Question about firewall rules for FQ_Codel Limiter
-
Hi,
I know that the recommended way to create firewall rules for the FQ_Codel limiter is to create a floating rule for the WAN adapter, but by then NAT has already taken place, and now the source address is the address of the WAN adapter itself, instead of the address of the LAN PC that initiated the connection, right? Won't that hurt the algorithm's ability to fairly manage flows? The paper on FQ_Codel says that:
"By default, the flow hashing is performed on the 5-tuple of source and destination IP addresses and port numbers and IP protocol number." That sounds to me like the source IP is important.
How can it fairly distribute bandwidth, if all packets it receives have the same source IP address? I mean, it obviously will work to some extent, but is it really going to fully work like it's intended to?
Regards
-
@fsr the source port randomization should alleviate the issue:
By default, pfSense rewrites the source port on all outgoing connections
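To make the point above concrete, here is an added example (not from either poster, nor from pfSense or FQ-CoDel code) that models what the WAN-side rule sees after outbound NAT. The constructed LAN flows, the WAN address, the use of the IANA ephemeral port range for the rewritten ports, and a truncated SHA-256 standing in for FQ-CoDel's real keyed hash are all assumptions of the example.

```python
import hashlib
import random
from typing import NamedTuple

FLOW_QUEUES = 1024  # FQ-CoDel default number of flow queues (RFC 8290)

class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number, 6 = TCP

def flow_queue(t: FiveTuple, nqueues: int = FLOW_QUEUES) -> int:
    """Map a 5-tuple to a flow queue index, modelling FQ-CoDel's hash-based flow
    classification (truncated SHA-256 stands in for the real keyed hash; assumption)."""
    key = "|".join(map(str, t)).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % nqueues

def nat_rewrite(flows, wan_ip, randomize_ports, seed=1):
    """Model what a floating rule on WAN sees after outbound NAT.
    randomize_ports=False: only the source IP is rewritten (the questioner's worry).
    randomize_ports=True:  each state also gets its own unique source port."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    new_ports = rng.sample(range(49152, 65536), len(flows))  # ephemeral range (assumption)
    out = []
    for f, p in zip(flows, new_ports):
        out.append(f._replace(src_ip=wan_ip, src_port=p if randomize_ports else f.src_port))
    return out

def distinct_flows(flows):
    return len(set(flows))

def distinct_queues(flows):
    return len({flow_queue(f) for f in flows})

# Constructed LAN traffic: three hosts talking to the same HTTPS server. Two of them
# happened to pick the same ephemeral port, which is legal because they are different hosts.
LAN_FLOWS = [
    FiveTuple("192.168.1.10", "203.0.113.10", 51515, 443, 6),
    FiveTuple("192.168.1.11", "203.0.113.10", 51515, 443, 6),
    FiveTuple("192.168.1.12", "203.0.113.10", 60001, 443, 6),
    FiveTuple("192.168.1.10", "203.0.113.10", 51516, 443, 6),
]
WAN_IP = "198.51.100.2"  # constructed WAN address

if __name__ == "__main__":
    for label, rewrite in (("IP only", False), ("IP + randomized port", True)):
        seen = nat_rewrite(LAN_FLOWS, WAN_IP, rewrite)
        print(f"{label:22s} distinct 5-tuples={distinct_flows(seen)} "
              f"queues={distinct_queues(seen)} of {len(LAN_FLOWS)} connections")
```

With only the IP rewritten, the two connections that share a source port collapse into one 5-tuple and therefore one queue; with per-state port rewriting every connection keeps its own 5-tuple, so the hash can still separate them even though the source IP is identical.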
-
@thiasaef said in Question about firewall rules for FQ_Codel Limiter:
@fsr the source port randomization should alleviate the issue:
By default, pfSense rewrites the source port on all outgoing connections
Thanks for your answer. It certainly looks like the limiter does a good job, even after NAT.