Floating Match Rules Not Queuing Traffic
I want to prioritize all UDP traffic from a PBX to the Internet. I've set up a floating rule, inbound on the LAN interface, that marks all UDP traffic from the private IP of the PBX, then another rule to match the marked packets on the WAN to place them in a queue. The floating rules are showing a green check in the firewall log, but the queues show no traffic. I maybe get an occasional blip of packets in the queue, but not the expected 85 kbps or so you'd see for an RTP stream during a call.
Yes, I've reset the firewall states many, many times. I've tried quick and not quick on the floating rules (there seem to be conflicting opinions on using quick with match rules for traffic shapers).
Screenshot of my rules
Running pfSense CE 2.6
Installed packages:
acme
lldpd
ntopng
openvpn-client-export
pfBlockerNG
snort (disabled for the time being to troubleshoot)
- DNS is UDP. pfBlockerNG may not be fully compatible with altQ
- Think of Snort as a traffic shaper. It typically breaks altq links on interfaces it is assigned to.
- Match rules don't necessarily match with the quick option and it probably shouldn't be used with matching for altq or limiters.
Try tagging the traffic on the LAN interface, inbound (which means on upload), as a floating match rule, THEN match traffic on the LAN interface with a floating rule for altQ, THEN match traffic on the WAN for altQ. It is confusing because of how states are created and NAT. States are created on the interface they are seen. First on the LAN, and then on the WAN.
Quick rules match first, in order, and non-quick rules match on a last-seen-match basis, both top-to-bottom in the firewall rules.
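The three-step ordering described in the reply above, written out as the equivalent pf ruleset that pfSense would generate from the GUI. This is an added example, not something posted in the thread or taken from pfSense's own output; the interface names (igb0 for WAN, igb1 for LAN), the PBX address 192.168.1.10, the tag name PBX_UDP, the queue names and the bandwidth figures are all assumptions chosen for illustration.

```pf
# Added example (not from the thread). Assumed names: WAN igb0, LAN igb1,
# PBX at 192.168.1.10, tag PBX_UDP, queues qVoIP/qDefault.
wan_if = "igb0"
lan_if = "igb1"
pbx    = "192.168.1.10"

# ALTQ shapes on egress of each interface: the WAN scheduler shapes
# uploads, the LAN scheduler shapes downloads. Same queue names on both.
altq on $wan_if hfsc bandwidth 20Mb  queue { qVoIP, qDefault }
altq on $lan_if hfsc bandwidth 950Mb queue { qVoIP, qDefault }
queue qVoIP    on $wan_if bandwidth 10% priority 7 hfsc(realtime 1Mb)
queue qDefault on $wan_if bandwidth 90% hfsc(default)
queue qVoIP    on $lan_if bandwidth 10% priority 7 hfsc(realtime 1Mb)
queue qDefault on $lan_if bandwidth 90% hfsc(default)

# 1. Tag the PBX's UDP as it enters on LAN (upload direction). The tag is
#    stored with the state, so the return packets carry it as well.
match in on $lan_if proto udp from $pbx tag PBX_UDP

# 2. Queue assignment on the LAN side. The state for this flow is created
#    here first, so the queue has to be set on this interface too.
match on $lan_if tagged PBX_UDP queue qVoIP

# 3. Queue assignment on the WAN side, after outbound NAT. Match by tag
#    rather than by source address, because the source is now the WAN IP.
match on $wan_if tagged PBX_UDP queue qVoIP

# No "quick" on the match rules above; the ordinary pass rule stays as is.
pass in on $lan_if from $pbx to any
```

To confirm the queue is actually being used, place a call and watch the per-queue packet counters with `pfctl -vsq` on the firewall shell; `qVoIP on igb0` should climb with the RTP stream rather than showing the occasional blip described in the question. If the counters only move on one interface, recheck that the tag is applied before the queue rules and that both match rules reference the same tag.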