

Messages - mislav

1
OpenVPN / Re: Openvpn + freeradius - unable to log in into VPN
« on: February 13, 2018, 02:38:19 am »
It says PAP indeed, I've checked.

Unprintable characters are also something that bothers me, because the OTP-generated password is 6 characters long and contains only lower/upper-case letters and numbers, not a single special character.

What I've noticed is that after the 2.3.x to 2.4.x upgrade the freeradius package was somehow gone - version 2 was used and it was no longer available in the package list. Instead, it was replaced by freeradius version 3, which I had to install - I guess something went wrong there? Shall I try to completely remove all freeradius users, their CAs and everything connected with that, and create them from scratch? But I'm not sure if that will work, since I tried to create two completely new users - one with OTP, one with a cleartext password - and in both cases login didn't work (as long as freeradius was the authentication backend).

2
OpenVPN / Re: Openvpn + freeradius - unable to log in into VPN
« on: February 09, 2018, 01:08:37 am »
Any ideas? None of the clients are able to log in to the VPN; we have serious problems with this freeradius. As a temporary solution, we've switched to the local database as the auth backend on the VPN server.

3
OpenVPN / Openvpn + freeradius - unable to log in into VPN
« on: February 06, 2018, 07:04:39 pm »
Hi. Today I upgraded my pfsense machine from 2.3.x to 2.4.2, and after this update our openvpn + freeradius has stopped working. Any ideas why?

I've tried both with existing user logins (both mOTP and plain text password) and with creating NEW user credentials - the result is the same - unable to log in to the VPN.

I've attached all the messages I got when running freeradius in debug mode:
/usr/local/etc/rc.d/radiusd debug

Also, on the dashboard, I've noticed under VPN there is always this message when connecting:
[error]   Unable to contact daemon0   Service not running?

Here is also the output from the Viscosity client connection log:
Quote
vlj 07 1:53:07: State changed to Connecting
vlj 07 1:53:07: Viscosity Windows 1.7.6 (1540)
vlj 07 1:53:07: Running on Microsoft Windows 7 Ultimate
vlj 07 1:53:07: Running on .NET Framework Version 4.5.51209.379893
vlj 07 1:53:07: Bringing up interface...
vlj 07 1:53:07: Checking reachability status of connection...
vlj 07 1:53:07: Connection is reachable. Starting connection attempt.
vlj 07 1:53:07: OpenVPN 2.4.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 19 2017
vlj 07 1:53:07: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.09
vlj 07 1:53:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
vlj 07 1:53:33: TCP/UDP: Preserving recently used remote address: [AF_INET]HIDDENIP:1191
vlj 07 1:53:33: Attempting to establish TCP connection with [AF_INET]HIDDENIP:1191 [nonblock]
vlj 07 1:53:34: TCP connection established with [AF_INET]HIDDENIP:1191
vlj 07 1:53:34: TCP_CLIENT link local (bound): [AF_INET][undef]:0
vlj 07 1:53:34: TCP_CLIENT link remote: [AF_INET]HIDDENIP:1191
vlj 07 1:53:34: State changed to Authenticating
vlj 07 1:53:36: [vpn1_ssl_2017] Peer Connection Initiated with [AF_INET]HIDDENIP:1191
vlj 07 1:53:37: State changed to Connecting
vlj 07 1:53:37: AUTH: Received control message: AUTH_FAILED
vlj 07 1:53:41: SIGUSR1[soft,auth-failure] received, process restarting
vlj 07 1:53:41: State changed to Connecting
vlj 07 1:53:42: State changed to Disconnecting
vlj 07 1:53:42: ERROR: could not read Auth username

Is there anything else needed?

4
Firewalling / Re: RST package info - firewall
« on: October 05, 2017, 03:52:54 pm »
Thank you!

5
Firewalling / Re: RST package info - firewall
« on: October 05, 2017, 02:03:11 am »
Could it be that it's set by default? If not, then I probably set it for some unknown reason a few years back when I was configuring this. Meanwhile new interfaces were added and everybody forgot about this option. The server is in the "cloud" and I have around 6-7 NICs added, so every interface is like em0, em1, em2, etc. (or eth0, however you prefer) - they're not added as 1 interface and then eth0, eth0:0, eth0:1, eth0:2 - this is not the case. But anyway, I'm starting to see these RST packets inside pfsense now, so I guess this did the trick anyway.
Thank you very much for the patience and guidance!

6
Firewalling / Re: RST package info - firewall
« on: October 04, 2017, 02:51:07 am »
Thank you all for having patience with me on this one, I really appreciate it.

The latest changes did something and now I've no idea what is going on there anymore. I went to "System-Advanced-Firewall & NAT" and I disabled the option under Static route filtering - "Bypass firewall rules for traffic on the same interface".

Now, after disabling this, I was able to see this RST traffic both with tcpdump and directly inside pfsense (Status -> System Logs -> Firewall -> Normal View) - and now it makes no difference whether I disable or enable this option under advanced settings - I now notice this traffic, as if this change triggered something that was not there before (as per your suggestion, the traffic went directly from 30 to 20, no routers or anything in between, direct communication between the LAN machine and pfsense). I even notice these RST packets now as blocked traffic in my complicated setup with gateways/routes that I was trying to explain.

So, I'm confused now! One thing that I noticed is messages in the general log, "promiscuous mode enabled/disabled" - I don't think I was seeing this before; could this have some effect?

7
Firewalling / Re: RST package info - firewall
« on: October 03, 2017, 02:02:03 am »
"- static route is defined to connect additional local network 10.0.40.0/24 - gateway is interface A"

What?

Please draw up this network.. You said wan to wan over public.. But then you're not showing anything like that..

So your 10.0.40 is downstream of 10.0.20.. And you have some client sending packets to 10.0.20 to be looped back to 10.0.40?

The network there is too complex to draw and you wouldn't understand what is what. The problem is that RST is not logged on the pfsense, although it should be if you set such a firewall rule on the pfsense - to log all traffic with all TCP flags. Correct?

There is an additional router between 10.0.20.0/24 and 10.0.40.0/24 which routes this traffic and enables us to even connect there. pfsense doesn't see this traffic by default; that's why the static route is there. Without that route, my test machine wouldn't see this network.

I might have confused you a bit with this; I went into too much detail about our environment. Imagine any combination you like of local LANs and local interfaces - the main point is that in every scenario the traffic will go through pfsense, because pfsense is always the default gateway for all machines. There is no direct access between machines, no direct connectivity from WAN or to the internet - all internal LAN traffic, incoming/outgoing, will always go through pfsense (pfsense has a separate interface for every LAN network).

8
Firewalling / Re: RST package info - firewall
« on: October 02, 2017, 06:56:29 am »
This test machine has no rules set, so I allow all outgoing traffic from it - for testing purposes. This connectivity is indeed done from WAN to WAN, and tcpdump is empty here.

These RST packets I mentioned that are "getting" through are from LAN traffic in the pfsense environment. Here is the packet flow:
1) on the pfsense I have multiple LAN interfaces with different networks - for this example I will try to provide you with as many details as possible
- there is network 10.0.20.0/24 - interface A on the pfsense (gateway 10.0.20.2)
- there is network 10.0.30.0/24 - interface B on the pfsense (gateway 10.0.30.2)
- static route is defined to connect additional local network 10.0.40.0/24 - gateway is interface A

My LAN machine in the 10.0.30.0/24 network has IP 10.0.30.150 with its default gateway set to pfsense - interface B - 10.0.30.2. So, when I request something on 10.0.40.0/24, it goes through that static route/interface A. From my point of view, this goes through a different interface and the rules shouldn't be bypassed, correct?

Quote
No.     Time                       Source                Destination           Protocol Length Info
      1 2017-09-29 11:59:48.906297 10.0.30.150           10.0.40.2             TCP      54     443→15863 [RST] Seq=1 Win=0 Len=0

Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: Vmware_01:2b:2c (00:50:56:01:2b:2c), Dst: Vmware_01:09:86 (00:50:56:01:09:86)
Internet Protocol Version 4, Src: 10.0.30.150 (10.0.30.150), Dst: 10.0.40.2 (10.0.40.2)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 15863 (15863), Seq: 1, Len: 0

No.     Time                       Source                Destination           Protocol Length Info
      2 2017-09-29 11:59:48.906311 10.0.30.150           10.0.40.2             TCP      54     443→15863 [RST] Seq=1 Win=0 Len=0

Frame 2: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: Vmware_01:2b:2c (00:50:56:01:2b:2c), Dst: Vmware_01:09:86 (00:50:56:01:09:86)
Internet Protocol Version 4, Src: 10.0.30.150 (10.0.30.150), Dst: 10.0.40.2 (10.0.40.2)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 15863 (15863), Seq: 1, Len: 0

No.     Time                       Source                Destination           Protocol Length Info
      3 2017-09-29 11:59:48.909711 10.0.30.150           10.0.40.2             TCP      54     443→15863 [RST] Seq=1 Win=0 Len=0

Frame 3: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: Vmware_01:2b:2c (00:50:56:01:2b:2c), Dst: Vmware_01:09:86 (00:50:56:01:09:86)
Internet Protocol Version 4, Src: 10.0.30.150 (10.0.30.150), Dst: 10.0.40.2 (10.0.40.2)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 15863 (15863), Seq: 1, Len: 0

No.     Time                       Source                Destination           Protocol Length Info
      4 2017-09-29 11:59:48.909770 10.0.30.150           10.0.40.2             TCP      54     443→15863 [RST] Seq=1 Win=0 Len=0

Frame 4: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: Vmware_01:2b:2c (00:50:56:01:2b:2c), Dst: Vmware_01:09:86 (00:50:56:01:09:86)
Internet Protocol Version 4, Src: 10.0.30.150 (10.0.30.150), Dst: 10.0.40.2 (10.0.40.2)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 15863 (15863), Seq: 1, Len: 0

There is no rule in pfsense to allow this, but on the firewall 10.0.40.1 we are able to see these RST packets. I also tried to capture this by setting a firewall rule matching my source IP to the destination with flags set to any TCP flag, and nothing. Also, tcpdump is empty there.

9
Firewalling / Re: RST package info - firewall
« on: October 02, 2017, 01:59:26 am »
So you saw the traffic on pfsense via tcpdump?

No, I didn't.

This test was done from "my LAN" to WAN; it was done from my LAN - 192.168.0.197 as seen there - this is my local IP in the office, which translates to the public IP my internet provider gives me - and I run the test against the WAN IP of pfsense. So the connection is made WAN to WAN - pfsense is not in the office, but in a datacenter in a different country.

10
Firewalling / Re: RST package info - firewall
« on: September 29, 2017, 04:45:18 am »
Hi. Thanks for the answers.

@jimp - I did send RST without an existing state and this was not logged, even though there is a firewall rule matching my IP with TCP flags set to any. (I've tried with protocol set to ANY and protocol set only to TCP - of course, with TCP flags set to any.)

Is this what you were wondering about:
- from my local PC I do e.g. this (PUBLIC_IP is just the pfsense public IP)
Quote
# hping3 --rst -p 40001 PUBLIC_IP -c 10
HPING PUBLIC_IP (eth0 PUBLIC_IP): R set, 40 headers + 0 data bytes

--- PUBLIC_IP hping statistic ---
10 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

This is tcpdump from my local PC:
Quote
# tcpdump -vvv -nn -s 0 'dst host PUBLIC_IP and dst port 40001'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:36:09.645081 IP (tos 0x0, ttl 64, id 4003, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1592 > PUBLIC_IP.40001: Flags [R], cksum 0x34ed (correct), seq 224770321, win 512, length 0
11:36:10.645209 IP (tos 0x0, ttl 64, id 19166, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1593 > PUBLIC_IP.40001: Flags [R], cksum 0x99e6 (correct), seq 1423098205, win 512, length 0
11:36:11.645306 IP (tos 0x0, ttl 64, id 35851, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1594 > PUBLIC_IP.40001: Flags [R], cksum 0x69cd (correct), seq 670192973, win 512, length 0
11:36:12.645384 IP (tos 0x0, ttl 64, id 3872, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1595 > PUBLIC_IP.40001: Flags [R], cksum 0x3eed (correct), seq 1701932750, win 512, length 0
11:36:13.645457 IP (tos 0x0, ttl 64, id 55838, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1596 > PUBLIC_IP.40001: Flags [R], cksum 0x1310 (correct), seq 94386705, win 512, length 0
11:36:14.645533 IP (tos 0x0, ttl 64, id 52380, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1597 > PUBLIC_IP.40001: Flags [R], cksum 0xc76e (correct), seq 1068820496, win 512, length 0
11:36:15.645655 IP (tos 0x0, ttl 64, id 9012, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1598 > PUBLIC_IP.40001: Flags [R], cksum 0xa4fc (correct), seq 1610255996, win 512, length 0
11:36:16.645747 IP (tos 0x0, ttl 64, id 5257, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1599 > PUBLIC_IP.40001: Flags [R], cksum 0x5f20 (correct), seq 1938617573, win 512, length 0
11:36:17.645829 IP (tos 0x0, ttl 64, id 33973, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1600 > PUBLIC_IP.40001: Flags [R], cksum 0x6e46 (correct), seq 498511497, win 512, length 0
11:36:18.645912 IP (tos 0x0, ttl 64, id 19401, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.197.1601 > PUBLIC_IP.40001: Flags [R], cksum 0x60cf (correct), seq 1437471741, win 512, length 0

I did the same thing on pfsense, but pfsense doesn't log anything on port 40001, nor do I see anything in the firewall logs.

When I do SYN, this gets logged of course, on both ends.

11
Firewalling / RST package info - firewall
« on: September 28, 2017, 03:20:49 am »
Hello.

I'm having issues with RST packets. Apparently there is no way to log this kind of packet, or I'm doing something wrong. On Status -> System Logs -> Firewall -> Normal View, at the bottom, under the "More information" button you can see:
TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, C - CWR.
= Add to block list., = Pass traffic, = Resolve

so according to this, if such a packet with the RST flag appeared, the R flag would be shown. I've tried to log all traffic sent from my IP, but with no success. I've also tried to set the TCP flags under Advanced Options in the firewall rule to match RST, and even used the option "Any flags", also with no success. When I send normal SYN packets, this gets logged and I'm able to see this traffic.
When I run tcpdump on both the source and destination hosts, I'm able to see those RST/SYN packets on the source, but on the pfsense I can only see packets with the SYN flag.

Then I also found the option System -> Advanced -> System Tunables - net.inet.tcp.blackhole - "Do not send RST on segments to closed ports" - but no matter if I change this to 0 or leave it at 2, there is no RST response on closed ports. From what I read, and please correct me if I'm wrong, RST is just a reset flag which is set when someone tries to connect to closed/non-open ports. Now, this wouldn't be a problem in general; however, on the internal office firewall we're seeing this:

Quote
Possible RST Flood on IF X1 - src: IP:443 dst: LOCAL_IP:27297 - rate: 712/sec continues

The traffic goes from internet/internal servers to different local servers, so the traffic is not on the same interfaces. It seems like although the traffic goes through pfsense, it somehow gets bypassed there, and what should usually be blocked/logged on pfsense is seen on the internal firewall instead - these flood attacks. Spoofed source IP or not, the traffic goes through pfsense.

Any ideas how to block/see this traffic? SYN flood is not a problem; I've tested this and pfsense blocks it without any problems when using State type - Synproxy.
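As an added example (not from this thread, from pfSense or from the office firewall mentioned above), the Python script below parses the two-line records that `tcpdump -vvv -nn` prints, in the same shape as the hping3 capture quoted in the earlier post, counts packets carrying the RST flag per second for each source/destination pair, and emits an alert in the style of the "Possible RST Flood" message quoted above. The sample capture, the 203.0.113.10 / 198.51.100.5 addresses and the threshold are constructed for the example.

```python
"""Parse verbose tcpdump output and rate-count TCP RST packets per second.

Added example (not code from the forum thread). tcpdump -vvv -nn prints one
header line per packet (timestamp, IP header fields) followed by an indented
flow line (addresses, ports, TCP flags). We pair the two lines, keep the TCP
flag string, and bucket RST packets per second per src/dst pair so that a
burst like the "Possible RST Flood" firewall message can be reproduced from a
raw capture.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Header line: "11:36:09.645081 IP (tos 0x0, ttl 64, ...)"
HEADER_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\.\d+ IP ")
# Flow line: "    192.168.0.197.1592 > 203.0.113.1.40001: Flags [R], cksum ..."
FLOW_RE = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (documentation-range addresses, made-up checksums):
# four RST packets in one second, one SYN, then one more RST a second later.
SAMPLE = """\
11:36:09.645081 IP (tos 0x0, ttl 64, id 4003, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.10.1592 > 198.51.100.5.40001: Flags [R], cksum 0x34ed (correct), seq 224770321, win 512, length 0
11:36:09.645209 IP (tos 0x0, ttl 64, id 19166, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.10.1593 > 198.51.100.5.40001: Flags [R], cksum 0x99e6 (correct), seq 1423098205, win 512, length 0
11:36:09.645306 IP (tos 0x0, ttl 64, id 35851, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.10.1594 > 198.51.100.5.40001: Flags [R], cksum 0x69cd (correct), seq 670192973, win 512, length 0
11:36:09.645384 IP (tos 0x0, ttl 64, id 3872, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.10.1595 > 198.51.100.5.40001: Flags [R.], cksum 0x3eed (correct), seq 1701932750, ack 1, win 512, length 0
11:36:09.700000 IP (tos 0x0, ttl 64, id 55838, offset 0, flags [none], proto TCP (6), length 60)
    203.0.113.10.1596 > 198.51.100.5.443: Flags [S], cksum 0x1310 (correct), seq 94386705, win 64240, options [mss 1460], length 0
11:36:10.645533 IP (tos 0x0, ttl 64, id 52380, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.10.1597 > 198.51.100.5.40001: Flags [R], cksum 0xc76e (correct), seq 1068820496, win 512, length 0
"""


def parse_tcpdump(text: str) -> List[dict]:
    """Return one dict per TCP packet: time (HH:MM:SS), src, sport, dst, dport, flags."""
    packets: List[dict] = []
    current_time = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current_time = m.group(1)
            continue
        m = FLOW_RE.match(line)
        if m and current_time is not None:
            packets.append({
                "time": current_time,
                "src": m.group("src"),
                "sport": int(m.group("sport")),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
                "flags": m.group("flags"),
            })
            current_time = None  # each flow line belongs to exactly one header line
    return packets


def rst_packets_per_second(packets: List[dict]) -> Dict[Tuple[str, str, str], List[int]]:
    """Bucket the destination ports of RST packets by (second, src, dst).

    tcpdump writes "R" for RST and "R." for RST+ACK, so testing for the letter
    R catches both variants.
    """
    buckets: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)
    for p in packets:
        if "R" in p["flags"]:
            buckets[(p["time"], p["src"], p["dst"])].append(p["dport"])
    return dict(buckets)


def rst_flood_alerts(packets: List[dict], threshold: int) -> List[str]:
    """One alert line per (second, src, dst) whose RST count reaches the threshold."""
    alerts: List[str] = []
    for (sec, src, dst), dports in sorted(rst_packets_per_second(packets).items()):
        rate = len(dports)
        if rate >= threshold:
            ports = ",".join(str(d) for d in sorted(set(dports)))
            alerts.append(
                f"Possible RST Flood at {sec} - src: {src} dst: {dst} "
                f"- rate: {rate}/sec - dst ports: {ports}"
            )
    return alerts


if __name__ == "__main__":
    # Threshold of 3/sec is deliberately low so the small sample triggers.
    for alert in rst_flood_alerts(parse_tcpdump(SAMPLE), threshold=3):
        print(alert)
```

Pipe a real capture in with `tcpdump -vvv -nn -l ... | python3 rst_rate.py` after replacing `SAMPLE` with `sys.stdin.read()`; the per-second buckets also show whether a burst targets one port (as in the hping3 test) or many (as in the port-scan style events the hardware firewall reported), which is useful when deciding which firewall actually saw the traffic.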

12
Firewalling / Re: Firewall missing traffic
« on: March 03, 2017, 08:19:43 am »
So you suspect this hardware firewall could log some traffic that comes through pfsense but that traffic is not logged on pfsense, but it's there?

13
Firewalling / Firewall missing traffic
« on: March 03, 2017, 05:05:29 am »
Hi everyone.

I have a question; I'm out of ideas and need your help!

For a start, here is the environment and the network flow:
- traffic comes from the internet to the pfsense WAN interface, and I've set a rule there to allow all traffic to one specific host XX (and I'm logging the traffic)
- the server where the traffic comes in is behind NAT, and this traffic goes to host XX as mentioned

Now, host XX also has a hardware firewall, and here is the problem:
- the hardware firewall detects some traffic as suspicious/intrusion prevention, but I don't see this traffic on pfsense - why?

Example of this kind of traffic seen by host XX / hardware firewall:
time: 2017/03/03 10:55:27
src: 83.136.83.234, 443
dst: HOST XX, 18283
TCP scanned port list, 23110, 48846, 14554, 61720, 33472

Sometimes traffic like that is logged in pfsense, sometimes it's not. Any ideas?

14
Traffic Shaping / pfsense is limiting upload speed
« on: October 06, 2016, 07:20:30 am »
Hi there.

I've checked the traffic shaper and there were some values for the WAN/LAN interfaces (around 50 Mbit/s); however, my traffic in this case is not going through those interfaces but through a third one. No limit is set there, and under Diagnostics -> Limiter it says: Limiters: No limiters were found on this system.

That being said, I have a strange case. I have the following setup:
1) VM1 going outside through FW1
2) VM2 going outside through vmware

With both setups I can reach a max download speed of 9-10 MB/s; however, upload speed is problematic. If I'm uploading to a test server via SCP I get:
1) with setup 1 I get upload speed of max ~ 9MB/s
2) with setup 2 I get upload speed of max ~ 4-5MB/s

Any idea what and where the issue with pfsense could be? I've launched a few speedtests and I can see the upload speed difference even there. How come I lose around 50% upload speed via pfsense?

15
IPsec / Re: Site-to-site IPsec problem - no connection
« on: August 02, 2016, 02:00:13 pm »
Now that you mention it, it could indeed be a NAT problem.

Here is the setup anyway:
HOST-A (behind nat)
- private IP: 10.x.x.x (translated into a public IP)
- LAN: 192.168.5.x

HOST-B (no nat)
- public IP WAN: x.x.x.x
- LAN: 192.168.10.x

On HOST-A I have disabled outbound NAT, as it's managed on the vmware side, and on HOST-B outbound NAT is set to auto.

EDIT:
Thanks jlevesque. It seems to be a NAT issue indeed. I've tried to add a third host which is not behind NAT, and ipsec connectivity works out-of-the-box with default settings. I've even tried switching between different encryption methods and changing p1 and p2 a bit, and it was still working.

I will investigate this further.
