• Routing between interfaces

    12
    0 Votes
    12 Posts
    3k Views
    DerelictD

    "PIA"

  • 0 Votes
    5 Posts
    894 Views
    C

    You are right!
    Thank you.

  • Use a Gateway Group for Locally Originated Traffic?

    1
    0 Votes
    1 Posts
    425 Views
    No one has replied
  • ALTQ and daisy chaining VLANs

    1
    0 Votes
    1 Posts
    503 Views
    No one has replied
  • 0 Votes
    9 Posts
    3k Views
    S

    The attack is called BadTunnel. I have been in contact with VPN companies, as all their Windows servers (all versions of Windows from W95 to W10) are getting attacked through ports 135, 136, 137, 138, 139, 455, 500, but mainly port 137, due to them running Windows under the Windows 10 Anniversary Update.

    BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses; how IE and Edge browsers support webpages with embedded content; how Windows handles network paths via an IP address; how NetBIOS Name Service NB and NBSTAT queries handle transactions; and how Windows handles queries on the same UDP port (137), all of which when lumped together make the network vulnerable to a BadTunnel attack.

    Here’s an attack scenario, as explained in Yu’s technical paper:

    1.  Alice and Bob can be located anywhere on their network, and have firewall and NAT devices in between, as long as Bob's 137/UDP port is reachable by Alice.

    2.  Bob closes ports 139 and 445, but listens on 137/UDP.

    3.  Alice is convinced to access a file URI or UNC path that points to Bob, and another hostname-based URI such as "http://WPAD/x.jpg" or "http://FileServer/x.jpg". Alice will send a NBNS NBSTAT query to Bob, and also send a NBNS NB query to the LAN broadcast address.

    4.  If Bob blocks access to ports 139 and 445 using a firewall, Alice will send the NBNS NBSTAT query after approximately 22 seconds. If Bob instead closed ports 139 and 445 by disabling the Server Windows service or the NetBIOS over TCP/IP protocol, Alice does not need to wait for the connection to time out before sending the query.
    Info taken from this page: https://goo.gl/OZnC9b

    Here is a google search if you want to read up on it more: https://goo.gl/ZTNH26
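
    The scenario above turns on two protocol facts: NBNS runs on a single UDP port (137) for both NB and NBSTAT, and an answer is matched to its question by transaction ID. The following is an added example, not code from the post, the linked write-up or pfSense: it builds NBNS NB/NBSTAT queries and NB responses from the RFC 1002 wire format, then compares two acceptance policies for an answer arriving on UDP/137, a "weak" one (transaction ID only) and a "strict" one (ID, name, record type and a plausible source). Both policies are illustrative models, not a description of Windows' actual resolver code; the addresses 203.0.113.5 (Bob), 192.168.1.0/24 (Alice's LAN) and the transaction IDs are constructed.

```python
import ipaddress
import struct

# NBNS on UDP/137 (RFC 1001/1002). Record types used by the scenario:
TYPE_NB = 0x0020      # NB: name query, answer carries IPv4 address(es)
TYPE_NBSTAT = 0x0021  # NBSTAT: node status query
CLASS_IN = 0x0001
FLAG_QR = 0x8000      # response bit in the header flags
FLAG_B = 0x0010       # broadcast bit


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15 space-padded chars + suffix byte, each byte
    split into two nibbles mapped onto 'A'..'P'. Returns the length-prefixed,
    root-terminated 32-character label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    body = bytearray()
    for b in raw:
        body.append(ord("A") + (b >> 4))
        body.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(body) + b"\x00"


def decode_netbios_name(label: bytes) -> str:
    """Inverse of encode_netbios_name on the 32 encoded bytes (no length byte)."""
    raw = bytes(((label[i] - 65) << 4) | (label[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()


def build_query(txid: int, name: str, qtype: int, broadcast: bool) -> bytes:
    """NBNS query: DNS-style 12-byte header plus one question."""
    flags = 0x0100 | (FLAG_B if broadcast else 0)  # RD=1, B set for LAN broadcast
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def build_nb_response(txid: int, name: str, ip: str) -> bytes:
    """Positive NB response: one resource record with NB_FLAGS + IPv4 address."""
    header = struct.pack(">HHHHHH", txid, FLAG_QR | 0x0580, 0, 1, 0, 0)  # QR,AA,RD,RA
    rdata = struct.pack(">H", 0) + bytes(int(o) for o in ip.split("."))
    rr = encode_netbios_name(name) + struct.pack(">HHIH", TYPE_NB, CLASS_IN, 300000, len(rdata))
    return header + rr + rdata


def parse_response(pkt: bytes) -> dict:
    """Parse the header and the first answer RR of an NBNS response."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12 + qd * (34 + 4)                      # skip any question entries
    label = pkt[off + 1 : off + 33]               # 1 length byte, 32 chars, 1 root byte
    off += 34
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off : off + 10])
    off += 10
    rdata = pkt[off : off + rdlen]
    addrs = [".".join(str(b) for b in rdata[i + 2 : i + 6]) for i in range(0, rdlen, 6)]
    return {"txid": txid, "is_response": bool(flags & FLAG_QR),
            "name": decode_netbios_name(label), "type": rtype, "addrs": addrs}


def accept_response(outstanding: dict, pkt: bytes, src_ip: str, lan: str, strict: bool) -> bool:
    """Should a resolver trust an answer that arrived on UDP/137?
    outstanding: txid -> (name, qtype, unicast peer IP or None for broadcast).
    strict=False: transaction ID alone (the weak model the attack relies on).
    strict=True : also require matching name/type and a plausible source."""
    r = parse_response(pkt)
    if not r["is_response"] or r["txid"] not in outstanding:
        return False
    if not strict:
        return True
    name, qtype, peer = outstanding[r["txid"]]
    if r["name"] != name or r["type"] != qtype:
        return False
    if peer is not None:
        return src_ip == peer                     # unicast question: answer must come from that peer
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(lan)  # broadcast: on-subnet only


def scenario() -> dict:
    """Constructed replay: Alice's two queries, then Bob's forged WPAD answers."""
    bob, lan = "203.0.113.5", "192.168.1.0/24"   # assumed addresses
    outstanding = {
        0x1234: ("*", TYPE_NBSTAT, bob),          # NBSTAT sent unicast to Bob
        0x1235: ("WPAD", TYPE_NB, None),          # NB query broadcast on the LAN
    }
    forged = build_nb_response(0x1234, "WPAD", bob)    # Bob reuses the txid he saw
    forged2 = build_nb_response(0x1235, "WPAD", bob)   # Bob guesses the broadcast txid
    legit = build_nb_response(0x1235, "WPAD", "192.168.1.20")
    return {
        "weak_accepts_forged": accept_response(outstanding, forged, bob, lan, strict=False),
        "strict_rejects_forged": not accept_response(outstanding, forged, bob, lan, strict=True),
        "strict_rejects_offsubnet": not accept_response(outstanding, forged2, bob, lan, strict=True),
        "strict_accepts_lan": accept_response(outstanding, legit, "192.168.1.20", lan, strict=True),
    }
```

    The practical takeaway for a firewall operator is the source check in the strict policy: an NB answer for a broadcast name should never be accepted from beyond the local subnet, which is also why blocking UDP/137 (and 139/445) across the WAN edge in both directions closes this path regardless of how the endpoint resolver behaves.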

  • With backup WAN, what are steps to fail back

    3
    0 Votes
    3 Posts
    517 Views
    W

    Thanks. I was misinterpreting this passage in the book:

    When a gateway has failed, by default pfSense will flush all states for connections using that gateway. That mechanism
    will force clients to reconnect, and in doing so they will use a gateway that is online instead of a gateway that is down.
    This currently only works one-way, meaning that it can move connections off of a failing gateway, but it cannot force
    them back if the original gateway comes back online.

    Didn't read that as only applying to existing connections. As long as new connections go by the currently favored gateway, I'm happy.

  • Routing between two networks

    7
    0 Votes
    7 Posts
    1k Views
    C

    Thank you doktornotor, it worked for me. I cleaned all the gateways and rebooted and it worked.

  • 0 Votes
    6 Posts
    946 Views
    Y

    Yes, I configured gateway monitoring and also DNS in General Setup.

    Until now, policy-based routing in firewall rules doesn't work..

    :'( :'( :'( :'( :'(

  • Tripple WAN with IPv6

    1
    0 Votes
    1 Posts
    513 Views
    No one has replied
  • Sticky Connection Doesn't Work

    4
    0 Votes
    4 Posts
    630 Views
    C

    @dotdash:

    I haven't tried the feature in years, but it was problematic in the past. If I need to load-balance these days, I just add a rule to send https to a failover group and LB the rest of the traffic.

    Can't do that. I have a lot of HTTPS over custom ports such as 8888, 8890 and many, many more for remote client access. It would be impractical to put all the ports in a failover rule.

    Thank you

  • OSPF between Cisco & PFsense

    3
    0 Votes
    3 Posts
    3k Views
    S

    Problems:
    (1) Seems pfSense interfaces rely on a static route for 10.0.0.0/24 hosts to be able to reach the HTTP webConfigurator
    (2) 192 hosts can't access the internet or ping from the pfSense interface
    (3) Can't SSH to 192 hosts from 10.0.0.0/24
    (4) But 192 hosts can talk to each other
    (5) From the ASA, I can ping pfSense interfaces but none of the 192 hosts.
    (6) Disabled firewall/packet filtering on pfSense for now to fix route issues.

    (ASA output)

    cisASA# show route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route

    Gateway of last resort is 107.204.168.1 to network 0.0.0.0

    S*    0.0.0.0 0.0.0.0 [1/0] via 107.204.168.1, outside
    O IA  10.10.2.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
    C     107.0.0.0 255.0.0.0 is directly connected, outside
    L     107.204.169.233 255.255.255.255 is directly connected, outside
    C     10.0.0.0 255.255.0.0 is directly connected, inside
    L     10.0.0.1 255.255.255.255 is directly connected, inside
    O IA  192.168.122.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside

    cisASA# show ospf nei
    Neighbor ID      Pri  State      Dead Time  Address      Interface
    100.100.100.100    1  FULL/BDR   0:00:39    10.0.0.119   inside
    cisASA#

    (PFsense output)

    IPv4 Routes
    Destination        Gateway             Flags  Use     Mtu    Netif  Expire
    0.0.0.0/32         10.0.0.1            UGS    0       1450   em3
    default            10.0.0.1            UGS    57016   1450   em3
    8.8.8.8            00:3d:2c:15:26:57   UHS    17      1450   em3
    10.10.2.0/24       link#2              U      0       1450   em1
    10.10.2.1          link#2              UHS    212364  16384  lo0
    84.200.69.80       00:3d:2c:15:26:57   UHS    166     1450   em3
    127.0.0.1          link#8              UH     823     16384  lo0
    10.0.0.0/16        10.0.0.1            UGS    120297  1450   em3
    10.0.0.119         link#4              UHS    0       16384  lo0
    192.168.122.0/24   link#3              U      63230   1450   em2
    192.168.122.1      link#3              UHS    212299  16384  lo0

    Quagga OSPF Neighbors
    Neighbor ID  Pri  State    Dead Time  Address   Interface        RXmtL  RqstL  DBsmL
    5.5.5.5        1  Full/DR  34.501s    10.0.0.1  em3:10.0.0.119   0      0      0

    (ASA Config)

    cisASA# show run
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.2(4)
    !
    hostname cisASA
    enable password .jaY8R6W./JP9tz1 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.0.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 7.4.1.2 255.0.0.0
    !
    interface Vlan3
     no nameif
     no security-level
     no ip address
    !
    boot system disk0:/asa924-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 84.200.69.80
     name-server 8.8.8.8
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-100
     subnet 10.0.0.0 255.255.0.0
    object network loader
    object network ospf-10
     subnet 10.0.2.0 255.255.255.0
    object network ospf-20
     subnet 10.0.20.0 255.255.255.0
    object network ospf-30
     subnet 10.0.30.0 255.255.255.0
    object network ospf-40
     subnet 192.168.122.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    access-list inside_access_in extended permit ip object obj-100 any4
    access-list inside_access_in extended permit ip object ospf-10 any4
    access-list inside_access_in extended permit ip object ospf-20 any4
    access-list inside_access_in extended permit ip object ospf-30 any4
    access-list inside_access_in extended permit ip object ospf-40 any4
    access-list outside_access_in extended permit ip 192.168.0.0 255.255.0.0 any
    access-list outside_access_in extended permit ip 10.0.0.0 255.0.0.0 any
    access-list outside_access_in extended permit ip 172.16.0.0 255.240.0.0 any
    pager lines 24
    logging enable
    logging buffer-size 987564
    logging buffered informational
    logging asdm informational
    mtu inside 1450
    mtu outside 1450
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-762-150.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    object network obj-1000
     nat (inside,outside) dynamic interface
    object network ospf-10
     nat (inside,outside) dynamic interface
    object network ospf-20
     nat (inside,outside) dynamic interface
    object network ospf-30
     nat (inside,outside) dynamic interface
    object network ospf-40
     nat (inside,outside) dynamic interface
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group inside_access_in in interface inside
    access-group open-acl in interface outside
    router ospf 5505
     router-id 5.5.5.5
     network 10.0.0.0 255.255.0.0 area 0
     log-adj-changes
     redistribute static subnets
    !
    route outside 0.0.0.0 0.0.0.0 7.4.1.1
    management-access inside
    dhcp-client client-id interface outside
    dhcpd dns 84.200.69.80 8.8.8.8
    dhcpd update dns both override
    dhcpd option 3 ip 10.0.0.1
    !
    dhcpd address 10.0.1.100-10.0.1.130 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 216.228.192.69 source outside
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:72ade258e5ac8ab26363b2a9beb2724a
    : end
    cisASA#

    (PFsense Config is in GUI format)

    But pretty much the same
  • Help with my setup on a Non-Nat and local ip subnet DHCP environment

    2
    0 Votes
    2 Posts
    711 Views
    johnpozJ

    "I have a block of IPs provided by my ISP, routed directly to me. "

    So this block is routed to you over what transit network? Or, what is more common, they gave you say a /29 with one of those /29 addresses being the gateway you're supposed to point to. This is completely different from a routed network.

    If they routed your block to you, then you would have a transit network connection.

    So for example, let's say they gave you public 4.5.6.0/29, and your pfSense WAN IP might be 1.2.3.2/30. You could then, yes, put that 4.5.6.0/29 behind pfSense and not NAT it. But if all they gave you was 1.2.3.0/29 and told you to point to 1.2.3.1 as your gateway, that is not a routed network. You just have a /29 hanging off their network. And sure, you could use .2 - .6 as other VIPs on the pfSense WAN. Placing those IPs behind pfSense would require subnetting that network or a bridge.

  • WAN Failover OpenVPN Issues on WAN1 Recovery

    2
    0 Votes
    2 Posts
    723 Views
    G

    Same problem here (OpenVPN not switching back from backup to main connection), so perhaps I can push up the topic?

    regards
    Luggi

  • MultiWan+ Squid proxy

    6
    0 Votes
    6 Posts
    1k Views
    T

    Ok thanks

  • Load Balancing with per-packet

    5
    0 Votes
    5 Posts
    2k Views
    L

    Hello,

    Could you please add Multipath TCP (MPTCP) feature on 2.4.0 version?

    Link : https://redmine.pfsense.org/issues/4632

  • Two pfSense serving same LAN

    8
    0 Votes
    8 Posts
    1k Views
    johnpozJ

    "request come from the .40.x side."

    So you're source NATting as well? Putting a host in both your DMZ and your LAN via multihoming pretty much defeats the whole purpose of a "DMZ".

  • Exchange Server on Multi WAN

    5
    0 Votes
    5 Posts
    1k Views
    dotdashD

    @DJBenson:

    Am I right in assuming if I use a port alias containing 25,465 and 587 and assign that to the rule you suggested, any other traffic originating from the mail server will still load balance (i.e. normal HTTP/S traffic)?

    Yes, set the destination for SMTP, etc., and the other traffic will progress to the default rule. You may want to put HTTPS on a failover group (not load balanced) to avoid the problems you saw with banking sites, etc.

  • Check MultiWAN speed and load balancing in real time

    1
    0 Votes
    1 Posts
    409 Views
    No one has replied
  • Policy based routing, multi-WAN and gateway on same subnet

    39
    0 Votes
    39 Posts
    8k Views
    G

    Hi Jim,

    Regarding all the tests my colleague has made and his results, do you think it could be a bug ?

    Thank you :-)

  • Routing issue between two network

    7
    0 Votes
    7 Posts
    1k Views
    johnpozJ

    What dok said ;)

    That is not how you would set it up. If you want 192.168.1/24 to be your internal network, then it would go behind pfSense, just like your wifi network. You can have another firewall between pfSense and the internet if you want, kind of pointless, but you end up with something like the attached. Now you can firewall or talk between your segments all you want. You can run a captive portal on the wifi segment, etc.

    You don't put devices on a transit network between 2 routers. If you do, then you have to put routes on them to tell them which router to use for which network. If your pfSense is NATting, now you also have to port forward to allow traffic from your transit into your downstream network. You're probably going to have asymmetrical routing issues because you miss a route on one of your hosts in your transit.

    If you want to use pfSense as a downstream router/firewall and have a segment hang off the upstream router, then you would connect them with a transit, but now you're going to have to create routing on your upstream router. See 2nd pic. I wouldn't be NATting at pfSense in this case. Your upstream router would do the NATting for any networks behind it. So there is more config on the upstream router in this setup.

    Attachments: typicalsetup.png, transitnetwork.png

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.