weixin_39902608
2020-11-27 22:50

Traffic Shaper ignored outgoing traffic from WAN, when using route to / gateway firewall rules

Configuring a traffic shaper with standard gateways works using shaper rules for WAN, all outgoing and all incoming traffic (two rules for two pipes for upload and download).

But the traffic shaper ignores outgoing traffic from the WAN interface when it is routed by a route-to / gateway firewall rule. So all connections routed to a specific gateway by a firewall rule bypass the limiter / traffic shaper.

This question comes from the open-source project: opnsense/core


12 answers

  • weixin_39902608 5 months ago

    To check the behaviour I disabled shared forwarding. Nothing changed - same behaviour as described above. Same after reboot.

    There is another buggy(?) behaviour in both cases, traffic shaping on or off. We have only one interface for our specific net and a single firewall rule, which routes to the specific gateway. But the traffic shaper shows a few connections from that specific interface on default-wan/gateway-pipes (upload and download also).

    Here is our rule (GW3 is our specific gateway): 089rule

    Seems like the traffic shaper detects packages wrong or the firewall-gateway-setting does not match all packages but passes packages to the default gateway...

    Tell me, which information do you need or how I can help you.

  • weixin_39887546 5 months ago

    Any news on that issue? I was using a limiter in pfsense with gateway groups but right now it's an issue for me in opnsense...

    Thanks and good luck!

  • weixin_39837607 5 months ago

    Should work since 17.1 with the "shared forwarding" option enabled in normal setups. Closing this.

  • weixin_39887546 5 months ago

    Thanks!

  • weixin_39902608 5 months ago

    Shared forwarding is on.

    OPNsense 17.1.4-amd64 FreeBSD 11.0-RELEASE-p8 OpenSSL 1.0.2k 26 Jan 2017

    Here are some screenshots: pipe shaper-rule status

  • weixin_39837607 5 months ago

    This is true for IPv6 but not IPv4?

  • weixin_39902608 5 months ago

    We are using IPv4 only (for now) - so all rules are true for IPv4 and IPv6 or IPv4 only. I have added a second traffic shaper with default gateway... I found all uploading IPs (against firewall-rule-gateway-setting) there.

    Our setup:

    - Default local nets - some firewall rules without gateway settings - default gateway
    - Specific local net - firewall rule with gateway setting - specific gateway

    Now, with traffic shaper configured like posted - with download and upload pipe for default nets/gateway and download and upload pipe for specific net/gateway.

    All incoming/download packages are assigned to the correct pipe: download to specific nets to specific-net-download-pipe; download to default nets to default-net-download-pipe. But all outgoing/upload packages are assigned to the default-net-upload-pipe, no matter whether from specific net (with specific-gateway-rule) or from default nets (without specific-gateway-rule).

    Maybe that helps to solve our issue.

  • weixin_39837607 5 months ago

    Ok, I'll have to forward this to for a peek

  • weixin_39837607 5 months ago

    Yup, it's a very old bug between pf route-to and the network stack. You can try to use the Firewall: Settings: Advanced [ x ] use shared forwarding option, but it doesn't work in all cases yet.

    More work is needed here, which we will pick up as time permits. For now, the option should address the problem for the most part.

    Cheers, Franco

  • weixin_39902608 5 months ago

    Thank you for your explanation, but it is not working.

    - Firewall rule with specific gateway
    - Traffic shaper for download, assigned all incoming traffic from specific wan connection: Working.
    - Traffic shaper for upload, assigned all outgoing traffic from specific wan connection: Not working.

  • weixin_39837607 5 months ago

    With the shared forwarding setting on or off?

  • weixin_39837607 5 months ago

    Also, please provide version info, it's a crucial piece of the puzzle. :)
