Netgate Discussion Forum
    How to add pf Dup-To rules

    • johnpoz (LAYER 8 Global Moderator) @Andrew453

      @andrew453 said in How to add pf Dup-To rules:

      Did you ever raise a feature request

      I don't see anything in redmine with dup-to mentioned.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • Andrew453 @johnpoz

        Thanks very much @johnpoz. I'll add a feature request if I may on Redmine, as I think it would be helpful to have the ability to add custom pf rules from the GUI.

        • Andrew453 @Andrew453

          .... feature request now added, thank you.

          https://redmine.pfsense.org/issues/12665

          • Andrew453 @mciep

            @mciep Hi Marius. I've been trying to get this to work today, but haven't been able to without blocking the original traffic flow.

            I'm trying to mirror traffic from a specific device on my network (say 192.168.1.87).

            If I tweak the existing rule that permits that traffic to duplicate to another address on the LAN for monitoring, e.g.

            pass in quick on $LAN dup-to ( em1 192.168.1.3 ) inet from 192.168.1.87 to any tracker 1574414022 allow-opts keep state label "USER_RULE: Allow specific LAN addresses outbound"

            ... then I can see the traffic being mirrored to 192.168.1.3 (i.e. I can see the packets arriving in Wireshark on the 192.168.1.3 device) but for some reason the original NAT'd traffic doesn't route properly.

            Instead of seeing a steady flow of TCP communications back and forth from the server with which 192.168.1.87 is supposed to communicate, I see a TCP SYN attempt followed by 6 retransmissions of the SYN (in each case mirrored to the 192.168.1.3 device). So clearly the original packet isn't getting through (or the reply is blocked).

            It feels like a NAT/state problem to me but I've tried various permutations of match rules (which shouldn't disturb the original packet), no state specified as an option etc, all to no avail.

            Grateful for any hints to the extent you or anyone else can point me in the right direction.

            • JKnott @Andrew453

              @andrew453

              One way to do this is with port mirroring on a managed switch. You can even make a "data tap" with a cheap 5 port managed switch.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              • Andrew453 @JKnott

                @jknott Thanks. I had a look at this. There are a number of reasons that make that complicated here:

                • the device I want to monitor is on wifi only
                • it's an IoT device so I can't set up anything fancy, like VLANs.
                • the monitoring device has a number of functions and only has one network interface. Yes, I could add an extra ethernet port (e.g. via USB) but it's extra complexity.
                • even if I did add an extra port, if I was mirroring a port on a managed switch it would inevitably be picking up quite a bit more traffic than that of the particular device I want to monitor.

                So, yes, it could be made to work but ideally I just want to set up a (simple) rule in pfSense and have it mirror the specific traffic to the monitoring device without any need to change network connections, set up new ports, reconfigure switches etc.

                As described in my earlier posts, I've managed to get it to mirror the specific traffic, it's just for some reason it breaks the routing of the original packet.

                • JKnott @Andrew453

                  @andrew453 said in How to add pf Dup-To rules:

                  the device I want to monitor is on wifi only

                  You can set up a filter in Wireshark to capture only a specific IP or MAC address. So, with port mirroring on your switch, you can easily do that. If you make a data tap, you can put it wherever you can pick up the Ethernet connection.


                  • Andrew453 @JKnott

                    @jknott Yes, understood. I should also have said I'm not using Wireshark.

                    I'm writing an application in C# (which incidentally does use WinPcap) to monitor the IoT device and then do things when it sees particular events occurring. This is a permanent arrangement.

                    The IoT device sends about 5KB every 15 mins, so I don't want to bombard the monitoring server with GBs of traffic going across the switch.

                    Also, if all I wanted to do was do a Wireshark analysis (which I've done already), I can use the packet capture facility that natively exists in Pfsense and/or ntopng and produces a pcap file that I can import into Wireshark.

                    • Andrew453 @Andrew453

                      I managed to (sort of) get this to work.

                      Rather than create the rules on the LAN, I created the rules on the WAN.

                      It's not ideal because it requires the filter to be applied to the destination server IP, which could in theory change. I'll just have to keep an eye on that.

                      I tweaked etc/inc/filter.inc to add the new rules immediately after the marker for the user defined rules:

                      // Existing marker lines in filter.inc; the mirror rules are appended right after them
                      $ipfrules .= "\n# User-defined rules follow\n";
                      $ipfrules .= "\nanchor \"userrules/*\"\n";
                      // Added: copy both directions of the monitored device's port 80 traffic to the monitoring server on em1
                      $ipfrules .= "pass  out log  on {  em0  } dup-to ( em1 192.168.aaa.aaa ) inet proto tcp  from any to bbb.bbb.bbb.bbb port 80 tracker 1641638644 flags S/SA keep state  label \"USER_RULE: Outbound mirror\"\n";
                      $ipfrules .= "pass  in log  on {  em0  } dup-to ( em1 192.168.aaa.aaa ) inet proto tcp  from bbb.bbb.bbb.bbb to 192.168.ccc.ccc port 80 tracker 1641638677 flags S/SA keep state  label \"USER_RULE: Inbound mirror\"\n";

                      where:
                      192.168.aaa.aaa is the internal IP address of the server on my network that is monitoring the device
                      192.168.ccc.ccc is the internal IP address of the device to monitor
                      bbb.bbb.bbb.bbb is the public IP address of the server that the monitored device talks to on the internet

                      • Andrew453

                        fyi, the below is broken after upgrading to 2.6.0.

                        From some digging, this version introduces "ridentifier" rather than "tracker" in rule definitions.

                        If you replace

                        tracker 1641638644
                        

                        with

                        ridentifier {$increment_tracker()}
                        

                        ... then all appears to work again.
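An added example (my own, not code from this thread or from pfSense): a small Python parser for generated pf rule lines in the shape quoted in the posts above, plus a check that lists every dup-to sink, accepting both the pre-2.6.0 tracker keyword and the ridentifier keyword, so a rules.debug can be audited for unexpected mirror targets after hand-editing filter.inc. The sample rules are constructed; 203.0.113.5 and the 192.168.10.x addresses are placeholders.

```python
# Constructed sample in the shape pfSense writes rules to /tmp/rules.debug; the
# 192.168.1.x addresses are the ones quoted in the thread, the rest are placeholders.
SAMPLE_RULES = """\
pass in quick on $LAN dup-to ( em1 192.168.1.3 ) inet from 192.168.1.87 to any tracker 1574414022 allow-opts keep state label "USER_RULE: Allow specific LAN addresses outbound"
pass  out log  on {  em0  } dup-to ( em1 192.168.10.20 ) inet proto tcp  from any to 203.0.113.5 port 80 ridentifier 1641638644 flags S/SA keep state  label "USER_RULE: Outbound mirror"
pass  in log  on {  em0  } inet proto tcp  from any to 192.168.10.50 port 443 ridentifier 1641638700 flags S/SA keep state  label "USER_RULE: No mirror"
"""

# One-argument keywords; "tracker" became "ridentifier" in pfSense 2.6.0.
ONE_ARG = {"from": "src", "to": "dst", "tracker": "rule_id", "ridentifier": "rule_id"}


def parse_rule(line):
    """Walk one generated pf rule token by token: interface, dup-to sink, endpoints, id, label."""
    toks = line.split()
    rule = {"action": toks[0], "direction": toks[1], "iface": None, "dup_to": None,
            "src": None, "dst": None, "id_keyword": None, "rule_id": None, "label": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "on":                              # "on em0" or "on {  em0  }"
            i += 1
            if toks[i] == "{":
                rule["iface"] = toks[i + 1]
                i += 2                             # land on the closing "}"
            else:
                rule["iface"] = toks[i]
        elif t == "dup-to":                        # dup-to ( ifname address )
            rule["dup_to"] = (toks[i + 2], toks[i + 3])
            i += 4                                 # land on ")"
        elif t in ONE_ARG:
            rule[ONE_ARG[t]] = toks[i + 1]
            if ONE_ARG[t] == "rule_id":
                rule["id_keyword"] = t             # remember which keyword this ruleset uses
            i += 1
        elif t == "label":                         # always the last option; take the rest
            rule["label"] = " ".join(toks[i + 1:]).strip('"')
            break
        i += 1
    return rule


def mirror_findings(rules_text, allowed_sinks):
    """One finding per dup-to rule; a sink outside allowed_sinks is flagged as unexpected."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        r = parse_rule(line)
        if r["dup_to"] is not None:
            r["unexpected"] = r["dup_to"][1] not in allowed_sinks
            findings.append(r)
    return findings
```

Run it over the output of `pfctl -sr` or over /tmp/rules.debug with the monitoring host as the only allowed sink; any other flagged sink means traffic is being copied somewhere it should not be.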

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.