[SOLVED] VLAN priority modification

Guest · Oct 28, 2017, 8:54 PM

This
https://redmine.pfsense.org/issues/7973#change-34766

I believe should allow me to change the 802.1q packets priority on a dhcp6c request. Yes I know that a weird thing to do but my FTTH vendor requires that all traffic is sent on VLAN 832 with 802.1p of 0 except the dhcp6c request which should be 802.1p of 6.
So I have set up a floating firewall rule in the GUI on WAN out using "VLAN Prio Set" which gives me the following in /tmp/rules.debug of

pass out quick on { igb0.832 } inet6 proto udp from any port 546 to any port 547 tracker 1509112004 set prio 6 keep state

But its not changing the priority

What am I missing ?

Guest · Oct 28, 2017, 9:11 PM

Ok so I solved this

As I'm using dhcp6 to get my IPv6 prefix, pfSense auto creates a rule to allow the solicit request out on the WAN in
/etc/inc/filter.inc

like this

pass out {$log['pass']} quick on ${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"

this rule appears before my GUI created rule in /tmp/rules.debug

As this pfSense created rule has the "quick" option my rule is never matched.

I have therefore resorted to the following patch in system patches which solves the problem for me.
Whilst this is not ideal I see no other way to achieve this


--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -3275,8 +3275,8 @@
 			// The DHCPv6 client rules ***MUST BE ABOVE BOGONSV6!***  https://redmine.pfsense.org/issues/3395
 			$ipfrules .= << <eod<br># allow our DHCPv6 client out to the {$oc['descr']}
 pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
 pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
+pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" set prio 6
 EOD;</eod<br>

Guest · Oct 28, 2017, 10:38 PM

Nice one!

Is this a total fix or does it need some logic?

Guest · Oct 29, 2017, 4:29 AM

You know I like logic marjohn :-)

It would be cool if perhaps this could be set by having an option in the advanced configuration parameters for the WAN interface when dhcpv6 was selected as connection method

Maybe 802.1p as the option field name ?

dotOne · Oct 29, 2017, 11:00 AM

I agree it would be a nice addition to the DHCP options.
Would suggest to follow the carrier ethernet naming for this field, vpt (vlan priority tag)

Guest · Oct 29, 2017, 12:04 PM

@avink:

I agree it would be a nice addition to the DHCP options.
Would suggest to follow the carrier ethernet naming for this field, vpt (vlan priority tag)

Good idea and I know someone who would be able to make that happen very quickly dont I @marjohn :-)

Guest · Oct 29, 2017, 4:21 PM

Not whilst I am wandering around Norfolk…. next week though if someone else has not added it.

Still need that dhcp6c client to be upstreamed.

Guest · Oct 29, 2017, 5:50 PM

Yes dhcp6c and the dhclient both seem to be getting pushed back for some reason

Guess there is a lot going on right now