Netgate Discussion Forum
    Firewall block

    Firewalling
    2 Posts 2 Posters 2.9k Views

    jbeunel

      Hello,
      I have a network 10.33.206.0/24 and a Cisco router at 10.33.206.1.
      I want to add a pfSense in this network with only one interface (WAN) with the IP 10.33.206.44 (the pfSense FW has the gateway 10.33.206.1), and I don't want to use other IPs outside this range.
      I changed the gateway on the computers from 10.33.206.1 to 10.33.206.44 and it works fine.
      Computers can go on the internet and can reach the servers…

      Now I want to enable the pfSense firewall (it was disabled before).
      I have one rule: IPv4* * * * * * none
      I can ping my servers and I can go on the internet, but with strange problems.
      My problems are:
      If I try a speed test on the internet, the download test works but the upload test doesn't.
      When I go on the internet, pages are slow.
      If I go on an RDP server I can't click and I can't use the keyboard.
      Skype disconnects every 10 seconds.
      My Outlook works, then stops working....

      If I disable the firewall (pfctl -d) everything works fine.
      If I enable it again there are many problems.

      My firewall rule allows everything, so I don't understand why I have this strange problem.
      Can you help me please?

      Regards

      Packet trace:
      18:38:53.913054 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 1460
      18:38:56.441500 IP 10.33.206.7.36907 > 10.33.252.61.3389: tcp 1460
      18:38:58.713348 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 1460
      18:38:59.115946 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
      18:38:59.116027 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
      18:38:59.537607 IP 10.33.206.7.36907 > 10.33.252.61.3389: tcp 0
      18:38:59.537694 IP 10.33.206.7.36907 > 10.33.252.61.3389: tcp 0
      18:39:04.765285 IP 10.33.206.7.36907 > 10.33.252.61.3389: tcp 1460
      18:39:08.311851 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
      18:39:08.311975 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
      18:39:08.336953 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
      18:39:08.337033 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
      18:39:08.378651 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 0
      18:39:08.378713 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 0
      18:39:08.403546 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 0
      18:39:08.403634 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 0
      18:39:08.404122 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 47
      18:39:08.404181 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 47
      18:39:08.435766 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 163
      18:39:08.435850 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 163
      18:39:08.464089 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 326
      18:39:08.464168 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 326
      18:39:08.496523 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 85
      18:39:08.496586 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 85


      [2.1.3-RELEASE][admin@pfSense.localdomain]/root(2): pfctl -sa
      TRANSLATION RULES:
      no nat proto carp all
      nat-anchor "natearly/*" all
      nat-anchor "natrules/*" all
      nat on em0 inet from 10.33.0.0/24 port = isakmp to any port = isakmp -> 10.33.206.44 port 500
      nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 10.33.206.44 port 500
      nat on em0 inet from 10.33.0.0/24 to any -> 10.33.206.44 port 1024:65535
      nat on em0 inet from 127.0.0.0/8 to any -> 10.33.206.44 port 1024:65535
      no rdr proto carp all
      rdr-anchor "relayd/*" all
      rdr-anchor "tftp-proxy/*" all
      rdr-anchor "miniupnpd" all

      FILTER RULES:
      scrub on em0 all fragment reassemble
      anchor "relayd/*" all
      anchor "openvpn/*" all
      anchor "ipsec/*" all
      block drop in log inet all label "Default deny rule IPv4"
      block drop out log inet all label "Default deny rule IPv4"
      block drop in log inet6 all label "Default deny rule IPv6"
      block drop out log inet6 all label "Default deny rule IPv6"
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      block drop quick inet proto tcp from any port = 0 to any
      block drop quick inet proto tcp from any to any port = 0
      block drop quick inet proto udp from any port = 0 to any
      block drop quick inet proto udp from any to any port = 0
      block drop quick inet6 proto tcp from any port = 0 to any
      block drop quick inet6 proto tcp from any to any port = 0
      block drop quick inet6 proto udp from any port = 0 to any
      block drop quick inet6 proto udp from any to any port = 0
      block drop quick from <snort2c> to any label "Block snort2c hosts"
      block drop quick from any to <snort2c> label "Block snort2c hosts"
      block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
      block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = http label "webConfiguratorlockout"
      block drop in quick from <virusprot> to any label "virusprot overload table"
      block drop in on ! em0 inet from 10.33.206.0/24 to any
      block drop in inet from 10.33.206.44 to any
      block drop in on em0 inet6 from fe80::a00:27ff:fef5:7fe4 to any
      pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      pass out route-to (em0 10.33.206.1) inet from 10.33.206.44 to ! 10.33.206.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state label "anti-lockout rule"
      anchor "userrules/*" all
      pass in log quick on em0 inet from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
      pass in log quick on em0 route-to (em0 10.33.206.1) inet all flags S/SA keep state label "USER_RULE"
      anchor "tftp-proxy/*" all
      No queue in use

      STATES:
      em0 icmp 10.33.206.44:57130 -> 10.33.206.1      0:0
      em0 tcp 10.33.206.44:22 <- 10.33.206.7:37205      ESTABLISHED:ESTABLISHED
      em0 udp 10.33.252.70:137 <- 10.33.206.7:137      NO_TRAFFIC:SINGLE
      em0 tcp 10.33.206.44:80 <- 10.33.206.7:37225      FIN_WAIT_2:FIN_WAIT_2
      em0 udp 10.33.252.70:53 <- 10.33.206.7:59587      NO_TRAFFIC:SINGLE
      em0 udp 10.33.252.70:53 <- 10.33.206.7:61506      NO_TRAFFIC:SINGLE
      em0 udp 10.33.252.70:53 <- 10.33.206.7:58050      NO_TRAFFIC:SINGLE
      em0 udp 10.33.252.70:53 <- 10.33.206.7:55338      NO_TRAFFIC:SINGLE
      em0 tcp 10.33.252.68:80 <- 10.33.206.7:37231      CLOSED:SYN_SENT
      lo0 udp 127.0.0.1:36412 -> 127.0.0.1:53      MULTIPLE:SINGLE
      lo0 udp 127.0.0.1:53 <- 127.0.0.1:36412      SINGLE:MULTIPLE
      lo0 udp 127.0.0.1:33084 -> 127.0.0.1:53      MULTIPLE:SINGLE
      lo0 udp 127.0.0.1:53 <- 127.0.0.1:33084      SINGLE:MULTIPLE
      lo0 udp 127.0.0.1:13503 -> 127.0.0.1:53      MULTIPLE:SINGLE
      lo0 udp 127.0.0.1:53 <- 127.0.0.1:13503      SINGLE:MULTIPLE
      em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37232      TIME_WAIT:TIME_WAIT
      em0 tcp 10.33.18.13:58664 <- 10.33.206.7:37233      TIME_WAIT:TIME_WAIT
      em0 tcp 10.33.17.14:55208 <- 10.33.206.7:37234      TIME_WAIT:TIME_WAIT
      em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37235      CLOSED:SYN_SENT
      em0 tcp 10.33.18.13:58664 <- 10.33.206.7:37236      TIME_WAIT:TIME_WAIT
      em0 tcp 10.33.17.14:55208 <- 10.33.206.7:37237      TIME_WAIT:TIME_WAIT
      em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37238      TIME_WAIT:TIME_WAIT
      em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37239      TIME_WAIT:TIME_WAIT
      em0 tcp 10.33.252.68:80 <- 10.33.206.7:37240      CLOSED:SYN_SENT
      em0 tcp 10.33.252.68:80 <- 10.33.206.7:37241      CLOSED:SYN_SENT
      em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37242      CLOSED:CLOSING
      em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37243      CLOSED:SYN_SENT
      em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37244      CLOSED:CLOSING
      em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37245      CLOSED:SYN_SENT
      em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37246      TIME_WAIT:TIME_WAIT
      em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37247      CLOSED:CLOSING
      em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37248      CLOSED:SYN_SENT
      em0 icmp 10.33.252.70:1 <- 10.33.206.7      0:0
      em0 tcp 10.33.252.70:3389 <- 10.33.206.7:37249      CLOSED:SYN_SENT
      em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37250      CLOSED:SYN_SENT
      em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37251      TIME_WAIT:TIME_WAIT
      em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37252      TIME_WAIT:TIME_WAIT

      INFO:
      Status: Enabled for 0 days 00:02:07          Debug: Urgent

      Interface Stats for em0              IPv4            IPv6
        Bytes In                        9512583                0
        Bytes Out                        615880              292
        Packets In
          Passed                          18993                0
          Blocked                          2872                0
        Packets Out
          Passed                            1487                4
          Blocked                              0                0

      State Table                          Total            Rate
        current entries                      37
        searches                          23660          186.3/s
        inserts                              791            6.2/s
        removals                            754            5.9/s
      Counters
        match                              2476          19.5/s
        bad-offset                            0            0.0/s
        fragment                              0            0.0/s
        short                                  0            0.0/s
        normalize                              0            0.0/s
        memory                                0            0.0/s
        bad-timestamp                          0            0.0/s
        congestion                            0            0.0/s
        ip-option                              0            0.0/s
        proto-cksum                            0            0.0/s
        state-mismatch                      1187            9.3/s
        state-insert                          0            0.0/s
        state-limit                            0            0.0/s
        src-limit                              0            0.0/s
        synproxy                              0            0.0/s
        divert                                0            0.0/s

      LABEL COUNTERS:
      Default deny rule IPv4 2458 1685 604669 1685 604669 0 0
      Default deny rule IPv4 2458 0 0 0 0 0 0
      Default deny rule IPv6 2458 0 0 0 0 0 0
      Default deny rule IPv6 77 0 0 0 0 0 0
      Block snort2c hosts 2458 0 0 0 0 0 0
      Block snort2c hosts 2458 0 0 0 0 0 0
      sshlockout 2458 0 0 0 0 0 0
      webConfiguratorlockout 2174 0 0 0 0 0 0
      virusprot overload table 2381 0 0 0 0 0 0
      pass IPv4 loopback 2381 152 10312 76 5156 76 5156
      pass IPv4 loopback 153 0 0 0 0 0 0
      pass IPv6 loopback 152 0 0 0 0 0 0
      pass IPv6 loopback 76 0 0 0 0 0 0
      let out anything IPv4 from firewall host itself 2458 402 26312 201 13156 201 13156
      let out anything IPv6 from firewall host itself 77 0 0 0 0 0 0
      let out anything from firewall host itself 77 0 0 0 0 0 0
      anti-lockout rule 2458 816 570292 311 40533 505 529759
      NEGATE_ROUTE: Negate policy routing for destination 2448 0 0 0 0 0 0
      USER_RULE 2295 18044 7976191 17768 7931650 276 44541

      TIMEOUTS:
      tcp.first                  120s
      tcp.opening                  30s
      tcp.established          86400s
      tcp.closing                900s
      tcp.finwait                  45s
      tcp.closed                  90s
      tcp.tsdiff                  30s
      udp.first                    60s
      udp.single                  30s
      udp.multiple                60s
      icmp.first                  20s
      icmp.error                  10s
      other.first                  60s
      other.single                30s
      other.multiple              60s
      frag                        30s
      interval                    10s
      adaptive.start                0 states
      adaptive.end                  0 states
      src.track                    0s

      LIMITS:
      states        hard limit    23000
      src-nodes    hard limit    23000
      frags        hard limit    5000
      tables        hard limit    3000
      table-entries hard limit  200000

      TABLES:
      bogons
      negate_networks
      snort2c
      sshlockout
      virusprot
      webConfiguratorlockout

      OS FINGERPRINTS:
      710 fingerprints loaded

    Przemyslaw85
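      An added example (not code from the post or from pfSense): a small Python parser over `pfctl -sa` output that flags the pattern visible in the dump above, many TCP states stuck in CLOSED:SYN_SENT (pf recorded the client's SYN but never saw the server's SYN/ACK) next to a state-mismatch counter that is a large fraction of the match counter. That is what pf reports when only one direction of a flow crosses the firewall, as happens with a one-armed box whose upstream router can reply to the clients directly. The sample text is constructed from lines in the dump above, and the 25% and 10% thresholds are assumptions.

```python
import re

# Constructed excerpt in the format of `pfctl -sa` (STATES and INFO sections).
SAMPLE = """\
STATES:
em0 tcp 10.33.206.44:22 <- 10.33.206.7:37205      ESTABLISHED:ESTABLISHED
em0 tcp 10.33.252.68:80 <- 10.33.206.7:37231      CLOSED:SYN_SENT
em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37248      CLOSED:SYN_SENT
em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37251      TIME_WAIT:TIME_WAIT
em0 udp 10.33.252.70:53 <- 10.33.206.7:59587      NO_TRAFFIC:SINGLE

INFO:
Counters
  match                              2476          19.5/s
  state-mismatch                      1187            9.3/s
"""

# iface proto left (<- | -> | <->) right state
STATE_RE = re.compile(r"^(\S+)\s+(tcp|udp|icmp)\s+(\S+)\s+(<-|->|<->)\s+(\S+)\s+(\S+)$")

def parse_states(text):
    """Return (iface, proto, left, direction, right, state) tuples from the STATES section."""
    states, in_states = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and line.isupper():   # section header such as STATES: or INFO:
            in_states = line == "STATES:"
            continue
        m = STATE_RE.match(line) if in_states else None
        if m:
            states.append(m.groups())
    return states

def counter(text, name):
    """Read one Counters line (e.g. state-mismatch) from the INFO section; 0 if absent."""
    m = re.search(r"^\s*%s\s+(\d+)" % re.escape(name), text, re.M)
    return int(m.group(1)) if m else 0

def half_open_tcp(states):
    """TCP states where pf tracked only the client side of the handshake."""
    return [s for s in states if s[1] == "tcp" and s[5] == "CLOSED:SYN_SENT"]

def diagnose(text):
    states = parse_states(text)
    tcp = [s for s in states if s[1] == "tcp"]
    half = half_open_tcp(states)
    matches, mismatches = counter(text, "match"), counter(text, "state-mismatch")
    ratio = len(half) / len(tcp) if tcp else 0.0
    # Assumed thresholds: a quarter of TCP states half-open, or mismatches over 10% of matches.
    asymmetric = bool(ratio >= 0.25 or (matches and mismatches / matches > 0.10))
    return {"tcp_states": len(tcp), "half_open": len(half), "state_mismatch": mismatches,
            "asymmetric": asymmetric,
            "peers": sorted({s[2].rsplit(":", 1)[0] for s in half})}
```

Feed it the full `pfctl -sa` text; the `peers` list names the servers whose replies never reached pf, which is where to look at the return route.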

        Why do you need the Cisco on the same network? Better change 10.33.206.1 to 10.33.205.1 and connect the Cisco to the WAN port of the pfSense server.

        My pfSense box with HA:
        Master: HP DL360G8 1x E5-2670, 64GB ECC RAM, 8x NIC (17x VLan)
        Slave: HP DL360G5, 2x E5410, 64GB ECC RAM, 6x NIC (17x VLan)

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.