Traffic shaper keeps sending everything from pfsense via default queue



  • My pfsense control traffic is using HTTPS on port 44443. I'm trying to shape it with a Floating rule which is similar to ones created by the wizard:

    Proto=TCP Source=* SourcePort=* Dest=* DestPort=44443 Interface=any Direction=out AckQueue/Queue=qAck/qOthersHigh

    But rather than via qAck/qOthersHigh, pfsense passes the traffic via the default queue (qP2P).

    In general, everything from pfsense is passed via the default queue. This is quite strange since pfsense works correctly otherwise – everything through it is passed via the correct queue.

    Is it a bug, a feature by design, or am I missing something?


  • Rebel Alliance Developer Netgate

    You are specifying the direction as out and the destination port as 44443. This would be traffic leaving pfSense going to that port. If you change the direction to in, it may work.



  • @jimp:

    You are specifying the direction as out and the destination port as 44443. This would be traffic leaving pfSense going to that port. If you change the direction to in, it may work.

    I've tried out, in and any. None works.

    BTW, as out is set as the default in all Floating rules created by the wizard, and as such it works for both LAN-to-WAN and WAN-to-LAN access directions, I think that the out specifier is for the transmitting queues/interfaces and in is for the receiving queues/interfaces. The out specifier is used everywhere since it means to shape traffic at the departure point. The in and any specifiers should not be used since it makes (almost) no sense to shape arriving traffic.



  • Probably you have a rule that is overriding it.
    Try clicking quick and see if it works :)



  • I just had a similar problem with April 30th version, using PRIQ.  Nothing ever went in the non-default queues, and there were no obvious reasons why.  We restarted the traffic shapers rules many, many times and we ended up using the wizard out of desperation, and then tweaked the rules created by the wizard to get where we wanted. And it worked!

    I don't know why, because the rules that were built were similar to what was manually entered previously.

    Is the wizard doing something the manual-building of rules isn't?



  • @ermal:

    Probably you have a rule that is overriding it.
    Try clicking quick and see if it works :)

    The quick specifier does not work.

    The following is my complete rule list, unedited. The rule in question is @80.

    @0 scrub in on em0 all fragment reassemble
      [ Evaluations: 2484865   Packets: 632       Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @1 scrub in on em1 all fragment reassemble
      [ Evaluations: 2483601   Packets: 593191    Bytes: 35082877    States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @2 scrub in on em4 all fragment reassemble
      [ Evaluations: 1276179   Packets: 201388    Bytes: 65621028    States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @3 scrub in on em5 all fragment reassemble
      [ Evaluations: 895475    Packets: 151512    Bytes: 49888067    States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @4 scrub in on em3 all fragment reassemble
      [ Evaluations: 602366    Packets: 252476    Bytes: 129612147   States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @0 anchor "relayd/*" all
      [ Evaluations: 132844    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @1 anchor "firewallrules" all
      [ Evaluations: 132844    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @2 block drop in all label "Default deny rule"
      [ Evaluations: 132844    Packets: 5         Bytes: 3004        States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @3 block drop out all label "Default deny rule"
      [ Evaluations: 132844    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @4 block drop in quick inet6 all
      [ Evaluations: 132844    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @5 block drop out quick inet6 all
      [ Evaluations: 67212     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @6 block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 132844    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @7 block drop quick proto tcp from any to any port = 0
      [ Evaluations: 24292     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @8 block drop quick proto udp from any port = 0 to any
      [ Evaluations: 132844    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @9 block drop quick proto udp from any to any port = 0
      [ Evaluations: 106572    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @10 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @11 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @12 anchor "packageearly" all
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @13 anchor "carp" all
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @14 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @15 block drop in quick from <virusprot:0> to any label "virusprot overload table"
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @16 block drop in on ! em0 inet from 10.0.0.0/24 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @17 block drop in inet from 10.0.0.3 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @18 block drop in on ! em1 inet from 192.168.0.72/29 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @19 block drop in inet from 192.168.0.74 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @20 block drop in on em0 inet6 from fe80::20c:29ff:fe45:2054 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @21 block drop in on em1 inet6 from fe80::20c:29ff:fe45:205e to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @22 anchor "dhcpserverLAN" all
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @23 pass in on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @24 pass in on em1 inet proto udp from any port = bootpc to 192.168.0.74 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @25 pass out on em1 inet proto udp from 192.168.0.74 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 59008     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @26 block drop in on ! em4 inet from 192.168.0.64/30 to any
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @27 block drop in inet from 192.168.0.66 to any
      [ Evaluations: 69100     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @28 block drop in on ! em5 inet from 192.168.0.68/30 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @29 block drop in inet from 192.168.0.70 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @30 block drop in on ! em3 inet from 192.168.0.80/29 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @31 block drop in inet from 192.168.0.82 to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @32 block drop in on em4 inet6 from fe80::20c:29ff:fe45:207c to any
      [ Evaluations: 65634     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @33 block drop in on em5 inet6 from fe80::20c:29ff:fe45:2086 to any
      [ Evaluations: 49817     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @34 block drop in on em3 inet6 from fe80::20c:29ff:fe45:2072 to any
      [ Evaluations: 33905     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @35 anchor "spoofing" all
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @36 anchor "loopback" all
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @37 pass in on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @38 pass out on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @39 anchor "firewallout" all
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @40 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 132850    Packets: 81347     Bytes: 30100514    States: 945   ]
      [ Inserted: uid 0 pid 48761 ]
    @41 pass out route-to (em0 10.0.0.2) inet from 10.0.0.3 to ! 10.0.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 67216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @42 pass out route-to (em1 192.168.0.75) inet from 192.168.0.74 to ! 192.168.0.72/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 67216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @43 pass out route-to (em4 192.168.0.65) inet from 192.168.0.66 to ! 192.168.0.64/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 67216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @44 pass out route-to (em5 192.168.0.69) inet from 192.168.0.70 to ! 192.168.0.68/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 67216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @45 pass out route-to (em3 192.168.0.81) inet from 192.168.0.82 to ! 192.168.0.80/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 67216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @46 pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
      [ Evaluations: 67216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @47 anchor "staticrouted" all
      [ Evaluations: 132850    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @48 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.0.0/20 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 132850    Packets: 632       Bytes: 40448       States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @49 pass in quick on em1 inet from 192.168.0.0/20 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 16783     Packets: 3499      Bytes: 299051      States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @50 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.0.0/20 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 67217     Packets: 5717      Bytes: 4551593     States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @51 pass out quick on em1 inet from 192.168.0.0/20 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 48216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @52 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.18.0/24 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 61500     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @53 pass in quick on em1 inet from 192.168.18.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 13284     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @54 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.18.0/24 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 61500     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @55 pass out quick on em1 inet from 192.168.18.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 48216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @56 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.20.0/24 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 61500     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @57 pass in quick on em1 inet from 192.168.20.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 13284     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @58 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.20.0/24 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 61500     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @59 pass out quick on em1 inet from 192.168.20.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 48216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @60 pass in quick on em1 inet from 192.168.0.72/29 to 192.168.25.0/24 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 61500     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @61 pass in quick on em1 inet from 192.168.25.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 13284     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @62 pass out quick on em1 inet from 192.168.0.72/29 to 192.168.25.0/24 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 61500     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @63 pass out quick on em1 inet from 192.168.25.0/24 to 192.168.0.72/29 no state label "pass traffic between statically routed subnets"
      [ Evaluations: 48216     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @64 anchor "anti-lockout" all
      [ Evaluations: 123002    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @65 pass in quick on em1 from any to (em1:2) flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 123002    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @66 pass out proto tcp from any to any port = rtsp flags S/SA keep state label "USER_RULE: m_Other RTSP1 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 123002    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @67 pass out proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: m_Other HTTP outbound" queue(qOthersDefault, qACK)
      [ Evaluations: 7861      Packets: 228252    Bytes: 158344140   States: 711   ]
      [ Inserted: uid 0 pid 48761 ]
    @68 pass out proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: m_Other HTTPS outbound" queue(qOthersDefault, qACK)
      [ Evaluations: 7861      Packets: 5780      Bytes: 2708153     States: 69    ]
      [ Inserted: uid 0 pid 48761 ]
    @69 pass out proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: m_Other SMTP outbound" queue(qOthersLow, qACK)
      [ Evaluations: 7861      Packets: 169       Bytes: 90001       States: 1     ]
      [ Inserted: uid 0 pid 48761 ]
    @70 pass out proto tcp from any to any port = pop3 flags S/SA keep state label "USER_RULE: m_Other POP3 outbound" queue(qOthersLow, qACK)
      [ Evaluations: 7861      Packets: 419       Bytes: 30742       States: 2     ]
      [ Inserted: uid 0 pid 48761 ]
    @71 pass out proto tcp from any to any port = imap flags S/SA keep state label "USER_RULE: m_Other IMAP outbound" queue(qOthersLow, qACK)
      [ Evaluations: 7861      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @72 pass out proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: m_Other DNS1 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 7861      Packets: 11        Bytes: 1410        States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @73 pass out proto udp from any to any port = domain keep state label "USER_RULE: m_Other DNS2 outbound" queue qOthersHigh
      [ Evaluations: 53639     Packets: 2924      Bytes: 262648      States: 78    ]
      [ Inserted: uid 0 pid 48761 ]
    @74 pass out proto tcp from any to any port = microsoft-ds flags S/SA keep state label "USER_RULE: m_Other SMB1 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 61499     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @75 pass out proto tcp from any to any port 136 >< 140 flags S/SA keep state label "USER_RULE: m_Other SMB2 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 7861      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @76 pass out proto tcp from any to any port = nntp flags S/SA keep state label "USER_RULE: m_Other NNTP1 outbound" queue(qOthersLow, qACK)
      [ Evaluations: 7861      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @77 pass out proto udp from any to any port = nntp keep state label "USER_RULE: m_Other NNTP2 outbound" queue qOthersLow
      [ Evaluations: 53638     Packets: 2         Bytes: 436         States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @78 pass out proto udp from any to any port = ntp keep state label "USER_RULE: m_Other NTP outbound" queue qOthersHigh
      [ Evaluations: 61141     Packets: 186326    Bytes: 15993614    States: 2134  ]
      [ Inserted: uid 0 pid 48761 ]
    @79 pass out proto tcp from any to any port = 30443 flags S/SA keep state label "USER_RULE: m_Other FW Control outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 61500     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @80 pass out quick proto tcp from any to any port = 31443 flags S/SA keep state label "USER_RULE: m_Other FW Control 1 outbound" queue qOthersHigh
      [ Evaluations: 7861      Packets: 3         Bytes: 144         States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @81 pass in quick on em3 reply-to (em3 192.168.0.81) inet proto icmp from any to 192.168.0.80/29 keep state label "USER_RULE: Pass ICMP to this gateway"
      [ Evaluations: 123003    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @82 pass in quick on em3 reply-to (em3 192.168.0.81) inet all flags S/SA keep state label "USER_RULE: Pass all in VietTel"
      [ Evaluations: 16491     Packets: 42425     Bytes: 3255820     States: 777   ]
      [ Inserted: uid 0 pid 48761 ]
    @83 pass in quick on em5 reply-to (em5 192.168.0.69) inet proto icmp from any to 192.168.0.68/30 keep state label "USER_RULE: Pass ICMP to this gateway"
      [ Evaluations: 100162    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @84 pass in quick on em5 reply-to (em5 192.168.0.69) inet all flags S/SA keep state label "USER_RULE: Pass in on VNPT9 all"
      [ Evaluations: 15912     Packets: 79824     Bytes: 6551104     States: 676   ]
      [ Inserted: uid 0 pid 48761 ]
    @85 pass in quick on em4 reply-to (em4 192.168.0.65) inet proto icmp from any to 192.168.0.64/30 keep state label "USER_RULE: Pass ICMP to this gateway"
      [ Evaluations: 80787     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @86 pass in quick on em4 reply-to (em4 192.168.0.65) inet all flags S/SA keep state label "USER_RULE: Pass in on VNPT8 all"
      [ Evaluations: 15817     Packets: 135914    Bytes: 11719359    States: 681   ]
      [ Inserted: uid 0 pid 48761 ]
    @87 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.64/29 flags S/SA keep state label "USER_RULE: pass all to vnpt8-vnpt9 splitters"
      [ Evaluations: 61504     Packets: 17800     Bytes: 3043798     States: 184   ]
      [ Inserted: uid 0 pid 48761 ]
    @88 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.80/29 flags S/SA keep state label "USER_RULE: pass all to viettel splitter"
      [ Evaluations: 12097     Packets: 8896      Bytes: 1522283     States: 92    ]
      [ Inserted: uid 0 pid 48761 ]
    @89 pass in quick on em1 reply-to (em1 192.168.0.75) inet proto tcp from any to any port = ftp flags S/SA keep state label "USER_RULE: pass FTP via default gateway"
      [ Evaluations: 11504     Packets: 6         Bytes: 360         States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @90 pass in log quick on em1 inet proto tcp from 192.168.12.23 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 6075      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @91 pass in log quick on em1 route-to (em4 192.168.0.65) inet proto tcp from 192.168.12.23 to any port = smtp flags S/SA keep state label "USER_RULE: mx1.savoyage.vn, VNPT8 only"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @92 pass in log quick on em1 inet proto tcp from 192.168.12.3 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 6075      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @93 pass in log quick on em1 route-to (em5 192.168.0.69) inet proto tcp from 192.168.12.3 to any port = smtp flags S/SA keep state label "USER_RULE: mail.haiphong.vn, VNPT9 only"
      [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @94 pass in log quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 6075      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @95 pass in log quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: other SMTP servers out, VietTel only"
      [ Evaluations: 6075      Packets: 29        Bytes: 5793        States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @96 pass in quick on em1 proto tcp from <netcservers:4> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 6074      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @97 pass in quick on em1 proto udp from <netcservers:4> to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 5427      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @98 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netcservers:4> to any port = domain flags S/SA keep state label "USER_RULE: critical DNS servers out, VietTel first"
      [ Evaluations: 1774      Packets: 11        Bytes: 1410        States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @99 pass in quick on em1 route-to (em3 192.168.0.81) inet proto udp from <netcservers:4> to any port = domain keep state label "USER_RULE: critical DNS servers out, VietTel first"
      [ Evaluations: 1770      Packets: 2754      Bytes: 246226      States: 78    ]
      [ Inserted: uid 0 pid 48761 ]
    @100 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 10161     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @101 pass in quick on em1 proto udp from any to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 4088      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @102 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69) } round-robin inet proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: other DNS clients out, VNPT first"
      [ Evaluations: 10161     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @103 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69) } round-robin inet proto udp from any to any port = domain keep state label "USER_RULE: other DNS clients out, VNPT first"
      [ Evaluations: 4088      Packets: 170       Bytes: 16422       States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @104 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69) } round-robin inet proto tcp from any to <vn01:56> port = http flags S/SA keep state label "USER_RULE: HTTP domestic1 out VNPTfirst"
      [ Evaluations: 10076     Packets: 59198     Bytes: 42953241    States: 209   ]
      [ Inserted: uid 0 pid 48761 ]
    @105 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69) } round-robin inet proto tcp from any to <vn02:76> port = http flags S/SA keep state label "USER_RULE: HTTP domestic2 out VNPTfirst"
      [ Evaluations: 3924      Packets: 79942     Bytes: 61938272    States: 117   ]
      [ Inserted: uid 0 pid 48761 ]
    @106 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 4437      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @107 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: HTTP abroad out VietTel first"
      [ Evaluations: 4437      Packets: 89090     Bytes: 53450608    States: 387   ]
      [ Inserted: uid 0 pid 48761 ]
    @108 pass in quick on em1 inet proto tcp from 192.168.0.0/21 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 2029      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @109 pass in quick on em1 route-to (em4 192.168.0.65) inet proto tcp from 192.168.0.0/21 to any port = mmcc flags S/SA keep state label "USER_RULE: YIM 1st half, VNPT8 first"
      [ Evaluations: 1971      Packets: 251       Bytes: 60550       States: 4     ]
      [ Inserted: uid 0 pid 48761 ]
    @110 pass in quick on em1 inet proto tcp from 192.168.8.0/21 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 2022      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @111 pass in quick on em1 route-to (em5 192.168.0.69) inet proto tcp from 192.168.8.0/21 to any port = mmcc flags S/SA keep state label "USER_RULE: YIM 2nd half, VNPT9 first"
      [ Evaluations: 58        Packets: 145       Bytes: 32518       States: 3     ]
      [ Inserted: uid 0 pid 48761 ]
    @112 pass in quick on em1 from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 6022      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @113 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em3 192.168.0.81) } round-robin inet all flags S/SA keep state label "USER_RULE: pass others out via any WAN"
      [ Evaluations: 6022      Packets: 60672     Bytes: 28197392    States: 736   ]
      [ Inserted: uid 0 pid 48761 ]
    @114 pass out on em0 route-to (em0 10.0.0.2) inet proto udp from any to 222.253.89.124 port = isakmp keep state label "IPsec: Test - outbound isakmp"
      [ Evaluations: 61504     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @115 pass in on em0 reply-to (em0 10.0.0.2) inet proto udp from 222.253.89.124 to any port = isakmp keep state label "IPsec: Test - inbound isakmp"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @116 pass out on em0 route-to (em0 10.0.0.2) inet proto udp from any to 222.253.89.124 port = sae-urn keep state label "IPsec: Test - outbound nat-t"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @117 pass in on em0 reply-to (em0 10.0.0.2) inet proto udp from 222.253.89.124 to any port = sae-urn keep state label "IPsec: Test - inbound nat-t"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @118 anchor "packagelate" all
      [ Evaluations: 61504     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @119 anchor "tftp-proxy/*" all
      [ Evaluations: 61504     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @120 anchor "limitingesr" all
      [ Evaluations: 61504     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    @121 anchor "miniupnpd" all
      [ Evaluations: 61504     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48761 ]
    

    It appears that rule @80 is overridden by rule @50. But @50 is system-generated so I don't know how to change/affect it.





  • @ermal:

    https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/fad4fae8da60daf10f439e186a0b40ceb8d41bd4

    Upgrade, it should fix your issue.

    I applied the fix. Now all "pass traffic between statically routed subnets" rules are moved to the end of the rule list, thus they cannot override other rules anymore. However, the rule in question still does not take effect. All control traffic responses from pfsense are still sent via the default queue (qP2P), as are ping responses from pfsense.

    Strangely, pftop shows that no pass out rules match the traffic; only the system-generated anti-lockout rule, which is a pass in rule, matches, if the traffic is a ping from a local PC to pfsense.



  • Ok this is going nowhere.
    Please explain where this traffic is originating from?
    If it is not originating from pfSense, then your rule needs to have direction in.
    You can try without any direction at all if you want to be calm and want this to work no matter if you have taken coffee or not.

    It is normal for traffic originating from another source to match a rule with in direction, and since this is 2010 and stateful firewalls are common, a state will be created which lets the outgoing packet pass out without any ruleset search, just the state search.



  • @ermal:

    Ok this is going nowhere.
    Please explain where this traffic is originating from?

    It originates from a remote PC in the LAN or Internet.

    @ermal:

    If it is not originating from pfSense, then your rule needs to have direction in.

    You can try without any direction at all if you want to be calm and want this to work no matter if you have taken coffee or not.

    It is normal for traffic originating from another source to match a rule with in direction, and since this is 2010 and stateful firewalls are common, a state will be created which lets the outgoing packet pass out without any ruleset search, just the state search.

    OK, it sounds reasonable to me now. I had completely misunderstood the Floating tab.

    It would, however, mean that a pass out, rather than pass in/out, Floating rule will shape only half of the traffic if it is passing through pfsense. For example, for Web surfing: LAN -> pfsense -> WAN, a pair of (stateful) rules is created:

    (1) in for the LAN -> pfsense connection

    (2) out for the pfsense -> WAN connection

    If the Floating (shaping) rule is out only, then data downloaded from pfsense to LAN are not queued, right?

    I then wonder why the wizard-created Floating rules are all out, instead of any.



    It's plain and simple; I, who wrote the new shaper, know even the internals of pf(4) :).

    You shape on outgoing, so this happens:
    1- packet comes in on LAN
    2- matches a rule without any queue setup, creates respective state
    3- it goes outside WAN interface
    4- it matches a rule with a queue
    5- marks the packet to go to that queue and records this in the state just created
    6- packet goes finally out of WAN
    7- response packet comes in on WAN
    8- matches the previous state created and finds a queue has to be attached
    9- marks the packet with the queue
    10- packet goes outside LAN interface
    11- it matches the state created previously, since there is no queue it does not take any action
    NOTE: this means that the decision taken on WAN for queue still prevails
    12- it goes to the queue marked since it came in on WAN(if it can find it of course)
    13-finally goes out of LAN

    That is the reason that the queues by the wizard are created with the same name on LAN and WAN; it is not just a cosmetic coincidence :).

    Hope that clears it up for you.
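A toy model of the 13-step queue hand-off described in this post, added here as an example rather than anything from pfSense or pf(4): interface, queue and rule names are constructed, and the model reproduces only the behaviour described above (the queue is recorded in the state at WAN out, and the LAN-bound reply lands in it only if LAN defines a queue of the same name, otherwise the default queue).

```python
# Toy model of pf carrying a queue inside the state, as ermal describes above.
# Added example, not pfSense or pf(4) code; interface, queue and rule names are constructed.
from dataclasses import dataclass, field
from typing import Optional
DEFAULT_QUEUE = "qP2P"  # the wizard's default queue in this thread

@dataclass
class Rule:
    direction: str               # "in" or "out"
    iface: str                   # "lan" or "wan" (constructed names)
    queue: Optional[str] = None  # queue the rule assigns, if any

@dataclass
class Firewall:
    rules: list
    queues: dict                 # iface -> set of queue names defined on that interface
    states: dict = field(default_factory=dict)  # flow -> {"queue": name or None}

    def first_match(self, iface, direction, need_queue=False):
        return next((r for r in self.rules if r.iface == iface and r.direction == direction
                     and (r.queue or not need_queue)), None)

    def handle(self, flow, iface, direction):
        """One packet of `flow` seen on `iface`; returns the queue used on egress."""
        st = self.states.get(flow)
        if st is None:                       # steps 1-2: no state yet, consult the ruleset
            rule = self.first_match(iface, direction)
            if rule is None:
                return "blocked"
            st = self.states[flow] = {"queue": rule.queue}
        elif st["queue"] is None:            # steps 4-5: state has no queue yet, look for one
            rule = self.first_match(iface, direction, need_queue=True)
            if rule:
                st["queue"] = rule.queue
        # steps 8-9 and 11: once the state carries a queue, the ruleset takes no action
        if direction == "in":
            return None
        # step 12: the recorded queue only applies if this egress interface defines it
        return st["queue"] if st["queue"] in self.queues.get(iface, ()) else DEFAULT_QUEUE

def web_surf(fw, flow="pc->web"):
    """Request (LAN in, WAN out) then reply (WAN in, LAN out); returns both egress queues."""
    fw.handle(flow, "lan", "in")
    up = fw.handle(flow, "wan", "out")
    fw.handle(flow, "wan", "in")
    return up, fw.handle(flow, "lan", "out")
RULES = [Rule("in", "lan"), Rule("out", "wan", "qOthersHigh"), Rule("out", "lan", "qOthersHigh")]
# wizard layout: same queue names on LAN and WAN, so the reply also lands in qOthersHigh
WIZARD = Firewall(RULES, {"lan": {"qP2P", "qOthersHigh"}, "wan": {"qP2P", "qOthersHigh"}})
# LAN lacks the name recorded at WAN out, so the reply falls back to the default queue
MISMATCH = Firewall(RULES, {"lan": {"qP2P", "qLAN"}, "wan": {"qP2P", "qOthersHigh"}})
```

Note that the LAN in rule carries no queue in either layout, yet the download direction is still shaped in the WIZARD case, because the queue rides in the state created on the way out.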



  • :)
    That in/out and floating tab and the default direction under LAN, OPT1 also took some time for me to understand in the past, mostly trial and error. Maybe a page explaining the directions etc. and how rules are matched, based on examples, would stop this question from arising again in the future, as there are some things that still confuse me and might confuse others also.

    For example: a rule under the LAN tab with source as a LAN client and destination as * should be upload but is considered download.



    @ermal: thank you for your patch. It works. Now we can shape pfSense's control traffic completely if we remove the system rule guaranteeing complete control (the anti-lockout rule).

    @ermal:

    It's plain and simple; I, who wrote the new shaper, know even the internals of pf(4) :).

    You shape on outgoing, so this happens:
    1- packet comes in on LAN
    2- matches a rule without any queue setup, creates respective state
    3- it goes outside WAN interface
    4- it matches a rule with a queue
    5- marks the packet to go to that queue and records this in the state just created
    6- packet goes finally out of WAN
    7- response packet comes in on WAN
    8- matches the previous state created and finds a queue has to be attached
    9- marks the packet with the queue
    10- packet goes outside LAN interface
    11- it matches the state created previously, since there is no queue it does not take any action
    NOTE: this means that the decision taken on WAN for queue still prevails
    12- it goes to the queue marked since it came in on WAN(if it can find it of course)
    13-finally goes out of LAN

    That is the reason that the queues by the wizard are created with the same name on LAN and WAN; it is not just a cosmetic coincidence :).

    Hope that clears it up for you.

    Definitely. Things are much clearer to me now. Thank you very much.

    I have one more question: what if the rule at step 2 is also with queue(s)?

    -Will the LAN-to-WAN packet be queued twice? If only once, in what queue?

    -Similarly for the response (WAN-to-LAN) packet.

    Sorry if these questions seem dumb. But as the queue view was removed from pftop three years ago, no tools to evaluate pfSense quantitatively exist.

    @xbipin: I agree. Actually I've followed the Traffic Shaping Guide (wiki page) but it does not help very much since it lacks basic information on when, where and how shaping decisions are made.



    Sorry to hijack this thread, but how about we open a thread discussing all the rules and traffic shaping stuff and write a doc on it for dummies, because the more options that appear in the GUI, the more questions arise, such as:

    • why do floating rules have an in/out selection and WAN, LAN and OPT1 don't
    • is it necessary to select the interface in floating tab rules, as we can multi-select it, and what if we select it and what if we don't
    • where should the shaping rules for download and upload appear: floating tab, LAN or WAN

    etc etc

    It will also help us better understand the internal workings of the shaper as well as pfSense itself.


Locked