Queue matching: Floating vs Interface rules

moikerz

I'm a little confused on how to match traffic to a queue, vs firewalling traffic. I think I have it, but I just want some confirmations or clarifications.

I have traffic identified on the Floating Rules tab, set as 'Match' only, and directing said traffic to the relevant queue.

I also have the traffic identified on the WAN and LAN tabs, set as 'Pass', and also directing said traffic to the relevant queue.

It seems like I have a setup with unnecessary clutter. Which is the best way to match traffic to queues? Via the WAN/LAN, or via Floating Rules? I was thinking of using the Floating Rules to 'Match', and the WAN/LAN rules to pass/block - would this be better?

See attachments for firewall rules.

pfsense_fw_floatingrules.jpg_thumb

pfsense_fw_wanrules.jpg_thumb

pfsense_fw_lanrules.jpg_thumb

pfsense_fw_vlan9rules.jpg_thumb

Nullity

General rule is to match traffic (firewall rule) on the interface where the traffic originates.
Traffic-shaping queues only shape data being transmitted.

If traffic leaves the WAN through "qArbitrary", when the related traffic returns it will be assigned automatically to "qArbitrary" on the LAN (if the queue exists on the interface).

So, most of the time you only need to match traffic at the origin and name your queues accordingly.

Be careful PASSing traffic on WAN as that is allowing traffic from the internet.

moikerz

Good, thank you for the clarification.

@Nullity:

If traffic leaves the WAN through "qArbitrary", when the related traffic returns it will be assigned automatically to "qArbitrary" on the LAN (if the queue exists on the interface).

Referencing your comment above in bold:
If traffic exits on qArbitrary, then the queue logically must exist on the return leg of the journey (unless it's asymmetric routing). Else it would never have been in the queue in the first place. Is this correct?

Nullity

@moikerz:

Good, thank you for the clarification.

@Nullity:

If traffic leaves the WAN through "qArbitrary", when the related traffic returns it will be assigned automatically to "qArbitrary" on the LAN (if the queue exists on the interface).

Referencing your comment above in bold:
If traffic exits on qArbitrary, then the queue logically must exist on the return leg of the journey (unless it's asymmetric routing). Else it would never have been in the queue in the first place. Is this correct?

The return packet (download traffic) will be queued at the LAN queue. (Technically, downloads are throttled as a side-effect of rate-limiting packets being transmitted to LAN.)

Asymmetric routing is unrelated, AFAIK. The firewall rules deal with assignment of packets to the queues, while the queues only deal with scheduling any packets they are assigned.

moikerz

Got it - thanks!