Bug #16430
openFloating rule VLAN priority tag causes packets to be dropped.
0%
Description
After updating from 2.8.0 to 2.8.1 the hosts behind one pfsense firewall stopped being able to access their voip server.
pfsense was configured to set 'VO' (voice) priority (0x05) for the 802.1p/q part of the packet for outgoing packets. This functioned normally with previous pfsense versions. However, all traffic is somehow lost without a trace when doing this with version 2.8.1.
I can verify when/if it works by doing;
traceroute -d -I myvoip.com
This functions normally with everything configured except the 802.1q priority tag. Add the priority tag, and the packets are lost; only the pfsense will reply, everything after it won't.
I know it has to be the pfsense and not the provider, because the first hop is also controlled by us, has no firewall rules whatsoever, and the traceroute fails to even identify that. Remove the priority tag (or downgrade to 2.8), and things work properly.
I can still see the first 3 replies to the traceroute (3 packets per hop, 7 hops total) in a packet capture filtered on icmp and the ip of a LAN-side test client assigned to be a 'phone' on the pfsense, as well as all 90 pings, but the other 18 replies and 69 refusals are nowhere to be seen.
I've tried a bunch of different ways of achieving the same thing, and with each way of filtering, it's always adding the priority tag that turns any match rule into what's effectively a 'drop all' rule. It doesn't matter if the priority tag is added on ingress or egress (using 'packet tag' matching).
Updated by Kris Phillips 5 days ago
Hello,
Are you operating with Interface Bound firewall rules or Floating rules? Can you try switching to Floating rules instead, if on Interface Bound, and see if this is still an issue?
Updated by npr . 4 days ago
We are already using Floating rules to direct packets into queues as suggested by the netgate docs.
Changing the floating rule to remove the 802.1 tag on this floating rule (or disabling or removing it then re-applying the firewall rules) blackholes all voip traffic. This issue also remains past reboots or configuration reloads.