How do you know pfSense is dropping the packet? Does it show up in a packet
capture on OPT1?
-Adam
On July 17, 2014 5:12:07 AM CDT, NetSys Pro <netsys...@live.com> wrote:
>Hello Adam,
>Anything else I could try?
>Thanks
>
>Subject: Re: [pfSense] Disable antispoofing on an interface
>From: athom...@athompso.net
>Date: Mon, 14 Jul 2014 20:24:36 -0500
>To: list@lists.pfsense.org; netsys...@live.com
>
>I suspect you need to be looking not for anti-spoofing but for
>anti-bogon rules.
>
>Can't remember what pfSense calls it offhand.
>
>-Adam
>
>On July 14, 2014 6:19:22 PM CDT, NetSys Pro <netsys...@live.com> wrote:
>
> Hello everyone,
>
> First of all, please note that I have already posted the question
> below on the pfSense forum (see
> https://forum.pfsense.org/index.php?topic=79081.0) since about 1
> week without any reply.
>
> Given the urgency of the matter, I decided to post to the mailing
> list, hoping for some here.
>
> BTW: I don't know if this will be of any help to obtain a reply,
> please note that I have a Gold membership subscription as well.
>
> So, regarding my question, I'll copy/paste from the forum as
> follows:
>
> I have 2 pfSense boxes (both version 2.1.4) connected via the
> Internet. Each one has 3 interfaces: LAN, WAN & OPT1.
>
> There is an IPsec VPN between the 2 pfSense boxes.
>
> A WAN optimisation (we'll call it WANOPT) appliance is connected to
> the OPT1 interface on each side.
>
> There is a UDP tunnel between the 2 WANOPT appliances. This UDP
> tunnel goes inside the IPsec tunnel.
>
> I use PBR (as a LAN rule) to redirect traffic going to the remote
> LAN into the WANOPT appliance.
>
> This is what I've observed after starting to ping a remote LAN
> machine from a local LAN machine:
>
> 1. On reaching the local LAN interface, the ICMP echo request is
> properly redirected to the WANOPT appliance.
>
> 2. The ICMP request then goes inside the UDP tunnel.
>
> 3. The UDP packets go into the IPsec tunnel.
>
> 4. On the remote side, a tcpdump shows that the ICMP packet does
> come out of the WANOPT appliance and therefore the UDP tunnel.
>
> 5. It then reaches the OPT1 interface of the remote firewall.
>
> 6. However, it does NOT come out any interface!!!
>
> 7. I have an "Allow all protocols from any to any" rule on both the
> IPsec and OPT1 interfaces, for testing purposes.
>
> 8. There's nothing in the log saying that the packet was dropped. In
> fact, there's a log entry which says that the packet was actually
> allowed into the OPT1 interface!
>
> What has happened to the packet?
>
> NB:
>
> 1. On the remote side, when the ICMP packet comes out of the UDP
> tunnel, its source IP is that of the local LAN machine and its
> destination is that of the remote LAN machine.
>
> 2. Is this packet being considered a spoofed packet?
>
> I modified the file /etc/inc/filter.inc (around line 3105 in pfSense
> 2.1.4) to disable antispoofing on the OPT1 interface and rebooted
> both firewalls without any success.
>
> I confirmed that the file /tmp/rules.debug did not contain the
> antispoof directive for the OPT1 interface after reboot.
>
> RFC 1918 private IP addresses are not being blocked either.
>
> Thank you for any help.
>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
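Adam's question above (does the packet show up in a capture on OPT1, and how do you know pfSense dropped it?) is the one to settle before touching filter.inc. The script below is an added example, not code from this thread or from pfSense: it is what I would run on the remote-side firewall to find out where the echo request goes. It assumes OPT1 is em2 and LAN is em1 (the real names are under Interfaces > Assign) and uses the made-up documentation addresses 192.0.2.10 and 198.51.100.10 for the far-side and local LAN hosts; none of those values come from the thread. Two points it is built around: the "pass" entry in the filter log only proves a rule matched on ingress, so a simultaneous capture on the ingress and expected egress interfaces is the real test; and pfctl's per-rule counters name the rule that ate a packet whether or not that rule logs, which is how to confirm or rule out the anti-bogon and antispoof suspects (per pf.conf(5), `antispoof for em2` expands to two `block drop in` rules, one for the OPT1 network arriving on any other interface and one for the OPT1 address itself).

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: find out where an
# ICMP echo request goes after it enters a pfSense 2.1.x (FreeBSD, pf) box.
# Assumptions (not from the thread): OPT1 is em2 and LAN is em1 (real names
# are under Interfaces > Assign), and 192.0.2.10 / 198.51.100.10 are made-up
# documentation addresses standing in for the far-side and local LAN hosts.
# Run as root on the firewall that should forward the packet, while the
# ping is running:
#   sh trace.sh trace em2 em1 192.0.2.10 198.51.100.10
#   sh trace.sh rules
#   sh trace.sh checks 198.51.100.10

# tcpdump filter selecting one echo flow between two hosts.
icmp_flow_filter() {
    printf 'icmp and src host %s and dst host %s' "$1" "$2"
}

# Read "tcpdump -n" output on stdin; succeed if an echo request was captured.
saw_echo_request() {
    grep -q 'ICMP echo request'
}

# Capture the flow on the ingress and the expected egress interface at the
# same time. A request that shows up on OPT1 but never on LAN was consumed by
# the firewall itself (rule, state handling or routing), whatever the "pass"
# entry in the filter log says: that entry only proves a rule matched on
# ingress.
trace_flow() {
    in_if="$1"; out_if="$2"; src="$3"; dst="$4"; secs="${5:-10}"
    filter=$(icmp_flow_filter "$src" "$dst")
    tcpdump -nl -i "$in_if"  "$filter" > "/tmp/trace.$in_if"  2>/dev/null &
    p_in=$!
    tcpdump -nl -i "$out_if" "$filter" > "/tmp/trace.$out_if" 2>/dev/null &
    p_out=$!
    sleep "$secs"
    kill "$p_in" "$p_out" 2>/dev/null
    wait
    for i in "$in_if" "$out_if"; do
        if saw_echo_request < "/tmp/trace.$i"; then
            echo "$i: echo request seen"
        else
            echo "$i: echo request NOT seen"
        fi
    done
}

# Filter "pfctl -vvsr" output (on stdin) down to the rules whose Packets
# counter is non-zero. pf prints an "[ Evaluations: .. Packets: .. ]" line
# under every loaded rule, so a block rule with a rising count is the one
# eating traffic whether or not it carries "log". The rules that
# "antispoof for em2" expands to (pf.conf(5)) look like
#   block drop in on ! em2 inet from <OPT1 network> to any
#   block drop in inet from <OPT1 address> to any
# and are only a suspect if they appear here.
pf_rule_hits() {
    awk '
        /^@[0-9]+ / { rule = $0; next }
        /Packets:/  { for (i = 1; i <= NF; i++)
                          if ($i == "Packets:" && $(i + 1) > 0)
                              print rule "\n    " $0 }'
}

# Drops that never matched any rule (state-mismatch, memory, normalize,
# fragment ...) only show up in the global counters of "pfctl -si", and a
# packet pf passed still vanishes if the kernel route for the destination
# does not point at LAN, so check the counters, forwarding, the route and
# the state table for the destination host.
pf_and_route_checks() {
    dst="$1"
    pfctl -si | sed -n '/^Counters/,$p'
    sysctl net.inet.ip.forwarding
    route -n get "$dst"
    pfctl -ss | grep "$dst"
}

case "${1:-}" in
    trace)  shift; trace_flow "$@" ;;
    rules)  pfctl -vvsr | pf_rule_hits ;;
    checks) pf_and_route_checks "$2" ;;
esac
```

Run `trace` first: if the request is seen on em2 and not on em1, the box consumed it and `rules` will usually show which rule did, since every loaded rule carries its own counter even when it has no `log` keyword. If no block rule has a rising count, `checks` covers the remaining ways a packet disappears after being passed: a global pf counter ticking (state-mismatch, memory, normalize), forwarding turned off, or a route for the destination that does not go out LAN. Comparing `pfctl -sr` against /tmp/rules.debug at the same time also confirms that the edited ruleset is actually the one loaded.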