Netgate Discussion Forum

Please advise on NAT

Category: Russian
26 Posts 5 Posters 11.4k Views

• ToXaNSK

  I also could not forward an FTP server through the second WAN.
  The first WAN is PPPoE, the second is a static IP; port 80 and the DC ports worked fine, but port 21 I never managed to forward... :(
  I thought it was my own clumsiness, but I see I'm not alone...

  I'm joining the question. ???

      Say what you mean, mean what you say. (Interstate 60)

• Eugene

  FTP is a tricky thing, because it was invented in those far-off fairy-tale times when nobody gave much thought to firewalls...
  First, you need to understand clearly whether the server and the client are working in active or passive mode.
  Second, disable the ftp-helper on WAN and forward everything by hand.

        http://ru.doc.pfsense.org

• ToXaNSK

  The point is that from the WAN interface everything works. Two rules are created in the firewall. But with the OPT interface there are problems. Ports like DC and HTTP work, but FTP flatly refuses.

• Eugene

  Where is the initiator of the connection (the client), on LAN or on WAN?

• ToXaNSK

  On OPT1.
  The network is like this:
        WAN (public IP) \
                         - LAN (10.1.1.1/28)
       OPT1 (10.10.10.10) /

  On the computer in LAN, 10.1.1.2, there are FTP and HTTP; the rules are created in the firewall. The problem is that from WAN both FTP and HTTP work, but from OPT1 only HTTP.

• Eugene

  Active or passive FTP?

• programmist_w

  And will nobody say anything about PPTP? My FTP is, I think, in active mode. BUT from WAN everything is fine, so it understands everything there. This is just some shortcoming.

• dvserg

  @programmist_w:

  And will nobody say anything about PPTP? My FTP is, I think, in active mode. BUT from WAN everything is fine, so it understands everything there. This is just some shortcoming.

  Active mode works with the ftp helper, I think. But PPTP can't do that.

                    SquidGuardDoc EN  RU Tutorial
                    Localization ru_PFSense

• Eugene

  The beauty of the ftp helper is precisely that both modes work with it. You need to make sure it is enabled on LAN and then tcpdump what happens on LAN and OPT1 during the FTP session. There are lots of possibilities. Usually the dump shows where the problem is.

• dvserg

  @Eugene:

  The beauty of the ftp helper is precisely that both modes work with it. You need to make sure it is enabled on LAN and then tcpdump what happens on LAN and OPT1 during the FTP session. There are lots of possibilities. Usually the dump shows where the problem is.

  I mean that PPTP doesn't try to get along with the helper...

• Eugene

  Of course it doesn't; they live side by side without getting in each other's way. I thought the question was about FTP, or did I miss something?

• programmist_w

  The question still stands, and it was about both PPTP and FTP. :'(

• Eugene

  1. VPN. If the PPTP server is not pfSense itself but some machine connected to the LAN, then on OPT1 there must be two NAT port forwards: one for the GRE protocol and one for TCP port 1723. Accordingly there must be two rules on OPT1.
  2. FTP. You need to look with tcpdump at what is wrong in your case. Suppose you connect from client IP x.x.x.x to OPT1, trying to reach FTP server IP y.y.y.y on LAN. Try the following from the console:
  tcpdump -i <opt1_interface_name> -n -s0 host x.x.x.x
  And at the same time in another console:
  tcpdump -i <lan_interface_name> -n -s0 host x.x.x.x or host y.y.y.y

• programmist_w

  1. PPTP is pfSense itself.
  2. I'll try.

• Eugene

  1. And what do the rules on OPT1 for GRE and 1723 look like?

• programmist_w

  1. There are no rules there, no NAT; on WAN there is nothing either, and PPTP works. Or do rules need to be written there?

• Eugene

  1. I think so. Two rules on OPT1:
  Allow protocol GRE from any IP to the OPT1 interface IP
  Allow protocol TCP port 1723 from any IP to the OPT1 interface IP

• programmist_w

  1. Done, opened the rules in RULES OPT1. It gets as far as the user and password check and then drops with a port-closed error; over WAN everything goes fine. Where to dig next?

• Eugene

  There's nowhere further to dig.

  1. tcpdump on OPT1 should show the problem
     or
  2. give me the output of pfctl -sr | grep <opt1_interface_name>

• programmist_w

  2 EUGENE - I made the dumps, but honestly I only vaguely understand them, both from the interface where the connection goes through and from the one where it doesn't; what should I be looking for there?

  Where it goes through:

                                            tcpdump -i rl0 -vv | grep pptp

                                            tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
                                            12:35:27.967724 IP (tos 0x20, ttl 101, id 625, offset 0, flags [DF], proto TCP (6), length 48) 193.201.231.34.30795 > 81.195.135.114.pptp: S, cksum 0x683f (correct), 2725853150:2725853150(0) win 16384 <mss 1300,nop,nop,sackok>
                                            12:35:27.967984 IP (tos 0x0, ttl 64, id 319, offset 0, flags [DF], proto TCP (6), length 48) 81.195.135.114.pptp > 193.201.231.34.30795: S, cksum 0x6b41 (correct), 536813346:536813346(0) ack 2725853151 win 65228 <mss 1300,sackok,eol>
                                            12:35:29.282942 IP (tos 0x20, ttl 101, id 626, offset 0, flags [DF], proto TCP (6), length 196) 193.201.231.34.30795 > 81.195.135.114.pptp: P 1:157(156) ack 1 win 16900: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
                                            12:35:29.283159 IP (tos 0x0, ttl 64, id 57602, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9495 (correct), 1:1(0) ack 157 win 65535
                                            12:35:29.284014 IP (tos 0x0, ttl 64, id 35158, offset 0, flags [DF], proto TCP (6), length 196) 81.195.135.114.pptp > 193.201.231.34.30795: P 1:157(156) ack 157 win 65535: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1:Successful channel establishment) ERR_CODE(0:None) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(257) [|pptp]
                                            12:35:30.072215 IP (tos 0x20, ttl 100, id 627, offset 0, flags [DF], proto TCP (6), length 208) 193.201.231.34.30795 > 81.195.135.114.pptp: P 157:325(168) ack 157 win 16744: pptp Length=168 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(61247) CALL_SER_NUM(2935) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
                                            12:35:30.072349 IP (tos 0x0, ttl 64, id 59172, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9351 (correct), 157:157(0) ack 325 win 65535
                                            12:35:30.074248 IP (tos 0x0, ttl 64, id 57405, offset 0, flags [DF], proto TCP (6), length 72) 81.195.135.114.pptp > 193.201.231.34.30795: P, cksum 0x21da (correct), 157:189(32) ack 325 win 65535: pptp Length=32 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(12380) PEER_CALL_ID(61247) RESULT_CODE(1:Connected) ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(0)
                                            12:35:30.907737 IP (tos 0x20, ttl 100, id 628, offset 0, flags [DF], proto TCP (6), length 64) 193.201.231.34.30795 > 81.195.135.114.pptp: P, cksum 0xcacc (correct), 325:349(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12380) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
                                            12:35:30.907876 IP (tos 0x0, ttl 64, id 60748, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9319 (correct), 189:189(0) ack 349 win 65535
                                            12:35:32.363060 IP (tos 0x20, ttl 100, id 633, offset 0, flags [DF], proto TCP (6), length 64) 193.201.231.34.30795 > 81.195.135.114.pptp: P, cksum 0xcab4 (correct), 349:373(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12380) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
                                            12:35:32.363202 IP (tos 0x0, ttl 64, id 31283, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9301 (correct), 189:189(0) ack 373 win 65535
                                            12:35:47.594406 IP (tos 0x20, ttl 100, id 711, offset 0, flags [DF], proto TCP (6), length 64) 193.201.231.34.30795 > 81.195.135.114.pptp: P, cksum 0xca9c (correct), 373:397(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12380) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
                                            12:35:47.594568 IP (tos 0x0, ttl 64, id 38925, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x92e9 (correct), 189:189(0) ack 397 win 65535
                                            12:35:49.619933 IP (tos 0x0, ttl 64, id 11620, offset 0, flags [DF], proto TCP (6), length 56) 81.195.135.114.pptp > 193.201.231.34.30795: P, cksum 0x3945 (correct), 189:205(16) ack 397 win 65535: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRQ REASON(3:Stop-Local-Shutdown)
                                            12:35:49.620062 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [DF], proto TCP (6), length 188) 81.195.135.114.pptp > 193.201.231.34.30795: P 205:353(148) ack 397 win 65535: pptp Length=148 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=CDN CALL_ID(12380) RESULT_CODE(3:Admin Shutdown) ERR_CODE(0:None) CAUSE_CODE(0) [|pptp]
                                            12:35:51.206539 IP (tos 0x0, ttl 64, id 30238, offset 0, flags [DF], proto TCP (6), length 204) 81.195.135.114.pptp > 193.201.231.34.30795: P 189:353(164) ack 397 win 65535: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRQ REASON(3:Stop-Local-Shutdown)
                                            12:35:51.437511 IP (tos 0x20, ttl 100, id 719, offset 0, flags [DF], proto TCP (6), length 56) 193.201.231.34.30795 > 81.195.135.114.pptp: P, cksum 0xf9fb (correct), 397:413(16) ack 205 win 16696: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRP RESULT_CODE(1:OK) ERR_CODE(0:None)
                                            12:35:51.437645 IP (tos 0x0, ttl 64, id 31245, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9235 (correct), 353:353(0) ack 413 win 65535
                                            12:35:51.438392 IP (tos 0x0, ttl 64, id 31233, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: F, cksum 0x9234 (correct), 353:353(0) ack 413 win 65535
                                            12:35:52.751589 IP (tos 0x20, ttl 100, id 726, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.30795 > 81.195.135.114.pptp: ., cksum 0x5191 (correct), 413:413(0) ack 353 win 16548
                                            12:35:52.771997 IP (tos 0x20, ttl 100, id 727, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.30795 > 81.195.135.114.pptp: F, cksum 0x5190 (correct), 413:413(0) ack 353 win 16548
                                            12:35:52.811899 IP (tos 0x20, ttl 100, id 728, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.30795 > 81.195.135.114.pptp: ., cksum 0x518f (correct), 414:414(0) ack 354 win 16548
                                            12:35:56.429730 IP (tos 0x20, ttl 100, id 731, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.30795 > 81.195.135.114.pptp: F, cksum 0x518f (correct), 413:413(0) ack 354 win 16548
                                            12:35:56.429855 IP (tos 0x0, ttl 64, id 15199, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9234 (correct), 354:354(0) ack 414 win 65534
                                            ^C11135 packets captured
                                            11175 packets received by filter
                                            0 packets dropped by kernel

  Where it doesn't go through:

                                            tcpdump -i rl1 -vv | grep pptp

                                            tcpdump: listening on rl1, link-type EN10MB (Ethernet), capture size 96 bytes
                                            12:30:05.941170 IP (tos 0x20, ttl 101, id 610, offset 0, flags [DF], proto TCP (6), length 48) 193.201.231.34.50835 > 81.195.169.34.pptp: S, cksum 0x16d6 (correct), 4076914887:4076914887(0) win 16384 <mss 1300,nop,nop,sackok>
                                            12:30:05.941481 IP (tos 0x0, ttl 64, id 65022, offset 0, flags [DF], proto TCP (6), length 48) 81.195.169.34.pptp > 193.201.231.34.50835: S, cksum 0x51a6 (correct), 3574739520:3574739520(0) ack 4076914888 win 65228 <mss 1300,sackok,eol>
                                            12:30:07.660204 IP (tos 0x20, ttl 101, id 611, offset 0, flags [DF], proto TCP (6), length 196) 193.201.231.34.50835 > 81.195.169.34.pptp: P 1:157(156) ack 1 win 16900: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
                                            12:30:07.660444 IP (tos 0x0, ttl 64, id 30967, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x7afa (correct), 1:1(0) ack 157 win 65535
                                            12:30:07.661293 IP (tos 0x0, ttl 64, id 18083, offset 0, flags [DF], proto TCP (6), length 196) 81.195.169.34.pptp > 193.201.231.34.50835: P 1:157(156) ack 157 win 65535: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1:Successful channel establishment) ERR_CODE(0:None) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(257) [|pptp]
                                            12:30:08.512164 IP (tos 0x20, ttl 100, id 612, offset 0, flags [DF], proto TCP (6), length 208) 193.201.231.34.50835 > 81.195.169.34.pptp: P 157:325(168) ack 157 win 16744: pptp Length=168 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(57281) CALL_SER_NUM(2934) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
                                            12:30:08.512304 IP (tos 0x0, ttl 64, id 29657, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x79b6 (correct), 157:157(0) ack 325 win 65535
                                            12:30:08.514217 IP (tos 0x0, ttl 64, id 6110, offset 0, flags [DF], proto TCP (6), length 72) 81.195.169.34.pptp > 193.201.231.34.50835: P, cksum 0x17be (correct), 157:189(32) ack 325 win 65535: pptp Length=32 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(12379) PEER_CALL_ID(57281) RESULT_CODE(1:Connected) ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(0)
                                            12:30:09.487822 IP (tos 0x20, ttl 100, id 613, offset 0, flags [DF], proto TCP (6), length 64) 193.201.231.34.50835 > 81.195.169.34.pptp: P, cksum 0xb132 (correct), 325:349(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12379) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
                                            12:30:09.487955 IP (tos 0x0, ttl 64, id 61384, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x797e (correct), 189:189(0) ack 349 win 65535
                                            12:30:25.924914 IP (tos 0x0, ttl 64, id 24554, offset 0, flags [DF], proto TCP (6), length 56) 81.195.169.34.pptp > 193.201.231.34.50835: P, cksum 0x1fda (correct), 189:205(16) ack 349 win 65535: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRQ REASON(3:Stop-Local-Shutdown)
                                            12:30:25.925056 IP (tos 0x0, ttl 64, id 55425, offset 0, flags [DF], proto TCP (6), length 188) 81.195.169.34.pptp > 193.201.231.34.50835: P 205:353(148) ack 349 win 65535: pptp Length=148 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=CDN CALL_ID(12379) RESULT_CODE(3:Admin Shutdown) ERR_CODE(0:None) CAUSE_CODE(0) [|pptp]
                                            12:30:27.118941 IP (tos 0x20, ttl 100, id 620, offset 0, flags [DF], proto TCP (6), length 56) 193.201.231.34.50835 > 81.195.169.34.pptp: P, cksum 0xe090 (correct), 349:365(16) ack 205 win 16696: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRP RESULT_CODE(1:OK) ERR_CODE(0:None)
                                            12:30:27.119105 IP (tos 0x0, ttl 64, id 25327, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x78ca (correct), 353:353(0) ack 365 win 65535
                                            12:30:27.119678 IP (tos 0x0, ttl 64, id 51709, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: F, cksum 0x78c9 (correct), 353:353(0) ack 365 win 65535
                                            12:30:27.159304 IP (tos 0x20, ttl 100, id 621, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.50835 > 81.195.169.34.pptp: ., cksum 0x3826 (correct), 365:365(0) ack 353 win 16548
                                            12:30:27.895540 IP (tos 0x20, ttl 100, id 622, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.50835 > 81.195.169.34.pptp: F, cksum 0x3825 (correct), 365:365(0) ack 353 win 16548
                                            12:30:27.915437 IP (tos 0x20, ttl 100, id 623, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.50835 > 81.195.169.34.pptp: ., cksum 0x3824 (correct), 366:366(0) ack 354 win 16548
                                            12:30:31.542210 IP (tos 0x20, ttl 100, id 624, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.50835 > 81.195.169.34.pptp: F, cksum 0x3824 (correct), 365:365(0) ack 354 win 16548
                                            12:30:31.542342 IP (tos 0x0, ttl 64, id 56252, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x78c9 (correct), 354:354(0) ack 366 win 65534

  pfctl opt1:

                                            pfctl -sr | grep rl1

                                            block drop in on ! rl1 inet from 81.195.169.0/24 to any
                                            block drop in on rl1 inet6 from fe80::21c:c0ff:fe9d:fe25 to any
                                            pass out quick on rl1 all flags S/SA keep state label "let out anything from firewall host itself"
                                            pass out quick on rl1 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
                                            pass out quick on rl1 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = ftp flags S/SA keep state label "USER_RULE: NAT "
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = pptp flags S/SA keep state label "USER_RULE: NAT "
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto gre from any to 81.195.169.34 keep state label "USER_RULE: NAT "
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = ntp flags S/SA keep state label "USER_RULE: NAT "
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto udp from any to 81.195.169.34 port = ntp keep state label "USER_RULE: NAT "
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 192.168.0.240 port = smtp flags S/SA keep state label "USER_RULE: NAT "
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 192.168.0.240 port = pop3 flags S/SA keep state label "USER_RULE: NAT "
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = 3155 flags S/SA keep state label "USER_RULE"
                                            pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 192.168.0.240 port = 8010 flags S/SA keep state label "USER_RULE: NAT "
                                            block drop in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp all label "USER_RULE"
                                            pass in quick on sis0 route-to { (rl0 81.195.135.113), (rl1 81.195.169.33) } round-robin inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE"
                                            pass in quick on sis0 route-to { (rl0 81.195.135.113), (rl1 81.195.169.33) } round-robin inet proto tcp from any to any port = 8080 flags S/SA keep state label "USER_RULE"
                                            pass in quick on sis0 route-to (rl1 81.195.169.33) inet proto tcp from any to any port = pop3 flags S/SA keep state label "USER_RULE"
                                            pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                                            pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"

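To compare the two dumps above the way Eugene suggests, here is an added Python script (not code from this thread or from pfSense) that reads `tcpdump -vv` text, follows the PPTP control-channel messages (SCCRQ/SCCRP, OCRQ/OCRP, SLI, StopCCRQ/CDN), reports who tore the call down and how long after connect, and counts GRE data packets. It assumes the tcpdump line format shown in the thread; the embedded SAMPLE is a constructed capture modelled on the failing rl1 dump, with RFC 5737 documentation addresses in place of the real hosts.

```python
"""Summarise one PPTP control session (TCP/1723) from `tcpdump -vv` text.
Added example for this thread; not pfSense code and not posted by anyone in it.
SAMPLE is a constructed capture modelled on the thread's dumps (RFC 5737 addresses)."""
import re
from datetime import datetime

HDR_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?proto (?P<proto>\w+) \(\d+\), "
                    r"length \d+\) (?P<rest>.*)$")
TCP_RE = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+):")
MSG_RE = re.compile(r"CTRL_MSGTYPE=(\w+)")
RESULT_RE = re.compile(r"RESULT_CODE\((\d+):([^)]*)\)")
REASON_RE = re.compile(r"REASON\((\d+):([^)]*)\)")

def parse_dump(text):
    """Return (control_messages, gre_packet_count), in capture order."""
    msgs, gre = [], 0
    for line in text.splitlines():
        h = HDR_RE.match(line)
        if not h:
            continue
        if h.group("proto").upper() == "GRE":      # PPTP data channel
            gre += 1
            continue
        t, m = TCP_RE.match(h.group("rest")), MSG_RE.search(line)
        if not t or not m:
            continue                                # bare ACK/FIN or non-PPTP TCP
        msg = {"ts": datetime.strptime(h.group("ts"), "%H:%M:%S.%f"),
               "type": m.group(1),
               # the server is whichever end owns port 1723 ("pptp" when tcpdump runs without -n)
               "from_server": t.group("sport") in ("pptp", "1723")}
        for key, rx in (("result", RESULT_RE), ("reason", REASON_RE)):
            found = rx.search(line)
            if found:
                msg[key] = (int(found.group(1)), found.group(2))
        msgs.append(msg)
    return msgs, gre

def summarise(text):
    """Reduce a capture to the facts worth comparing between two interfaces."""
    msgs, gre = parse_dump(text)
    first = {}
    for m in msgs:
        first.setdefault(m["type"], m)              # retransmits repeat a type; keep the first
    def ok(name):                                   # RESULT_CODE 1 means success in *RP replies
        return first.get(name, {}).get("result", (0,))[0] == 1
    s = {"control_established": ok("SCCRP"), "call_connected": ok("OCRP"),
         "sli_count": sum(m["type"] == "SLI" for m in msgs), "gre_packets": gre,
         "torn_down_by": None, "teardown_reason": None, "call_lifetime_s": None}
    stop = first.get("StopCCRQ") or first.get("CDN")
    if stop:
        s["torn_down_by"] = "server" if stop["from_server"] else "client"
        s["teardown_reason"] = (stop.get("reason") or stop.get("result") or (None, "?"))[1]
        if "OCRP" in first:
            s["call_lifetime_s"] = (stop["ts"] - first["OCRP"]["ts"]).total_seconds()
    return s

def diagnose(s):
    """Turn a summary into the next question a dump reader should ask."""
    notes = []
    if not s["control_established"]:
        notes.append("control channel never established: check the TCP/1723 rule or NAT")
    elif not s["call_connected"]:
        notes.append("OCRQ/OCRP failed: the server rejected the call")
    elif s["gre_packets"] == 0:
        notes.append("no GRE seen: the capture filter dropped it or GRE never reaches this interface")
    if s["torn_down_by"] == "server":
        notes.append("server tore the call down (%s) %.1fs after connect"
                     % (s["teardown_reason"], s["call_lifetime_s"]))
    return notes

# Constructed sample (failing side, control channel only, as `grep pptp` would leave it).
SAMPLE = """\
12:30:07.660204 IP (tos 0x20, ttl 101, id 611, offset 0, flags [DF], proto TCP (6), length 196) 203.0.113.34.50835 > 198.51.100.34.pptp: P 1:157(156) ack 1 win 16900: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
12:30:07.661293 IP (tos 0x0, ttl 64, id 18083, offset 0, flags [DF], proto TCP (6), length 196) 198.51.100.34.pptp > 203.0.113.34.50835: P 1:157(156) ack 157 win 65535: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1:Successful channel establishment) ERR_CODE(0:None) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(257) [|pptp]
12:30:08.512164 IP (tos 0x20, ttl 100, id 612, offset 0, flags [DF], proto TCP (6), length 208) 203.0.113.34.50835 > 198.51.100.34.pptp: P 157:325(168) ack 157 win 16744: pptp Length=168 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(57281) CALL_SER_NUM(2934) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
12:30:08.514217 IP (tos 0x0, ttl 64, id 6110, offset 0, flags [DF], proto TCP (6), length 72) 198.51.100.34.pptp > 203.0.113.34.50835: P, cksum 0x17be (correct), 157:189(32) ack 325 win 65535: pptp Length=32 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(12379) PEER_CALL_ID(57281) RESULT_CODE(1:Connected) ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(0)
12:30:09.487822 IP (tos 0x20, ttl 100, id 613, offset 0, flags [DF], proto TCP (6), length 64) 203.0.113.34.50835 > 198.51.100.34.pptp: P, cksum 0xb132 (correct), 325:349(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12379) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
12:30:09.487955 IP (tos 0x0, ttl 64, id 61384, offset 0, flags [DF], proto TCP (6), length 40) 198.51.100.34.pptp > 203.0.113.34.50835: ., cksum 0x797e (correct), 189:189(0) ack 349 win 65535
12:30:25.924914 IP (tos 0x0, ttl 64, id 24554, offset 0, flags [DF], proto TCP (6), length 56) 198.51.100.34.pptp > 203.0.113.34.50835: P, cksum 0x1fda (correct), 189:205(16) ack 349 win 65535: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRQ REASON(3:Stop-Local-Shutdown)
12:30:25.925056 IP (tos 0x0, ttl 64, id 55425, offset 0, flags [DF], proto TCP (6), length 188) 198.51.100.34.pptp > 203.0.113.34.50835: P 205:353(148) ack 349 win 65535: pptp Length=148 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=CDN CALL_ID(12379) RESULT_CODE(3:Admin Shutdown) ERR_CODE(0:None) CAUSE_CODE(0) [|pptp]
12:30:27.118941 IP (tos 0x20, ttl 100, id 620, offset 0, flags [DF], proto TCP (6), length 56) 203.0.113.34.50835 > 198.51.100.34.pptp: P, cksum 0xe090 (correct), 349:365(16) ack 205 win 16696: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRP RESULT_CODE(1:OK) ERR_CODE(0:None)
"""
```

Run `diagnose(summarise(text))` on each interface's dump and compare the two results; because `grep pptp` discards GRE lines, capture the failing side again with a filter such as `tcp port 1723 or proto gre` before trusting the GRE count.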