<p><strong>pfSense bugtracker</strong> (<a href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a>)</p>
<p><strong>pfSense - Bug #4326: Limiters on firewall rules where NAT applies drop all traffic</strong> (<a href="https://redmine.pfsense.org/issues/4326">https://redmine.pfsense.org/issues/4326</a>)</p>
<p><strong>Adam Hirsch</strong>, 2015-01-28T14:53:58Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17014">journal 17014</a></p>
<p>I'm seeing this when the limiter is applied to a filter on the WAN interface, but not the LAN interface. Odd.</p>
<p><strong>Chris Buechler</strong>, 2015-01-29T02:47:06Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17044">journal 17044</a></p>
<ul><li><strong>Subject</strong> changed from <i>In/Out Limiter on filter rule silently discards all traffic once limit rate reached</i> to <i>In/Out Limiter on rule w/reply-to silently discards all traffic once limit rate reached</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Confirmed</i></li><li><strong>Assignee</strong> set to <i>Ermal Luçi</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li><li><strong>Target version</strong> set to <i>2.2.1</i></li></ul>
<p>I believe it only happens where the matching rule with limiter includes reply-to.</p>
<p><strong>Adam Hirsch</strong>, 2015-01-29T07:50:30Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17058">journal 17058</a></p>
<ul><li><strong>File</strong> <a href="/attachments/1144">no-reply-to.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1144/no-reply-to.png">no-reply-to.png</a> added</li></ul><p>I suppose that's possible, although manually checking the box to disable the generated reply-to doesn't seem to change the behavior. (I have only a single WAN link, however, so reply-to has not been a consideration for me before this.)</p>
<p>... looking in /tmp/rules.debug after removing the reply-to shows that it's not listed there, but the behavior continues.</p>
<p><strong>Travis Kreikemeier</strong>, 2015-01-29T11:55:53Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17066">journal 17066</a></p>
<p>I think this affected us at PAX South. We had limiters in place and had certain downloads dropping to 0 bytes/sec until we restarted them. I guess we'll have to go back to 2.1.5 for events and wait for 2.2.1, which hopefully comes out soon.</p>
<p><strong>Travis Kreikemeier</strong>, 2015-02-03T22:39:52Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17156">journal 17156</a></p>
<p>Have we confirmed if having reply-to enabled or disabled affects if the limiter works correctly? As well, what about if the limiter has source or destination hash enabled? I believe at the event, the limiters that were not working were ones that did not have source/destination hash enabled. Much like your reproduction steps above.</p>
<p><strong>Chris Buechler</strong>, 2015-02-03T23:21:22Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17157">journal 17157</a></p>
<p>I haven't had a chance to get back to testing this scenario yet, but will soon. Seems like it may not be specific to reply-to; that seemed a likely culprit given the history of reply-to/route-to related issues in this area and the fact it only applied to WAN rules, but Adam's testing seems to indicate otherwise. I'm pretty tied up with our training this week, so it might be this weekend before I can get back to it.</p>
<p>If any of you want to try things out in the mean time to help narrow down the issue, here are the things I'll be looking to test:</p>
<ul>
<li>Does it definitely happen with or without reply-to?</li>
<li>Is it specific to traffic hitting rdr (a port forward)? Based on testing I've already done, and what's been reported by others here, I'm thinking this is probably the likely root problem area.</li>
<li>Does the mask configuration have any impact?</li>
</ul>
<p>Make sure to reset all states between making config changes in this scenario, to make really sure all your changes are being applied. Review the output of <code>ipfw pipe show</code> while testing for details there.</p>
