Traffic Shaper: Floating Tab ineffective
-
For traffic shaping I've been using Floating Tab (with mostly the default settings) exclusively.
It worked for me for about two years. But starting from a snapshot that was released some time in the last few months, it has accidentally stopped working.
For example, I have an NTP server that I've configured to queue into qGames (which is reserved exclusively for NTP traffics). But only downloaded NTP packets are queued qGames (on LAN interface). The uploaded packets do not get to the expected WAN's and OPTx's qGames.
I'm using Mon Mar 21 16:31:05 EDT 2011 snapshot and the problem remains.
-
Are you using the new Queue Action instead of the PASS Action within your rules?
-
@onhel:
Are you using the new Queue Action instead of the PASS Action within your rules?
No I'm not. I use the Pass action everywhere.
Should I change it to Queue action in the Floating tab? (May be dumb question but I really don't know what is the Queue action supposed to do.)
Thanks,
-
Be sure to set Direction to Any as well. Ermal has made several changes to the Traffic Shaper within the last couple of months.
The following links should explain some of his most recent commits.
http://forum.pfsense.org/index.php/topic,33813.msg175472.html#msg175472
http://forum.pfsense.org/index.php/topic,33568.msg174021.html#msg174021
-
I can confirm that using the Queue action for rules on the floating tab seems to be working correctly.
-
it should not matter though. Previous rules should work as is without any changes!
You are sure that they are not overriden by any other rule? -
@Ermal: Do quickmatch floating rules take priority over interface rules?
-
@ermal:
it should not matter though. Previous rules should work as is without any changes!
You are sure that they are not overriden by any other rule?But setting the direction from Out to Any should matter with the changes you've made.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/c54c9d15d3c1658e959df44125fa8a4aaee2f4d7
-
@onhel,tacfit: I'll try to change the action from Pass to Queue and will report back. Thanks.
But I'm afraid I can't change the direction from Out to Any since it would generate an In rule (rather than an In rule plus an Out rule, an Any rule, or anything meaningful) that would lead to routing problem in my pfsense.
@ermal: I'm sure the NTP rule is not overriden. Bellow is my rule list. The NTP rule is @65. The only other NTP related rules are @94 and @95.
@0 scrub in on em1 all fragment reassemble [ Evaluations: 189088810 Packets: 43633412 Bytes: 3055431624 States: 0 ] [ Inserted: uid 0 pid 20568 ] @1 scrub in on em4 all fragment reassemble [ Evaluations: 96208300 Packets: 8887050 Bytes: 4616567210 States: 0 ] [ Inserted: uid 0 pid 20568 ] @2 scrub in on em5 all fragment reassemble [ Evaluations: 79370034 Packets: 10245929 Bytes: 4856074451 States: 0 ] [ Inserted: uid 0 pid 20568 ] @3 scrub in on em3 all fragment reassemble [ Evaluations: 60239249 Packets: 18805514 Bytes: 11537249930 States: 0 ] [ Inserted: uid 0 pid 20568 ] @4 scrub in on em2 all fragment reassemble [ Evaluations: 22486005 Packets: 11931611 Bytes: 6053874459 States: 0 ] [ Inserted: uid 0 pid 20568 ] @0 anchor "relayd/*" all [ Evaluations: 2332464 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @1 block drop in all label "Default deny rule" [ Evaluations: 2332464 Packets: 31588 Bytes: 43027955 States: 0 ] [ Inserted: uid 0 pid 20568 ] @2 block drop out all label "Default deny rule" [ Evaluations: 2332464 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @3 block drop in quick inet6 all [ Evaluations: 2332464 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @4 block drop out quick inet6 all [ Evaluations: 1150444 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @5 block drop quick proto tcp from any port = 0 to any [ Evaluations: 2332464 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @6 block drop quick proto tcp from any to any port = 0 [ Evaluations: 789291 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @7 block drop quick proto udp from any port = 0 to any [ Evaluations: 2332464 Packets: 1 Bytes: 76 States: 0 ] [ Inserted: uid 0 pid 20568 ] @8 block drop quick proto udp from any to any port = 0 [ Evaluations: 1538770 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @9 block drop quick from <snort2c:0> to any label "Block snort2c hosts" [ Evaluations: 2332463 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @10 block drop quick from any to <snort2c:0> label "Block snort2c hosts" [ Evaluations: 2332463 