pfSense

After updating from 2.8.0 to 2.8.1 the hosts behind one pfsense firewall stopped being able to access their voip server.

pfsense was configured to set 'VO' (voice) priority (0x05) for the 802.1p/q part of the packet for outgoing packets. This functioned normally with previous pfsense versions. However, all traffic is somehow lost without a trace when doing this with version 2.8.1.

I can verify when/if it works by doing;

traceroute -d -I myvoip.com

This functions normally with everything configured except the 802.1q priority tag. Add the priority tag, and the packets are lost; only the pfsense will reply, everything after it won't.

I know it has to be the pfsense and not the provider, because the first hop is also controlled by us, has no firewall rules whatsoever, and the traceroute fails to even identify that. Remove the priority tag (or downgrade to 2.8), and things work properly.

I can still see the first 3 replies to the traceroute (3 packets per hop, 7 hops total) in a packet capture filtered on icmp and the ip of a LAN-side test client assigned to be a 'phone' on the pfsense, as well as all 90 pings, but the other 18 replies and 69 refusals are nowhere to be seen.

I've tried a bunch of different ways of achieving the same thing, and with each way of filtering, it's always adding the priority tag that turns any match rule into what's effectively a 'drop all' rule. It doesn't matter if the priority tag is added on ingress or egress (using 'packet tag' matching).