<p><strong>Adam Hirsch</strong>, 2015-02-04T09:52:33Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17162">journal 17162</a></p>
<p>I can verify that turning off reply-to doesn't seem to make a difference, here:</p>
<p>The rule:</p>
<pre>
/tmp/rules.debug:rdr on vr2 proto tcp from any to 68.XXX.170.XXX port 7500 -> 172.17.1.11
/tmp/rules.debug:pass in quick on $WAN inet proto tcp from any to 172.17.1.11 port 7500 tracker 1422416208 flags S/SA keep state dnpipe ( 1,2) label "USER_RULE: NAT testing 7500 forward"
</pre>
<p>I've got 1Mb/s limits on both inbound and outbound sides of that WAN rule.</p>
<pre>
[2.2-RELEASE][admin@rampart]/root: ipfw pipe show
00001: 1.000 Mbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
sched 65537 type FIFO flags 0x0 0 buckets 0 active
00002: 1.000 Mbit/s 0 ms burst 0
q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
sched 65538 type FIFO flags 0x0 0 buckets 0 active
</pre>
<p><strong>Ermal Luçi</strong>, 2015-02-05T02:53:13Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17170">journal 17170</a></p>
<p>Does <code>net.inet.ip.dummynet.io_pkt_drop</code> increase during this time?</p>
<p><strong>Adam Hirsch</strong>, 2015-02-08T10:58:06Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17200">journal 17200</a></p>
<p>Nope! Stays at 0 throughout.</p>
<pre>
[2.2-RELEASE][admin@rampart]/root: sysctl net.inet.ip.dummynet.io_pkt_drop
net.inet.ip.dummynet.io_pkt_drop: 0
</pre>
<p><strong>Ermal Luçi</strong>, 2015-02-12T13:58:08Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17305">journal 17305</a></p>
<p>Can you do another test so we have full information?</p>
<p>Do the usual breaking test you have reported and show the output of:<br /><code>sysctl net.inet.ip.dummynet</code></p>
<p>then set<br /><code>sysctl net.inet.ip.dummynet.io_fast=1</code></p>
<p>Run the test and see if the issue happens again, and show again<br /><code>sysctl net.inet.ip.dummynet</code></p>
<p><strong>Travis Kreikemeier</strong>, 2015-02-12T16:27:10Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17313">journal 17313</a></p>
<p>Finally able to get around to building a VM lab for this. Here is what I have found.</p>
<ul>
<li>Appears to only be an issue on a NAT rule, I was unable to reproduce this issue on a LAN limiter</li>
<li>Turning off reply-to does not resolve the issue, I even turned it off globally in Advanced settings</li>
<li>Enabling source or destination mask does not resolve the issue</li>
<li>Taildrop does not increase, stays at 0 during testing</li>
<li>dummynet.io_pkt_drop stays the same number during testing</li>
<li>net.inet.ip.dummynet.io_fast was already set to 1 for me, I changed it to 0 and my test no longer worked at all (no connection)</li>
</ul>
<p>I used iperf for my testing:</p>
<p>No NAT limiter</p>
<pre>
iperf.exe -c 192.168.11.131 -w 256k -i 1
------------------------------------------------------------
Client connecting to 192.168.11.131, TCP port 5001
TCP window size: 256 KByte
------------------------------------------------------------
[ 3] local 192.168.11.1 port 55351 connected with 192.168.11.131 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 73.5 MBytes 617 Mbits/sec
[ 3] 1.0- 2.0 sec 69.5 MBytes 583 Mbits/sec
[ 3] 2.0- 3.0 sec 68.1 MBytes 571 Mbits/sec
[ 3] 3.0- 4.0 sec 67.4 MBytes 565 Mbits/sec
[ 3] 4.0- 5.0 sec 58.6 MBytes 492 Mbits/sec
[ 3] 5.0- 6.0 sec 66.1 MBytes 555 Mbits/sec
[ 3] 6.0- 7.0 sec 76.6 MBytes 643 Mbits/sec
[ 3] 7.0- 8.0 sec 78.2 MBytes 656 Mbits/sec
[ 3] 8.0- 9.0 sec 62.4 MBytes 523 Mbits/sec
[ 3] 9.0-10.0 sec 80.6 MBytes 676 Mbits/sec
[ 3] 0.0-10.0 sec 701 MBytes 588 Mbits/sec
</pre>
<p>Enabled a 20Mb limiter</p>
<pre>
iperf.exe -c 192.168.11.131 -i 1 -w 256k
------------------------------------------------------------
Client connecting to 192.168.11.131, TCP port 5001
TCP window size: 256 KByte
------------------------------------------------------------
[ 3] local 192.168.11.1 port 55401 connected with 192.168.11.131 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 384 KBytes 3.15 Mbits/sec
