Reachability problems via IPSEC
-
Is there some function which would prevent reachability from one site of a site-to-site VPN to the other as long as there is no initiation from the other side?
I have a strange problem: I've configured an IPsec site-to-site VPN. I configured a route from one network to the other, with a specific route 192.168.51.20/24 via 10.0.0.254 on the 10.0.0.128/25 net and 10.0.0.128/25 via 192.168.51.248.
My problem now is that when I try to reach 10.0.0.161-166 from 192.168.51.20, 10.0.0.161 is reachable all the time, as well as both VPN gateways, but from 162/3/6 I got no response at the first attempt.
Now 162/3 are working constantly, but 165/166 are still not reachable.
But as soon as I ping 166/165 from 192.168.51.248/10.0.0.254, or ping 192.168.51.20 from 10.0.0.166, it does work, but only as long as the ping is going on.
As soon as I stop the other ping, it takes one minute and the ping stops again.
Can someone give me a hint how to find out what the problem could be?
I've tried tcpdump, but I get no sensible information.
The ICMP request just starts from one side and gets no response.
At first I thought it might have something to do with both sides being VMs on a VMware basis, but then I found out that specific systems which are not VMs are behaving the same way, since 166 is a VM and 165 is physical. Here are my routes:
Host: 192.168.51.20
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
194.97.90.64 0.0.0.0 255.255.255.224 U 0 0 0 eth2
10.0.0.128 192.168.51.248 255.255.255.128 UG 0 0 0 eth1
192.168.51.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 194.97.90.94 0.0.0.0 UG 100 0 0 eth2

Host: 10.0.0.166
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 212.25.8.1 0.0.0.0 UG 2 0 0 eth0
10.0.0.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
192.168.51.0 10.0.0.254 255.255.255.0 UG 2 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.224 U 0 0 0 eth0
212.25.8.0 0.0.0.0 255.255.255.128 U 0 0 0 eth0

Route on pfSense 192.168.51.248:
default 194.97.90.94 UGS 0 35428 1500 le1
10.0.0.0/25 194.97.90.94 UGS 0 0 1500 le1
10.0.0.128/25 194.97.90.94 UGS 0 758920 1500 le1
127.0.0.1 link#5 UH 0 43 16384 lo0
192.168.51.0/32 192.168.51.248 US 0 0 1500 le0 =>
192.168.51.0/24 link#2 U 0 808815 1500 le0
192.168.51.248 link#2 UHS 0 0 16384 lo0
194.97.90.64/27 link#3 U 0 0 1500 le1
194.97.90.69 link#3 UHS 0 0 16384 lo0
195.30.94.149 194.97.90.94 UGHS 0 4090 1500 le1
212.25.8.11 194.97.90.94 UGHS 0 738079 1500 le1

Route on pfSense 10.0.0.254:
default 212.25.8.1 UGS 0 153229 1500 le1
10.0.0.128/25 10.0.0.254 US 0 4867740 1500 le0
10.0.0.254 link#2 UHS 0 292843 16384 lo0
127.0.0.1 link#6 UH 0 581 16384 lo0
192.168.51.0/24 10.0.0.254 US 0 2599693 1500 le0
194.97.90.69 212.25.8.1 UGHS 0 2637625 1500 le1
212.25.8.0/25 link#3 U 0 138065 1500 le1
212.25.8.11 link#3 UHS 0 0 16384 lo0

I've configured an "any" to "any" firewall rule for each pfSense interface and box,
just to be sure it's no firewall thing. I hope someone can help me find this problem.
Thank you in advance.

Here is some more information:
pfSense on the 192.168.51.0/24 side:
pfctl -s all
TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on le1 inet from 10.0.0.0/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
nat on le1 inet from 192.168.51.0 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
nat on le1 inet from 10.0.0.0/25 to any -> 194.97.90.69 port 1024:65535
nat on le1 inet from 10.0.0.128/25 to any -> 194.97.90.69 port 1024:65535
nat on le1 inet from 192.168.51.0 to any -> 194.97.90.69 port 1024:65535
nat on le1 inet from 192.168.51.0/24 to any -> 194.97.90.69 port 1024:65535
nat on le1 inet from 127.0.0.0/8 to any -> 194.97.90.69 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr-anchor "miniupnpd" all

FILTER RULES:
scrub on le0 all fragment reassemble
scrub on le1 all fragment reassemble
anchor "relayd/" all
anchor "openvpn/" all
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port = 0 to any
block drop quick inet proto tcp from any to any port = 0
block drop quick inet proto udp from any port = 0 to any
block drop quick inet proto udp from any to any port = 0
block drop quick inet6 proto tcp from any port = 0 to any
block drop quick inet6 proto tcp from any to any port = 0
block drop quick inet6 proto udp from any port = 0 to any
block drop quick inet6 proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in on ! le0 inet from 192.168.51.0/24 to any
block drop in inet from 192.168.51.248 to any
block drop in on ! le1 inet from 194.97.90.64/27 to any
block drop in inet from 194.97.90.69 to any
block drop in on le0 inet6 from fe80::250:56ff:fe97:4d8c to any
block drop in on le1 inet6 from fe80::250:56ff:fe97:5e2a to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (le1 194.97.90.94) inet from 194.97.90.69 to ! 194.97.90.64/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
anchor "userrules/" all
pass in quick on le1 reply-to (le1 194.97.90.94) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
pass in log quick on le0 inet from 192.168.51.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp"
pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp"
pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t"
pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t"
pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 212.25.8.11 keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto"
pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 212.25.8.11 to any keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto"
pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = isakmp keep state label "IPsec: Office FGN Munich - outbound isakmp"
pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = isakmp keep state label "IPsec: Office FGN Munich - inbound isakmp"
pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = sae-urn keep state label "IPsec: Office FGN Munich - outbound nat-t"
pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = sae-urn keep state label "IPsec: Office FGN Munich - inbound nat-t"
pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 195.30.94.149 keep state label "IPsec: Office FGN Munich - outbound esp proto"
pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 195.30.94.149 to any keep state label "IPsec: Office FGN Munich - inbound esp proto"
anchor "tftp-proxy/" all
No queue in use

STATES:
all icmp 194.97.90.69:65334 -> 212.25.8.2 0:0
all icmp 192.168.51.248:65334 -> 192.168.51.12 0:0
all udp 194.97.90.69:500 -> 212.25.8.11:500 MULTIPLE:MULTIPLE
all esp 194.97.90.69 <- 212.25.8.11 MULTIPLE:MULTIPLE
all tcp 192.168.51.16:57603 <- 10.0.0.130:55420 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.130:55420 -> 192.168.51.16:57603 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.130:65119 <- 192.168.51.16:50661 ESTABLISHED:ESTABLISHED
all tcp 192.168.51.16:50661 -> 10.0.0.130:65119 ESTABLISHED:ESTABLISHED
all udp 194.97.90.69:500 -> 195.30.94.149:500 MULTIPLE:MULTIPLE
all tcp 192.168.51.16:8443 <- 10.0.0.130:61331 FIN_WAIT_2:ESTABLISHED
all tcp 10.0.0.130:61331 -> 192.168.51.16:8443 ESTABLISHED:FIN_WAIT_2
all tcp 192.168.51.20:10051 <- 10.0.0.254:22576 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:22576 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.51.20:10051 <- 10.0.0.254:48475 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:48475 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.51.20:10051 <- 10.0.0.254:30376 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:30376 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.51.20:10051 <- 10.0.0.254:22875 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:22875 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.51.20:10051 <- 10.0.0.254:6412 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:6412 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.130:61383 -> 192.168.51.15:9084 SYN_SENT:CLOSED
all tcp 192.168.51.20:10051 <- 10.0.0.254:4796 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:4796 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.51.248:44 <- 192.168.51.20:55212 ESTABLISHED:ESTABLISHED
all tcp 192.168.51.20:10051 <- 10.0.0.254:27192 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:27192 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.51.15:9084 <- 10.0.0.130:61397 CLOSED:SYN_SENT
all tcp 10.0.0.130:61397 -> 192.168.51.15:9084 SYN_SENT:CLOSED
all udp 192.168.51.255:138 <- 192.168.51.149:138 NO_TRAFFIC:SINGLE

INFO:
Status: Enabled for 1 days 13:54:06 Debug: Urgent
Interface Stats for le0 IPv4 IPv6
Bytes In 614602893 4032
Bytes Out 201370476 292
Packets In
Passed 3017844 56
Blocked 2576 0
Packets Out
Passed 3102562 4
Blocked 0 0

State Table Total Rate
current entries 30
searches 17825509 130.6/s
inserts 978951 7.2/s
removals 978921 7.2/s
Counters
match 981606 7.2/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 4 0.0/s
proto-cksum 8 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
divert 0 0.0/s

LABEL COUNTERS:
Default deny rule IPv4 581824 1572 227481 1572 227481 0 0
Default deny rule IPv4 580462 0 0 0 0 0 0
Default deny rule IPv6 581824 0 0 0 0 0 0
Default deny rule IPv6 290262 0 0 0 0 0 0
Block snort2c hosts 580462 0 0 0 0 0 0
Block snort2c hosts 580462 0 0 0 0 0 0
sshlockout 580462 0 0 0 0 0 0
webConfiguratorlockout 284694 0 0 0 0 0 0
virusprot overload table 291562 0 0 0 0 0 0
pass IPv4 loopback 291562 0 0 0 0 0 0
pass IPv4 loopback 288900 0 0 0 0 0 0
pass IPv6 loopback 0 0 0 0 0 0 0
pass IPv6 loopback 0 0 0 0 0 0 0
let out anything IPv4 from firewall host itself 580462 468378 291462249 226730 270976461 241648 20485788
let out anything IPv6 from firewall host itself 288900 0 0 0 0 0 0
let out anything from firewall host itself 288900 336 25536 168 12768 168 12768
IPsec internal host to host 288900 2767605 162093472 1375851 80128734 1391754 81964738
anti-lockout rule 580462 0 0 0 0 0 0
anti-lockout rule 3 633 81468 219 15035 414 66433
USER_RULE: Allow all on VM WAN 580461 1253 210217 1148 116626 105 93591
USER_RULE: Default LAN -> any 579423 2769913 162655791 1394063 82527141 1375850 80128650
USER_RULE 290017 468378 291462249 241648 20485788 226730 270976461
IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp 290472 0 0 0 0 0 0
IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp 209 0 0 0 0 0 0
IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t 172 0 0 0 0 0 0
IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t 172 0 0 0 0 0 0
IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto 492 0 0 0 0 0 0
IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto 320 0 0 0 0 0 0
IPsec: Office FGN Munich - outbound isakmp 492 14842 1801228 7417 892976 7425 908252
IPsec: Office FGN Munich - inbound isakmp 209 0 0 0 0 0 0
IPsec: Office FGN Munich - outbound nat-t 172 0 0 0 0 0 0
IPsec: Office FGN Munich - inbound nat-t 168 0 0 0 0 0 0
IPsec: Office FGN Munich - outbound esp proto 492 1126 171152 0 0 1126 171152
IPsec: Office FGN Munich - inbound esp proto 320 0 0 0 0 0 0

TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 5400 states
adaptive.end 10800 states
src.track 0s

LIMITS:
states hard limit 9000
src-nodes hard limit 9000
frags hard limit 5000
tables hard limit 3000
table-entries hard limit 200000

TABLES:
snort2c
sshlockout
virusprot
webConfiguratorlockout

OS FINGERPRINTS:
700 fingerprints loaded

pfSense on the 10.0.0.128/25 side:
pfctl -s all
TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
nat on le1 inet from 192.168.51.0/24 to any -> 212.25.8.11 port 1024:65535
nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
nat on le1 inet from 127.0.0.0/8 to any -> 212.25.8.11 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr-anchor "miniupnpd" all

FILTER RULES:
scrub on le0 all fragment reassemble
scrub on le1 all fragment reassemble
anchor "relayd/" all
anchor "openvpn/" all
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port = 0 to any
block drop quick inet proto tcp from any to any port = 0
block drop quick inet proto udp from any port = 0 to any
block drop quick inet proto udp from any to any port = 0
block drop quick inet6 proto tcp from any port = 0 to any
block drop quick inet6 proto tcp from any to any port = 0
block drop quick inet6 proto udp from any port = 0 to any
block drop quick inet6 proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in on ! le0 inet from 10.0.0.128/25 to any
block drop in inet from 10.0.0.254 to any
block drop in on ! le1 inet from 212.25.8.0/25 to any
block drop in inet from 212.25.8.11 to any
block drop in on le0 inet6 from fe80::20c:29ff:fe3c:4258 to any
block drop in on le1 inet6 from fe80::20c:29ff:fe3c:4262 to any
pass in quick on le1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on le1 inet proto udp from any port = bootpc to 212.25.8.11 port = bootps keep state label "allow access to DHCP server"
pass out quick on le1 inet proto udp from 212.25.8.11 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (le1 212.25.8.1) inet from 212.25.8.11 to ! 212.25.8.0/25 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
anchor "userrules/" all
pass in log quick on le1 reply-to (le1 212.25.8.1) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
pass in log quick on le0 inet from 10.0.0.128/25 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp"
pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp"
pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t"
pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t"
pass out on le1 route-to (le1 212.25.8.1) inet proto esp from any to 194.97.90.69 keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto"
pass in on le1 reply-to (le1 212.25.8.1) inet proto esp from 194.97.90.69 to any keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto"
anchor "tftp-proxy/" all
No queue in use

STATES:
all icmp 10.0.0.254:28658 <- 10.0.0.253 0:0
all icmp 10.0.0.254:50354 <- 10.0.0.252 0:0
all carp 224.0.0.18 <- 212.25.8.26 NO_TRAFFIC:SINGLE
all icmp 212.25.8.11:48441 -> 212.25.8.1 0:0
all icmp 10.0.0.254:48441 -> 10.0.0.254 0:0
all udp 212.25.8.11:500 <- 194.97.90.69:500 MULTIPLE:MULTIPLE
all tcp 212.25.8.11:44 <- 195.30.94.149:29036 ESTABLISHED:ESTABLISHED
all tcp 212.25.8.11:44 <- 195.30.94.149:30734 ESTABLISHED:ESTABLISHED
all esp 212.25.8.11 -> 194.97.90.69 MULTIPLE:MULTIPLE
all tcp 192.168.51.16:57603 <- 10.0.0.130:55420 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.130:55420 -> 192.168.51.16:57603 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.130:65119 <- 192.168.51.16:50661 ESTABLISHED:ESTABLISHED
all tcp 192.168.51.16:50661 -> 10.0.0.130:65119 ESTABLISHED:ESTABLISHED
all tcp 192.168.51.16:8443 <- 10.0.0.130:61186 TIME_WAIT:TIME_WAIT
all tcp 10.0.0.130:61186 -> 192.168.51.16:8443 TIME_WAIT:TIME_WAIT
all tcp 10.0.0.254:51664 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:32911 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 212.25.8.11:44 <- 195.30.94.149:52536 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.254:31106 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.51.15:9084 <- 10.0.0.130:61306 CLOSED:SYN_SENT
all tcp 10.0.0.254:14321 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:19233 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:10051 <- 10.0.0.129:55623 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:38917 -> 192.168.51.20:10051 FIN_WAIT_2:FIN_WAIT_2
all igmp 224.0.0.1 <- 212.25.3.137 NO_TRAFFIC:SINGLE
all pfsync 10.0.0.252 <- 10.0.0.253 SINGLE:MULTIPLE
all pfsync 10.0.0.253 -> 10.0.0.252 MULTIPLE:SINGLE
all tcp 10.0.0.254:45545 -> 192.168.51.20:10051 ESTABLISHED:ESTABLISHED

INFO:
Status: Enabled for 2 days 18:33:13 Debug: Urgent
Interface Stats for le0 IPv4 IPv6
Bytes In 400694979 398592
Bytes Out 615563169 256
Packets In
Passed 6346568 1180
Blocked 1960 3832
Packets Out
Passed 8598800 3
Blocked 270 0

State Table Total Rate
current entries 28
searches 37303419 155.7/s
inserts 1665570 7.0/s
removals 1665542 7.0/s
Counters
match 1675756 7.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 3838 0.0/s
proto-cksum 21 0.0/s
state-mismatch 6 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
divert 0 0.0/s

LABEL COUNTERS:
Default deny rule IPv4 1013104 55 2464 55 2464 0 0
Default deny rule IPv4 1006863 0 0 0 0 0 0
Default deny rule IPv6 1013104 5575 401400 5575 401400 0 0
Default deny rule IPv6 513470 0 0 0 0 0 0
Block snort2c hosts 1012438 0 0 0 0 0 0
Block snort2c hosts 1012438 0 0 0 0 0 0
sshlockout 1012438 0 0 0 0 0 0
webConfiguratorlockout 484573 0 0 0 0 0 0
virusprot overload table 505209 0 0 0 0 0 0
allow access to DHCP server 22308 0 0 0 0 0 0
allow access to DHCP server 194 388 176190 194 111744 194 64446
allow access to DHCP server 514896 0 0 0 0 0 0
pass IPv4 loopback 1008899 22059 1317735 11610 682668 10449 635067
pass IPv4 loopback 2322 0 0 0 0 0 0
pass IPv6 loopback 5667 0 0 0 0 0 0
pass IPv6 loopback 1161 0 0 0 0 0 0
let out anything IPv4 from firewall host itself 1012244 7232351 487832654 2400612 147667655 4831739 340164999
let out anything IPv6 from firewall host itself 507229 0 0 0 0 0 0
let out anything from firewall host itself 507229 8642 796952 4244 443326 4398 353626
IPsec internal host to host 507229 795805 495094348 384978 459432413 410827 35661935
anti-lockout rule 1012244 0 0 0 0 0 0
anti-lockout rule 2309 0 0 0 0 0 0
USER_RULE: Allow all on VM WAN 1012244 37420 17180593 18024 1765745 19396 15414848
USER_RULE: Default LAN -> any 990970 154652 30724591 62193 16620611 92459 14103980
USER_RULE 499094 4802251 290029335 2420598 144153657 2381653 145875678
IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp 508445 0 0 0 0 0 0
IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp 8409 0 0 0 0 0 0
IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t 8357 0 0 0 0 0 0
IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t 8357 0 0 0 0 0 0
IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto 8409 0 0 0 0 0 0
IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto 52 0 0 0 0 0 0

TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s

LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 3000
table-entries hard limit 200000

TABLES:
snort2c
sshlockout
virusprot
webConfiguratorlockout

OS FINGERPRINTS:
700 fingerprints loaded

Traceroutes from 10.0.0.165 and 10.0.0.166 to 192.168.51.20:
traceroute 192.168.51.20
traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
1 10.0.0.165 (10.0.0.165) 3009.797 ms !H 3009.797 ms !H 3009.795 ms !H

traceroute 192.168.51.20
traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
1 10.0.0.166 (10.0.0.166) 3018.811 ms !H 3018.809 ms !H 3018.806 ms !H
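As an added illustration (not the poster's code or output), the script below reads the `route -n` table and the traceroute the post shows for 10.0.0.166, re-typed here as constructed sample input, and tells a local delivery failure apart from one further along the path. A hop-1 `!H` answered by the probing host's own address means the host's kernel returned host-unreachable before the packet ever left; on Linux that is what traceroute prints when neighbour (ARP) resolution of the next hop times out, which is why the script resolves the destination to the route's gateway and points at that address.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input constructed from the `route -n` table and the traceroute the
# thread shows for host 10.0.0.166 (same values, re-typed as test data).
ROUTE_N_10_0_0_166 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         212.25.8.1      0.0.0.0         UG    2      0        0 eth0
10.0.0.128      0.0.0.0         255.255.255.128 U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
192.168.51.0    10.0.0.254      255.255.255.0   UG    2      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.224 U     0      0        0 eth0
212.25.8.0      0.0.0.0         255.255.255.128 U     0      0        0 eth0
"""

TRACEROUTE_10_0_0_166 = """\
traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
 1  10.0.0.166 (10.0.0.166)  3018.811 ms !H  3018.809 ms !H  3018.806 ms !H
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Parse Linux `route -n` output; the two header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(network, gateway, iface))
    return routes


def next_hop(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does it (metric ignored)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


# hop number, responder name, responder IP in parentheses, then the probe results
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)\s+(.*)$")


def first_hop_failure(trace: str) -> Optional[Tuple[int, str, List[str]]]:
    """Return (hop, responder, annotations) for the first hop that carries a
    '!X' annotation such as !H (host unreachable) or !N (network unreachable)."""
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, responder, rest = m.groups()
        flags = sorted(set(re.findall(r"!(\w+)", rest)))
        if flags:
            return int(hop), responder, flags
    return None


def diagnose(probing_host: str, route_text: str, trace_text: str, dst: str) -> str:
    """Tell a local delivery failure apart from a failure further along the path."""
    fail = first_hop_failure(trace_text)
    if fail is None:
        return "no unreachable annotation in trace"
    hop, responder, flags = fail
    if not (hop == 1 and responder == probing_host and "H" in flags):
        return f"remote: hop {hop} ({responder}) answered !{'/'.join(flags)}"
    # The probing host's own kernel gave up before the packet left: on Linux
    # this is what traceroute prints when next-hop ARP resolution times out.
    route = next_hop(parse_route_n(route_text), dst)
    if route is None:
        return f"local: no route to {dst} on {probing_host}"
    target = str(route.gateway) if route.gateway else f"{dst} (directly connected)"
    return (f"local: {probing_host} could not deliver to {dst}; route uses "
            f"{target} on {route.iface}, so check ARP resolution of {target} there")


if __name__ == "__main__":
    print(diagnose("10.0.0.166", ROUTE_N_10_0_0_166, TRACEROUTE_10_0_0_166, "192.168.51.20"))
```

On the real hosts the same check is `ip neigh show 10.0.0.254` on 10.0.0.165/166 while the ping is failing and again while the far side is pinging; an entry that only exists in the second case is consistent with the "works while the other ping is running" behaviour described above.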