I think I figured out my problem, please correct me if I am wrong.
What I am trying to do is considered a directed broadcast, which is a
bad practice, so bad that FreeBSD doesn't even offer the option to turn
it on anymore.
I found a reference that said the command
sysctl net.inet.ip.directed-broadcast = 1
works in OpenBSD, but that OID isn't available in FreeBSD.
I don't really see the danger in having directed broadcasts routed on a
firewall that is using NAT and doesn't allow incoming connections,
except for those set up with port forwarding. It isn't like someone
could send a packet to the LAN broadcast IP without there being a rule
allowing it. Could someone explain what the danger is?
Is my only option to use some sort of proxy program that would accept
the packet, then send it out again, or a tunnel? Or would using the
web interface with a script be the best thing? I want machines behind
20 different pfSense firewalls to be started at 3 AM every morning, or by
various IT staff at different times, and those staff shouldn't have
access to the pfSense firewalls.
While looking for an answer I took a look at netstat and that gave me
the clue I needed.
I think the WOL packets are being recorded as not forwardable.
netstat -s -p ip
82 packets not forwardable
Thanks
Josh
Josh Stompro wrote:
I have been attempting to set up a UDP port forward so I can send the
WOL magic packet from an outside location to the broadcast address of
a LAN network behind a pfSense box. I haven't had any luck though;
the packet reaches the WAN interface, and is passed by the firewall
rule on the WAN set up to allow it, and that also shows that the
packet has been NATed. But no packet is sent out to the broadcast
address of the LAN. I have been trying to figure out if there is some
firewall rule that is trying to protect me from myself by blocking
broadcast traffic, but nothing is logged about that packet being blocked.
I have searched the listserv/forums/tickets/FAQ to the best of my
ability and haven't found anything related to this. Please let me
know if this is a known issue that I just couldn't find.
I have quite a few working TCP port forwards, no problems with those,
and the WOL from the firewall works fine.
My configuration:
pfSense 1.0-RC1a-embedded (I know, old, but I can't upgrade easily,
it's at a remote location)
hardware FX5620
lan = "{ rl0 }"
wan = "{ rl1 }"
NAT
rdr on rl1 proto udp from any to 1.2.3.4 port { 40 } ->
192.168.208.255 port 40
Firewall rule
pass in log quick on $wan proto udp from { 4.5.6.7/28 } to {
192.168.208.255 } port = 40 keep state queue (qwandef, qwanacks)
label "USER_RULE: NAT Wake On Lan Forward"
Firewall rule log
Sep 29 10:47:46 fertile pf: 505939 rule 235/0(match): pass in on rl1:
(tos 0x0, ttl 52, id 38888, offset 0, flags [DF], proto: UDP (17),
length: 130) 4.5.6.7.58894 > 192.168.208.255.40: UDP, length 102
TCPDUMP on WAN (tcpdump -i rl1 port 40)
listening on rl1, link-type EN10MB (Ethernet), capture size 96 bytes
10:49:07.851234 IP mail.example.org.58895 > wanip.example.com.40: UDP,
length 102
TCPDUMP on LAN (tcpdump -i rl0 port 40)
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
(Crickets Chirping, Arg, where be thee packet, arg)
Command used to send WOL packets
wakeonlan -i 1.2.3.4 -p 40 00:06:5B:C1:78:BA
Sending magic packet to 1.2.3.4:40 with 00:06:5B:C1:78:BA
Does anyone have any suggestions? The firewall was restarted. How
can I debug this?
Thanks
Josh
--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Mobile 701.371.3857
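The "proxy program that would accept the packet, then send it out again" that Josh asks about in his reply is straightforward to build, and it sidesteps the directed-broadcast problem entirely: a small service on a LAN host listens on a unicast UDP port (which the existing rdr rule can forward to, instead of forwarding to 192.168.208.255), checks that the payload is a well-formed magic packet for a MAC it has been told about, and only then re-sends it to the local broadcast address. The example below is added here and is not code from the thread or from pfSense; the MAC, port and broadcast address are taken from the original post, the listen address and the allow-list are assumptions. The 102-byte length it produces is the same "length 102" visible in the pf log and the WAN tcpdump above (6 bytes of 0xFF plus the MAC repeated 16 times).

```python
import socket
from typing import Optional, Set

# Values from the original post; the listen address is an assumption.
WOL_PORT = 40
LAN_BROADCAST = "192.168.208.255"


def parse_mac(mac: str) -> bytes:
    """Turn 'AA:BB:CC:DD:EE:FF' (or dash-separated) into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_magic_packet(mac: str) -> bytes:
    # Magic packet layout: 6 bytes of 0xFF, then the target MAC 16 times.
    # 6 + 16 * 6 = 102 bytes, matching "length 102" in the thread's captures.
    return b"\xff" * 6 + parse_mac(mac) * 16


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a well-formed magic packet, else None.

    A trailing SecureOn password (4 or 6 bytes) is tolerated but not checked.
    """
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    for i in range(16):
        if payload[6 + 6 * i: 12 + 6 * i] != mac:
            return None
    return format_mac(mac)


def should_relay(payload: bytes, allowed_macs: Set[str]) -> Optional[str]:
    """Relay only well-formed magic packets for MACs on the allow-list.

    The allow-list is what keeps the relay from being a generic
    unicast-to-broadcast reflector for the LAN.
    """
    mac = parse_magic_packet(payload)
    if mac is None:
        return None
    if mac not in {m.upper() for m in allowed_macs}:
        return None
    return mac


def run_relay(listen_addr: str, allowed_macs: Set[str],
              broadcast_addr: str = LAN_BROADCAST, port: int = WOL_PORT) -> None:
    """Listen on a unicast address and rebroadcast approved magic packets.

    Point the pfSense rdr rule at listen_addr:port instead of the LAN
    broadcast address; no directed broadcast has to cross the firewall.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((listen_addr, port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    while True:
        payload, (src_ip, src_port) = rx.recvfrom(2048)
        mac = should_relay(payload, allowed_macs)
        if mac is None:
            print(f"dropped {len(payload)}-byte packet from {src_ip}:{src_port}")
            continue
        # Forward the original payload so any SecureOn suffix survives.
        tx.sendto(payload, (broadcast_addr, port))
        print(f"relayed wake for {mac} from {src_ip} to {broadcast_addr}:{port}")


if __name__ == "__main__":
    # Assumed LAN host address and allow-list; the MAC is from the thread.
    run_relay("192.168.208.10", {"00:06:5B:C1:78:BA"})
```

The relay logs every dropped packet with its source, so the pf log on the WAN side and the relay's own log on the LAN side together show where a wake request stopped, which is the debugging visibility the original post was missing.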