Bug #8379
Closed
rules with DSCP never match
Description
Hello
I am aware this looks like a duplicate of bug 3726 https://redmine.pfsense.org/issues/3726 but it's not
I carefully tested and I can not get any DSCP to be matched, tested from 2.3.4 to 2.4.2
my test protocol is to make a simple host matched floating rule (with wizard), stream data with iperf and check the rule is matched. result: this rule matches as expected
adding diffserv EF to the existing rule, flushing the states and stream again with proper iperf3 setting will not match as expected
iperf3 -c x.x.x.x -S 0xB8 <- does not trigger the match with EF added to the rule
ping -Q 184 x.x.x.x <- did not work either
as I got no matching for any diffserv I tested my packets on the REMOTE x.x.x.x host with tcpdump
I can confirm the diffserv is properly set on my packets with this command:
tcpdump -nni enp1s0 -v 'ip[1] & 0xfc == 184' <- gives me plenty output of TOS 0xb8 marked packets incoming
flushing all states will not help, I am now totally puzzled
any rule with DSCP will never be matched
Am I hitting a bug?
Thank you
Updated by Anonymous about 6 years ago
erno rubbik wrote:
Hello
I am aware this looks like a duplicate of bug 3726 https://redmine.pfsense.org/issues/3726 but it's not
I carefully tested and I can not get any DSCP to be matched, tested from 2.3.4 to 2.4.2
my test protocol is to make a simple host matched floating rule (with wizard), stream data with iperf and check the rule is matched. result: this rule matches as expected
adding diffserv EF to the existing rule, flushing the states and stream again with proper iperf3 setting will not match as expected
iperf3 -c x.x.x.x -S 0xB8 <- does not trigger the match with EF added to the rule
ping -Q 184 x.x.x.x <- did not work either
as I got no matching for any diffserv I tested my packets on the REMOTE x.x.x.x host with tcpdump
I can confirm the diffserv is properly set on my packets with this command:
tcpdump -nni enp1s0 -v 'ip[1] & 0xfc == 184' <- gives me plenty output of TOS 0xb8 marked packets incoming
flushing all states will not help, I am now totally puzzled
any rule with DSCP will never be matched
Am I hitting a bug?
Thank you
I also encountered this - what debug info can I provide?
I wrote what I've done thus far here: https://forum.pfsense.org/index.php?topic=144362.msg785904#msg785904
Updated by Chris Linstruth about 6 years ago
Could not duplicate on 2.4.2_1:
Set laptop switchport to set dscp 14
Set floating rule to match AF13 and log
@282(1521434373) match in log on igb1.223 inet all dscp 0x38 label "USER_RULE: Match DSCP Test Redmine 8379"
Connected laptop. iperf3 client to pfSense (no server running)
Shell Output - clog /var/log/filter.log | grep 1521434373
Mar 18 22:12:29 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65415,5201,0,S,1436453948,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:22:59 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,52.84.154.170,65418,443,0,S,1320783426,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,61718,0,none,17,udp,76,192.168.223.199,17.253.4.125,63574,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,39080,0,none,17,udp,76,192.168.223.199,17.253.26.125,56859,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,63354,0,none,17,udp,76,192.168.223.199,17.253.4.253,56272,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,17.249.25.246,65419,443,0,S,1108708379,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Wireshark on pfSense interface says: Differentiated Services Field: 0x38 (DSCP: AF13, ECN: Not-ECT)
Changed laptop switchport to set dscp 18
Same firewall rule, same iperf test, same laptop
Nothing additional logged:
Shell Output - clog /var/log/filter.log | grep 1521434373
Mar 18 22:12:29 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65415,5201,0,S,1436453948,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:22:59 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,52.84.154.170,65418,443,0,S,1320783426,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,61718,0,none,17,udp,76,192.168.223.199,17.253.4.125,63574,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,39080,0,none,17,udp,76,192.168.223.199,17.253.26.125,56859,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,63354,0,none,17,udp,76,192.168.223.199,17.253.4.253,56272,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,17.249.25.246,65419,443,0,S,1108708379,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Wireshark on pfSense interface says: Differentiated Services Field: 0x48 (DSCP: AF21, ECN: Not-ECT)
Probably should take this to the forum and hash out what testing issues you're having. Doesn't look like a malfunction.
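The TOS values quoted in this thread (0x38, 0x48, 0xB8 / 184) map to DSCP names by dropping the two low ECN bits; the following added example, which is not part of the original issue or of pfSense, decodes the TOS column of filterlog lines like those above. The column index is an assumption read off the sample lines, and the second sample line is constructed.

```python
# Added example: decode the TOS column of pfSense filterlog lines into DSCP/ECN.
# DSCP code points: class selectors (RFC 2474), AF classes (RFC 2597), EF (RFC 3246).
DSCP_NAMES = {0: "CS0", 46: "EF"}
DSCP_NAMES.update({8 * c: f"CS{c}" for c in range(1, 8)})
DSCP_NAMES.update({8 * c + 2 * d: f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)})
NAME_TO_DSCP = {name: value for value, name in DSCP_NAMES.items()}

TOS_FIELD = 9  # assumption: column index read off the sample lines (the 0x38 value)


def decode_tos(tos):
    """Split the 8-bit TOS/DS byte into (dscp, dscp_name, ecn)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"TOS byte out of range: {tos}")
    dscp = tos >> 2
    return dscp, DSCP_NAMES.get(dscp, f"DSCP{dscp}"), tos & 0x03


def tos_for(name):
    """TOS byte (ECN bits clear) that carries the named DSCP, e.g. for iperf3 -S."""
    return NAME_TO_DSCP[name] << 2


def tcpdump_filter(name):
    """Capture filter for IPv4 packets with this DSCP, ignoring the ECN bits."""
    return f"ip[1] & 0xfc == {tos_for(name)}"


def parse_filterlog(line):
    """Return tracker, interface, addresses and decoded DSCP for an IPv4 line."""
    _, sep, payload = line.partition("filterlog: ")
    fields = payload.split(",")
    if not sep or len(fields) < 20 or fields[8] != "4":
        return None  # not a filterlog line, truncated, or not IPv4
    dscp, name, ecn = decode_tos(int(fields[TOS_FIELD], 16))
    return {"tracker": fields[3], "iface": fields[4], "src": fields[18],
            "dst": fields[19], "dscp": dscp, "name": name, "ecn": ecn}


# First line is copied from the log output above; the second is constructed
# (same layout, TOS changed to 0xb8) to show what an EF-marked packet looks like.
SAMPLES = [
    "Mar 18 22:12:29 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65415,5201,0,S,1436453948,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol",
    "Mar 18 22:30:00 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0xb8,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65420,5201,0,S,1,,65535,,mss",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_filterlog(sample))
    print(tcpdump_filter("EF"))
```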
Updated by Anonymous about 6 years ago
Thanks for the followup Chris.
I will do some more testing - I am using VirtIO/vtnet interfaces, is it possible that DSCP matching doesn't work on these?
@erno rubbik what NIC type are you using?
Updated by Chris Linstruth about 6 years ago
This is not a discussion forum. Please start a topic at https://forum.pfsense.org/
I expect this will be closed as #notabug
Updated by Anonymous about 6 years ago
Post removed, apologies, will post in forum.
Edit: Now I understand my mistake, I agree, this is #notabug