Missing something obvious, matching packets

  • Ok, I must be missing something obvious here.

    I have two rules used for traffic shaping related to 'work' traffic.

    match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
    -- From WAN/internet to 'work' interface, place in work queue for QoS. This is working as expected.

    match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5
    -- From 'work' to WAN/internet interface, place in work queue for QoS. This 'mostly' fails to do what I thought it would...

    I have one device attached to the work interface (vr2), a hardware VPN appliance which establishes some IPSEC tunnels to the offices. Here's the odd thing (to me). I can match the packets where the device is doing DNS lookups (UDP / 53) and where it establishes the tunnel (UDP / 4500), but subsequent tunneled packets are not matched and not QoS'd properly.

    I do not want to match based on anything in the tunnel, I want to match ALL packets coming from that interface so I can give them a high priority.

    Does this make any sense? What am I missing?

    Thanks!


  • Update and more info…

    I'm running: 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6...

    I found that a different rule was stepping on the one above and placing it in the default queue. (I feel a little more sane now.) Here's where I'm getting tripped up. If I remove all floating rules and ensure that no other rules have a queue action, and add a default rule to prioritize ACK traffic, things start to fall apart.

    Here's a test I performed trying to understand how 'quick' performs on non-final rules (Queue only, not pass, block, reject, etc.)

    Test 1: Default rules before specific 'work' rules. In this test all work 'outbound' traffic is placed in the default rule.

         pfctl -sr | grep queue
         match quick on vr0 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
         match quick on vr1 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
         match quick on vr2 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
         match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
         match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5

         pfctl -k 192.168.0.0/16
         killed 49 states from 1 sources and 0 destinations

         re-establish tunnels on appliance and watch pftop

    Test 2: Default rules after specific 'work' rules. In this test all work 'outbound' traffic is placed in the default rule.

         pfctl -sr | grep queue
         match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
         match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5
         match quick on vr0 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
         match quick on vr1 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
         match quick on vr2 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)

         pfctl -k 192.168.0.0/16
         killed 49 states from 1 sources and 0 destinations

         re-establish tunnels on appliance and watch pftop

    Test 3: No Default Rules. In this test all work traffic is placed in the correct q_Work_5 queue.

         pfctl -sr | grep queue
         match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
         match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5

         pfctl -k 192.168.0.0/16
         killed 49 states from 1 sources and 0 destinations

         re-establish tunnels on appliance and watch pftop

    I guess I'm confused at how 'queue' type rules work when there are multiple matches in the ruleset. Can someone provide any clarity?

    Thanks!
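As an added example (not code from the original post or from pfSense), a small Python checker that parses the `pfctl -sr` match rules pasted above and lists every queue-setting rule that covers a given packet on a given interface and direction. It shows overlaps such as the catch-all vr2 default rule and the work outbound rule both claiming the same packet, without deciding which one pf honours; the sample ruleset is the Test 1 ordering, and the packet addresses are constructed.

```python
import re
import ipaddress

# Constructed sample: the five rules quoted under Test 1, not live pfctl output.
SAMPLE_RULES = """\
match quick on vr0 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
match quick on vr1 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
match quick on vr2 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)
match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5
match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5
"""
# Rule shapes seen in the post: optional direction, optional quick, 'all' or
# 'inet from X to Y', a quoted label, then 'queue name' or 'queue(a, b)'.
RULE_RE = re.compile(
    r'^match(?:\s+(?P<dir>in|out))?(?:\s+(?P<quick>quick))?\s+on\s+(?P<iface>\S+)\s+'
    r'(?:all|inet\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))\s+'
    r'label\s+"(?P<label>[^"]*)"\s+queue\s*\(?(?P<queues>[^)]+?)\)?\s*$'
)

def parse_rules(text):
    """Parse 'pfctl -sr' style match rules in ruleset order; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "direction": m.group("dir") or "any",   # no direction means in and out
                "quick": bool(m.group("quick")),
                "iface": m.group("iface"),
                "src": m.group("src") or "any",
                "dst": m.group("dst") or "any",
                "label": m.group("label"),
                "queues": [q.strip() for q in m.group("queues").split(",")],
            })
    return rules

def addr_matches(spec, addr):
    """'any' or a CIDR/host spec against a single address."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rules_for_packet(rules, iface, direction, src, dst):
    """Every queue-setting rule whose interface, direction and addresses cover the packet."""
    return [r for r in rules
            if r["iface"] == iface and r["direction"] in ("any", direction)
            and addr_matches(r["src"], src) and addr_matches(r["dst"], dst)]

def queue_overlaps(rules, iface, direction, src, dst):
    """Labels of all rules that each set a queue for this packet; >1 means pf's precedence decides."""
    return [r["label"] for r in rules_for_packet(rules, iface, direction, src, dst)]
```

Feed it the output of `pfctl -sr | grep queue` and one representative packet per interface to see which rules are competing for the same state before re-establishing the tunnels and watching pftop.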
