Unable to telnet from LAN to WAN subnet

marcelloc

Can you check if traffic from lan to modem is being natted by pfsense?

If lan machine has a firewall lan rule and nat on firewall to Allow Telnet it should work.

PistolPete

There is no NAT running, it's straight routing.
All my IP ranges (Router WAN /32, Firewall Interlink /30, LAN /27 & DMZ /29) are all public ranges.

I have an allow all out set on the LAN and DMZ to try and diagnose the problem, and I've set an allow telnet in from the router to the LAN & DMZ subnet just to check but no dice.
As I say, they are communicating to the extent that packets travelling between the machines so I'm 100% sure it's not a routing issue (as I can HTTP onto the router) and 99% sure it's not a firewall ACL issue.

PistolPete

Anyone got any clues?  I have a wireshark capture of the Telnet and HTTP sessions if that's any use to you.

cmb

packet capture of the telnet could be telling.

PistolPete

http://www.the-crib.co.uk/telnet.pcap

cmb

The TCP handshake completes, and then the 81.187.x.x host immediately sends a FIN ACK, telling the source of the TCP connection that it's killing the connection. Why, hard to say, not sure what IP is associated with what, but that's the problem. Firewall wouldn't be related to that, it'll never send a FIN ACK.

PistolPete

81.x is the LAN interface on the router, 90.x is the WAN interface on the pfSense.

If I SSH into pfSense and then telnet out, it works - http://www.the-crib.co.uk/telnetfrompfsense.cap
Also, if I pull pfSense and put my PC direct to the router and use the pfSense WAN IP address, it also works.

It only ever fails THROUGH pfSense.

stephenw10

In both the above working cases the machine initiating the telnet session is within the subnet of the router LAN interface. If you try to do the same from the other side of your pfSense box presumably the traffic has to be routed. Though it's hard to say from your description of your subnets.
My initial thought on this was that the router didn't have a route back to your client PC but that cannot be the case since the initial TCP handshake completes.
Therefore perhaps your router has a restriction on allowing telnet only from within it's own subnet?

Steve

PistolPete

I never thought about there being a restriction on the telnet daemon not talking to outside it's subnet.

Might need to contact Billion and see.

cmb

It's a screwy way to block a connection, but that device is without question blocking the connection, it has nothing to do with your firewall. Off-subnet access being rejected is the most likely cause.