Floating rules to match outgoing traffic from VLAN?



  • Hi

    I couldn't decide between this forum and the traffic shaping one, feel free to move if appropriate.

    I'm trying to use floating rules to match OUTGOING traffic from VLANs (for traffic shaping purposes) and I think I have some fundamental misunderstanding of how this works.
    I've read most of the traffic shaping posts that show up on Google, but most are about multi-WAN.

    Setup:
    PFSense:

    • WAN IP: 24.35.65.xxx, Interface bce0

    • LAN IP: 192.168.0.1, interface bce1

    • VLAN 101 IP: 192.168.101.1, Name: Private, Interface bce1_vlan101

    VLAN 101:
    Host 192.168.101.10

    Floating rule:

    • Action: Match, not quick

    • Interface: WAN, LAN, Private

    • Direction: out

    • Source: Private net

    • Destination: *

    • Queue: qAck/qHigh

    The floating rule does not match:

    
     134  12       Out       bce0   tcp                0        0        *       inet from 192.168.101.0/24 to any  queue(qHigh, qAck)     
     135  12       Out       bce0   udp                0        0        *       inet from 192.168.101.0/24 to any  queue(qHigh, qAck)     
     136  12       Out       bce1   tcp                0        0        *       inet from 192.168.101.0/24 to any  queue(qHigh, qAck)     
     137  12       Out       bce1   udp                0        0        *       inet from 192.168.101.0/24 to any  queue(qHigh, qAck)     
     138  12       Out       bce1_v tcp                0        0        *       inet from 192.168.101.0/24 to any  queue(qHigh, qAck)     
     139  12       Out       bce1_v udp                0        0        *       inet from 192.168.101.0/24 to any  queue(qHigh, qAck)     
    
    

    This is what the state for one of the connections looks like:

    
    PR    DIR SRC                   DEST                           STATE                AGE   EXP  PKTS BYTES   AVG RU GW                  
    tcp   In  192.168.101.10:58474  172.217.3.193:443     ESTABLISHED:ESTABLISHED  00:14:07 86399 2765K 3335M 4032K  *                     
    tcp   Out 24.35.65.xxx:42605    172.217.3.193:443     ESTABLISHED:ESTABLISHED  00:14:07 86399 2765K 3335M 4032K 96 192.168.101.10:58474
    
    

    And a captured packet (not same in both instances):

    
    Captured on VLAN 101:
    11:13:34.586708 d4:ae:52:c6:bb:ff > 00:25:90:4f:b0:70, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 59, id 16197, offset 0, flags [none], proto TCP (6), length 52)
        172.217.3.193.443 > 192.168.101.10.58474: Flags [.], cksum 0x3390 (correct), seq 311217276, ack 1461490573, win 357, options [nop,nop,TS val 2699019539 ecr 240011105], length 0
    
    Captured on WAN:
    11:14:30.708445 00:f2:8b:db:13:bf > d4:ae:52:c6:bb:fe, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 60, id 22779, offset 0, flags [none], proto TCP (6), length 1470)
        172.217.3.193.443 > 24.35.65.xxx.12300: Flags [.], cksum 0x3a45 (correct), seq 3159141526:3159142944, ack 122003339, win 349, options [nop,nop,TS val 2243252179 ecr 662031441], length 1418
    
    

    I've got queues configured on WAN and LAN interfaces only (qAck, qHigh, qInternet, etc), but since the rule doesn't match, the traffic shaping part of this should be irrelevant.

    My guess is that the floating rule does not match because by the time the packet goes "out" NAT has been formed and the source is my WAN IP, not 192.168.101.10. If I could match on GW, that'd probably work, but I don't think I can?
    However, I would kind of expect that it'd match when leaving the LAN or VLAN interface?

    What am I missing? Is this even possible? It doesn't seem to be that unusual a case.

    I've also tried with rules that match specific hosts on VLAN, but that doesn't make a difference.
    I've reset states between each change. I use Hybrid NAT if that matters.

    Any help would be appreciated.
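    To make the zero hit counters in the rule table above reproducible, here is a small Python model of the order pf applies things per interface (inbound filter on the ingress interface, then outbound NAT on the WAN, then outbound filter on the egress interface). This is an added illustration, not pfSense's own code or configuration; the interface names and networks come from the post, the WAN address 24.35.65.1 stands in for the masked 24.35.65.xxx, and the flows are constructed to mirror the state entries shown.

```python
"""Toy model of pf's per-interface rule evaluation and NAT ordering.
Constructed example; not pfSense's own code or configuration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class FloatingRule:
    iface: str        # interface name as pf sees it (bce0, bce1, bce1_vlan101)
    direction: str    # "in" or "out"
    src_net: str      # CIDR the source must fall into; "any" matches everything
    queue: str        # queue label only; ALTQ scheduling itself is not modelled

    def matches(self, pkt, iface, direction):
        if iface != self.iface or direction != self.direction:
            return False
        return self.src_net == "any" or ip_address(pkt.src) in ip_network(self.src_net)


# Interface layout from the thread (WAN address is a placeholder for 24.35.65.xxx)
WAN_IF, LAN_IF, VLAN_IF = "bce0", "bce1", "bce1_vlan101"
WAN_IP = "24.35.65.1"          # placeholder
PRIVATE_NET = "192.168.101.0/24"
NAT_INTERFACES = {WAN_IF}      # outbound NAT only rewrites the source when leaving the WAN


def evaluate(rules, pkt, iface, direction):
    """Return every rule that matches; 'match' rules are not quick, so all are checked."""
    return [r for r in rules if r.matches(pkt, iface, direction)]


def forward(rules, pkt, ingress, egress):
    """Walk one packet through pf: inbound filter on the ingress interface, then
    outbound NAT (WAN only), then outbound filter on the egress interface, which
    therefore sees the translated source address."""
    hits = {"in": evaluate(rules, pkt, ingress, "in")}
    if egress in NAT_INTERFACES:
        pkt = replace(pkt, src=WAN_IP)
    hits["out"] = evaluate(rules, pkt, egress, "out")
    hits["out_src"] = pkt.src  # what the outbound rules actually compared against
    return hits


def thread_rules():
    """The post's floating rule, expanded per interface like the pf rule table shows."""
    return [FloatingRule(i, "out", PRIVATE_NET, "qHigh/qAck") for i in (WAN_IF, LAN_IF, VLAN_IF)]


def count_hits(rules, flows):
    """Total rule matches over a list of (packet, ingress, egress) flows."""
    total = 0
    for pkt, ingress, egress in flows:
        h = forward(rules, pkt, ingress, egress)
        total += len(h["in"]) + len(h["out"])
    return total


# Constructed flows mirroring the state table: VLAN host to 172.217.3.193 and the reply
CLIENT_OUT = (Packet("192.168.101.10", "172.217.3.193"), VLAN_IF, WAN_IF)
SERVER_BACK = (Packet("172.217.3.193", "192.168.101.10"), WAN_IF, VLAN_IF)

if __name__ == "__main__":
    rules = thread_rules()
    for pkt, ingress, egress in (CLIENT_OUT, SERVER_BACK):
        print(pkt.src, "->", pkt.dst, forward(rules, pkt, ingress, egress))
    # Hypothetical variant: the same source match with direction "in" on the VLAN
    # interface is evaluated before NAT, so it sees 192.168.101.10 unchanged.
    in_rule = [FloatingRule(VLAN_IF, "in", PRIVATE_NET, "qHigh/qAck")]
    print("in-direction rule hits:", count_hits(in_rule, [CLIENT_OUT]))
```

Running it shows why all six rule lines stay at 0: on bce0 the outbound rule compares against the WAN address, and on bce1 / bce1_vlan101 the only traffic going "out" is the reply, whose source is the remote host. The "in" variant at the bottom is a hypothetical to show which stage sees the untranslated VLAN source.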



  • Hi,

    I'm having the same problem… It seems hard to find multi-WAN multi-VLAN scenarios around. So anyone keen to help, please avoid writing "google it".

    I can give you a little advice on VLAN configuration. If using VLANs, don't use a default untagged VLAN like you are doing (LAN IP: 192.168.0.1, interface bce1), because VLAN101 traffic will be seen by the LAN interface, and it will be trouble when matching rules. So move your default LAN to a VLAN 1 (tagged) and reconfigure your switch to tag VLAN1 traffic on the pfSense port. Leave interface bce1 as unused.



  • @vpreatoni:

    because VLAN101 traffic will be seen by LAN interface, and will be trouble when matching rules.

    No, it absolutely won't be; LAN interface traffic is completely separated from the VLANs unless you're using a bridge between them or your VLAN-capable switch is misconfigured.

    There is zero difference between a physical network interface and a VLAN interface as far as the filter rules are concerned; they work all the same. To filter outgoing traffic on a VLAN interface you place the floating rule on the VLAN interface, set the direction to out and then check the "quick" option to apply the rule immediately on match. This is exactly the same procedure you would use on a physical interface to filter outgoing traffic with floating rules.