Bug #8379

closed

rules with DSCP never match

Added by erno rubbik about 6 years ago. Updated about 6 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 03/18/2018
% Done: 0%

Description

Hello

I am aware this looks like a duplicate of bug 3726 https://redmine.pfsense.org/issues/3726 but it's not

I carefully tested and I cannot get any DSCP to be matched, tested from 2.3.4 to 2.4.2

my test protocol is to make a simple host matched floating rule (with wizard), stream data with iperf and check the rule is matched. result : this rule matches as expected

adding diffserv EF to the existing rule, flushing the states and stream again with proper iperf3 setting will not match as expected

iperf3 -c x.x.x.x -S 0xB8 <- does not trigger the match with EF added to the rule
ping -Q 184 x.x.x.x <- did not work either

as I got no matching for any diffserv I tested my packets on the REMOTE x.x.x.x host with tcpdump

I can confirm the diffserv is properly set on my packets with this command :

tcpdump -nni enp1s0 -v 'ip[1] & 0xfc == 184' <- gives me plenty output of TOS 0xb8 marked packets incoming

flushing all states will not help, I am now totally puzzled

any rule with DSCP will never be matched

Am I hitting a bug?

Thank you

Actions #1

Updated by erno rubbik about 6 years ago


Actions #2

Updated by Anonymous about 6 years ago


I also encountered this - what debug info can I provide?

I wrote what I've done thus far here: https://forum.pfsense.org/index.php?topic=144362.msg785904#msg785904

Actions #3

Updated by Chris Linstruth about 6 years ago

Could not duplicate on 2.4.2_1:

Set laptop switchport to set dscp 14

Set floating rule to match AF13 and log

@282(1521434373) match in log on igb1.223 inet all dscp 0x38 label "USER_RULE: Match DSCP Test Redmine 8379"

Connected laptop. iperf3 client to pfSense (no server running)

Shell Output - clog /var/log/filter.log | grep 1521434373

Mar 18 22:12:29 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65415,5201,0,S,1436453948,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:22:59 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,52.84.154.170,65418,443,0,S,1320783426,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,61718,0,none,17,udp,76,192.168.223.199,17.253.4.125,63574,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,39080,0,none,17,udp,76,192.168.223.199,17.253.26.125,56859,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,63354,0,none,17,udp,76,192.168.223.199,17.253.4.253,56272,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,17.249.25.246,65419,443,0,S,1108708379,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol

Wireshark on pfSense interface says: Differentiated Services Field: 0x38 (DSCP: AF13, ECN: Not-ECT)


Changed laptop switchport to set dscp 18

Same firewall rule, same iperf test, same laptop

Nothing additional logged:

Shell Output - clog /var/log/filter.log | grep 1521434373

Mar 18 22:12:29 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65415,5201,0,S,1436453948,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:22:59 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,52.84.154.170,65418,443,0,S,1320783426,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,61718,0,none,17,udp,76,192.168.223.199,17.253.4.125,63574,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,39080,0,none,17,udp,76,192.168.223.199,17.253.26.125,56859,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,63354,0,none,17,udp,76,192.168.223.199,17.253.4.253,56272,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,17.249.25.246,65419,443,0,S,1108708379,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol

Wireshark on pfSense interface says: Differentiated Services Field: 0x48 (DSCP: AF21, ECN: Not-ECT)

Probably should take this to the forum and hash out what testing issues you're having. Doesn't look like a malfunction.
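
Added example, not part of the original thread or of pfSense: a small Python parser for the filterlog entries shown above that splits the TOS byte into DSCP and ECN, so the value in a log line (0x38) can be compared against the class a rule names (AF13). The IPv4 field positions are an assumption read off the sample lines in this thread; the function names are hypothetical.

```python
# Added example: decode the TOS/DS byte in pfSense filterlog entries.
# Assumption: IPv4 field positions are read off the sample lines in this thread.

# DSCP code point -> class name (CSx = 8x, AFxy = 8x + 2y, EF = 46).
DSCP_NAMES = {8 * c: f"CS{c}" for c in range(8)}
DSCP_NAMES.update({8 * c + 2 * d: f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)})
DSCP_NAMES[46] = "EF"

# Two entries copied from the log output above (TCP SYN and UDP/NTP).
SAMPLE = [
    'Mar 18 22:12:29 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65415,5201,0,S,1436453948,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol',
    'Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,61718,0,none,17,udp,76,192.168.223.199,17.253.4.125,63574,123,56',
]


def decode_tos(tos):
    """Split the 8-bit TOS/DS byte into (dscp, ecn, class name)."""
    dscp, ecn = (tos & 0xFC) >> 2, tos & 0x03
    return dscp, ecn, DSCP_NAMES.get(dscp, f"DSCP{dscp}")


def parse_filterlog(line):
    """Return key fields of one IPv4 filterlog entry, or None if not parseable."""
    _, marker, csv = line.partition("filterlog: ")
    fields = csv.strip().split(",")
    if not marker or len(fields) < 20 or fields[8] != "4":
        return None
    try:
        tos = int(fields[9], 16)
    except ValueError:
        return None
    dscp, ecn, name = decode_tos(tos)
    return {"tracker": fields[3], "iface": fields[4], "tos": tos, "dscp": dscp,
            "ecn": ecn, "class": name, "proto": fields[16],
            "src": fields[18], "dst": fields[19]}


def hits_for_class(lines, tracker, dscp_class):
    """Entries logged under a rule tracker whose DSCP class is the expected one."""
    parsed = (parse_filterlog(l) for l in lines)
    return [e for e in parsed if e and e["tracker"] == tracker and e["class"] == dscp_class]


if __name__ == "__main__":
    for entry in hits_for_class(SAMPLE, "1521434373", "AF13"):
        print(entry["src"], "->", entry["dst"], entry["proto"], hex(entry["tos"]), entry["class"])
    for tos in (0x38, 0x48, 0xB8):  # values that appear in this thread
        print(hex(tos), decode_tos(tos))
```

The mask 0xFC in `decode_tos` is the same one used in the tcpdump filter in the description: it drops the two ECN bits so that only the six DSCP bits are compared.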

Actions #4

Updated by Anonymous about 6 years ago

Thanks for the followup Chris.
I will do some more testing - I am using VirtIO/vtnet interfaces, is it possible that DSCP matching doesn't work on these?
@erno rubbik what NIC type are you using?

Actions #5

Updated by Chris Linstruth about 6 years ago

This is not a discussion forum. Please start a topic at https://forum.pfsense.org/

I expect this will be closed as #notabug

Actions #6

Updated by Anonymous about 6 years ago

Post removed, apologies, will post in forum.

Edit: Now I understand my mistake, I agree, this is #notabug

Actions #7

Updated by Jim Pingle about 6 years ago

  • Status changed from New to Not a Bug