[Firehol-support] FireQOS source IP matching with SNAT

Phineas Gage phineas919 at gmail.com
Tue Apr 29 14:01:28 BST 2014


Hi,

Is there a way to match packets by source IP before SNAT has been performed?

In my configuration, my Linux router/firewall sits behind an ADSL modem, connected by ethernet. I SNAT everyone on the inside interface to an IP on the external interface before it goes to the modem in my firehol.conf:

ipv4 snat to 10.0.0.139 outface eth1 src 192.168.100.0/24

However, that means that outgoing matches by source address or mask don’t work in fireqos.conf, because the IP has already been NATted to 10.0.0.139, so all outgoing traffic falls through to the adsl/default class (this config is oversimplified for illustration; I am only using groups here because I have them in my config):

interface eth1 eth1-out output rate 100mbit minrate 12kbit ethernet
  class lan ceil 10mbit
     match dst 10.0.0.0/24

  class group adsl commit 387kbit ceil 387kbit adsl remote pppoe-llc
     match all
     class group private commit 60%
        match src 192.168.100.64/26
     class group end
     class group public commit 30% ceil 75%
        match src 192.168.100.0/26
     class group end
  class group end

Is there any way to get around this? I thought about adding the QoS to the internal interface instead, but it doesn’t make as much sense to me conceptually. Thanks for any help...
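The ordering behind the problem is that SNAT happens in the nat table's POSTROUTING chain, and the egress qdisc on eth1 only sees the packet after that rewrite, whereas the mangle table (PREROUTING/FORWARD/POSTROUTING) runs before nat POSTROUTING. The usual way around it is therefore to mark packets while they still carry their LAN source address and have FireQOS classify on the mark rather than on the source IP. The configuration below is an added illustration, not part of the original post or of the FireHOL project's documentation; it assumes the FireHOL `mark` helper in the form `mark <value> <chain> <rule-params>` and the FireQOS `match mark <value>` keyword, and the mark values 1 and 2 are arbitrary. Check firehol-mark(5) and fireqos-match(5) for the syntax of the versions actually installed before relying on it.

```conf
# firehol.conf (added example; mark values 1 and 2 chosen arbitrarily)
# Mark forwarded packets in the mangle table while their source is still
# the LAN address; the SNAT below only happens later, in nat POSTROUTING.
mark 1 FORWARD src 192.168.100.64/26 outface eth1
mark 2 FORWARD src 192.168.100.0/26  outface eth1

ipv4 snat to 10.0.0.139 outface eth1 src 192.168.100.0/24

# fireqos.conf (added example)
# The mark survives the SNAT, so the egress classifier on eth1 can use it
# where a "match src 192.168.100.x/26" would no longer match anything.
interface eth1 eth1-out output rate 100mbit minrate 12kbit ethernet
  class lan ceil 10mbit
     match dst 10.0.0.0/24

  class group adsl commit 387kbit ceil 387kbit adsl remote pppoe-llc
     match all
     class group private commit 60%
        match mark 1
     class group end
     class group public commit 30% ceil 75%
        match mark 2
     class group end
  class group end
```

To confirm the marks are being applied and classified, generate some traffic from a host in each /26 and watch the packet counters with `iptables -t mangle -L FORWARD -v -n` (the two mark rules should count up) and `tc -s class show dev eth1` (the private and public classes should count up instead of the adsl default). Because the two /26 ranges do not overlap, the order of the two mark rules does not matter; if the ranges were nested, the more specific one would have to come first.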
