[Firehol-support] FireQOS source IP matching with SNAT
Phineas Gage
phineas919 at gmail.com
Tue Apr 29 14:01:28 BST 2014
Hi,
Is there a way to match packets by source IP before SNAT has been performed?
In my configuration, my Linux router/firewall sits behind an ADSL modem, connected by ethernet. I SNAT everyone on the inside interface to an IP on the external interface before it goes to the modem in my firehol.conf:
ipv4 snat to 10.0.0.139 outface eth1 src 192.168.100.0/24
However, that means that outgoing matches by source address or mask don’t work in fireqos.conf, because the IP has already been NATted to 10.0.0.139, so all outgoing traffic falls through to the adsl/default class (this config is oversimplified for illustration- only using groups here because I have them in my config):
interface eth1 eth1-out output rate 100mbit minrate 12kbit ethernet
class lan ceil 10mbit
match dst 10.0.0.0/24
class group adsl commit 387kbit ceil 387kbit adsl remote pppoe-llc
match all
class group private commit 60%
match src 192.168.100.64/26
class group end
class group public commit 30% ceil 75%
match src 192.168.100.0/26
class group end
class group end
Is there any way to get around this? I thought about adding QoS rather to the internal interface, but it doesn’t make as much sense to me conceptually. Thanks for any help...
More information about the Firehol-support
mailing list