[ 3] 1.0- 2.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 2.0- 3.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 3.0- 4.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 4.0- 5.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 5.0- 6.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 6.0- 7.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 7.0- 8.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 8.0- 9.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 9.0-10.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 10.0-11.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 0.0-13.2 sec 1.12 MBytes 715 Kbits/sec
</pre>
<p>During testing</p>
<pre>
ipfw pipe show
00001: 20.000 Mbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
00002: 20.000 Mbit/s 0 ms burst 0
q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x0 0 buckets 0 active
[2.2-RELEASE][admin@pfSense.localdomain]/root: ipfw pipe show
00001: 20.000 Mbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 0 ip 0.0.0.0/0 0.0.0.0/0 11 524 0 0 0
00002: 20.000 Mbit/s 0 ms burst 0
q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x0 0 buckets 1 active
 0 ip 0.0.0.0/0 0.0.0.0/0 20 30000 0 0 0
[2.2-RELEASE][admin@pfSense.localdomain]/root: ipfw pipe show
00001: 20.000 Mbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 0 ip 0.0.0.0/0 0.0.0.0/0 28 1276 0 0 0
00002: 20.000 Mbit/s 0 ms burst 0
q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x0 0 buckets 1 active
 0 ip 0.0.0.0/0 0.0.0.0/0 60 90000 0 0 0
[2.2-RELEASE][admin@pfSense.localdomain]/root: ipfw pipe show
00001: 20.000 Mbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 0 ip 0.0.0.0/0 0.0.0.0/0 12 552 0 0 0
00002: 20.000 Mbit/s 0 ms burst 0
q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x0 0 buckets 1 active
 0 ip 0.0.0.0/0 0.0.0.0/0 22 33000 0 0 0
</pre>
<p>Outbound from LAN test with no limiter</p>
<pre>
iperf.exe -c 192.168.11.1 -w 256k -i 1 -M 1460
WARNING: attempt to set TCP maximum segment size to 1460, but got 1281
------------------------------------------------------------
Client connecting to 192.168.11.1, TCP port 5001
TCP window size: 256 KByte
------------------------------------------------------------
[ 3] local 192.168.12.41 port 49353 connected with 192.168.11.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 55.4 MBytes 465 Mbits/sec
[ 3] 1.0- 2.0 sec 52.9 MBytes 444 Mbits/sec
[ 3] 2.0- 3.0 sec 39.5 MBytes 331 Mbits/sec
[ 3] 3.0- 4.0 sec 38.0 MBytes 319 Mbits/sec
[ 3] 4.0- 5.0 sec 41.8 MBytes 350 Mbits/sec
[ 3] 5.0- 6.0 sec 40.9 MBytes 343 Mbits/sec
[ 3] 6.0- 7.0 sec 37.9 MBytes 318 Mbits/sec
[ 3] 7.0- 8.0 sec 40.5 MBytes 340 Mbits/sec
[ 3] 8.0- 9.0 sec 42.8 MBytes 359 Mbits/sec
[ 3] 9.0-10.0 sec 44.5 MBytes 373 Mbits/sec
[ 3] 0.0-10.0 sec 434 MBytes 364 Mbits/sec
</pre>
<p>Outbound LAN test with 20Mb limiter</p>
<pre>
iperf.exe -c 192.168.11.1 -w 256k -i 1 -M 1460
WARNING: attempt to set TCP maximum segment size to 1460, but got 1281
------------------------------------------------------------
Client connecting to 192.168.11.1, TCP port 5001
TCP window size: 256 KByte
------------------------------------------------------------
[ 3] local 192.168.12.41 port 49354 connected with 192.168.11.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 2.62 MBytes 22.0 Mbits/sec
[ 3] 1.0- 2.0 sec 2.38 MBytes 19.9 Mbits/sec
[ 3] 2.0- 3.0 sec 2.25 MBytes 18.9 Mbits/sec
[ 3] 3.0- 4.0 sec 2.25 MBytes 18.9 Mbits/sec
[ 3] 4.0- 5.0 sec 2.38 MBytes 19.9 Mbits/sec
[ 3] 5.0- 6.0 sec 2.38 MBytes 19.9 Mbits/sec
[ 3] 6.0- 7.0 sec 2.25 MBytes 18.9 Mbits/sec
[ 3] 7.0- 8.0 sec 2.38 MBytes 19.9 Mbits/sec
[ 3] 8.0- 9.0 sec 2.25 MBytes 18.9 Mbits/sec
[ 3] 9.0-10.0 sec 2.38 MBytes 19.9 Mbits/sec
[ 3] 0.0-10.1 sec 23.6 MBytes 19.6 Mbits/sec
</pre>
<p><strong>Travis Kreikemeier</strong>, 2015-02-12T16:33:47Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17314">journal 17314</a></p>
