My guess at the most likely cause is incorrect policy routing (proper negation rules not in place), where in earlier versions the negate rules could be excessively permissive and were tightened down in 2.1. Check the states on the traffic, if that's the case you'll see it getting NATed out to the Internet.
On Thu, Dec 12, 2013 at 2:46 AM, Stefan Baur <[email protected]> wrote: > Hi List, > > I'm kind of stumped by this. > > Situation: > pfSsense with 3 Interfaces > WAN: 192.168.0.161/24 (DHCP) > LAN: 192.168.133.1/24 > OPT1 (renamed "DMZ"): 172.16.0.2/12 > > What I did: > 1) fresh install of 2.1-RELEASE as virtual machine (KVM on Linux host), with > same virtual machine settings as for 2.0.3-RELEASE > 2) enabled virtio network and disk devices as described on the wiki > 3) loaded config of 2.0.3-RELEASE and changed interface/disk names as > required > > What I did NOT do until the issue appeared: > change any firewall rules > > Issue: > After upgrading, all TCPv4 connections (and possibly UDPv4 too) between LAN > and OPT1 (and vice versa) do not work > (Haven't tried IPv6 at all, since I don't have that configured) > > What I'm trying is (as an example, http/proxy connections via 80/8080/3128 > don't work, either): > ssh from 192.168.133.100 to 172.16.0.110 > > Firewall log shows that the connection is being attempted and allowed: > pass Dec 12 08:51:10 LAN 192.168.133.100:51876 172.16.0.110:22 TCP:S > > Result: Nothing happens, connection silently times out > > Same goes for the opposite direction, I try: > ssh from 172.16.0.110 to 192.168.133.100 > > Firewall log shows that the connection is being attempted and allowed: > pass Dec 12 09:02:55 DMZ 172.16.0.110:52172 192.168.133.100:22 TCP:S > > Result: Nothing happens, connection silently times out > > On 192.168.133.100, the source machine, netstat -rn gives: > Kernel IP routing table > Destination Gateway Genmask Flags MSS Window irtt > Iface > 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 br1 > 172.16.0.0 192.168.133.1 255.240.0.0 UG 0 0 0 br0 > 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br1 > 192.168.133.0 0.0.0.0 255.255.255.0 U 0 0 0 br0 > > On the pfSense box, netstat -rn gives: > netstat -rn > Routing tables > > Internet: > Destination Gateway Flags Refs Use Netif Expire > default 192.168.0.1 UGS 0 7611 vtnet0 > 127.0.0.1 link#4 UH 0 28 lo0 > 172.16.0.0/12 link#3 U 0 17787 vtnet2 > 172.16.0.2 link#3 UHS 0 0 lo0 > 192.168.0.0/24 link#1 U 0 7669 vtnet0 > 192.168.0.1 52:54:00:60:93:00 UHS 0 19408 vtnet0 > 192.168.0.161 link#1 UHS 0 0 lo0 > 192.168.133.0/24 link#2 U 0 2193 vtnet1 > 192.168.133.1 link#2 UHS 0 0 lo0 > > Internet6: > Destination Gateway Flags Netif Expire > ::1 ::1 UH lo0 > fe80::%vtnet0/64 link#1 U vtnet0 > fe80::5054:ff:fe60:9300%vtnet0 link#1 UHS lo0 > fe80::%vtnet1/64 link#2 U vtnet1 > fe80::5054:ff:fe60:9301%vtnet1 link#2 UHS lo0 > fe80::%vtnet2/64 link#3 U vtnet2 > fe80::5054:ff:fe60:9302%vtnet2 link#3 UHS lo0 > fe80::%lo0/64 link#4 U lo0 > fe80::1%lo0 link#4 UHS lo0 > ff01::%vtnet0/32 fe80::5054:ff:fe60:9300%vtnet0 U > vtnet0 > ff01::%vtnet1/32 fe80::5054:ff:fe60:9301%vtnet1 U > vtnet1 > ff01::%vtnet2/32 fe80::5054:ff:fe60:9302%vtnet2 U > vtnet2 > ff01::%lo0/32 ::1 U lo0 > ff02::%vtnet0/32 fe80::5054:ff:fe60:9300%vtnet0 U > vtnet0 > ff02::%vtnet1/32 fe80::5054:ff:fe60:9301%vtnet1 U > vtnet1 > ff02::%vtnet2/32 fe80::5054:ff:fe60:9302%vtnet2 U > vtnet2 > ff02::%lo0/32 ::1 U lo0 > > Funnily, when I ssh to 192.168.133.1 (the pfSense box), I can continue to > ssh to 172.16.0.110 just fine from there. > > On 172.16.0.110, the destination machine, netstat -rn gives: > Kernel IP routing table > Destination Gateway Genmask Flags MSS Window irtt > Iface > 0.0.0.0 172.16.0.2 0.0.0.0 UG 0 0 0 > eth0 > 172.16.0.0 0.0.0.0 255.240.0.0 U 0 0 0 > eth0 > > > Connections between OPT1/DMZ and WAN work just fine: > When I try: > ssh from 172.16.0.110 to 192.168.0.10 > > The firewall log shows: > pass Dec 12 09:19:50 DMZ 172.16.0.110:43745 192.168.0.10:22 TCP:S > > And it connects just fine. > > Since this is a test environment, I had no pain disabling all firewall rules > and adding a > "pass, log IPv4 * * * * * * none" at the top of > every interface ruleset. > > This doesn't change a thing with regards to the TCP packages though (and > yes, I hit the "reload" button): > > After making this change, I can Ping from anywhere to anywhere just fine. > SSH/HTTP/Proxy still doesn't work across interfaces. > So it seems only TCP (and possibly UDP) is affected by whatever is causing > this, while ICMP goes through (as long as there's no blocking rule). > > My first thought was that "Block private networks" was enabled for one of > the interfaces, but the option is disabled for all. > All I'm blocking is "Bogon Networks" on WAN. > > What has changed between 2.0.3-RELEASE and 2.1-RELEASE that causes this, > what am I doing wrong? > Or is virtio buggy and causing this? > I am confused. Please help me. > > -Stefan > _______________________________________________ > List mailing list > [email protected] > http://lists.pfsense.org/mailman/listinfo/list _______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
