Re: [pfSense] IPSec not routing traffic over tunnel
On 10 February 2018 at 11:11, Chris L wrote:
>
> > On Feb 9, 2018, at 5:25 AM, Mark Wiater wrote:
> >
> > In my experience, one does not see routes in the routing table for IPSEC based routes.
> >
> > IPSEC tunneling, I believe, happens before any NATting might. This might be why you're seeing your traffic exit the default gateway since it still possesses its original ip addresses. I'm not sure what you are trying to achieve is possible on the same device, unless you do some kind of NAT on the incoming interface if that's possible.
> >
> > Seeing actual configuration files might be helpful. So would the results of packet capture on both IPSEC interfaces.
>
> IPsec “routes” do not appear in the routing table. They are installed in the kernel as traffic selectors. Status > IPsec, SPDs.

Oh, I see them there now.

> If you are policy routing on the 192.168.110.130 interface you will need to bypass that with a pass rule to the other side (the Remote Network in the Phase 2) with no gateway set.

The pass rule, how do I set that with no gateway?

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Port forwards don't work on one machine
On Mon, 12 Feb 2018 11:59:09 -0600 Steven Spencer wrote:
> On 02/12/2018 11:43 AM, Marco wrote:
> > On Mon, 12 Feb 2018 10:21:08 -0600 Steven Spencer wrote:
> >> On 02/11/2018 03:29 PM, Marco wrote:
> >>> On Sun, 11 Feb 2018 20:46:41 + "Joseph L. Casale" wrote:
> >>>> -----Original Message-----
> >>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> >>>> Sent: Sunday, February 11, 2018 1:43 PM
> >>>> To: pfSense Support and Discussion Mailing List
> >>>> Subject: Re: [pfSense] Port forwards don't work on one machine
> >>>>
> >>>>> What interface is that taken on? Take one on the interface the destination server is connected to (WLAN?) and test again. While you’re capturing also do another Diagnostics > Test Port from the local pfSense itself. Please include the capture of both events (from outside and using test port.)
> >>>>>
> >>>>> It looks like the server is not responding.
> >>>> I'd also suggest running a capture on the destination, if it's actually receiving traffic and/or sending it elsewhere (routing rule) this will provide some insight.
> >>> I ran a wireshark on the destination and it received packets when “port testing” from the pfSense, but not when using external access (e.g. canyouseeme.org)
> >>>
> >>> Marco
> >> Marco,
> >>
> >> Just curious, but what is the target machine's OS?
> > The actual server is FreeBSD, but I run the tests with a Linux laptop as the behaviour is the same.
> >
> > Marco
>
> I know you've stated that you have no firewall on these machines. So iptables -L shows empty on the Linux laptop

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

> No selinux in play on the Linux laptop

No selinux in use.

> I looked at your screen shots and I can't see anything that leaps out at me. We have a number of PfSense firewalls in use (15) within our organization and I've used port forwarding on every one of them and have never run into a problem-unless the receiving machine refuses the connection.

Same here. Not that I'm a network expert, but I've set up five pfSense installations and port forwarding has always been an easy task which worked by just configuring the NAT rule.

If the receiving machine refuses the connection, I would not be able to successfully "port test" it from the pfSense box and I would see incoming packets with wireshark (I believe). Therefore, I suspect an issue with the port forwarding.

> I've been bitten by selinux before and more recently, by firewalld.

Not installed and (therefore I hope) not used.

Thanks for the support and confirming that it's not something obvious. Will investigate later.

Marco
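The empty `iptables -L` listing above is the evidence that the destination host's own packet filter is not refusing the forwarded port. The checker below is an added example, not code from the thread or from pfSense: it parses `iptables -L -n` text (the `-n` flag is assumed so ports print numerically; `-v` output is not handled) and reports which INPUT rule, or which chain policy, a brand-new inbound connection to a given port would hit. The two rulesets are constructed for the example; the first mirrors the empty listing from the thread, the second shows what a host that really does refuse tcp/8000 would look like. It covers iptables only; nftables-native or pf/ipfw rulesets (the FreeBSD server in the thread) need their own listing commands.

```python
import re

# Constructed sample of `iptables -L -n` output on a host with no rules; it mirrors
# the empty ruleset pasted in the thread, with -n so ports print numerically.
EMPTY_RULESET = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample of a host that would refuse the forwarded connection:
# default-DROP INPUT policy plus an explicit DROP on tcp/8000.
BLOCKING_RULESET = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)$")
# Some iptables-nft builds print protocol numbers instead of names; accept both.
PROTO_NAMES = {"0": "all", "6": "tcp", "17": "udp"}


def parse_iptables(text):
    """Return {chain_name: (policy, [rule_fields, ...])} from `iptables -L -n` text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif current and line.strip() and not line.startswith("target"):
            chains[current][1].append(line.split())
    return chains


def input_verdict(text, proto, port):
    """First INPUT rule a brand-new inbound <proto>/<port> connection would hit.

    Returns 'rule:<TARGET>' for an explicit match, or 'policy:<POLICY>' when no
    rule matches. Simplification: rules carrying a conntrack match that requires
    ESTABLISHED are skipped, because the first SYN of a new connection is not in
    that state.
    """
    policy, rules = parse_iptables(text).get("INPUT", ("ACCEPT", []))
    for fields in rules:
        target = fields[0]
        rule_proto = PROTO_NAMES.get(fields[1], fields[1])
        if rule_proto not in (proto, "all"):
            continue
        if any("ESTABLISHED" in f for f in fields):
            continue
        dports = [f for f in fields if f.startswith("dpt:")]
        if dports and dports[0] != f"dpt:{port}":
            continue
        return f"rule:{target}"
    return f"policy:{policy}"


if __name__ == "__main__":
    for name, ruleset in (("empty", EMPTY_RULESET), ("blocking", BLOCKING_RULESET)):
        print(f"{name}: tcp/8000 -> {input_verdict(ruleset, 'tcp', 8000)}")
```

Run it against real output with `iptables -L -n | python3 checker.py`-style piping after swapping the constants for `sys.stdin.read()`; a verdict of `policy:ACCEPT` on an empty ruleset is the "host firewall is not the cause" answer Marco gives in the thread, while anything ending in `DROP` or `REJECT` points at the host rather than at pfSense.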
Re: [pfSense] Port forwards don't work on one machine
What is the default gateway of the destination (is there a route back to pfSense)?

- Jim

On Mon, Feb 12, 2018 at 1:46 PM, Marco wrote:
> On Mon, 12 Feb 2018 11:59:09 -0600 Steven Spencer wrote:
> > On 02/12/2018 11:43 AM, Marco wrote:
> > > On Mon, 12 Feb 2018 10:21:08 -0600 Steven Spencer wrote:
> > >> On 02/11/2018 03:29 PM, Marco wrote:
> > >>> On Sun, 11 Feb 2018 20:46:41 + "Joseph L. Casale" wrote:
> > >>>> -----Original Message-----
> > >>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> > >>>> Sent: Sunday, February 11, 2018 1:43 PM
> > >>>> To: pfSense Support and Discussion Mailing List
> > >>>> Subject: Re: [pfSense] Port forwards don't work on one machine
> > >>>>
> > >>>>> What interface is that taken on? Take one on the interface the destination server is connected to (WLAN?) and test again. While you’re capturing also do another Diagnostics > Test Port from the local pfSense itself. Please include the capture of both events (from outside and using test port.)
> > >>>>>
> > >>>>> It looks like the server is not responding.
> > >>>> I'd also suggest running a capture on the destination, if it's actually receiving traffic and/or sending it elsewhere (routing rule) this will provide some insight.
> > >>> I ran a wireshark on the destination and it received packets when “port testing” from the pfSense, but not when using external access (e.g. canyouseeme.org)
> > >>>
> > >>> Marco
> > >> Marco,
> > >>
> > >> Just curious, but what is the target machine's OS?
> > > The actual server is FreeBSD, but I run the tests with a Linux laptop as the behaviour is the same.
> > >
> > > Marco
> >
> > I know you've stated that you have no firewall on these machines. So iptables -L shows empty on the Linux laptop
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> > No selinux in play on the Linux laptop
>
> No selinux in use.
>
> > I looked at your screen shots and I can't see anything that leaps out at me. We have a number of PfSense firewalls in use (15) within our organization and I've used port forwarding on every one of them and have never run into a problem-unless the receiving machine refuses the connection.
>
> Same here. Not that I'm a network expert, but I've set up five pfSense installations and port forwarding has always been an easy task which worked by just configuring the NAT rule.
>
> If the receiving machine refuses the connection, I would not be able to successfully "port test" it from the pfSense box and I would see incoming packets with wireshark (I believe). Therefore, I suspect an issue with the port forwarding.
>
> > I've been bitten by selinux before and more recently, by firewalld.
>
> Not installed and (therefore I hope) not used.
>
> Thanks for the support and confirming that it's not something obvious. Will investigate later.
>
> Marco
Re: [pfSense] Port forwards don't work on one machine
-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

> I ran a wireshark on the destination and it received packets when “port testing” from the pfSense, but not when using external access (e.g. canyouseeme.org)

So what does a tcpdump on the pfSense instance reveal when the canyouseeme.org test runs? Obviously this is not a problem with the destination, several tests you have run prove this, and based on the clear statement above, the issue is somehow related to just the pfSense instance.
Re: [pfSense] Port forwards don't work on one machine
On Mon, 12 Feb 2018 10:21:08 -0600 Steven Spencer wrote:
> On 02/11/2018 03:29 PM, Marco wrote:
> > On Sun, 11 Feb 2018 20:46:41 + "Joseph L. Casale" wrote:
> >> -----Original Message-----
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> >> Sent: Sunday, February 11, 2018 1:43 PM
> >> To: pfSense Support and Discussion Mailing List
> >> Subject: Re: [pfSense] Port forwards don't work on one machine
> >>
> >>> What interface is that taken on? Take one on the interface the destination server is connected to (WLAN?) and test again. While you’re capturing also do another Diagnostics > Test Port from the local pfSense itself. Please include the capture of both events (from outside and using test port.)
> >>>
> >>> It looks like the server is not responding.
> >> I'd also suggest running a capture on the destination, if it's actually receiving traffic and/or sending it elsewhere (routing rule) this will provide some insight.
> > I ran a wireshark on the destination and it received packets when “port testing” from the pfSense, but not when using external access (e.g. canyouseeme.org)
> >
> > Marco
>
> Marco,
>
> Just curious, but what is the target machine's OS?

The actual server is FreeBSD, but I run the tests with a Linux laptop as the behaviour is the same.

Marco
Re: [pfSense] Port forwards don't work on one machine
On 02/12/2018 11:43 AM, Marco wrote:
> On Mon, 12 Feb 2018 10:21:08 -0600 Steven Spencer wrote:
>> On 02/11/2018 03:29 PM, Marco wrote:
>>> On Sun, 11 Feb 2018 20:46:41 + "Joseph L. Casale" wrote:
>>>> -----Original Message-----
>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
>>>> Sent: Sunday, February 11, 2018 1:43 PM
>>>> To: pfSense Support and Discussion Mailing List
>>>> Subject: Re: [pfSense] Port forwards don't work on one machine
>>>>
>>>>> What interface is that taken on? Take one on the interface the destination server is connected to (WLAN?) and test again. While you’re capturing also do another Diagnostics > Test Port from the local pfSense itself. Please include the capture of both events (from outside and using test port.)
>>>>>
>>>>> It looks like the server is not responding.
>>>> I'd also suggest running a capture on the destination, if it's actually receiving traffic and/or sending it elsewhere (routing rule) this will provide some insight.
>>> I ran a wireshark on the destination and it received packets when “port testing” from the pfSense, but not when using external access (e.g. canyouseeme.org)
>>>
>>> Marco
>> Marco,
>>
>> Just curious, but what is the target machine's OS?
> The actual server is FreeBSD, but I run the tests with a Linux laptop as the behaviour is the same.
>
> Marco

I know you've stated that you have no firewall on these machines. So iptables -L shows empty on the Linux laptop and (sorry, not familiar with FreeBSD) the equivalent on FreeBSD? No selinux in play on the Linux laptop, or at least if in play, policies are in use?

I looked at your screen shots and I can't see anything that leaps out at me. We have a number of PfSense firewalls in use (15) within our organization and I've used port forwarding on every one of them and have never run into a problem-unless the receiving machine refuses the connection.

I've been bitten by selinux before and more recently, by firewalld.

Thanks,
Steven G. Spencer
Re: [pfSense] Port forwards don't work on one machine
I would think "exposed host" is what I am calling DMZ, from your description.

If you have a firewall rule you can set it to log traffic (pass or block I believe). Under status/system logs/settings there is a checkbox to log packets blocked by the default block rule.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Monday, February 12, 2018 3:10 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

On Mon, 12 Feb 2018 20:45:55 + Steve Yates wrote:
> Just to double check the config, so the pfSense router is set as the DMZ of the ISP router?

No clue if the ISP device has a concept of DMZ. I configure it as “Exposed Host”, so all communication is actually forwarded to the pfSense box. I've set up numerous of those devices in different locations and that was always sufficient.

> Have you tried deleting the rule and re-adding?

On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP device's config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the logging features. What's the best way to check if that packet is blocked by pfSense somehow? I tried Status → System Logs → Firewall → Normal View → Advanced Log Filter. I checked “Block”, then entered Port: 8000 and “Apply Filter” and it shows “No logs to display”. That means that the packet is not blocked by an implicit or explicit firewall rule, right?

Marco
Re: [pfSense] Port forwards don't work on one machine
On Sun, 11 Feb 2018 15:23:43 -0800 Chris L wrote:
> > On Feb 11, 2018, at 1:29 PM, Marco wrote:
> >
> > On Sun, 11 Feb 2018 20:46:41 + "Joseph L. Casale" wrote:
> >> -----Original Message-----
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> >> Sent: Sunday, February 11, 2018 1:43 PM
> >> To: pfSense Support and Discussion Mailing List
> >> Subject: Re: [pfSense] Port forwards don't work on one machine
> >>
> >>> What interface is that taken on? Take one on the interface the destination server is connected to (WLAN?) and test again. While you’re capturing also do another Diagnostics > Test Port from the local pfSense itself. Please include the capture of both events (from outside and using test port.)
> >>>
> >>> It looks like the server is not responding.
> >>
> >> I'd also suggest running a capture on the destination, if it's actually receiving traffic and/or sending it elsewhere (routing rule) this will provide some insight.
> >
> > I ran a wireshark on the destination and it received packets when “port testing” from the pfSense, but not when using external access (e.g. canyouseeme.org)
>
> Are the packets going out pfSense LAN? To what MAC/IP address?

You mean when scanning from outside? I ran a Packet Capture on pfsense on the WLAN side (settings: interface WLAN, port 8000) and got nothing.

Marco
Re: [pfSense] Port forwards don't work on one machine
On Mon, 12 Feb 2018 20:45:55 + Steve Yates wrote:
> Just to double check the config, so the pfSense router is set as the DMZ of the ISP router?

No clue if the ISP device has a concept of DMZ. I configure it as “Exposed Host”, so all communication is actually forwarded to the pfSense box. I've set up numerous of those devices in different locations and that was always sufficient.

> Have you tried deleting the rule and re-adding?

On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP device's config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the logging features. What's the best way to check if that packet is blocked by pfSense somehow? I tried Status → System Logs → Firewall → Normal View → Advanced Log Filter. I checked “Block”, then entered Port: 8000 and “Apply Filter” and it shows “No logs to display”. That means that the packet is not blocked by an implicit or explicit firewall rule, right?

Marco
Re: [pfSense] Port forwards don't work on one machine
On Mon, 12 Feb 2018 14:12:53 -0500 James Ronald wrote:
> What is the default gateway of the destination (is there a route back to pfSense)?

pfSense is the default gateway of the destination.

Marco
Re: [pfSense] Port forwards don't work on one machine
Just to double check the config, so the pfSense router is set as the DMZ of the ISP router?

Have you tried deleting the rule and re-adding?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 1:13 PM
To: list@lists.pfsense.org
Subject: [pfSense] Port forwards don't work on one machine

Hi,

I have set up port forwarding multiple times in the past and it has always worked. But I now have a machine that fails to forward a port. No clue why. Maybe I'm missing the obvious here.

My network:

Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)

For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG, used IPs instead of aliases.

1) The port forward from the WAN to 10.0.30.21 is set up.
https://i.imgur.com/V8vlN1Z.png

2) A corresponding WAN rule is created as well:
https://i.imgur.com/N7ulwha.png

On another machine this already is enough to get it working. But not on this one. Nmap shows “filtered”.

3) Confirming the port 8000 is actually open on 10.0.30.21:
https://i.imgur.com/KcaSP6T.png
Yes, it is.

4) Now testing from the external IP:
https://i.imgur.com/QnWQuIO.png
Nope!

Again using an external service:
https://i.imgur.com/v4KaivE.png
No, James!

5) States:
https://i.imgur.com/Rf1kjbf.png

6) Packet capture:
https://i.imgur.com/xT3qFXW.png

I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

> Common Problems
>
> 1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?)

I guess it's all correct, works on another machine.

> Hint: Do NOT set a source port

not set

> 2. Firewall enabled on client machine

nope

> 3. Client machine is not using pfSense as its default gateway

pfSense is the default gateway

> 4. Client machine not actually listening on the port being forwarded

It is, see https://i.imgur.com/KcaSP6T.png

> 5. ISP or something upstream of pfSense is blocking the port being forwarded

I guess the states table and packet capture should be empty if that's the case, right?

> 6. Trying to test from inside the local network, need to test from an outside machine

Tested both, see
https://i.imgur.com/QnWQuIO.png
https://i.imgur.com/v4KaivE.png

> 7. Incorrect or missing Virtual IP configuration for additional public IP addresses

No clue, haven't configured anything virtual.

> 8. The pfSense router is not the border router. If there is something else between pfSense and the ISP, the port forwards and associated rules must be replicated there.

True, pfSense is not the border router, ISP provided “NAT gateway” is. Device is configured to forward everything to the pfSense box, though.

> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be added both to and from the server's IP in order for a port forward to work behind a Captive Portal.

nope

> 10. If this is on a WAN that is not the default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.

WAN is default gateway

> 11. If this is on a WAN that is not the default gateway, ensure the traffic for the port forward is NOT passed in via Floating Rules or an Interface Group. Only rules present on the WAN's interface tab under Firewall Rules will have the reply-to keyword to ensure the traffic responds properly via the expected gateway.

didn't configure floating rules

> 12. If this is on a WAN that is not the default gateway, make sure the firewall rule(s) allowing the traffic in do not have the box checked to disable reply-to.

not the case

> 13. If this is on a WAN that is not the default gateway, make sure the master reply-to disable switch is not checked under System > Advanced, on the Firewall/NAT tab.

not the case

> 14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.

see https://i.imgur.com/N7ulwha.png

> 15. If the traffic appears to be forwarding in to an unexpected device, it may be happening due to UPnP. Check Status > UPnP to see if an internal service has configured a port forward unexpectedly. If so, disable UPnP on either that device or on the firewall.

UPnP is not used

I guess I'm missing the obvious here, since port forwards are rather straightforward in pfSense and have never given me troubles in the past. A nudge in the right direction is appreciated.

Marco
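The thread converges on the method Chris L proposes: capture on the WAN while the external test runs, capture again on the interface the destination sits on (WLAN here), and compare. Where the SYN disappears tells you which checklist item is in play: never seen on WAN points upstream (item 5, the ISP device), seen on WAN but never on the inside interface points at the NAT or rule on pfSense itself (item 1, and the situation Marco reports: states and a WAN capture, but an empty WLAN capture), seen inside but unanswered points at the host (items 2 to 4). The script below is an added example, not code from the thread or from pfSense; it parses tcpdump's default text output for the two captures and returns that verdict. The capture lines are constructed: 10.0.30.21 and port 8000 come from the thread, 198.51.100.10 is a placeholder for the pfSense WAN address and 203.0.113.5 a placeholder for the outside tester.

```python
import re
from dataclasses import dataclass

# Constructed tcpdump-style lines (default text format, `tcpdump -n`).
# External tester 203.0.113.5 sends two SYNs to the WAN address 198.51.100.10:8000.
WAN_CAPTURE = """\
14:02:10.100001 IP 203.0.113.5.51234 > 198.51.100.10.8000: Flags [S], seq 1, win 64240, length 0
14:02:11.100002 IP 203.0.113.5.51234 > 198.51.100.10.8000: Flags [S], seq 1, win 64240, length 0
"""

# Constructed inside-interface captures for the three outcomes.
LAN_CAPTURE_EMPTY = ""                      # what Marco saw on WLAN: nothing at all
LAN_CAPTURE_NO_REPLY = """\
14:02:10.100101 IP 203.0.113.5.51234 > 10.0.30.21.8000: Flags [S], seq 1, win 64240, length 0
"""
LAN_CAPTURE_FORWARDED = LAN_CAPTURE_NO_REPLY + """\
14:02:10.100250 IP 10.0.30.21.8000 > 203.0.113.5.51234: Flags [S.], seq 7, ack 2, win 65160, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string: "S" = SYN, "S." = SYN-ACK


def parse_capture(text):
    """Parse IPv4 TCP lines from tcpdump text output; non-matching lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def triage(wan_text, lan_text, wan_ip, target_ip, port):
    """Locate where an inbound port-forward test is lost, from a WAN-side and an
    inside-interface capture taken while the test runs."""
    wan = parse_capture(wan_text)
    lan = parse_capture(lan_text)

    # 1. Did the external SYN reach the WAN at all? If not, look upstream of pfSense.
    if not any(p.dst == wan_ip and p.dport == port and p.flags == "S" for p in wan):
        return "not-reaching-wan"

    # 2. Did pfSense translate it and send it out the inside interface? The source
    #    address is unchanged by a plain port forward, so match on destination only.
    if not any(p.dst == target_ip and p.dport == port and p.flags == "S" for p in lan):
        return "lost-in-pfsense"

    # 3. Did the host answer with a SYN-ACK? If not, the host (firewall, listener,
    #    default gateway) is the place to look.
    if not any(p.src == target_ip and p.sport == port and p.flags == "S." for p in lan):
        return "no-reply-from-host"

    return "forwarded-ok"


if __name__ == "__main__":
    wan_ip, target, port = "198.51.100.10", "10.0.30.21", 8000
    for label, lan in (("empty WLAN capture", LAN_CAPTURE_EMPTY),
                       ("SYN forwarded, no reply", LAN_CAPTURE_NO_REPLY),
                       ("full handshake start", LAN_CAPTURE_FORWARDED)):
        print(f"{label}: {triage(WAN_CAPTURE, lan, wan_ip, target, port)}")
```

To use it on a live box, save both captures from Diagnostics > Packet Capture (or `tcpdump -n -i <wan> port 8000` and the same on the inside interface) while the external test runs, read each file into the two text arguments, and pass the real WAN address. A `lost-in-pfsense` verdict with a state present, as in Marco's screenshots, narrows the search to the NAT rule, its associated firewall rule, and the interface the forward is bound to, rather than to the host or the ISP device.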