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @11 block drop quick from <pfsnortsamout:0> to any label "Block pfSnortSamOut hosts" [ Evaluations: 2332463 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @12 block drop quick from any to <pfsnortsamin:0> label "Block pfSnortSamIn hosts" [ Evaluations: 2332463 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @13 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout" [ Evaluations: 2332463 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @14 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = 31443 label "webConfiguratorlockout" [ Evaluations: 410343 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @15 block drop in quick from <virusprot:0> to any label "virusprot overload table" [ Evaluations: 1182019 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @16 block drop in on ! em1 inet from 192.168.0.72/29 to any [ Evaluations: 1182019 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @17 block drop in inet from 192.168.0.74 to any [ Evaluations: 1182019 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @18 block drop in on em1 inet6 from fe80::20c:29ff:fe45:205e to any [ Evaluations: 1182019 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @19 pass in on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" [ Evaluations: 521344 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @20 pass in on em1 inet proto udp from any port = bootpc to 192.168.0.74 port = bootps keep state label "allow access to DHCP server" [ Evaluations: 5 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @21 pass out on em1 inet proto udp from 192.168.0.74 port = bootps to any port = bootpc keep state label "allow access to DHCP server" [ Evaluations: 1294184 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @22 block drop in on ! em4 inet from 192.168.0.64/30 to any [ Evaluations: 2332465 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @23 block drop in inet from 192.168.0.66 to any [ Evaluations: 1271553 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @24 block drop in on ! em5 inet from 192.168.0.68/30 to any [ Evaluations: 1182020 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @25 block drop in inet from 192.168.0.70 to any [ Evaluations: 1182020 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @26 block drop in on ! em3 inet from 192.168.0.80/29 to any [ Evaluations: 1182020 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @27 block drop in inet from 192.168.0.82 to any [ Evaluations: 1182020 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @28 block drop in on ! em2 inet from 192.168.0.88/30 to any [ Evaluations: 1182020 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @29 block drop in inet from 192.168.0.90 to any [ Evaluations: 1182020 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @30 block drop in on em4 inet6 from fe80::20c:29ff:fe45:207c to any [ Evaluations: 1182020 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @31 block drop in on em5 inet6 from fe80::20c:29ff:fe45:2086 to any [ Evaluations: 998890 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @32 block drop in on em3 inet6 from fe80::20c:29ff:fe45:2072 to any [ Evaluations: 821277 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @33 block drop in on em2 inet6 from fe80::20c:29ff:fe45:2068 to any [ Evaluations: 670135 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @34 pass in on lo0 all flags S/SA keep state label "pass loopback" [ Evaluations: 1182020 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @35 pass out on lo0 all flags S/SA keep state label "pass loopback" [ Evaluations: 1150445 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @36 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 2332465 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @37 pass out route-to (em1 192.168.0.75) inet from 192.168.0.74 to ! 192.168.0.72/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 1150445 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @38 pass out route-to (em4 192.168.0.65) inet from 192.168.0.66 to ! 192.168.0.64/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 1150445 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @39 pass out route-to (em5 192.168.0.69) inet from 192.168.0.70 to ! 192.168.0.68/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 1150445 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @40 pass out route-to (em3 192.168.0.81) inet from 192.168.0.82 to ! 192.168.0.80/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 1150445 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @41 pass out route-to (em2 192.168.0.89) inet from 192.168.0.90 to ! 