Netgate Discussion Forum
    Firewall Help

Firewalling
    9 Posts 3 Posters 3.3k Views
agroshong:

I am having trouble with my internal server 192.168.1.195 on multiple ports despite having no blocking rules for this server. I have tried to add pass rules for this server to all, but this traffic still gets blocked. Below is the output from my firewall log.

Feb 17 14:44:09  LAN  192.168.1.195:135  10.10.1.3:57340   TCP:R
Feb 17 14:43:57  LAN  192.168.1.195:135  10.10.1.3:57340   TCP:SA
Feb 17 14:43:51  LAN  192.168.1.195:135  10.10.1.3:57340   TCP:SA
Feb 17 14:43:48  LAN  192.168.1.195:135  10.10.1.3:57340   TCP:SA
Feb 17 14:39:09  LAN  192.168.1.195:135  10.10.1.3:57313   TCP:R
Feb 17 14:39:08  LAN  192.168.1.195:25   10.10.0.10:1492   TCP:R
Feb 17 14:38:57  LAN  192.168.1.195:135  10.10.1.3:57313   TCP:SA
Feb 17 14:38:56  LAN  192.168.1.195:25   10.10.0.10:1492   TCP:SA
Feb 17 14:38:51  LAN  192.168.1.195:135  10.10.1.3:57313   TCP:SA
Feb 17 14:38:50  LAN  192.168.1.195:25   10.10.0.10:1492   TCP:SA
Feb 17 14:38:48  LAN  192.168.1.195:135  10.10.1.3:57313   TCP:SA
Feb 17 14:38:47  LAN  192.168.1.195:25   10.10.0.10:1492   TCP:SA

podilarius:

We could guess at the problem, but without more details we cannot help too much. Where is the traffic coming from? Where is the traffic going to? (WAN, LAN, OPTx?)

cmb:

          Looks like you have asymmetric routing between those networks, and hence cannot statefully filter traffic. How to fix that depends on why it is that way, more details on where those networks are and how they're interconnected needed.

agroshong:
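The signature cmb is reading off the log is worth making mechanical: pf only creates TCP state when it evaluates the SYN, so a SYN-ACK or RST that arrives with no matching state hits the default block rule regardless of what pass rules exist. If the blocked packets for a flow are only SA/R and never a bare S, pf never saw that flow's SYN, which is the asymmetric-routing case; if a blocked S is present, pf did see the SYN and refused it, which is a rule problem. The script below is an added example, not code from the thread or from pfSense. It assumes the "time iface src:port dst:port PROTO:FLAGS" layout quoted in the first post; the twelve sample lines are those entries, and the extra lines in the usage section are constructed.

```python
"""Sort pfSense block-log entries into 'rule problem' vs 'asymmetric routing'.

pf only creates TCP state when it evaluates the SYN. A SYN-ACK or RST that
shows up with no matching state hits the default block rule no matter what
pass rules exist, because the pass rules were never consulted for that flow's
SYN. So a flow whose *blocked* packets are only SA/R, with no blocked S, is the
asymmetric-routing signature; a flow with a blocked S is a genuine rule block.
"""
import re
from collections import defaultdict

# Layout of the GUI firewall log as quoted in the first post (assumed here):
#   "Feb 17 14:44:09 LAN   192.168.1.195:135   10.10.1.3:57340 TCP:R"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Za-z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)

# Constructed sample: the twelve entries quoted in the first post.
SAMPLE_LOG = """\
Feb 17 14:44:09 LAN   192.168.1.195:135   10.10.1.3:57340 TCP:R
Feb 17 14:43:57 LAN   192.168.1.195:135   10.10.1.3:57340 TCP:SA
Feb 17 14:43:51 LAN   192.168.1.195:135   10.10.1.3:57340 TCP:SA
Feb 17 14:43:48 LAN   192.168.1.195:135   10.10.1.3:57340 TCP:SA
Feb 17 14:39:09 LAN   192.168.1.195:135   10.10.1.3:57313 TCP:R
Feb 17 14:39:08 LAN   192.168.1.195:25   10.10.0.10:1492 TCP:R
Feb 17 14:38:57 LAN   192.168.1.195:135   10.10.1.3:57313 TCP:SA
Feb 17 14:38:56 LAN   192.168.1.195:25   10.10.0.10:1492 TCP:SA
Feb 17 14:38:51 LAN   192.168.1.195:135   10.10.1.3:57313 TCP:SA
Feb 17 14:38:50 LAN   192.168.1.195:25   10.10.0.10:1492 TCP:SA
Feb 17 14:38:48 LAN   192.168.1.195:135   10.10.1.3:57313 TCP:SA
Feb 17 14:38:47 LAN   192.168.1.195:25   10.10.0.10:1492 TCP:SA
"""

SYN_ONLY = "S"
REPLY_FLAGS = {"SA", "R", "RA"}   # what the other end sends back to a SYN


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    e["flags"] = e["flags"] or ""          # UDP/ICMP lines carry no flags
    return e


def flow_key(e):
    """Direction-independent key so both halves of a connection land together."""
    ends = sorted([(e["src"], e["sport"]), (e["dst"], e["dport"])])
    return (e["proto"].upper(), ends[0], ends[1])


def classify(lines):
    """Map each TCP flow in a blocked-packet log to a verdict string.

    Line order does not matter (the GUI shows newest first).
    """
    entries = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["proto"].upper() == "TCP":
            entries[flow_key(e)].append(e)
    verdicts = {}
    for key, es in entries.items():
        flags = {e["flags"] for e in es}
        if SYN_ONLY in flags:
            verdicts[key] = "rule-or-policy-block"   # pf saw and refused the SYN
        elif flags & REPLY_FLAGS:
            verdicts[key] = "asymmetric-routing"     # only replies, never the SYN
        else:
            verdicts[key] = "unknown"
    return verdicts


def responders(lines):
    """For asymmetric flows: which local host replied, and to which peers.

    The source of a blocked SA is the server whose replies pfSense is dropping;
    the destinations are the peers whose SYNs reached it by some other path,
    so they tell you which networks are routed around the firewall.
    """
    out = defaultdict(set)
    bad = {k for k, v in classify(lines).items() if v == "asymmetric-routing"}
    for line in lines:
        e = parse_line(line)
        if e and e["flags"] == "SA" and flow_key(e) in bad:
            out[e["src"]].add(e["dst"])
    return dict(out)


if __name__ == "__main__":
    for key, verdict in classify(SAMPLE_LOG.splitlines()).items():
        print(verdict, key)
    print(responders(SAMPLE_LOG.splitlines()))
```

On the thread's own lines every flow comes out as asymmetric-routing and the responder map is 192.168.1.195 answering 10.10.1.3 and 10.10.0.10, which is exactly the set of VPN-site addresses the poster later describes. A constructed line such as `10.10.1.3:57400 -> 192.168.1.195:135 TCP:S` in the block log would instead classify as rule-or-policy-block, because pf did evaluate that SYN.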

            Hello
            Thank you for your help, here is a little more about the problem

This traffic is coming from our primary server, which hosts Exchange, DNS, AD, and DHCP. We have three exit points on our network: the pfSense box, which is our exit point for the internet (this was being handled by an aging OpenBSD box before the hard drive blew up; I replaced it with a pfSense VM I was testing), and two different VPN tunnels to different locations in the city. These VPN tunnels are terminated on separate VPN concentrators. Ever since implementing pfSense these locations have not been able to connect to Exchange with Outlook; I believe this is due to port 135 being blocked. I have also added these concentrators as gateways in pfSense and added static routes to these networks through these gateways for routing. I have been unable to get this traffic to pass with the default pass rule or with specific rules. I am completely stumped; any help would be greatly appreciated, and I will give as much information as I can.

cmb:

              The 3 exit points definitely will cause you problems there. Assuming you have static routes, enabling "Bypass firewall rules for traffic on the same interface" under System>Advanced will work around that. It's not possible to statefully filter such traffic. Getting down to one ingress and egress gateway is much cleaner from a networking perspective, and gives you the ability to filter traffic.

agroshong:
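What "cannot statefully filter" and the bypass option amount to at the pf level, as an added illustration written against FreeBSD pf.conf syntax (not from the thread, and not the ruleset pfSense itself generates for that checkbox): the interface name `em0`, the local subnet and the two remote networks are assumed.

```pf
# Assumed names: em0 is the LAN, 192.168.1.0/24 the local subnet, and
# 10.10.0.0/24 and 10.10.1.0/24 the networks reached through static routes
# to VPN concentrators that sit on the same LAN.
lan_if  = "em0"
lan_net = "192.168.1.0/24"
table <staticroute_nets> { 10.10.0.0/24, 10.10.1.0/24 }

block log all

# Ordinary stateful rule: state is created only on the SYN (flags S/SA).
# A SYN-ACK from 192.168.1.195 answering a SYN that reached it via a
# concentrator, never via pf, matches no state and falls to the block rule.
pass in quick on $lan_if proto tcp from $lan_net to any flags S/SA keep state

# Asymmetric-tolerant rules, limited to the static-route networks: accept any
# TCP flags as the first packet and do not track sequence numbers ("sloppy").
# This restores connectivity but gives up pf's TCP sanity checking for these
# flows, which is why a single ingress/egress path is the cleaner fix.
pass in quick on $lan_if proto tcp from $lan_net to <staticroute_nets> flags any keep state (sloppy)
pass in quick on $lan_if from $lan_net to <staticroute_nets> keep state (sloppy)
pass in quick on $lan_if proto tcp from <staticroute_nets> to $lan_net flags any keep state (sloppy)
```

`keep state (sloppy)` is the pf.conf(5) state option that disables sequence-number checking; `flags any` lets a non-SYN packet create the state. Scoping both to the static-route networks, as above, keeps normal strict state tracking for everything else on the LAN.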

                Thank you for the help I will work on getting the network to a single egress point

Also, how do you make sure the traffic you want is going over the VPN and all other traffic goes out the default gateway? Is it with static routes or firewall rules?

                Andrew

cmb:

                  Either/or depending on the circumstance. Generally static routes, but can policy route via firewall rules.

agroshong:

                    Thank you

I am very new to pfSense, so I have another question regarding static routing. It is my understanding that pfSense uses gateways to static route; how do you create a gateway for the remote LAN so I can point to it with a static route?

                    Andrew

podilarius:

                      In the screen that has the gateway setup, there is a tab just to the right that is for static routes. It is labelled "Routes". In there you will setup the remote network with its corresponding gateway.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.