[Firehol-support] FireQOS source IP matching with SNAT

Phineas Gage phineas919 at gmail.com
Tue Apr 29 14:01:28 BST 2014


Is there a way to match packets by source IP before SNAT has been performed?

In my configuration, my Linux router/firewall sits behind an ADSL modem, connected by ethernet. I SNAT everyone on the inside interface to an IP on the external interface before it goes to the modem in my firehol.conf:

ipv4 snat to outface eth1 src

However, that means that outgoing matches by source address or mask don’t work in fireqos.conf, because the IP has already been NATted to, so all outgoing traffic falls through to the adsl/default class (this config is oversimplified for illustration - only using groups here because I have them in my config):

interface eth1 eth1-out output rate 100mbit minrate 12kbit ethernet
  class lan ceil 10mbit
     match dst

  class group adsl commit 387kbit ceil 387kbit adsl remote pppoe-llc
     match all
     class group private commit 60%
        match src
     class group end
     class group public commit 30% ceil 75%
        match src
     class group end
  class group end

Is there any way to get around this? I thought about adding QoS rather to the internal interface, but it doesn’t make as much sense to me conceptually. Thanks for any help...
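One way to classify by the pre-NAT source address, added here as an illustration and not part of the original post or of the FireHOL project's own documentation: set a packet mark in the mangle table, where the FORWARD chain is traversed before nat POSTROUTING rewrites the source, and let FireQOS match on that mark instead of on the source address. The networks, the external address and the mark values below are constructed placeholders, and the helper syntax used (FireHOL's `mark` helper, FireQOS's `match mark`) is assumed from the tools' manuals; confirm against firehol-mark(5) and fireqos.conf(5) for the installed version before relying on it.

```conf
# firehol.conf (added example; addresses are constructed placeholders)

# Mark forwarded packets by their original source. The mangle FORWARD chain
# runs before nat POSTROUTING, so the source address is still the LAN one.
mark 1 FORWARD src 192.168.1.0/24   outface eth1   # "private" group (assumed range)
mark 2 FORWARD src 198.51.100.0/28  outface eth1   # "public" group (assumed range)

# SNAT happens afterwards in nat POSTROUTING; the mark survives the rewrite.
ipv4 snat to 203.0.113.5 outface eth1 src "192.168.1.0/24 198.51.100.0/28"


# fireqos.conf (added example; matches on the mark instead of on src)
interface eth1 eth1-out output rate 100mbit minrate 12kbit ethernet
  class lan ceil 10mbit
     match dst 192.168.1.0/24                     # assumed LAN range

  class group adsl commit 387kbit ceil 387kbit adsl remote pppoe-llc
     match all
     class group private commit 60%
        match mark 1                              # set by "mark 1 FORWARD" above
     class group end
     class group public commit 30% ceil 75%
        match mark 2                              # set by "mark 2 FORWARD" above
     class group end
  class group end
```

The check that this works is in the counters: with the rules loaded, `iptables -t mangle -L FORWARD -v -n` should show the two MARK rules incrementing as inside hosts send traffic, and `fireqos status eth1-out` should show bytes landing in the `private` and `public` classes rather than only in the `adsl` parent. If the mark bits are already used by another helper on the router (FireHOL's own mark handling or policy routing), pick values from a free range so the two do not overwrite each other.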
