ClearOS Bug Tracker

ID: 0017391
Project: ClearOS
Category: app-firewall - Firewall
View Status: public
Date Submitted: 2017-10-05 13:40
Last Update: 2018-02-27 14:32
Assigned To: dsokoloski
Priority: normal
Severity: minor
Reproducibility: have not tried
Platform:
OS:
OS Version:
Product Version: 7.3.1
Target Version: 7.5.0
Fixed in Version:
Summary: 0017391: IPsec marking method is old school and conflicts with QoS
Description: The IPsec handling in the firewall uses an old marking method to get traffic flowing. This handling can be improved so that it does not interfere with QoS.
Tags: No tags attached.

-  Notes
pbaldwin (administrator)
2018-02-20 11:46

From a customer:

To recreate the issue:
Establish a VPN connection between two systems. Ensure Bandwidth Engine is disabled while this occurs & that firewall rules for both IPSEC Traffic & webconfig ports are enabled.

Once you have established a VPN connection, then access the web interface of the source system from the host. You will find that it all goes through fine.

Now this has been completed, turn the Bandwidth Engine on, wait for it to update, then attempt the connection to the webconfig of the source system from the host machine.

You will find that there is a rule being generated somewhere that is somehow blocking webconfig access when the bandwidth engine is enabled. Disabling the Bandwidth Engine almost immediately restores access.
NickH (reporter)
2018-02-27 14:32

On the Libreswan and Openswan mailing lists, I've never seen marking packets in the mangle table mentioned, so I tried removing the marking at my end:
iptables -D PREROUTING -t mangle -p esp -j MARK --set-mark 0x64
I tested to the dogfood server and was still able to transfer files with WinSCP to and from my Desktop through the tunnel to the remote server. The server has no LAN attached so I can't test further.
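
One way to check a gateway for this kind of clash, as an added example (not ClearOS code and not part of the notes above): parse `iptables-save -t mangle` output and flag MARK rules that rewrite the whole 32-bit mark or share mark bits with rules in another chain. The sample dump is constructed, the `QOS_CLASSIFY` chain and its masks are hypothetical, and that the Bandwidth Engine classifies traffic by packet mark is an assumption.

```python
import shlex

# Constructed sample of `iptables-save -t mangle` output. The ESP rule is the one
# from the note above (iptables-save prints "--set-mark 0x64" as
# "--set-xmark 0x64/0xffffffff"); the QOS_CLASSIFY chain is hypothetical.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:QOS_CLASSIFY - [0:0]
-A PREROUTING -p esp -j MARK --set-xmark 0x64/0xffffffff
-A PREROUTING -j QOS_CLASSIFY
-A QOS_CLASSIFY -p tcp -m tcp --dport 81 -j MARK --set-xmark 0x300/0xff00
-A QOS_CLASSIFY -p udp -j MARK --set-xmark 0x400/0xff00
COMMIT
"""

def parse_mark_rules(text):
    """Return (chain, value, mask, rule) for every -j MARK rule in the dump."""
    rules = []
    for line in text.splitlines():
        args = shlex.split(line)
        if len(args) < 2 or args[0] != "-A" or "MARK" not in args:
            continue
        for opt in ("--set-xmark", "--set-mark"):
            if opt in args:
                value, _, mask = args[args.index(opt) + 1].partition("/")
                # With no mask, iptables assumes 0xFFFFFFFF: the whole mark is replaced.
                rules.append((args[1], int(value, 0), int(mask or "0xffffffff", 0), line))
    return rules

def full_mark_writers(rules):
    """Rules that overwrite all 32 bits, clobbering any other subsystem's mark."""
    return [rule for _, _, mask, rule in rules if mask == 0xFFFFFFFF]

def find_conflicts(rules):
    """Pair up rules from different chains whose masks touch the same mark bits."""
    conflicts = []
    for i, (chain_a, _, mask_a, rule_a) in enumerate(rules):
        for chain_b, _, mask_b, rule_b in rules[i + 1:]:
            if chain_a != chain_b and mask_a & mask_b:
                conflicts.append((rule_a, rule_b, mask_a & mask_b))
    return conflicts

if __name__ == "__main__":
    parsed = parse_mark_rules(SAMPLE)
    for rule in full_mark_writers(parsed):
        print("overwrites whole mark:", rule)
    for a, b, bits in find_conflicts(parsed):
        print(f"shared bits {bits:#x}:\n  {a}\n  {b}")
```

On a live system the same functions can be fed the real dump in place of `SAMPLE`; a reported pair is a candidate for review, not proof that traffic is being misclassified.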

- Issue History
Date Modified Username Field Change
2017-10-05 13:40 pbaldwin New Issue
2017-10-05 13:40 pbaldwin Assigned To => dloper
2017-10-05 13:40 pbaldwin Status new => assigned
2017-10-05 13:40 pbaldwin Assigned To dloper => dsokoloski
2018-02-12 10:06 pbaldwin Target Version 7.4.0 Updates =>
2018-02-20 11:46 pbaldwin Target Version => 7.5.0
2018-02-20 11:46 pbaldwin Note Added: 0007151
2018-02-27 14:32 NickH Note Added: 0007191