<p>I also increased the limiter to 700Mb, higher than the throughput without a limiter, and it worked without issue; I got the normal speed I had without a limiter. So it's not that a limiter is in place, it is when the limit is exceeded that it starts to drop packets excessively. iperf might be opening a new connection, which is why I start getting a little bit of traffic again; then it drops and repeats.</p>
<p><strong>Ermal Luçi</strong>, 2015-02-13T05:49:02Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17322">journal 17322</a></p>
<p>Ok, thank you, I think I know where the issue is now.</p>
<p>I will update here when the issue is fixed, but it will need a kernel rebuild.</p>
<p><strong>Ermal Luçi</strong>, 2015-02-23T14:46:31Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17459">journal 17459</a></p>
<ul><li><strong>Subject</strong> changed from <i>In/Out Limiter on rule w/reply-to silently discards all traffic once limit rate reached</i> to <i>In/Out Limiter silently discards all traffic once limit rate reached</i></li></ul>
<p><strong>Steve Wheeler</strong>, 2015-03-05T09:28:36Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17616">journal 17616</a></p>
<p>Just to add some further information. This bug is hit if you use Limiters on LAN and are also running Squid in transparent mode, presumably because it adds rules to forward the traffic.</p>
<p><strong>Chris Buechler</strong>, 2015-03-11T18:10:13Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17756">journal 17756</a></p>
<ul><li><strong>Target version</strong> changed from <i>2.2.1</i> to <i>2.2.2</i></li></ul>
<p><strong>Chris Buechler</strong>, 2015-04-02T01:23:49Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=17952">journal 17952</a></p>
<ul><li><strong>Target version</strong> changed from <i>2.2.2</i> to <i>2.2.3</i></li></ul>
<p><strong>Ermal Luçi</strong>, 2015-06-15T10:37:55Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=18812">journal 18812</a></p>
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Feedback</i></li></ul>
<p>This seems to affect only NAT with limiters.<br />It should be handled properly now in 2.2.3; I will re-test this again as I did for a similar report.</p>
<p>If anyone can confirm it works for them on 2.2.3 as well, it would be good.</p>
<p><strong>Chris Buechler</strong>, 2015-06-18T21:08:49Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=18891">journal 18891</a></p>
<ul><li><strong>Target version</strong> changed from <i>2.2.3</i> to <i>2.3</i></li></ul>
<p><strong>Ryan Clough</strong>, 2015-06-29T14:54:13Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=19010">journal 19010</a></p>
<p>Ermal Luçi wrote:</p>
<blockquote>
<p>This seems to affect only NAT with limiters.<br />It should be handled properly now in 2.2.3; I will re-test this again as I did for a similar report.</p>
<p>If anyone can confirm it works for them on 2.2.3 as well, it would be good.</p>
</blockquote>
<p>I had disabled the limiter by turning off the associated Firewall Rule. I have upgraded to 2.2.3 and tried re-enabling the Firewall rule, and once the threshold limit is reached, traffic is no longer passed.</p>
<p>I also tried deleting the Firewall Rules and the Limiters, then recreating them from scratch. But alas, the same result. When the threshold is reached, traffic captured by the Firewall rule that feeds the Limiter just stops passing.</p>
<p>If you would like any further information, just let me know.</p>
<p><strong>Adam Hirsch</strong>, 2015-07-06T06:32:57Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=19065">journal 19065</a></p>
<p>Like Ryan, I'm still seeing the issue after upgrading to 2.2.3.</p>
<p><strong>Chris Buechler</strong>, 2015-07-06T16:31:18Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=19072">journal 19072</a></p>
<ul><li><strong>Subject</strong> changed from <i>In/Out Limiter silently discards all traffic once limit rate reached</i> to <i>Limiters on firewall rules where NAT applies drop all traffic</i></li><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Confirmed</i></li><li><strong>Assignee</strong> deleted (<del><i>Ermal Luçi</i></del>)</li><li><strong>Affected Version</strong> changed from <i>2.2</i> to <i>2.2.x</i></li></ul>