192.168.0.88/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 1150445 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @42 pass out proto udp all keep state label "USER_RULE: Default UDP" queue qP2P [ Evaluations: 1150445 Packets: 2332001 Bytes: 1904433733 States: 92 ] [ Inserted: uid 0 pid 20568 ] @43 pass out proto tcp all flags S/SA keep state label "USER_RULE: Default TCP" queue qP2P [ Evaluations: 1150445 Packets: 3577717 Bytes: 1506347283 States: 219 ] [ Inserted: uid 0 pid 20568 ] @44 pass out quick inet proto icmp all keep state label "USER_RULE: ICMP outbound" queue qOthersHigh [ Evaluations: 1150445 Packets: 35171 Bytes: 1536464 States: 5 ] [ Inserted: uid 0 pid 20568 ] @45 pass out proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: HTTP outbound" queue(qOthersDefault, qACK) [ Evaluations: 1148363 Packets: 34184414 Bytes: 25795061695 States: 1918 ] [ Inserted: uid 0 pid 20568 ] @46 pass out proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: HTTPS outbound" queue(qOthersDefault, qACK) [ Evaluations: 378948 Packets: 980611 Bytes: 544192634 States: 209 ] [ Inserted: uid 0 pid 20568 ] @47 pass out proto tcp from any to any port 6880 >< 7000 flags S/SA keep state label "USER_RULE: m_P2P BitTorrent outbound" queue qP2P [ Evaluations: 378948 Packets: 934 Bytes: 116157 States: 1 ] [ Inserted: uid 0 pid 20568 ] @48 pass out proto udp from any to any port 6880 >< 7000 keep state label "USER_RULE: m_P2P BitTorrent outbound" queue qP2P [ Evaluations: 769518 Packets: 5983 Bytes: 1224252 States: 12 ] [ Inserted: uid 0 pid 20568 ] @49 pass out proto udp from any to any port = isakmp keep state label "USER_RULE: IPSEC outbound" queue qOthersHigh [ Evaluations: 1148261 Packets: 7 Bytes: 3243 States: 0 ] [ Inserted: uid 0 pid 20568 ] @50 pass out proto udp from any to any port = sae-urn keep state label "USER_RULE: IPSEC outbound" queue qOthersHigh [ Evaluations: 769415 Packets: 1097 Bytes: 341747 States: 0 ] [ Inserted: uid 0 pid 20568 ] @51 pass out proto tcp from any to any port = rtsp flags S/SA keep state label "USER_RULE: RTSP1 outbound" queue(qOthersHigh, qACK) [ Evaluations: 1148365 Packets: 243199 Bytes: 227887991 States: 1 ] [ Inserted: uid 0 pid 20568 ] @52 pass out proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: SMTP outbound" queue(qOthersLow, qACK) [ Evaluations: 378949 Packets: 395639 Bytes: 338354814 States: 1 ] [ Inserted: uid 0 pid 20568 ] @53 pass out proto tcp from any to any port = smtps flags S/SA keep state label "USER_RULE: SMTP/S outbound" queue(qOthersLow, qACK) [ Evaluations: 378949 Packets: 577 Bytes: 86166 States: 0 ] [ Inserted: uid 0 pid 20568 ] @54 pass out proto tcp from any to any port = pop3 flags S/SA keep state label "USER_RULE: POP3 outbound" queue(qOthersLow, qACK) [ Evaluations: 378949 Packets: 23967 Bytes: 18211975 States: 4 ] [ Inserted: uid 0 pid 20568 ] @55 pass out proto tcp from any to any port = pop3s flags S/SA keep state label "USER_RULE: POP3/S outbound" queue(qOthersLow, qACK) [ Evaluations: 378949 Packets: 1070 Bytes: 156927 States: 0 ] [ Inserted: uid 0 pid 20568 ] @56 pass out proto tcp from any to any port = imap flags S/SA keep state label "USER_RULE: IMAP outbound" queue(qOthersLow, qACK) [ Evaluations: 378949 Packets: 19139 Bytes: 3674741 States: 9 ] [ Inserted: uid 0 pid 20568 ] @57 pass out proto tcp from any to any port = imaps flags S/SA keep state label "USER_RULE: IMAP/S outbound" queue(qOthersLow, qACK) [ Evaluations: 378949 Packets: 5754 Bytes: 1685275 States: 2 ] [ Inserted: uid 0 pid 20568 ] @58 pass out proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: DNS1 outbound" queue(qOthersHigh, qACK) [ Evaluations: 378949 Packets: 254 Bytes: 14873 States: 0 ] [ Inserted: uid 0 pid 20568 ] @59 pass out proto udp from any to any port = domain keep state label "USER_RULE: DNS2 outbound" queue qOthersHigh [ Evaluations: 769441 Packets: 154701 Bytes: 16587972 States: 116 ] [ Inserted: uid 0 pid 20568 ] @60 pass out proto tcp from any to any port = microsoft-ds flags S/SA keep state label "USER_RULE: SMB1 outbound" queue(qOthersHigh, qACK) [ Evaluations: 1148366 Packets: 1725 Bytes: 78256 States: 0 ] [ Inserted: uid 0 pid 20568 ] @61 pass out proto tcp from any to any port 136 >< 140 flags S/SA keep state label "USER_RULE: SMB2 outbound" queue(qOthersHigh, qACK) [ Evaluations: 378949 Packets: 118 Bytes: 7176 States: 0 ] [ Inserted: uid 0 pid 20568 ] @62 pass out proto tcp from any to any port = 10443 flags S/SA keep state label "USER_RULE: Central