Netgate Discussion Forum

    Floating rules interface ignored?

    • eafunk

      I recently upgraded from pfSense 1.2.3 to 2.01.  I am now in the process of rebuilding my traffic shaping policies and have run into a few problems that I just can't seem to figure out.  My secondary problem is this:

      I have a floating rule to queue traffic in my qVOIP queue that specifies the OPT1 and WAN as the input interface for VoIP packets, and a destination port number (IAX2 protocol) to match.  When I place a test call from my VoIP system on the LAN out to the WAN, I see the traffic being queued in the qVOIP for both the LAN and WAN queues, when I expect to see it just in the LAN queue, since packets going out the WAN originated from the LAN and should not match the floating rule.

      What am I missing?

      Thanks,
      Ethan…

      • dreamslacker

        Erm..  Because communication works both ways?

        A connection is 2 way traffic.  You have your voice going out and also the recipient of the call transmitting their voice back to you.  It follows that you should see traffic coming in on WAN as well.

        • eafunk

          Traffic is going in both directions, but it should only match the floating rule in the direction coming in from the WAN and out the LAN, so the LAN's qVOIP queue should only show traffic.  The traffic passing out the WAN should go to the WAN's default queue.

          But I am seeing the traffic in both directions passing through each interface's qVOIP.  What am I missing here?

          Ethan…

          • dreamslacker

            Do you have a rule on the LAN tab that references the VOIP traffic?  Or do you have a NAT rule that does?

            Those rules have the capability to affect the queue that traffic is sent to.

            Also, if you actually have a NAT rule for the VOIP traffic, you can use the associated firewall rule to pipe the traffic into the queue you want rather than to create a floating rule.

            • eafunk

              The closest thing I have to a NAT rule is a 1:1 NAT forward using a WAN alias IP address, and an associated WAN rule to allow the port and address.  As I understand it, the floating rules are executed first, tagging the queue, then the usual rules for the interface the packet is entering on run, stopping on a match.  Is this correct?

              Is it possible that the direction (source and destination) of floating rules are interpreted differently for ports defined as LAN vs WAN?

              Also, do firewall states affect floating rules, possibly adding a rule for the other direction/interface through the state table?

              The Definitive Guide to pfSense book is a great resource, but there have been a lot of changes (traffic shaping to be sure) that need updating in the book. Will an update to the book be available any time soon to cover the new traffic shaping in 2.0?

              Ethan…
