Firewall->Shaper: DSCP EF flag ... not working ?

[bobbis]

Hi,

how does the DSCP inside the Firewall->Shaper works ? I tried to make DNS Queries faster with the "EF" flag but "ipfw -a list" show that the Rules does not work. Opnsense 19.1.8 (amd64 nano)

Code: [Select]

60001    0       0 queue 10002 udp from any to any 53 out dscp af43 via re0 // wan: Q-UL-HighPriority
the Rule:

Code: [Select]

Enabled [x]
Sequence 11
Interface : WAN
Interface 2 none
Proto: udp
Source: any
Invert source [ ]
Src-port: any
Destination: any
Invert destination [ ]
Dst-port: 53
DSCP: Expedited Forwarding <--- the "EF" flag
Direction: out
Target: Q-UL-HighPriority
Description: R-DNS-WANIF-to-WAN

if i remove the "EF" flag, the rule works.

[mimugmail]

EF bit has to be set by switch or server. Set via rule and match on shaper doesnt work

[bobbis]

EF bit has to be set by switch or server. Set via rule and match on shaper doesnt work

if my informations about DSCP are correct then ipfw is setting the DSCP "bit" value(s) on each packet what leaves the specified interface if there is a DSCP ipfw rule!

https://en.wikipedia.org/wiki/Differentiated_services

from man page ->

The setdscp option could be used to (re)mark user traffic, by adding the following to the appropriate place in ruleset:
ipfw add setdscp be ip from any to any dscp af11,af21

https://www.unix.com/man-page/FreeBSD/8/ipfw/

[mimugmail]

Firewall rules are pf, not ipfw, sadly ...

[bobbis]

Firewall rules are pf, not ipfw, sadly ...

both are PacketFilters .... I AM PRETTY SURE THAT YOU WANT READ---> $man ipfw   --> https://www.unix.com/man-page/FreeBSD/8/ipfw/

please stop driving the thread into a wrong direction... thanks

[mimugmail]

oh boy .. you have neither any idea of DSCP, nor ipfw, nor anything.

Ok, my last reply:

on your client, mark dns packets with EF and on OPN do a match on EF with source/dst any.

I implemented this feature and tested heavily ...

[bobbis]

on your client, mark dns packets with EF and on OPN do a match on EF with source/dst any.

ok, maybe i miss understand what you mean or the being DSCP Value on the Shaper/Rules on the opnsense webinterface.
So, that means, if i select the rules as posted on post#1 of this thread, that the Shaper only matches Packets which allready has , as example: the EF "bit", is that correct ? Because I was thinking that it is also possible the set/mark the "DSCP bit" of the IP Packet from the ShaperRule.

[mimugmail]

Yes, maybe you missintrepreted something.
Just a quick recap:

There are two methods to filter in FreeBSD: ipfw and pf (there are some older ones too).
In the beginning pf was the standard and all GUI stuff is based on this. Sadly pf under FreeBSD isn't very active (compared to OpenBSD) and more development goes into ipfw. But the work to rewrite all the GUI stuff would take too much time and is way too error prone since so many ppl use this in very complex ways. Don't get me wrong, pf is still the way to go, no downsides in security. Current shaping technology is only developed on ipfw so the OPN guys build a way to use both, pf for filtering and ipfw for shaping. You can in theory mark packets with DSCP values via pf (firewall rules), but you can't match them afterwards. May I have to recheck this when I find more time, perhaps I didn't test everything.

So in sum, if you want to speed up DNS, you don't need EF, you can just use the rule as a condition to give DNS more weight or bandwidth. The only way where DSCP really makes sense is in big enterprises where edge switches already mark the packets with DSCP. Then you don't need tons of rules to and link them to queues/pipes. You can just have any/any rules with a gives DSCP match.