<p>Updated subject to the root problem; closing out <a title="Bug: NAT 1:1 vs VIP, limiters works on LAN, but on WAN breaks NAT (Duplicate)" href="https://redmine.pfsense.org/issues/4596">#4596</a> as a duplicate of this.</p>
<p><strong>Srdjan Jovanovich</strong>, 2015-07-21T08:25:16Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=19347">journal 19347</a></p>
<p>I'm still seeing the issue after upgrading to 2.2.3. NAT with limiters means no traffic. Once the rule is saved with limiters there's basically no traffic.</p>
<p>P.S. I cannot believe that this problem is already extending through several versions, or rather since stepping up to FreeBSD 10?</p>
<p><strong>zuber ahmed</strong>, 2015-10-23T07:15:35Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=21816">journal 21816</a></p>
<p>Hi</p>
<p>Traffic limiter still not working with squid3 (transparent mode) + squidguard on version 2.2.4.<br />Is there any timeline to fix this, as this issue has been due for a long time?</p>
<p>Thanks in advance for fixing this issue, or for any temporary fix or patch for this.</p>
<p><strong>Albert Yang</strong>, 2015-10-26T22:56:40Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=21895">journal 21895</a></p>
<p>I just wanted to add to what zuber ahmed said, and that NAT reflection gets broken while having limiters on the LAN.</p>
<p>Thank you</p>
<p><strong>Bryan Bercero</strong>, 2015-10-27T07:14:15Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=21915">journal 21915</a></p>
<p>I just want to update that this bug is still present. Any developments? I have tested with 2.2.2.</p>
<p><strong>Cristian Ciceri</strong>, 2015-12-16T13:25:19Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=23444">journal 23444</a></p>
<p>Issue still present on version 2.2.5.</p>
<p><strong>Sergio Handal</strong>, 2015-12-20T15:35:07Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=23536">journal 23536</a></p>
<p>Issue still present on version 2.2.5.</p>
<p>When a Limiter is enabled in a Firewall Rule, NAT Reflection is not working.</p>
<p><strong>Jim Thompson</strong>, 2016-01-13T06:41:09Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=24075">journal 24075</a></p>
<ul><li><strong>Assignee</strong> set to <i>Luiz Souza</i></li></ul>
<p><strong>Hamilton Calixto</strong>, 2016-02-05T13:58:16Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=24897">journal 24897</a></p>
<p>Problem still present in version 2.2.6. What is the deadline for solving this problem?</p>
<p><strong>Luiz Souza</strong>, 2016-03-05T16:18:54Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=25584">journal 25584</a></p>
<ul><li><strong>Target version</strong> changed from <i>2.3</i> to <i>2.3.1</i></li></ul>
<p><strong>Albert Yang</strong>, 2016-03-28T13:59:01Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=25901">journal 25901</a></p>
<p>Limiters work with squid proxy (transparent and WPAD) + squidguard.<br />Hopefully soon with NAT reflection :)</p>
<p>Thanks to Riroxi</p>
<p><a class="external" href="http://postimg.org/gallery/1plhek6mq/">http://postimg.org/gallery/1plhek6mq/</a></p>
<p><strong>Riroxi</strong>, 2016-03-28T16:23:02Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=25908">journal 25908</a></p>
<p>Albert Yang wrote:</p>
<blockquote>
<p>Limiters work with squid proxy (transparent and WPAD) + squidguard.<br />Hopefully soon with NAT reflection :)</p>
<p>Thanks to Riroxi</p>
<p><a class="external" href="http://postimg.org/gallery/1plhek6mq/">http://postimg.org/gallery/1plhek6mq/</a></p>
</blockquote>
<p>Hello Albert!</p>
<p>I tested this workaround for a few days and some apps like download managers can bypass limiters with this rule set :(</p>
<p>We need to wait for a definitive solution</p>
<p>Cya</p>
<p><strong>Chris Buechler</strong>, 2016-04-15T22:08:17Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=26384">journal 26384</a></p>
<ul><li><strong>Target version</strong> changed from <i>2.3.1</i> to <i>2.3.2</i></li></ul>
<p><strong>Aaron McDiarmid</strong>, 2016-04-15T23:06:42Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=26393">journal 26393</a></p>