SSL VPN outbound" queue(qOthersHigh, qACK) [ Evaluations: 378949 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @63 pass out proto tcp from any to any port = nntp flags S/SA keep state label "USER_RULE: NNTP1 outbound" queue(qOthersLow, qACK) [ Evaluations: 378949 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @64 pass out proto udp from any to any port = nntp keep state label "USER_RULE: NNTP2 outbound" queue qOthersLow [ Evaluations: 769417 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @65 pass out proto udp from any to any port = ntp keep state label "USER_RULE: NTP outbound" queue qGames [ Evaluations: 1148366 Packets: 2151511 Bytes: 179299447 States: 1486 ] [ Inserted: uid 0 pid 20568 ] @66 pass out proto tcp from any to any port = 30443 flags S/SA keep state label "USER_RULE: Central Control outbound" queue(qOthersHigh, qACK) [ Evaluations: 1148366 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @67 pass out proto tcp from any to any port = 32443 flags S/SA keep state label "USER_RULE: Central Control 2 outbound" queue(qOthersHigh, qACK) [ Evaluations: 378949 Packets: 737609 Bytes: 126107838 States: 365 ] [ Inserted: uid 0 pid 20568 ] @68 pass out quick proto tcp from <netvoip:2> to any flags S/SA keep state label "USER_RULE: VoIP out" queue qVoIP [ Evaluations: 378949 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @69 pass out quick proto udp from <netvoip:2> to any keep state label "USER_RULE: VoIP out" queue qVoIP [ Evaluations: 769417 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @70 pass out quick proto tcp from any to <netvoip:2> flags S/SA keep state label "USER_RULE: VoIP out" queue qVoIP [ Evaluations: 1148366 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @71 pass out quick proto udp from any to <netvoip:2> keep state label "USER_RULE: VoIP out" queue qVoIP [ Evaluations: 769417 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @72 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.64/29 flags S/SA keep state label "USER_RULE: route to VP8+VP9 via default" [ Evaluations: 2330389 Packets: 368854 Bytes: 63484256 States: 183 ] [ Inserted: uid 0 pid 20568 ] @73 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.80/29 flags S/SA keep state label "USER_RULE: route to vt4 via default" [ Evaluations: 495017 Packets: 184394 Bytes: 30896045 States: 91 ] [ Inserted: uid 0 pid 20568 ] @74 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.88/30 flags S/SA keep state label "USER_RULE: route to VP5 device via default" [ Evaluations: 481854 Packets: 184363 Bytes: 31728186 States: 91 ] [ Inserted: uid 0 pid 20568 ] @75 pass in quick on em1 reply-to (em1 192.168.0.75) inet from <netc:1> to <gateway_public:4> flags S/SA keep state label "USER_RULE: enroute pub IPs. Useless. No NAT refl in m0n0" [ Evaluations: 468699 Packets: 2642 Bytes: 134532 States: 0 ] [ Inserted: uid 0 pid 20568 ] @76 pass in quick on em1 inet proto tcp from 192.168.12.23 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 467684 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @77 pass in quick on em1 route-to (em4 192.168.0.65) inet proto tcp from 192.168.12.23 to any port = smtp flags S/SA keep state label "USER_RULE: mx1.corp1.com, VP8 only" [ Evaluations: 3 Packets: 5205 Bytes: 4710855 States: 0 ] [ Inserted: uid 0 pid 20568 ] @78 pass in quick on em1 inet proto tcp from 192.168.12.5 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 321920 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @79 pass in quick on em1 route-to (em5 192.168.0.69) inet proto tcp from 192.168.12.5 to any port = smtp flags S/SA keep state label "USER_RULE: mail.corp9.com, VP9 only" [ Evaluations: 305 Packets: 215813 Bytes: 192739232 States: 1 ] [ Inserted: uid 0 pid 20568 ] @80 pass in quick on em1 inet proto tcp from 192.168.12.17 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 321877 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @81 pass in quick on em1 route-to (em2 192.168.0.89) inet proto tcp from 192.168.12.17 to any port = smtp flags S/SA keep state label "USER_RULE: mail.corp5.com, VP5 only" [ Evaluations: 549 Packets: 15 Bytes: 844 States: 0 ] [ Inserted: uid 0 pid 20568 ] @82 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 321873 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @83 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: other SMTP servers out, VT4 only" [ Evaluations: 321873 Packets: 4089 Bytes: 3647784 States: 0 ] [ Inserted: uid 0 pid 20568 ] @84 pass in quick on em1 proto tcp from <netcservers:4> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 