[Firehol-support] FireQOS matching by MAC address

Phineas Gage phineas919 at gmail.com
Mon Aug 18 09:49:56 BST 2014


Thanks Costa, the srcmac and dstmac parameters do seem to work.

But in my situation, I may not be able to use them. The reason is, the MAC address that’s matched is the one after routing has occurred. I shape traffic on eth1, my external interface, and of course, the source and destination MAC addresses for traffic going in and out of eth1 are always the MAC address for eth1.

It would be great if you could match by source or destination IP, MAC address or ports either before or after routing has occurred. Earlier this year, I had to stop using NAT on my firewall/router in order for IP based classification to work right, then add a static route on my ADSL modem for the return traffic. This is working, but it doesn’t help when trying to classify traffic by MAC address.

The only other way I can think to do this is to shape on the internal interface, eth0. I could classify by IP or MAC address pre-routing, but that would also mean I’m effectively using IFB for my outgoing Internet traffic, which is counterintuitive, and I don’t know the implications of doing it.


Also, it took me a while to test this out, because I was at first confused by a few rules I had added to firehol a couple days ago for OpenVPN, which caused my traffic to be classified incorrectly:

interface tun0 vpn                            
    server all accept
    client all accept

router4 internet2vpn inface eth1 outface tun0
    route all accept

router4 vpn2internet inface tun0 outface eth1
    route all accept

For some reason, ALL traffic was then masqueraded, even traffic from the eth0 interface, and not just traffic from the tun0 interface, so my “match src $ip_address” and “match dst $ip_address” rules weren’t working. Once I removed those “router4” rules, which I only need in a limited case anyway, everything was fine again. Is this a bug, or do I not understand something? (We can start a separate thread on this if that’s better).

On Aug 17, 2014, at 5:34 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:

> Hi Phineas,
> I just pushed a version of fireqos that support srcmac and dstmac parameters.
> I cannot test it. I just verified the rules are accepted by the kernel.
> As always you can add multiple MAC addresses in a single parameter, enclosed in quotes.
> Could you please test it and report back success or failure?
> I generated rules according to http://www.docum.org/faq/cache/62.html
> Thanks.
> Costa
> On Sun, Aug 17, 2014 at 3:49 PM, Phineas Gage <phineas919 at gmail.com> wrote:
> It would be nice to be able to create a “match” rule in FireQOS to match traffic by MAC address.
> I’m interested in this because we’ll be transitioning to a dual-stack network with both IPv4 and IPv6 support. Currently, we assign IPv4 addresses using DHCP (some are assigned fixed addresses, and others put into different pools), then in fireqos.conf classify using “match src” and “match dst” rules with IP addresses. I know this isn’t bulletproof, but since I control all of the hosts, it works. With IPv6, we'll get a /64 address from our ISP, which can’t be subnetted further, and I suppose we’ll be using SLAAC instead of DHCP (haven’t sorted that out yet). So, the only way I can think of to do traffic classification on a per-host basis is using the MAC address.
> Anything I’m missing?
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20140818/028f0ca7/attachment-0003.html>

More information about the Firehol-support mailing list