<p>How come this problem keeps getting pushed back to later versions? Is there an underlying issue that prevents it from being fixed?</p>
<p><strong>Chris Buechler</strong>, 2016-04-15T23:16:33Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=26394">journal 26394</a></p>
<p>Aaron McDiarmid wrote:</p>
<blockquote>
<p>How come this problem keeps getting pushed back to later versions? Is there an underlying issue that prevents it from being fixed?</p>
</blockquote>
<p>It's not an easy problem to fix; any OS changes like this are risky, and we're looking to release 2.3.1 in a couple of weeks, which isn't enough time.</p>
<p><strong>gmar almnsoor</strong>, 2016-04-28T03:29:55Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=26823">journal 26823</a></p>
<p>Arab world</p>
<p>definitive solution</p>
<p><a class="external" href="https://forum.pfsense.org/index.php?topic=106640.0">https://forum.pfsense.org/index.php?topic=106640.0</a></p>
<p>enjoy</p>
<p><strong>Hamilton Calixto</strong>, 2016-05-19T19:24:07Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=27180">journal 27180</a></p>
<p>We have had this bug for 1 year. When will a solution be presented? I am dismayed by this, as it is an extremely important feature in my datacenter.</p>
<p><strong>Luca De Andreis</strong>, 2016-05-20T01:59:58Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=27184">journal 27184</a></p>
<p>Hamilton Calixto wrote:</p>
<blockquote>
<p>We have had this bug for 1 year. When will a solution be presented? I am dismayed by this, as it is an extremely important feature in my datacenter.</p>
</blockquote>
<p>+1, I'm forced to use pfSense 2.1.5; limiters on NAT 1:1 are absolutely essential for me, and the use of a workaround is not a solution.</p>
<p><strong>Matt Smith</strong>, 2016-06-07T13:03:26Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=27455">journal 27455</a></p>
<p>+1 I have dozens of 2.1.5 boxes because of this critical bug.</p>
<p>Crossed my fingers, but it seems 2.3 is still not production ready; obviously 2.2 was not either.</p>
<p><strong>Roman Spörk</strong>, 2016-06-08T17:31:51Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=27505">journal 27505</a></p>
<p>For me that bug is a big problem.<br />The traffic shaping feature was one reason to decide to use pfSense.<br />I bought an XG-1540 with two SSDs, 10 GE and 32GB RAM. To use traffic shaping with Squid proxy, I had to create a very complicated solution with cascaded virtual pfSense appliances.<br />I hope there will be a solution for that bug.</p>
<p><strong>Chris Buechler</strong>, 2016-07-08T03:32:53Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28048">journal 28048</a></p>
<ul><li><strong>Target version</strong> changed from <i>2.3.2</i> to <i>2.4.0</i></li></ul>
<p><strong>oscar velazquez</strong>, 2016-07-09T21:11:13Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28128">journal 28128</a></p>
<p>Since we are not getting a solution any time soon, I guess we can use 2 pfSense boxes in line, one with the limiter and the other with the cache.</p>
<p>Problem is I can't for the life of me make a transparent proxy cache work in between my limiter box and my LAN; does anyone know a good guide or easy way to make a transparent proxy cache box?</p>
<p>WAN---limiter/dhcp (192.168.0.1)---- transparent web proxy cache/no dhcp(192.168.0.2)-----lan</p>
<p>I have tried many tutorials and configs, but it never sends data through when I activate the caching (not the limiter) as a transparent box.</p>
<p>I think it's what Roman Spörk did?</p>
<p>Thanks</p>
<p><strong>Luca De Andreis</strong>, 2016-07-11T02:32:19Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28174">journal 28174</a></p>
<p>OMG.</p>
<p>The NAT 1:1 problem using limiters persists.<br />Works well on 2.1.5, 2.2.x = BAD, 2.3.x = BAD, sigh! We are forced to use 2.1.5 with many SECURITY HOLES.</p>
<p>Luca</p>
<p><strong>→ luckman212</strong>, 2016-07-19T07:05:41Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28382">journal 28382</a></p>
