Re: [pfSense] Bridging firewall swallows its own traffic

2016-06-30 Thread Lee Damon
Following up to my earlier email.

I was expecting the bridge to act the same as on other OSs I'm currently
using for firewalls (that is, once traffic hits the bridge it is not
examined further; it just goes out the other end - a tunnel). However, it
turns out I was misunderstanding how FBSD does bridging - it examines the
packets on the bridge itself as if it were a switch.

As a result I have had to resort to something I consider less than
optimal. I've disabled the LAN interface and given br0 (the bridge) its
IP address (for management access). I've set up firewall rules on br0
that only allow access from management hosts to the very limited set of
management ports (all other traffic is blocked). This effectively puts
the management interface "outside" the firewall, but hopefully protects
it sufficiently that it isn't a totally bad thing.

Does anyone have any comments/feedback on this solution for me?

thanks,
nomad
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] DMZ not working since upgrade 2.3

2016-06-30 Thread Chris Buechler
On Wed, Jun 29, 2016 at 8:27 AM, Jean-Laurent Ivars wrote:
> Hello Piba (and anyone else…)
>
> Sorry for not having answered before…
>
> To answer your questions, firstly, I'm not in a datacenter, only a client's 
> offices with different ISPs.
>
> I agree with you double NAT is bad but you can't always get rid of it… and you 
> should know that on one of my WAN connections I was technically able to make a 
> bridge and I thought the problem was the same with this connection but in 
> fact, my fault, bad setting, so with this connection everything is working!
>
> So I stay with my third connection which is not working (double NAT) and only 
> with this one, I can see traffic but it's not working, so I gave a try with 
> the flag you requested to try to give more information to understand what 
> happens…
>
> from outside to port 2223, which is where the SSH daemon is listening on the 
> pfSense, from the OVH connection (double NAT) = not working
>
> 2.3.1-RELEASE][r...@pfsense.concorde-pereire.loc]/root: tcpdump -en -i re0 
> port 2223
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:42:56.509422 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 
> (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], 
> seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], 
> length 0
> 14:42:56.509584 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 
> (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], 
> seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 
> 7,sackOK,eol], length 0
> 14:42:59.509726 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 
> (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], 
> seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 
> 7,sackOK,eol], length 0
> 14:42:59.529210 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 
> (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], 
> seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], 
> length 0
>
>
> from outside to port 2223, which is where the SSH daemon is listening on the 
> pfSense, from the SFR connection (double NAT) = working
>
> [2.3.1-RELEASE][r...@pfsense.concorde-pereire.loc]/root: tcpdump -en -i re0 
> port 2223
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:43:47.280639 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 
> (0x0800), length 66: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [S], 
> seq 2327707324, win 9652, options [mss 1460,wscale 3,sackOK,eol], length 0
> 14:43:47.280797 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 
> (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [S.], 
> seq 3881093896, ack 2327707325, win 65228, options [mss 1460,nop,wscale 
> 7,sackOK,eol], length 0
> 14:43:47.311955 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 
> (0x0800), length 60: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [.], 
> ack 1, win 32850, length 0
> 14:43:47.322754 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 
> (0x0800), length 82: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [P.], 
> seq 1:29, ack 1, win 32850, length 28
> 14:43:47.322883 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 
> (0x0800), length 54: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [.], 
> ack 29, win 513, length 0
> 14:43:47.343017 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 
> (0x0800), length 75: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [P.], 
> seq 1:22, ack 29, win 513, length 21
>
>
> In the light of these new details, I can see that the pfSense is trying to 
> respond to the wrong MAC address (the working connection's one)! And that is the 
> reason it's not working! So I had a look at the interface settings and I 
> noticed that the MAC address it tries to reply to is the one selected here in 
> the menu list; I have two since I have two gateways for one interface in the 
> same private network space…
>
> First I want to thank you for helping me clarify what was going wrong (for the 
> second pfSense installation it's a bad coincidence: the problem is with the 
> modem configuration, which is defective).
>
> So my question now is: how can I set both gateways to have the same 
> priority, or at least make the system answer to the address that initiated the 
> connection?
>

Don't put two WANs on one interface, the reply-to rules can't properly
handle return routing in that case. Use another NIC or a VLAN for one
of them.
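The diagnosis in this thread (the SYN-ACK leaving for the MAC of the *other* gateway) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from pfSense: it parses `tcpdump -en` output, remembers the source MAC of each client SYN, and flags any SYN-ACK whose destination MAC differs from it. The sample capture is the thread's own two captures, rejoined onto one line per frame; function names and the report format are my own.

```python
"""Flag SYN-ACKs that are sent to a different MAC than the SYN arrived from.

Useful when two gateways share one interface and the firewall's reply-to
logic picks the wrong next hop, as described in the thread above.
"""
import re
from dataclasses import dataclass

# One `tcpdump -en` line: timestamp, src MAC > dst MAC, IPv4, src ip.port > dst ip.port, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<flags>[^\]]*)\]"
)

# Capture lines from the thread (OVH connection first, SFR connection second),
# rewrapped to one line per frame so the regex above can match them.
SAMPLE_CAPTURE = """\
14:42:56.509422 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:42:56.509584 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
14:42:59.509726 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
14:42:59.529210 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:43:47.280639 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [S], seq 2327707324, win 9652, options [mss 1460,wscale 3,sackOK,eol], length 0
14:43:47.280797 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [S.], seq 3881093896, ack 2327707325, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
14:43:47.311955 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 60: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [.], ack 1, win 32850, length 0
"""


@dataclass
class Frame:
    ts: str
    smac: str
    dmac: str
    src: str    # "ip.port" as tcpdump prints it
    dst: str
    flags: str  # e.g. "S", "S.", ".", "P."


def parse_tcpdump(text):
    """Return the frames in `text` that match the tcpdump -en line format; other lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append(Frame(**m.groupdict()))
    return frames


def find_mac_mismatches(frames):
    """Report flows whose SYN-ACK is addressed to a MAC other than the one the SYN came from.

    Each flow is reported once, even if the SYN-ACK is retransmitted.
    """
    syn_src_mac = {}   # (client, server) -> MAC the SYN arrived from
    reported = set()
    mismatches = []
    for f in frames:
        if f.flags == "S":
            syn_src_mac[(f.src, f.dst)] = f.smac
        elif f.flags == "S.":
            flow = (f.dst, f.src)  # reverse direction of the SYN-ACK
            expected = syn_src_mac.get(flow)
            if expected is not None and expected != f.dmac and flow not in reported:
                reported.add(flow)
                mismatches.append({
                    "flow": flow,
                    "syn_src_mac": expected,
                    "synack_dst_mac": f.dmac,
                    "ts": f.ts,
                })
    return mismatches


if __name__ == "__main__":
    for m in find_mac_mismatches(parse_tcpdump(SAMPLE_CAPTURE)):
        client, server = m["flow"]
        print(f"{m['ts']} {client} -> {server}: SYN from {m['syn_src_mac']}, "
              f"SYN-ACK sent to {m['synack_dst_mac']} (reply going to wrong gateway MAC)")
```

On the sample, only the OVH flow (client port 49236) is reported: its SYN arrived from `a4:b1:e9:f7:13:e8` but both SYN-ACKs went to `24:95:04:fb:ae:90`, the SFR gateway's MAC. The SFR flow (port 49239) is clean. Run it against a live `tcpdump -en -i <wan-if> port <n>` capture to confirm the same symptom before reworking the interface layout as suggested in the reply.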