[SOLVED] VLAN priority modification
-
This https://redmine.pfsense.org/issues/7973#change-34766 I believe should allow me to change the 802.1q packet's priority on a dhcp6c request. Yes, I know that's a weird thing to do, but my FTTH vendor requires that all traffic is sent on VLAN 832 with 802.1p of 0 except the dhcp6c request, which should be 802.1p of 6.
So I have set up a floating firewall rule in the GUI on WAN out using "VLAN Prio Set", which gives me the following in /tmp/rules.debug:
pass out quick on { igb0.832 } inet6 proto udp from any port 546 to any port 547 tracker 1509112004 set prio 6 keep state
But it's not changing the priority.
What am I missing?
-
OK, so I solved this.
As I'm using dhcp6 to get my IPv6 prefix, pfSense auto-creates a rule to allow the solicit request out on the WAN in /etc/inc/filter.inc like this:
pass out {$log['pass']} quick on ${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
This rule appears before my GUI-created rule in /tmp/rules.debug.
As this pfSense-created rule has the "quick" option, my rule is never matched.
I have therefore resorted to the following patch in system patches which solves the problem for me.
Whilst this is not ideal I see no other way to achieve this--- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -3275,8 +3275,8 @@ // The DHCPv6 client rules ***MUST BE ABOVE BOGONSV6!*** https://redmine.pfsense.org/issues/3395 $ipfrules .= << <eod<br># allow our DHCPv6 client out to the {$oc['descr']} pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" -pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" +pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" set prio 6 EOD;</eod<br>
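Review bot: the `set prio 6` appended to the "allow dhcpv6 client out" rule is hard-coded and unconditional, so every interface for which filter.inc emits this rule will send DHCPv6 client traffic with priority 6, whether or not the upstream needs it. Emit the option only when a per-interface setting is present and take the value from that setting, leaving the rule text unchanged otherwise. A short comment beside the rule explaining why a priority is set would also help, since these lines already carry an ordering constraint ("MUST BE ABOVE BOGONSV6").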
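The shadowing described in this post can be checked offline with a small model of pf's rule evaluation (the last matching rule wins, but the first matching `quick` rule ends evaluation). This is an added example, not code from the thread or from pfSense; the sample ruleset is constructed, with `$WAN` standing in for the interface macro and only the last rule taken from the post.

```python
import re

# Constructed sample shaped like /tmp/rules.debug; tracker ids and labels
# on the first three lines are made up. Line 4 is the GUI rule from the post.
SAMPLE_RULES = '''\
pass in quick on $WAN proto udp from any port = 547 to any port = 546 tracker 1000000001 label "allow dhcpv6 client in WAN"
pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000002 label "allow dhcpv6 client out WAN"
block in quick on $WAN from <bogonsv6> to any tracker 1000000003 label "block bogon IPv6"
pass out quick on { igb0.832 } inet6 proto udp from any port 546 to any port 547 tracker 1509112004 set prio 6 keep state
'''

HEAD = re.compile(r'^(pass|block)\s+(in|out)\b')
PORTS = re.compile(r'from\s+\S+\s+port\s+=?\s*(\d+)\s+to\s+\S+\s+port\s+=?\s*(\d+)')
PRIO = re.compile(r'\bset\s+prio\s+(\d+)')

def parse(text):
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        bare = re.sub(r'"[^"]*"', '', line)  # ignore words inside labels
        head = HEAD.match(bare)
        if not head:
            continue
        ports, prio = PORTS.search(bare), PRIO.search(bare)
        rules.append({
            'line': n, 'dir': head.group(2),
            'quick': bool(re.search(r'\bquick\b', bare)),
            'udp': bool(re.search(r'\bproto\s+udp\b', bare)),
            'ports': tuple(map(int, ports.groups())) if ports else None,
            'prio': int(prio.group(1)) if prio else None,
        })
    return rules

def matches_dhcp6_out(r):
    # Simplification: only rules naming both ports are considered; interface
    # and address family are assumed to match the WAN in question.
    return r['dir'] == 'out' and r['udp'] and r['ports'] == (546, 547)

def evaluate(rules):
    """Return (winning rule, later matching rules that are never evaluated)."""
    winner, shadowed = None, []
    for i, r in enumerate(rules):
        if matches_dhcp6_out(r):
            winner = r
            if r['quick']:  # quick: stop at the first match
                shadowed = [x for x in rules[i + 1:] if matches_dhcp6_out(x)]
                break
    return winner, shadowed

if __name__ == '__main__':
    w, s = evaluate(parse(SAMPLE_RULES))
    print('winner line', w['line'], 'prio', w['prio'], '| never reached:', [x['line'] for x in s])
```

On the sample, the system rule on line 2 wins with no priority set and the GUI rule on line 4 is never reached, which is the behaviour the post describes.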
-
Nice one!
Is this a total fix or does it need some logic?
-
You know I like logic marjohn :-)
It would be cool if perhaps this could be set by having an option in the advanced configuration parameters for the WAN interface when dhcpv6 was selected as connection method.
Maybe 802.1p as the option field name?
-
I agree it would be a nice addition to the DHCP options.
Would suggest to follow the carrier ethernet naming for this field, vpt (vlan priority tag)
-
@avink:
I agree it would be a nice addition to the DHCP options.
Would suggest to follow the carrier ethernet naming for this field, vpt (vlan priority tag)
Good idea and I know someone who would be able to make that happen very quickly, don't I @marjohn :-)
-
Not whilst I am wandering around Norfolk…. next week though if someone else has not added it.
Still need that dhcp6c client to be upstreamed.
-
Yes, dhcp6c and the dhclient both seem to be getting pushed back for some reason.
Guess there is a lot going on right now.