321865 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @85 pass in quick on em1 proto udp from <netcservers:4> to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 145761 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @86 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netcservers:4> to any port = domain flags S/SA keep state label "USER_RULE: critical DNS servers out, VT4 first" [ Evaluations: 73924 Packets: 254 Bytes: 14873 States: 0 ] [ Inserted: uid 0 pid 20568 ] @87 pass in quick on em1 route-to (em3 192.168.0.81) inet proto udp from <netcservers:4> to any port = domain keep state label "USER_RULE: critical DNS servers out, VT4 first" [ Evaluations: 72886 Packets: 135055 Bytes: 14689722 States: 112 ] [ Inserted: uid 0 pid 20568 ] @88 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 398903 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @89 pass in quick on em1 proto udp from any to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 77063 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @90 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: other DNS clients out, VP first" [ Evaluations: 398903 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @91 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto udp from any to any port = domain keep state label "USER_RULE: other DNS clients out, VP first" [ Evaluations: 77063 Packets: 19638 Bytes: 1897430 States: 4 ] [ Inserted: uid 0 pid 20568 ] @92 pass in quick on em1 proto tcp from <netcservers:4> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 391395 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @93 pass in quick on em1 proto udp from <netcservers:4> to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 69555 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @94 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netcservers:4> to any port = ntp flags S/SA keep state label "USER_RULE: critical NTP clients out, VT4 first" [ Evaluations: 5201 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @95 pass in quick on em1 route-to (em3 192.168.0.81) inet proto udp from <netcservers:4> to any port = ntp keep state label "USER_RULE: critical NTP clients out, VT4 first" [ Evaluations: 4188 Packets: 3919 Bytes: 297844 States: 1 ] [ Inserted: uid 0 pid 20568 ] @96 pass in quick on em1 route-to (em2 192.168.0.89) inet proto tcp from any to <uniplex:1> port = http flags S/SA keep state label "USER_RULE: Websites that allow single IP clients only" [ Evaluations: 389403 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @97 pass in quick on em1 route-to (em2 192.168.0.89) inet proto tcp from any to <uniplex:1> port = https flags S/SA keep state label "USER_RULE: Websites that allow single IP clients only" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @98 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp from any to <vtblocked:3> port = http flags S/SA keep state label "USER_RULE: HTTP abroad blocked by VT4" [ Evaluations: 321840 Packets: 34865 Bytes: 1883688 States: 47 ] [ Inserted: uid 0 pid 20568 ] @99 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp from any to <vtblocked:3> port = https flags S/SA keep state label "USER_RULE: HTTPS abroad blocked by VT4" [ Evaluations: 133 Packets: 6385 Bytes: 3475721 States: 3 ] [ Inserted: uid 0 pid 20568 ] @100 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to <domestic:142> port = http flags S/SA keep state label "USER_RULE: HTTP domestic out, VT4 first" [ Evaluations: 314414 Packets: 16035634 Bytes: 12195379855 States: 748 ] [ Inserted: uid 0 pid 20568 ] @101 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to <domestic:142> port = https flags S/SA keep state label "USER_RULE: HTTPS domestic out, VT4 first" [ Evaluations: 8693 Packets: 64888 Bytes: 18790201 States: 7 ] [ Inserted: uid 0 pid 20568 ] @102 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 147381 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @103 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: HTTP abroad out VP first" [ Evaluations: 147381 Packets: 17572320 Bytes: 12935158689 States: 1092 ] [ Inserted: uid 0 pid 20568 ] @104 pass in log quick on em1 route-to (em2 192.168.0.89) inet proto udp from any to <gw_td1:1> port = isakmp keep state label "USER_RULE: IKE to Site D -- VP5 only" queue qOthersHigh [ Evaluations: 95184 Packets: 1 Bytes: 424 States: 0 ] [ Inserted: uid 0 pid 20568 ] @105 pass in log quick on em1 route-to (em2 192.168.0.89) inet proto udp from any to <gw_td1:1> port = sae-urn keep state label "USER_RULE: ESP to Site D -- VP5 