Static IP Weirdness
-
Hi Everyone,
Not sure if this is the right section to post in; if it's not, I apologize.
I just configured pfsense 1.2.3 on an IBASE FWA7204 box, VIA C3 1GHz CPU w/ 256M of RAM and 2GB flash.
Using one interface for LAN and one interface for WAN (ISP DHCP)
Here's what the topology looks like:
INTERNET >> WAN interface - pfsense fw - LAN interface >> Cisco Switch >> Linux Box
                                                               |
                                                               > Wifi router
I'm using just one subnet for the LAN (10.10.171.32 /27)
.33 being the pfsense fw
.34 Cisco switch
.35 wifi router
.40 Linux box
DHCP on pfsense has been setup to lease out addresses between 10.10.171.44 and 10.10.171.62
All my clients behind the fw with dhcp leases can get on the web fine and/or browse network resources. The kicker comes in with statically assigned addresses.
for instance the linux box (with the .40 static address) can neither:
- ping an external address
- ping default gw (pfsense)
however, the linux box can:
- ping cisco switch
- ping wifi router
and any other client on the network can:
- ping linux box
the fw rule for LAN is set to allow network 10.10.171.32/27
Can someone point me in the right direction to troubleshoot what would be causing this behavior? I would really appreciate it.
Thanks in advance.
-
Do your pings specify a target hostname or IP address? What response do you get to the ping command?
Do the systems with static IP address have the correct default gateway and DNS?
the fw rule for LAN is set to allow network 10.10.171.32/27
The devil is in the detail: 10.10.171.32/27 as source address? destination address? ports? protocol? Is it before or after the default LAN rule? Do you even still have the default LAN rule?
-
Post your ifconfig and your fw rule.
-
Here's the fw rule from /tmp/rules.debug
[1.2.3-RELEASE] [root@br01.fw.local]/tmp(2): cat rules.debug
# System Aliases
loopback = "{ lo0 }"
lan = "{ rl0 }"
wan = "{ rl1 }"
enc0 = "{ enc0 }"
# User Aliases

set loginterface rl1
set loginterface rl0
set optimization normal
set skip on pfsync0
scrub all random-id fragment reassemble
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# FTP proxy
rdr-anchor "pftpx/*"
# Outbound NAT rules
nat on $wan from 10.10.171.32/27 port 500 to any port 500 -> (rl1) port 500
nat on $wan from 10.10.171.32/27 port 5060 to any port 5060 -> (rl1) port 5060
nat on $wan from 10.10.171.32/27 to any -> (rl1) port 1024:65535
#SSH Lockout Table
table <sshlockout> persist
# Load balancing anchor - slbd updates
rdr-anchor "slb"
# FTP Proxy/helper
table <vpns> { }
no rdr on rl0 proto tcp from any to <vpns> port 21
rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# IMSpector rdr anchor
rdr-anchor "imspector"
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "ftpsesame/*"
anchor "firewallrules"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# Block all IPv6
block in quick inet6 all
block out quick inet6 all
# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"
# package manager early specific hook
anchor "packageearly"
# carp
anchor "carp"
# NAT Reflection rules
# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 10.10.171.33 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 10.10.171.33 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
# allow our DHCP client out to the WAN
anchor "wandhcp"
pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
block in log quick on $wan proto udp from any port = 67 to 10.10.171.32/27 port = 68 label "block dhcp client out wan"
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for rl0
anchor "spoofing"
# block anything from private networks on WAN interface
anchor "spoofing"
antispoof for $wan
block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
table <bogons> persist file "/etc/bogons"
block in log quick on $wan from <bogons> to any label "block bogon networks from wan"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
# tcp.closed 5 is a workaround for load balancing, squid and a few other issues.
# ticket (FEN-857512) in centipede tracker.
pass out quick on rl1 all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on rl1 all keep state label "let out anything from firewall host itself"
pass out quick on rl0 all keep state label "let out anything from firewall host itself"
pass out quick on $enc0 keep state label "IPSEC internal host to host"
# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick on rl0 from any to 10.10.171.33 keep state label "anti-lockout web rule"
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
anchor "ftpproxy"
anchor "pftpx/*"
# User-defined aliases follow
# User-defined rules follow
pass in quick on $lan from 10.10.171.32/27 to any keep state label "USER_RULE: Default LAN -> any"
# VPN Rules
pass in quick on rl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on rl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on rl1 inet proto tcp from port 20 to (rl1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
# enable ftp-proxy
# IMSpector
anchor "imspector"
# uPnPd
anchor "miniupnpd"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log quick all label "Default deny rule"
Here's the ifconfig
[1.2.3-RELEASE] [root@br01.fw.local]/tmp(3): ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:03:2d:05:40:dd
        inet 10.10.171.33 netmask 0xffffffe0 broadcast 10.10.171.63
        inet6 fe80::203:2dff:fe05:40dd%rl0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (none)
        status: no carrier
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:03:2d:05:40:dc
        inet6 fe80::203:2dff:fe05:40dc%rl1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (none)
        status: no carrier
rl2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:03:2d:05:40:db
        media: Ethernet autoselect
        status: no carrier
rl3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:03:2d:05:40:da
        media: Ethernet autoselect
        status: no carrier
enc0: flags=0<> metric 0 mtu 1536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=100<PROMISC> metric 0 mtu 33204
All the static clients are using the correct mask (255.255.255.224), correct gateway (10.10.171.33), correct DNS (opendns 208.67.222.222, 208.67.220.220)
10.10.171.32/27 as source network, this is the only rule in the fw for LAN.
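The reply above asks exactly what the LAN rule matches (source, destination, protocol, ports) and whether it sits before the default deny. The script below is an added example, not pfSense code and not part of this thread: it parses a few rules.debug-style lines (SAMPLE_RULES is a constructed, trimmed copy of the dump posted above), resolves the `$lan`/`$loopback` macros, and reports for each USER_RULE whether it is on the LAN interface, whether its source covers a given static host (10.10.171.40 here), and whether it precedes the "Default deny rule". The regex handles only the rule forms present in this dump (no brace lists, no nat/rdr/table lines), and table or interface sources are reported as not statically checkable.

```python
"""Audit a pfSense 1.2.3 rules.debug dump: what does each user LAN rule match,
and does it come before the default deny?  Added example, not pfSense code.
SAMPLE_RULES is constructed from the dump in this thread; the parser covers
only the rule forms seen there (a subset of pf syntax)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in rules.debug form (trimmed copy of the thread's dump).
SAMPLE_RULES = """\
loopback = "{ lo0 }"
lan = "{ rl0 }"
wan = "{ rl1 }"
# anti-lockout
pass in quick on rl0 from any to 10.10.171.33 keep state label "anti-lockout web rule"
# User-defined rules follow
pass in quick on $lan from 10.10.171.32/27 to any keep state label "USER_RULE: Default LAN -> any"
pass in quick on rl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
# default deny rules
block in log quick all label "Default deny rule"
"""

ALIAS_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*(\S+)\s*\}"')
LABEL_RE = re.compile(r'label\s+"([^"]*)"')
# "port 8021", "port = 67" and "port > 49000" all appear in the dump.
PORT = r'(?:\s+port\s+(?P<%s>(?:[=<>!]+\s+)?\S+))?'
RULE_RE = re.compile(
    r'^(?P<action>pass|block)'
    r'(?:\s+(?P<direction>in|out))?'
    r'(?:\s+log)?(?:\s+quick)?'
    r'(?:\s+on\s+(?P<iface>\S+))?'
    r'(?:\s+inet6?)?'
    r'(?:\s+proto\s+(?P<proto>\S+))?'   # brace lists like { tcp, udp } not handled
    r'(?:\s+all)?'
    r'(?:\s+from(?:\s+(?P<src>(?!port\b)\S+))?' + PORT % 'sport' + r')?'
    r'(?:\s+to(?:\s+(?P<dst>(?!port\b)\S+))?' + PORT % 'dport' + r')?'
)


@dataclass
class Rule:
    lineno: int
    action: str
    direction: Optional[str]
    iface: Optional[str]
    proto: Optional[str]
    src: str
    dst: str
    dst_port: Optional[str]
    label: Optional[str]


def resolve(token, aliases):
    """Expand a $macro reference using the aliases defined earlier in the file."""
    if token and token.startswith("$"):
        return aliases.get(token[1:], token)
    return token


def parse_rules(text):
    """Return (aliases, [Rule]) for the pass/block lines; everything else is skipped."""
    aliases, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        a = ALIAS_RE.match(line)
        if a:
            aliases[a.group(1)] = a.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # nat/rdr/table/anchor/set lines are out of scope here
        lab = LABEL_RE.search(line)
        rules.append(Rule(
            lineno=lineno,
            action=m.group("action"),
            direction=m.group("direction"),
            iface=resolve(m.group("iface"), aliases),
            proto=m.group("proto"),
            src=m.group("src") or "any",
            dst=resolve(m.group("dst"), aliases) or "any",
            dst_port=m.group("dport"),
            label=lab.group(1) if lab else None,
        ))
    return aliases, rules


def source_covers(src, host):
    """True if the rule's source spec statically includes host.  Tables such as
    <snort2c> and interface names cannot be evaluated from the file alone, so
    they yield False rather than a guess."""
    if src == "any":
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False


def audit_lan(text, host_ip):
    """For each USER_RULE: what it matches, whether it is on the LAN macro,
    whether its source covers host_ip, and whether it precedes the default deny."""
    aliases, rules = parse_rules(text)
    lan_iface = aliases.get("lan")
    deny_idx = next((i for i, r in enumerate(rules)
                     if r.action == "block" and r.label == "Default deny rule"), None)
    findings = []
    for i, r in enumerate(rules):
        if not (r.label and r.label.startswith("USER_RULE")):
            continue
        findings.append({
            "label": r.label,
            "iface": r.iface,
            "proto": r.proto or "any",
            "src": r.src,
            "dst": r.dst,
            "dst_port": r.dst_port or "any",
            "on_lan": r.iface == lan_iface,
            "covers_host": source_covers(r.src, host_ip),
            "before_default_deny": deny_idx is None or i < deny_idx,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_lan(SAMPLE_RULES, "10.10.171.40"):
        print(finding)
```

Run it against a real `cat /tmp/rules.debug` capture by passing the file contents to `audit_lan` with the static host's address; a user rule that reports `covers_host` false, or `before_default_deny` false, is the kind of detail the reply above is asking about. For this thread's dump the LAN rule passes every check, which is consistent with the later finding that the culprit was the load-balancer pool rule rather than the LAN allow rule.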
-
I think I figured the issue out. I was following this URL:
http://forum.pfsense.org/index.php/topic,4225.msg25915.html#msg25915
to forward traffic to a squid proxy (linux box with 10.10.171.40 address). I removed the LB pool and deleted the rule that the post recommends, rebooted the box and everything looks ok now.
Back to the 2nd issue, how do I now forward traffic to the linux box running squid?