Incorrect state / traffic counters for floating match rules
-
I maintain two different pfsense systems at different sites. At each site, I’m using a handful of floating match rules across a few VLANs for traffic shaping. These match rules just put traffic into various limiter child queues and this is working. I’ve performed a series of tests to confirm that traffic is being routed into the child queues as I expect.
However, I always see very low numbers for the state and traffic counters in the UI. I'll see a few hundred active states and gigs of traffic in ntop, and be able to confirm that traffic is going into various limiter child-queues, the but match rules will show 0 states and only a few hundred megabytes of traffic.
I’ve done some googling to try to see if this is just a bug or something I’ve misconfigured, and haven’t come up with anything. Can somebody please point me in the right direction?
-
The rules opening the firewall states for that traffic are the pass rules on the individual interfaces. Not the floating match rules.
The traffic counters on match rules have always seemed suspect IMO.Steve
-
Thanks for the context!
Unless I hear otherwise, I'll assume the answer is "don't expect match rules to have accurate traffic counters" for the reason you specified.
-
Might only be counting the SYNs at state creation.
-
Yes it's unclear exactly what they are counting or should be counting. To me at least.
I would not rely on them for any accurate measure of traffic that is matched.Steve