only" queue qOthersHigh [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @106 pass in quick on em1 proto tcp from <netc:1> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 95183 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @107 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netc:1> to any port = mmcc flags S/SA keep state label "USER_RULE: YIM, VT4 first" [ Evaluations: 27621 Packets: 117604 Bytes: 13593807 States: 105 ] [ Inserted: uid 0 pid 20568 ] @108 pass in quick on em1 proto tcp from <netvoip:2> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 27378 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @109 pass in quick on em1 proto udp from <netvoip:2> to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 67562 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @110 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netvoip:2> to any flags S/SA keep state label "USER_RULE: VoIP out" [ Evaluations: 2128 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @111 pass in quick on em1 route-to (em3 192.168.0.81) inet proto udp from <netvoip:2> to any keep state label "USER_RULE: VoIP out" [ Evaluations: 2128 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @112 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 94940 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @113 pass in quick on em1 proto udp from any to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 67562 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @114 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp all flags S/SA keep state label "USER_RULE: Other TCP/UDP out" [ Evaluations: 94940 Packets: 4657593 Bytes: 2269505688 States: 321 ] [ Inserted: uid 0 pid 20568 ] @115 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto udp all keep state label "USER_RULE: Other TCP/UDP out" [ Evaluations: 67604 Packets: 2384635 Bytes: 1911039494 States: 103 ] [ Inserted: uid 0 pid 20568 ] @116 pass in quick on em1 inet proto icmp from any to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" [ Evaluations: 2170 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @117 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em3 192.168.0.81), (em2 192.168.0.89) } round-robin inet proto icmp all keep state label "USER_RULE: ICMP out" [ Evaluations: 1891 Packets: 50915 Bytes: 2481104 States: 5 ] [ Inserted: uid 0 pid 20568 ] @118 pass in quick on em4 reply-to (em4 192.168.0.65) inet all flags S/SA keep state label "USER_RULE: Pass in on VP8 all" [ Evaluations: 1179891 Packets: 868660 Bytes: 260224431 States: 488 ] [ Inserted: uid 0 pid 20568 ] @119 pass in quick on em5 reply-to (em5 192.168.0.69) inet all flags S/SA keep state label "USER_RULE: Pass in on VP9 all" [ Evaluations: 917958 Packets: 1673675 Bytes: 245944766 States: 167 ] [ Inserted: uid 0 pid 20568 ] @120 pass in quick on em3 reply-to (em3 192.168.0.81) inet all flags S/SA keep state label "USER_RULE: Pass all in OPT3" [ Evaluations: 661689 Packets: 1034489 Bytes: 614818578 States: 324 ] [ Inserted: uid 0 pid 20568 ] @121 pass in quick on em2 reply-to (em2 192.168.0.89) inet proto udp from any to any port = isakmp keep state label "USER_RULE: IKE in" queue qOthersHigh [ Evaluations: 259423 Packets: 4 Bytes: 1648 States: 0 ] [ Inserted: uid 0 pid 20568 ] @122 pass in quick on em2 reply-to (em2 192.168.0.89) inet proto udp from any to any port = sae-urn keep state label "USER_RULE: IPSEC in" queue qOthersHigh [ Evaluations: 138234 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ] @123 pass in quick on em2 reply-to (em2 192.168.0.89) inet all flags S/SA keep state label "USER_RULE: pass all in" [ Evaluations: 148791 Packets: 574918 Bytes: 44720184 States: 534 ] [ Inserted: uid 0 pid 20568 ] @124 anchor "tftp-proxy/*" all [ Evaluations: 1179954 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 20568 ]</vpns:*></vpns:*></vpns:*></netvoip:2></netvoip:2></vpns:*></netvoip:2></vpns:*></netvoip:2></netc:1></vpns:*></netc:1></gw_td1:1></gw_td1:1></vpns:*></domestic:142></domestic:142></vtblocked:3></vtblocked:3></uniplex:1></uniplex:1></netcservers:4></netcservers:4></vpns:*></netcservers:4></vpns:*></netcservers:4></vpns:*></vpns:*></netcservers:4></netcservers:4></vpns:*></netcservers:4></vpns:*></netcservers:4></vpns:*></vpns:*></vpns:*></vpns:*></gateway_public:4></netc:1></netvoip:2></netvoip:2></netvoip:2></netvoip:2></virusprot:0></webconfiguratorlockout:0></sshlockout:0></pfsnortsamin:0></pfsnortsamout:0></snort2c:0></snort2c:0> -
I am not sure what is em1 interface but if that is wan then it will override the pass out rule.
