Floating Rules order in pfSense


I am using pfSense as my firewall and I have setup pfBlockerNG as well.
I also have the traffic shaper enabled with limiters for bufferbloat fix (FQ_CoDel Queues)

The thing is that under the IP section of pfBlockerNG -> IP Interface/Rules Configuration -> Firewall ‘Auto’ Rule Order, the order is set to the default -> | pfB_Block/Reject | All other Rules | (original format)

with this being set, every time the cron runs the IP rules are ordered to the top of the list and my bufferbloat rule is re-ordered just below the set of pfBlockerNG rules.

Previously i manually set the bufferbloat rule to be at the top, but now everytime this gets reordered

I have run tests using the http://www.dslreports.com/ and the order of the rules does effect my bufferbloat rating, as when the rule is on top i get an A+ but when the cron resets the rules and i retest, the ratings drop to an A or lower

is it possible to make a custom order like bufferbloat_fix | pfB_Block/Reject | All other Rules | (original format) ?


permanently fix a set of rules to be at the top of the floating rules list?

i can change the order to something like pfSense pass/match | pfB_Block/Reject | All other Rules | (original format)
but this would mean that the non pfBlocker rules will take precedence. Which i do not want for all rules
i just want the bufferbloat rule to have precedence over all other rules

I don’t think there is a way but I don’t have any issues with the rule at the bottom.

1 Like

Hey Tom,

I have made a workaround since I made this post
I have disabled the floating rule creation for IP under DNSBL
So, all my IP blocking/permit rules are now moved to their individual interfaces.
Since the floating rules always get executed before the interface rules (I read this somewhere I cannot recall), I am back to the solid A+ on my bufferbloat ratings.

the only downside is in case I decide to change the IP rule sets, I would need to do more work on all my interfaces.

1 Like