Project

General

Profile

Actions

Bug #16430

open

Floating rule VLAN priority tag causes packets to be dropped.

Added by npr . 17 days ago. Updated 4 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.8.1
Affected Architecture:
amd64

Description

After updating from 2.8.0 to 2.8.1 the hosts behind one pfsense firewall stopped being able to access their voip server.

pfsense was configured to set 'VO' (voice) priority (0x05) for the 802.1p/q part of the packet for outgoing packets. This functioned normally with previous pfsense versions. However, all traffic is somehow lost without a trace when doing this with version 2.8.1.

I can verify when/if it works by doing;

traceroute -d -I myvoip.com

This functions normally with everything configured except the 802.1q priority tag. Add the priority tag, and the packets are lost; only the pfsense will reply, everything after it won't.

I know it has to be the pfsense and not the provider, because the first hop is also controlled by us, has no firewall rules whatsoever, and the traceroute fails to even identify that. Remove the priority tag (or downgrade to 2.8), and things work properly.

I can still see the first 3 replies to the traceroute (3 packets per hop, 7 hops total) in a packet capture filtered on icmp and the ip of a LAN-side test client assigned to be a 'phone' on the pfsense, as well as all 90 pings, but the other 18 replies and 69 refusals are nowhere to be seen.

I've tried a bunch of different ways of achieving the same thing, and with each way of filtering, it's always adding the priority tag that turns any match rule into what's effectively a 'drop all' rule. It doesn't matter if the priority tag is added on ingress or egress (using 'packet tag' matching).

Actions #1

Updated by Kris Phillips 5 days ago

Hello,

Are you operating with Interface Bound firewall rules or Floating rules? Can you try switching to Floating rules instead, if on Interface Bound, and see if this is still an issue?

Actions #2

Updated by npr . 4 days ago

We are already using Floating rules to direct packets into queues as suggested by the netgate docs.

Changing the floating rule to remove the 802.1 tag on this floating rule (or disabling or removing it then re-applying the firewall rules) blackholes all voip traffic. This issue also remains past reboots or configuration reloads.

Actions

Also available in: Atom PDF