    Static IP Weirdness

    General pfSense Questions
    5 Posts 3 Posters 1.9k Views
    brokenflea

      Hi Everyone,

      Not sure if this is the right section to post in; if it's not, I apologize.

      I just configured pfSense 1.2.3 on an IBASE FWA7204 box, VIA C3 1GHz CPU w/ 256M of RAM and 2GB flash.

      Using one interface for LAN and one interface for WAN (ISP DHCP).
      Here's what the topology looks like:

      INTERNET >> WAN interface - pfsense fw - LAN interface >> Cisco Switch >> Linux Box
                                                                                              |
                                                                                          > Wifi router

      I'm using just one subnet for the LAN (10.10.171.32/27):
      .33 being the pfsense fw
      .34 Cisco switch
      .35 wifi router
      .40 Linux box

      DHCP on pfsense has been setup to lease out addresses between 10.10.171.44 and 10.10.171.62

      All my clients behind the fw with DHCP leases can get on the web fine and/or browse network resources. The kicker comes in with statically assigned addresses.
      For instance, the Linux box (with the .40 static address) can neither:

      • ping an external address
      • ping default gw (pfsense)

      However, the Linux box can:

      • ping cisco switch
      • ping wifi router

      And any other client on the network can:

      • ping the Linux box

      The fw rule for LAN is set to allow network 10.10.171.32/27.

      Can someone point me in the right direction to troubleshoot what would be causing this behavior? I would really appreciate it.

      Thanks in advance.

      wallabybob

        Do your pings specify a target hostname or IP address? What response do you get to the ping command?

        Do the systems with static IP address have the correct default gateway and DNS?

        @brokenflea:

        the fw rule for LAN is set to allow network 10.10.171.32/27

        The devil is in the detail: 10.10.171.32/27 as source address? destination address? ports? protocol? Is it before or after the default LAN rule? Do you even still have the default LAN rule?

        marvosa

          Post your ifconfig and your fw rule.

          brokenflea

            Here's the fw rule from /tmp/rules.debug:

            
            [1.2.3-RELEASE] [root@br01.fw.local]/tmp(2): cat rules.debug
            # System Aliases 
            loopback = "{ lo0 }"
            lan = "{ rl0  }"
            wan = "{ rl1   }"
            enc0 = "{ enc0 }"
            # User Aliases 
            
            set loginterface rl1
            set loginterface rl0
            set optimization normal
            
            set skip on pfsync0
            scrub all random-id  fragment reassemble
            
            nat-anchor "pftpx/*"
            nat-anchor "natearly/*"
            nat-anchor "natrules/*"
            # FTP proxy
            rdr-anchor "pftpx/*"
            
            # Outbound NAT rules
            nat on $wan from 10.10.171.32/27 port 500 to any port 500 -> (rl1) port 500
            nat on $wan from 10.10.171.32/27 port 5060 to any port 5060 -> (rl1) port 5060
            nat on $wan from 10.10.171.32/27 to any -> (rl1) port 1024:65535
            
            #SSH Lockout Table
            table <sshlockout> persist
            
            # Load balancing anchor - slbd updates
            rdr-anchor "slb"
            
            # FTP Proxy/helper
            table <vpns> {   }
            no rdr on rl0 proto tcp from any to <vpns> port 21
            rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
            
            # IMSpector rdr anchor
            rdr-anchor "imspector"
            # UPnPd rdr anchor
            rdr-anchor "miniupnpd"
            
            anchor "ftpsesame/*" 
            anchor "firewallrules"
            
            # We use the mighty pf, we cannot be fooled.
            block quick proto { tcp, udp } from any port = 0 to any
            block quick proto { tcp, udp } from any to any port = 0
            
            # snort2c
            table <snort2c> persist
            block quick from <snort2c> to any label "Block snort2c hosts"
            block quick from any to <snort2c> label "Block snort2c hosts"
            # Block all IPv6
            block in quick inet6 all
            block out quick inet6 all
            # loopback
            anchor "loopback"
            pass in quick on $loopback all label "pass loopback"
            pass out quick on $loopback all label "pass loopback"
            
            # package manager early specific hook
            anchor "packageearly"
            
            # carp
            anchor "carp"
            
            # NAT Reflection rules
            
            # allow access to DHCP server on LAN
            anchor "dhcpserverlan"
            pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
            pass in quick on $lan proto udp from any port = 68 to 10.10.171.33 port = 67 label "allow access to DHCP server on LAN"
            pass out quick on $lan proto udp from 10.10.171.33 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
            
            # allow our DHCP client out to the WAN
            anchor "wandhcp"
            pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
            block in log quick on $wan proto udp from any port = 67 to 10.10.171.32/27 port = 68 label "block dhcp client out wan"
            
            # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
            antispoof for rl0
            
            anchor "spoofing"
            
            # block anything from private networks on WAN interface
            anchor "spoofing"
            antispoof for $wan
            block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
            block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
            block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
            block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
            # Support for allow limiting of TCP connections by establishment rate
            anchor "limitingesr"
            table <virusprot>
            block in quick from <virusprot> to any label "virusprot overload table"
            
            # block bogon networks
            # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
            anchor "wanbogons"
            table <bogons> persist file "/etc/bogons"
            block in log quick on $wan from <bogons> to any label "block bogon networks from wan"
            
            # let out anything from the firewall host itself and decrypted IPsec traffic
            pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
            pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
            
            # tcp.closed 5 is a workaround for load balancing, squid and a few other issues.
            # ticket (FEN-857512) in centipede tracker.
            pass out quick on rl1 all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
            # pass traffic from firewall -> out
            anchor "firewallout"
            pass out quick on rl1 all keep state label "let out anything from firewall host itself"
            pass out quick on rl0 all keep state label "let out anything from firewall host itself"
            pass out quick on $enc0 keep state label "IPSEC internal host to host"
            # make sure the user cannot lock himself out of the webGUI or SSH
            anchor "anti-lockout"
            pass in quick on rl0 from any to 10.10.171.33 keep state label "anti-lockout web rule"
            
            # SSH lockout
            block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
            
            anchor "ftpproxy"
            anchor "pftpx/*"
            
            # User-defined aliases follow
            
            # User-defined rules follow
            pass in quick on $lan from 10.10.171.32/27 to any keep state  label "USER_RULE: Default LAN -> any"
            
            # VPN Rules
            
            pass in quick on rl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
            pass in quick on rl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
            pass in quick on rl1 inet proto tcp from port 20 to (rl1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
            # enable ftp-proxy
            
            # IMSpector
            anchor "imspector"
            
            # uPnPd
            anchor "miniupnpd"
            
            #---------------------------------------------------------------------------
            # default deny rules
            #---------------------------------------------------------------------------
            block in log quick all label "Default deny rule"
            

            Here's the ifconfig:

            
            [1.2.3-RELEASE] [root@br01.fw.local]/tmp(3): ifconfig
            rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                    options=8<VLAN_MTU>
                    ether 00:03:2d:05:40:dd
                    inet 10.10.171.33 netmask 0xffffffe0 broadcast 10.10.171.63
                    inet6 fe80::203:2dff:fe05:40dd%rl0 prefixlen 64 scopeid 0x1 
                    media: Ethernet autoselect (none)
                    status: no carrier
            rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                    options=8<VLAN_MTU>
                    ether 00:03:2d:05:40:dc
                    inet6 fe80::203:2dff:fe05:40dc%rl1 prefixlen 64 scopeid 0x2 
                    media: Ethernet autoselect (none)
                    status: no carrier
            rl2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                    options=8<VLAN_MTU>
                    ether 00:03:2d:05:40:db
                    media: Ethernet autoselect
                    status: no carrier
            rl3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                    options=8<VLAN_MTU>
                    ether 00:03:2d:05:40:da
                    media: Ethernet autoselect
                    status: no carrier
            enc0: flags=0<> metric 0 mtu 1536
            lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                    inet 127.0.0.1 netmask 0xff000000 
                    inet6 ::1 prefixlen 128 
                    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
            pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
                    pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
            pflog0: flags=100<PROMISC> metric 0 mtu 33204
            

            All the static clients are using the correct mask (255.255.255.224), correct gateway (10.10.171.33), correct DNS (OpenDNS 208.67.222.222, 208.67.220.220).

            10.10.171.32/27 as source network; this is the only rule in the fw for LAN.

              brokenflea
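            To make the ordering question raised earlier concrete (source or destination, ports, protocol, before or after the default LAN rule), here is an added example written for this thread; it is not code from the forum post or from pfSense. It replays constructed packets through a subset of the filter rules from the posted rules.debug using pf's evaluation order: rules are checked top to bottom, the last match wins, and a matching rule marked `quick` ends the search. The parser covers only the syntax in those lines; nat/rdr, anchors, antispoof and table contents are not modelled, so a rule that references a <table> never matches. The packets (the .40 Linux box pinging the gateway and an external host, a host with an address outside 10.10.171.32/27, and an RFC 1918 source arriving on WAN) are constructed, not captured. The posted filter rules on their own pass the .40 box's pings, which is consistent with the poster's later conclusion that the culprit was the load-balancer pool and its rule rather than the LAN filter rule.

```python
"""Replay packets through pf filter rules in pf's evaluation order (constructed example)."""
import ipaddress
import re
import shlex

# Excerpt of the filter rules from the rules.debug posted above, in their original order.
# nat/rdr, anchors, antispoof and table contents are not modelled: a rule that references
# a <table> never matches here, so only the static filter rules are replayed.
RULES_DEBUG = r'''
lan = "{ rl0  }"
wan = "{ rl1   }"
block quick proto { tcp, udp } from any port = 0 to any
block quick from <snort2c> to any label "Block snort2c hosts"
block in quick inet6 all
pass in quick on $lan proto udp from any port = 68 to 10.10.171.33 port = 67 label "allow access to DHCP server on LAN"
block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
pass out quick on rl0 all keep state label "let out anything from firewall host itself"
pass in quick on rl0 from any to 10.10.171.33 keep state label "anti-lockout web rule"
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
pass in quick on $lan from 10.10.171.32/27 to any keep state label "USER_RULE: Default LAN -> any"
block in log quick all label "Default deny rule"
'''
ALIAS_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([\w\s]+?)\s*\}"$')
SKIP = {'log', 'all', 'keep', 'state'}   # keywords that do not affect matching here


def parse_rule(toks, aliases, text):
    """One pass/block line -> dict. Unsupported syntax raises instead of silently misparsing."""
    rule = dict(action=toks[0], dir=None, quick=False, iface=None, af=None, proto=None,
                src='any', sport=None, dst='any', dport=None, label='', text=text)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ('in', 'out'):
            rule['dir'] = t
        elif t == 'quick':
            rule['quick'] = True
        elif t in ('inet', 'inet6'):
            rule['af'] = t
        elif t == 'on':                      # interface, possibly via a $alias
            i += 1
            rule['iface'] = aliases.get(toks[i].lstrip('$'), [toks[i]])
        elif t == 'proto':                   # proto tcp  |  proto { tcp, udp }
            i += 1
            j = toks.index('}', i) if toks[i] == '{' else i
            rule['proto'] = [p.strip(',') for p in toks[i + 1:j]] if j > i else [toks[i]]
            i = j
        elif t in ('from', 'to'):            # any | <table> | host | CIDR, optional "port [=] N"
            key, i = ('src' if t == 'from' else 'dst'), i + 1
            a = toks[i]
            rule[key] = 'any' if a == 'any' else 'table' if a.startswith('<') \
                else ipaddress.ip_network(a, strict=False)
            if i + 1 < len(toks) and toks[i + 1] == 'port':
                i += 3 if toks[i + 2] == '=' else 2
                rule['sport' if key == 'src' else 'dport'] = int(toks[i])
        elif t == 'label':
            i += 1
            rule['label'] = toks[i]
        elif t not in SKIP:
            raise ValueError(f'unsupported token {t!r} in: {text}')
        i += 1
    return rule


def parse_ruleset(text):
    """Collect interface aliases, then the pass/block rules in file order."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = m.group(2).split()
        elif line and shlex.split(line)[0] in ('pass', 'block'):
            rules.append(parse_rule(shlex.split(line), aliases, line))
    return rules


def matches(rule, pkt):
    """True if every field the rule constrains agrees with the packet."""
    af = 'inet6' if ipaddress.ip_address(pkt['src']).version == 6 else 'inet'
    if (rule['dir'] and rule['dir'] != pkt['dir']) or (rule['af'] and rule['af'] != af):
        return False
    if (rule['iface'] and pkt['iface'] not in rule['iface']) or \
            (rule['proto'] and pkt['proto'] not in rule['proto']):
        return False
    for addr, port in (('src', 'sport'), ('dst', 'dport')):
        want = rule[addr]
        if want == 'table' or (want != 'any' and ipaddress.ip_address(pkt[addr]) not in want):
            return False
        if rule[port] is not None and pkt.get(port) != rule[port]:
            return False
    return True


def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    decision = ('pass', 'no rule matched (implicit pass)')
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule['action'], rule['label'] or rule['text'])
            if rule['quick']:
                break
    return decision


RULES = parse_ruleset(RULES_DEBUG)

# Constructed packets as pf sees them on the ingress interface (no real traffic involved).
SCENARIOS = {
    'linux box .40 pings gateway': dict(dir='in', iface='rl0', proto='icmp', src='10.10.171.40', dst='10.10.171.33'),
    'linux box .40 pings 8.8.8.8': dict(dir='in', iface='rl0', proto='icmp', src='10.10.171.40', dst='8.8.8.8'),
    'host 192.168.1.5 on LAN': dict(dir='in', iface='rl0', proto='icmp', src='192.168.1.5', dst='8.8.8.8'),
    'RFC1918 source on WAN': dict(dir='in', iface='rl1', proto='tcp', src='10.0.0.5', dst='203.0.113.10', dport=443),
}


def decide(name):
    """(action, label) of the rule that decides the named scenario."""
    return evaluate(RULES, SCENARIOS[name])


if __name__ == '__main__':
    for name in SCENARIOS:
        print(f'{name:30s} -> {decide(name)}')
```

            Note that the .40 box's ping to 10.10.171.33 is decided by the anti-lockout rule, not by the user LAN rule, and that a LAN host whose address falls outside 10.10.171.32/27 drops through to the default deny: that is exactly why the source network on the LAN rule and its position relative to the default deny matter when a static host misbehaves.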

              I think I figured the issue out. I was following this URL:
              http://forum.pfsense.org/index.php/topic,4225.msg25915.html#msg25915

              to forward traffic to a squid proxy (Linux box with the 10.10.171.40 address). I removed the LB pool and deleted the rule that the post recommends, rebooted the box, and everything looks OK now.

              Back to the 2nd issue: how do I now forward traffic to the Linux box running squid?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.