<p>Now that the target version bumped to 2.4 (FREEBSD-11) can anyone at least say whether the bug has been fixed in FreeBSD? If this bug is indeed an upstream problem, has a bug been filed with the FreeBSD project? If not, I'm afraid this can is going to keep getting kicked.</p>
<p><strong>Jose Duarte</strong>, 2016-07-20T06:48:00Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28390">journal 28390</a></p>
<p>Have you guys tried using a queue inside the limiter instead of the limiter itself? It could make a difference, since in my scenario it's the workaround I use to avoid a kernel panic on the second firewall (limiters in HA).</p>
<p><strong>Andrew Maslin</strong>, 2016-07-20T11:29:41Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28393">journal 28393</a></p>
<p>Can someone share the FreeBSD bug # so we can track the progress of the root of the issue? Like Luke, I would like to know the status and timeframe of the underlying issue. Thanks!</p>
<p><strong>Chris Buechler</strong>, 2016-07-20T13:55:26Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28395">journal 28395</a></p>
<p>Andrew Maslin wrote:</p>
<blockquote>
<p>Can someone share the FreeBSD bug # so we can track the progress of the root of the issue? Like Luke, I would like to know the status and timeframe of the underlying issue. Thanks!</p>
</blockquote>
<p>There isn't one because the code/feature in question doesn't exist there.</p>
<p><strong>→ luckman212</strong>, 2016-07-20T14:23:56Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28397">journal 28397</a></p>
<p>Chris Buechler wrote:</p>
<blockquote>
<p>There isn't one because the code/feature in question doesn't exist there.</p>
</blockquote>
<p>Now I'm confused: so is the bug in FreeBSD, or somehow in pfSense? Are you saying this bug is only replicable in pfSense, but it's due to an underlying bug in fBSD that can't be replicated in stock so therefore there is no way to file a proper bugreport? Seems we are in a pickle.</p>
<p><strong>Chris Buechler</strong>, 2016-07-20T14:48:27Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28399">journal 28399</a></p>
<p>This is from the use of dummynet in pf, which doesn't exist in stock FreeBSD. And the implementation apparently leaves a lot to be desired, which is why it's fallen apart in so many edge cases with newer base OS versions. It was never perfect to begin with, either.</p>
<p><strong>Steve Tibbetts</strong>, 2016-08-31T22:10:21Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28755">journal 28755</a></p>
<p>Using pfSense 2.3.2-RELEASE (amd64)</p>
<p>I can confirm disabling the upload limiter solves an issue with limiters and 1:1 NAT.</p>
<p>We don't use squid or any addons for that matter. Our issue was / is.... WAN / LAN interface. Aliases set up for each IP in the DHCP scope on LAN. Limiters (up/down) set up for those aliases as a firewall rule on LAN. No issues with connectivity, local or WAN. The issue is with accessing servers that are WAN to LAN NATed 1:1. It's worth noting the local IPs of the servers are NOT part of the limiter IP range. The UL limiter on LAN breaks NAT reflection.</p>
<p>To get around this we disabled the UL limiter. This is a temporary fix.</p>
<p>I really hope this can be resolved. Seems like an issue that has been ongoing for a while.</p>
<p>One thing I would like to mention... Prior to our current pfSense setup we had dual pfSense boxes using CARP. Same versions, same setup. And that worked. I have a backup of that somewhere.</p>
<p><strong>Luca De Andreis</strong>, 2016-09-09T09:25:32Z, <a href="https://redmine.pfsense.org/issues/4326?journal_id=28845">journal 28845</a></p>
<p>Yes, it is exactly as you described.</p>
<p>ONLY pfSense 2.1.5 works fine on this configuration. I use several CRITICAL firewalls on 2.1.5 but... 2.1.5 is very old and with critical security holes (?)</p>
<p>I can't use these firewalls on 2.2 or 2.3.</p>
<p>:(</p>
<p>On other firewalls, with limiters from LAN to WAN and NO NAT, there are no problems. But WAN to LAN limiters && 1:1 NAT is broken.</p>
<p>Luca</p>
