Match Floating Rules bypassing NAT Port Forwards
-
Hello all,
We have a setup that uses a Squid caching server on another box, and to make that work we also have a NAT rule to redirect port 80 to our transparent proxy server.
An issue that I'm seeing is that if we have a floating rule that Matches (but not set to Quick) to enforce the traffic limiter, the NAT rules are bypassed.
As I understand, NAT rules should be parsed first, but this doesn't appear to be happening. If I disable the floating limiters, the NAT begins redirecting traffic with no issue.
Has anyone seen this before? I've never seen match rules and non-quick rules causing all other rules to be ignored, especially NAT rules.
Thanks!
-
Why not just set the limiter on the port forward rule? That's generally what people do. You have to have the rule anyway.
Floating rules are processed first. If it is a match rule without quick, all it should do is set the limiter.
Maybe someone who knows more about the internals will chime in.
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
ETA: I think this is a nevermind. I believe I misunderstood your setup.
-
Indeed that is the "fix", but then it requires that each of our rules be duplicated multiple times so we can apply different speed tiers with the limiters. This really isn't an outage-causing issue, but it does appear to be a break of user-land functionality.