Topics - gac

1
22.7 Legacy Series / Weird states behaviour when using "Inspect"
« on: August 25, 2022, 12:18:18 am »
I have an OPNsense 22.7.2 box where I was trying to debug some traffic.

I have a Floating rule with the settings:
  • Interface: Guest, VPN
  • Direction: In
  • Protocol: IPv4+6 TCP
  • Source: any
  • Destination: ALIAS (The alias contains 2 RFC1918 IPv4 addresses)
  • Port: MS DS (445)
  • Description: server CIFS
On the Floating Rules page, if I push "Inspect" then the UI updates to show me a new "States" column, which shows 1 session. This is as I expect (there is currently one client connected from the VPN interface, so this lines up).

If I click the "1" text, then I get taken to the Firewall/Diagnostics/States screen where there are several matches, one of which is the one I expect, and several of which don't match the criteria. For example, there are matches with the destination port of 80, there are IPv6 matches even though the alias only contains IPv4 addresses, etc. I've attached a couple of screenshots; some redacting has been done, but there's enough to show that these states should not match the rule they claim to be matching.

2
General Discussion / How does the firewall interact with the shaper?
« on: December 21, 2020, 09:47:10 pm »
I'm looking to use the shaping functionality to make for smoother audio calls (like everyone else, I'm working at home...)

The UI for the shaper is "enough", but it's less feature-rich than I might like (ports specified manually, can't use aliases, etc). So one thought I had is simply to create myself some low/med/high priority queues and then configure rules for certain DSCP values which could then be applied by firewall rules. However, to know whether that would work properly depends on how the packets flow through the firewall, which could be (for example):

Code:
ingress --> filter --> shaper --> egress
(this could work because the filter could apply a DSCP class to the packet, the shaper could see it and handle it in the correct queue)

Code:
ingress --> shaper --> filter --> egress
(this could not work because by the time the filter saw the packet to mark it, the shaping decision would have already been made)

So in a system with both packet filtering and shaping enabled, does anyone know what's the order?