<p><strong>luckman212</strong> (luke.hamburg@gmail.com), 2016-09-28T06:48:42Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=28972">journal_id=28972</a></p>
<p>Now that 2.4 dev builds have started, is there any reason to expect that this bug might get some lovin' in the next release? Or will the target get bumped to 3.0?</p>
<p><strong>Toronto B2</strong>, 2016-10-01T13:31:47Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=28996">journal_id=28996</a></p>
<p>I am interested to know if limiters will ever work again.<br />It's annoying that they still show in the GUI and are not working. Very disappointing!</p>
<p><strong>Anders Tillebeck</strong> (anders@tillebeck.dk), 2016-10-20T10:47:44Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29108">journal_id=29108</a></p>
<p>I also use limiters and NAT reflection in combination. So I am stuck on 2.1.4 and 2.1.5 until a release where this combination is working again. I am just writing this as info, to tell that more than one company is affected :-)</p>
<p><strong>jake keeys</strong>, 2016-10-29T05:31:27Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29146">journal_id=29146</a></p>
<p>Also affected... is there any plan to fix this in an upcoming release, as it's a common use case?</p>
<p><strong>gmar almnsoor</strong> (faleh.9800@gmail.com), 2016-10-29T07:50:44Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29147">journal_id=29147</a></p>
<p>Solution</p>
<p>Fix for "Limiters on firewall rules where NAT applies drop all traffic"</p>
<p>and</p>
<p>"Problem: Limiter blocks internet, Squid transparent proxy"</p>
<p>This solution works on pfSense 2.2.*, 2.3.* and 2.4.*.</p>
<p>My solution is now here:</p>
<p><a class="external" href="https://forum.pfsense.org/index.php?topic=106640.0">https://forum.pfsense.org/index.php?topic=106640.0</a></p>
<p><strong>Luca De Andreis</strong> (dea@corep.it), 2016-11-01T04:35:32Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29152">journal_id=29152</a></p>
<p>This is a workaround, not a clean solution.<br />Better than nothing, but a native, specific and definitive resolution is desirable.</p>
<p>Luca</p>
<p><strong>Luiz Souza</strong> (luiz@netgate.com), 2016-11-03T17:10:51Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29174">journal_id=29174</a></p>
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Fixed in 2.4.</p>
<p><strong>Phillip Davis</strong> (phil@jankaritech.com), 2016-11-03T19:36:27Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29178">journal_id=29178</a></p>
<p>I guess the fix is in the pf port or...?<br />Is it something that easily applies back to 2.3.* FreeBSD 10.3 and thus could be back-ported so it will also appear fixed in 2.3.3-DEVELOPMENT snapshots?</p>
<p><strong>Jim Pingle</strong>, 2016-11-03T21:43:38Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29207">journal_id=29207</a></p>
<p>Given all the work that's happened on 2.4 with IPFW, I'd say it's best to not attempt a backport. 2.4 is not that far off.</p>
<p>I ran a quick test of this with a floating rule on WAN matching outbound with a limiter. It was broken on 2.3, but works for me on 2.4.</p>
<p>Could use some more testing with port forwards and LAN-side redirects (e.g. transparent squid) but so far, so good.</p>
<p><strong>Phillip Davis</strong> (phil@jankaritech.com), 2016-11-03T22:08:46Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29222">journal_id=29222</a></p>
<p>OK. I don't use this so it doesn't affect systems that I have that will be stuck on 2.3.* (32-bit Alix). If it is not simple to back-port then I guess there will be only a few people with old 32-bit systems that also use this, and thus will not be able to get the fix. And if you are using stuff like this then the site is at least a bit complex and is likely to upgrade hardware anyway.</p>
<p><strong>Jim Pingle</strong>, 2016-12-02T11:25:22Z, <a class="external" href="https://redmine.pfsense.org/issues/4326?journal_id=29711">journal_id=29711</a></p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>All indications are that this is fixed now, from my own tests and from user feedback.</p>