Netgate Discussion Forum

    Proxy problems after the update. Please advise…

    Category: Russian. 15 posts, 4 posters, 23.9k views.
    rubic:

      In Diagnostics -> Command, run the command pfctl -sa | grep rdr | grep 127.0.0.1 and post its output here.

      Bat72:


        $ pfctl -sa
        TRANSLATION RULES:
        no nat proto carp all
        nat-anchor "natearly/" all
        nat-anchor "natrules/*" all
        nat on rl0 inet from 192.168.11.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
        nat on rl0 inet from 10.11.12.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
        nat on rl0 inet from 10.11.10.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
        nat on rl0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
        nat on rl0 inet from 0.0.0.0 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
        nat on rl0 inet from 192.168.11.0/24 to any -> 10.0.2.73 port 1024:65535
        nat on rl0 inet from 10.11.12.0/24 to any -> 10.0.2.73 port 1024:65535
        nat on rl0 inet from 10.11.10.0/24 to any -> 10.0.2.73 port 1024:65535
        nat on rl0 inet from 127.0.0.0/8 to any -> 10.0.2.73 port 1024:65535
        nat on rl0 inet from 0.0.0.0 to any -> 10.0.2.73 port 1024:65535
        no rdr proto carp all
        rdr-anchor "relayd/" all
        rdr-anchor "tftp-proxy/*" all
        rdr on rl0 inet proto tcp from any to 10.0.2.73 port = pptp -> 192.168.11.110
        rdr on rl0 inet proto gre from any to 10.0.2.73 -> 192.168.11.110
        rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
        rdr on rl0 inet proto tcp from any to 10.0.2.73 port = 8882 -> 192.168.11.105 port 80
        rdr-anchor "miniupnpd" all

        FILTER RULES:
        scrub on rl0 all fragment reassemble
        scrub on fxp0 all fragment reassemble
        anchor "relayd/" all
        anchor "openvpn/*" all
        anchor "ipsec/" all
        block drop in log quick inet6 all label "Block all IPv6"
        block drop out log quick inet6 all label "Block all IPv6"
        block drop in log inet all label "Default deny rule IPv4"
        block drop out log inet all label "Default deny rule IPv4"
        block drop in log inet6 all label "Default deny rule IPv6"
        block drop out log inet6 all label "Default deny rule IPv6"
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
        block drop quick inet proto tcp from any port = 0 to any
        block drop quick inet proto tcp from any to any port = 0
        block drop quick inet proto udp from any port = 0 to any
        block drop quick inet proto udp from any to any port = 0
        block drop quick inet6 proto tcp from any port = 0 to any
        block drop quick inet6 proto tcp from any to any port = 0
        block drop quick inet6 proto udp from any port = 0 to any
        block drop quick inet6 proto udp from any to any port = 0
        block drop quick from <snort2c> to any label "Block snort2c hosts"
        block drop quick from any to <snort2c> label "Block snort2c hosts"
        block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
        block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
        block drop in quick from <virusprot> to any label "virusprot overload table"
        block drop in on ! rl0 inet from 10.0.0.0/22 to any
        block drop in inet from 10.0.2.73 to any
        block drop in on ! fxp0 inet from 192.168.11.0/24 to any
        block drop in inet from 192.168.11.200 to any
        block drop in on rl0 inet6 from fe80::230:84ff:fe89:4ce0 to any
        block drop in on fxp0 inet6 from fe80::2d0:b7ff:fee6:eab9 to any
        pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
        pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
        pass out route-to (rl0 10.0.0.1) inet from 10.0.2.73 to ! 10.0.0.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
        pass in quick on fxp0 proto tcp from any to (fxp0) port = http flags S/SA keep state label "anti-lockout rule"
        pass in quick on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state label "anti-lockout rule"
        anchor "userrules/*" all
        pass in quick on openvpn all flags S/SA keep state label "USER_RULE"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto gre from any to 192.168.11.110 keep state label "USER_RULE: NAT MAP PPTP to server"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto icmp from any to 10.0.2.73 keep state label "USER_RULE: MAP ping to router"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 10.0.2.73 port = la-maint flags S/SA keep state label "USER_RULE: IPSec"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto udp from any to 10.0.2.73 port = isakmp keep state label "USER_RULE: IPSec"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 10.0.2.73 port 11899 >< 11951 flags S/SA keep state label "USER_RULE: OpenVPN"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto udp from any to 10.0.2.73 port 11899 >< 11951 keep state label "USER_RULE: OpenVPN"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.110 port = pptp flags S/SA keep state label "USER_RULE: NAT MAP PPTP to server"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.105 port = http flags S/SA keep state label "USER_RULE: NAT HTTP"
        pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.105 port = http flags S/SA keep state label "USER_RULE: NAT HTTP for 103"
        pass in quick on fxp0 inet from any to 192.168.11.0/24 flags S/SA keep state label "USER_RULE"
        pass in quick on fxp0 inet from 192.168.11.0/24 to <lansubnets> flags S/SA keep state label "USER_RULE"
        pass in quick on fxp0 from <vpnclients> to <lansubnets> flags S/SA keep state label "USER_RULE"
        pass in quick on fxp0 inet proto icmp from any to 192.168.11.200 keep state label "USER_RULE"
        pass in quick on fxp0 inet proto tcp from <server> to any port = domain flags S/SA keep state label "USER_RULE: NAT server DNS"
        pass in quick on fxp0 inet proto udp from <server> to any port = domain keep state label "USER_RULE: NAT server DNS"
        pass in quick on fxp0 inet proto icmp from <server> to any keep state label "USER_RULE: NAT server ping"
        pass in quick on fxp0 inet proto tcp from <server> to any port = pptp flags S/SA keep state label "USER_RULE: NAT server PPTP"
        pass in quick on fxp0 inet proto gre from <server> to any keep state label "USER_RULE: NAT server PPTP"
        pass in quick on fxp0 inet proto tcp from <server> to any port = ntp flags S/SA keep state label "USER_RULE: NAT server NTP"
        pass in quick on fxp0 inet proto udp from <server> to any port = ntp keep state label "USER_RULE: NAT server NTP"
        pass in quick on fxp0 proto tcp from <vpnusers> to any port = pptp flags S/SA keep state label "USER_RULE: NAT VPN PPTP"
        pass in quick on fxp0 proto gre from <vpnusers> to any keep state label "USER_RULE: NAT VPN PPTP"
        pass in quick on fxp0 proto tcp from <workstation> to any port = ftp flags S/SA keep state label "USER_RULE: NAT FTP workstation"
        pass in quick on fxp0 proto tcp from <vpnclients> to any port = ftp flags S/SA keep state label "USER_RULE: NAT FTP PPTPclient"
        pass in quick on fxp0 proto tcp from <workstation> to any port = http flags S/SA keep state label "USER_RULE: NAT HTTP workstation"
        pass in quick on fxp0 proto tcp from <workstation> to any port = 8882 flags S/SA keep state label "USER_RULE: NAT HTTP workstation"
        pass in quick on fxp0 proto tcp from <vpnclients> to any port = http flags S/SA keep state label "USER_RULE: NAT HTTP PPTPclient"
        pass in quick on fxp0 proto tcp from <workstation> to any port = https flags S/SA keep state label "USER_RULE: NAT HTTPS workstation"
        pass in quick on fxp0 proto tcp from <vpnclients> to any port = https flags S/SA keep state label "USER_RULE: NAT HTTPS PPTPclient"
        pass in quick on fxp0 proto icmp from <workstation> to any keep state label "USER_RULE: NAT ping workstation"
        pass in quick on fxp0 proto tcp from <workstation> to any port 2040 >< 2043 flags S/SA keep state label "USER_RULE: NAT port workstation"
        pass in quick on fxp0 proto tcp from <workstation> to any port = 2305 flags S/SA keep state label "USER_RULE: NAT port workstation"
        pass in quick on fxp0 proto tcp from <workstation> to any port = jabber-client flags S/SA keep state label "USER_RULE: NAT port workstation"
        pass in quick on fxp0 proto tcp from <workstation> to any port = 8080 flags S/SA keep state label "USER_RULE: NAT port workstation"
        pass in quick on fxp0 proto tcp from <workstation> to any port = 27015 flags S/SA keep state label "USER_RULE: hl"
        pass in quick on fxp0 proto udp from <workstation> to any port = 27015 keep state label "USER_RULE: hl"
        pass in quick on fxp0 proto tcp from <workstation> to any port = aol flags S/SA keep state label "USER_RULE: ICQ"
        pass in quick on fxp0 proto tcp from <workstation> to any port = 8000 flags S/SA keep state label "USER_RULE: Muzic"
        pass in quick on fxp0 proto udp from <workstation> to any port = 8000 keep state label "USER_RULE: Muzic"
        pass in quick on fxp0 inet proto tcp from 192.168.11.105 to any port = smtp flags S/SA keep state label "USER_RULE"
        pass in quick on fxp0 proto tcp from <workstation> to any port = dsf flags S/SA keep state label "USER_RULE: Test RDP"
        anchor "tftp-proxy/*" all
        pass in quick on fxp0 proto tcp from any to ! (fxp0) port = http flags S/SA keep state
        pass in quick on fxp0 proto tcp from any to ! (fxp0) port = 3128 flags S/SA keep state
        No queue in use

        STATES:
        rl0 icmp 10.0.2.73:2891 -> 10.0.0.1      0:0
        fxp0 icmp 192.168.11.200:2891 -> 192.168.11.1      0:0
        fxp0 tcp 213.199.179.172:443 <- 192.168.11.9:51143      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:51143 -> 10.0.2.73:58588 -> 213.199.179.172:443      ESTABLISHED:ESTABLISHED
        fxp0 tcp 91.190.218.66:443 <- 192.168.11.9:51158      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:51158 -> 10.0.2.73:43537 -> 91.190.218.66:443      ESTABLISHED:ESTABLISHED
        fxp0 tcp 195.239.111.145:5222 <- 192.168.11.9:53322      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:53322 -> 10.0.2.73:10573 -> 195.239.111.145:5222      ESTABLISHED:ESTABLISHED
        fxp0 tcp 94.100.190.238:2042 <- 192.168.11.9:56871      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:56871 -> 10.0.2.73:27635 -> 94.100.190.238:2042      ESTABLISHED:ESTABLISHED
        fxp0 tcp 217.69.141.247:2042 <- 192.168.11.9:57107      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:57107 -> 10.0.2.73:23484 -> 217.69.141.247:2042      ESTABLISHED:ESTABLISHED
        fxp0 tcp 134.170.25.42:443 <- 192.168.11.9:65438      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:65438 -> 10.0.2.73:41729 -> 134.170.25.42:443      ESTABLISHED:ESTABLISHED
        rl0 tcp 10.0.2.73:11912 <- 5.19.244.122:28930      ESTABLISHED:ESTABLISHED
        fxp0 tcp 64.12.30.48:5190 <- 192.168.11.9:59400      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:59400 -> 10.0.2.73:59839 -> 64.12.30.48:5190      ESTABLISHED:ESTABLISHED
        fxp0 tcp 192.168.12.100:445 <- 192.168.11.133:62151      ESTABLISHED:ESTABLISHED
        ovpns1 tcp 192.168.11.133:62151 -> 192.168.12.100:445      ESTABLISHED:ESTABLISHED
        fxp0 tcp 217.69.141.244:2042 <- 192.168.11.11:56434      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.11:56434 -> 10.0.2.73:39079 -> 217.69.141.244:2042      ESTABLISHED:ESTABLISHED
        fxp0 tcp 64.12.30.67:443 <- 192.168.11.11:56495      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.11:56495 -> 10.0.2.73:48704 -> 64.12.30.67:443      ESTABLISHED:ESTABLISHED
        ovpns1 tcp 192.168.11.115:3389 <- 192.168.12.115:59821      ESTABLISHED:ESTABLISHED
        fxp0 tcp 192.168.12.115:59821 -> 192.168.11.115:3389      ESTABLISHED:ESTABLISHED
        fxp0 icmp 202.39.253.11:1 <- 192.168.11.10      0:0
        rl0 icmp 192.168.11.10:1 -> 10.0.2.73:42639 -> 202.39.253.11      0:0
        fxp0 tcp 217.69.139.216:443 <- 192.168.11.9:52920      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:52920 -> 10.0.2.73:30937 -> 217.69.139.216:443      ESTABLISHED:ESTABLISHED
        fxp0 tcp 94.100.179.66:443 <- 192.168.11.9:52988      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:52988 -> 10.0.2.73:54092 -> 94.100.179.66:443      ESTABLISHED:ESTABLISHED
        fxp0 tcp 213.180.204.179:443 <- 192.168.11.9:53151      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53151 -> 10.0.2.73:13605 -> 213.180.204.179:443      TIME_WAIT:TIME_WAIT
        fxp0 tcp 217.20.147.94:443 <- 192.168.11.9:53162      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53162 -> 10.0.2.73:14248 -> 217.20.147.94:443      TIME_WAIT:TIME_WAIT
        fxp0 tcp 87.240.131.118:80 <- 192.168.11.10:50184      FIN_WAIT_2:FIN_WAIT_2
        rl0 tcp 192.168.11.10:50184 -> 10.0.2.73:58830 -> 87.240.131.118:80      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53167      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53167 -> 10.0.2.73:36998 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
        fxp0 tcp 5.45.205.235:80 <- 192.168.11.11:61980      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.11:61980 -> 10.0.2.73:10455 -> 5.45.205.235:80      TIME_WAIT:TIME_WAIT
        fxp0 tcp 141.8.153.67:80 <- 192.168.11.11:61981      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.11:61981 -> 10.0.2.73:50556 -> 141.8.153.67:80      TIME_WAIT:TIME_WAIT
        fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53168      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53168 -> 10.0.2.73:58798 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
        fxp0 tcp 77.88.21.27:80 <- 192.168.11.9:53169      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53169 -> 10.0.2.73:57761 -> 77.88.21.27:80      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50192      TIME_WAIT:TIME_WAIT
        fxp0 tcp 213.180.204.179:443 <- 192.168.11.9:53170      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:53170 -> 10.0.2.73:22576 -> 213.180.204.179:443      ESTABLISHED:ESTABLISHED
        fxp0 tcp 213.222.201.16:80 <- 192.168.11.9:53171      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53171 -> 10.0.2.73:40142 -> 213.222.201.16:80      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61817      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61817 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61818      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61818 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61819      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61819 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61820      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61820 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61821      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61821 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53172      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53172 -> 10.0.2.73:1332 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
        fxp0 udp 192.168.11.255:1947 <- 192.168.11.100:59008      NO_TRAFFIC:SINGLE
        fxp0 tcp 91.228.166.14:80 <- 192.168.11.9:53173      FIN_WAIT_2:FIN_WAIT_2
        rl0 tcp 192.168.11.9:53173 -> 10.0.2.73:3654 -> 91.228.166.14:80      FIN_WAIT_2:FIN_WAIT_2
        fxp0 udp 192.168.11.255:138 <- 192.168.11.3:138      NO_TRAFFIC:SINGLE
        fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53174      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53174 -> 10.0.2.73:51477 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
        fxp0 udp 192.168.11.255:138 <- 192.168.11.105:138      NO_TRAFFIC:SINGLE
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50194      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50195      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50196      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50197      FIN_WAIT_2:FIN_WAIT_2
        fxp0 udp 192.168.11.255:138 <- 192.168.11.122:138      NO_TRAFFIC:SINGLE
        fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53175      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53175 -> 10.0.2.73:54076 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
        fxp0 udp 192.168.12.100:53 <- 192.168.11.9:54530      SINGLE:MULTIPLE
        ovpns1 udp 192.168.11.9:54530 -> 192.168.12.100:53      MULTIPLE:SINGLE
        fxp0 icmp 192.168.12.50:1 <- 192.168.11.10      0:0
        ovpns1 icmp 192.168.11.10:1 -> 192.168.12.50      0:0
        fxp0 udp 192.168.11.255:138 <- 192.168.11.103:138      NO_TRAFFIC:SINGLE
        fxp0 udp 192.168.12.100:53 <- 192.168.11.9:50848      SINGLE:MULTIPLE
        ovpns1 udp 192.168.11.9:50848 -> 192.168.12.100:53      MULTIPLE:SINGLE
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50204      ESTABLISHED:ESTABLISHED
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50205      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50206      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50207      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 87.250.250.27:80 <- 192.168.11.10:50208      FIN_WAIT_2:FIN_WAIT_2
        rl0 tcp 192.168.11.10:50208 -> 10.0.2.73:34811 -> 87.250.250.27:80      FIN_WAIT_2:FIN_WAIT_2
        fxp0 udp 192.168.12.100:53 <- 192.168.11.9:55228      SINGLE:MULTIPLE
        ovpns1 udp 192.168.11.9:55228 -> 192.168.12.100:53      MULTIPLE:SINGLE
        lo0 udp 127.0.0.1:10248 -> 127.0.0.1:53      MULTIPLE:SINGLE
        lo0 udp 127.0.0.1:53 <- 127.0.0.1:10248      SINGLE:MULTIPLE
        rl0 udp 10.0.2.73:22656 -> 192.168.245.14:53      MULTIPLE:SINGLE
        rl0 udp 10.0.2.73:22656 -> 192.168.248.21:53      MULTIPLE:SINGLE
        lo0 udp 127.0.0.1:28825 -> 127.0.0.1:53      MULTIPLE:SINGLE
        lo0 udp 127.0.0.1:53 <- 127.0.0.1:28825      SINGLE:MULTIPLE
        rl0 udp 10.0.2.73:36531 -> 192.168.245.14:53      MULTIPLE:SINGLE
        rl0 udp 10.0.2.73:36531 -> 192.168.248.21:53      MULTIPLE:SINGLE
        rl0 tcp 10.0.2.73:33438 -> 69.64.6.17:80      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50209      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50210      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50211      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50212      FIN_WAIT_2:FIN_WAIT_2
        fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53176      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53176 -> 10.0.2.73:28094 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
        fxp0 udp 192.168.12.100:53 <- 192.168.11.9:63439      SINGLE:MULTIPLE
        ovpns1 udp 192.168.11.9:63439 -> 192.168.12.100:53      MULTIPLE:SINGLE
        fxp0 udp 192.168.12.100:53 <- 192.168.11.9:53711      SINGLE:MULTIPLE
        ovpns1 udp 192.168.11.9:53711 -> 192.168.12.100:53      MULTIPLE:SINGLE
        fxp0 udp 192.168.12.100:53 <- 192.168.11.9:58502      SINGLE:MULTIPLE
        ovpns1 udp 192.168.11.9:58502 -> 192.168.12.100:53      MULTIPLE:SINGLE
        fxp0 udp 192.168.12.110:389 <- 192.168.11.10:52758      SINGLE:MULTIPLE
        ovpns1 udp 192.168.11.10:52758 -> 192.168.12.110:389      MULTIPLE:SINGLE
        fxp0 tcp 213.180.204.232:80 <- 192.168.11.9:53177      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:53177 -> 10.0.2.73:56718 -> 213.180.204.232:80      ESTABLISHED:ESTABLISHED
        fxp0 tcp 87.250.250.27:80 <- 192.168.11.10:50216      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.10:50216 -> 10.0.2.73:59964 -> 87.250.250.27:80      ESTABLISHED:ESTABLISHED
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61824      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61824 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61825      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61825 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61826      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61826 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61827      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61827 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61828      TIME_WAIT:TIME_WAIT
        ovpns1 tcp 192.168.11.100:61828 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
        fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53178      TIME_WAIT:TIME_WAIT
        rl0 tcp 192.168.11.9:53178 -> 10.0.2.73:45877 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
        fxp0 tcp 128.140.169.208:443 <- 192.168.11.9:53179      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:53179 -> 10.0.2.73:27846 -> 128.140.169.208:443      ESTABLISHED:ESTABLISHED
        fxp0 tcp 23.43.139.27:80 <- 192.168.11.9:53180      ESTABLISHED:ESTABLISHED
        rl0 tcp 192.168.11.9:53180 -> 10.0.2.73:27030 -> 23.43.139.27:80      ESTABLISHED:ESTABLISHED

        INFO:
        Status: Enabled for 66 days 07:59:51          Debug: Urgent

        Interface Stats for fxp0              IPv4            IPv6
          Bytes In                    80424040351          2319700
          Bytes Out                  220153381963                0
          Packets In
            Passed                      137489254                0
            Blocked                          53168            30525
          Packets Out
            Passed                      209519736                0
            Blocked                              1                0

        State Table                          Total            Rate
          current entries                      140             
          searches                      839472044          146.5/s
          inserts                        11937308            2.1/s
          removals                        11937168            2.1/s
        Counters
          match                          14961873            2.6/s
          bad-offset                            0            0.0/s
          fragment                              0            0.0/s
          short                                  0            0.0/s
          normalize                              0            0.0/s
          memory                                0            0.0/s
          bad-timestamp                          0            0.0/s
          congestion                            0            0.0/s
          ip-option                              0            0.0/s
          proto-cksum                      180336            0.0/s
          state-mismatch                      540            0.0/s
          state-insert                          0            0.0/s
          state-limit                            0            0.0/s
          src-limit                              0            0.0/s
          synproxy                              0            0.0/s
          divert                                0            0.0/s

        LABEL COUNTERS:
        Block all IPv6 54774 154 11088 154 11088 0 0
        Block all IPv6 17334 0 0 0 0 0 0
        Default deny rule IPv4 54620 18665 4308907 18665 4308907 0 0
        Default deny rule IPv4 54620 0 0 0 0 0 0
        Default deny rule IPv6 54620 0 0 0 0 0 0
        Default deny rule IPv6 17334 0 0 0 0 0 0
        Block snort2c hosts 54620 0 0 0 0 0 0
        Block snort2c hosts 54620 0 0 0 0 0 0
        sshlockout 54620 0 0 0 0 0 0
        webConfiguratorlockout 10825 0 0 0 0 0 0
        virusprot overload table 37286 0 0 0 0 0 0
        pass IPv4 loopback 37286 91 33198 49 3082 42 30116
        pass IPv4 loopback 17348 0 0 0 0 0 0
        pass IPv6 loopback 28 0 0 0 0 0 0
        pass IPv6 loopback 14 0 0 0 0 0 0
        let out anything IPv4 from firewall host itself 54620 3293127 2927774805 1710649 1659714896 1582478 1268059909
        let out anything IPv6 from firewall host itself 17334 0 0 0 0 0 0
        let out anything from firewall host itself 17334 96611 33316774 48484 23939060 48127 9377714
        anti-lockout rule 54620 888 470390 392 44406 496 425984
        anti-lockout rule 0 0 0 0 0 0 0
        USER_RULE 54574 85978 20345824 44060 14690765 41918 5655059
        USER_RULE: NAT MAP PPTP to server 46124 0 0 0 0 0 0
        USER_RULE: MAP ping to router 18752 106 6416 53 3208 53 3208
        USER_RULE: IPSec 18686 0 0 0 0 0 0
        USER_RULE: IPSec 17970 0 0 0 0 0 0
        USER_RULE: OpenVPN 1108 0 0 0 0 0 0
        USER_RULE: OpenVPN 1024 0 0 0 0 0 0
        USER_RULE: NAT MAP PPTP to server 18731 13 852 8 484 5 368
        USER_RULE: NAT HTTP 798 33326 27504297 12694 1092582 20632 26411715
        USER_RULE: NAT HTTP for 103 0 0 0 0 0 0 0
        USER_RULE 37278 6343 549735 6343 549735 0 0
        USER_RULE 17076 3166123 2880067090 1522099 1252611364 1644024 1627455726
        USER_RULE 0 0 0 0 0 0 0
        USER_RULE 8742 0 0 0 0 0 0
        USER_RULE: NAT server DNS 8742 0 0 0 0 0 0
        USER_RULE: NAT server DNS 1679 2132 407063 1066 79591 1066 327472
        USER_RULE: NAT server ping 565 0 0 0 0 0 0
        USER_RULE: NAT server PPTP 563 0 0 0 0 0 0
        USER_RULE: NAT server PPTP 563 0 0 0 0 0 0
        USER_RULE: NAT server NTP 563 0 0 0 0 0 0
        USER_RULE: NAT server NTP 539 0 0 0 0 0 0
        USER_RULE: NAT VPN PPTP 7684 0 0 0 0 0 0
        USER_RULE: NAT VPN PPTP 1097 0 0 0 0 0 0
        USER_RULE: NAT FTP workstation 7684 0 0 0 0 0 0
        USER_RULE: NAT FTP PPTPclient 20 0 0 0 0 0 0
        USER_RULE: NAT HTTP workstation 7063 61942 26125169 30367 5998394 31575 20126775
        USER_RULE: NAT HTTP workstation 463 0 0 0 0 0 0
        USER_RULE: NAT HTTP PPTPclient 483 0 0 0 0 0 0
        USER_RULE: NAT HTTPS workstation 483 14719 6179101 7745 3021719 6974 3157382
        USER_RULE: NAT HTTPS PPTPclient 20 0 0 0 0 0 0
        USER_RULE: NAT ping workstation 657 25723 951751 12893 477041 12830 474710
        USER_RULE: NAT port workstation 655 0 0 0 0 0 0
        USER_RULE: NAT port workstation 16 0 0 0 0 0 0
        USER_RULE: NAT port workstation 16 0 0 0 0 0 0
        USER_RULE: NAT port workstation 16 0 0 0 0 0 0
        USER_RULE: hl 16 0 0 0 0 0 0
        USER_RULE: hl 619 0 0 0 0 0 0
        USER_RULE: ICQ 61 0 0 0 0 0 0
        USER_RULE: Muzic 16 0 0 0 0 0 0
        USER_RULE: Muzic 45 0 0 0 0 0 0
        USER_RULE 655 0 0 0 0 0 0
        USER_RULE: Test RDP 36 0 0 0 0 0 0

        TIMEOUTS:
        tcp.first                  120s
        tcp.opening                  30s
        tcp.established          86400s
        tcp.closing                900s
        tcp.finwait                  45s
        tcp.closed                  90s
        tcp.tsdiff                  30s
        udp.first                    60s
        udp.single                  30s
        udp.multiple                60s
        icmp.first                  20s
        icmp.error                  10s
        other.first                  60s
        other.single                30s
        other.multiple              60s
        frag                        30s
        interval                    10s
        adaptive.start                0 states
        adaptive.end                  0 states
        src.track                    0s

        LIMITS:
        states        hard limit    23000
        src-nodes    hard limit    23000
        frags        hard limit    5000
        tables        hard limit    3000
        table-entries hard limit  200000

        TABLES:
        VPNclients
        VPNusers
        blocklist
        bogons
        lansubnets
        server
        snort2c
        sshlockout
        virusprot
        webConfiguratorlockout
        workstation

        OS FINGERPRINTS:
        710 fingerprints loaded

        pfSense is © 2004 - 2013 by Electric Sheep Fencing LLC. All Rights Reserved.

        • B
          Bat72
          last edited by

          For the other two commands the response was this:
          $ grep rdr
          grep: (standard input): Socket is not connected

          $ grep 127.0.0.1
          grep: (standard input): Socket is not connected

          Maybe I entered something wrong?

          • werterW
            werter
            last edited by

            That is a single command.

            • B
              Bat72
              last edited by

              By the evening I really get slow.

              $ pfctl -sa | grep rdr
              no rdr proto carp all
              rdr-anchor "relayd/*" all
              rdr-anchor "tftp-proxy/*" all
              rdr on rl0 inet proto tcp from any to 10.0.2.73 port = pptp -> 192.168.11.110
              rdr on rl0 inet proto gre from any to 10.0.2.73 -> 192.168.11.110
              rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
              rdr on rl0 inet proto tcp from any to 10.0.2.73 port = 8882 -> 192.168.11.105 port 80
              rdr-anchor "miniupnpd" all

              • B
                Bat72
                last edited by

                And to the full command it reacts like this:

                $ pfctl -sa | grep rdr | grep 127.0.0.1

                • N
                  NegoroX
                  last edited by

                  Your Squid is either not working or not configured. It should look like this:
                  $ pfctl -sa | grep rdr | grep 127.0.0.1
                  rdr on sk0 inet proto tcp from any to ! (sk0) port = http -> 127.0.0.1 port 3128

                  • B
                    Bat72
                    last edited by

                    So what should I do now? Remove it and install it again, or what? Or reinstall everything from scratch, or configure it by hand instead of restoring from a backup? What should I do?

                    • R
                      rubic
                      last edited by

                      Well, if the "Transparent proxy" checkbox is set in the SQUID settings but for some reason the rule is missing, you can create it by hand:
                      Firewall -> NAT -> Port Forward ->

                      LAN TCP * * LAN address HTTP 127.0.0.1 3128

                      Though it is not certain that SQUID is working for you at all. By the way, what do you have in Status -> Services?
                      In any case, none of this is normal; in your place I would reinstall everything.

                      • werterW
                        werter
                        last edited by

                        To the TC

                        As an option: export the config without packages (there is a special checkbox for that). Install fresh and install only the problematic Squid.
                        Check that it works and, if everything is OK, continue the configuration.

                        • B
                          Bat72
                          last edited by

                          In Status -> Services both squid and squidGuard show Running... And the picture is the same on all the routers I have (my home network is also connected to the work one via OpenVPN).

                          • B
                            Bat72
                            last edited by

                            I wrote the rule by hand; now it looks like this:
                            $ pfctl -sa | grep rdr | grep 127.0.0.1
                            rdr on fxp0 inet proto tcp from any to 192.168.11.200 port = http -> 127.0.0.1 port 3128

                            • R
                              rubic
                              last edited by

                              My mistake, remove LAN Address, it should be:
                              LAN TCP * * * HTTP 127.0.0.1 3128

                              UPD: or else set Not LAN Address

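As an added example (not code from this thread or from pfSense), here is a small Python check over the text of `pfctl -sa | grep rdr` that tells apart the three situations seen above: no redirect to 127.0.0.1:3128 at all, a redirect whose destination is only the firewall's own address (the "LAN address" rule), and a correct one whose destination is any or a negated interface address. The sample lines are constructed after the ones quoted in the thread; interface names and addresses are examples.

```python
import re

# Constructed sample lines in the shape of `pfctl -sa | grep rdr` output on pfSense 2.1,
# modelled on the ones quoted in this thread (interfaces and addresses are examples).
SAMPLE_RDR_LINES = [
    'rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105',
    'rdr on fxp0 inet proto tcp from any to 192.168.11.200 port = http -> 127.0.0.1 port 3128',
    'rdr on sk0 inet proto tcp from any to ! (sk0) port = http -> 127.0.0.1 port 3128',
]

# Matches the TCP rdr rules pf prints; anchors and other protocols do not match.
RDR_RE = re.compile(
    r'^rdr on (?P<iface>\S+) inet proto tcp from (?P<src>.+?) to (?P<dst>.+?) '
    r'port = (?P<port>\S+) -> (?P<rdr_to>\S+)(?: port (?P<rdr_port>\d+))?$'
)

def parse_rdr(line):
    """Split one rdr line into its fields, or return None if it is not a TCP rdr rule."""
    m = RDR_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_transparent_proxy(line, proxy_port='3128'):
    """Verdict for one line: 'unparsed', 'unrelated', 'only-to-firewall' or 'ok'."""
    r = parse_rdr(line)
    if r is None:
        return 'unparsed'
    if not (r['port'] == 'http' and r['rdr_to'] == '127.0.0.1' and r['rdr_port'] == proxy_port):
        return 'unrelated'          # some other port forward, not the Squid redirect
    dst = r['dst']
    if dst == 'any' or dst.startswith('!'):
        return 'ok'                 # catches the clients' outbound HTTP, as the thread expects
    # A single destination address (the "LAN address" mistake): only HTTP sent to the
    # firewall itself is redirected, so normal web browsing bypasses Squid entirely.
    return 'only-to-firewall'

def check_transparent_proxy(lines, proxy_port='3128'):
    """Summarise a whole `pfctl -sa | grep rdr` listing: 'ok', 'only-to-firewall' or 'missing'."""
    verdicts = {classify_transparent_proxy(l, proxy_port) for l in lines}
    if 'ok' in verdicts:
        return 'ok'
    if 'only-to-firewall' in verdicts:
        return 'only-to-firewall'
    return 'missing'

if __name__ == '__main__':
    for l in SAMPLE_RDR_LINES:
        print(classify_transparent_proxy(l), '<-', l)
    print('overall:', check_transparent_proxy(SAMPLE_RDR_LINES))
```

On a real box, pipe the output of `pfctl -sa | grep rdr` into `check_transparent_proxy` line by line; 'missing' corresponds to the empty grep result in this thread and 'only-to-firewall' to the first hand-made rule.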
                              • B
                                Bat72
                                last edited by

                                Hooray! Now it seems everything is working. So it was the rule after all. Now everything I want seems to be filtered. Many thanks to everyone.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.