Traffic Shaper: Floating Tab ineffective



  • For traffic shaping I've been using Floating Tab (with mostly the default settings) exclusively.

    It worked for me for about two years. But starting from a snapshot that was released some time in the last few months, it has accidentally stopped working.

    For example, I have an NTP server that I've configured to queue into qGames (which is reserved exclusively for NTP traffic). But only downloaded NTP packets are queued into qGames (on the LAN interface). The uploaded packets do not get to the expected WAN's and OPTx's qGames.

    I'm using Mon Mar 21 16:31:05 EDT 2011 snapshot and the problem remains.



  • Are you using the new Queue Action instead of the PASS Action within your rules?



  • @onhel:

    Are you using the new Queue Action instead of the PASS Action within your rules?

    No I'm not. I use the Pass action everywhere.

    Should I change it to the Queue action in the Floating tab? (Maybe a dumb question, but I really don't know what the Queue action is supposed to do.)

    Thanks,



  • Be sure to set Direction to Any as well. Ermal has made several changes to the Traffic Shaper within the last couple of months.

    The following links should explain some of his most recent commits.

    http://forum.pfsense.org/index.php/topic,33813.msg175472.html#msg175472

    http://forum.pfsense.org/index.php/topic,33568.msg174021.html#msg174021



  • I can confirm that using the Queue action for rules on the floating tab seems to be working correctly.



  • @dusan,

    It should not matter though. Previous rules should work as is without any changes!
    Are you sure that they are not overridden by any other rule?



  • @Ermal: Do quickmatch floating rules take priority over interface rules?



  • @ermal:

    @dusan,

    It should not matter though. Previous rules should work as is without any changes!
    Are you sure that they are not overridden by any other rule?

    But setting the direction from Out to Any should matter with the changes you've made.

    https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/c54c9d15d3c1658e959df44125fa8a4aaee2f4d7



  • @onhel, tacfit: I'll try to change the action from Pass to Queue and will report back. Thanks.

    But I'm afraid I can't change the direction from Out to Any, since it would generate an In rule (rather than an In rule plus an Out rule, an Any rule, or anything meaningful) that would lead to routing problems in my pfSense.

    @ermal: I'm sure the NTP rule is not overridden. Below is my rule list. The NTP rule is @65. The only other NTP-related rules are @94 and @95.

    @0 scrub in on em1 all fragment reassemble
      [ Evaluations: 189088810  Packets: 43633412  Bytes: 3055431624  States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @1 scrub in on em4 all fragment reassemble
      [ Evaluations: 96208300  Packets: 8887050   Bytes: 4616567210  States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @2 scrub in on em5 all fragment reassemble
      [ Evaluations: 79370034  Packets: 10245929  Bytes: 4856074451  States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @3 scrub in on em3 all fragment reassemble
      [ Evaluations: 60239249  Packets: 18805514  Bytes: 11537249930  States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @4 scrub in on em2 all fragment reassemble
      [ Evaluations: 22486005  Packets: 11931611  Bytes: 6053874459  States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @0 anchor "relayd/*" all
      [ Evaluations: 2332464   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @1 block drop in all label "Default deny rule"
      [ Evaluations: 2332464   Packets: 31588     Bytes: 43027955    States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @2 block drop out all label "Default deny rule"
      [ Evaluations: 2332464   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @3 block drop in quick inet6 all
      [ Evaluations: 2332464   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @4 block drop out quick inet6 all
      [ Evaluations: 1150444   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @5 block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 2332464   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @6 block drop quick proto tcp from any to any port = 0
      [ Evaluations: 789291    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @7 block drop quick proto udp from any port = 0 to any
      [ Evaluations: 2332464   Packets: 1         Bytes: 76          States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @8 block drop quick proto udp from any to any port = 0
      [ Evaluations: 1538770   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @9 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
      [ Evaluations: 2332463   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @10 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
      [ Evaluations: 2332463   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @11 block drop quick from <pfsnortsamout:0> to any label "Block pfSnortSamOut hosts"
      [ Evaluations: 2332463   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @12 block drop quick from any to <pfsnortsamin:0> label "Block pfSnortSamIn hosts"
      [ Evaluations: 2332463   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @13 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
      [ Evaluations: 2332463   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @14 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = 31443 label "webConfiguratorlockout"
      [ Evaluations: 410343    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @15 block drop in quick from <virusprot:0> to any label "virusprot overload table"
      [ Evaluations: 1182019   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @16 block drop in on ! em1 inet from 192.168.0.72/29 to any
      [ Evaluations: 1182019   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @17 block drop in inet from 192.168.0.74 to any
      [ Evaluations: 1182019   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @18 block drop in on em1 inet6 from fe80::20c:29ff:fe45:205e to any
      [ Evaluations: 1182019   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @19 pass in on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 521344    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @20 pass in on em1 inet proto udp from any port = bootpc to 192.168.0.74 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @21 pass out on em1 inet proto udp from 192.168.0.74 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 1294184   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @22 block drop in on ! em4 inet from 192.168.0.64/30 to any
      [ Evaluations: 2332465   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @23 block drop in inet from 192.168.0.66 to any
      [ Evaluations: 1271553   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @24 block drop in on ! em5 inet from 192.168.0.68/30 to any
      [ Evaluations: 1182020   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @25 block drop in inet from 192.168.0.70 to any
      [ Evaluations: 1182020   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @26 block drop in on ! em3 inet from 192.168.0.80/29 to any
      [ Evaluations: 1182020   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @27 block drop in inet from 192.168.0.82 to any
      [ Evaluations: 1182020   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @28 block drop in on ! em2 inet from 192.168.0.88/30 to any
      [ Evaluations: 1182020   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @29 block drop in inet from 192.168.0.90 to any
      [ Evaluations: 1182020   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @30 block drop in on em4 inet6 from fe80::20c:29ff:fe45:207c to any
      [ Evaluations: 1182020   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @31 block drop in on em5 inet6 from fe80::20c:29ff:fe45:2086 to any
      [ Evaluations: 998890    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @32 block drop in on em3 inet6 from fe80::20c:29ff:fe45:2072 to any
      [ Evaluations: 821277    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @33 block drop in on em2 inet6 from fe80::20c:29ff:fe45:2068 to any
      [ Evaluations: 670135    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @34 pass in on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 1182020   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @35 pass out on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 1150445   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @36 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 2332465   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @37 pass out route-to (em1 192.168.0.75) inet from 192.168.0.74 to ! 192.168.0.72/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 1150445   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @38 pass out route-to (em4 192.168.0.65) inet from 192.168.0.66 to ! 192.168.0.64/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 1150445   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @39 pass out route-to (em5 192.168.0.69) inet from 192.168.0.70 to ! 192.168.0.68/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 1150445   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @40 pass out route-to (em3 192.168.0.81) inet from 192.168.0.82 to ! 192.168.0.80/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 1150445   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @41 pass out route-to (em2 192.168.0.89) inet from 192.168.0.90 to ! 192.168.0.88/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 1150445   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @42 pass out proto udp all keep state label "USER_RULE: Default UDP" queue qP2P
      [ Evaluations: 1150445   Packets: 2332001   Bytes: 1904433733  States: 92    ]
      [ Inserted: uid 0 pid 20568 ]
    @43 pass out proto tcp all flags S/SA keep state label "USER_RULE: Default TCP" queue qP2P
      [ Evaluations: 1150445   Packets: 3577717   Bytes: 1506347283  States: 219   ]
      [ Inserted: uid 0 pid 20568 ]
    @44 pass out quick inet proto icmp all keep state label "USER_RULE: ICMP outbound" queue qOthersHigh
      [ Evaluations: 1150445   Packets: 35171     Bytes: 1536464     States: 5     ]
      [ Inserted: uid 0 pid 20568 ]
    @45 pass out proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: HTTP outbound" queue(qOthersDefault, qACK)
      [ Evaluations: 1148363   Packets: 34184414  Bytes: 25795061695  States: 1918  ]
      [ Inserted: uid 0 pid 20568 ]
    @46 pass out proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: HTTPS outbound" queue(qOthersDefault, qACK)
      [ Evaluations: 378948    Packets: 980611    Bytes: 544192634   States: 209   ]
      [ Inserted: uid 0 pid 20568 ]
    @47 pass out proto tcp from any to any port 6880 >< 7000 flags S/SA keep state label "USER_RULE: m_P2P BitTorrent outbound" queue qP2P
      [ Evaluations: 378948    Packets: 934       Bytes: 116157      States: 1     ]
      [ Inserted: uid 0 pid 20568 ]
    @48 pass out proto udp from any to any port 6880 >< 7000 keep state label "USER_RULE: m_P2P BitTorrent outbound" queue qP2P
      [ Evaluations: 769518    Packets: 5983      Bytes: 1224252     States: 12    ]
      [ Inserted: uid 0 pid 20568 ]
    @49 pass out proto udp from any to any port = isakmp keep state label "USER_RULE: IPSEC outbound" queue qOthersHigh
      [ Evaluations: 1148261   Packets: 7         Bytes: 3243        States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @50 pass out proto udp from any to any port = sae-urn keep state label "USER_RULE: IPSEC outbound" queue qOthersHigh
      [ Evaluations: 769415    Packets: 1097      Bytes: 341747      States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @51 pass out proto tcp from any to any port = rtsp flags S/SA keep state label "USER_RULE: RTSP1 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 1148365   Packets: 243199    Bytes: 227887991   States: 1     ]
      [ Inserted: uid 0 pid 20568 ]
    @52 pass out proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: SMTP outbound" queue(qOthersLow, qACK)
      [ Evaluations: 378949    Packets: 395639    Bytes: 338354814   States: 1     ]
      [ Inserted: uid 0 pid 20568 ]
    @53 pass out proto tcp from any to any port = smtps flags S/SA keep state label "USER_RULE: SMTP/S outbound" queue(qOthersLow, qACK)
      [ Evaluations: 378949    Packets: 577       Bytes: 86166       States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @54 pass out proto tcp from any to any port = pop3 flags S/SA keep state label "USER_RULE: POP3 outbound" queue(qOthersLow, qACK)
      [ Evaluations: 378949    Packets: 23967     Bytes: 18211975    States: 4     ]
      [ Inserted: uid 0 pid 20568 ]
    @55 pass out proto tcp from any to any port = pop3s flags S/SA keep state label "USER_RULE: POP3/S outbound" queue(qOthersLow, qACK)
      [ Evaluations: 378949    Packets: 1070      Bytes: 156927      States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @56 pass out proto tcp from any to any port = imap flags S/SA keep state label "USER_RULE: IMAP outbound" queue(qOthersLow, qACK)
      [ Evaluations: 378949    Packets: 19139     Bytes: 3674741     States: 9     ]
      [ Inserted: uid 0 pid 20568 ]
    @57 pass out proto tcp from any to any port = imaps flags S/SA keep state label "USER_RULE: IMAP/S outbound" queue(qOthersLow, qACK)
      [ Evaluations: 378949    Packets: 5754      Bytes: 1685275     States: 2     ]
      [ Inserted: uid 0 pid 20568 ]
    @58 pass out proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: DNS1 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 378949    Packets: 254       Bytes: 14873       States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @59 pass out proto udp from any to any port = domain keep state label "USER_RULE: DNS2 outbound" queue qOthersHigh
      [ Evaluations: 769441    Packets: 154701    Bytes: 16587972    States: 116   ]
      [ Inserted: uid 0 pid 20568 ]
    @60 pass out proto tcp from any to any port = microsoft-ds flags S/SA keep state label "USER_RULE: SMB1 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 1148366   Packets: 1725      Bytes: 78256       States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @61 pass out proto tcp from any to any port 136 >< 140 flags S/SA keep state label "USER_RULE: SMB2 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 378949    Packets: 118       Bytes: 7176        States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @62 pass out proto tcp from any to any port = 10443 flags S/SA keep state label "USER_RULE: Central SSL VPN outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 378949    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @63 pass out proto tcp from any to any port = nntp flags S/SA keep state label "USER_RULE: NNTP1 outbound" queue(qOthersLow, qACK)
      [ Evaluations: 378949    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @64 pass out proto udp from any to any port = nntp keep state label "USER_RULE: NNTP2 outbound" queue qOthersLow
      [ Evaluations: 769417    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @65 pass out proto udp from any to any port = ntp keep state label "USER_RULE: NTP outbound" queue qGames
      [ Evaluations: 1148366   Packets: 2151511   Bytes: 179299447   States: 1486  ]
      [ Inserted: uid 0 pid 20568 ]
    @66 pass out proto tcp from any to any port = 30443 flags S/SA keep state label "USER_RULE: Central Control outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 1148366   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @67 pass out proto tcp from any to any port = 32443 flags S/SA keep state label "USER_RULE: Central Control 2 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 378949    Packets: 737609    Bytes: 126107838   States: 365   ]
      [ Inserted: uid 0 pid 20568 ]
    @68 pass out quick proto tcp from <netvoip:2> to any flags S/SA keep state label "USER_RULE: VoIP out" queue qVoIP
      [ Evaluations: 378949    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @69 pass out quick proto udp from <netvoip:2> to any keep state label "USER_RULE: VoIP out" queue qVoIP
      [ Evaluations: 769417    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @70 pass out quick proto tcp from any to <netvoip:2> flags S/SA keep state label "USER_RULE: VoIP out" queue qVoIP
      [ Evaluations: 1148366   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @71 pass out quick proto udp from any to <netvoip:2> keep state label "USER_RULE: VoIP out" queue qVoIP
      [ Evaluations: 769417    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @72 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.64/29 flags S/SA keep state label "USER_RULE: route to VP8+VP9 via default"
      [ Evaluations: 2330389   Packets: 368854    Bytes: 63484256    States: 183   ]
      [ Inserted: uid 0 pid 20568 ]
    @73 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.80/29 flags S/SA keep state label "USER_RULE: route to vt4 via default"
      [ Evaluations: 495017    Packets: 184394    Bytes: 30896045    States: 91    ]
      [ Inserted: uid 0 pid 20568 ]
    @74 pass in quick on em1 reply-to (em1 192.168.0.75) inet from any to 192.168.0.88/30 flags S/SA keep state label "USER_RULE: route to VP5 device via default"
      [ Evaluations: 481854    Packets: 184363    Bytes: 31728186    States: 91    ]
      [ Inserted: uid 0 pid 20568 ]
    @75 pass in quick on em1 reply-to (em1 192.168.0.75) inet from <netc:1> to <gateway_public:4> flags S/SA keep state label "USER_RULE: enroute pub IPs. Useless. No NAT refl in m0n0"
      [ Evaluations: 468699    Packets: 2642      Bytes: 134532      States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @76 pass in quick on em1 inet proto tcp from 192.168.12.23 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 467684    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @77 pass in quick on em1 route-to (em4 192.168.0.65) inet proto tcp from 192.168.12.23 to any port = smtp flags S/SA keep state label "USER_RULE: mx1.corp1.com, VP8 only"
      [ Evaluations: 3         Packets: 5205      Bytes: 4710855     States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @78 pass in quick on em1 inet proto tcp from 192.168.12.5 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 321920    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @79 pass in quick on em1 route-to (em5 192.168.0.69) inet proto tcp from 192.168.12.5 to any port = smtp flags S/SA keep state label "USER_RULE: mail.corp9.com, VP9 only"
      [ Evaluations: 305       Packets: 215813    Bytes: 192739232   States: 1     ]
      [ Inserted: uid 0 pid 20568 ]
    @80 pass in quick on em1 inet proto tcp from 192.168.12.17 to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 321877    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @81 pass in quick on em1 route-to (em2 192.168.0.89) inet proto tcp from 192.168.12.17 to any port = smtp flags S/SA keep state label "USER_RULE: mail.corp5.com, VP5 only"
      [ Evaluations: 549       Packets: 15        Bytes: 844         States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @82 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 321873    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @83 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to any port = smtp flags S/SA keep state label "USER_RULE: other SMTP servers out, VT4 only"
      [ Evaluations: 321873    Packets: 4089      Bytes: 3647784     States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @84 pass in quick on em1 proto tcp from <netcservers:4> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 321865    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @85 pass in quick on em1 proto udp from <netcservers:4> to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 145761    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @86 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netcservers:4> to any port = domain flags S/SA keep state label "USER_RULE: critical DNS servers out, VT4 first"
      [ Evaluations: 73924     Packets: 254       Bytes: 14873       States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @87 pass in quick on em1 route-to (em3 192.168.0.81) inet proto udp from <netcservers:4> to any port = domain keep state label "USER_RULE: critical DNS servers out, VT4 first"
      [ Evaluations: 72886     Packets: 135055    Bytes: 14689722    States: 112   ]
      [ Inserted: uid 0 pid 20568 ]
    @88 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 398903    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @89 pass in quick on em1 proto udp from any to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 77063     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @90 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: other DNS clients out, VP first"
      [ Evaluations: 398903    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @91 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto udp from any to any port = domain keep state label "USER_RULE: other DNS clients out, VP first"
      [ Evaluations: 77063     Packets: 19638     Bytes: 1897430     States: 4     ]
      [ Inserted: uid 0 pid 20568 ]
    @92 pass in quick on em1 proto tcp from <netcservers:4> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 391395    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @93 pass in quick on em1 proto udp from <netcservers:4> to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 69555     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @94 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netcservers:4> to any port = ntp flags S/SA keep state label "USER_RULE: critical NTP clients out, VT4 first"
      [ Evaluations: 5201      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @95 pass in quick on em1 route-to (em3 192.168.0.81) inet proto udp from <netcservers:4> to any port = ntp keep state label "USER_RULE: critical NTP clients out, VT4 first"
      [ Evaluations: 4188      Packets: 3919      Bytes: 297844      States: 1     ]
      [ Inserted: uid 0 pid 20568 ]
    @96 pass in quick on em1 route-to (em2 192.168.0.89) inet proto tcp from any to <uniplex:1> port = http flags S/SA keep state label "USER_RULE: Websites that allow single IP clients only"
      [ Evaluations: 389403    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @97 pass in quick on em1 route-to (em2 192.168.0.89) inet proto tcp from any to <uniplex:1> port = https flags S/SA keep state label "USER_RULE: Websites that allow single IP clients only"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @98 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp from any to <vtblocked:3> port = http flags S/SA keep state label "USER_RULE: HTTP abroad blocked by VT4"
      [ Evaluations: 321840    Packets: 34865     Bytes: 1883688     States: 47    ]
      [ Inserted: uid 0 pid 20568 ]
    @99 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp from any to <vtblocked:3> port = https flags S/SA keep state label "USER_RULE: HTTPS abroad blocked by VT4"
      [ Evaluations: 133       Packets: 6385      Bytes: 3475721     States: 3     ]
      [ Inserted: uid 0 pid 20568 ]
    @100 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to <domestic:142> port = http flags S/SA keep state label "USER_RULE: HTTP domestic out, VT4 first"
      [ Evaluations: 314414    Packets: 16035634  Bytes: 12195379855  States: 748   ]
      [ Inserted: uid 0 pid 20568 ]
    @101 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from any to <domestic:142> port = https flags S/SA keep state label "USER_RULE: HTTPS domestic out, VT4 first"
      [ Evaluations: 8693      Packets: 64888     Bytes: 18790201    States: 7     ]
      [ Inserted: uid 0 pid 20568 ]
    @102 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 147381    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @103 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: HTTP abroad out VP first"
      [ Evaluations: 147381    Packets: 17572320  Bytes: 12935158689  States: 1092  ]
      [ Inserted: uid 0 pid 20568 ]
    @104 pass in log quick on em1 route-to (em2 192.168.0.89) inet proto udp from any to <gw_td1:1> port = isakmp keep state label "USER_RULE: IKE to Site D -- VP5 only" queue qOthersHigh
      [ Evaluations: 95184     Packets: 1         Bytes: 424         States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @105 pass in log quick on em1 route-to (em2 192.168.0.89) inet proto udp from any to <gw_td1:1> port = sae-urn keep state label "USER_RULE: ESP to Site D -- VP5 only" queue qOthersHigh
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @106 pass in quick on em1 proto tcp from <netc:1> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 95183     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @107 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netc:1> to any port = mmcc flags S/SA keep state label "USER_RULE: YIM, VT4 first"
      [ Evaluations: 27621     Packets: 117604    Bytes: 13593807    States: 105   ]
      [ Inserted: uid 0 pid 20568 ]
    @108 pass in quick on em1 proto tcp from <netvoip:2> to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 27378     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @109 pass in quick on em1 proto udp from <netvoip:2> to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 67562     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @110 pass in quick on em1 route-to (em3 192.168.0.81) inet proto tcp from <netvoip:2> to any flags S/SA keep state label "USER_RULE: VoIP out"
      [ Evaluations: 2128      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @111 pass in quick on em1 route-to (em3 192.168.0.81) inet proto udp from <netvoip:2> to any keep state label "USER_RULE: VoIP out"
      [ Evaluations: 2128      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @112 pass in quick on em1 proto tcp from any to <vpns:*> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 94940     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @113 pass in quick on em1 proto udp from any to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 67562     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @114 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto tcp all flags S/SA keep state label "USER_RULE: Other TCP/UDP out"
      [ Evaluations: 94940     Packets: 4657593   Bytes: 2269505688  States: 321   ]
      [ Inserted: uid 0 pid 20568 ]
    @115 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em2 192.168.0.89) } round-robin inet proto udp all keep state label "USER_RULE: Other TCP/UDP out"
      [ Evaluations: 67604     Packets: 2384635   Bytes: 1911039494  States: 103   ]
      [ Inserted: uid 0 pid 20568 ]
    @116 pass in quick on em1 inet proto icmp from any to <vpns:*> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      [ Evaluations: 2170      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @117 pass in quick on em1 route-to { (em4 192.168.0.65), (em5 192.168.0.69), (em3 192.168.0.81), (em2 192.168.0.89) } round-robin inet proto icmp all keep state label "USER_RULE: ICMP out"
      [ Evaluations: 1891      Packets: 50915     Bytes: 2481104     States: 5     ]
      [ Inserted: uid 0 pid 20568 ]
    @118 pass in quick on em4 reply-to (em4 192.168.0.65) inet all flags S/SA keep state label "USER_RULE: Pass in on VP8 all"
      [ Evaluations: 1179891   Packets: 868660    Bytes: 260224431   States: 488   ]
      [ Inserted: uid 0 pid 20568 ]
    @119 pass in quick on em5 reply-to (em5 192.168.0.69) inet all flags S/SA keep state label "USER_RULE: Pass in on VP9 all"
      [ Evaluations: 917958    Packets: 1673675   Bytes: 245944766   States: 167   ]
      [ Inserted: uid 0 pid 20568 ]
    @120 pass in quick on em3 reply-to (em3 192.168.0.81) inet all flags S/SA keep state label "USER_RULE: Pass all in OPT3"
      [ Evaluations: 661689    Packets: 1034489   Bytes: 614818578   States: 324   ]
      [ Inserted: uid 0 pid 20568 ]
    @121 pass in quick on em2 reply-to (em2 192.168.0.89) inet proto udp from any to any port = isakmp keep state label "USER_RULE: IKE in" queue qOthersHigh
      [ Evaluations: 259423    Packets: 4         Bytes: 1648        States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @122 pass in quick on em2 reply-to (em2 192.168.0.89) inet proto udp from any to any port = sae-urn keep state label "USER_RULE: IPSEC in" queue qOthersHigh
      [ Evaluations: 138234    Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]
    @123 pass in quick on em2 reply-to (em2 192.168.0.89) inet all flags S/SA keep state label "USER_RULE: pass all in"
      [ Evaluations: 148791    Packets: 574918    Bytes: 44720184    States: 534   ]
      [ Inserted: uid 0 pid 20568 ]
    @124 anchor "tftp-proxy/*" all
      [ Evaluations: 1179954   Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 20568 ]

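The ruleset dump above is `pfctl -vsr` output: each `@N` header is followed by a counter line whose Evaluations/Packets/Bytes/States values tell you whether a rule ever matched anything. As an added example (not pfSense or pf code, and not posted by anyone in this thread), the following Python parses that format and answers the question the thread keeps circling: which rules name a shaper queue, and did traffic ever hit them. The helper names (`parse_rules`, `traffic_by_queue`, `queued_rules_without_traffic`, `unmatched_rules`) are this example's own; `SAMPLE_DUMP` is an excerpt of rules @121 to @124 from the dump above.

```python
"""Parse a `pfctl -vsr` rule dump into records and summarise queue assignments.

Added example, not pfSense or pf code. SAMPLE_DUMP is an excerpt of the dump
quoted in the thread (rules @121-@124); the helper functions are this
example's own names.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_DUMP = """\
@121 pass in quick on em2 reply-to (em2 192.168.0.89) inet proto udp from any to any port = isakmp keep state label "USER_RULE: IKE in" queue qOthersHigh
  [ Evaluations: 259423    Packets: 4         Bytes: 1648        States: 0     ]
  [ Inserted: uid 0 pid 20568 ]
@122 pass in quick on em2 reply-to (em2 192.168.0.89) inet proto udp from any to any port = sae-urn keep state label "USER_RULE: IPSEC in" queue qOthersHigh
  [ Evaluations: 138234    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 20568 ]
@123 pass in quick on em2 reply-to (em2 192.168.0.89) inet all flags S/SA keep state label "USER_RULE: pass all in"
  [ Evaluations: 148791    Packets: 574918    Bytes: 44720184    States: 534   ]
  [ Inserted: uid 0 pid 20568 ]
@124 anchor "tftp-proxy/*" all
  [ Evaluations: 1179954   Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 20568 ]
"""

# "@N action [in|out] rest-of-rule" -- direction is optional (anchors, match-any rules)
RULE_RE = re.compile(r'^@(\d+)\s+(\S+)(?:\s+(in|out)\b)?\s*(.*)$')
COUNTER_RE = re.compile(
    r'\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]')
IFACE_RE = re.compile(r'\bon\s+(\S+)')
LABEL_RE = re.compile(r'label\s+"([^"]*)"')
QUEUE_RE = re.compile(r'\bqueue\s+(\([^)]*\)|\S+)')   # "queue qName" or "queue (qA, qB)"


@dataclass
class PfRule:
    number: int
    action: str                  # pass, block, match, anchor, ...
    direction: Optional[str]     # "in", "out" or None (any / not applicable)
    iface: Optional[str]
    label: Optional[str]
    queue: Optional[str]         # ALTQ queue name (or "(q1, q2)" pair) or None
    evaluations: int = 0
    packets: int = 0
    byte_count: int = 0
    states: int = 0


def parse_rules(text: str) -> List[PfRule]:
    """Turn the dump into PfRule records; counter lines attach to the preceding header."""
    rules: List[PfRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            number, action, direction, rest = m.groups()
            iface = IFACE_RE.search(rest)
            label = LABEL_RE.search(rest)
            queue = QUEUE_RE.search(rest)
            rules.append(PfRule(int(number), action, direction,
                                iface.group(1) if iface else None,
                                label.group(1) if label else None,
                                queue.group(1) if queue else None))
            continue
        c = COUNTER_RE.search(line)
        if c and rules:
            (rules[-1].evaluations, rules[-1].packets,
             rules[-1].byte_count, rules[-1].states) = (int(v) for v in c.groups())
    return rules


def traffic_by_queue(rules: List[PfRule]) -> Dict[str, int]:
    """Packets matched per assigned queue, summed over the rules that name it."""
    totals: Dict[str, int] = defaultdict(int)
    for r in rules:
        if r.queue is not None:
            totals[r.queue] += r.packets
    return dict(totals)


def queued_rules_without_traffic(rules: List[PfRule]) -> List[str]:
    """Rules that name a queue but never matched a packet: the first thing to
    check when traffic lands in the default queue instead of the intended one."""
    return [r.label or f"@{r.number}" for r in rules
            if r.queue is not None and r.packets == 0]


def unmatched_rules(rules: List[PfRule]) -> List[int]:
    """Rule numbers that were evaluated but never matched anything."""
    return [r.number for r in rules if r.evaluations > 0 and r.packets == 0]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_DUMP)
    for r in parsed:
        print(f"@{r.number} {r.action} {r.direction or 'any'} on {r.iface or '-'} "
              f"queue={r.queue or '-'} packets={r.packets}")
    print("packets by queue:", traffic_by_queue(parsed))
    print("queued but idle:", queued_rules_without_traffic(parsed))
```

Run against a full dump (`pfctl -vsr > rules.txt`), the "queued but idle" list is a quick way to see which Floating-tab shaping rules are not being hit at all, which is the symptom the thread starter reports; pftop View 8 shows the same thing per queue rather than per rule.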

  • I am not sure what the em1 interface is, but if that is WAN then it will override the pass out rule.

    Match/Queue action rules are not firewall rules; they are just used for selecting the queue.
    After a firewall rule with action pass matches and it has no queue selected, the queue from the previous match/queue action rule will be used.
    So a Queue action rule does not open any firewall ports and does not allow any traffic.

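As an added illustration (not pfSense or pf code, and not posted by anyone in this thread), the following Python model encodes the evaluation semantics ermal describes above: a Queue (match) rule only attaches a queue to a packet and never decides pass or block; a pass rule without a queue inherits the queue set by the last matching match rule; a pass rule with its own queue overrides it. The rule fields, packet dict and sample rulesets are constructed for the example, the default-deny policy when no pass rule matches is an assumption, and each direction is treated as a single rule lookup, ignoring pf's state table.

```python
"""Simplified model of pf match (pfSense 'Queue' action) versus pass rules.

Added illustration, not pf or pfSense code. It models only what the post
above states; the default-deny policy is an assumption, and the state table
is ignored (each packet direction is one rule lookup).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ShaperRule:
    action: str                      # "pass", "block" or "match"
    direction: Optional[str] = None  # "in", "out" or None for any direction
    proto: Optional[str] = None      # "udp"/"tcp" or None for any protocol
    dport: Optional[int] = None      # destination port or None for any
    queue: Optional[str] = None      # ALTQ queue to assign, if any
    quick: bool = False              # stop evaluating once this rule matches


Packet = Dict[str, object]  # constructed packet: direction, proto, dport


def rule_matches(rule: ShaperRule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt["direction"])
            and (rule.proto is None or rule.proto == pkt["proto"])
            and (rule.dport is None or rule.dport == pkt["dport"]))


def evaluate(rules: List[ShaperRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (decision, queue): "pass"/"block" and the queue the packet lands in
    (None means default queue, or not applicable because it was blocked)."""
    decision = "block"              # assumed default-deny, as a pfSense install has
    queue: Optional[str] = None
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "match":
            # match rules only attach options; they never terminate evaluation
            if rule.queue is not None:
                queue = rule.queue
            continue
        decision = rule.action
        if rule.queue is not None:  # a pass rule carrying its own queue overrides
            queue = rule.queue
        if rule.quick:
            break
    return decision, (queue if decision == "pass" else None)


# Constructed sample traffic: the two legs of an NTP exchange through the box.
NTP_OUT: Packet = {"direction": "out", "proto": "udp", "dport": 123}
NTP_IN: Packet = {"direction": "in", "proto": "udp", "dport": 123}
HTTP_IN: Packet = {"direction": "in", "proto": "tcp", "dport": 80}


def queue_only_ruleset() -> List[ShaperRule]:
    """A Queue (match) rule alone: selects qGames but opens nothing."""
    return [ShaperRule("match", None, "udp", 123, queue="qGames")]


def queue_plus_pass_ruleset(match_direction: Optional[str]) -> List[ShaperRule]:
    """Floating Queue rule for NTP plus interface pass rules that carry no queue."""
    return [
        ShaperRule("match", match_direction, "udp", 123, queue="qGames"),
        ShaperRule("pass", "in", quick=True),    # "pass all in", no queue
        ShaperRule("pass", "out", quick=True),   # default pass out, no queue
    ]


def pass_with_own_queue_ruleset() -> List[ShaperRule]:
    """A pass rule that names its own queue wins over the earlier match rule."""
    return [
        ShaperRule("match", None, "udp", 123, queue="qGames"),
        ShaperRule("pass", "in", "udp", 123, queue="qVoIP", quick=True),
    ]


if __name__ == "__main__":
    print("match only, NTP out:", evaluate(queue_only_ruleset(), NTP_OUT))
    print("match any + pass, NTP in:", evaluate(queue_plus_pass_ruleset(None), NTP_IN))
    print("match out + pass, NTP in:", evaluate(queue_plus_pass_ruleset("out"), NTP_IN))
```

The second ruleset is the configuration onhel recommends: the shaping decision lives in a direction-less match rule and the interface-tab pass rules carry no queue. Restricting the match rule to one direction leaves the other leg of the same flow in the default queue, which is the effect of the "Direction: Any" advice.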


  • @ermal:

    I am not sure what the em1 interface is, but if that is WAN then it will override the pass out rule.

    em1 is LAN. But even if it were WAN, @94 and @95 couldn't override @65 as they are Pass In rules.

    @ermal:

    Match/Queue action rules are not firewall rules; they are just used for selecting the queue.
    After a firewall rule with action pass matches and it has no queue selected, the queue from the previous match/queue action rule will be used.
    So a Queue action rule does not open any firewall ports and does not allow any traffic.

    I changed the action from Pass (out) to Queue for many rules in the Floating tab (including @43 and @44, which are the default pass out rules for TCP and UDP). And traffic is still passed out normally.



  • By changing only the action from Pass to Queue, nothing new happens. NTP packets going out OPTx are not queued in qGames.

    I've then changed the direction from Out to Any (in the Web UI), following onhel's advice. pftop now shows that the actual direction has changed from Out to In, and the packet and byte counters on qGames on OPTx have started incrementing, indicating that NTP traffic is now queued correctly.

    However, the same approach does not seem to help in the case of NAT-T IPsec. My IPsec device is located in the LAN and must pass through pfSense (UDP ports 500 and 4500) to initiate a tunnel or respond to tunneling requests from a remote IPsec device on the Internet. For the purpose of testing, I've reserved qVoIP for IPsec exclusively. No matter what I do, there is always one direction that goes wrong, i.e. either downloaded or uploaded packets do not appear in the expected queue.

    So, I wonder what is the best approach to my simple needs – a multi-WAN router and traffic shaper, no firewalling, just pass everything through, in any direction.



  • To add to this thread, I just noticed that most of my floating tab rules also stopped working and I see traffic in the default queue.



  • That could be due to recent changes in the shaper, that dropped all download queues. Check your queues on the download side.



  • @dusan:

    By changing only the action from Pass to Queue, nothing new happens. NTP packets going out OPTx are not queued in qGames.

    I've then changed the direction from Out to Any (in the Web UI), following onhel's advice. pftop now shows that the actual direction has changed from Out to In, and the packet and byte counters on qGames on OPTx have started incrementing, indicating that NTP traffic is now queued correctly.

    I am not sure why pftop reports it as in although you have configured it as all directions.
    You have to keep in mind that the same previous rules are used; the match/queue action just helps you define firewall rules and shaping rules differently, while before you had to do it on the same rule.
    The traffic outgoing from pfSense is always allowed, since there are default rules for it which policy route the traffic accordingly.

    However, the same approach does not seem to help in the case of NAT-T IPsec. My IPsec device is located in the LAN and must pass through pfSense (UDP ports 500 and 4500) to initiate a tunnel or respond to tunneling requests from a remote IPsec device on the Internet. For the purpose of testing, I've reserved qVoIP for IPsec exclusively. No matter what I do, there is always one direction that goes wrong, i.e. either downloaded or uploaded packets do not appear in the expected queue.

    So, I wonder what is the best approach to my simple needs – a multi-WAN router and traffic shaper, no firewalling, just pass everything through, in any direction.

    With the new approach, if you put a Queue/Match action rule on the floating tab for those ports without any direction selected, that should do.

    Though really nothing should change for existing installs.
    Do you have any previous versions of rules.debug and a new one so I can compare? Or even send me your config privately to verify that there is not actually something wrong in pfSense per se?!



  • @ermal:

    @dusan:

    By changing only the action from Pass to Queue, nothing new happens. NTP packets going out OPTx are not queued in qGames.

    I've then changed the direction from Out to Any (in the Web UI), following onhel's advice. pftop now shows that the actual direction has changed from Out to In, and the packet and byte counters on qGames on OPTx have started incrementing, indicating that NTP traffic is now queued correctly.

    I am not sure why pftop reports it as in although you have configured it as all directions.

    I've found more pftop issues that could be related to the new Queue (match) action. In View 6, for all Queue (match) rules, the action is displayed as "11" instead of "match" or "queue". In View 6, the packet counters and byte counters are zero for some Queue (match) action rules, although View 8 (Queue View) shows that the corresponding rules do apply.

    You have to keep in mind that the same previous rules are used; the match/queue action just helps you define firewall rules and shaping rules differently, while before you had to do it on the same rule.

    You're right. I've tried to change all Pass Out rules to Queue Any and pfSense stopped passing traffic through. Strangely, the traffic blocking did not occur immediately. For some traffic, it took hours to take effect. For other traffic, it could not take effect without manual intervention (see below).

    The traffic outgoing from pfSense is always allowed, since there are default rules for it which policy route the traffic accordingly.

    The default rules only apply to traffic from the pfSense host itself, right?

    However, the same approach does not seem to help in the case of NAT-T IPsec. My IPsec device is located in the LAN and must pass through pfSense (UDP ports 500 and 4500) to initiate a tunnel or respond to tunneling requests from a remote IPsec device on the Internet. For the purpose of testing, I've reserved qVoIP for IPsec exclusively. No matter what I do, there is always one direction that goes wrong, i.e. either downloaded or uploaded packets do not appear in the expected queue.

    So, I wonder what is the best approach to my simple needs – a multi-WAN router and traffic shaper, no firewalling, just pass everything through, in any direction.

    With the new approach, if you put a Queue/Match action rule on the floating tab for those ports without any direction selected, that should do.

    Here is how I followed your advice:

    1. I added a "default" Pass Out rule that passes everything out on every interface (in the Floating tab).

    2. Then I changed all other rules (which were Pass Out) in the Floating tab to Queue Any. (The rules are then listed as Match without direction in the status.php rule list.)

    3. I then made sure every rule in the LAN/WAN/OPTx tabs is without a queue. (The rules are then listed as Pass In in the rule list.)

    4. Then I stopped all IPsec devices, local and remote. (This step is necessary. Without it, new rules do not take effect.)

    5. Finally I restarted pfSense completely. (This is again necessary. Just applying new rules or resetting states does not suffice.)

    6. I waited for a few minutes, then started the IPsec devices.

    Given that, pftop View 8 now shows that IPsec traffic goes into the correct queues (but View 6 doesn't confirm that). It is a real pain to stop, restart and start on every change to see its effect. But thank you anyway.

    Though really nothing should change for existing installs.
    Do you have any previous versions of rules.debug and a new one so I can compare? Or even send me your config privately to verify that there is not actually something wrong in pfSense per se?!

    In order to test the IPsec initiator and responder roles separately, I added Block/Reject rules (for IPsec in one direction), an action I had never used before. Unfortunately, pfSense encountered a kernel panic.

    I'm now back to the Feb 14 snapshot.

    I don't think I have to continue reporting on the shaping / routing topics until the pftop issues and kernel panics are resolved.



  • Well, for pftop I will see if it can be fixed to at least show action match and not action 11.
    But really the match action rules will not have counters updated for the traffic they match.
    This is a deficiency in 2.0; I might see what the impacts of having that corrected are.

    About the panic, a minidump report would have been nice. AFAIK there are no more issues related to panics and, believe me, Feb 14 is quite a dangerous snapshot for some uses :)



  • @ermal:

    Well, for pftop I will see if it can be fixed to at least show action match and not action 11.
    But really the match action rules will not have counters updated for the traffic they match.
    This is a deficiency in 2.0; I might see what the impacts of having that corrected are.

    Then I must return to the old pass out rules. When I make changes I would like to see the effects, and pftop is the only tool for it. I can't live without it.

    @ermal:

    About the panic, a minidump report would have been nice. AFAIK there are no more issues related to panics and, believe me, Feb 14 is quite a dangerous snapshot for some uses :)

    Sorry. The panic occurred during a very busy work time. I went back to whatever snapshot I had on hand as quickly as possible so that users would not even notice it :P

    I am now updating to the latest snapshot. Many thanks.

