Firewall Rule Action High/Low priorities missing

System version NethServer release 7.8.2003 (final)
Kernel release 3.10.0-1127.19.1.el7.x86_64

Any idea why I'm not seeing “Priority Low” and “Priority High” options when defining the Action for the firewall rules? I see this on a separate installation but not on this server, and have no idea why!

Is the separate installation the same version? I also didn’t see low and high priority, but I can choose where to create the rule, at the bottom or the top.

If you want to sort the rules after creating them, you can do it by drag and drop by clicking the three lines.

@alpreseidente
Did you solve it?


Hi Michael, I'm afraid I haven't yet, and wanted to check I properly understood firewalls (I don't) because your response confused me! The reason for this is that I was asking about High Priority/Low Priority options for the rule action and you reference the ordering of the rules top/bottom. I had seen these as distinct properties because it makes no sense for me to be offered the opportunity to configure each one separately if they are one and the same!.. As I say I'm not an expert so will continue reading up and posting here! Strangely, when I look at the new firewall menu (console:9090) for this server I don't seem to get the high/low priority option, so I'm somewhat confused by that too!..

Sorry for confusing you, I thought you meant the priority of processing the rules; rules at the top are processed before the ones at the bottom.
What you are searching for you can find at traffic shaping, I think.

Hope this is a better answer to your problem.


Also @alpreseidente: I suggest you use Cockpit instead of NethGui (port 9090), because the second one will soon become unavailable as the default in new installs.

If a rule should be applied a lot of times, the higher it is in the order, the better the performance will be.

Thanks Michael, no problem, appreciate your input! But yes, traffic shaping is my mission here. I'm trying to understand how to apply traffic shaping and am currently struggling to make sense of it… The task at hand is to create a point-to-point VPN between 2 NethServers (to allow offsite backups and other “admin”), but I want to be able to control/limit the available WAN bandwidth to this VPN so that it doesn't adversely impact local users' WAN bandwidth.

Every VPN has its own port and destination/source… :wink:

I know you are telling me something but I may not be sharp enough to understand!.. Are you saying I can limit/control the bandwidth allocated to a permanent VPN tunnel connection, and if so, what are the steps I need to take? So for instance, I've created a VPN tunnel over UDP port 1300 and I want it to never use more than 10% of WAN available bandwidth (or x Mb/s if that's easier to show by example).

I essentially haven't got my head around the implementation of traffic shaping and am looking for a working example to reference.

I’ve no reference, but I think I can explain it to you.
First create a new class at traffic shaping.
(screenshot: traffic_shaping_create_class)

After that you can create two rules, one for outgoing traffic and one for incoming traffic.

(screenshot: vpn_out)

(screenshot: vpn_in)

I think this should be your solution, but I have to say, I never used it.

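For readers who want to see what the “one class, two rules” setup above boils down to on the wire, here is an added example that is not from the thread and not NethServer's own traffic shaper: it does the same job with plain Linux `tc` (HTB for upload, a policer for download) for a tunnel on UDP port 1300. The interface name `eth0`, the 20 Mbit/50 Mbit link speeds and the 10% share are assumptions; NethServer's UI generates its own shaping rules, so treat this as a way to understand and test the idea rather than as something to run alongside the UI on the same interface.

```shell
#!/bin/sh
# Added example (not from the thread and not NethServer's shaper): cap an
# OpenVPN tunnel on UDP port 1300 to a fixed share of WAN bandwidth with plain
# Linux tc. Assumptions: the red (WAN) interface is eth0, link speeds are
# given in kbit and 10% is the share the tunnel may use. By default the
# commands are only printed (DRY_RUN=1); run as root with DRY_RUN=0 to apply.

# Tunnel ceiling in kbit from the link rate and a percentage share.
share_kbit() {                      # share_kbit <link_kbit> <percent>
    echo $(( $1 * $2 / 100 ))
}

# Egress (upload) shaping: HTB root, a default class that may use the whole
# link, and a child class for the tunnel whose ceil is the computed cap.
# Filters match both directions of the tunnel, because the local box may be
# the OpenVPN server (dport 1300) or the client (sport 1300).
egress_cmds() {                     # egress_cmds <if> <link_kbit> <port> <percent>
    _if=$1; _link=$2; _port=$3; _cap=$(share_kbit "$2" "$4")
    _rest=$(( _link - _cap ))
    cat <<EOF
tc qdisc add dev $_if root handle 1: htb default 10
tc class add dev $_if parent 1: classid 1:1 htb rate ${_link}kbit ceil ${_link}kbit
tc class add dev $_if parent 1:1 classid 1:10 htb rate ${_rest}kbit ceil ${_link}kbit
tc class add dev $_if parent 1:1 classid 1:20 htb rate ${_cap}kbit ceil ${_cap}kbit
tc filter add dev $_if parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport $_port 0xffff flowid 1:20
tc filter add dev $_if parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip sport $_port 0xffff flowid 1:20
EOF
}

# Ingress (download) cannot be queued on the receiving side, only policed:
# packets above the cap are dropped and the remote sender backs off.
ingress_cmds() {                    # ingress_cmds <if> <link_kbit> <port> <percent>
    _if=$1; _port=$3; _cap=$(share_kbit "$2" "$4")
    cat <<EOF
tc qdisc add dev $_if handle ffff: ingress
tc filter add dev $_if parent ffff: protocol ip prio 1 u32 match ip protocol 17 0xff match ip sport $_port 0xffff police rate ${_cap}kbit burst 64k drop flowid :1
tc filter add dev $_if parent ffff: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport $_port 0xffff police rate ${_cap}kbit burst 64k drop flowid :1
EOF
}

# Remove both qdiscs (and everything under them) before re-applying.
reset_cmds() {                      # reset_cmds <if>
    printf 'tc qdisc del dev %s root\ntc qdisc del dev %s ingress\n' "$1" "$1"
}

# Print or execute the generated commands, one per line.
run_cmds() {
    while IFS= read -r _cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$_cmd"; else $_cmd; fi
    done
}

# Whole procedure for one interface: reset, then shape upload and police download.
apply_shaping() {                   # apply_shaping <if> <up_kbit> <down_kbit> <port> <percent>
    reset_cmds "$1" | run_cmds 2>/dev/null
    egress_cmds "$1" "$2" "$4" "$5" | run_cmds
    ingress_cmds "$1" "$3" "$4" "$5" | run_cmds
}

# Values assumed for the thread's setup: 20 Mbit up, 50 Mbit down, 10% for UDP 1300.
if [ "${VPN_SHAPE_MAIN:-0}" = 1 ]; then
    apply_shaping "${WAN_IF:-eth0}" 20000 50000 1300 10
fi
```

Two points the thread's UI discussion leaves implicit: the match is on the tunnel's UDP port on the WAN interface, not on the green or VPN-subnet addresses (those only exist inside the tunnel, so a shaper on the WAN side never sees them), and the download direction can only be policed, so expect drops rather than smooth queueing there. After applying with `DRY_RUN=0`, `tc -s class show dev eth0` shows the byte counters of class 1:20 growing while the sftp test runs.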

Yes, that makes sense - the config of a class in association with a rule was the bit I was struggling to pull together, perhaps due to the old :980 interface, but what you say looks deployable so I'll give it a go!.. Thanks again for your efforts here.

Hi Michael, I've had a play with your config above and not been able to get the result I wanted, i.e. throttling the VPN connection. I've been running tests from one NethServer to the other (via VPN tunnel) using sftp to get and put a large file in either direction (there are obviously more sophisticated methods, but this is crudely indicative).

Things I need more certainty of are Source IP, Destination IP and Service. For instance, I have used the green interface IP of each NethServer on the basis that these are the interfaces described within the VPN config; is this correct, or should I be using the addresses from the VPN subnet? (I've tried many variants without success.) You mention UDP as the service; I wasn't able to specify this and have opted for “any” on the basis that I'm happy to throttle all comms between these 2 servers… The VPN tunnel has been configured as “subnet” not “P2P” because I can't get “P2P” communication to work (I would prefer P2P because it seems to me more targeted and easier to diagnose).

Ultimately here I'm going to throw out the challenge to someone: “(1) set up a VPN between 2 NethServers on separate public IPs. (2) demonstrate the ability to throttle the traffic between these 2 servers”. I appreciate people have better things to do, but sometimes it's nice to have a challenge! :wink:

I think you have to use the VPN subnet. Did you try it also?

I believe I did, yes, although it seemed odd to me writing a rule that had the same source (VPN subnet) as destination (VPN subnet).

@support_team
Any other idea?

Sorry, of course I meant the IP of the servers at the VPN subnet. For example: 10.10.5.1 (Server 1) and 10.10.5.2 (Server 2).

Hi Michael, the problem I have with specifying the VPN IP is that the configuration (shown below) specifies a subnet for the VPN network, the implication being that there are no specified IP addresses. I could obviously use the IP addresses that have been taken (.1 and .2), but this does not seem like a robust approach.

I only set up road warrior till now; can't you give a VPN server/client a fixed IP? Perhaps with a template.

cc @support_team

@m.traeumner
@alpreseidente

Hi Michael

You actually can give a Server for a Site2Site OpenVPN connection a “fixed” IP.
Same as for clients in a RoadWarrior environment.

The basis is a server-side reservation for that specific OpenVPN client.

Here is a (German) screenshot from a RoadWarrior setup with “fixed” IPs for each client.

(This NethServer is in the cloud, the Site2Site OpenVPN is not set up yet, as the site is not quite ready yet…)

My 2 cents
Andy

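What Andy's “server-side reservation” looks like under the hood, as an added example that is not from the thread and not NethServer's own template: OpenVPN's `client-config-dir` holds one file per client certificate CN, and an `ifconfig-push` line in it pins that client's tunnel address. The ccd path, the client CN `site2.example.org` and the 10.10.5.0/24 tunnel subnet are assumptions, and the netmask form of `ifconfig-push` assumes the server runs with `topology subnet`.

```shell
#!/bin/sh
# Added example (not from the thread, not NethServer's own template): give a
# site-to-site OpenVPN peer a fixed tunnel address through a server-side
# reservation in OpenVPN's client-config-dir (ccd). The ccd path, the client
# certificate CN and the 10.10.5.0/24 tunnel subnet are assumptions.

# True if <ip> lies inside the /24 that <network> (e.g. 10.10.5.0) names;
# that is the range "server 10.10.5.0 255.255.255.0" hands out.
in_subnet24() {                     # in_subnet24 <ip> <network>
    [ "${1%.*}" = "${2%.*}" ]
}

# ccd entry text. With "topology subnet" the second ifconfig-push argument is
# the netmask; with the default net30 topology it would be the /30 peer
# address instead, so check the server's topology before copying this.
ccd_entry() {                       # ccd_entry <tunnel_ip> <netmask>
    printf 'ifconfig-push %s %s\n' "$1" "$2"
}

# Write the reservation. The file name must be exactly the client's
# certificate CN; with any other name OpenVPN finds no ccd file and the client
# gets a pool address as before. Refuses addresses outside the pool's subnet
# and the network's .1, which the server takes for itself.
write_ccd() {                       # write_ccd <ccd_dir> <client_cn> <tunnel_ip> <network> <netmask>
    _dir=$1; _cn=$2; _ip=$3; _net=$4; _mask=$5
    in_subnet24 "$_ip" "$_net" || { echo "refusing $_ip: not in ${_net}/24" >&2; return 1; }
    [ "$_ip" != "${_net%.*}.1" ] || { echo "refusing $_ip: reserved for the server" >&2; return 1; }
    mkdir -p "$_dir"
    ccd_entry "$_ip" "$_mask" > "$_dir/$_cn"
    chmod 0640 "$_dir/$_cn"
}

# The server config needs both directives for the ccd entry to take effect.
server_directives_present() {       # server_directives_present <server.conf>
    grep -q '^client-config-dir ' "$1" && grep -q '^topology subnet' "$1"
}

# Assumed values for the thread's setup: server 1 is 10.10.5.1, the second
# site's certificate CN is site2.example.org and it should always get .2.
if [ "${CCD_MAIN:-0}" = 1 ]; then
    write_ccd "${CCD_DIR:-/etc/openvpn/ccd}" site2.example.org 10.10.5.2 10.10.5.0 255.255.255.0 \
        && echo "reservation written; reload the server or wait for the next reconnect"
fi
```

Once the peer always comes up as 10.10.5.2, the shaping rule in the thread can use that address as its source/destination without the “robust approach” worry raised earlier. On NethServer the OpenVPN files are generated from templates, so a hand-written ccd file should go through a custom template or the UI's per-client address field rather than be dropped into the directory directly, or the next template expansion will overwrite it.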