Floating rule: packets pass out, responses get blocked

  • 2.0-RC1 (amd64)
    built on Mon Feb 28 20:07:11 EST 2011

    I'm confused. I'm trying to queue DNS packets to a high priority queue on the WAN egress. With no floating rule in place, DNS queries flow out, responses flow back in. Everybody is happy (except that it's flowing on the default queue, which does get congested).

    I have several internal interfaces, so rather than create a firewall rule on each of these to up-queue DNS packets, I created a single floating rule thus:

    Action: pass
    Proto: TCP/UDP
    Iface: WAN
    Direction: Out
    DPort: DNS
    Ackqueue/Queue: None/qHigh

    After saving and applying, DNS requests stopped being answered for all internal hosts and pfsense itself.

    I disabled the queue and enabled logging. The log shows packets being passed out to port 53 on various DNS servers. I ran tcpdump on the WAN and observed DNS queries going out and responses coming back. I then ran tcpdump on an internal interface and observed requests coming in, but no response going out.

    It appears then that DNS responses are getting blocked by pfsense. As soon as I disable my floating rule DNS resumes working as expected.


    edit: If I de-select the interface and apply changes, DNS responses again pass and the applied rule reads:

    @79 pass out log proto udp from any to any port = domain keep state label "USER_RULE: DNS outbound" queue qOthersHigh

    with WAN selected as the interface, DNS responses don't get back through pfsense, and the applied pass rule in the log reads:

    @79 pass out log on pppoe0 reply-to (pppoe0 inet proto udp from any to any port = domain keep state label "USER_RULE: DNS outbound" queue qOthersHigh
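    The only difference between the two applied rules quoted above is the `on pppoe0 reply-to (pppoe0 ...` clause that appears once WAN is selected as the interface. As an added check (not part of this thread, and not pfSense's own tooling), the script below scans the kind of output `pfctl -sr` produces for outbound pass rules that carry `reply-to`, so you can confirm from the live ruleset which variant of the floating rule is actually loaded before and after applying a change. The sample ruleset is constructed inline from the two lines above plus one made-up LAN rule; on a real box you would feed it `"$(pfctl -sr)"` instead.

```sh
#!/bin/sh
# Constructed sample of `pfctl -sr` output: the two rules quoted in the
# post plus one invented LAN rule. Not captured from a real system.
SAMPLE_RULES='@79 pass out log proto udp from any to any port = domain keep state label "USER_RULE: DNS outbound" queue qOthersHigh
@79 pass out log on pppoe0 reply-to (pppoe0 inet proto udp from any to any port = domain keep state label "USER_RULE: DNS outbound" queue qOthersHigh
@80 pass in quick on em1 inet from 192.168.1.0/24 to any keep state label "USER_RULE: LAN to any"'

# Print every outbound pass rule that carries a reply-to clause.
# $1 is the ruleset text (e.g. "$(pfctl -sr)"); prints nothing if none match.
flag_reply_to_out_rules() {
    printf '%s\n' "$1" | grep -E '^@[0-9]+ pass out .*reply-to \(' || true
}

# Number of such rules, as a plain integer (0 when none).
count_flagged() {
    flag_reply_to_out_rules "$1" | grep -c . || true
}

# For each flagged rule, show just the rule number, interface and queue,
# which is enough to map it back to the floating rule in the GUI.
summarize_flagged() {
    flag_reply_to_out_rules "$1" \
        | sed -E 's/^(@[0-9]+) .* on ([a-z0-9]+) reply-to .* queue ([A-Za-z0-9]+)$/\1 iface=\2 queue=\3/'
}

# Usage on the constructed sample: flags only the interface-bound rule.
summarize_flagged "$SAMPLE_RULES"
```

Run it as `sh check_reply_to.sh` on the sample, or substitute `"$(pfctl -sr)"` for `"$SAMPLE_RULES"` on the firewall; a non-empty result after applying the rule with WAN selected, and an empty one after de-selecting the interface, reproduces the difference described in the post.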

  • Not a traffic shaper guru by far but I've noticed using the wizard that TCP rules use qACK/q**** for Ackqueue/Queue, while UDP used none/q****. Try making two separate rules, one for TCP and one for UDP and see if it helps. I don't know the reasoning behind why the wizard creates the rules this way but I'm sure someone will enlighten us shortly.

    Also try setting Direction to any as per this recent commit and discussion


  • And use the new Queue action which does not impact traffic flow.

  • It would be cool to have a new icon on the Floating Rules Tab that shows that the rule is set to Queue instead of the green arrow that makes it appear that the rule is set to PASS. Block and Reject are the same icon but different color, maybe the Pass and Queue can be the same icon but different color as well. I'll put my vote in for black enabled and grey for disabled.  ;D