Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Match floating rules do not appear to be matching traffic

    Firewalling
    3
    11
    299
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      swinster last edited by swinster

      Hi,

      PfSense v2.4.4

      I have a couple of floating rules defined with a "match" action, however, they do not seem to be working as expected.

      e106ac81-1fcb-4648-954f-cca0d25be3c7-image.png

      This first rule does seem to work, however when active, the states and packet match statistics against it do not appear to match reality (they are much, much lower)

      The second rule I simply cannot get to match anything, even though packet captures taken on the LAN interface (which is the default G/W for the Dell_XPS) definitively show UDP packets destined for its IP address (and of course, I know that packets are going there as I am creating bi-directional media streams).

      My guess is that I'm doing something basic that is wrong, but I have been unable to figure out what. Pointers are very much welcome.

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        none of those rules show any hits -- the 0/0... What exactly are you trying to match on??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        1 Reply Last reply Reply Quote 0
        • Derelict
          Derelict LAYER 8 Netgate last edited by

          What interface(s) are those on?

          What is the content of the Dell_XPS alias?

          Chattanooga, Tennessee, USA
          The pfSense Book is free of charge!
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • S
            swinster last edited by

            Apologies, I had just activated them for the screen grab (they would be off generally). I can certainly generate traffic and you will see the first rule match a few packets, but the second rule will still match nothing. This should be a relatively straightforward rule, just matching IPv4 UDP traffic with either source or destination address of the Dell_XPS (I have also tried with a direct IP address as well).

            FWIW, I have also tried these rules directly on the LAN interface as a PASS action. In this case, the first rule works exactly as expected, however the second rule still matches nothing.

            First Rule:
            3e1f1da1-5026-43e9-b9f6-8b882d39caf2-image.png

            Second Rule:
            3ec144a3-220b-4ee5-95aa-3941be60f3d1-image.png

            1 Reply Last reply Reply Quote 0
            • Derelict
              Derelict LAYER 8 Netgate last edited by

              The second rule will only match if you have passed connections into the Dell_XPS destination. Those rules match on connection establishment and cover the reply state as well. pfSense is a stateful firewall not a packet filter so reply traffic is automatically matched by the state created for it on state establishment.

              Chattanooga, Tennessee, USA
              The pfSense Book is free of charge!
              DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • S
                swinster last edited by swinster

                @Derelict said in Match floating rules do not appear to be matching traffic:

                Those rules match on connection establishment and cover the reply state as well. pfSense is a stateful firewall not a packet filter so reply traffic is automatically matched by the state created for

                Hmm, so the intention was to create separate rules to enable separate Traffic Shaping Limiters, that could be enable and disabled to simulate packet loss for up or down traffic.

                1 Reply Last reply Reply Quote 0
                • Derelict
                  Derelict LAYER 8 Netgate last edited by Derelict

                  So make them. You match on connection establishment and set the in and out limiters.

                  https://docs.netgate.com/pfsense/en/latest/book/trafficshaper/limiters.html

                  Make a rule that sets limiters that have packet loss in one direction. And another rule that sets limiters that have packet loss in the other.

                  Chattanooga, Tennessee, USA
                  The pfSense Book is free of charge!
                  DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  S 1 Reply Last reply Reply Quote 0
                  • S
                    swinster @Derelict last edited by swinster

                    @Derelict Ah, I think I gotcha (and trust me I have read that documentation page a few times).

                    So the two rules will actually match the same thing (i.e. source Dell -> anything), but then have differing limiters.

                    1 Reply Last reply Reply Quote 0
                    • Derelict
                      Derelict LAYER 8 Netgate last edited by

                      Yes.

                      Chattanooga, Tennessee, USA
                      The pfSense Book is free of charge!
                      DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        swinster @Derelict last edited by

                        @Derelict Hmm, not quite! OK, I switched the second rule to be source IP matched on the XPS. This didn't work as it didn't match anything still. So, I switched direct to "IN", which of course matches, but the limiter doesn't affect the outbound packet TO the XPS. The limiter TO the XPS is set the the a destination mask.

                        The matches still don't make any sense either. By this I mean that whilst I can injected packet loss via the first rule for packet IN to the LAN interface (upstream) at a constant 10%, the rule says it has only matched 100 or so packets, yet 5000+ have passed.

                        1 Reply Last reply Reply Quote 0
                        • Derelict
                          Derelict LAYER 8 Netgate last edited by

                          Then the rule is wrong. This really does work.

                          How about you post everything you have done. The limiters, how they are set on the rules, the alias contents, etc. If you post floating rules be sure you detail the whole rule so we can see what interface the rules are on and the direction, etc.

                          Chattanooga, Tennessee, USA
                          The pfSense Book is free of charge!
                          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post