Match/Queue action rules are not firewall rules they are just used for selecting the queue.
After a firewall rule with action pass matches and it has not a queue selected the queue from the previoused match/queue action rule will be used.
So a Queue action rule does not open any firewall ports or does not allow any traffic. -
@ermal:
I am not sure what is em1 interface but if that is wan then it will override the pass out rule.
em1 is LAN. But even if it was WAN, @94 and @95 couldn't override @65 as they are Pass In rules.
@ermal:
Match/Queue action rules are not firewall rules they are just used for selecting the queue.
After a firewall rule with action pass matches and it has not a queue selected the queue from the previoused match/queue action rule will be used.
So a Queue action rule does not open any firewall ports or does not allow any traffic.I changed action from Pass (out) to Queue for many rules in the Floating tab (including @43 and @44 which are the default pass out rules for TCP and UDP). And traffics are still passed out normally.
-
By changing only the action from Pass to Queue, nothing new happens. NTP packets outgoing OPTx are not queued in qGames.
I've then changed the direction from Out to Any (by the Web UI), following onhel's advice. pftop now shows that the actual direction has changed from Out to In, and the packet and byte counters on qGames on OPTx has started increment, indicating that NTP traffic are now queued correctly.
However, the same approach does not seem to help in case of NAT-T IPsec. My IPsec device is located in the LAN and must pass through pfsense (port 500 and 4500 UDP) to initiate a tunnel or respond to tunneling request from a remote IPsec device on the Internet. For the purpose of testing, I've reserved qVoIP for IPsec exclusively. No matter what I do, there is always one direction that gets wrong, i.e. either downloaded or uploaded packets do not appear in the expected queue.
So, I wonder what is the best approach to my simple needs – a multi-WAN router and traffic shaper, no firewalling, just pass everything through, in any directions.
-
to add to this thread, i just noticed that most of my floating tab rules also stopped working and i see traffic in the default queue
-
That could be due to recent changes in the shaper, that dropped all download queues. Check your queues on the download side.
-
By changing only the action from Pass to Queue, nothing new happens. NTP packets outgoing OPTx are not queued in qGames.
I've then changed the direction from Out to Any (by the Web UI), following onhel's advice. pftop now shows that the actual direction has changed from Out to In, and the packet and byte counters on qGames on OPTx has started increment, indicating that NTP traffic are now queued correctly.
I am not sure why pftop reports it as in although you have configured it as all directions.
You have to keep in mind that the same previous rules are used the match/queue action just helps have define firewall rules and shaping rules differently while before you had to do on the same rule.
The traffic outgoing pfSense is always allowed since there are default rules for it which policy route the traffic accordingly.However, the same approach does not seem to help in case of NAT-T IPsec. My IPsec device is located in the LAN and must pass through pfsense (port 500 and 4500 UDP) to initiate a tunnel or respond to tunneling request from a remote IPsec device on the Internet. For the purpose of testing, I've reserved qVoIP for IPsec exclusively. No matter what I do, there is always one direction that gets wrong, i.e. either downloaded or uploaded packets do not appear in the expected queue.
So, I wonder what is the best approach to my simple needs – a multi-WAN router and traffic shaper, no firewalling, just pass everything through, in any directions.
With the new approach if you put a Queue/Match action rule on the floating tab for those ports without any direction selected that should do.
Though really nothing should change for existing installs.
Do you have any previous versions of rules.debug and a new one so i can compare or even send me privately your config to verify that actually there is not something wrong in pfSense per se?! -
@ermal:
By changing only the action from Pass to Queue, nothing new happens. NTP packets outgoing OPTx are not queued in qGames.
