Netgate Discussion Forum

    PPPOE clients cannot make connections to the internet

    2.0-RC Snapshot Feedback and Problems - RETIRED
      leenooks

      Hi, I'm running pfsense 2.0-RC1.

      • I have 3 interfaces (LAN (em2) - 10.1.1.192/26, WAN (em0) - 10.1.1.56 and DMZ (em1) - NO IP).
      • I'm using a PPPOE server configured on the DMZ network, where a host is successfully logging in and being assigned a public internet address (x.x.x.x). (The P2P link is x.x.x.x->172.31.0.1)

      I have created wildcard rules on ALL firewall interfaces (Floating, LAN, WAN, DMZ & PPPOE Server) that allow any IP to talk to any IP on any port. (I wouldn't want to run this way, but I couldn't get outbound connectivity for my pppoe client).

      Proto: *   Source: *   Port: *   Destination: *   Port: *   Gateway: *   Queue: none   Schedule: (empty)   Description: Enable Outbound Traffic for PPPOE Clients
      

      When pfctl is enabled, my PPPOE client with a public address (x.x.x.x) cannot communicate on the internet. Packets don't get past pfsense.

      When pfctl is disabled, my PPPOE client CAN communicate on the internet. (So I know routing and everything is OK).

      While using tcpdump on each interface (with pfctl enabled), I can see packets arriving on poes10 and DMZ (em1 - PPPOE session packets); however, I cannot see any packets leaving on WAN (em0).

      With pfctl enabled, I can successfully SSH into the host from the internet.

      I'm thinking that this is not right.

      For info, a pfctl -s all shows this:

      
      TRANSLATION RULES:
      nat-anchor "natearly/*" all
      nat-anchor "natrules/*" all
      nat on em0 inet from 10.1.1.192/26 port = isakmp to any port = isakmp -> 10.1.1.56 port 500
      nat on em0 inet from 10.1.1.192/26 to any -> 10.1.1.56 port 1024:65535
      rdr-anchor "relayd/*" all
      rdr-anchor "tftp-proxy/*" all
      rdr-anchor "miniupnpd" all
      
      FILTER RULES:
      scrub in on em0 all fragment reassemble
      scrub in on em2 all fragment reassemble
      scrub in on em1 all fragment reassemble
      anchor "relayd/*" all
      block drop in log all label "Default deny rule"
      block drop out log all label "Default deny rule"
      block drop in quick inet6 all
      block drop out quick inet6 all
      block drop quick proto tcp from any port = 0 to any
      block drop quick proto tcp from any to any port = 0
      block drop quick proto udp from any port = 0 to any
      block drop quick proto udp from any to any port = 0
      block drop quick from <snort2c> to any label "Block snort2c hosts"
      block drop quick from any to <snort2c> label "Block snort2c hosts"
      block drop quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
      block drop quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
      block drop in log quick proto tcp from <sshlockout> to any port = rsh-spx label "sshlockout"
      block drop in log quick proto tcp from <webconfiguratorlockout> to any port = 15443 label "webConfiguratorlockout"
      block drop in quick from <virusprot> to any label "virusprot overload table"
      block drop in on ! em0 inet from 10.1.1.0/26 to any
      block drop in inet from 10.1.1.56 to any
      block drop in on em0 inet6 from fe80::20c:29ff:fee9:29c3 to any
      pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      block drop in on ! em2 inet from 10.1.1.192/26 to any
      block drop in inet from 10.1.1.193 to any
      block drop in on em2 inet6 from fe80::20c:29ff:fee9:29d7 to any
      pass in on em2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      pass in on em2 inet proto udp from any port = bootpc to 10.1.1.193 port = bootps keep state label "allow access to DHCP server"
      pass out on em2 inet proto udp from 10.1.1.193 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      pass in on lo0 all flags S/SA keep state label "pass loopback"
      pass out on lo0 all flags S/SA keep state label "pass loopback"
      pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out route-to (em0 10.1.1.1) inet from 10.1.1.56 to ! 10.1.1.0/26 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in quick on em2 proto tcp from any to (em2) port = 15443 flags S/SA keep state label "anti-lockout rule"
      pass in quick on em2 proto tcp from any to (em2) port = https flags S/SA keep state label "anti-lockout rule"
      pass in quick on em2 proto tcp from any to (em2) port = rsh-spx flags S/SA keep state label "anti-lockout rule"
      pass on em0 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
      pass on em2 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
      pass on em1 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
      pass in quick on em0 reply-to (em0 10.1.1.1) inet proto tcp from any to <dmznet> port = http flags S/SA keep state label "USER_RULE: Enable HTTP to DMZ"
      pass in quick on em0 reply-to (em0 10.1.1.1) inet proto tcp from any to <dmznet> port = rsh-spx flags S/SA keep state label "USER_RULE: Enable SSH to DMZ"
      pass in quick on em0 reply-to (em0 10.1.1.1) inet proto tcp from any to 10.1.1.56 port = 15443 flags S/SA keep state label "USER_RULE: Enable webGUI"
      pass in quick on em0 reply-to (em0 10.1.1.1) inet proto tcp from any to 10.1.1.56 port = rsh-spx flags S/SA keep state label "USER_RULE: Enable SSH"
      pass in quick on em0 reply-to (em0 10.1.1.1) inet all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
      pass in quick on em2 inet from 10.1.1.192/26 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
      pass in quick on em2 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
      pass in quick on em1 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
      anchor "tftp-proxy/*" all
      anchor "miniupnpd" all
      No queue in use
      
      STATES:
      all tcp 10.1.1.56:222 <- 10.1.3.20:57176       ESTABLISHED:ESTABLISHED
      all tcp x.x.x.x:222 <- y.y.y.y:45723       ESTABLISHED:ESTABLISHED
      all tcp y.y.y.y:45723 -> x.x.x.x:222       ESTABLISHED:ESTABLISHED
      all tcp x.x.x.x:222 <- y.y.y.y:59454       ESTABLISHED:ESTABLISHED
      all tcp y.y.y.y:59454 -> x.x.x.x:222       ESTABLISHED:ESTABLISHED
      all icmp 10.1.1.56:53441 -> 10.1.1.1       0:0
      all udp 10.1.1.63:138 <- 10.1.1.25:138       NO_TRAFFIC:SINGLE
      all udp 10.1.1.56:49035 -> y.y.y.y:123       MULTIPLE:SINGLE
      
      …
      
      LABEL COUNTERS:
      Default deny rule 125 16 928 16 928 0 0
      Default deny rule 125 0 0 0 0 0 0
      Block snort2c hosts 125 0 0 0 0 0 0
      Block snort2c hosts 125 0 0 0 0 0 0
      Block pfSnortSamOut hosts 125 0 0 0 0 0 0
      Block pfSnortSamIn hosts 125 0 0 0 0 0 0
      sshlockout 125 0 0 0 0 0 0
      webConfiguratorlockout 58 0 0 0 0 0 0
      virusprot overload table 101 0 0 0 0 0 0
      allow dhcp client out WAN 79 0 0 0 0 0 0
      allow dhcp client out WAN 61 0 0 0 0 0 0
      allow access to DHCP server 9 0 0 0 0 0 0
      allow access to DHCP server 1 0 0 0 0 0 0
      allow access to DHCP server 29 0 0 0 0 0 0
      pass loopback 125 0 0 0 0 0 0
      pass loopback 0 0 0 0 0 0 0
      let out anything from firewall host itself 125 0 0 0 0 0 0
      let out anything from firewall host itself 24 0 0 0 0 0 0
      anti-lockout rule 125 0 0 0 0 0 0
      anti-lockout rule 0 0 0 0 0 0 0
      anti-lockout rule 0 0 0 0 0 0 0
      USER_RULE: Enable Outbound Traffic for PPPOE Clients 125 47 4162 23 2378 24 1784
      USER_RULE: Enable Outbound Traffic for PPPOE Clients 125 0 0 0 0 0 0
      USER_RULE: Enable Outbound Traffic for PPPOE Clients 125 0 0 0 0 0 0
      USER_RULE: Enable HTTP to DMZ 125 0 0 0 0 0 0
      USER_RULE: Enable SSH to DMZ 0 0 0 0 0 0 0
      USER_RULE: Enable webGUI 42 1483 667850 712 82637 771 585213
      USER_RULE: Enable SSH 0 0 0 0 0 0 0
      USER_RULE: Enable Outbound Traffic for PPPOE Clients 37 126 22287 126 22287 0 0
      USER_RULE: Default allow LAN to any rule 22 10 1860 5 592 5 1268
      USER_RULE: Enable Outbound Traffic for PPPOE Clients 4 0 0 0 0 0 0
      USER_RULE: Enable Outbound Traffic for PPPOE Clients 17 0 0 0 0 0 0
      
      ...
      

      Is this a bug, or have I got something wrong?

        eri--

        You have to allow traffic on the pppoe interface under firewall->rules so clients can communicate with the server.
        Also you have to allow traffic on the interfaces to reach the pppoe server.

          leenooks

          @ermal:

          You have to allow traffic on the pppoe interface under firewall->rules so clients can communicate with the server.
          Also you have to allow traffic on the interfaces to reach the pppoe server.

          I'm not sure I follow you. The PPPOE client can make connections with the PPPOE server, and gets assigned a public internet address.

          With pfctl enabled, I can communicate with the PPPOE client (via the public internet address). However, the PPPOE client cannot initiate connections to hosts on the internet (e.g. connecting to an HTTP server).

          With pfctl disabled, the PPPOE client CAN make connections to hosts on the internet.

          With pfctl enabled, I have a rule on EVERY firewall interface, which is a global allow (all ports, all hosts, all protocols), and still the PPPOE client CANNOT make connections to the internet until pfctl is disabled.

          Did you mean something else, or am I not understanding you?

            eri--

            Can you show screenshots of your rules?
            Also the relevant system log and blocked packets from the filter log?

              leenooks

              @ermal:

              Can you show screenshots of your rules?
              Also the relevant system log and blocked packets from the filter log?

              The screenshot of my rules is shown in my original post.

              The firewall logs show this:

              
              Mar 25 15:30:14	poes10	   x.x.x.x:46655	   64.235.47.134:80	TCP:S
              Mar 25 15:30:38	poes10	   x.x.x.x:46655	   64.235.47.134:80	TCP:S
              Mar 25 15:31:26	poes10	   x.x.x.x:46655	   64.235.47.134:80	TCP:S
              Mar 25 15:33:03	poes10	   x.x.x.x:35882	   69.30.193.218:80	TCP:S
              Mar 25 15:33:06	poes10	   x.x.x.x:35882	   69.30.193.218:80	TCP:S
              Mar 25 15:33:12	poes10	   x.x.x.x:35882	   69.30.193.218:80	TCP:S
              Mar 25 15:33:24	poes10	   x.x.x.x:35882	   69.30.193.218:80	TCP:S
              Mar 25 15:33:48	poes10	   x.x.x.x:35882	   69.30.193.218:80	TCP:S
              Mar 25 15:34:37	poes10	   x.x.x.x:35882	   69.30.193.218:80	TCP:S
              Mar 25 15:36:13	poes10	   x.x.x.x:46273	   72.232.223.58:80	TCP:S
              Mar 25 15:36:16	poes10	   x.x.x.x:46273	   72.232.223.58:80	TCP:S
              
              

              The firewall log:

              
              Mar 25 15:03:11 pfsense dhclient[30076]: DHCPREQUEST on em0 to 10.1.1.1 port 67
              Mar 25 15:03:11 pfsense dhclient[30076]: DHCPACK from 10.1.1.1
              Mar 25 15:03:11 pfsense dhclient: RENEW
              Mar 25 15:03:11 pfsense dhclient: Creating resolv.conf
              Mar 25 15:03:11 pfsense dhclient[30076]: bound to 10.1.1.56 -- renewal in 1800 seconds.
              Mar 25 15:11:39 pfsense apinger: ALARM: WAN(10.1.1.1)  *** down ***
              Mar 25 15:11:43 pfsense apinger: alarm canceled: WAN(10.1.1.1)  *** down ***
              Mar 25 15:11:49 pfsense check_reload_status: reloading filter
              Mar 25 15:11:53 pfsense check_reload_status: reloading filter
              Mar 25 15:33:11 pfsense dhclient[30076]: DHCPREQUEST on em0 to 10.1.1.1 port 67
              Mar 25 15:33:11 pfsense dhclient[30076]: DHCPACK from 10.1.1.1
              Mar 25 15:33:11 pfsense dhclient: RENEW
              Mar 25 15:33:11 pfsense dhclient: Creating resolv.conf
              Mar 25 15:33:11 pfsense dhclient[30076]: bound to 10.1.1.56 -- renewal in 1800 seconds.
              Mar 25 15:36:38 pfsense php: /system_advanced_admin.php: Successful webConfigurator login for user 'admin' from 10.1.3.20
              Mar 25 15:36:38 pfsense php: /system_advanced_admin.php: Successful webConfigurator login for user 'admin' from 10.1.3.20
              Mar 25 15:37:21 pfsense check_reload_status: syncing firewall
              Mar 25 15:37:21 pfsense check_reload_status: reloading filter
              Mar 25 15:42:59 pfsense check_reload_status: syncing firewall
              Mar 25 15:43:22 pfsense check_reload_status: syncing firewall
              Mar 25 15:43:30 pfsense check_reload_status: syncing firewall
              
              
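An added diagnostic that is not code from this thread or from pfSense: a small Python script that parses `pfctl -s rules` output and filter-log lines in the layout quoted above, then reports, for every interface the log shows blocks on, which pass rules could admit inbound traffic on that interface, judged by interface and direction only (addresses, protocols and anchors are ignored, so a hit is a candidate, not a guarantee). The two sample inputs are constructed subsets of what leenooks posted. Run against them, the script finds no pass rule for inbound traffic on poes10: the wildcard rules are bound to em0, em2 and em1, while the blocked packets arrive on the PPPoE session interface, which is the point eri's reply makes.

```python
"""Cross-check pf pass rules against filter-log blocks by interface and direction."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the `pfctl -s rules` output quoted in the thread.
PF_RULES = """\
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
block drop in on ! em0 inet from 10.1.1.0/26 to any
pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em0 10.1.1.1) inet from 10.1.1.56 to ! 10.1.1.0/26 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em2 proto tcp from any to (em2) port = https flags S/SA keep state label "anti-lockout rule"
pass on em0 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
pass on em2 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
pass on em1 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
pass in quick on em0 reply-to (em0 10.1.1.1) inet all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
pass in quick on em1 all flags S/SA keep state label "USER_RULE: Enable Outbound Traffic for PPPOE Clients"
"""

# Constructed sample: filter-log lines, tab-separated as time, interface, source, destination, proto.
FILTER_LOG = """\
Mar 25 15:30:14\tpoes10\tx.x.x.x:46655\t64.235.47.134:80\tTCP:S
Mar 25 15:33:03\tpoes10\tx.x.x.x:35882\t69.30.193.218:80\tTCP:S
"""


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str]  # "in", "out", or None when the rule applies both ways
    iface: Optional[str]      # interface name, or None when the rule has no "on" clause
    negated: bool             # True for "on ! em0" (every interface except em0)
    label: str
    text: str


def parse_rule(line: str) -> Rule:
    # pfctl prints the leading modifiers in a fixed order:
    # action [drop|return] [in|out] [log] [quick] [on [!] iface] ...
    toks = line.split()
    action, i = toks[0], 1
    direction = iface = None
    negated = False
    while i < len(toks) and toks[i] in ("drop", "return", "in", "out", "log", "quick"):
        if toks[i] in ("in", "out"):
            direction = toks[i]
        i += 1
    if i < len(toks) and toks[i] == "on":
        i += 1
        if toks[i] == "!":
            negated = True
            i += 1
        iface = toks[i]
    m = re.search(r'label "([^"]*)"', line)
    return Rule(action, direction, iface, negated, m.group(1) if m else "", line)


def parse_ruleset(text: str) -> list:
    """Only pass/block lines are rules of interest; scrub, anchors and NAT lines are skipped."""
    return [parse_rule(l) for l in text.splitlines() if l.startswith(("pass ", "block "))]


def rule_covers(rule: Rule, iface: str, direction: str) -> bool:
    """True if the rule's interface and direction clauses admit a packet <direction> on <iface>."""
    if rule.direction not in (None, direction):
        return False
    if rule.iface is None:
        return True
    return (rule.iface == iface) != rule.negated


def logged_interfaces(log_text: str) -> list:
    """Distinct interfaces (second tab-separated field) that appear in filter-log lines."""
    ifaces = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and fields[1] not in ifaces:
            ifaces.append(fields[1])
    return ifaces


def inbound_pass_rules(rules: list, iface: str) -> list:
    """Pass rules whose interface/direction clauses could match a packet arriving in on iface."""
    return [r for r in rules if r.action == "pass" and rule_covers(r, iface, "in")]


def audit(rules_text: str = PF_RULES, log_text: str = FILTER_LOG) -> dict:
    """Map each interface with logged blocks to the labels of pass rules that could admit inbound traffic there."""
    rules = parse_ruleset(rules_text)
    return {iface: [r.label for r in inbound_pass_rules(rules, iface)]
            for iface in logged_interfaces(log_text)}


if __name__ == "__main__":
    for iface, labels in audit().items():
        if labels:
            print(f"{iface}: candidate inbound pass rules: {labels}")
        else:
            print(f"{iface}: blocks logged, and no pass rule admits inbound traffic on this interface")
```

To use it on a live box, feed the script the output of `pfctl -s rules` and the exported filter log in place of the two constructed samples. The check deliberately stops at interface and direction: a rule with no `on` clause counts as a candidate even if its addresses would not match, because the question here is whether the interface is covered at all.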