Problem classifying SSH traffic

  • I thought I'd add a queue with a high priority for SSH traffic. Seemed quite straightforward: just create traffic shaper rules that match TCP port 22 as destination:

    If        | Proto | Source | Destination      | Target
    ----------+-------+--------+------------------+--------------------
    LAN->WAN  | TCP   | *      | * Port 22 (SSH)  | qShellUp/qShellDown
    WAN->LAN  | TCP   | *      | * Port 22 (SSH)  | qShellDown/qShellUp

    However, I only see traffic going into these qShellUp/qShellDown queues during the login process of an SSH terminal session. When I repeatedly cat a large text file in this terminal to generate some traffic, I see qlanacks jumping up, not qShellDown.

    Any idea what's going on here?

  • My guess is that the subsequent packets have ToS already set causing them to go into the ack queue, and that rule is firing first?

  • There is no rule above the SSH rules that should be firing first: those SSH rules are number 2 & 3 in my list of traffic shaping rules, rule #1 checks for DNS (port 53).

    Is there something unusual about SSH traffic that I don't understand?

    Is there some way I can check on a lower level, in the pfSense shell, with pfctl for example?

  • Sorry if I was unclear. There are rules and such operating behind the scenes that do things like shaping for ACKs and such.

  • Thanks for the clarification!

    For me it's not really a problem that the SSH traffic ends up in qlanacks as this queue has the highest priority anyway, but it certainly is not what I'd expect to happen. I can't help but wonder if it's not a bug?

  • I don't think it will be considered that way - I ran into the same issue with VOIP packets, where because they had ToS of low delay they got put on the ACK queue.
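
The following is an added illustration, not code from the thread or from pfSense. It models the pf behaviour the last two replies describe: when a shaper rule names two queues, pf puts TCP segments with no payload (pure ACKs) and any packet whose IP ToS has the lowdelay bit set into the second queue, and everything else into the first. Attaching qlanacks as that second queue to the SSH rule is an assumption about how pfSense generates its rules behind the scenes; the ToS values (lowdelay 0x10 for an interactive session, throughput 0x08 for a bulk transfer, none during login) are an assumption about what the SSH client sets, and the packets are constructed, not captured.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

IPTOS_LOWDELAY = 0x10    # assumed: set by the SSH client once the session is interactive
IPTOS_THROUGHPUT = 0x08  # assumed: set by the SSH client for bulk transfers (scp)


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    tos: int          # IP ToS byte
    payload_len: int  # bytes after the transport header


@dataclass(frozen=True)
class ShaperRule:
    proto: str
    dport: int
    queue: str                       # first queue in `queue (a, b)`
    ack_queue: Optional[str] = None  # second queue; None means a single-queue rule


# Constructed rule set mirroring the thread: DNS is rule #1, SSH follows.
# The hidden ACK queue on the SSH rule is an assumption (see lead-in).
RULES = [
    ShaperRule("udp", 53, "qDNS"),
    ShaperRule("tcp", 22, "qShellDown", "qlanacks"),
]


def assign_queue(pkt: Packet, rules: List[ShaperRule], default: str = "qlandef") -> str:
    """Return the queue pf would assign to pkt, first matching rule wins."""
    for rule in rules:
        if pkt.proto != rule.proto or pkt.dport != rule.dport:
            continue
        if rule.ack_queue is None:
            return rule.queue
        # Two-queue rule: a TCP segment carrying no data (a pure ACK) or any
        # packet with the lowdelay ToS bit lands in the second queue. This is
        # why interactive SSH output shows up in qlanacks, not qShellDown.
        if pkt.proto == "tcp" and pkt.payload_len == 0:
            return rule.ack_queue
        if pkt.tos & IPTOS_LOWDELAY:
            return rule.ack_queue
        return rule.queue
    return default


def count_queues(pkts: List[Packet], rules: List[ShaperRule]) -> Dict[str, int]:
    """Per-queue packet counts for a burst, the way `pfctl -vvsq` would show them."""
    return dict(Counter(assign_queue(p, rules) for p in pkts))


# Constructed traffic samples (not captured data).
LOGIN = [Packet("tcp", 22, 0x00, 48), Packet("tcp", 22, 0x00, 0), Packet("tcp", 22, 0x00, 512)]
CAT_OUTPUT = [Packet("tcp", 22, IPTOS_LOWDELAY, 1400)] * 5 + [Packet("tcp", 22, IPTOS_LOWDELAY, 0)]
SCP_BULK = [Packet("tcp", 22, IPTOS_THROUGHPUT, 1400)] * 3

if __name__ == "__main__":
    print("login:", count_queues(LOGIN, RULES))          # data in qShellDown, the bare ACK in qlanacks
    print("cat in a terminal:", count_queues(CAT_OUTPUT, RULES))  # everything in qlanacks
    print("scp:", count_queues(SCP_BULK, RULES))          # back in qShellDown
```

To confirm this on the firewall itself rather than in a model, watch the per-queue packet counters with `pfctl -vvsq` while generating the traffic, and run `tcpdump -v` on the interface, which prints the `tos` field of each packet, to see whether the SSH segments carry 0x10 once the session is interactive.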
