Updating problems with mail server at DMZ, NAT problems? x86
-
I installed the latest snapshot and loaded the config from the previous version (1.2.3). Right now only connections to IPPublica4 appear to be affected, which is NATed to the mail server in the DMZ: no service on that server can be reached (no webmail, IMAP, POP, SMTP…).
IPPublica1=Mail server
IPPublica3=web server
IPPublica4=Wan Firewall
IPPublica5=Default WAN Router
Here is rules.debug:

# System aliases
loopback = "{ lo0 }"
WAN = "{ em1 }"
LAN = "{ bge0 }"
DMZ = "{ em2 }"
WAN2_ADSL = "{ em0 }"
pptp = "{ pptp }"
IPsec = "{ enc0 }"
OpenVPN = "{ openvpn }"

# SSH Lockout Table
table <sshlockout> persist

# Snort2C table
table <snort2c>
table <virusprot>

# User Aliases
table <correo> { 10.0.0.22 }
Correo = "<correo>"
table <red_dmz> { 10.0.0.1/24 }
RED_DMZ = "<red_dmz>"
table <red_local> { 172.26.0.0/24 }
Red_Local = "<red_local>"
table <servidor_web> { 10.0.0.25 }
Servidor_Web = "<servidor_web>"
table <voip> { 172.26.253.0/24 172.26.0.246/32 }
Voip = "<voip>"

# Gateways
GWGW_WAN = " route-to ( em1 IPPublica5 ) "
GWGW_OPT2 = " route-to ( em0 10.1.0.1 ) "
GWSROUTE0 = " route-to ( bge0 172.26.254.26 ) "
GWSROUTE1 = " route-to ( bge0 172.26.254.66 ) "
GWSROUTE2 = " route-to ( bge0 172.26.254.70 ) "
GWSROUTE3 = " route-to ( bge0 172.26.254.34 ) "
GWSROUTE4 = " route-to ( bge0 172.26.254.2 ) "

set loginterface em1
set loginterface bge0
set loginterface em2
set loginterface em0
set optimization normal
set limit states 198000

set skip on pfsync0

scrub in on $WAN all fragment reassemble
scrub in on $LAN all fragment reassemble
scrub in on $DMZ all fragment reassemble
scrub in on $WAN2_ADSL all fragment reassemble

nat-anchor "natearly/"
nat-anchor "natrules/"

# Outbound NAT rules
nat on $LAN from 172.26.0.0/24 to any -> 172.26.0.10/32 port 1024:65535
nat on $WAN2_ADSL from 172.26.0.0/24 to any -> 10.1.0.2/32 port 1024:65535
nat on $WAN from 172.26.0.0/24 to any -> IPPublica4/32 port 1024:65535
nat on $WAN from 10.0.0.22/32 to !172.26.0.0/24 port 25 -> IPPublica1/32 port 1024:65535
nat on $WAN from 10.0.0.22/32 to !172.26.0.0/24 port 53 -> IPPublica1/32 port 1024:65535
nat on $WAN from 10.0.0.22/32 port 53 to !172.26.0.0/24 -> IPPublica1/32 port 1024:65535
nat on $WAN from 10.0.0.31/32 port 53 to !172.26.0.0/24 -> IPPublica1/32 port 1024:65535
nat on $WAN from 10.0.0.30/32 port 53 to !172.26.0.0/24 -> IPPublica3/32 port 53
nat on $WAN from 10.0.0.30/32 to !172.26.0.0/24 -> IPPublica4/32 port 1024:65535
nat on $LAN from 10.0.0.30/32 to 172.26.0.0/24 port 1433 -> 172.26.0.10/32 port 1024:65535
nat on $LAN from 10.0.0.25/32 to 172.26.0.250/32 port 445 -> 172.26.0.10/32 port 1024:65535
nat on $WAN from 10.0.0.25/32 to !172.26.0.0/24 -> IPPublica3/32 port 1024:65535
nat on $LAN from 10.0.0.22/32 to 172.26.0.201/32 -> 172.26.0.10/32 port 1024:65535
nat on $WAN from 172.26.0.0/24 to 10.0.0.0/24 -> IPPublica4/32 port 1024:65535
nat on $WAN from 10.0.0.22/32 to !172.26.0.0/24 port 80 -> IPPublica1/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"

# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <vpns> { 192.168.3.0/24 192.168.1.0/24 192.168.0.0/24 192.168.2.0/24 192.168.222.0/24 }
table <direct_networks> { 213.201.119.96/29 172.26.0.0/24 10.0.0.0/24 10.1.0.0/24 172.26.0.16/32 }

# NAT Inbound Redirects
rdr on em1 proto tcp from any to IPPublica1 port 80 -> 10.0.0.22
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 80 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on em1 proto tcp from any to IPPublica1 port 25 -> 10.0.0.22
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 25 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on em1 proto tcp from any to IPPublica1 port 5222:5223 -> 10.0.0.22
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 5222:5223 tag PFREFLECT -> 127.0.0.1 port 19002:19003
rdr on em1 proto tcp from any to IPPublica1 port 993 -> 10.0.0.22
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 993 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on em1 proto tcp from any to IPPublica1 port 465 -> 10.0.0.22
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 465 tag PFREFLECT -> 127.0.0.1 port 19005
rdr on em1 proto tcp from any to IPPublica1 port 443 -> 10.0.0.22
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 443 tag PFREFLECT -> 127.0.0.1 port 19006
rdr on em1 proto tcp from any to IPPublica1 port 143 -> 10.0.0.22
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 143 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on em1 proto { tcp udp } from any to IPPublica4 port 80 -> 172.26.0.253
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica4 port 80 tag PFREFLECT -> 127.0.0.1 port 19008
rdr on em1 proto { tcp udp } from any to IPPublica1 port 53 -> 10.0.0.31
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica1 port 53 tag PFREFLECT -> 127.0.0.1 port 19009
rdr on em1 proto { tcp udp } from any to IPPublica3 port 53 -> 10.0.0.30
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica3 port 53 tag PFREFLECT -> 127.0.0.1 port 19010
rdr on em1 proto { tcp udp } from any to IPPublica4 port 8080 -> 172.26.0.253
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica4 port 8080 tag PFREFLECT -> 127.0.0.1 port 19011
rdr on em1 proto tcp from any to IPPublica3 port 80 -> 10.0.0.30
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica3 port 80 tag PFREFLECT -> 127.0.0.1 port 19012
rdr on em1 proto { tcp udp } from any to IPPublica3 port 443 -> 10.0.0.30
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica3 port 443 tag PFREFLECT -> 127.0.0.1 port 19013
rdr on em1 proto udp from any to IPPublica4 port 69 -> 172.26.0.246
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 69 tag PFREFLECT -> 127.0.0.1 port 19014
rdr on em1 proto udp from any to IPPublica4 port 5060 -> 172.26.0.246
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 5060 tag PFREFLECT -> 127.0.0.1 port 19015
rdr on em1 proto udp from any to IPPublica4 port 5061 -> 172.26.0.246
# Reflection redirects
rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 5061 tag PFREFLECT -> 127.0.0.1 port 19016

# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"
anchor "firewallrules"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# snort2c
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"
block in log quick proto carp from (self) to any
pass quick proto carp
pass quick proto pfsync

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for em1

# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for bge0
antispoof for em2
antispoof for em0
anchor "spoofing"

# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
anchor "firewallout"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em1 IPPublica5 ) from IPPublica4 to !213.201.119.96/29 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 10.1.0.1 ) from 10.1.0.2 to !10.1.0.0/24 keep state allow-opts label "let out anything from firewall host itself"
pass out on $IPsec all keep state label "IPsec internal host to host"

# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on bge0 from any to (bge0) keep state label "anti-lockout rule"

# PPTPd rules
anchor "pptp"
pass in on $WAN proto gre from any to IPPublica4 keep state label "allow gre pptpd"
pass in on $WAN proto tcp from any to IPPublica4 port = 1723 modulate state label "allow pptpd IPPublica4"

# NAT Reflection rules
pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"

# User-defined rules follow
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to IPPublica4 port 1723 flags S/SA keep state label "USER_RULE: Permitir peticiones PPTP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 80 label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 22 label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 10.0.0.22 port 53 label "USER_RULE: NAT [ZIMBRA]-REDIRECCION DNS "
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 25 label "USER_RULE: NAT [ZIMBRA]-REDIRECCION SMTP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 5221 >< 5224 label "USER_RULE: NAT [ZIMBRA]-REDIRECCION XMPP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 993 label "USER_RULE: NAT ZIMBRA REDIRECCION IMAPS"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 465 label "USER_RULE: NAT [ZIMBRA]-Redireccion SMTP Seguro"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 443 label "USER_RULE: NAT [ZIMBRA]-REDIRECCION HTTP SEGURO"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 143 label "USER_RULE: NAT [ZIMBRA]-REDIRECCION IMAP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) from 10.0.0.30 to any keep state label "USER_RULE: SALIDA WAN DE HOSTING1"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 500 keep state label "USER_RULE: PERMITIR TUNELES IPSEC "
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto esp from any to any keep state label "USER_RULE: PROTOCOLO ESP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto ah from any to any keep state label "USER_RULE"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) inet proto icmp from any to any keep state label "USER_RULE: Responder Pings desde WAN"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.30 port 80 label "USER_RULE: NAT [WWW2]-REDIRECCION HTTP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 10.0.0.22 port 53 label "USER_RULE: NAT ENTRADA DNS A CORREO"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 10.0.0.30 port 53 label "USER_RULE: NAT ENTRADA DNS A HOSTING1"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 10.0.0.30 port 53 label "USER_RULE: NAT ENTRADA DNS FIREWALL (PROVISIONAL)"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 10.0.0.31 port 53 keep state label "USER_RULE: NAT ENTRADA DNS FIREWALL (PROVISIONAL)"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 172.26.0.253 port 8080 keep state label "USER_RULE: NAT FichaClientes"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 172.26.0.253 port 80 keep state label "USER_RULE: NAT FichaClientes"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to IPPublica4 port 8080 keep state label "USER_RULE: NAT FichaClientes"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to IPPublica4 port 80 keep state label "USER_RULE: NAT FichaClientes"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1194 keep state label "USER_RULE: Openvpn Nuria"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1193 keep state label "USER_RULE: Openvpn Esther Laptop"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1195 keep state label "USER_RULE: Openvpn MariCruz"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1196 keep state label "USER_RULE: Openvpn Ana"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1197 keep state label "USER_RULE: Openvpn Guadalupe"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1198 keep state label "USER_RULE: Openvpn T91MT"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1199 keep state label "USER_RULE: Openvpn T91MT"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1297 keep state label "USER_RULE: Openvpn LUIS"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1294 keep state label "USER_RULE: Permitir entrada OpenVPN (BCN)"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1295 keep state label "USER_RULE: Permitir entrada OpenVPN (BCN)"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1296 keep state label "USER_RULE: Permitir entrada VPN Esther"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to any port 1298 keep state label "USER_RULE: Permitir entrada VPN Easy"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.30 port 80 label "USER_RULE: NAT REDIRECCION WEB A HOSTING"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 10.0.0.30 port 443 label "USER_RULE: NAT ENTRADA HTTPS A HOSTING1"
pass in quick on $WAN proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WAN $GWGW_OPT2 proto tcp from any to any port 21 flags S/SA keep state label "USER_RULE: SALIDA FTP POR ADSL"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to IPPublica4 port 69 keep state label "USER_RULE: Entrada TFTP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to 172.26.0.246 port 69 keep state label "USER_RULE: NAT TFTP Centralita"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to 172.26.0.246 port 5060 keep state label "USER_RULE: NAT TFTP Centralita"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to 172.26.0.246 port 5061 label "USER_RULE: NAT TFTP Centralita"
pass in quick on $pptp from any to 172.26.0.0/24 keep state label "USER_RULE: Acceso a LAN desde PPTP"
pass in quick on $pptp from any to 10.0.0.0/24 keep state label "USER_RULE: Acceso a DMZ desde VPN PPTP"
pass in quick on $pptp from any to any keep state label "USER_RULE"
pass in quick on $DMZ from 10.0.0.25 to any keep state label "USER_RULE"
pass in log quick on $DMZ from 10.0.0.22 to any keep state label "USER_RULE: SALIDA TEMPORAL DE CORREO [BORARR ASAP]"
pass in quick on $DMZ proto tcp from 10.0.0.25 to any port 25 flags S/SA keep state label "USER_RULE: SALIENTES SMTP [VIEJO]"
pass in quick on $DMZ proto { tcp udp } from 10.0.0.25 to 172.26.0.253 keep state label "USER_RULE: [WWW VIEJO] A SQL SERVER"
pass in quick on $DMZ proto tcp from 10.0.0.30 os Linux to 172.26.0.253 port 1433 flags S/SA keep state label "USER_RULE: [WWW NUEVO] A SQL SERVER (SOLO SQL)"
pass in quick on $DMZ proto tcp from 10.0.0.30 os Linux to 172.26.0.249 port 1433 flags S/SA keep state label "USER_RULE: [WWW NUEVO] A SQL SERVER NUEVO(SOLO SQL)"
pass in quick on $DMZ proto { tcp udp } from 10.0.0.25 to 172.26.0.250 keep state label "USER_RULE: [WWW VIEJO] SALIDA A ANTIVIRUS"
pass in quick on $DMZ proto { tcp udp } from 10.0.0.25 to any port 53 keep state label "USER_RULE: [WWW VIEJO] DNS TCP"
pass in quick on $DMZ proto { tcp udp } from 10.0.0.31 to any port 53 keep state label "USER_RULE: [HOSTING1 ] DNS "
pass in quick on $DMZ proto { tcp udp } from 10.0.0.30 to any port 53 keep state label "USER_RULE: [HOSTING VIRTUAL1] DNS "
pass in quick on $DMZ proto tcp from 172.26.0.0/24 to 10.0.0.25 flags S/SA keep state label "USER_RULE"
pass in quick on $DMZ from 10.0.0.30 to ! 172.26.0.0/24 keep state label "USER_RULE: SALIDA HTTP HOSTING"
pass in quick on $DMZ from 10.0.0.12 to ! 172.26.0.0/24 keep state label "USER_RULE: SALIDA HTTP VMWARE"
pass in quick on $OpenVPN from any to any keep state label "USER_RULE: Auto added OpenVPN rule from config upgrade."
pass in quick on $LAN from any to 127.0.0.1 keep state label "USER_RULE: FTP -PROXY"
pass in quick on $LAN from 172.26.0.0/24 to 10.0.0.1/24 keep state label "USER_RULE: Dejar pasar todo el trafico hacia la DMZ"
pass in quick on $LAN from 172.26.0.0/24 to 213.201.119.96/29 keep state label "USER_RULE: Redirigir salida LAN a HOSTS en WAN"
pass in log quick on $LAN from any to 172.26.254.40/29 keep state label "USER_RULE"
pass in quick on $LAN proto tcp from 172.26.0.0/24 to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWGW_OPT2 proto tcp from 172.26.0.0/24 to any port 80 flags S/SA keep state label "USER_RULE: Redirigir salida HTTP A ADSL"
pass in quick on $LAN proto tcp from 172.26.0.0/24 to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWGW_OPT2 proto tcp from 172.26.0.0/24 to any port 443 flags S/SA keep state label "USER_RULE: Redirigir salida HTTPS A ADSL"
pass in quick on $LAN proto { tcp udp } from 172.26.0.0/24 to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWGW_OPT2 proto { tcp udp } from 172.26.0.0/24 to any port 53 keep state label "USER_RULE: Redirigir salida DNS A ADSL"
pass in log quick on $LAN proto { tcp udp } from 172.26.0.0/24 to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in log quick on $LAN $GWGW_OPT2 proto { tcp udp } from 172.26.0.0/24 to any port 21 keep state label "USER_RULE: Default LAN -> any"
pass in log quick on $LAN from 172.26.0.0/24 to any keep state label "USER_RULE: Default LAN -> any"
pass in quick on $LAN from 172.26.0.254/24 to any keep state label "USER_RULE: Acceso desde OpenVPN"
pass in quick on $LAN from 172.26.254.0/24 to any keep state label "USER_RULE"
pass in quick on $IPsec from 10.0.0.0/24 to 192.168.222.0/24 keep state label "USER_RULE: Acceso a DMZ"
pass in quick on $IPsec from 172.26.0.0/24 to 192.168.222.0/24 keep state label "USER_RULE"
pass in quick on $IPsec from any to 127.0.0.1 keep state label "USER_RULE: FTP- PROXY"
pass in quick on $IPsec from 172.26.0.0/24 to 192.168.2.0/24 keep state label "USER_RULE"
pass in quick on $IPsec from 192.168.2.0/24 to 172.26.0.0/24 keep state label "USER_RULE"
pass in quick on $IPsec proto { tcp udp } from 192.168.1.0/24 to 172.26.0.0/24 keep state label "USER_RULE: ACEPTAR ENTRADA DESDE MAFLO LORCA"
pass in quick on $IPsec proto tcp from 192.168.2.0/24 os Windows to 172.26.0.253 port 3389 flags S/SA keep state label "USER_RULE: Acceso a MAnager desde Milanera"
pass in quick on $IPsec proto tcp from 192.168.3.0/24 os Windows to 172.26.0.253 port 3389 flags S/SA keep state label "USER_RULE: Acceso a MAnager desde Rio Vena"
pass in quick on $IPsec from any to 192.168.2.139 keep state label "USER_RULE: SALIDA A IMPRESORA RICOH MILANERA"
pass in quick on $IPsec from 192.168.2.139 to any keep state label "USER_RULE: ENTRADA DESDE IMPRESORA RICOH MILANERA"
pass in quick on $IPsec proto esp from any to any keep state label "USER_RULE: PERMITIR TRAFICO DE TUNELES IPSEC ESP"
pass in quick on $IPsec proto udp from any to any keep state label "USER_RULE: IPSEC UDP"
pass in quick on $IPsec proto ah from any to any keep state label "USER_RULE: IPSEC AH"
pass in quick on $IPsec proto pfsync from any to any keep state label "USER_RULE"
pass in quick on $IPsec proto { tcp udp } from 172.26.0.0/24 to 192.168.1.0/24 keep state label "USER_RULE: ACEPTAR ENTRADA DESDE MAFLO LORCA"
pass in quick on $IPsec from any to any keep state label "USER_RULE: TODO IPSEC"
pass in quick on $IPsec from 172.26.254.80/29 to 192.168.0.0/24 keep state label "USER_RULE: ACCESO A EXCLUSIVAS DESDE ESTHER OVPN"

# VPN Rules
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 193.146.168.223 port = 500 keep state label "IPsec: SRB - RIO VENA - outbound isakmp"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 193.146.168.223 to any port = 500 keep state label "IPsec: SRB - RIO VENA - inbound isakmp"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 193.146.168.223 port = 4500 keep state label "IPsec: SRB - RIO VENA - outbound nat-t"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 193.146.168.223 to any port = 4500 keep state label "IPsec: SRB - RIO VENA - inbound nat-t"
pass out on $WAN route-to ( em1 IPPublica5 ) proto esp from any to 193.146.168.223 keep state label "IPsec: SRB - RIO VENA - outbound esp proto"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto esp from 193.146.168.223 to any keep state label "IPsec: SRB - RIO VENA - inbound esp proto"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 84.125.69.198 port = 500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound isakmp"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 84.125.69.198 to any port = 500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound isakmp"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 84.125.69.198 port = 4500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound nat-t"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 84.125.69.198 to any port = 4500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound nat-t"
pass out on $WAN route-to ( em1 IPPublica5 ) proto esp from any to 84.125.69.198 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound esp proto"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto esp from 84.125.69.198 to any keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound esp proto"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 84.125.89.246 port = 500 keep state label "IPsec: EXCLUSIVAS - outbound isakmp"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 84.125.89.246 to any port = 500 keep state label "IPsec: EXCLUSIVAS - inbound isakmp"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 84.125.89.246 port = 4500 keep state label "IPsec: EXCLUSIVAS - outbound nat-t"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 84.125.89.246 to any port = 4500 keep state label "IPsec: EXCLUSIVAS - inbound nat-t"
pass out on $WAN route-to ( em1 IPPublica5 ) proto esp from any to 84.125.89.246 keep state label "IPsec: EXCLUSIVAS - outbound esp proto"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto esp from 84.125.89.246 to any keep state label "IPsec: EXCLUSIVAS - inbound esp proto"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 193.146.174.197 port = 500 keep state label "IPsec: VPN SRB MILANERA - outbound isakmp"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 193.146.174.197 to any port = 500 keep state label "IPsec: VPN SRB MILANERA - inbound isakmp"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 193.146.174.197 port = 4500 keep state label "IPsec: VPN SRB MILANERA - outbound nat-t"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 193.146.174.197 to any port = 4500 keep state label "IPsec: VPN SRB MILANERA - inbound nat-t"
pass out on $WAN route-to ( em1 IPPublica5 ) proto esp from any to 193.146.174.197 keep state label "IPsec: VPN SRB MILANERA - outbound esp proto"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto esp from 193.146.174.197 to any keep state label "IPsec: VPN SRB MILANERA - inbound esp proto"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 87.223.188.155 port = 500 keep state label "IPsec: Kaneda HOme - outbound isakmp"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 87.223.188.155 to any port = 500 keep state label "IPsec: Kaneda HOme - inbound isakmp"
pass out on $WAN route-to ( em1 IPPublica5 ) proto udp from any to 87.223.188.155 port = 4500 keep state label "IPsec: Kaneda HOme - outbound nat-t"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto udp from 87.223.188.155 to any port = 4500 keep state label "IPsec: Kaneda HOme - inbound nat-t"
pass out on $WAN route-to ( em1 IPPublica5 ) proto esp from any to 87.223.188.155 keep state label "IPsec: Kaneda HOme - outbound esp proto"
pass in on $WAN reply-to ( em1 IPPublica5 ) proto esp from 87.223.188.155 to any keep state label "IPsec: Kaneda HOme - inbound esp proto"

# package manager late specific hook
anchor "packagelate"
anchor "tftp-proxy/*"
anchor "limitingesr"

# uPnPd
anchor "miniupnpd"
---------------------------------------------------------------------------

If I do a tcpdump I don't see the public VIP (Proxy ARP Virtual IP) in the logs. Does anybody know if there is any problem importing Virtual IPs? The only time I updated the firewall and the mail server worked was until I ran the traffic shaper wizard: I saw the "reinstalling modules" web dialog and quickly switched windows trying to interrupt it. Doing that, it works until I try to do the traffic shaping.
I'm going really crazy with this; any help would be nice.
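One thing worth ruling out mechanically on a ruleset this size is the classic pf port-forward mistake: pf applies rdr translation before the filter rules, so the WAN pass rule that is meant to admit a forward has to name the internal host and the translated port (10.0.0.22:25, not IPPublica1:25). The script below is an added example written for this page, not code from the original post or from pfSense. It parses `rdr on em1` and `pass in ... on $WAN` lines in the rules.debug format shown above and reports forwards that no WAN pass rule covers. The embedded sample is constructed from the shape of the posted lines; its TFTP pass rule deliberately names the public address and its IPPublica3:80 forward has no pass rule at all, so both show up as gaps. It understands only the port forms seen in this ruleset (N, = N, N:M, N >< M), considers only `from any` pass rules, and compares destinations as literal strings; those simplifications are assumptions of the example.

```python
import re

# Constructed sample in the shape of the rules.debug posted above (not the full ruleset).
# The reflection rdr (on { bge0 em2 ... }) is present to show that it is ignored.
SAMPLE_RULES = """
rdr on em1 proto tcp from any to IPPublica1 port 25 -> 10.0.0.22
rdr on em1 proto tcp from any to IPPublica1 port 5222:5223 -> 10.0.0.22
rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 25 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on em1 proto { tcp udp } from any to IPPublica4 port 8080 -> 172.26.0.253
rdr on em1 proto udp from any to IPPublica4 port 69 -> 172.26.0.246
rdr on em1 proto tcp from any to IPPublica3 port 80 -> 10.0.0.30
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 25 label "USER_RULE: NAT [ZIMBRA]-REDIRECCION SMTP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to 10.0.0.22 port 5221 >< 5224 label "USER_RULE: NAT [ZIMBRA]-REDIRECCION XMPP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto { tcp udp } from any to 172.26.0.253 port 8080 keep state label "USER_RULE: NAT FichaClientes"
pass in log quick on $WAN reply-to ( em1 IPPublica5 ) proto udp from any to IPPublica4 port 69 keep state label "USER_RULE: Entrada TFTP"
pass in quick on $WAN reply-to ( em1 IPPublica5 ) proto tcp from any to IPPublica4 port 1723 flags S/SA keep state label "USER_RULE: Permitir peticiones PPTP"
"""

# Only WAN-side forwards: "rdr on em1 proto P from any to EXT port EP -> INT [port IP]"
RDR_RE = re.compile(
    r"^rdr on em1 proto (\{[^}]*\}|\S+) from any to (\S+) port (\S+) -> (\S+)(?: port (\S+))?\s*$"
)
# Inbound WAN filter rules with source "any"; reply-to / route-to options are skipped by the lazy .*?
PASS_RE = re.compile(
    r'^pass in (?:log )?quick on \$WAN .*?(?:proto (\{[^}]*\}|\S+) )?from any to (\S+)'
    r'(?: port ([^"]+?))?(?: flags \S+)?(?: keep state| modulate state)? label '
)


def parse_protos(token):
    """'tcp' -> {'tcp'}; '{ tcp udp }' -> {'tcp', 'udp'}; None (no proto keyword) -> None, meaning any."""
    if token is None:
        return None
    return set(token.strip("{} ").split())


def parse_ports(spec):
    """Inclusive (lo, hi) for the pf port forms used in the ruleset: N, = N, N:M, N >< M."""
    spec = spec.strip()
    m = re.fullmatch(r"=?\s*(\d+)", spec)
    if m:
        port = int(m.group(1))
        return port, port
    m = re.fullmatch(r"(\d+):(\d+)", spec)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.fullmatch(r"(\d+)\s*><\s*(\d+)", spec)
    if m:
        # '><' excludes both endpoints: "5221 >< 5224" admits 5222 and 5223 only
        return int(m.group(1)) + 1, int(m.group(2)) - 1
    raise ValueError(f"unsupported port spec: {spec!r}")


def covers(pass_rule, proto, target, target_ports):
    """True if a (protos, dst, ports) pass rule admits proto to target over the whole port range."""
    protos, dst, ports = pass_rule
    if protos is not None and proto not in protos:
        return False
    if dst != "any" and dst != target:   # literal comparison; "any" is the only wildcard handled
        return False
    return ports[0] <= target_ports[0] and target_ports[1] <= ports[1]


def uncovered_redirects(rules_text):
    """Return [(public_ip, proto, internal_ip, lo, hi)] for WAN forwards with no covering pass rule."""
    redirects, passes = [], []
    for line in rules_text.splitlines():
        line = line.strip()
        m = RDR_RE.match(line)
        if m:
            protos = parse_protos(m.group(1))
            ext_ip, ext_spec, target, target_spec = m.group(2), m.group(3), m.group(4), m.group(5)
            # filtering sees the translated port, which is the external one unless rdr rewrites it
            redirects.append((protos, ext_ip, target, parse_ports(target_spec or ext_spec)))
            continue
        m = PASS_RE.match(line)
        if m:
            ports = parse_ports(m.group(3)) if m.group(3) else (1, 65535)
            passes.append((parse_protos(m.group(1)), m.group(2), ports))
    gaps = []
    for protos, ext_ip, target, target_ports in redirects:
        for proto in sorted(protos):
            if not any(covers(p, proto, target, target_ports) for p in passes):
                gaps.append((ext_ip, proto, target, target_ports[0], target_ports[1]))
    return gaps


if __name__ == "__main__":
    for ext_ip, proto, target, lo, hi in uncovered_redirects(SAMPLE_RULES):
        print(f"forward {ext_ip} -> {target} {proto}/{lo}-{hi} has no covering WAN pass rule")
```

Run it over the full rules.debug above (`uncovered_redirects(open("rules.debug").read())`) and every WAN forward turns out to have a pass rule naming the internal host, so a missing filter rule is not what broke the mail server here. That fits the tcpdump observation: if the public VIP never appears on the wire, nothing reaches pf to be translated or filtered. On pfSense, Proxy ARP VIPs are answered by a separate daemon (choparp), and whether it came up after the config import is something rules.debug cannot tell you; that is the next thing to check.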