matching on vlan prio does not work as expected
-
@thecancel Guessing you are from france (Orange subscriber like me :-))
See here how I made it work. Read the entire thread: https://forum.netgate.com/topic/180212/how-to-hack-built-in-dhcp-client-pfrule
EDIT: It does not require an actual hack - just a slight “double” setting in the UI
-
Thanks @keyser !
Indeed. Wondering how hard it was for people to understand where on this world there can be such problems :)
Still, even with that config, I still get disconnected after 24h.
I will continue to play with it, maybe it is my setup that adds an extra layer of complexity.
I would try 2 things:
- disable the DHCP VLAN Priority, add Floating rule with same config.
- edit the filter.inc
Still in my case what is strange is the fact that while the rule is fine in /tmp/rules.debug, the configuration applied shows ( pfctl -sr )
prio 6 set ( prio 6 )
Which for me it will match only packets with priority 6. For this to work I need
prio 0 set prio 6
-
@thecancel Strange - maybe there is a difference between my 23.01/05 pfSense+ and 2.6, but I would be really surprised if that is the case.
Do you have IPv6 active? Orange clearly states that it has to be similarly in compliance, otherwise both will be denied renewal.
I have not activated IPv6 yet because of my inability to get it to work. I’m due for some testing on 23.05 soon - my last attempt was on 22.05 -
Thanks for the hint on the version.
I also don't have IPv6 configured for the moment.
I will try upgrading to pfSense+ 23.01 / 23.05 when I get some time and approval from family (you cannot do maintenance while the TV is running)
Once completed I will report back
-
@thecancel Try that. My renews works now on 23.05 when I have both settings configured.
-
Upgrade completed.
Also I checked the rule added by the 'VLAN Priority tagging' and it looks like this (in pfctl -sr):
pass out quick on cxgbe2.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "allow dhcp client out WAN_832_INTERNET" ridentifier 1000002562
Also did a test and tagged with PRIO 6 the outgoing SSH packets ( which did not work before ) and I can clearly see that the outgoing packets are being properly tagged with PRIO 6.
08:56:59.356618 YYYY > ZZZZ, ethertype 802.1Q (0x8100), length 154: vlan 832, p 6, ethertype IPv4, MY_IP.29533 > OTHER_IP.22: Flags [P.], seq 1946:2030, ack 1831, win 269, options [nop,nop,TS val 2437057251 ecr 720995747], length 84
08:57:05.388352 ZZZZ > YYYY, ethertype 802.1Q (0x8100), length 154: vlan 832, p 0, ethertype IPv4, OTHER_IP.22 > MY_IP.29533: Flags [P.], seq 1831:1915, ack 2030, win 514, options [nop,nop,TS val 720995818 ecr 2437057251], length 84
Before, setting the prio on SSH did not work at all.
Hopefully the RENEW will now work. I'll have to wait until tomorrow for that!
Again, thanks !
-
@thecancel Excellent - I’m a little surprised there is a difference between 23.xx and 2.6 on this point, but it has been an issue earlier, so perhaps the fix first came with 22.05 in the pfSense Plus series (Which is after 2.6 in CE).
-
I am still waiting on my RENEW for the moment, still I think it will work at 99%.
As it seems there is a difference in how the rule is constructed. In /tmp/rules.debug the prio on VLAN now seems different:
pass out quick on $WAN_832_INTERNET proto udp from any port = 68 to any port = 67 ridentifier 1000002562 label "allow dhcp client out WAN_832_INTERNET" set prio 6
which translated to the above rule in pfctl.
Seems that the fix was to remove the
prio X
from
prio 6 set ( prio 6 )
While upgrading, I went this path : pfSense CE - 23.01 - 23.05.
Also this seems the cleanest solution for the moment, since having hacks in place will not help in the long run.
Thanks for your help on this one! Also updated the lafibre thread on these findings, to spare others the headache we both went through!
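As an added illustration (not code from this thread or from pfSense), a small Python check that reads pfctl -sr or rules.debug lines and flags rules that both filter on a VLAN prio and set one, the "prio 6 set ( prio 6 )" form that never matched the untagged outgoing DHCP frames here. The sample rules are constructed from the rule quoted above; the broken first line is the same rule with the prio filter clause inserted.

```python
import re

# Constructed sample: line 1 is the non-working form (filters on prio 6 before
# setting it), line 2 is the working 23.05 form, line 3 is the rules.debug
# spelling of the same rule, line 4 is an unrelated rule with no prio at all.
SAMPLE_RULES = """\
pass out quick on cxgbe2.832 proto udp from any port = bootpc to any port = bootps prio 6 set ( prio 6 ) keep state label "allow dhcp client out WAN_832_INTERNET" ridentifier 1000002562
pass out quick on cxgbe2.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "allow dhcp client out WAN_832_INTERNET" ridentifier 1000002562
pass out quick on $WAN_832_INTERNET proto udp from any port = 68 to any port = 67 ridentifier 1000002562 label "allow dhcp client out WAN_832_INTERNET" set prio 6
pass in quick on cxgbe2.832 proto tcp from any to any port = ssh keep state
"""

# A filter clause "prio N" that is neither preceded by "set " nor followed by ")"
# (i.e. not the value inside "set ( prio N )").
MATCH_PRIO = re.compile(r"(?<!set )\bprio (\d)\b(?!\s*\))")
# The assignment, in either the pfctl "set ( prio N ... )" or rules.debug "set prio N" form.
SET_PRIO = re.compile(r"set \(\s*prio (\d)|set prio (\d)")


def analyse_rule(rule: str) -> dict:
    """Report which VLAN prio a rule requires on the packet and which one it assigns."""
    m = MATCH_PRIO.search(rule)
    s = SET_PRIO.search(rule)
    matches_prio = int(m.group(1)) if m else None
    sets_prio = int(s.group(1) or s.group(2)) if s else None
    # Locally generated DHCP frames leave with prio 0, so a rule that requires a
    # non-zero prio and also sets one can never tag them: that is the bug seen on 2.6.
    blocking = matches_prio not in (None, 0) and sets_prio is not None
    return {
        "rule": rule,
        "matches_prio": matches_prio,
        "sets_prio": sets_prio,
        "blocking_prio_match": blocking,
    }


def find_blocking_rules(pfctl_output: str) -> list:
    """Return every rule line that filters on a prio while also setting one."""
    return [
        r["rule"]
        for r in map(analyse_rule, pfctl_output.splitlines())
        if r["blocking_prio_match"]
    ]


if __name__ == "__main__":
    for bad in find_blocking_rules(SAMPLE_RULES):
        print("suspect prio rule:", bad)
```

Feed it real output with `pfctl -sr | python3 check_prio.py`-style piping by replacing SAMPLE_RULES with `sys.stdin.read()`.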
-
@thecancel My pleasure - I have actually also updated a thread on lafibre about these findings. But maybe not the same one you are reading :-)
-
Confirming that the RENEW is working:
-
@thecancel said in matching on vlan prio does not work as expected:
Confirming that the RENEW is working:
EXCELLENT :-) Happy to help