
Topics - miken32

1
NAT / Intermittent NAT failures
« on: February 08, 2018, 03:20:53 pm »
We're seeing a number of pfSense installs over various versions (2.2.x and 2.3.x) intermittently failing to NAT packets. This happens almost exclusively with UDP streams, but occasionally with ICMP or TCP. Outbound NAT rules are automatic, there's nothing in the log files, and these internal users have other TCP and UDP conversations being NATed properly at the same time.

We're scheduling maintenance windows to try an upgrade to 2.4 to see if the problem is still present there.

Anyone seen anything similar?

https://pastebin.com/e5sCn7PS

2
IPv6 / Sharing IPv6 subnet
« on: October 17, 2016, 02:03:20 pm »
Our ISP provides a /56 network via DHCP6. If we have 3 pfSense boxes sitting behind the modem, is it possible to have each one serve a separate /64 network to LAN clients? Don't have anything live yet, just planning for what the best way to go about this is. Thanks.

3
NAT / "Inbound hairpin" routing?
« on: January 19, 2016, 05:47:33 pm »
Not sure what to call this; I can get it working easily enough on CLI, but would like a way to do it on the GUI.

Our pfSense has two WAN connections; one with a public IP and one that's stuck on a private network we don't control. For monitoring purposes, we'd like to make sure the equipment on the private network is up and running, from a remote site:

Code:
                          XXXXXX
                     XXXXXX    XXXXXXX
+------------+     XXX               XX
|            |     X     9.8.7.6  XXXX
| 10.0.0.104 |      XXX            XXX
|            |        XXX     XXXXXXX
+------^-----+           XXXXX
       | 80              +
       |                 |
       |                 | 14800
+------+-----------------v--+
| 10.0.0.103     1.2.3.4    |
| WAN2 (igb3)   WAN1 (igb1) |
|                           |
|         192.168.1.1       |
|         LAN (igb2)        |
+---------------------------+


I tried doing this in NAT rules, using the "NAT + Proxy" setting but it is hard-coded to doing the proxy bit on the LAN side. So trying to forward port 14800 to the internal equipment, I get these rules added:

Code:
rdr on igb1 proto tcp from any to 1.2.3.4 port 14800 -> 10.0.0.104 port 80
# Reflection redirects
rdr on { igb2 igb2_vlan100 igb2_vlan900 } proto tcp from any to 1.2.3.4 port 14800 tag PFREFLECT -> 127.0.0.1 port 19000

The redirection on igb1 takes the traffic and tries a straight NAT, which won't work of course. I can edit rules.debug to look like this and it does work:

Code:
rdr on { igb1 } proto tcp from any to 67.201.176.21 port 14800 tag PFREFLECT -> 127.0.0.1 port 19000

Is there any way to do this in the GUI or am I stuck installing Squid? (Or, is there a way to pre-process the pf rules before reload?)

4
IPsec / IPSec becomes unstable after some days
« on: December 15, 2015, 07:27:08 pm »
Sorry, not much to go on yet, but after about 10 days my tunnel to an ASA is becoming unstable. SSH sessions are interrupted constantly as the phase 2 connection is dropping and rebuilding every couple of minutes.

The only other person I could find having this issue was here: https://www.mail-archive.com/users@lists.strongswan.org/msg10106.html

I only get about twenty minutes on the log and didn't have a chance to save it, but I was seeing the same retransmit failures as mentioned in that thread.

From the Cisco side it just looks like the pfSense drops and rebuilds the phase 2 normally. No errors. Any reports of anything similar?

5
IPsec / IKEv2 and iOS 9
« on: October 16, 2015, 02:07:07 pm »
Anyone got this working? I'm having problems getting past P1 setup and I'm not sure why.

Code:
Oct 16 11:51:28 charon: 15[MGR] checkout IKE_SA by message
Oct 16 11:51:28 charon: 15[MGR] created IKE_SA (unnamed)[3]
Oct 16 11:51:28 charon: 15[MGR] created IKE_SA (unnamed)[3]
Oct 16 11:51:28 charon: 15[CFG] <3> looking for an ike config for 1.2.3.4...9.8.7.6
Oct 16 11:51:28 charon: 15[CFG] <3> looking for an ike config for 1.2.3.4...9.8.7.6
Oct 16 11:51:28 charon: 15[CFG] <3> candidate: 1.2.3.4...%any, prio 1052
Oct 16 11:51:28 charon: 15[CFG] <3> candidate: 1.2.3.4...%any, prio 1052
Oct 16 11:51:28 charon: 15[CFG] <3> found matching ike config: 1.2.3.4...%any with prio 1052
Oct 16 11:51:28 charon: 15[CFG] <3> found matching ike config: 1.2.3.4...%any with prio 1052
Oct 16 11:51:28 charon: 15[IKE] <3> 9.8.7.6 is initiating an IKE_SA
Oct 16 11:51:28 charon: 15[IKE] <3> 9.8.7.6 is initiating an IKE_SA
Oct 16 11:51:28 charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Oct 16 11:51:28 charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Oct 16 11:51:28 charon: 15[CFG] <3> selecting proposal:
Oct 16 11:51:28 charon: 15[CFG] <3> selecting proposal:
Oct 16 11:51:28 charon: 15[CFG] <3> no acceptable ENCRYPTION_ALGORITHM found
Oct 16 11:51:28 charon: 15[CFG] <3> no acceptable ENCRYPTION_ALGORITHM found
Oct 16 11:51:28 charon: 15[CFG] <3> selecting proposal:
Oct 16 11:51:28 charon: 15[CFG] <3> selecting proposal:
Oct 16 11:51:28 charon: 15[CFG] <3> proposal matches
Oct 16 11:51:28 charon: 15[CFG] <3> proposal matches
Oct 16 11:51:28 charon: 15[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 16 11:51:28 charon: 15[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 16 11:51:28 charon: 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 16 11:51:28 charon: 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 16 11:51:28 charon: 15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 16 11:51:28 charon: 15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 16 11:51:28 charon: 15[IKE] <3> remote host is behind NAT
Oct 16 11:51:28 charon: 15[IKE] <3> remote host is behind NAT
Oct 16 11:51:28 charon: 15[IKE] <3> DH group MODP_1024 inacceptable, requesting MODP_1536
Oct 16 11:51:28 charon: 15[IKE] <3> DH group MODP_1024 inacceptable, requesting MODP_1536
Oct 16 11:51:28 charon: 15[MGR] <3> checkin and destroy IKE_SA (unnamed)[3]
Oct 16 11:51:28 charon: 15[MGR] <3> checkin and destroy IKE_SA (unnamed)[3]
Oct 16 11:51:28 charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
Oct 16 11:51:28 charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
Oct 16 11:51:28 charon: 15[MGR] check-in and destroy of IKE_SA successful
Oct 16 11:51:28 charon: 15[MGR] check-in and destroy of IKE_SA successful

ipsec.conf shows a config that matches perfectly what the iPhone is sending (ike = aes256-sha256-modp1536!) so I'm not sure from where it gets the error about MODP_1024 being "inacceptable."
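The "inacceptable" line is not a disagreement between the configured and selected proposals. An IKEv2 initiator builds its KE payload for the DH group of its first proposal (MODP_1024 in the iPhone's list), so when the responder selects a proposal with MODP_1536 it answers INVALID_KE_PAYLOAD and expects the initiator to retry IKE_SA_INIT with that group. The Python check below is an added example, not code from the post or from strongSwan; it parses the three decisive charon lines (a constructed excerpt with the duplicated syslog copies dropped) and separates proposal selection from the KE-group mismatch.

```python
import re

# Constructed excerpt: the three charon lines from the post that decide the outcome
# (the duplicated syslog copies are dropped).
CHARON_LOG = """\
Oct 16 11:51:28 charon: 15[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 16 11:51:28 charon: 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 16 11:51:28 charon: 15[IKE] <3> DH group MODP_1024 inacceptable, requesting MODP_1536
"""

PROPOSALS_RE = re.compile(r"(received|configured) proposals: (.+)$")
KE_RE = re.compile(r"DH group (\S+) inacceptable, requesting (\S+)")


def parse_proposals(text):
    """Return (received, configured) as lists of 'ENC/INTEG/PRF/DH' strings, in log order."""
    found = {"received": [], "configured": []}
    for line in text.splitlines():
        m = PROPOSALS_RE.search(line)
        if m:
            found[m.group(1)] = [p.strip().split("IKE:", 1)[-1] for p in m.group(2).split(",")]
    return found["received"], found["configured"]


def select_proposal(received, configured):
    """The responder picks the first initiator proposal it also has configured (exact-match simplification)."""
    return next((p for p in received if p in configured), None)


def explain_ike_sa_init(text):
    """Why a responder can select a proposal and still reject the exchange: the KE payload's DH group."""
    received, configured = parse_proposals(text)
    selected = select_proposal(received, configured)
    needed = selected.split("/")[-1] if selected else None
    ke = KE_RE.search(text)
    sent = ke.group(1) if ke else needed
    return {
        "selected": selected,
        "ke_group_sent": sent,      # group of the KE payload the initiator actually sent
        "ke_group_needed": needed,  # group of the selected proposal
        # The initiator's KE payload is built for the DH group of its FIRST proposal; if the
        # responder selects a proposal with another group it replies INVALID_KE_PAYLOAD (the
        # "inacceptable, requesting" line) and the initiator must retry with the requested group.
        "retry_expected": sent != needed,
    }
```

If the retry of IKE_SA_INIT with MODP_1536 never shows up in the log, that retry, not the proposal list, is where to look next.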

6
NAT / Logging NAT ports
« on: September 21, 2015, 12:37:56 pm »
We have a requirement to forward "copyright infringement" notices to users on our LAN. The notice includes the IP address, a port number, and time. Unfortunately, the users are behind NAT so this information is not very helpful.

We've looked at firewall logs, but they only record the inside and remote hosts, not the intermediate state on the WAN. Is there a way to log the port on the WAN side of the pfSense, along with the LAN host details?
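Firewall rule logs record the pre-NAT addresses, so the WAN-side port named in a notice can only be matched against the translation state while it exists. The Python example below is added here and is not from the post or from pfSense; it indexes a constructed state snapshot (written in the shape of `pfctl -ss` output, which is an assumption) by translated WAN ip:port, formats each translation as a timestamped line suitable for a retained log, and answers a notice-style query against those records.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `pfctl -ss` output on a NAT gateway (shape is an assumption):
# "<if> <proto> <translated WAN src> (<original LAN src>) -> <dst>  <state>".
SAMPLE_STATES = """\
all udp 203.0.113.5:61234 (192.168.1.50:50123) -> 198.51.100.7:6881       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:61235 (192.168.1.77:49152) -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.1:53 -> 192.168.1.50:50777       MULTIPLE:SINGLE
"""
SNAPSHOT_TS = datetime(2015, 9, 21, 12, 30, tzinfo=timezone.utc)  # constructed snapshot time

STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<wan>[\d.]+):(?P<wport>\d+)"
    r"\s+\((?P<lan>[\d.]+):(?P<lport>\d+)\)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def nat_records(states_text, ts):
    """Turn a state-table snapshot into timestamped translation records (translated states only)."""
    records = []
    for line in states_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # no parenthesised original address: not a NATed state
        records.append({"ts": ts, "proto": m["proto"], "wan_ip": m["wan"], "wan_port": int(m["wport"]),
                        "lan_ip": m["lan"], "lan_port": int(m["lport"]),
                        "dst": f"{m['dst']}:{m['dport']}"})
    return records


def format_record(r):
    """One line per translation, suitable for appending to a log that is kept as long as notices arrive."""
    return (f"{r['ts'].isoformat()} {r['proto']} {r['wan_ip']}:{r['wan_port']}"
            f" <- {r['lan_ip']}:{r['lan_port']} -> {r['dst']}")


def lookup_notice(records, proto, wan_ip, wan_port, when, window_s=600):
    """Which LAN host(s) held this WAN ip:port within window_s seconds of the time in a notice?"""
    hits = [r for r in records
            if r["proto"] == proto and r["wan_ip"] == wan_ip and r["wan_port"] == wan_port
            and abs((r["ts"] - when).total_seconds()) <= window_s]
    return sorted({(r["lan_ip"], r["lan_port"]) for r in hits})


if __name__ == "__main__":
    recs = nat_records(SAMPLE_STATES, SNAPSHOT_TS)
    for r in recs:
        print(format_record(r))
    print(lookup_notice(recs, "udp", "203.0.113.5", 61234, SNAPSHOT_TS))
```

Snapshots only capture states that are alive when taken, so the sampling interval bounds how short a flow can be and still be attributed; the window in `lookup_notice` should match that interval.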

7
IPv6 / Existing IPv4 IPSec tunnel -- how to add IPv6
« on: September 01, 2015, 12:43:47 pm »
We have a Cisco ASA 5512 in our NOC and have a /48 from our provider. Remote offices have IPSec tunnels to the NOC with 192.168.x.x addressing. The remote offices do not have native IPv6 from their ISPs so I'd like to tunnel the IPv6 traffic back through the NOC.

I've gotten as far as adding a second IPv6 phase 2 to my existing tunnel. LAN addressing is set up just fine. How do I tell pfSense to route the traffic through the tunnel though?

8
IPsec / IPSec tunnel P2 not working when started automatically
« on: April 28, 2015, 05:16:13 pm »
So, upgraded to 2.2.2 and all seemed fine with our IKEv2/PSK tunnel to a Cisco ASA. No connection problems and the traffic drops we were experiencing with 2.2.1 at P2 reauth time were fixed.

One week later, no configuration changes on either side, the tunnel just stops working. P1 comes up but P2 will not. The ASA says there are no matching policies, and the traffic selectors are bad. What does make it work is setting the P1 to responder only, and manually starting the tunnel from the status page.

We had the same problem with 2.2 snapshots, and it just went away by itself. I had assumed that it was resolved by one of the fixes in a snapshot release, but the fact that it has come back, all by itself, may indicate otherwise.

Here is a good traffic selector, from a manual start of the tunnel:

Code:
(304):  TSi(304):   Next payload: TSr, reserved: 0x0, length: 24
(304):     Num of TSs: 1, reserved 0x0, reserved 0x0
(304):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(304):     start port: 0, end port: 65535
(304):     start addr: 192.168.244.0, end addr: 192.168.244.255
(304):  TSr(304):   Next payload: NOTIFY, reserved: 0x0, length: 24
(304):     Num of TSs: 1, reserved 0x0, reserved 0x0
(304):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(304):     start port: 0, end port: 65535
(304):     start addr: 192.168.242.0, end addr: 192.168.242.255

And here's the bad one, initiated automatically by a ping to a remote IP. Note the (sanitized) WAN IP addresses are included.

Code:
(305):  TSi(305):   Next payload: TSr, reserved: 0x0, length: 40
(305):     Num of TSs: 2, reserved 0x0, reserved 0x0
(305):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305):     start port: 0, end port: 65535
(305):     start addr: 111.111.111.111, end addr: 111.111.111.111
(305):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305):     start port: 0, end port: 65535
(305):     start addr: 192.168.244.0, end addr: 192.168.244.255
(305):  TSr(305):   Next payload: NOTIFY, reserved: 0x0, length: 40
(305):     Num of TSs: 2, reserved 0x0, reserved 0x0
(305):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305):     start port: 0, end port: 65535
(305):     start addr: 222.222.222.222, end addr: 222.222.222.222
(305):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305):     start port: 0, end port: 65535
(305):     start addr: 192.168.242.0, end addr: 192.168.242.255
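What separates the two excerpts is that the automatically started child SA carries the tunnel endpoints themselves as single-host selectors next to the LAN /24s. The Python check below is an added example, not code from the post; it parses the debug lines into TSi/TSr address ranges and flags single-address, globally routable ranges, the kind of selector the ASA reported as bad. The sample is the second excerpt from the post, abridged.

```python
import re
import ipaddress

# Sample built from the post's second (bad) debug excerpt, abridged to the lines that matter.
BAD_TS = """\
(305):  TSi(305):   Next payload: TSr, reserved: 0x0, length: 40
(305):     Num of TSs: 2, reserved 0x0, reserved 0x0
(305):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305):     start port: 0, end port: 65535
(305):     start addr: 111.111.111.111, end addr: 111.111.111.111
(305):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305):     start port: 0, end port: 65535
(305):     start addr: 192.168.244.0, end addr: 192.168.244.255
(305):  TSr(305):   Next payload: NOTIFY, reserved: 0x0, length: 40
(305):     Num of TSs: 2, reserved 0x0, reserved 0x0
(305):     start addr: 222.222.222.222, end addr: 222.222.222.222
(305):     start addr: 192.168.242.0, end addr: 192.168.242.255
"""

HDR_RE = re.compile(r"TS([ir])\(\d+\)")
ADDR_RE = re.compile(r"start addr: ([\d.]+), end addr: ([\d.]+)")


def parse_traffic_selectors(text):
    """Group each 'start addr ... end addr' range under the TSi or TSr payload it belongs to."""
    selectors = {"TSi": [], "TSr": []}
    current = None
    for line in text.splitlines():
        h = HDR_RE.search(line)
        if h:
            current = "TS" + h.group(1)
        a = ADDR_RE.search(line)
        if a and current:
            selectors[current].append((ipaddress.ip_address(a.group(1)),
                                       ipaddress.ip_address(a.group(2))))
    return selectors


def stray_host_selectors(selectors):
    """Single-address, globally routable ranges: a tunnel endpoint that has leaked into the P2 selectors."""
    return {side: [str(lo) for lo, hi in ranges if lo == hi and lo.is_global]
            for side, ranges in selectors.items()}
```

Run the same check over the first (good) excerpt and both lists come back empty, which is the condition to watch for in a log before the next automatic start.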

9
Post a bounty / Captive portal <-> hotel PMS $2000
« on: January 05, 2015, 01:41:47 pm »
We require integration of the captive portal function in the pfSense software with a hotel property management system (PMS.)

Upon reaching the login page, guests must be prompted for a last name and room number, and given a selection of pricing plans. Once the guest information is submitted, the software will post a charge to the guest folio, only allowing access if the posting is successful. The purchase details must be recorded in a persistent database until they are no longer valid.

  • The software must be able to optionally check for a “VIP” guest, applying a different price and/or bandwidth package to such guests.
    • This implies either a two-step login process, with name/room number on first page, and pricing plan on second page, or a single page with AJAX.
  • Guests must be able to log in using a configurable number of devices using the same last name/room number, without additional charges.
  • The guest must also (optionally) be able to log in using the existing RADIUS or voucher account process.
  • Communications with the PMS must be available via either serial interface or IP.
  • The full specification of the PMS interface is available, as well as Windows-based emulation software for testing.
  • All aspects of the software must be fully configurable in the GUI.
    • A list of current valid users and a transaction log must also be available through the GUI.
  • The interface must be built against pfSense version 2.2.
    • Ideally, the interface will be written in PHP, keeping in mind the possibility of extending to other PMS vendors.
  • I will assume responsibility for interfacing with the PMS vendor, including all testing and certification requirements and costs.

Unfortunately, I am not blessed with a large budget for this project, but there is some flexibility. I'm hoping this will not be too complicated for someone who's written to basic client/server protocols before; the integration with pfSense will be the hard part! Thanks for your interest, please let me know if you have any questions.

10
General Questions / Mobile VPN client (IPSec)
« on: December 11, 2014, 03:44:00 pm »
Using the exact same settings as a 2.1.5 install, I get a connection but can't reach any local resources aside from the pfSense, or anything on the far end of a site-to-site VPN. Works fine getting out to the internet via the pfSense though.

The only difference I see is under Status/IPSec/SPD the 2.1.5 shows routes between 4.5.6.7 (VPN client address) and 0.0.0.0/0. Under 2.2 I see routes between 4.5.6.7 and 192.168.1.0/24 (LAN subnet.)

Does anyone have mobile VPN working such that they can connect and get access to other resources on the LAN?

11
2.2 Snapshot Feedback and Problems - RETIRED / IPSec troubles
« on: December 04, 2014, 11:56:33 am »
Just setting up my first 2.2 install, trying to tunnel to our Cisco ASA. The tunnel seems to drop partially at times – I'm not well versed in this stuff by any means, so forgive me for not knowing the terminology.

Under Status/IPSec, if the tunnel is working, there is an option to "Show child SA entries." When I come in in the mornings, that option is not there and I can't reach anything on the other side of the tunnel, though it shows as being up. Disconnecting and reconnecting manually brings everything back up.

P1: IKE v2, mutual PSK, AES 256, SHA512, DH 14
P2: tunnel, ESP, AES 256, SHA512, PFS group 14

No logs yet, as the IPSec logging seems very verbose. Will get logging sent to a remote syslog server if it will help...

12
Routing and Multi WAN / Routing mobile VPN users through IPSec tunnel
« on: July 14, 2014, 12:28:41 am »
Setup looks like this:
Code:
+----------+ ------------> +---------------+ ---------------> +-----------+
| iPhone   |  IPSec Client |    pfSense    |   IPSec Tunnel   |    ASA    |
+----------+ ------------> |               | ---------------> |           |
                           +---------------+                  +-----------+
                                  |L|                              |L|
                                  |A|                              |A|
                                  |N|                              |N|
                                  |_|                              |_|
                                  \ /                              \ /
                           +---------------+                  +-----------+
                           |    Office     |                  |    NOC    |
                           |    Network    |                  |  Network  |
                           +---------------+                  +-----------+

From my iPhone I can hit things on the office network but I cannot reach the NOC network. The pfSense and users on the office network can hit things on the NOC network no problem (my iPhone's connection is getting authenticated by an OpenLDAP server in the NOC so no connection problems.) I can't even ping the ASA's internal IP address. Anyone have any thoughts on what might be blocking the traffic?