I've then changed the direction from Out to Any (by the Web UI), following onhel's advice. pftop now shows that the actual direction has changed from Out to In, and the packet and byte counters on qGames on OPTx has started increment, indicating that NTP traffic are now queued correctly.
I am not sure why pftop reports it as in although you have configured it as all directions.
I've found more pftop issues that could be related to the new Queue (match) action. In View 6, for all Queue(match) rules, the action is displayed as "11" instead of "match" or "queue". In View 6, the packet counters and byte counters are zeros for some Queue (match) action rules although View 8 (Queue View) shows that the corresponding rules do apply.
You have to keep in mind that the same previous rules are used the match/queue action just helps have define firewall rules and shaping rules differently while before you had to do on the same rule.
You're right. I've tried to change all Pass Out rules to Queue Any and pfsense stopped passing traffics through. Strange is, that traffic blocking did not occur immediately. For some traffics, it take hours to be effective. For others, it couldn't take effect without manual intervention (see below).
The traffic outgoing pfSense is always allowed since there are default rules for it which policy route the traffic accordingly.
The default rules only apply to traffic from the pfSense host itself, right?
However, the same approach does not seem to help in case of NAT-T IPsec. My IPsec device is located in the LAN and must pass through pfsense (port 500 and 4500 UDP) to initiate a tunnel or respond to tunneling request from a remote IPsec device on the Internet. For the purpose of testing, I've reserved qVoIP for IPsec exclusively. No matter what I do, there is always one direction that gets wrong, i.e. either downloaded or uploaded packets do not appear in the expected queue.
So, I wonder what is the best approach to my simple needs – a multi-WAN router and traffic shaper, no firewalling, just pass everything through, in any directions.
With the new approach if you put a Queue/Match action rule on the floating tab for those ports without any direction selected that should do.
Here are how I follow your advice:
1. I added a "default" Pass Out rule that Passes everything Out every interface (in the Floating tab).
2. Then I changed all other rules (which were Pass Out) in the Floating tab to Queue Any. (The rules are then listed as Match without direction in status.php rule list.)
3. I then made sure every rule in LAN/WAN/OPTx tabs are without queues. (The rules are then listed as Pass In in rule list.)
4. Then I stopped all IPsec devices, local and remote. (This step is necessary. Without it, new rules do not take effect.)
5. Finally I restarted pfsense completely. (This is again necessary. Just an Apply new rules or Reset states do not suffice.)
6. I waited for a few minutes then started IPsec devices.
Given that, pftop View 8 now shows that IPsec traffics go in the correct queues (but View 6 doesn't confirm that). It is really pain to stop-restart-start on every change to see its effect. But thank you anyway.
Though really nothing should change for existing installs.
Do you have any previous versions of rules.debug and a new one so i can compare or even send me privately your config to verify that actually there is not something wrong in pfSense per se?!In order to test IPsec initiator / responder roles separately, I added Block/Reject rules (for IPsec in one direction), an action that I've never did before. Unfortunately, pfsense encountered a kernel panic.
I'm now back to Feb 14 snapshot.
I don't think I have to continue reporting on the shaping / routing topics until pftop issues and kernel panics are resolved.
-
Well pftop i will see if can be fixed to at least show action match and not action 11.
But really the match action rules will not have counters updated for the traffic they match.
This is a deficiency on 2.0 i might see what are the impacts of having that corrected are.About the panic a minidump report would have been nice. AFAIK there are no more issues related to panics and belived me Feb 14 is quite a dangerous snapshot for some uses :)
-
@ermal:
Well pftop i will see if can be fixed to at least show action match and not action 11.
But really the match action rules will not have counters updated for the traffic they match.
This is a deficiency on 2.0 i might see what are the impacts of having that corrected are.Then I must return to old pass out rules. When I make changes I would like to see the effects and pftop is the only tool for it. I can't live without it.
@ermal:
About the panic a minidump report would have been nice. AFAIK there are no more issues related to panics and belived me Feb 14 is quite a dangerous snapshot for some uses :)
Sorry. The panic occurs during a very busy work time. I went back to whatever snapshot I have in hand as quick as possible so that users couldn't even notice it :P .
I now update to the latest snapshot. Many thanks.
