Bug #7973
closed
VLAN Priority Set feature in firewall rules is not functioning
100%
Description
The "VLAN Prio Set" option on firewall rules is supposed to alter the VLAN priority flag in 802.1q packets as they leave the firewall. The pf rule syntax appears to be correct, but exiting packets have the same VLAN Priority as configured on the VLAN directly, and not the altered priority set in the rule.
See also: #7748 (which is now working)
Updated by Kev Willers about 7 years ago
Jim Pingle wrote:
The "VLAN Prio Set" option on firewall rules is supposed to alter the VLAN priority flag in 802.1q packets as they leave the firewall. The pf rule syntax appears to be correct, but exiting packets have the same VLAN Priority as configured on the VLAN directly, and not the altered priority set in the rule.
See also: #7748 (which is now working)
This fix is essential for Orange FTTH in France. dhcp6c requests have to have priority 6 on VLAN 832 but all other traffic priority 0. Currently making it work by adding a Netgear switch between the ONT and pfSense.
Watching with interest
Updated by Luiz Souza about 7 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
This issue is fixed.
The fix will be available in tomorrow's snapshot.
Updated by Jim Pingle about 7 years ago
- Status changed from Feedback to Resolved
Confirmed as fixed, setting a priority is reflected in the traffic on the wire now. Thanks!
Updated by Kev Willers about 7 years ago
Jim Pingle wrote:
The "VLAN Prio Set" option on firewall rules is supposed to alter the VLAN priority flag in 802.1q packets as they leave the firewall. The pf rule syntax appears to be correct, but exiting packets have the same VLAN Priority as configured on the VLAN directly, and not the altered priority set in the rule.
See also: #7748 (which is now working)
I have just tested on the latest 2.4.2 snapshot and it's not working for me. May be an error on my side, but I have the prio 6 set on all outgoing packets for udp 547 (dhcp6 request) but they are not being altered.
Updated by Jim Pingle about 7 years ago
Probably an error in your rules, has to be in a floating rule, on the right interface, quick enabled, outbound direction, matching the correct outbound traffic.
The same type of request works here (though I simulated it with nc)
09:30:03.304039 68:9e:19:7f:f6:d7 > 00:90:0b:37:a3:24, ethertype 802.1Q (0x8100), length 60: vlan 50, p 6, ethertype IPv4, (tos 0x0, ttl 64, id 62126, offset 0, flags [none], proto UDP (17), length 29) 203.0.113.107.39405 > 203.0.113.1.547: [udp sum ok] dhcp6[|dhcp6]
I also set it to 3 before testing 6 in the rule so it definitely is the rule catching it, the vlan itself is set to 0.
09:29:04.034393 68:9e:19:7f:f6:d7 > 00:90:0b:37:a3:24, ethertype 802.1Q (0x8100), length 60: vlan 50, p 3, ethertype IPv4, (tos 0x0, ttl 64, id 2870, offset 0, flags [none], proto UDP (17), length 29) 203.0.113.107.49601 > 203.0.113.1.547: [udp sum ok] dhcp6[|dhcp6]
Post your rule details on the forum and someone can probably help you fix it up.
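The captures quoted above can be checked mechanically. The following Python code is an added example, not part of the original thread or of pfSense: it parses `tcpdump -e -n -v` style lines and reports frames whose 802.1Q priority differs from an expected policy. The function names, the rule format and the last two sample lines are assumptions constructed for illustration.

```python
import re

# Fields of one `tcpdump -e -n -v` line for an 802.1Q-tagged IPv4 frame.
LINE_RE = re.compile(
    r"ethertype 802\.1Q \(0x8100\).*?vlan (?P<vlan>\d+), p (?P<prio>[0-7]),"
    r".*?proto (?P<proto>\w+) \(\d+\).*?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_line(line):
    """Return (vlan, prio, proto, dport), or None if not a tagged IPv4 frame."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return int(m["vlan"]), int(m["prio"]), m["proto"].upper(), int(m["dport"])

def expected_prio(vlan, proto, dport, rules, default=0):
    """First matching rule wins; otherwise the priority set on the VLAN itself."""
    for r in rules:
        if (r["vlan"], r["proto"], r["dport"]) == (vlan, proto, dport):
            return r["prio"]
    return default

def check_capture(lines, rules, default=0):
    """Return (mismatches, skipped): frames with the wrong PCP, unparsed lines."""
    mismatches, skipped = [], 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        vlan, prio, proto, dport = parsed
        want = expected_prio(vlan, proto, dport, rules, default)
        if prio != want:
            mismatches.append({"vlan": vlan, "proto": proto, "dport": dport,
                               "seen": prio, "expected": want})
    return mismatches, skipped

# Assumed policy mirroring the test in the thread: UDP/547 on VLAN 50 gets 6, VLAN default 0.
RULES = [{"vlan": 50, "proto": "UDP", "dport": 547, "prio": 6}]
# First two lines are the captures quoted in the thread; the last two are constructed.
SAMPLE = [
    "09:30:03.304039 68:9e:19:7f:f6:d7 > 00:90:0b:37:a3:24, ethertype 802.1Q (0x8100), length 60: vlan 50, p 6, ethertype IPv4, (tos 0x0, ttl 64, id 62126, offset 0, flags [none], proto UDP (17), length 29) 203.0.113.107.39405 > 203.0.113.1.547: [udp sum ok] dhcp6[|dhcp6]",
    "09:29:04.034393 68:9e:19:7f:f6:d7 > 00:90:0b:37:a3:24, ethertype 802.1Q (0x8100), length 60: vlan 50, p 3, ethertype IPv4, (tos 0x0, ttl 64, id 2870, offset 0, flags [none], proto UDP (17), length 29) 203.0.113.107.49601 > 203.0.113.1.547: [udp sum ok] dhcp6[|dhcp6]",
    "09:31:00.000001 68:9e:19:7f:f6:d7 > 00:90:0b:37:a3:24, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.107.50000 > 203.0.113.1.443: Flags [S], length 0",
    "09:31:01.000001 68:9e:19:7f:f6:d7 > 00:90:0b:37:a3:24, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 101, offset 0, flags [none], proto UDP (17), length 29) 203.0.113.107.40000 > 203.0.113.1.547: [udp sum ok] dhcp6[|dhcp6]",
]
if __name__ == "__main__":
    print(check_capture(SAMPLE, RULES))
```

Under this policy the `p 3` capture is reported as a mismatch, and the untagged frame is counted as skipped rather than silently passing.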
Updated by Kev Willers about 7 years ago
Jim, indeed it was my rule, or at least the order that pfSense rules are ordered in rules.debug.
Full explanation here:
https://forum.pfsense.org/index.php?topic=138995.0
Anyway, I confirm this is now working as designed, thank you.
Updated by Kev Willers about 7 years ago
A pull request has been added to address the issue of dhcp6 VLAN priority requests.