    SCTP and NAT not logging

General pfSense Questions
David C:

Hi,

On pfSense 2.6.0 we configured:

• a 1:1 NAT from an external IP to an internal server.
• a FW rule on WAN to allow traffic from "all" to "sctp_LAN" on SCTP
• a FW rule on "sctp_LAN" to allow traffic from "sctp_LAN" on SCTP
• logging enabled on both.

The user can't connect via SCTP, and I don't see anything in the logs when filtering on the SCTP protocol only, or on the user's external IP (with all protocols).

I tried adding * to * / * rules with logging; I can see SSH or random TCP traffic, but the SCTP doesn't go through and there is nothing in the logs.

Is there something special to configure to have SCTP events logged?

Thanks,
David

stephenw10 (Netgate Administrator):

Let's see some screenshots of the 1:1 NAT and firewall rules.

To "sctp_LAN" seems probably wrong, though. The destination there should be the internal server.

Steve

David C (reply to stephenw10):

@stephenw10
Yes, I admit that with the NAT I'm not sure which rules I need and on which LAN.
In doubt, I activated both.

• NAT
  75b49a6d-eced-4ffa-8a4f-2355ecb5f2d5-image.png

• FW rules on WAN
  7d815241-4199-4a69-8936-c641197ae13b-image.png
  (sorry, I changed the name to go with the description)

• FW rules on SCTP_LAN
  71bd5cc7-5877-4133-af2a-e80300c7480d-image.png

Ah, and SCTP_LAN is the subnet with the internal IP of the server.

David C:

I tried to get logs with minimal filtering:
28d5abe7-9dfa-4423-aa89-d99fb9671168-image.png

Another note: we have the same flow working, but via an internal VPN/IPsec with the same kind of rule, in the IPsec tab.

stephenw10 (Netgate Administrator):

The WAN destination rule should probably be the internal 172 IP. But that rule using the entire subnet should also match and pass it.
You don't need any rules on the internal interface to allow connections in from the internet.
The second rule you have there, with destination SCTP_LAN net, can never match anything. Traffic with that destination would just go directly between hosts and never hit the firewall.

Run a packet capture on WAN. Make sure you are seeing SCTP traffic arrive and with the expected destination IP.

Steve

David C (reply to stephenw10):
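A worked version of the triage Steve suggests (capture on WAN, then check what the firewall actually logged). This is an added example, not code from the thread or from pfSense; the interface name em0, the public 1:1 address 203.0.113.10 and the internal server 172.16.10.5 are assumptions, and the filterlog lines are constructed, not real captures. The parsing relies on the documented pfSense filterlog CSV layout (interface in field 5, action in 7, direction in 8, IP protocol number in 16, source and destination IPs in 19 and 20). The point it demonstrates: inbound WAN rules are evaluated after the 1:1 NAT, so a pass entry for SCTP (protocol 132) should show the internal address as destination; a log entry still carrying the public address means the NAT did not translate it.

```shell
#!/bin/sh
# Added example (not from the forum thread). Assumptions: WAN is em0,
# public 1:1 address is 203.0.113.10, internal server is 172.16.10.5.

# Commands to run on the firewall shell itself (not executed here):
#   tcpdump -ni em0 -c 20 sctp          # does SCTP even reach WAN?
#   pfctl -ss | grep -w sctp            # did a state open?
#   grep ',132,sctp,' /var/log/filter.log   # raw filterlog entries

# Print the SCTP entries from filterlog lines on stdin as
# "iface action direction src->dst". filterlog is CSV; for IPv4 the
# interface is field 5, action 7, direction 8, protocol number 16,
# source IP 19 and destination IP 20.
sctp_log_entries() {
    awk -F, '$16 == 132 { print $5, $7, $8, $19 "->" $20 }'
}

# Count SCTP entries whose destination is the given address. Pass the
# internal server address: inbound WAN rules see the post-NAT destination.
sctp_entries_to() {
    awk -F, -v want="$1" '$16 == 132 && $20 == want { n++ } END { print n + 0 }'
}

# Constructed sample filterlog lines (not real captures):
#  1) SCTP passed in on WAN, destination already translated to the server
#  2) SCTP blocked in on WAN, destination still the public IP (NAT did not apply)
#  3) an unrelated TCP/22 pass entry that must be ignored
SAMPLE='5,,,1000000103,em0,match,pass,in,4,0x0,,59,41321,0,DF,132,sctp,84,198.51.100.7,172.16.10.5
6,,,1000000104,em0,match,block,in,4,0x0,,59,41322,0,DF,132,sctp,84,198.51.100.7,203.0.113.10
7,,,1000000105,em0,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,198.51.100.7,172.16.10.5,54321,22,0,S,1,,65535,,mss'

main() {
    echo "SCTP entries:"
    printf '%s\n' "$SAMPLE" | sctp_log_entries
    echo "SCTP entries reaching the internal server:" \
        "$(printf '%s\n' "$SAMPLE" | sctp_entries_to 172.16.10.5)"
    echo "SCTP entries still addressed to the public IP (NAT not applied):" \
        "$(printf '%s\n' "$SAMPLE" | sctp_entries_to 203.0.113.10)"
}

main
```

If the tcpdump shows no SCTP arriving on WAN at all, the problem is upstream of the firewall and no rule or logging setting on pfSense will change that; if packets arrive but `sctp_entries_to` reports zero hits for the internal address, look at the 1:1 NAT entry before touching the rules.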

@stephenw10
Yes, I'll do this tomorrow.
But I was thinking that it should be visible in the logs like the others?
Or is there something that prevents SCTP packets from being logged?

stephenw10 (Netgate Administrator):

It should be logged there if you have logging enabled on the pass rule(s) and any states have been opened.
It may have left the logs already if you have a very busy WAN.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.