Netgate Discussion Forum
    Problem classifying SSH traffic

    Traffic Shaping
    6 Posts 2 Posters 3.0k Views
    • j0ris

      I thought I'd add a queue with a high priority for SSH traffic. Seemed quite straightforward: just create traffic shaper rules that match TCP port 22 as destination:

      If       | Proto | Source | Destination     | Target
      LAN->WAN | TCP   | *      | * Port 22 (SSH) | qShellUp/qShellDown
      WAN->LAN | TCP   | *      | * Port 22 (SSH) | qShellDown/qShellUp

      However, I only see traffic going into these qShellUp/qShellDown queues during the login process of an SSH terminal session. When I repeatedly cat a large text file in this terminal to generate some traffic, I see qlanacks jumping up, not qShellDown.

      Any idea what's going on here?

    • danswartz

        My guess is that the subsequent packets have ToS already set causing them to go into the ack queue, and that rule is firing first?

    • j0ris

          There is no rule above the SSH rules that should be firing first: those SSH rules are number 2 & 3 in my list of traffic shaping rules, rule #1 checks for DNS (port 53).

          Is there something unusual about SSH traffic that I don't understand?

           Is there some way I can check on a lower level, in the pfSense shell, with pfctl for example?

    • danswartz

            Sorry if I was unclear. There are rules and such operating behind the scenes that do things like shaping for ACKs and such.

    • j0ris

              Thanks for the clarification!

              For me it's not really a problem that the SSH traffic ends up in qlanacks as this queue has the highest priority anyway, but it certainly is not what I'd expect to happen. I can't help but wonder if it's not a bug?

    • danswartz

                I don't think it will be considered that way - I ran into the same issue with VoIP packets, where because they had ToS of low delay they got put on the ACK queue.

                1 Reply Last reply Reply Quote 0
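Editor's added example, not written by either poster and not pfSense's own code. It models the behaviour danswartz describes and gives j0ris a way to check it from the shell without reading the whole ruleset. pf.conf(5) documents that for a rule written "queue (q_data, q_ack)", packets whose IP ToS byte has the lowdelay bit (0x10) set, and TCP packets that are pure ACKs with no payload, are assigned to the second queue; everything else goes to the first. Interactive OpenSSH sessions of that era set the lowdelay ToS bit (bulk transfers such as scp set throughput, 0x08), which is why the interactive session's data lands in the ACK queue rather than the data queue. The decision function below reproduces that rule; the queue pair qShellDown/qlanacks is assumed for the matching rule, and the three tcpdump-style lines are constructed, not from a real capture.

```shell
#!/bin/sh
# Added example (not from the forum thread, not pfSense code): reproduce the
# pf.conf(5) queue-pair rule as a small shell function and apply it to
# constructed "tcpdump -nv port 22" style lines.

IPTOS_LOWDELAY=16   # 0x10: the ToS bit an interactive SSH session sets

# pick_queue Q_DATA Q_ACK TOS FLAGS PAYLOAD_LEN
#   Prints the queue pf would choose for a packet that matched a rule with
#   "queue (Q_DATA, Q_ACK)".  TOS is hex (0x10) or decimal; FLAGS are in the
#   form tcpdump prints them ([P.], [.], [S]); PAYLOAD_LEN is the TCP payload.
pick_queue() {
    q_data=$1; q_ack=$2; tos=$3; flags=$4; plen=$5
    # lowdelay ToS bit set -> second queue, regardless of payload
    if [ $(( $tos & $IPTOS_LOWDELAY )) -ne 0 ]; then
        echo "$q_ack"; return 0
    fi
    # pure ACK (ACK flag, tcpdump's '.', and zero payload) -> second queue
    case "$flags" in
        *.*) if [ "$plen" -eq 0 ]; then echo "$q_ack"; return 0; fi ;;
    esac
    echo "$q_data"
}

# classify_line Q_DATA Q_ACK "<tcpdump -v line>"
#   Pulls tos, Flags and the TCP payload length out of a verbose tcpdump
#   line and hands them to pick_queue.  The line format assumed here is the
#   one-line form used in the constructed samples below.
classify_line() {
    line=$3
    tos=$(printf '%s\n' "$line"   | sed -n 's/.*tos \(0x[0-9a-f]*\),.*/\1/p')
    flags=$(printf '%s\n' "$line" | sed -n 's/.*Flags \(\[[^]]*\]\).*/\1/p')
    plen=$(printf '%s\n' "$line"  | sed -n 's/.*, length \([0-9]*\)$/\1/p')
    pick_queue "$1" "$2" "${tos:-0}" "$flags" "${plen:-0}"
}

# Constructed sample lines (not a real capture):
#   interactive ssh keystroke data, tos 0x10 (lowdelay), 12 bytes payload
INTERACTIVE='IP (tos 0x10, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.10.51234 > 10.0.0.5.22: Flags [P.], seq 1:13, ack 1, win 502, length 12'
#   scp-style bulk segment, tos 0x8 (throughput), full payload
BULK='IP (tos 0x8, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 1500) 10.0.0.5.22 > 192.168.1.10.51234: Flags [P.], seq 1:1461, ack 13, win 502, length 1460'
#   bare acknowledgement, tos 0x0, no payload
PUREACK='IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.10.51234 > 10.0.0.5.22: Flags [.], ack 1461, win 502, length 0'

main() {
    # Assumed queue pair for the matching rule: data queue qShellDown,
    # ACK queue qlanacks (the queue the post saw filling up).
    for l in "$INTERACTIVE" "$BULK" "$PUREACK"; do
        printf '%-10s <- %s\n' "$(classify_line qShellDown qlanacks "$l")" "${l#*) }"
    done
}
main
```

To check the same thing on the firewall itself: `pfctl -sr` shows the generated rules including their `queue (x, y)` pairs, `pfctl -vvsq` loops over the queues showing per-queue packet counters so you can watch which one increments, and `tcpdump -nvi <interface> port 22` prints the `tos` field of each packet so you can see whether the session is setting 0x10. Note that tcpdump normally prints a verbose IP header across two lines; the one-line form above is a simplification for the sample data.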
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.