


Topics - sporkme

1
Firewalling / Add rules to OpenVPN client interface?
« on: January 26, 2018, 04:11:00 pm »
How does one implement rules on an openvpn client interface?

I went to Interfaces -> Assign and selected/enabled the ovpnc interface of interest, and I now see a rules tab for it in the firewall config section.  I've restarted the vpn connection.  Even with no rules (which is a default block), traffic flows without restriction in both directions.

How do I attach rules to this?

2
Feedback / Blog - javascript scrolling hacks
« on: July 20, 2017, 03:51:39 pm »
I know, I must be one of a handful of people that uses an actual mouse with a scroll wheel, but as one of them, I'll lodge this request:  remove the javascript junk on the blog that screws with mouse acceleration, it basically makes scrolling unusable - just one tiny up or down scroll jumps huge amounts.  Even in other contexts there's rarely any kind of common sense case to be made for fiddling with scroll acceleration on desktop.

3
Firewalling / FiOS IPTV?
« on: June 28, 2017, 12:43:12 am »
I'm in a bit of a spot because I'm technically under NDA, but I am in Verizon's IPTV trial.  They seemed unsure on whether I needed their router or not, so they sent me the boxes (two set-top boxes and a dvr).  So far, no dice.  The box acts as if it's doing something, and non-live TV seems fine, but any of the live TV stuff just stalls out with no picture.  I'm guessing they're using multicast based on what other folks asking about other IPTV services in the forums have posted, but I'm not sure.

TL;DR - anyone else here on the same trial, and if so, can you share what you did to get things working short of sticking your pfsense box behind their router and double-natting everything?

4
Firewalling / Save states across reboot?
« on: February 20, 2017, 11:00:09 pm »
I remember at some point having a BSD-based firewall that let you run a command at shutdown to save firewall/NAT states to a file and then load them back at system start.  After a bit of googling, it looks like this was the old "ipf" firewall package, and specifically the "ipfs" command (https://smartos.org/man/1m/ipfs).

It appears pf dropped this capability - I don't see anything in the pfctl manpage to lock, save or load states.  So long shot, any plans for pfsense to do something similar since you're working with a sort of fork of the official pf?  I remember how nice it was to be able to keep my ssh sessions around over the course of an OS update, how cool would that be if one could start an update in pfsense and when the box finishes rebooting all your long-running connections are still there?

5
Installation and Upgrades / 2.3 update moved me to 32-bit, how?
« on: July 01, 2016, 12:13:57 am »
So while I was trying to figure out where all my pretty RRD graphs that showed monthly usage and such went, I kept getting errors.  Updated to 2.3.x and the mystery error went away, but it was replaced with some brief message along the lines of "rrd files from wrong architecture, deleting" (thanks!  I wouldn't want to save and convert years of data...:) ).

I thought that was a bit odd and then when poking around trying to get apcupsd installed from the FreeBSD repo I noted that it failed because the URL pointed to the amd64 repo.

Any idea why the 2.3 upgrade shoved me to i386?  This is not a modern box, but it was running amd64 and the one cause I could find googling did not seem to be my issue.  My backup config had this line, which I don't think forces me to a "non-standard" update URL (or is it?):

Code:
<firmware>
                        <alturl>
                                <enable/>
                                <firmwareurl>https://updates.pfsense.org/_updaters</firmwareurl>
                        </alturl>
                </firmware>

6
General Questions / High CPU/Interrupt usage with little traffic
« on: February 21, 2016, 06:10:50 pm »
This seems a bit odd.  I'm idling at about 30% CPU usage, which is mostly supposedly interrupts (see attached).

Code:
last pid: 43211;  load averages:  0.79,  0.75,  0.75                                                        up 3+18:00:18  19:08:38
69 processes:  2 running, 66 sleeping, 1 waiting
CPU:  0.0% user,  0.0% nice,  0.0% system, 37.4% interrupt, 62.6% idle
Mem: 30M Active, 103M Inact, 154M Wired, 776M Buf, 3545M Free
Swap: 8192M Total, 8192M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root        2 155 ki31     0K    32K RUN     1 141.0H 131.59% idle
   12 root       21 -72    -     0K   336K WAIT    1  38.2H  76.17% intr
    0 root       11 -92    0     0K   176K -       1  16:26   0.00% kernel
   15 root        1 -16    -     0K    16K -       1   4:36   0.00% rand_harvestq
29675 root        1  20    0 12456K  2176K select  1   1:30   0.00% apinger
    5 root        1 -16    -     0K    16K pftm    1   0:59   0.00% pf purge
22898 root        1  20    0 21732K  6032K select  1   0:21   0.00% openvpn
55010 root        1  52   20 17136K  2656K wait    1   0:18   0.00% sh
   20 root        1  16    -     0K    16K syncer  1   0:11   0.00% syncer
    4 root        2 -16    -     0K    32K -       0   0:09   0.00% cam
80950 root        1  20    0 21160K  4656K select  1   0:09   0.00% miniupnpd

I have three ethernet NICs - one onboard bge (LAN), one PCI-e generic realtek (re0 - Fios), and one PCI generic realtek (re1 - low speed DSL).

7
Routing and Multi WAN / Tunneling and multi-homing?
« on: February 14, 2016, 04:08:09 pm »
Bear with me, this is a weird setup, and I'd like to try to validate it.

I currently have DSL and cable at home (I work from home, hence the redundancy).  The DSL is under my control - I have access to the ISP side since I work there.  Currently I have a block of static IPs on both.  This all works well.

The cable business internet rates are going up a lot, so I'm moving to residential FiOS and ditching the cable.  I will lose the block of statics from the cable line obviously.  What I'd like to do is nail up a tunnel (OpenVPN or IPSEC) on the FiOS line back to the PoP where my DSL originates.  Additionally I'd like to setup some type of dynamic routing with one path being the DSL link and the other being the tunnel.  I do NOT want to use this for all traffic, just outbound ssh/http/https to some netblocks and for inbound traffic.

This does seem like it should work, but I'm not totally confident I can make all these moving parts play nicely together.

8
Packages / apcupsd on 2.2: multiple processes
« on: April 02, 2015, 10:48:40 pm »
I keep seeing apcupsd getting started twice since upgrading to 2.2:

Code:
2015-04-02 18:18:34 -0400  apcupsd shutdown succeeded
2015-04-02 18:18:39 -0400  apcupsd 3.14.12 (29 March 2014) freebsd startup succeeded
2015-04-02 18:18:40 -0400  apcupsd 3.14.12 (29 March 2014) freebsd startup succeeded
2015-04-02 18:18:40 -0400  apcserver: cannot bind port 3551. ERR=Address already in use
2015-04-02 19:18:40 -0400  apcserver: cannot bind port 3551. ERR=Address already in use
2015-04-02 20:18:40 -0400  apcserver: cannot bind port 3551. ERR=Address already in use
2015-04-02 21:18:40 -0400  apcserver: cannot bind port 3551. ERR=Address already in use
2015-04-02 22:18:40 -0400  apcserver: cannot bind port 3551. ERR=Address already in use
2015-04-02 23:18:40 -0400  apcserver: cannot bind port 3551. ERR=Address already in use
2015-04-02 23:23:34 -0400  apcupsd exiting, signal 15
2015-04-02 23:23:34 -0400  apcupsd shutdown succeeded
2015-04-02 23:23:34 -0400  apcupsd exiting, signal 15
2015-04-02 23:23:34 -0400  apcupsd shutdown succeeded
2015-04-02 23:23:40 -0400  apcupsd 3.14.12 (29 March 2014) freebsd startup succeeded
2015-04-02 23:23:41 -0400  apcupsd 3.14.12 (29 March 2014) freebsd startup succeeded
2015-04-02 23:23:41 -0400  apcserver: cannot bind port 3551. ERR=Address already in use
2015-04-02 23:32:23 -0400  apcupsd exiting, signal 15
2015-04-02 23:32:23 -0400  apcupsd shutdown succeeded
2015-04-02 23:32:23 -0400  apcupsd exiting, signal 15
2015-04-02 23:32:23 -0400  apcupsd shutdown succeeded
2015-04-02 23:32:33 -0400  apcupsd 3.14.12 (29 March 2014) freebsd startup succeeded

It still seems to work, but something seems amiss.

Any other info I can provide?

9
General Questions / NTP server not working post-2.2 upgrade
« on: April 02, 2015, 09:47:39 pm »
I'm seeing what seems to be exactly what this guy saw in the 2.2-RC thread:

https://forum.pfsense.org/index.php?topic=86502.0

Same thing, previously we were running 2.1.2 and had a number of clients inside the LAN syncing to the pfsense box.  After the upgrade all the clients are un-synced.  Running ntpdate from inside clients shows this (note the complaint is that the server is stratum 16):

Code:
[spork@devel4 ~]$ ntpdate -d 192.168.11.1
 2 Apr 22:32:16 ntpdate[5180]: ntpdate 4.2.4p5-a (1)
transmit(192.168.11.1)
receive(192.168.11.1)
transmit(192.168.11.1)
receive(192.168.11.1)
transmit(192.168.11.1)
transmit(192.168.11.1)
transmit(192.168.11.1)
192.168.11.1: Server dropped: strata too high
server 192.168.11.1, port 123
stratum 16, precision -6, leap 11, trust 000
refid [192.168.11.1], delay 0.02605, dispersion 24.00186
transmitted 4, in filter 4
reference time:    00000000.00000000  Thu, Feb  7 2036  1:28:16.000
originate timestamp: d8c87a30.69123d7c  Thu, Apr  2 2015 22:32:16.410
transmit timestamp:  d8c87a31.6916bd01  Thu, Apr  2 2015 22:32:17.410
filter delay:  0.02605  0.04166  0.00000  0.00000
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.003524 -0.00021 0.000000 0.000000
         0.000000 0.000000 0.000000 0.000000
delay 0.02605, dispersion 24.00186
offset 0.003524

 2 Apr 22:32:18 ntpdate[5180]: no server suitable for synchronization found

Some stats from the server itself:

Code:
ntpq> peer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*nu.binary.net   216.229.0.179    2 u  132  128  377   51.473   11.690   2.584
+ec2-54-235-96-1 199.102.46.76    2 u  123  128  377   37.559  -20.004   1.790
+NTP1.playallian 129.6.15.30      2 u  128  128  377   74.699   -9.198   1.077
ntpq>

ntpq> rv
associd=0 status=061b leap_none, sync_ntp, 1 event, leap_event,
version="ntpd 4.2.8p1@1.3265-o Fri Feb 13 17:22:32 UTC 2015 (1)",
processor="i386", system="FreeBSD/10.1-RELEASE-p6", leap=00, stratum=3,
precision=-19, rootdelay=51.702, rootdisp=54.216, refid=216.229.0.50,
reftime=d8c879a1.8d8e464c  Thu, Apr  2 2015 22:29:53.552,
clock=d8c87a6a.49d3deb7  Thu, Apr  2 2015 22:33:14.288, peer=25885, tc=7,
mintc=3, offset=-0.171923, frequency=25.245, sys_jitter=33.872938,
clk_jitter=23.433, clk_wander=0.019

ntpq> sysinfo
associd=0 status=061b leap_none, sync_ntp, 1 event, leap_event,
system peer:        nu.binary.net:123
system peer mode:   client
leap indicator:     00
stratum:            3
log2 precision:     -19
root delay:         51.702
root dispersion:    54.456
reference ID:       216.229.0.50
reference time:     d8c879a1.8d8e464c  Thu, Apr  2 2015 22:29:53.552
system jitter:      33.872938
clock jitter:       23.433
clock wander:       0.019
broadcast delay:    0.000
symm. auth. delay:  0.000
ntpq>


And ntpdate on the firewall itself does not see the server as stratum 16:

Code:
[2.2.1-RELEASE][admin@fw.office.xxx.com]/root: ntpdate -d 192.168.11.1
 2 Apr 22:33:48 ntpdate[43622]: ntpdate 4.2.8p1@1.3265-o Fri Feb 13 17:22:33 UTC 2015 (1)
Looking for host 192.168.11.1 and service ntp
192.168.11.1 reversed to fw.office.xxx.com
host found : fw.office.xxx.com
transmit(192.168.11.1)
receive(192.168.11.1)
transmit(192.168.11.1)
receive(192.168.11.1)
transmit(192.168.11.1)
receive(192.168.11.1)
transmit(192.168.11.1)
receive(192.168.11.1)
server 192.168.11.1, port 123
stratum 3, precision -19, leap 00, trust 000
refid [192.168.11.1], delay 0.02591, dispersion 0.00002
transmitted 4, in filter 4
reference time:    d8c879a1.8d8e464c  Thu, Apr  2 2015 22:29:53.552
originate timestamp: d8c87a93.11bf9b26  Thu, Apr  2 2015 22:33:55.069
transmit timestamp:  d8c87a93.119781b8  Thu, Apr  2 2015 22:33:55.068
filter delay:  0.02632  0.02594  0.02591  0.02603
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.000257 0.000074 0.000059 0.000090
         0.000000 0.000000 0.000000 0.000000
delay 0.02591, dispersion 0.00002
offset 0.000059

 2 Apr 22:33:55 ntpdate[43622]: adjust time server 192.168.11.1 offset 0.000059 sec


And the config in /var/etc/ntp.conf (this is all default for the options except for additional logging, and I'm set to only listen on the LAN interface):

Code:
cat /var/etc/ntpd.conf
#
# pfSense ntp configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12


# Upstream Servers
server 0.freebsd.pool.ntp.org iburst maxpoll 9
server 1.freebsd.pool.ntp.org iburst maxpoll 9
server 3.freebsd.pool.ntp.org iburst maxpoll 9


disable monitor
enable stats
statistics clockstats loopstats peerstats
statsdir /var/log/ntp
logconfig =syncall +clockall +peerall +sysall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap

interface ignore all
interface listen fxp0

And the logs since the last restart:

Code:
Apr  2 21:48:25 fw ntpd[37699]: ntpd exiting on signal 15 (Terminated)
Apr  2 21:48:25 fw ntpd[37699]: 0.0.0.0 061d 0d kern kernel time sync disabled
Apr  2 21:48:25 fw ntpd[22713]: ntpd 4.2.8p1@1.3265-o Fri Feb 13 17:22:32 UTC 2015 (1): Starting
Apr  2 21:48:25 fw ntpd[22713]: Command line: /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
Apr  2 21:48:25 fw ntpd[23006]: proto: precision = 2.235 usec (-19)
Apr  2 21:48:25 fw ntpd[23006]: Listen and drop on 0 v6wildcard [::]:123
Apr  2 21:48:25 fw ntpd[23006]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Apr  2 21:48:25 fw ntpd[23006]: Listen normally on 2 fxp0 [fe80::20e:cff:fea2:804%1]:123
Apr  2 21:48:25 fw ntpd[23006]: setsockopt IPV6_MULTICAST_IF 0 for fe80::20e:cff:fea2:804%1 fails: Can't assign requested address
Apr  2 21:48:25 fw ntpd[23006]: Listen normally on 3 fxp0 192.168.11.1:123
Apr  2 21:48:25 fw ntpd[23006]: Listen normally on 4 fxp0 [2001:470:8:120e::1]:123
Apr  2 21:48:25 fw ntpd[23006]: Listen normally on 5 lo0 127.0.0.1:123
Apr  2 21:48:25 fw ntpd[23006]: Listen normally on 6 lo0 [::1]:123
Apr  2 21:48:25 fw ntpd[23006]: Listening on routing socket on fd #27 for interface updates
Apr  2 21:48:25 fw ntpd[23006]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Apr  2 21:48:25 fw ntpd[23006]: 0.0.0.0 c012 02 freq_set kernel 25.309 PPM
Apr  2 21:48:25 fw ntpd[23006]: 0.0.0.0 c016 06 restart
Apr  2 21:48:25 fw ntpd[23006]: DNS 0.freebsd.pool.ntp.org -> 216.229.0.50
Apr  2 21:48:25 fw ntpd[23006]: 216.229.0.50 8011 81 mobilize assoc 25885
Apr  2 21:48:25 fw ntpd[23006]: DNS 1.freebsd.pool.ntp.org -> 54.235.96.196
Apr  2 21:48:25 fw ntpd[23006]: 54.235.96.196 8011 81 mobilize assoc 25886
Apr  2 21:48:26 fw ntpd[23006]: DNS 3.freebsd.pool.ntp.org -> 70.35.113.43
Apr  2 21:48:26 fw ntpd[23006]: 70.35.113.43 8011 81 mobilize assoc 25887
Apr  2 21:48:26 fw ntpd[23006]: 70.35.113.43 8024 84 reachable
Apr  2 21:48:26 fw ntpd[23006]: 70.35.113.43 903a 8a sys_peer
Apr  2 21:48:26 fw ntpd[23006]: 0.0.0.0 c615 05 clock_sync
Apr  2 21:48:29 fw ntpd[23006]: 54.235.96.196 8024 84 reachable
Apr  2 21:48:29 fw ntpd[23006]: 216.229.0.50 8024 84 reachable
Apr  2 21:48:33 fw ntpd[23006]: 0.0.0.0 061b 0b leap_event
Apr  2 21:48:36 fw ntpd[23006]: 216.229.0.50 903a 8a sys_peer


What's really odd is that the server does not seem to think it's at stratum 16, but stratum 3.  But clients on the LAN don't agree.

Any ideas?

No blocks showing in the firewall logs.
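
Added example, not part of the post above and not code from ntp.org or pfSense: a decoder for the NTP v4 header that turns a raw reply into the verdict ntpdate only hints at with "Server dropped: strata too high".  On the wire an unsynchronised ntpd sends stratum 0, which ntpdate and ntpd print as stratum 16; a stratum-0 reply whose reference ID is four ASCII letters is a kiss-o'-death (for example RATE, which "restrict ... kod limited" produces when a client polls too often), and LI=3 with a zero reference timestamp is the "leap 11 / reference time 00000000" shape shown in the client output.  The three sample packets are constructed with build_server_reply() to illustrate those cases; they are not captures from the poster's firewall, and the timestamps are made up.  Feed parse_ntp() the UDP payload from a tcpdump -X / scapy capture of a real reply to see which case a client is actually receiving.

```python
"""Decode NTP v4 replies to see what 'stratum 16 / leap 11' means on the wire.

Added example; not code from the original post or from ntp.org. The packets
below are constructed with build_server_reply(), not captured from the
poster's firewall, and the timestamps are made up to sit near the post's.
"""
import struct
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# RFC 5905 header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then reference/origin/receive/transmit timestamps
NTP_HDR = struct.Struct("!BBbbII4sQQQQ")
STRATUM_UNSPEC = 16  # ntpd/ntpdate report wire stratum 0 as 16 ("unsynchronized")


def dt_to_ntp(dt):
    """datetime -> 64-bit NTP timestamp (seconds since 1900 in the high word)."""
    delta = dt - NTP_EPOCH
    secs = int(delta.total_seconds())
    frac = int((delta - timedelta(seconds=secs)).total_seconds() * (1 << 32))
    return (secs << 32) | (frac & 0xFFFFFFFF)


def ntp_to_dt(ts):
    """64-bit NTP timestamp -> datetime; 0 is the 'never synchronised' value."""
    if ts == 0:
        return None
    return NTP_EPOCH + timedelta(seconds=(ts >> 32) + (ts & 0xFFFFFFFF) / (1 << 32))


def build_client_request(xmit_time, version=4):
    """48-byte mode-3 client request, the shape ntpdate sends."""
    first = (0 << 6) | (version << 3) | 3          # LI=0, VN, mode 3 = client
    return NTP_HDR.pack(first, 0, 6, -20, 0, 0, b"\0" * 4, 0, 0, 0, dt_to_ntp(xmit_time))


def build_server_reply(stratum, refid, li=0, ref_time=None, xmit_time=None, version=4):
    """Constructed mode-4 reply for exercising the decoder (sample input, not a capture)."""
    first = (li << 6) | (version << 3) | 4          # mode 4 = server
    wire_stratum = 0 if stratum == STRATUM_UNSPEC else stratum
    refid_bytes = refid if isinstance(refid, bytes) else IPv4Address(refid).packed
    return NTP_HDR.pack(first, wire_stratum, 6, -19, 0, 0, refid_bytes,
                        dt_to_ntp(ref_time) if ref_time else 0, 0, 0,
                        dt_to_ntp(xmit_time) if xmit_time else 0)


def parse_ntp(data):
    """Decode the fixed 48-byte header; extension fields and MAC are ignored."""
    if len(data) < NTP_HDR.size:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (first, stratum, poll, precision, rdelay, rdisp, refid,
     ref_ts, _orig_ts, _recv_ts, xmit_ts) = NTP_HDR.unpack_from(data)
    return {
        "li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": STRATUM_UNSPEC if stratum == 0 else stratum,
        "poll": poll, "precision": precision,
        "root_delay": rdelay / 65536.0, "root_dispersion": rdisp / 65536.0,
        "refid": refid, "ref_time": ntp_to_dt(ref_ts), "xmit_time": ntp_to_dt(xmit_ts),
    }


def refid_text(pkt):
    """Stratum 0/1 refids are 4 ASCII chars (kiss code or clock name); stratum 2+ an IPv4."""
    if pkt["stratum"] in (1, STRATUM_UNSPEC) and all(b == 0 or 32 <= b < 127 for b in pkt["refid"]):
        return pkt["refid"].rstrip(b"\0").decode("ascii")
    return str(IPv4Address(pkt["refid"]))


def classify(data):
    """Turn a reply into the verdict ntpdate only hints at ('strata too high')."""
    pkt = parse_ntp(data)
    if pkt["mode"] != 4:
        return "not a server reply (mode %d)" % pkt["mode"]
    if pkt["stratum"] == STRATUM_UNSPEC:
        code = refid_text(pkt)
        if len(code) == 4 and code.isalpha():
            return "kiss-o'-death: " + code            # e.g. RATE from 'restrict ... kod limited'
        return "unsynchronized (stratum 16, LI=%d, refid %s)" % (pkt["li"], code)
    if pkt["li"] == 3:
        return "unsynchronized (LI=3)"
    return "synchronized (stratum %d via %s)" % (pkt["stratum"], refid_text(pkt))


# Constructed samples: a healthy stratum-3 reply, the stratum-16/leap-11/
# reference-time-zero shape the LAN clients saw, and a RATE kiss-o'-death.
T0 = datetime(2015, 4, 2, 22, 29, 53, tzinfo=timezone.utc)
T1 = T0 + timedelta(minutes=3)
SAMPLE_OK = build_server_reply(3, "216.229.0.50", ref_time=T0, xmit_time=T1)
SAMPLE_UNSYNC = build_server_reply(STRATUM_UNSPEC, "192.168.11.1", li=3, xmit_time=T1)
SAMPLE_KOD = build_server_reply(STRATUM_UNSPEC, b"RATE", li=3, xmit_time=T1)

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("unsync", SAMPLE_UNSYNC), ("kod", SAMPLE_KOD)):
        print(name, "->", classify(pkt))
```

The useful distinction for this kind of triage is between a server that answers "I am not synchronised" (stratum 0 on the wire, zero reference time) and a server that is rate-limiting the client (stratum 0 with an ASCII kiss code); ntpdate prints both as stratum 16, so only the reference ID tells them apart.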

10
OpenVPN / OpenVPN client, routes being ignored
« on: March 23, 2015, 11:09:08 pm »
I'm running pfsense 2.1.4 (scared to update much further, this is a Pentium 3) and I run both an OpenVPN server for my own convenience and have been running a single client config for access to a work site as well.  Both have been working well.

I wanted to add a second client connection and that went well as far as getting all the ca and cert stuff going and getting the link up.  However it seems like even though the routes are being pushed to my pfsense client (the same way they are with the other client config), they are being ignored.

Here's a snippet of the vpn routing:

Code:
netstat -nr |grep ovpnc
10.77.66.0/24      10.99.99.5         UGS         0     1257 ovpnc2
10.88.77.0/24      10.99.0.102        UGS         0      372 ovpnc3
10.99.0.1/32       10.99.0.102        UGS         0       18 ovpnc3
10.99.0.102        link#12            UH          0        5 ovpnc3
10.99.99.5         link#11            UH          0       86 ovpnc2
192.168.1.0/24     10.99.0.102        UGS         0        0 ovpnc3
192.168.2.0/24     10.99.0.102        UGS         0        0 ovpnc3
192.168.3.0/24     10.99.0.102        UGS         0        0 ovpnc3
192.168.4.0/24     10.99.0.102        UGS         0        0 ovpnc3
192.168.88.0/24    10.99.99.5         UGS         0       12 ovpnc2

LAN behind my pfsense box is 10.3.2.0/24.

All boxes on my LAN can ping hosts with routes to "ovpnc2" which was the initial client setup.

No boxes on my LAN can ping anything with routes to "ovpnc3" which is the new client setup.

However, from the pf command line, no problems:

Code:
[2.1.4-RELEASE][admin@gw.xx.com]/root(73): ping 10.99.0.1
PING 10.99.0.1 (10.99.0.1): 56 data bytes
64 bytes from 10.99.0.1: icmp_seq=0 ttl=64 time=12.191 ms
64 bytes from 10.99.0.1: icmp_seq=1 ttl=64 time=11.279 ms
^C
--- 10.99.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 11.279/11.735/12.191/0.456 ms
[2.1.4-RELEASE][admin@gw.xx.com]/root(74): ping 10.88.77.81
PING 10.88.77.81 (10.88.77.81): 56 data bytes
64 bytes from 10.88.77.81: icmp_seq=0 ttl=63 time=11.511 ms
64 bytes from 10.88.77.81: icmp_seq=1 ttl=63 time=12.323 ms
^C
--- 10.88.77.81 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 11.511/11.917/12.323/0.406 ms
[2.1.4-RELEASE][admin@gw.xx.com]/root(75): ping 192.168.4.1
PING 192.168.4.1 (192.168.4.1): 56 data bytes
64 bytes from 192.168.4.1: icmp_seq=0 ttl=253 time=12.405 ms
^C
--- 192.168.4.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.405/12.405/12.405/0.000 ms
[2.1.4-RELEASE][admin@gw.xx.com]/root(76):

And if I run a tcpdump on the tun interface of the server, I can clearly see the traffic arriving and the echo replies:

Code:
[root@trunk /usr/local/etc/openvpn]# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
00:01:42.083363 IP 10.99.0.101 > 10.99.0.1: ICMP echo request, id 16141, seq 0, length 64
00:01:42.083381 IP 10.99.0.1 > 10.99.0.101: ICMP echo reply, id 16141, seq 0, length 64
00:01:43.083461 IP 10.99.0.101 > 10.99.0.1: ICMP echo request, id 16141, seq 1, length 64
00:01:43.083474 IP 10.99.0.1 > 10.99.0.101: ICMP echo reply, id 16141, seq 1, length 64
00:01:46.411995 IP 10.99.0.101 > 192.168.4.1: ICMP echo request, id 16918, seq 0, length 64
00:01:46.412864 IP 192.168.4.1 > 10.99.0.101: ICMP echo reply, id 16918, seq 0, length 64
00:01:47.414083 IP 10.99.0.101 > 192.168.4.1: ICMP echo request, id 16918, seq 1, length 64
00:01:47.415823 IP 192.168.4.1 > 10.99.0.101: ICMP echo reply, id 16918, seq 1, length 64
...

But pinging from the LAN, that tcpdump is silent.

Doing a packet capture on the pfsense side, I can see the packets going out if I select the "ovpnc3" interface, both from the LAN and from the shell session.

pfsense is logging no firewall rule hits.

NAT rules are set to "auto".

Where are my packets going?

11
DHCP and DNS / Unbound ACLs not working
« on: July 14, 2014, 12:48:26 am »
pfsense 2.1.4, unbound package 1.4.22_2 (which seems to be the latest).

When adding or deleting an ACL, when you get to the "apply changes" screen and hit submit, the following error is thrown:

Code:
Fatal error: Call to undefined function unbound_reconfigure() in /usr/local/www/unbound_acls.php on line 124

FWIW, a workaround is to add specific allows in the "Custom Options" in the "Unbound DNS Advanced Settings" tab, for example:

Code:
access-control: 10.200.200.0/24 allow
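
Added example, not part of the post and not code from the unbound package or pfSense: a small evaluator for unbound access-control lines that applies the rule unbound itself uses (the most specific matching netblock wins; anything unmatched is refused, with localhost allowed by default) and flags the two things worth checking before pasting allows into Custom Options, namely a catch-all "allow" that makes the box an open resolver, and "allow_snoop" netblocks, which also answer non-recursive queries and so permit cache snooping.  The sample configuration is constructed around the workaround line quoted above; the /32 refuse and the 192.168.11.0/24 entry are made up to show the precedence rule.

```python
"""Evaluate unbound 'access-control:' lines the way unbound does and flag
open-resolver settings.

Added example; not code from the unbound package, the pfSense package or the
original post. The sample configuration is constructed around the workaround
line quoted in the post; the extra netblocks are made up.
"""
import re
from ipaddress import ip_address, ip_network

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)\s*$")
ALLOW_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}
# unbound's built-in defaults: localhost is allowed, everything else refused
DEFAULT_ACLS = [(ip_network("127.0.0.0/8"), "allow"), (ip_network("::1/128"), "allow")]


def parse_acls(config_text):
    """Return (netblock, action) pairs, defaults first, comments stripped."""
    acls = list(DEFAULT_ACLS)
    for line in config_text.splitlines():
        m = ACL_RE.match(line.split("#", 1)[0])
        if m:
            acls.append((ip_network(m.group(1), strict=False), m.group(2)))
    return acls


def acl_action(acls, client):
    """Most specific matching netblock wins; no match means 'refuse'."""
    addr = ip_address(client)
    best = None
    for net, action in acls:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def open_resolver_risks(acls):
    """Catch-all netblocks that allow recursion turn the box into an open resolver."""
    return ["%s %s" % (net, action) for net, action in acls
            if net.prefixlen == 0 and action in ALLOW_ACTIONS]


def snoopable_netblocks(acls):
    """allow_snoop also answers non-recursive queries, i.e. permits cache snooping."""
    return [str(net) for net, action in acls if action == "allow_snoop"]


# Constructed sample built around the workaround line from the post.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    # the workaround from the post: let the OpenVPN client range query
    access-control: 10.200.200.0/24 allow
    access-control: 10.200.200.250/32 refuse   # more specific, overrides the /24
    access-control: 192.168.11.0/24 allow_snoop
"""
ACLS = parse_acls(SAMPLE_CONF)

if __name__ == "__main__":
    for client in ("10.200.200.10", "10.200.200.250", "192.168.11.5", "8.8.8.8", "127.0.0.1"):
        print(client, "->", acl_action(ACLS, client))
    print("open resolver risks:", open_resolver_risks(ACLS))
    print("open resolver risks:", open_resolver_risks(parse_acls("access-control: 0.0.0.0/0 allow")))
```

Because the default for an unmatched client is refuse, adding only the netblocks that need recursion (as the workaround does) is the safe direction; the failure mode to avoid is a broad allow added "temporarily" on a WAN-reachable listener.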

12
NAT / NAT Reflection status?
« on: July 12, 2014, 02:56:16 pm »
I think I pretty much understand how the reflection options are supposed to work, but I'm having issues (2.1.4) and I'm wondering if there are any caveats that I don't know of.

Currently, I'm able to get reflection working only with the proxy option.  I do not want to use this option for two reasons:

•It appears all external traffic passes through the proxy
•All traffic appears to come from the proxy, so any services that log a source address no longer have the "real" source, everything appears to come from pfsense itself

Two things that I have configured that I'm not sure are compatible with the standard reflection rules are using virtual IPs for the NAT rules (additional external addresses - "if alias" type) and a legacy bridge interface I'm trying really hard to get rid of (chicken and egg problem - need to get NAT working before I can yank the bridge interface).

When I initiate a connection from inside to a service that's forwarded on the outside with "pure nat" reflection enabled, I see no packets blocked in the firewall logs.  For state entries, I see the following:

Code:
Proto Source -> Router -> Destination State
tcp 192.168.11.102:22 <- x.x.x.222:22 <- x.x.x.211:55418 CLOSED:SYN_SENT
tcp x.x.x.211:51893 -> 192.168.11.102:22 SYN_SENT:CLOSED

x.x.x.222 is an alias on pfsense's wan interface
x.x.x.211 is the wan interface's main IP
192.168.11.102 is the port forward target IP

Not seen there is the connection source, which is 192.168.11.101.

If I'm reading this right, there's no state being generated from 192.168.11.101 to the ultimate destination after NAT of 192.168.11.101, and the state entries shown above represent the destination (192.168.11.102) reaching back to pfsense's main WAN IP and the second state entry is likely the already-translated source IP hitting the destination.

What's going wrong in this scenario?

Is my bridge interfering in some way?

Is reflection not supported with if aliases?

What else can I do to troubleshoot?

13
I think I have this working, but I don't quite understand what I've done to make it work.

An overview:

pfsense box at a central site (2.1.4 Release) running OpenVPN server and an IPSEC tunnel to another site.  The remote IPSEC site has a box running FreeBSD 8.4/racoon which straddles both an external and internal network.

Clients that connect via OpenVPN to the pfsense box want to reach both a local internal network and the remote IPSEC-connected internal network.  The IPSEC tunnel between both sites is operational and used regularly.  Before I started working on this, openvpn clients could not reach anything at the remote IPSEC-connected site - traceroutes would show a first hop of the OpenVPN interface on the pfsense box and then would follow the default route out to the public internet.

Networks in question - 192.168.11.0/24, internal network at pfsense site, 10.99.88.0/24, internal network at the remote site connected via IPSEC tunnel, 10.200.200.0/24, OpenVPN interface range.

What I've done is added another "phase 2" entry to the IPSEC configuration.  On the pfsense end, I have the following entered:

Mode - Tunnel IPv4
Local Network
  - type, network - 10.200.200.0/24
  - "specify the address to be translated" option - type, address - 192.168.11.251
Remote Network
  - type, network - 10.99.88.0/24

On the remote side, I added an "sainfo" stanza like this in racoon.conf:

Code:
sainfo address 10.99.88.0/24 any address 192.168.11.251/32 any {
        encryption_algorithm aes256,3des,blowfish,cast128,rijndael;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 3600 secs;
}


This works.  Some options that did not work were - specifying a /32 instead of "address" in the NAT section, specifying a /24 in the NAT section, and specifying a /24 in the above snippet from the remote kind of worked, but I ended up breaking connectivity from the remote site back to the pfsense site over the tunnel.

I'm puzzled as to what the "In case you need NAT/BINAT on this network specify the address to be translated" section really does behind the scenes. I'm also confused by the second phase 2 config in the remote racoon config, as it seems to overlap the first.

It does work though...

14
Firewalling / Java, you had your chance...
« on: March 01, 2013, 07:49:05 pm »
OK, this java mess is not going away.  Yet another hole found today.

I was digging around to see what SonicWall and the low-end Cisco ASAs offer, and they all have the ability to block java applets.  I'd love to give this a shot in pfsense.  I only need java on a few select sites (and usually via VPN anyhow, as they're IP-KVM interfaces), but there's always a chance I'll forget to disable the web plugin after using it.  I'd like to use pfsense to shield me from that.

I have not looked at the Layer-7 filtering at all since upgrading to a recent 2.1 snapshot.  Can this help me accomplish my task of blocking java applets?  If so, and if it's not horribly complicated, it would be nice to sticky this on one of the forums (and if it works well, put out a news release - this java mess is a big deal, and Oracle being Oracle, I'm sure we're in for many more vulns going forward).

15
OpenVPN / Routing remote LAN w/pfsense as OVPN client?
« on: October 15, 2012, 07:52:21 pm »
Hello,

Can't quite figure this one out...  I was running an older 2.1 snap, updated today to the latest to rule out any old issues.  I have both OpenVPN server and client running on my box.  The server has been working great.  The client I just setup today and I'm having trouble figuring out why the clients on the LAN behind my local pfsense cannot reach the subnet on the other end of the vpn.  I've got the route pushed and I can reach it fine from the pfsense cli:

Code:
sis0 = LAN
xl0 = Primary WAN
dc0 = Secondary WAN
ovpns1 = ovpn server
ovpnc2 = ovpn client

[2.1-BETA0][admin@gw.xxx.com]/root(7): netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            my wan1 IP       UGS         0    15963    xl0
10.3.2.0/24        link#1             U           0    56536   sis0
10.3.2.1           link#1             UHS         0        0    lo0
10.3.3.0/24        10.3.3.2           UGS         0        0 ovpns1
10.3.3.1           link#11            UHS         0        0    lo0
10.3.3.2           link#11            UH          0        0 ovpns1
10.77.66.0/24      10.99.99.5         UGS         0      216 ovpnc2  <<-- REMOTE LAN
10.99.99.5         link#12            UH          0        0 ovpnc2  <<-- REMOTE OVPN GW
10.99.99.6         link#12            UHS         0        0    lo0
WAN1 subnet/29    link#3             U           0        0    xl0
WAN1       link#3             UHS         0        0    lo0
127.0.0.1          link#6             UH          0      119    lo0
WAN2 subnet/24   link#2             U           0     7007    dc0
WAN2    link#2             UHS         0        0    lo0

And pinging the OVPN link IPs from pfsense shell:

Code:
[2.1-BETA0][admin@gw.xxx.com]/root(8):  ping 10.99.99.5
PING 10.99.99.5 (10.99.99.5): 56 data bytes
64 bytes from 10.99.99.5: icmp_seq=0 ttl=64 time=19.943 ms
64 bytes from 10.99.99.5: icmp_seq=1 ttl=64 time=27.085 ms
64 bytes from 10.99.99.5: icmp_seq=2 ttl=64 time=17.750 ms
^C
--- 10.99.99.5 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.750/21.593/27.085/3.986 ms
[2.1-BETA0][admin@gw.xxx.com]/root(9): ping 10.99.99.6
PING 10.99.99.6 (10.99.99.6): 56 data bytes
64 bytes from 10.99.99.6: icmp_seq=0 ttl=64 time=0.464 ms
64 bytes from 10.99.99.6: icmp_seq=1 ttl=64 time=0.197 ms
^C
--- 10.99.99.6 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.197/0.331/0.464/0.133 ms

And pinging the remote LAN from the pfsense shell:

Code:
[2.1-BETA0][admin@gw.xxx.com]/root(10): ping obox
PING obox.bway.net (10.77.66.50): 56 data bytes
64 bytes from 10.77.66.50: icmp_seq=0 ttl=64 time=17.947 ms
64 bytes from 10.77.66.50: icmp_seq=1 ttl=64 time=16.552 ms
64 bytes from 10.77.66.50: icmp_seq=2 ttl=64 time=18.384 ms
^C
--- obox.xxx.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 16.552/17.628/18.384/0.781 ms

But I cannot reach any of those except for 10.99.99.6 (pfsense ovpn client link IP) from my local LAN or from the shell when pinging with the LAN IP:

Code:
[2.1-BETA0][admin@gw.xxx.com]/root(11): ping -S 10.3.2.1 10.99.99.5
PING 10.99.99.5 (10.99.99.5) from 10.3.2.1: 56 data bytes
^C
--- 10.99.99.5 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
[2.1-BETA0][admin@gw.xxx.com]/root(12): ping -S 10.3.2.1 obox
PING obox.bway.net (10.77.66.50) from 10.3.2.1: 56 data bytes
^C
--- obox.xxx.net ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

I do have a failover WAN config, so I've tried a few things to no avail:

-Added a rule to the LAN tab that says for destination net 10.77.66.0 to not use the floating gw but to use the system default, moved that rule above the existing rule pointing to the floating gw.
-Added a NAT rule to disable NAT when 10.77.66.0 is the destination.

What am I missing here?  The OVPN portion seems correct, something's just funky with routing or the firewall.  I see none of my traffic bound for 10.77.66.0 in the firewall deny logs...

Help?
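
Added example, not part of this post or of the March 2015 "OpenVPN client, routes being ignored" post above, and not pfSense code: both posts have the same shape (the firewall itself can reach the far side of an OpenVPN client tunnel, hosts on the LAN behind it cannot, and nothing is logged as blocked), and in both the firewall's own pings leave with the tunnel address as source while LAN pings leave with a LAN address.  The script parses netstat -nr output into a route table, does the longest-prefix lookup the kernel does for the forward path, and then asks the question the forward lookup cannot answer: does the far end have a route back to the source address?  The route lines are the netstat output quoted in the March 2015 post; FAR_SIDE_KNOWN is an assumption (the far end of ovpnc3 is taken to know only the tunnel network) because neither post shows the server's routing table, so the "no route back" verdict is a hypothesis to confirm on the server, not a diagnosis.

```python
"""Longest-prefix lookup over 'netstat -nr' output plus a return-path check
for traffic forwarded into an OpenVPN client tunnel.

Added example; not code from the original posts or from pfSense. NETSTAT_OUTPUT
is the 'netstat -nr | grep ovpnc' output quoted in the March 2015 post;
FAR_SIDE_KNOWN is an assumption (prefixes the far end of ovpnc3 is taken to
have routes for), since the posts do not show the server's routing table.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Route = namedtuple("Route", "net gateway flags iface")

NETSTAT_OUTPUT = """\
10.77.66.0/24      10.99.99.5         UGS         0     1257 ovpnc2
10.88.77.0/24      10.99.0.102        UGS         0      372 ovpnc3
10.99.0.1/32       10.99.0.102        UGS         0       18 ovpnc3
10.99.0.102        link#12            UH          0        5 ovpnc3
10.99.99.5         link#11            UH          0       86 ovpnc2
192.168.1.0/24     10.99.0.102        UGS         0        0 ovpnc3
192.168.2.0/24     10.99.0.102        UGS         0        0 ovpnc3
192.168.3.0/24     10.99.0.102        UGS         0        0 ovpnc3
192.168.4.0/24     10.99.0.102        UGS         0        0 ovpnc3
192.168.88.0/24    10.99.99.5         UGS         0       12 ovpnc2
"""

# Assumed, not from the posts: the ovpnc3 server only knows the tunnel network.
FAR_SIDE_KNOWN = [ip_network("10.99.0.0/24")]


def parse_netstat(text):
    """Parse FreeBSD 'netstat -nr' lines: Destination Gateway Flags Refs Use Netif."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not (parts[0] == "default" or parts[0][0].isdigit()):
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]   # bare host -> /32
        routes.append(Route(ip_network(dest, strict=False), parts[1], parts[2], parts[5]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, which is what the kernel does when forwarding."""
    addr = ip_address(dst)
    best = None
    for r in routes:
        if r.net.version == addr.version and addr in r.net:
            if best is None or r.net.prefixlen > best.net.prefixlen:
                best = r
    return best


def check_flow(routes, far_side_known, src, dst):
    """Forward path from the route table, return path from what the far end knows."""
    fwd = lookup(routes, dst)
    if fwd is None:
        return "no route to %s" % dst
    if not fwd.iface.startswith("ovpnc"):
        return "%s leaves via %s, not a tunnel" % (dst, fwd.iface)
    if any(ip_address(src) in n for n in far_side_known):
        return "ok: %s -> %s via %s, far end can reply to %s" % (src, dst, fwd.iface, src)
    return ("forward ok via %s, but the far end has no route back to %s: "
            "NAT the LAN to the tunnel address or add a route/iroute on the server"
            % (fwd.iface, src))


ROUTES = parse_netstat(NETSTAT_OUTPUT)

if __name__ == "__main__":
    print(check_flow(ROUTES, FAR_SIDE_KNOWN, "10.99.0.101", "10.88.77.81"))  # source = tunnel IP
    print(check_flow(ROUTES, FAR_SIDE_KNOWN, "10.3.2.10", "10.88.77.81"))    # source = LAN host
```

The asymmetry this makes visible is why "it works from the firewall shell but not from the LAN" and "nothing in the firewall logs" go together: the packets are forwarded and sent, and the silence is on the far end, which has nowhere to send the reply (or, in OpenVPN's case, drops packets from a source it has no iroute for before they ever reach the server's tun interface).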
