Netgate Discussion Forum

    Since version 25.11, all interface rules are bypassed if a floating rule is set to 'match' and 'quick' (but not 'deny', 'pass' or 'block'), and matches.

    • lvrmsc

      Since version 25.11, all interface rules are bypassed if a floating rule is set to 'match' and 'quick' (but not 'deny', 'pass' or 'block'), and matches.

      Following this, the slightest floating rule for queuing matters using 'match' and 'quick' rules out every other interface-specific rule. In my case, this resulted in all LAN traffic falling under the 'Default deny rule' because the LAN-specific rules were no longer applied.

      I agree that 'quick' should have that effect for a pass, deny or block rule. However, this should not apply to a 'match' rule, which is not intended to block or allow traffic.

      Probably related to the fix of bug #16475
      https://redmine.pfsense.org/issues/16475

        • SteveITS

        @lvrmsc I think that is the goal of the bug fix…
        https://forum.netgate.com/topic/199552/vlans-stop-working-after-upgrading-from-24.11-for-both-25.07.1-25.11/12
        https://forum.netgate.com/post/1233354

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
        Upvote 👍 helpful posts!

          • lvrmsc

          The 'match' rules (in the floating rules section) are not intended for filtering incoming (pass) or outgoing (deny, block) traffic.
          Am I mistaken?
          Therefore, 'quick' on them (match rules, not other rules) should not cancel any other pass, deny or block rules.
          Just add a floating rule using match mode (not deny, block or pass) to associate traffic with queues, for example. Add 'quick' to that one. All your other interface-specific rules will be skipped and fall on the default rule, which is a block rule.
          I removed 'quick' from all my floating 'match' rules to solve the issue, but now I have to reconsider their order to ensure that tagging done by one of those rules is not mistakenly changed by another. It's not a major issue, but we've lost a feature. This can cripple communications while upgrading to 25.11.

            • SteveITS

            @lvrmsc I hear what you’re saying. “Without Quick checked, the rule will only take effect if no other rules match the packet,” which makes it seem like a pass rule would be required to set traffic shaping? Unless the docs should say match will take effect without quick? We have no routers on 25.11 yet to check.

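
A pre-upgrade check for the situation described in this thread, as an added example that is not part of any post or of pfSense itself: it scans a config.xml backup for enabled floating rules that are both 'match' and 'quick', and lists the interface-tab rules on the same interfaces that would need re-checking. The element names (`type`, `floating`, `quick`, `disabled`, `interface`, `descr`, `tracker`), the `yes` values and the sample rules are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <filter> section of a pfSense config.xml.
# Element names and "yes" values are assumptions; verify against your backup.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><tracker>1001</tracker><type>match</type><interface>wan,lan</interface><floating>yes</floating><quick>yes</quick><descr>Queue VoIP</descr></rule>
<rule><tracker>1002</tracker><type>match</type><interface>wan</interface><floating>yes</floating><descr>Queue bulk</descr></rule>
<rule><tracker>1003</tracker><type>block</type><interface>wan</interface><floating>yes</floating><quick>yes</quick><descr>Block bogons</descr></rule>
<rule><tracker>1004</tracker><type>match</type><interface>lan</interface><floating>yes</floating><quick>yes</quick><disabled></disabled><descr>Old shaper</descr></rule>
<rule><tracker>1005</tracker><type>pass</type><interface>lan</interface><descr>Default allow LAN to any</descr></rule>
</filter></pfsense>"""


def _text(rule, tag):
    """Stripped text of a child element, or '' when absent or empty."""
    return (rule.findtext(tag) or "").strip()


def audit_quick_match(config_xml):
    """Return enabled floating rules that are both 'match' and 'quick'.

    Each finding also lists the enabled interface-tab rules on the same
    interfaces, i.e. the rules that, per the behaviour reported in this
    thread, are no longer evaluated for traffic the match rule catches.
    """
    rules = ET.fromstring(config_xml).findall("./filter/rule")
    per_iface = {}
    for r in rules:
        if r.find("floating") is None and r.find("disabled") is None:
            per_iface.setdefault(_text(r, "interface"), []).append(_text(r, "descr"))
    findings = []
    for r in rules:
        if r.find("disabled") is not None or _text(r, "type") != "match":
            continue
        if _text(r, "floating") == "yes" and _text(r, "quick") == "yes":
            ifaces = [i for i in _text(r, "interface").split(",") if i]
            findings.append({"tracker": _text(r, "tracker"),
                             "descr": _text(r, "descr"),
                             "affected": {i: per_iface.get(i, []) for i in ifaces}})
    return findings


if __name__ == "__main__":
    for f in audit_quick_match(SAMPLE_CONFIG):
        print(f"floating match+quick rule {f['tracker']} ({f['descr']})")
        for iface, descrs in f["affected"].items():
            print(f"  {iface}: {len(descrs)} interface rule(s) to re-check: {descrs}")
```
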

            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.