Can't access NATed Server from one external IP
-
Do you see any entry in the firewall-log?
Is another computer from the same public subnet able to access it?
-
Interesting thing is I am able to login from the server to the public machine which cannot access my server. Also I can see the packets hitting my firewall on the correct port, but it's not crossing the firewall. In the GUI logs, I am not able to find anything helpful. How can I access the logs through the cli, meaning the name & location of the log files?
Thanks,
Premod
-
This is what I am seeing in the filter.log file,
Aug 27 16:31:32 myfw pf: 815342 rule 56/0(match): block in on vr0: (tos 0x10, ttl 48, id 8457, offset 0, flags [DF], proto TCP (6), length 60) 17.1xx.1xx.94.49269 > 10.1xx.x1.17.22: S, cksum 0x4be7 (correct), 3233901315:3233901315(0) win 5840 <mss 1460,sackOK,timestamp 232413099 0,nop,wscale 2>
vr0 is my external (WAN) interface and I don't have a blocking rule which I have made through the web GUI. How do I find the rules through cli commands, as it says rule 56/0 is blocking the traffic?
Thanks in advance.
Premod
-
Status --> System Log --> Firewall
Click in the GUI on the color-thingy on the left side and it will tell you which rule blocked it. If you didn't create any rules at all, everything will be blocked.
(default behaviour is: block everything). You can see the created rules under:
address_of_your_pfsense/status.php#pfctl%20-s%20rules%20-vv
-
Thanks, this is what I am seeing when clicking on the colored thing:
@56 block drop in log quick on vr0 from <bogons:50> to any label "block bogon networks from wan"
What does it mean? Seems an auto-generated rule.
Thanks,
Premod
-
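The log line quoted earlier in the thread and the `@56 ...` rule line above are what the GUI joins up when you click the coloured icon. As an added example (not part of the original posts and not pfSense code), the Python below does the same join from the cli side: it parses filter.log entries, pulls out the rule number, and looks that number up in a saved `pfctl -vvsr` dump to recover the rule text and its label. The log lines and ruleset dump are constructed here (TEST-NET and RFC 1918 addresses); only the rule number 56 and the bogon label follow the thread.

```python
"""Map blocked packets in a pf filter.log to the rule that blocked them.

Added example, not pfSense code. Sample data below is constructed: the
addresses are documentation/private ranges, the rule number and label are
the ones seen in the thread.
"""
import re
from collections import Counter

# pf logs in tcpdump style:
#   "... pf: N rule 56/0(match): block in on vr0: (tos ..., proto TCP (6), length 60) SRC.SPORT > DST.DPORT: ..."
PF_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pf: \d+ "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\((?P<ipinfo>.*?)\) "            # lazy: the IP header block itself contains "(6)"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
PROTO_RE = re.compile(r"proto (?P<proto>[A-Za-z]+) \((?P<num>\d+)\)")

# `pfctl -vvsr` prints one rule per line prefixed "@<number>", followed by an
# indented counter line; only the "@" lines are indexed here.
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<body>.*)$")
LABEL_RE = re.compile(r'label "(?P<label>[^"]*)"')

# Constructed sample data (not from the thread's firewall).
SAMPLE_LOG_LINES = [
    "Aug 27 16:31:32 myfw pf: 815342 rule 56/0(match): block in on vr0: (tos 0x10, ttl 48, id 8457, "
    "offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.94.49269 > 10.0.0.17.22: S, cksum 0x4be7 "
    "(correct), 3233901315:3233901315(0) win 5840 <mss 1460,sackOK,timestamp 232413099 0,nop,wscale 2>",
    "Aug 27 16:32:01 myfw pf: 815343 rule 55/0(match): pass in on vr0: (tos 0x0, ttl 64, id 1, "
    "offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.5.40000 > 10.0.0.17.22: S, cksum 0x0000 "
    "(correct), 1:1(0) win 65535 <mss 1460,sackOK>",
    "Aug 27 16:33:10 myfw pf: 815344 rule 56/0(match): block in on vr0: (tos 0x10, ttl 48, id 8458, "
    "offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.94.49270 > 10.0.0.17.22: S, cksum 0x4be8 "
    "(correct), 3233901316:3233901316(0) win 5840 <mss 1460,sackOK,timestamp 232413100 0,nop,wscale 2>",
]
SAMPLE_RULESET = """\
@55 pass in quick on vr0 proto tcp from any to 10.0.0.17 port = 22 flags S/SA keep state label "allow ssh"
  [ Evaluations: 4321      Packets: 40        Bytes: 2400       States: 1     ]
@56 block drop in log quick on vr0 from <bogons:50> to any label "block bogon networks from wan"
  [ Evaluations: 1234      Packets: 12        Bytes: 720        States: 0     ]
"""


def parse_pf_log_line(line):
    """Return the useful fields of one filter.log line, or None if it is not a pf packet log."""
    m = PF_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PROTO_RE.search(rec["ipinfo"])
    rec["proto"] = p.group("proto") if p else None
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def load_ruleset(dump):
    """Index a `pfctl -vvsr` style dump by rule number: {num: (rule text, label)}."""
    rules = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # counter lines and anything else that is not a rule
        lab = LABEL_RE.search(m.group("body"))
        rules[int(m.group("num"))] = (m.group("body"), lab.group("label") if lab else "")
    return rules


def explain_block(line, rules):
    """Tie a blocked packet to the text of the rule that dropped it (None for non-block lines)."""
    rec = parse_pf_log_line(line)
    if rec is None or rec["action"] != "block":
        return None
    body, label = rules.get(rec["rule"], ("<rule not in loaded ruleset>", ""))
    rec["rule_text"] = body
    rec["label"] = label
    # The thread's case: an auto-generated rule referencing the bogons table.
    rec["bogon_rule"] = "bogon" in body
    return rec


def summarize_blocks(lines, rules):
    """Count blocked packets per (rule number, label) for a quick triage of the log."""
    counts = Counter()
    for line in lines:
        rec = explain_block(line, rules)
        if rec:
            counts[(rec["rule"], rec["label"])] += 1
    return dict(counts)


if __name__ == "__main__":
    ruleset = load_ruleset(SAMPLE_RULESET)
    for (num, label), n in summarize_blocks(SAMPLE_LOG_LINES, ruleset).items():
        print(f"rule @{num} ({label!r}) blocked {n} packet(s)")
```

On a real box the two inputs would be `/var/log/filter.log` and the output of `pfctl -vvsr`; a source that is dropped by a rule whose text references `<bogons>` means the address is in the bogon table, which is the check to make before deciding whether the table is stale or the rule is doing its job.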
Bogon networks are IP blocks which are not yet assigned and thus should never appear at your WAN.
You can disable this rule on the WAN config page. It could be that this IP block has just recently been assigned.
pfSense should update its list of bogon networks periodically by itself. These threads should help you to update the list manually:
http://forum.pfsense.org/index.php/topic,15650.0.html
--> http://forum.pfsense.org/index.php/topic,13278.0.html
-
Thanks, GruensFroeschli
I have disabled the firewall rule and it's just working fine.
Thanks,
Premod
-
Well I wouldn't just disable the rule ^^"
It's there for a reason ;) Have you tried dotdash's suggestion?
I copied /etc/rc.update_bogons.sh to a temporary script, removed the sleep and ran it.
-
As for a temporary fix, I have manually removed the network which was being blocked for me. And as per the other posts I have checked my crontab file and the xml file also. Both files have entries as follows:
###/etc/crontab####
1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
####config.xml#####
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month></month>
<wday></wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
######################################################
But the update is not happening, I am sure. I tried running the script manually, but didn't see anything happening. How can I make it run automatically?
Thanks,
Premod
-
Update happens once per month. What makes you think it does not?