Diffserv Code Point Match rule not working
I'm trying to set up a traffic shaping rule to move all traffic for my Crashplan backup service (running on an Ubuntu server) to a queue called "qOthersLow". Crashplan supports setting the Diffserv Code Point value and I've followed this guide (https://www.tucny.com/Home/dscp-tos) to configure Crashplan with a TOS Dec value of 40, which translates into a DSCP class of af11. I've confirmed that Crashplan is adding this DSCP designation to the packets by running this on my Ubuntu server:
sudo tcpdump -v -n -i bond0 'ip and ip[1] & 0xfc == 40'
07:19:22.299726 IP (tos 0x28, ttl 50, id 21841, offset 0, flags [DF], proto TCP (6), length 52)
18.104.22.168.443 > 192.168.1.10.52530: Flags [.], cksum 0xde7c (correct), ack 1199785, win 3801, options [nop,nop,TS val 1399313738 ecr 19232212], length 0
Next, I've set up a pfSense Floating Match rule to do the following:
- Under Advanced Options Diffserv Code Point = af11
- Queue is set to qOtherLows
- Everything else in the rule left alone
Unfortunately after saving and applying this rule all my Crashplan traffic remains in the "qDefault" queue. Any ideas? Anyone else have a better/different strategy to isolate Crashplan traffic?
Did you reset pfSense's states?
If you still have problems, you can use pfSense's firewall logs or tcpdump to see what is happening from pfSense's perspective.
Do you need to use DSCP? Could you use standard source/destination IP/port filtering?