
Topics - travisbrackett

General Questions / pfSense not replying to UDP traceroute on WAN
« on: March 02, 2018, 04:58:14 pm »
Hi there

I'm trying to configure my pfSense firewall to reply to traceroute requests on the WAN interface and I'm having a little trouble.

When I traceroute to the LAN interface IP, it works great. A packet capture shows the UDP traffic coming in on port 3343X, and then a "TTL expired in transit" ICMP message goes out to the IP attempting the traceroute, just like it's supposed to.

On the WAN interface, I created a firewall rule allowing UDP ports 33434 to 33534 with the source of any, destination set to WAN address. I also enabled logging on this rule.

I don't have any outbound floating rules that would prevent the ICMP message generated by the firewall from going out.

When I do a traceroute from a random Internet location to my firewall's WAN IP, I see the UDP packets hitting the firewall in a packet capture, within the port range I allowed. I know they're hitting the allow rule because I'm seeing the packets logged in the firewall logs. However, the "TTL expired in transit" message never goes out like it does on LAN, according to my packet capture, and the traceroute times out for the pfSense hop.

I tried this on two different pfSense firewalls, one running 2.3 and another running 2.4. I didn't see any setting like "Don't generate ICMP control messages on the WAN interface", and my forum/KB search has been fruitless.

If I force traceroute to use ICMP, it works great. What am I missing?
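
As an added example (not code from the post or from pfSense), the Python below does the matching that a capture review like the one above has to do by hand: it picks out UDP traceroute probes in the 33434-33534 range, recovers which probe an ICMP error answers from the IP/UDP header quoted inside it, and reports probes that never got an answer. Packet bytes, addresses (203.0.113.5 as WAN, 192.168.1.1 as LAN) and ports are constructed for the example.

```python
"""Match UDP traceroute probes to the ICMP errors that should answer them.

Added example, not code from the post or from pfSense. Packets are built
inline with struct; the addresses and ports are hypothetical.
"""
import socket
import struct

# Port range from the post's WAN rule (classic UDP traceroute starts at 33434).
TRACEROUTE_PORTS = range(33434, 33535)
IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11


def _ipv4(src, dst, proto, ttl, payload):
    """Minimal 20-byte IPv4 header in front of payload (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp_probe(src, dst, sport, dport, ttl):
    """A traceroute probe: empty UDP datagram to a high port with a small TTL."""
    return _ipv4(src, dst, IPPROTO_UDP, ttl, struct.pack("!HHHH", sport, dport, 8, 0))


def icmp_error(sender, dst, icmp_type, icmp_code, offending):
    """ICMP error quoting the offending IP header plus 8 transport bytes (RFC 792)."""
    body = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + offending[:28]
    return _ipv4(sender, dst, IPPROTO_ICMP, 64, body)


def _split_ipv4(pkt):
    """(src, dst, ttl, proto, payload) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[8], pkt[9], pkt[ihl:])


def classify(pkt):
    """('probe', key, ttl) | ('reply', key, sender, (type, code)) | None.

    key = (probe src, probe dst, sport, dport). For a reply it is recovered
    from the quoted header inside the ICMP error, which is how traceroute
    itself pairs answers with probes.
    """
    src, dst, ttl, proto, payload = _split_ipv4(pkt)
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if dport in TRACEROUTE_PORTS:
            return ("probe", (src, dst, sport, dport), ttl)
    elif proto == IPPROTO_ICMP and payload[0] in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        q_src, q_dst, _, q_proto, q_payload = _split_ipv4(payload[8:])
        if q_proto == IPPROTO_UDP:
            sport, dport = struct.unpack("!HH", q_payload[:4])
            return ("reply", (q_src, q_dst, sport, dport), src, (payload[0], payload[1]))
    return None


def wan_rule_passes(pkt, wan_address):
    """Would the post's WAN rule (UDP, any -> WAN address, 33434:33534) match?"""
    c = classify(pkt)
    return c is not None and c[0] == "probe" and c[1][1] == wan_address


def correlate(capture):
    """{probe key: (replying address, (type, code)) or None if unanswered}."""
    probes, replies = {}, {}
    for pkt in capture:
        c = classify(pkt)
        if c is None:
            continue
        if c[0] == "probe":
            probes[c[1]] = None
        else:
            replies[c[1]] = (c[2], c[3])
    return {key: replies.get(key) for key in probes}


# Constructed captures: 192.168.1.1 as the LAN address, 203.0.113.5 as WAN.
LAN, WAN = "192.168.1.1", "203.0.113.5"
LAN_PROBE = udp_probe("192.168.1.50", LAN, 40000, 33434, 1)
LAN_CAPTURE = [LAN_PROBE,
               icmp_error(LAN, "192.168.1.50", ICMP_TIME_EXCEEDED, 0, LAN_PROBE)]
WAN_CAPTURE = [udp_probe("198.51.100.7", WAN, 40000, 33434, 1)]  # nothing answers

if __name__ == "__main__":
    for name, cap in (("LAN", LAN_CAPTURE), ("WAN", WAN_CAPTURE)):
        for key, reply in correlate(cap).items():
            print(name, key, "->", reply if reply else "NO REPLY")
```

With a real capture you would feed `correlate` the raw IP packets from a pcap reader instead of the constructed ones. It accepts both "time exceeded" (type 11) and "port unreachable" (type 3, code 3) as an answer, since a host that is itself the probe's destination replies with the latter per RFC 792, while intermediate hops send the former.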

NAT / 1:1 NAT not forwarding traffic for one IP address
« on: August 27, 2015, 03:37:12 pm »

I'm having a strange issue where my 1:1 NAT isn't working for one IP address, but all others are okay. I've verified that this IP is reachable from the firewall with a ping/traceroute.

I have Snort installed but it is disabled, so I don't believe it's causing the issue. I shouldn't be able to ping the IP if it's blocked.

From a working IP address, I can see traffic hitting my WAN interface, followed by the LAN interface as it forwards the traffic to the internal host as expected.

From the non-working IP address, I see the traffic hitting the WAN interface, but then it's not forwarded out the LAN interface to the internal host. A packet capture on the internal host confirms that the traffic is not being forwarded.

I enabled logging on the firewall rule and I can see the translation happening:
clog -f /var/log/filter.log | grep $Bad_IP_Address
Aug 27 11:25:05 wabe-fw-ext01 pf:     $Bad_IP_Address.52222 > Flags [S], cksum 0x775e (correct), seq 4000306878, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

but it's not being forwarded out the LAN interface like one would expect. The fact that it's working for all other IP addresses should rule out all the usual troubleshooting steps for a broken NAT: rules, routes, etc.

Any help would be greatly appreciated!
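
An added example, not from the post or from pfSense: a small Python model of what a 1:1 (binat) mapping does to each packet in both directions, plus a check over two constructed captures (WAN side and LAN side) that lists inbound connections whose translated form never showed up on LAN and tallies forwarded vs. unforwarded SYNs per source address, which is the comparison the post describes doing by eye. The 1:1 table, addresses and capture records are hypothetical.

```python
"""Follow inbound connections through 1:1 NAT: what arrived on WAN vs. what
should have appeared on LAN.

Added example, not from the post or pfSense; the 1:1 table, addresses and
capture records are constructed for illustration.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")

# Hypothetical 1:1 (binat) table: public address -> internal host.
BINAT = {
    "203.0.113.10": "192.168.1.10",
    "203.0.113.11": "192.168.1.11",
}


def inbound_translate(pkt, binat):
    """Inbound WAN packet: destination rewritten to the mapped internal host."""
    internal = binat.get(pkt.dst)
    return None if internal is None else pkt._replace(dst=internal)


def outbound_translate(pkt, binat):
    """Reply path: internal source rewritten back to the public address."""
    reverse = {internal: public for public, internal in binat.items()}
    public = reverse.get(pkt.src)
    return None if public is None else pkt._replace(src=public)


def unforwarded_syns(wan_capture, lan_capture, binat):
    """Inbound SYNs seen on WAN whose translated form never appeared on LAN."""
    lan_seen = set(lan_capture)
    missing = []
    for pkt in wan_capture:
        if pkt.flags != "S" or pkt.dst not in binat:
            continue
        expected = inbound_translate(pkt, binat)
        if expected not in lan_seen:
            missing.append((pkt, expected))
    return missing


def per_source(wan_capture, lan_capture, binat):
    """{client address: (SYNs seen on WAN, SYNs that made it to LAN)}."""
    missing = {pkt for pkt, _ in unforwarded_syns(wan_capture, lan_capture, binat)}
    report = {}
    for pkt in wan_capture:
        if pkt.flags != "S" or pkt.dst not in binat:
            continue
        seen, fwd = report.get(pkt.src, (0, 0))
        report[pkt.src] = (seen + 1, fwd + (0 if pkt in missing else 1))
    return report


# Constructed captures. 198.51.100.99 plays the post's "bad" source address.
WAN_CAPTURE = [
    Pkt("198.51.100.20", 41000, "203.0.113.10", 443, "S"),
    Pkt("198.51.100.21", 41001, "203.0.113.11", 22, "S"),
    Pkt("198.51.100.99", 52222, "203.0.113.10", 443, "S"),
]
LAN_CAPTURE = [
    Pkt("198.51.100.20", 41000, "192.168.1.10", 443, "S"),
    Pkt("192.168.1.10", 443, "198.51.100.20", 41000, "SA"),
    Pkt("198.51.100.21", 41001, "192.168.1.11", 22, "S"),
]

if __name__ == "__main__":
    for pkt, expected in unforwarded_syns(WAN_CAPTURE, LAN_CAPTURE, BINAT):
        print("seen on WAN but not on LAN:", pkt, "expected", expected)
    print(per_source(WAN_CAPTURE, LAN_CAPTURE, BINAT))
```

On a live box the two capture lists would come from simultaneous captures on the WAN and LAN interfaces; a source that shows up with a non-zero "seen" count and zero "forwarded" count is exactly the symptom described above, and the `expected` packet is what to grep for on the LAN side.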

General Questions / Need help with crash
« on: August 21, 2015, 01:57:37 pm »
Hi. I recently had my pfSense box crash. The wiki says to ask the forums for help with analyzing. Here's the relevant information:

IP address:
Submitted @ 18:49 UTC/GMT on Friday, August 21, 2015

Any help would be greatly appreciated!
