Netgate Discussion Forum
    Problems with Proxy after an update. Please advise…

    Russian
    15 Posts 4 Posters 23.9k Views
    Bat72


      Diagnostics: Execute command help

      $ pfctl -sa
      TRANSLATION RULES:
      no nat proto carp all
      nat-anchor "natearly/*" all
      nat-anchor "natrules/*" all
      nat on rl0 inet from 192.168.11.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
      nat on rl0 inet from 10.11.12.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
      nat on rl0 inet from 10.11.10.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
      nat on rl0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
      nat on rl0 inet from 0.0.0.0 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
      nat on rl0 inet from 192.168.11.0/24 to any -> 10.0.2.73 port 1024:65535
      nat on rl0 inet from 10.11.12.0/24 to any -> 10.0.2.73 port 1024:65535
      nat on rl0 inet from 10.11.10.0/24 to any -> 10.0.2.73 port 1024:65535
      nat on rl0 inet from 127.0.0.0/8 to any -> 10.0.2.73 port 1024:65535
      nat on rl0 inet from 0.0.0.0 to any -> 10.0.2.73 port 1024:65535
      no rdr proto carp all
      rdr-anchor "relayd/*" all
      rdr-anchor "tftp-proxy/*" all
      rdr on rl0 inet proto tcp from any to 10.0.2.73 port = pptp -> 192.168.11.110
      rdr on rl0 inet proto gre from any to 10.0.2.73 -> 192.168.11.110
      rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
      rdr on rl0 inet proto tcp from any to 10.0.2.73 port = 8882 -> 192.168.11.105 port 80
      rdr-anchor "miniupnpd" all

      FILTER RULES:
      scrub on rl0 all fragment reassemble
      scrub on fxp0 all fragment reassemble
      anchor "relayd/*" all
      anchor "openvpn/*" all
      anchor "ipsec/*" all
      block drop in log quick inet6 all label "Block all IPv6"
      block drop out log quick inet6 all label "Block all IPv6"
      block drop in log inet all label "Default deny rule IPv4"
      block drop out log inet all label "Default deny rule IPv4"
      block drop in log inet6 all label "Default deny rule IPv6"
      block drop out log inet6 all label "Default deny rule IPv6"
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      block drop quick inet proto tcp from any port = 0 to any
      block drop quick inet proto tcp from any to any port = 0
      block drop quick inet proto udp from any port = 0 to any
      block drop quick inet proto udp from any to any port = 0
      block drop quick inet6 proto tcp from any port = 0 to any
      block drop quick inet6 proto tcp from any to any port = 0
      block drop quick inet6 proto udp from any port = 0 to any
      block drop quick inet6 proto udp from any to any port = 0
      block drop quick from <snort2c> to any label "Block snort2c hosts"
      block drop quick from any to <snort2c> label "Block snort2c hosts"
      block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
      block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
      block drop in quick from <virusprot> to any label "virusprot overload table"
      block drop in on ! rl0 inet from 10.0.0.0/22 to any
      block drop in inet from 10.0.2.73 to any
      block drop in on ! fxp0 inet from 192.168.11.0/24 to any
      block drop in inet from 192.168.11.200 to any
      block drop in on rl0 inet6 from fe80::230:84ff:fe89:4ce0 to any
      block drop in on fxp0 inet6 from fe80::2d0:b7ff:fee6:eab9 to any
      pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      pass out route-to (rl0 10.0.0.1) inet from 10.0.2.73 to ! 10.0.0.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in quick on fxp0 proto tcp from any to (fxp0) port = http flags S/SA keep state label "anti-lockout rule"
      pass in quick on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state label "anti-lockout rule"
      anchor "userrules/*" all
      pass in quick on openvpn all flags S/SA keep state label "USER_RULE"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto gre from any to 192.168.11.110 keep state label "USER_RULE: NAT MAP PPTP to server"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto icmp from any to 10.0.2.73 keep state label "USER_RULE: MAP ping to router"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 10.0.2.73 port = la-maint flags S/SA keep state label "USER_RULE: IPSec"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto udp from any to 10.0.2.73 port = isakmp keep state label "USER_RULE: IPSec"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 10.0.2.73 port 11899 >< 11951 flags S/SA keep state label "USER_RULE: OpenVPN"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto udp from any to 10.0.2.73 port 11899 >< 11951 keep state label "USER_RULE: OpenVPN"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.110 port = pptp flags S/SA keep state label "USER_RULE: NAT MAP PPTP to server"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.105 port = http flags S/SA keep state label "USER_RULE: NAT HTTP"
      pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.105 port = http flags S/SA keep state label "USER_RULE: NAT HTTP for 103"
      pass in quick on fxp0 inet from any to 192.168.11.0/24 flags S/SA keep state label "USER_RULE"
      pass in quick on fxp0 inet from 192.168.11.0/24 to <lansubnets> flags S/SA keep state label "USER_RULE"
      pass in quick on fxp0 from <vpnclients> to <lansubnets> flags S/SA keep state label "USER_RULE"
      pass in quick on fxp0 inet proto icmp from any to 192.168.11.200 keep state label "USER_RULE"
      pass in quick on fxp0 inet proto tcp from <server> to any port = domain flags S/SA keep state label "USER_RULE: NAT server DNS"
      pass in quick on fxp0 inet proto udp from <server> to any port = domain keep state label "USER_RULE: NAT server DNS"
      pass in quick on fxp0 inet proto icmp from <server> to any keep state label "USER_RULE: NAT server ping"
      pass in quick on fxp0 inet proto tcp from <server> to any port = pptp flags S/SA keep state label "USER_RULE: NAT server PPTP"
      pass in quick on fxp0 inet proto gre from <server> to any keep state label "USER_RULE: NAT server PPTP"
      pass in quick on fxp0 inet proto tcp from <server> to any port = ntp flags S/SA keep state label "USER_RULE: NAT server NTP"
      pass in quick on fxp0 inet proto udp from <server> to any port = ntp keep state label "USER_RULE: NAT server NTP"
      pass in quick on fxp0 proto tcp from <vpnusers> to any port = pptp flags S/SA keep state label "USER_RULE: NAT VPN PPTP"
      pass in quick on fxp0 proto gre from <vpnusers> to any keep state label "USER_RULE: NAT VPN PPTP"
      pass in quick on fxp0 proto tcp from <workstation> to any port = ftp flags S/SA keep state label "USER_RULE: NAT FTP workstation"
      pass in quick on fxp0 proto tcp from <vpnclients> to any port = ftp flags S/SA keep state label "USER_RULE: NAT FTP PPTPclient"
      pass in quick on fxp0 proto tcp from <workstation> to any port = http flags S/SA keep state label "USER_RULE: NAT HTTP workstation"
      pass in quick on fxp0 proto tcp from <workstation> to any port = 8882 flags S/SA keep state label "USER_RULE: NAT HTTP workstation"
      pass in quick on fxp0 proto tcp from <vpnclients> to any port = http flags S/SA keep state label "USER_RULE: NAT HTTP PPTPclient"
      pass in quick on fxp0 proto tcp from <workstation> to any port = https flags S/SA keep state label "USER_RULE: NAT HTTPS workstation"
      pass in quick on fxp0 proto tcp from <vpnclients> to any port = https flags S/SA keep state label "USER_RULE: NAT HTTPS PPTPclient"
      pass in quick on fxp0 proto icmp from <workstation> to any keep state label "USER_RULE: NAT ping workstation"
      pass in quick on fxp0 proto tcp from <workstation> to any port 2040 >< 2043 flags S/SA keep state label "USER_RULE: NAT port workstation"
      pass in quick on fxp0 proto tcp from <workstation> to any port = 2305 flags S/SA keep state label "USER_RULE: NAT port workstation"
      pass in quick on fxp0 proto tcp from <workstation> to any port = jabber-client flags S/SA keep state label "USER_RULE: NAT port workstation"
      pass in quick on fxp0 proto tcp from <workstation> to any port = 8080 flags S/SA keep state label "USER_RULE: NAT port workstation"
      pass in quick on fxp0 proto tcp from <workstation> to any port = 27015 flags S/SA keep state label "USER_RULE: hl"
      pass in quick on fxp0 proto udp from <workstation> to any port = 27015 keep state label "USER_RULE: hl"
      pass in quick on fxp0 proto tcp from <workstation> to any port = aol flags S/SA keep state label "USER_RULE: ICQ"
      pass in quick on fxp0 proto tcp from <workstation> to any port = 8000 flags S/SA keep state label "USER_RULE: Muzic"
      pass in quick on fxp0 proto udp from <workstation> to any port = 8000 keep state label "USER_RULE: Muzic"
      pass in quick on fxp0 inet proto tcp from 192.168.11.105 to any port = smtp flags S/SA keep state label "USER_RULE"
      pass in quick on fxp0 proto tcp from <workstation> to any port = dsf flags S/SA keep state label "USER_RULE: Test RDP"
      anchor "tftp-proxy/*" all
      pass in quick on fxp0 proto tcp from any to ! (fxp0) port = http flags S/SA keep state
      pass in quick on fxp0 proto tcp from any to ! (fxp0) port = 3128 flags S/SA keep state
      No queue in use

      STATES:
      rl0 icmp 10.0.2.73:2891 -> 10.0.0.1      0:0
      fxp0 icmp 192.168.11.200:2891 -> 192.168.11.1      0:0
      fxp0 tcp 213.199.179.172:443 <- 192.168.11.9:51143      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:51143 -> 10.0.2.73:58588 -> 213.199.179.172:443      ESTABLISHED:ESTABLISHED
      fxp0 tcp 91.190.218.66:443 <- 192.168.11.9:51158      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:51158 -> 10.0.2.73:43537 -> 91.190.218.66:443      ESTABLISHED:ESTABLISHED
      fxp0 tcp 195.239.111.145:5222 <- 192.168.11.9:53322      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:53322 -> 10.0.2.73:10573 -> 195.239.111.145:5222      ESTABLISHED:ESTABLISHED
      fxp0 tcp 94.100.190.238:2042 <- 192.168.11.9:56871      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:56871 -> 10.0.2.73:27635 -> 94.100.190.238:2042      ESTABLISHED:ESTABLISHED
      fxp0 tcp 217.69.141.247:2042 <- 192.168.11.9:57107      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:57107 -> 10.0.2.73:23484 -> 217.69.141.247:2042      ESTABLISHED:ESTABLISHED
      fxp0 tcp 134.170.25.42:443 <- 192.168.11.9:65438      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:65438 -> 10.0.2.73:41729 -> 134.170.25.42:443      ESTABLISHED:ESTABLISHED
      rl0 tcp 10.0.2.73:11912 <- 5.19.244.122:28930      ESTABLISHED:ESTABLISHED
      fxp0 tcp 64.12.30.48:5190 <- 192.168.11.9:59400      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:59400 -> 10.0.2.73:59839 -> 64.12.30.48:5190      ESTABLISHED:ESTABLISHED
      fxp0 tcp 192.168.12.100:445 <- 192.168.11.133:62151      ESTABLISHED:ESTABLISHED
      ovpns1 tcp 192.168.11.133:62151 -> 192.168.12.100:445      ESTABLISHED:ESTABLISHED
      fxp0 tcp 217.69.141.244:2042 <- 192.168.11.11:56434      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.11:56434 -> 10.0.2.73:39079 -> 217.69.141.244:2042      ESTABLISHED:ESTABLISHED
      fxp0 tcp 64.12.30.67:443 <- 192.168.11.11:56495      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.11:56495 -> 10.0.2.73:48704 -> 64.12.30.67:443      ESTABLISHED:ESTABLISHED
      ovpns1 tcp 192.168.11.115:3389 <- 192.168.12.115:59821      ESTABLISHED:ESTABLISHED
      fxp0 tcp 192.168.12.115:59821 -> 192.168.11.115:3389      ESTABLISHED:ESTABLISHED
      fxp0 icmp 202.39.253.11:1 <- 192.168.11.10      0:0
      rl0 icmp 192.168.11.10:1 -> 10.0.2.73:42639 -> 202.39.253.11      0:0
      fxp0 tcp 217.69.139.216:443 <- 192.168.11.9:52920      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:52920 -> 10.0.2.73:30937 -> 217.69.139.216:443      ESTABLISHED:ESTABLISHED
      fxp0 tcp 94.100.179.66:443 <- 192.168.11.9:52988      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:52988 -> 10.0.2.73:54092 -> 94.100.179.66:443      ESTABLISHED:ESTABLISHED
      fxp0 tcp 213.180.204.179:443 <- 192.168.11.9:53151      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53151 -> 10.0.2.73:13605 -> 213.180.204.179:443      TIME_WAIT:TIME_WAIT
      fxp0 tcp 217.20.147.94:443 <- 192.168.11.9:53162      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53162 -> 10.0.2.73:14248 -> 217.20.147.94:443      TIME_WAIT:TIME_WAIT
      fxp0 tcp 87.240.131.118:80 <- 192.168.11.10:50184      FIN_WAIT_2:FIN_WAIT_2
      rl0 tcp 192.168.11.10:50184 -> 10.0.2.73:58830 -> 87.240.131.118:80      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53167      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53167 -> 10.0.2.73:36998 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
      fxp0 tcp 5.45.205.235:80 <- 192.168.11.11:61980      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.11:61980 -> 10.0.2.73:10455 -> 5.45.205.235:80      TIME_WAIT:TIME_WAIT
      fxp0 tcp 141.8.153.67:80 <- 192.168.11.11:61981      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.11:61981 -> 10.0.2.73:50556 -> 141.8.153.67:80      TIME_WAIT:TIME_WAIT
      fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53168      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53168 -> 10.0.2.73:58798 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
      fxp0 tcp 77.88.21.27:80 <- 192.168.11.9:53169      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53169 -> 10.0.2.73:57761 -> 77.88.21.27:80      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50192      TIME_WAIT:TIME_WAIT
      fxp0 tcp 213.180.204.179:443 <- 192.168.11.9:53170      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:53170 -> 10.0.2.73:22576 -> 213.180.204.179:443      ESTABLISHED:ESTABLISHED
      fxp0 tcp 213.222.201.16:80 <- 192.168.11.9:53171      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53171 -> 10.0.2.73:40142 -> 213.222.201.16:80      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61817      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61817 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61818      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61818 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61819      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61819 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61820      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61820 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61821      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61821 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53172      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53172 -> 10.0.2.73:1332 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
      fxp0 udp 192.168.11.255:1947 <- 192.168.11.100:59008      NO_TRAFFIC:SINGLE
      fxp0 tcp 91.228.166.14:80 <- 192.168.11.9:53173      FIN_WAIT_2:FIN_WAIT_2
      rl0 tcp 192.168.11.9:53173 -> 10.0.2.73:3654 -> 91.228.166.14:80      FIN_WAIT_2:FIN_WAIT_2
      fxp0 udp 192.168.11.255:138 <- 192.168.11.3:138      NO_TRAFFIC:SINGLE
      fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53174      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53174 -> 10.0.2.73:51477 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
      fxp0 udp 192.168.11.255:138 <- 192.168.11.105:138      NO_TRAFFIC:SINGLE
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50194      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50195      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50196      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50197      FIN_WAIT_2:FIN_WAIT_2
      fxp0 udp 192.168.11.255:138 <- 192.168.11.122:138      NO_TRAFFIC:SINGLE
      fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53175      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53175 -> 10.0.2.73:54076 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
      fxp0 udp 192.168.12.100:53 <- 192.168.11.9:54530      SINGLE:MULTIPLE
      ovpns1 udp 192.168.11.9:54530 -> 192.168.12.100:53      MULTIPLE:SINGLE
      fxp0 icmp 192.168.12.50:1 <- 192.168.11.10      0:0
      ovpns1 icmp 192.168.11.10:1 -> 192.168.12.50      0:0
      fxp0 udp 192.168.11.255:138 <- 192.168.11.103:138      NO_TRAFFIC:SINGLE
      fxp0 udp 192.168.12.100:53 <- 192.168.11.9:50848      SINGLE:MULTIPLE
      ovpns1 udp 192.168.11.9:50848 -> 192.168.12.100:53      MULTIPLE:SINGLE
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50204      ESTABLISHED:ESTABLISHED
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50205      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50206      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50207      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 87.250.250.27:80 <- 192.168.11.10:50208      FIN_WAIT_2:FIN_WAIT_2
      rl0 tcp 192.168.11.10:50208 -> 10.0.2.73:34811 -> 87.250.250.27:80      FIN_WAIT_2:FIN_WAIT_2
      fxp0 udp 192.168.12.100:53 <- 192.168.11.9:55228      SINGLE:MULTIPLE
      ovpns1 udp 192.168.11.9:55228 -> 192.168.12.100:53      MULTIPLE:SINGLE
      lo0 udp 127.0.0.1:10248 -> 127.0.0.1:53      MULTIPLE:SINGLE
      lo0 udp 127.0.0.1:53 <- 127.0.0.1:10248      SINGLE:MULTIPLE
      rl0 udp 10.0.2.73:22656 -> 192.168.245.14:53      MULTIPLE:SINGLE
      rl0 udp 10.0.2.73:22656 -> 192.168.248.21:53      MULTIPLE:SINGLE
      lo0 udp 127.0.0.1:28825 -> 127.0.0.1:53      MULTIPLE:SINGLE
      lo0 udp 127.0.0.1:53 <- 127.0.0.1:28825      SINGLE:MULTIPLE
      rl0 udp 10.0.2.73:36531 -> 192.168.245.14:53      MULTIPLE:SINGLE
      rl0 udp 10.0.2.73:36531 -> 192.168.248.21:53      MULTIPLE:SINGLE
      rl0 tcp 10.0.2.73:33438 -> 69.64.6.17:80      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50209      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50210      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50211      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50212      FIN_WAIT_2:FIN_WAIT_2
      fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53176      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53176 -> 10.0.2.73:28094 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
      fxp0 udp 192.168.12.100:53 <- 192.168.11.9:63439      SINGLE:MULTIPLE
      ovpns1 udp 192.168.11.9:63439 -> 192.168.12.100:53      MULTIPLE:SINGLE
      fxp0 udp 192.168.12.100:53 <- 192.168.11.9:53711      SINGLE:MULTIPLE
      ovpns1 udp 192.168.11.9:53711 -> 192.168.12.100:53      MULTIPLE:SINGLE
      fxp0 udp 192.168.12.100:53 <- 192.168.11.9:58502      SINGLE:MULTIPLE
      ovpns1 udp 192.168.11.9:58502 -> 192.168.12.100:53      MULTIPLE:SINGLE
      fxp0 udp 192.168.12.110:389 <- 192.168.11.10:52758      SINGLE:MULTIPLE
      ovpns1 udp 192.168.11.10:52758 -> 192.168.12.110:389      MULTIPLE:SINGLE
      fxp0 tcp 213.180.204.232:80 <- 192.168.11.9:53177      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:53177 -> 10.0.2.73:56718 -> 213.180.204.232:80      ESTABLISHED:ESTABLISHED
      fxp0 tcp 87.250.250.27:80 <- 192.168.11.10:50216      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.10:50216 -> 10.0.2.73:59964 -> 87.250.250.27:80      ESTABLISHED:ESTABLISHED
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61824      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61824 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61825      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61825 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61826      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61826 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61827      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61827 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61828      TIME_WAIT:TIME_WAIT
      ovpns1 tcp 192.168.11.100:61828 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
      fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53178      TIME_WAIT:TIME_WAIT
      rl0 tcp 192.168.11.9:53178 -> 10.0.2.73:45877 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
      fxp0 tcp 128.140.169.208:443 <- 192.168.11.9:53179      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:53179 -> 10.0.2.73:27846 -> 128.140.169.208:443      ESTABLISHED:ESTABLISHED
      fxp0 tcp 23.43.139.27:80 <- 192.168.11.9:53180      ESTABLISHED:ESTABLISHED
      rl0 tcp 192.168.11.9:53180 -> 10.0.2.73:27030 -> 23.43.139.27:80      ESTABLISHED:ESTABLISHED

      INFO:
      Status: Enabled for 66 days 07:59:51          Debug: Urgent

      Interface Stats for fxp0              IPv4            IPv6
        Bytes In                    80424040351          2319700
        Bytes Out                  220153381963                0
        Packets In
          Passed                      137489254                0
          Blocked                          53168            30525
        Packets Out
          Passed                      209519736                0
          Blocked                              1                0

      State Table                          Total            Rate
        current entries                      140             
        searches                      839472044          146.5/s
        inserts                        11937308            2.1/s
        removals                        11937168            2.1/s
      Counters
        match                          14961873            2.6/s
        bad-offset                            0            0.0/s
        fragment                              0            0.0/s
        short                                  0            0.0/s
        normalize                              0            0.0/s
        memory                                0            0.0/s
        bad-timestamp                          0            0.0/s
        congestion                            0            0.0/s
        ip-option                              0            0.0/s
        proto-cksum                      180336            0.0/s
        state-mismatch                      540            0.0/s
        state-insert                          0            0.0/s
        state-limit                            0            0.0/s
        src-limit                              0            0.0/s
        synproxy                              0            0.0/s
        divert                                0            0.0/s

      LABEL COUNTERS:
      Block all IPv6 54774 154 11088 154 11088 0 0
      Block all IPv6 17334 0 0 0 0 0 0
      Default deny rule IPv4 54620 18665 4308907 18665 4308907 0 0
      Default deny rule IPv4 54620 0 0 0 0 0 0
      Default deny rule IPv6 54620 0 0 0 0 0 0
      Default deny rule IPv6 17334 0 0 0 0 0 0
      Block snort2c hosts 54620 0 0 0 0 0 0
      Block snort2c hosts 54620 0 0 0 0 0 0
      sshlockout 54620 0 0 0 0 0 0
      webConfiguratorlockout 10825 0 0 0 0 0 0
      virusprot overload table 37286 0 0 0 0 0 0
      pass IPv4 loopback 37286 91 33198 49 3082 42 30116
      pass IPv4 loopback 17348 0 0 0 0 0 0
      pass IPv6 loopback 28 0 0 0 0 0 0
      pass IPv6 loopback 14 0 0 0 0 0 0
      let out anything IPv4 from firewall host itself 54620 3293127 2927774805 1710649 1659714896 1582478 1268059909
      let out anything IPv6 from firewall host itself 17334 0 0 0 0 0 0
      let out anything from firewall host itself 17334 96611 33316774 48484 23939060 48127 9377714
      anti-lockout rule 54620 888 470390 392 44406 496 425984
      anti-lockout rule 0 0 0 0 0 0 0
      USER_RULE 54574 85978 20345824 44060 14690765 41918 5655059
      USER_RULE: NAT MAP PPTP to server 46124 0 0 0 0 0 0
      USER_RULE: MAP ping to router 18752 106 6416 53 3208 53 3208
      USER_RULE: IPSec 18686 0 0 0 0 0 0
      USER_RULE: IPSec 17970 0 0 0 0 0 0
      USER_RULE: OpenVPN 1108 0 0 0 0 0 0
      USER_RULE: OpenVPN 1024 0 0 0 0 0 0
      USER_RULE: NAT MAP PPTP to server 18731 13 852 8 484 5 368
      USER_RULE: NAT HTTP 798 33326 27504297 12694 1092582 20632 26411715
      USER_RULE: NAT HTTP for 103 0 0 0 0 0 0 0
      USER_RULE 37278 6343 549735 6343 549735 0 0
      USER_RULE 17076 3166123 2880067090 1522099 1252611364 1644024 1627455726
      USER_RULE 0 0 0 0 0 0 0
      USER_RULE 8742 0 0 0 0 0 0
      USER_RULE: NAT server DNS 8742 0 0 0 0 0 0
      USER_RULE: NAT server DNS 1679 2132 407063 1066 79591 1066 327472
      USER_RULE: NAT server ping 565 0 0 0 0 0 0
      USER_RULE: NAT server PPTP 563 0 0 0 0 0 0
      USER_RULE: NAT server PPTP 563 0 0 0 0 0 0
      USER_RULE: NAT server NTP 563 0 0 0 0 0 0
      USER_RULE: NAT server NTP 539 0 0 0 0 0 0
      USER_RULE: NAT VPN PPTP 7684 0 0 0 0 0 0
      USER_RULE: NAT VPN PPTP 1097 0 0 0 0 0 0
      USER_RULE: NAT FTP workstation 7684 0 0 0 0 0 0
      USER_RULE: NAT FTP PPTPclient 20 0 0 0 0 0 0
      USER_RULE: NAT HTTP workstation 7063 61942 26125169 30367 5998394 31575 20126775
      USER_RULE: NAT HTTP workstation 463 0 0 0 0 0 0
      USER_RULE: NAT HTTP PPTPclient 483 0 0 0 0 0 0
      USER_RULE: NAT HTTPS workstation 483 14719 6179101 7745 3021719 6974 3157382
      USER_RULE: NAT HTTPS PPTPclient 20 0 0 0 0 0 0
      USER_RULE: NAT ping workstation 657 25723 951751 12893 477041 12830 474710
      USER_RULE: NAT port workstation 655 0 0 0 0 0 0
      USER_RULE: NAT port workstation 16 0 0 0 0 0 0
      USER_RULE: NAT port workstation 16 0 0 0 0 0 0
      USER_RULE: NAT port workstation 16 0 0 0 0 0 0
      USER_RULE: hl 16 0 0 0 0 0 0
      USER_RULE: hl 619 0 0 0 0 0 0
      USER_RULE: ICQ 61 0 0 0 0 0 0
      USER_RULE: Muzic 16 0 0 0 0 0 0
      USER_RULE: Muzic 45 0 0 0 0 0 0
      USER_RULE 655 0 0 0 0 0 0
      USER_RULE: Test RDP 36 0 0 0 0 0 0

      TIMEOUTS:
      tcp.first                  120s
      tcp.opening                  30s
      tcp.established          86400s
      tcp.closing                900s
      tcp.finwait                  45s
      tcp.closed                  90s
      tcp.tsdiff                  30s
      udp.first                    60s
      udp.single                  30s
      udp.multiple                60s
      icmp.first                  20s
      icmp.error                  10s
      other.first                  60s
      other.single                30s
      other.multiple              60s
      frag                        30s
      interval                    10s
      adaptive.start                0 states
      adaptive.end                  0 states
      src.track                    0s

      LIMITS:
      states        hard limit    23000
      src-nodes    hard limit    23000
      frags        hard limit    5000
      tables        hard limit    3000
      table-entries hard limit  200000

      TABLES:
      VPNclients
      VPNusers
      blocklist
      bogons
      lansubnets
      server
      snort2c
      sshlockout
      virusprot
      webConfiguratorlockout
      workstation

      OS FINGERPRINTS:
      710 fingerprints loaded


        Bat72

        For the other two commands the response was this:
        $ grep rdr
        grep: (standard input): Socket is not connected

        $ grep 127.0.0.1
        grep: (standard input): Socket is not connected

        Maybe I typed something wrong?

          werter

          That is a single command.

            Bat72

            By evening I really get slow.

            $ pfctl -sa | grep rdr
            no rdr proto carp all
            rdr-anchor "relayd/*" all
            rdr-anchor "tftp-proxy/*" all
            rdr on rl0 inet proto tcp from any to 10.0.2.73 port = pptp -> 192.168.11.110
            rdr on rl0 inet proto gre from any to 10.0.2.73 -> 192.168.11.110
            rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
            rdr on rl0 inet proto tcp from any to 10.0.2.73 port = 8882 -> 192.168.11.105 port 80
            rdr-anchor "miniupnpd" all

            Bat72:

              And to the full command it responds like this:

              $ pfctl -sa | grep rdr | grep 127.0.0.1

              NegoroX:

                Your Squid either isn't running or isn't configured. It should look like this:
                $ pfctl -sa | grep rdr | grep 127.0.0.1
                rdr on sk0 inet proto tcp from any to ! (sk0) port = http -> 127.0.0.1 port 3128

                Bat72:

                  So what should I do now? Remove it and install it again, or what? Or reinstall everything from scratch, or configure it by hand instead of loading the backup? What should I do?

                  rubic:

                    Well, if the "Transparent proxy" checkbox is set in the SQUID settings but the rule is missing for some reason, you can create it by hand:
                    Firewall -> NAT -> Port Forward ->

                    Interface  Proto  Src addr  Src ports  Dest addr    Dest ports  NAT IP     NAT ports
                    LAN        TCP    *         *          LAN address  HTTP        127.0.0.1  3128

                    Though it's not certain that your SQUID is running at all. By the way, what do you have in Status -> Services?
                    In any case, none of this is normal; in your place I would reinstall everything.

                    werter:

                      To the OP:

                      One option: export the config without packages (there's a special checkbox for that). Install fresh and install only the problem package, Squid.
                      Check that it works and, if everything is OK, continue the configuration.

                      Bat72:

                        In Status -> Services both squid and squidGuard show Running..... And the same picture is on every router I have (my home network is also linked to the work one over OpenVPN).

                        Bat72:

                          I added the rule by hand; now it looks like this:
                          $ pfctl -sa | grep rdr | grep 127.0.0.1
                          rdr on fxp0 inet proto tcp from any to 192.168.11.200 port = http -> 127.0.0.1 port 3128

                          rubic:

                            My mistake, drop "LAN address"; it should be:

                            Interface  Proto  Src addr  Src ports  Dest addr  Dest ports  NAT IP     NAT ports
                            LAN        TCP    *         *          *          HTTP        127.0.0.1  3128

                            UPD: or set "Not LAN address"

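The difference between the rule Bat72 first created (destination = LAN address) and the one NegoroX showed (destination = ! (sk0)) is the whole problem in this thread: a redirect that only matches HTTP sent to the firewall's own address leaves every client's Internet HTTP untouched by Squid, so squidGuard filters nothing while Status -> Services still says Running. The script below is an added example, not code from the thread, pfSense or Squid. It takes the text of `pfctl -sa` (or `pfctl -sn`), picks out the redirects to 127.0.0.1:3128 (the Squid port used throughout the thread, assumed here), classifies each by the destination it matches, and emits the rule the thread ended with for a given interface; the sample input is constructed from rules quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or Squid): check the pf
# translation rules a pfSense transparent Squid proxy depends on, using the
# text of `pfctl -sa` (or `pfctl -sn`) as input. Squid listening on
# 127.0.0.1:3128 is assumed, as it is throughout the thread.

PROXY_TARGET='127.0.0.1 port 3128'

# Constructed sample: an ordinary port forward, the rule Bat72 got with the
# destination set to "LAN address", and the rule NegoroX showed as expected.
SAMPLE_RDR='no rdr proto carp all
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
rdr on fxp0 inet proto tcp from any to 192.168.11.200 port = http -> 127.0.0.1 port 3128
rdr on sk0 inet proto tcp from any to ! (sk0) port = http -> 127.0.0.1 port 3128'

# Print only the rdr rules that send HTTP to the local proxy (exit 0 even
# when there are none, so callers test the output rather than the status).
proxy_rdr_rules() {
    printf '%s\n' "$1" | grep '^rdr on ' | grep 'port = http' \
        | grep -- "-> $PROXY_TARGET" || true
}

# Classify one rdr rule by the destination it matches:
#   full - "to any" or "to ! (iface)": every HTTP flow leaving the LAN is
#          redirected into Squid, which is what transparent filtering needs
#   self - "to <address>" or "to (iface)": only HTTP aimed at the firewall's
#          own address is redirected; clients reach the Internet past Squid
#   none - not a redirect to the proxy at all
classify_rdr() {
    rule=$1
    case $rule in
        *"-> $PROXY_TARGET"*) ;;
        *) echo none; return 0 ;;
    esac
    # the destination is the text between " to " and " port = http"
    dest=$(printf '%s\n' "$rule" | sed -n 's/.* to \(.*\) port = http .*/\1/p')
    case $dest in
        any|'! ('*')') echo full ;;
        *) echo self ;;
    esac
}

# Verdict for a whole pfctl dump:
#   ok      - at least one full redirect exists
#   partial - only self-directed redirects exist (the thread after the
#             first hand-made rule)
#   missing - no redirect to the proxy at all (the thread at the start)
transparent_proxy_status() {
    rules=$(proxy_rdr_rules "$1")
    [ -n "$rules" ] || { echo missing; return 0; }
    if printf '%s\n' "$rules" | while IFS= read -r r; do classify_rdr "$r"; done \
        | grep -q '^full$'; then
        echo ok
    else
        echo partial
    fi
}

# The rule the thread ended with, for a given LAN interface. "! (iface)"
# excludes HTTP addressed to the firewall itself (for example a webConfigurator
# on port 80), which is what "Not LAN address" in Firewall -> NAT -> Port
# Forward produces, as rubic suggested.
transparent_proxy_rule() {
    printf 'rdr on %s inet proto tcp from any to ! (%s) port = http -> %s\n' \
        "$1" "$1" "$PROXY_TARGET"
}

# Stand-alone run: classify the sample rules and print the rule for fxp0.
proxy_rdr_rules "$SAMPLE_RDR" | while IFS= read -r r; do
    printf '%-7s %s\n' "$(classify_rdr "$r")" "$r"
done
echo "status: $(transparent_proxy_status "$SAMPLE_RDR")"
transparent_proxy_rule fxp0
```

On a real box, feed it live output with `transparent_proxy_status "$(pfctl -sn)"`. A second check from a LAN client complements it: with Squid's `via` option at its default of on, `curl -sI http://example.com | grep -i '^via:'` shows a Via header naming squid only when the redirect actually catches the flow; an empty result after the rule reports "ok" points at Squid itself rather than at pf.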
                            Bat72:

                              Hooray! Now it all seems to be working. So it was the rule after all. Now everything I want gets filtered. Many thanks to everyone.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.