DSCP leak from comcast Business class on Netgate SG5100
-
I am building out a fleet of Netgate SG-3100/5100 Firewalls at 19 locations. We are going to have dual WAN connections and are have implemented at about half the sites. One connection is a MOE connection and we are allowed to pass DSCP tags without trouble. Our secondary connection is a mixture of Comcast Business Class Internet or fiber DIA connections. We are noticing that connection Zoom and Teams traffic from the Comcast Business Class Internet connect often have poor connectivity on wifi only (unifi). After further testing it seems that packets from the ingress seem to leak DSCP settings Comcasts network and WMM is reading these settings and categorizing the traffic to the endpoints as CS1 instead of EF. My thoughts on countermeasures are:
- see if there is a way to reset the DSCP tag to DF or AF on inbound traffic from the Comcast Business class connection.
- Reach out to Comcast and see if they can strip the DSCP tag coming into our network (I am not hopeful that their support number will understand what I am asking for).
- see if it is possible to set the wireless AP to ignore WMM.
Has anyone else had this problem and been able to address it?
-
@kerat Unfortunately, I am seeing the same issue. From https://docs.netgate.com/pfsense/en/latest/trafficshaper/dscp.html, all I can see is "Warning: pfSense software does not support the setting or changing of DiffServ values, only matching."
-
@kerat Why would you not strip the tags or mark how you want as it enters the network from the AP.. At your switch?
As to disable wmm on unifi ap I found this.
https://omg.dje.li/2020/02/disabling-wmm-on-ubiquiti-unifi-uaps/
