Floating rules to match outgoing traffic from VLAN?
I couldn't decide between this forum and the traffic shaping one, feel free to move if appropriate.
I'm trying to use floating rules to match OUTGOING traffic from VLAN's (for traffic shaping purposes) and I think I have some fundamental misunderstanding how this works.
I've read most of the traffic shaping posts that show up on google, but most are about multi-WAN.
WAN IP: 24.35.65.xxx, Interface bce0
LAN IP: 192.168.0.1, interface bce1
VLAN 101 IP: 192.168.101.1, Name: Private, Interface bce1_vlan101
Action: Match, not quick
Interface: WAN, LAN, Private
Source: Private net
The floating rule does not match:
134 12 Out bce0 tcp 0 0 * inet from 192.168.101.0/24 to any queue(qHigh, qAck) 135 12 Out bce0 udp 0 0 * inet from 192.168.101.0/24 to any queue(qHigh, qAck) 136 12 Out bce1 tcp 0 0 * inet from 192.168.101.0/24 to any queue(qHigh, qAck) 137 12 Out bce1 udp 0 0 * inet from 192.168.101.0/24 to any queue(qHigh, qAck) 138 12 Out bce1_v tcp 0 0 * inet from 192.168.101.0/24 to any queue(qHigh, qAck) 139 12 Out bce1_v udp 0 0 * inet from 192.168.101.0/24 to any queue(qHigh, qAck)
This is what the state for one of the connections look like:
PR DIR SRC DEST STATE AGE EXP PKTS BYTES AVG RU GW tcp In 192.168.101.10:58474 22.214.171.124:443 ESTABLISHED:ESTABLISHED 00:14:07 86399 2765K 3335M 4032K * tcp Out 24.35.65.xxx:42605 126.96.36.199:443 ESTABLISHED:ESTABLISHED 00:14:07 86399 2765K 3335M 4032K 96 192.168.101.10:58474
And a captured packet (not same in both instances):
Captured on VLAN 101: 11:13:34.586708 d4:ae:52:c6:bb:ff > 00:25:90:4f:b0:70, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 59, id 16197, offset 0, flags [none], proto TCP (6), length 52) 188.8.131.52.443 > 192.168.101.10.58474: Flags [.], cksum 0x3390 (correct), seq 311217276, ack 1461490573, win 357, options [nop,nop,TS val 2699019539 ecr 240011105], length 0 Captured on WAN: 11:14:30.708445 00:f2:8b:db:13:bf > d4:ae:52:c6:bb:fe, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 60, id 22779, offset 0, flags [none], proto TCP (6), length 1470) 184.108.40.206.443 > 24.35.65.xxx.12300: Flags [.], cksum 0x3a45 (correct), seq 3159141526:3159142944, ack 122003339, win 349, options [nop,nop,TS val 2243252179 ecr 662031441], length 1418
I've got queues configured on WAN and LAN interfaces only (qAck, qHigh, qInternet, etc), but since the rule doesn't match, the traffic shaping part of this should be irrelevant.
My guess is that the floating rule does not match because by the time the packet goes "out" NAT has been formed and the source is my WAN IP, not 192.168.101.10. If I could match on GW, that'd probably work, but I don't think I can?
However, I would kind of expect that it'd match when leaving the LAN or VLAN interface?
What am I missing? Is this even possible? It doesn't seem to be that unusual case.
I've also tried with rules that match specific hosts on VLAN, but that doesn't make a difference.
I've reset states between each change. I use Hybrid NAT if that matters.
Any help would be appreciated.
I'm having the same problem…. seems hard to find Multi-WAN multi-VLAN scenarios around. So anyone keen to help please avoid writing "google it".
I can give u little advise on VLAN configuration. If using VLANS, don't use a default untagged VLAN like you are doing (LAN IP: 192.168.0.1, interface bce1), because VLAN101 traffic will be seen by LAN interface, and will be trouble when matching rules. So move your default LAN to a VLAN 1 (tagged) and reconfigure your Switch to tag VLAN1 traffic on pfSense port. Leave interface bce1 as unused.
because VLAN101 traffic will be seen by LAN interface, and will be trouble when matching rules.
No it absolutely won't be, LAN interface traffic is completely separated from the VLANs unless you're using a bridging between them or your VLAN capable switch is misconfigured.
There is zero difference between a physical network interface vs. a VLAN interface as far as the filter rules are concerned, they work all the same. To filter outgoing traffic on a VLAN interface you place the floating rule on the VLAN interface, set the direction to out and them check the "quick" option to apply the rule immediately on match. This is exactly the same procedure you would use on a physical interface to filter outgoing traffic with floating rules.