrectly/stupidly so please be gentle :)  I'm happy to provide any further information that may help clarify the situation, if necessary.  Thanks in advance for any advice.
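The post above describes two rule sets that apply to the same packet: floating "Match" rules that set a queue, and LAN pass rules that set a gateway. As an added example, not taken from the original post or from a pfSense-generated ruleset, here is what that combination looks like in raw pf.conf syntax, which is the form pfSense ultimately writes out (see /tmp/rules.debug on the box). Interface names, the LAN subnet, queue names, bandwidth figures and the tunnel gateway addresses are all assumed placeholders, and it assumes the shaper queues are defined on the two OpenVPN client interfaces.

```pf
# Added example, not from the original post. Every name, subnet, gateway
# address and bandwidth figure below is a placeholder; adjust to your install.
lan     = "em0"
lan_net = "192.168.1.0/24"
ovpnc1  = "ovpnc1"     # OpenVPN client 1 (tun interface)
ovpnc2  = "ovpnc2"     # OpenVPN client 2 (tun interface)
vpn_gw1 = "10.8.0.1"   # far-side gateway of tunnel 1 (assumed)
vpn_gw2 = "10.9.0.1"   # far-side gateway of tunnel 2 (assumed)

# Queues are defined on the outbound interfaces (the two tunnels). A queue
# name assigned by an inbound rule on LAN is applied when the packet leaves
# through an interface that has a queue of that name.
altq on $ovpnc1 hfsc bandwidth 20Mb queue { qDefault, qBulk, qInteractive }
queue qDefault     on $ovpnc1 bandwidth 50% hfsc(default)
queue qBulk        on $ovpnc1 bandwidth 30% hfsc
queue qInteractive on $ovpnc1 bandwidth 20% hfsc

altq on $ovpnc2 hfsc bandwidth 20Mb queue { qDefault, qBulk, qInteractive }
queue qDefault     on $ovpnc2 bandwidth 50% hfsc(default)
queue qBulk        on $ovpnc2 bandwidth 30% hfsc
queue qInteractive on $ovpnc2 bandwidth 20% hfsc

# ---- Floating tab equivalent: evaluated first, action "Match", never quick ----
# A match rule only sets options on the packet (here, the queue) and lets
# evaluation continue; it neither passes nor blocks.
match in on $lan proto tcp from $lan_net to any port { 80, 443 } queue qBulk
match in on $lan proto tcp from $lan_net to any port 22 queue qInteractive

# ---- LAN tab equivalent: pass rules with quick and a gateway set ----
# Exclusion: traffic to private address space uses the normal routing table.
pass in quick on $lan from $lan_net to 192.168.0.0/16 keep state

# Catch-all: everything not excluded above is policy-routed into the
# gateway group, spread round-robin over both tunnels.
pass in quick on $lan from $lan_net to any \
    route-to { ($ovpnc1 $vpn_gw1), ($ovpnc2 $vpn_gw2) } round-robin keep state
```

In pf, options set by a match rule (queue, tags, NAT) stay attached to the packet and its state; the last matching pass or block rule, or the first quick one, only decides the pass/block outcome and adds its own options such as route-to. So for a LAN client's HTTPS connection above, the match rule assigns qBulk, the quick pass rule then ends evaluation and sets the VPN gateway, and the packet leaves the tunnel interface in qBulk. To check this on a running system, compare the generated ruleset in /tmp/rules.debug against the two tabs in the GUI, then watch the per-queue counters with `pfctl -vsq` (or Status > Queues) while generating matching traffic: the packet counters for qBulk should climb while the policy-routed traffic exits via the tunnel.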