Understanding differing rule concepts between pfsense (pf) and iptables

  • I currently have some experience with iptables, and so I started working with pfsense with that mindset.

    Current understanding:

    Where are rules applied: pfsense applies rules to packets on the first interface they enter. I.e. even though, to get to the internet in a standard openvpn situation, packets go ->LAN->OPT1->WAN->, only LAN rules matter. This is completely different from iptables, where packets flow through different chains (INPUT, OUPUT, FORWARD) and can be matched in any and more than once.

    There doesnt appear to be a way to mangle packets in pfsense via the GUI that is equivalent to 'match this packet, change it but dont accept or reject, that comes in a later rule'. Here is an example in iptables that sets the TOS:

    iptables -t mangle -A OUTPUT --out-interface eth0 --protocol tcp -m multiport --source-ports 40000:49999 -j TOS --set-tos "Maximize-Throughput"

    Currently this is the only non-nat mangling thing I do with iptables, but thats probably because I dont have the experience to know what other useful stuff is possible.

    I had originally expected to apply traffic shaping queues via such a mangling rule, then I realised what pass/reject/drop actually meant. Any ideas if such passive rules will be implemented at some point, and if there is somewhere to mangle packets like the TOS example?


  • Take a look at queues for traffic shaping and at advanced options on rules.

  • Hi marcelloc,

    Yes, already done that - am currently working on getting my head around the standard PRIQ shaping.

    Right, Ive found that floating rules partially satisfies 'rules that do not pass/reject/block' - it has an extra option, 'Queue'.

Log in to reply