Re: [pfSense] IPSec not routing traffic over tunnel

2018-02-12 Thread Roland Giesler
On 10 February 2018 at 11:11, Chris L  wrote:

>
> > On Feb 9, 2018, at 5:25 AM, Mark Wiater wrote:
> >
> > In my experience, one does not see routes in the routing table for IPSEC
> > based routes.
> >
> > IPSEC tunneling, I believe, happens before any NATting might. This might
> > be why you're seeing your traffic exit the default gateway since it still
> > possesses its original IP addresses. I'm not sure what you are trying to
> > achieve is possible on the same device, unless you do some kind of NAT on
> > the incoming interface if that's possible.
> >
> > Seeing actual configuration files might be helpful. So would the results
> > of packet capture on both IPSEC interfaces.
> >
>
> IPsec “routes” do not appear in the routing table. They are installed in
> the kernel as traffic selectors. Status > IPsec, SPDs.
>

Ah, I see them there now.


>
> If you are policy routing on the 192.168.110.130 interface you will need
> to bypass that with a pass rule to the other side (the Remote Network in
> the Phase 2) with no gateway set.
>

The pass rule, how do I set that with no gateway?


>
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>

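As an added illustration, not code from the thread: a small Python model of the processing order Chris describes, so the "no gateway" part of the advice makes sense. A first-match rule with a gateway hands the packet straight to that gateway, a pass rule with no gateway lets the packet reach the IPsec policy lookup (the SPD, where the Phase 2 traffic selectors live), and only packets matching nothing there fall through to the routing table, which is why the tunnel never shows up as a route. All networks and gateway addresses are constructed; only the 192.168.110.x subnet is taken from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the demo (only the 192.168.110.x subnet comes from the thread).
LOCAL_NET = ipaddress.ip_network("192.168.110.0/24")   # LAN behind the 192.168.110.130 interface
REMOTE_NET = ipaddress.ip_network("10.20.0.0/16")      # Phase 2 "Remote Network" on the far side
DEFAULT_GW = "203.0.113.1"                             # WAN default gateway
POLICY_GW = "198.51.100.1"                             # gateway used by the policy-routing rule

# Routing table: only the connected and default routes. The IPsec "route" is NOT in here.
ROUTES = [(LOCAL_NET, "direct"), (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW)]

# Kernel SPD: traffic selectors installed by Phase 2 (what Status > IPsec > SPDs lists).
SPD = [(LOCAL_NET, REMOTE_NET, "esp-tunnel")]

@dataclass
class Rule:
    dst: Optional[ipaddress.IPv4Network]   # None = any destination
    gateway: Optional[str]                 # None = "no gateway set" (normal routing)

def route_lookup(dst_str: str) -> str:
    """Longest-prefix match over ROUTES; the routing table never knows about the tunnel."""
    dst = ipaddress.ip_address(dst_str)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def forward(rules, src_str: str, dst_str: str) -> str:
    """Model an outbound packet's path: firewall rule (first match), then SPD, then routing table."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    rule = next((r for r in rules if r.dst is None or dst in r.dst), None)
    if rule is None:
        return "blocked"            # no pass rule matched
    if rule.gateway is not None:
        # route-to: pf hands the packet to that gateway; SPD and routing table are never consulted
        return f"policy-route:{rule.gateway}"
    for s_sel, d_sel, sa in SPD:
        if src in s_sel and dst in d_sel:
            return f"ipsec:{sa}"    # traffic selector matched: packet is encapsulated into the tunnel
    return f"route:{route_lookup(dst_str)}"

# Only a policy-routing rule: traffic for the remote network is stolen by the gateway rule.
POLICY_ONLY = [Rule(None, POLICY_GW)]
# Chris's fix: a pass rule to the Remote Network with no gateway, placed above the policy rule.
WITH_BYPASS = [Rule(REMOTE_NET, None), Rule(None, POLICY_GW)]

if __name__ == "__main__":
    for name, rules in (("policy only", POLICY_ONLY), ("with bypass", WITH_BYPASS)):
        print(name, forward(rules, "192.168.110.50", "10.20.1.1"), forward(rules, "192.168.110.50", "192.0.2.10"))
```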

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Mon, 12 Feb 2018 11:59:09 -0600
Steven Spencer  wrote:

> On 02/12/2018 11:43 AM, Marco wrote:
> > On Mon, 12 Feb 2018 10:21:08 -0600
> > Steven Spencer  wrote:
> >  
> >> On 02/11/2018 03:29 PM, Marco wrote:  
> >>> On Sun, 11 Feb 2018 20:46:41 +
> >>> "Joseph L. Casale"  wrote:
> >>>
> >>>> -Original Message-
> >>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> >>>> Sent: Sunday, February 11, 2018 1:43 PM
> >>>> To: pfSense Support and Discussion Mailing List
> >>>> Subject: Re: [pfSense] Port forwards don't work on one machine
> >>>>
> >>>>> What interface is that taken on? Take one on the interface the
> >>>>> destination server is connected to (WLAN?) and test again. While
> >>>>> you’re capturing also do another Diagnostics > Test Port from
> >>>>> the local pfSense itself. Please include the capture of both
> >>>>> events (from outside and using test port.)
> >>>>>
> >>>>> It looks like the server is not responding.
> >>>> I'd also suggest running a capture on the destination, if it's
> >>>> actually receiving traffic and/or sending it elsewhere (routing
> >>>> rule) this will provide some insight.
> >>> I ran a wireshark on the destination and it received packets when
> >>> “port testing” from the pfSense, but not when using external
> >>> access (e.g. canyouseeme.org)
> >>>
> >>> Marco
> >> Marco,
> >>
> >> Just curious, but what is the target machine's OS?  
> > The actual server is FreeBSD, but I run the tests with a Linux
> > laptop as the behaviour is the same.
> >
> > Marco
> 
> I know you've stated that you have no firewall on these machines. So
> iptables -L shows empty on the Linux laptop

  Chain INPUT (policy ACCEPT)
  target prot opt source   destination 

  Chain FORWARD (policy ACCEPT)
  target prot opt source   destination 

  Chain OUTPUT (policy ACCEPT)
  target prot opt source   destination 

> No selinux in play on the Linux
> laptop

No selinux in use.

> I looked at your screen shots and I can't see anything that leaps
> out at me. We have a number of pfSense firewalls in use (15)
> within our organization and I've used port forwarding on every one
> of them and have never run into a problem, unless the receiving
> machine refuses the connection.

Same here. Not that I'm a network expert, but I've set up five
pfSense installations and port forwarding has always been an easy
task which worked by just configuring the NAT rule.

If the receiving machine refuses the connection, I would not be able
to successfully "port test" it from the pfSense box and I would see
incoming packets with wireshark (I believe). Therefore, I suspect an
issue with the port forwarding.

> I've been bitten by selinux before and more recently, by firewalld.

Not installed and (therefore I hope) not used.

Thanks for the support and confirming that it's not something
obvious. Will investigate later.

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread James Ronald
What is the default gateway of the destination (is there a route back to
pfSense)?

- Jim


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)

So what does a tcpdump on the pfSense instance reveal when the
canyouseeme.org test runs?

Obviously this is not a problem with the destination; the several tests you
have run prove this, and based on the clear statement above, the issue is
somehow related to just the pfSense instance.

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Mon, 12 Feb 2018 10:21:08 -0600
Steven Spencer  wrote:

> On 02/11/2018 03:29 PM, Marco wrote:
> > On Sun, 11 Feb 2018 20:46:41 +
> > "Joseph L. Casale"  wrote:
> >  
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> >> Sent: Sunday, February 11, 2018 1:43 PM
> >> To: pfSense Support and Discussion Mailing List
> >> Subject: Re: [pfSense] Port forwards don't work on one machine
> >>
> >>> What interface is that taken on? Take one on the interface the
> >>> destination server is connected to (WLAN?) and test again. While
> >>> you’re capturing also do another Diagnostics > Test Port from the
> >>> local pfSense itself. Please include the capture of both events
> >>> (from outside and using test port.)
> >>>
> >>> It looks like the server is not responding.
> >> I'd also suggest running a capture on the destination, if it's
> >> actually receiving traffic and/or sending it elsewhere (routing
> >> rule) this will provide some insight.  
> > I ran a wireshark on the destination and it received packets when
> > “port testing” from the pfSense, but not when using external access
> > (e.g. canyouseeme.org)
> >
> > Marco
> 
> Marco,
> 
> Just curious, but what is the target machine's OS?

The actual server is FreeBSD, but I run the tests with a Linux
laptop as the behaviour is the same.

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Steven Spencer
On 02/12/2018 11:43 AM, Marco wrote:
> On Mon, 12 Feb 2018 10:21:08 -0600
> Steven Spencer  wrote:
>
>> On 02/11/2018 03:29 PM, Marco wrote:
>>> On Sun, 11 Feb 2018 20:46:41 +
>>> "Joseph L. Casale"  wrote:
>>>  
>>>> -Original Message-
>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
>>>> Sent: Sunday, February 11, 2018 1:43 PM
>>>> To: pfSense Support and Discussion Mailing List
>>>> Subject: Re: [pfSense] Port forwards don't work on one machine
>>>>
>>>>> What interface is that taken on? Take one on the interface the
>>>>> destination server is connected to (WLAN?) and test again. While
>>>>> you’re capturing also do another Diagnostics > Test Port from the
>>>>> local pfSense itself. Please include the capture of both events
>>>>> (from outside and using test port.)
>>>>>
>>>>> It looks like the server is not responding.
>>>> I'd also suggest running a capture on the destination, if it's
>>>> actually receiving traffic and/or sending it elsewhere (routing
>>>> rule) this will provide some insight.
>>> I ran a wireshark on the destination and it received packets when
>>> “port testing” from the pfSense, but not when using external access
>>> (e.g. canyouseeme.org)
>>>
>>> Marco
>> Marco,
>>
>> Just curious, but what is the target machine's OS?
> The actual server is FreeBSD, but I run the tests with a Linux
> laptop as the behaviour is the same.
>
> Marco

I know you've stated that you have no firewall on these machines. So
iptables -L shows empty on the Linux laptop and (sorry, not familiar with
FreeBSD) the equivalent on FreeBSD? No selinux in play on the Linux laptop,
or at least, if in play, policies are in use? I looked at your screen shots
and I can't see anything that leaps out at me. We have a number of
pfSense firewalls in use (15) within our organization and I've used port
forwarding on every one of them and have never run into a problem, unless
the receiving machine refuses the connection. I've been bitten by
selinux before and, more recently, by firewalld.

Thanks,

Steven G. Spencer


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Steve Yates
I would think "exposed host" is what I am calling DMZ, from your 
description.

If you have a firewall rule you can set it to log traffic (pass or
block, I believe). Under Status / System Logs / Settings there is a checkbox to log
packets blocked by the default block rule.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Monday, February 12, 2018 3:10 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

On Mon, 12 Feb 2018 20:45:55 +
Steve Yates  wrote:

> Just to double check the config, so the pfSense router is set as the
> DMZ of the ISP router?

No clue if the ISP device has a concept of DMZ. I configure it as
“Exposed Host”, so all communication is actually forwarded to the
pfSense box. I've set up numerous of those devices in different
locations and that was always sufficient.

> Have you tried deleting the rule and re-adding?

On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP
device's config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the
logging features. What's the best way to check if that packet is
blocked by pfSense somehow? I tried

Status → System Logs → Firewall → Normal View → Advanced Log Filter

I checked “Block”, then entered Port: 8000 and “Apply Filter” and it
shows “No logs to display”. That means that the packet is not blocked
by an implicit or explicit firewall rule, right?

Marco
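As an added example, not code from the thread: a small Python parser for pfSense filterlog records that answers the question Marco is putting to the Advanced Log Filter, namely whether any packet to port 8000 was blocked, on which interface, and by which rule (tracker id). The sample log lines are constructed; a block by the default deny rule only appears in the log at all when the checkbox mentioned above is enabled.

```python
import csv
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the pfSense 2.4 filterlog format: syslog prefix, then the
# comma-separated record. Tracker 1000000103 is used here for the default deny rule, which
# only shows up in the log when "log packets blocked by the default rule" is enabled.
SAMPLE_LOG = """\
Feb 12 21:05:11 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.77,198.51.100.9,41234,8000,0,S,1111111111,,29200,,mss;sackOK;TS;nop;wscale
Feb 12 21:05:12 pfSense filterlog: 88,,,1770000001,em0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.77,198.51.100.9,41235,443,0,S,2222222222,,29200,,mss;sackOK;TS;nop;wscale
Feb 12 21:05:13 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,203.0.113.78,198.51.100.9,5353,8000,58
Feb 12 21:05:14 pfSense sshd[4242]: Accepted publickey for admin from 10.0.30.5 port 50210 ssh2
Feb 12 21:05:15 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.79,198.51.100.9,41236,8000,0,S,3333333333,,29200,,mss;sackOK;TS;nop;wscale
"""

@dataclass
class FilterLogEntry:
    timestamp: str
    rule_number: str
    tracker: str        # rule tracker id, the ID shown for the rule under Firewall > Rules
    interface: str      # real interface name (em0), not the friendly name (WAN)
    action: str         # pass / block / reject
    direction: str      # in / out
    proto: str          # tcp / udp / icmp / ...
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]

def parse_filterlog_line(line: str) -> Optional[FilterLogEntry]:
    """Parse one syslog line carrying an IPv4 filterlog record; return None for anything else."""
    prefix, sep, record = line.partition("filterlog: ")
    if not sep:
        return None
    fields = next(csv.reader([record]))
    # Header: rule-number, sub-rule, anchor, tracker, interface, reason, action, direction, ip-version
    if len(fields) < 20 or fields[8] != "4":
        return None   # IPv6 records use a different header layout and are skipped here
    # IPv4 part: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst, ...
    proto, src, dst, rest = fields[16], fields[18], fields[19], fields[20:]
    sport = dport = None
    if proto in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])   # tcp/udp records continue with src-port, dst-port
    return FilterLogEntry(" ".join(prefix.split()[:3]), fields[0], fields[3], fields[4],
                          fields[6], fields[7], proto, src, dst, sport, dport)

def blocked_to_port(log_text: str, port: int, proto: Optional[str] = None) -> List[FilterLogEntry]:
    """Blocked packets whose destination port is `port` (optionally one protocol), oldest first."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_filterlog_line(line)
        if entry and entry.action == "block" and entry.dport == port \
                and (proto is None or entry.proto == proto):
            hits.append(entry)
    return hits

def blocks_by_rule(entries: List[FilterLogEntry]) -> Counter:
    """Count blocks per tracker id, so the responsible rule can be located in the ruleset."""
    return Counter(e.tracker for e in entries)

if __name__ == "__main__":
    hits = blocked_to_port(SAMPLE_LOG, 8000)
    for e in hits:
        print(f"{e.timestamp} {e.interface} {e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport} rule {e.tracker}")
    print(blocks_by_rule(hits))
```

An empty result for the port, as Marco saw, means no logged rule blocked it, which is only conclusive when the default block rule is being logged.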

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Sun, 11 Feb 2018 15:23:43 -0800
Chris L  wrote:

> > On Feb 11, 2018, at 1:29 PM, Marco  wrote:
> > 
> > On Sun, 11 Feb 2018 20:46:41 +
> > "Joseph L. Casale"  wrote:
> >   
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> >> Sent: Sunday, February 11, 2018 1:43 PM
> >> To: pfSense Support and Discussion Mailing List
> >> Subject: Re: [pfSense] Port forwards don't work on one machine
> >>
> >>> What interface is that taken on? Take one on the interface the
> >>> destination server is connected to (WLAN?) and test again. While
> >>> you’re capturing also do another Diagnostics > Test Port from the
> >>> local pfSense itself. Please include the capture of both events
> >>> (from outside and using test port.)
> >>> 
> >>> It looks like the server is not responding.
> >> 
> >> I'd also suggest running a capture on the destination, if it's
> >> actually receiving traffic and/or sending it elsewhere (routing
> >> rule) this will provide some insight.  
> > 
> > I ran a wireshark on the destination and it received packets when
> > “port testing” from the pfSense, but not when using external access
> > (e.g. canyouseeme.org)
> >   
> 
> Are the packets going out pfSense LAN? To what MAC/IP address?

You mean when scanning from outside? I ran a Packet Capture on
pfSense on the WLAN side (settings: interface WLAN, port 8000) and
got nothing.

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Mon, 12 Feb 2018 20:45:55 +
Steve Yates  wrote:

> Just to double check the config, so the pfSense router is set as the
> DMZ of the ISP router?

No clue if the ISP device has a concept of DMZ. I configure it as
“Exposed Host”, so all communication is actually forwarded to the
pfSense box. I've set up numerous of those devices in different
locations and that was always sufficient.

> Have you tried deleting the rule and re-adding?

On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP
device's config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the
logging features. What's the best way to check if that packet is
blocked by pfSense somehow? I tried

Status → System Logs → Firewall → Normal View → Advanced Log Filter

I checked “Block”, then entered Port: 8000 and “Apply Filter” and it
shows “No logs to display”. That means that the packet is not blocked
by an implicit or explicit firewall rule, right?

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Mon, 12 Feb 2018 14:12:53 -0500
James Ronald  wrote:

> What is the default gateway of the destination (is there a route back
> to pfSense)?

pfSense is the default gateway of the destination.

Marco


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Steve Yates
Just to double check the config, so the pfSense router is set as the DMZ of the 
ISP router?  Have you tried deleting the rule and re-adding?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 1:13 PM
To: list@lists.pfsense.org
Subject: [pfSense] Port forwards don't work on one machine

Hi,

I have set up port forwarding multiple times in the past and it has always
worked. But I now have a machine that fails to forward a port. No clue why.
Maybe I'm missing the obvious here.

My network:

  Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)

For debugging purposes I simplified the setup: turned off IDS and pfBlockerNG,
and used IPs instead of aliases.

1) The port forward from the WAN to 10.0.30.21 is set up.

https://i.imgur.com/V8vlN1Z.png

2) A corresponding WAN rule is created as well:

https://i.imgur.com/N7ulwha.png

  On another machine this already is enough to get it working. But not on this
  one. Nmap shows “filtered”.

3) Confirming the port 8000 is actually open on 10.0.30.21:

https://i.imgur.com/KcaSP6T.png

  Yes, it is.

4) Now testing from the external IP:

https://i.imgur.com/QnWQuIO.png

  Nope!

  Again using an external service:

https://i.imgur.com/v4KaivE.png

  No, James!

5) States:

https://i.imgur.com/Rf1kjbf.png

6) Packet capture:

https://i.imgur.com/xT3qFXW.png


I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

> Common Problems
> 
> 1. NAT and firewall rules not correctly added (see How can I forward ports 
> with pfSense?)

I guess it's all correct, works on another machine.

> Hint: Do NOT set a source port

not set

> 2. Firewall enabled on client machine

nope

> 3. Client machine is not using pfSense as its default gateway

pfSense is the default gateway

> 4. Client machine not actually listening on the port being forwarded

It is, see

  https://i.imgur.com/KcaSP6T.png

> 5. ISP or something upstream of pfSense is blocking the port being forwarded

I guess the states table and packet capture should be empty if that's the
case, right?

> 6. Trying to test from inside the local network, need to test from an outside 
> machine

Tested both, see

  https://i.imgur.com/QnWQuIO.png
  https://i.imgur.com/v4KaivE.png

> 7. Incorrect or missing Virtual IP configuration for additional public IP 
> addresses

No clue, haven't configured anything virtual.

> 8. The pfSense router is not the border router. If there is something else 
> between pfSense and the ISP, the port forwards and associated rules must be 
> replicated there.

True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
is configured to forward everything to the pfSense box, though.

> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be 
> added both to and from the server's IP in order for a port forward to work 
> behind a Captive Portal.

nope

> 10. If this is on a WAN that is not the default gateway, make sure there is a 
> gateway chosen on this WAN interface, or the firewall rules for the port 
> forward would not reply back via the correct gateway.

WAN is default gateway

> 11. If this is on a WAN that is not the default gateway, ensure the traffic 
> for the port forward is NOT passed in via Floating Rules or an Interface 
> Group. Only rules present on the WAN's interface tab under Firewall Rules 
> will have the reply-to keyword to ensure the traffic responds properly via 
> the expected gateway.

didn't configure floating rules

> 12. If this is on a WAN that is not the default gateway, make sure the 
> firewall rule(s) allowing the traffic in do not have the box checked to 
> disable reply-to.

not the case

> 13. If this is on a WAN that is not the default gateway, make sure the master 
> reply-to disable switch is not checked under System > Advanced, on the 
> Firewall/NAT tab.

not the case

> 14. WAN rules should NOT have a gateway set, so make sure that the rules for 
> the port forward do NOT have a gateway configured on the actual rule.

see

https://i.imgur.com/N7ulwha.png

> 15. If the traffic appears to be forwarding in to an unexpected device, it 
> may be happening due to UPnP. Check Status > UPnP to see if an internal 
> service has configured a port forward unexpectedly. If so, disable UPnP on 
> either that device or on the firewall. 

UPnP is not used

I guess I'm missing the obvious here, since port forwards are rather
straightforward in pfSense and have never given me troubles in the past. A
nudge in the right direction is appreciated.

Marco