Adam,

Thank you for continuing to help. The block entry is not the missing packet. Don't forget that the test being carried out is using ICMP packets and the block entry refers to TCP. The ICMP echo request packets are being sent from 10.6.2.10 to 192.168.6.106.

Forget about OPT1, in fact it's OPT3, but for the sake of simplicity, I mentioned OPT1. The interface being used is re0. re2 is the LAN interface. Rule 5 is the "Default deny rule IPv4".

On the remote pfSense, on the OPT1 interface, I have a rule allowing ALL from subnet 10.6.0.0.1/16 (local LAN subnet) to the remote LAN subnet (192.168.6.0/24). I also have a last rule allowing ALL from ANY to ANY on the OPT interface.
Date: Thu, 17 Jul 2014 18:26:45 -0500
From: [email protected]
To: [email protected]; [email protected]
Subject: Re: [pfSense] Disable antispoofing on an interface

On 14-07-17 12:32 PM, NetSys Pro wrote:
> Here's the output:
>
> Jul 17 21:27:50 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 0, length 64
> Jul 17 21:27:52 fw2 pf: 00:00:01.885014 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:52 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 2, length 64
> Jul 17 21:27:52 fw2 pf: 00:00:00.358395 rule 5/0(match): block in on re2: (tos 0x0, ttl 128, id 1110, offset 0, flags [DF], proto TCP (6), length 40)
> Jul 17 21:27:52 fw2 pf: 192.168.6.106.54118 > 23.214.64.109.443: Flags [R.], cksum 0x4fe4 (correct), seq 1951833685, ack 1897326514, win 0, length 0
> Jul 17 21:27:53 fw2 pf: 00:00:00.628387 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 2, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:53 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 3, length 64
> Jul 17 21:27:54 fw2 pf: 00:00:01.148349 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 3, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:54 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 4, length 64
> Jul 17 21:27:55 fw2 pf: 00:00:00.874917 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 4, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:55 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 5, length 64
> Jul 17 21:27:56 fw2 pf: 00:00:01.011050 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 5, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:56 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 6, length 64
> Jul 17 21:27:57 fw2 pf: 00:00:00.989951 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 6, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:57 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 7, length 64
> Jul 17 21:27:58 fw2 pf: 00:00:00.995826 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 7, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:58 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 8, length 64
> Jul 17 21:27:59 fw2 pf: 00:00:01.031938 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 8, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:59 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 9, length 64
> Jul 17 21:28:00 fw2 pf: 00:00:00.971443 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 9, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:28:00 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 10, length 64
> Jul 17 21:28:01 fw2 pf: 00:00:01.040452 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 10, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:28:01 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 11, length 64
>
> What do you think?

Since there's only one "block" in that list, I'm going to speculate that it represents your missing packet. Also, it refers to "re2" which is likely your OPT1 interface if you did things conventionally.

I don't know what rule 5 is, although anything with that low a # is likely to be a system-generated rule. On my system, it's the "Default deny rule IPv6", although that doesn't sound likely in your case. You'll want to run "pfctl -vv -s rules | more" and tell us what rule 5 is. It's almost certainly going to be a Default-Deny rule, which means you're missing a firewall rule somewhere.

Do you have a rule allowing all protocols from OPT1 to LAN?

-- 
-Adam Thompson
[email protected]
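The disagreement in the two messages above comes down to reading the pf log correctly: each logged packet is two lines (the verdict line with rule number, action, interface and protocol, then the flow line with addresses), and the one "block" is a TCP reset on re2, not one of the ICMP echo requests on re0. The parser below is an added example written for this thread, not code from pfSense or from either poster; it pairs verdict lines with their flow lines over a constructed sample built from the log quoted above and tolerates a flow line whose verdict line was cut off, as in the first pasted line.

```python
import re

# Constructed sample log, modelled on the tcpdump-style pf lines quoted above.
# pf logs each packet as two lines: the rule/verdict line, then the flow line.
# The first line has no preceding verdict line, as in the thread's truncated paste.
SAMPLE_LOG = """\
Jul 17 21:27:50 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 0, length 64
Jul 17 21:27:52 fw2 pf: 00:00:01.885014 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:52 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 2, length 64
Jul 17 21:27:52 fw2 pf: 00:00:00.358395 rule 5/0(match): block in on re2: (tos 0x0, ttl 128, id 1110, offset 0, flags [DF], proto TCP (6), length 40)
Jul 17 21:27:52 fw2 pf: 192.168.6.106.54118 > 23.214.64.109.443: Flags [R.], cksum 0x4fe4 (correct), seq 1951833685, ack 1897326514, win 0, length 0
"""

# Verdict line: "rule 5/0(match): block in on re2: (... proto TCP (6), ...)"
RULE_RE = re.compile(
    r"pf: \S+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>\w+): .*proto (?P<proto>\w+) \(\d+\)"
)
# Flow line: "pf: 192.168.6.106.54118 > 23.214.64.109.443: ..."
FLOW_RE = re.compile(r"pf: (?P<src>[\d.]+) > (?P<dst>[\d.]+):")


def split_endpoint(token, proto):
    """tcpdump prints host.port for TCP/UDP; ICMP endpoints carry no port."""
    if proto in ("TCP", "UDP"):
        host, port = token.rsplit(".", 1)
        return host, int(port)
    return token, None


def parse_pf_log(text):
    """Pair each verdict line with the flow line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            pending = {"rule": int(m["rule"]), "action": m["action"],
                       "dir": m["dir"], "iface": m["iface"], "proto": m["proto"]}
            entries.append(pending)
            continue
        f = FLOW_RE.search(line)
        if f and pending is not None:
            pending["src"], pending["sport"] = split_endpoint(f["src"], pending["proto"])
            pending["dst"], pending["dport"] = split_endpoint(f["dst"], pending["proto"])
            pending = None
        # A flow line with no preceding verdict line (cut-off paste) is dropped.
    return entries


def blocked(entries):
    """The block verdicts only: the lines the thread is trying to attribute."""
    return [e for e in entries if e["action"] == "block"]
```

Running it over the sample shows one block entry, rule 5 on re2, proto TCP from 192.168.6.106:54118 to 23.214.64.109:443, while every ICMP echo request is a pass on re0, which is what the first message points out.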
_______________________________________________ List mailing list [email protected] https://lists.pfsense.org/mailman/listinfo/list
