Netgate Discussion Forum
    NAT and routing problems: CLOSED:SYN_SENT

    6 Posts 2 Posters 6.4k Views
    decibel83

      Hi.
      I'm having a lot of NAT/routing problems on my pfSense 2.2 installation on KVM with VirtIO interfaces.
      The hosts in the LAN can ping hosts on the WAN, but they cannot access any website on the WAN.
      They correctly resolve addresses with DNS.
      If I check the states I correctly see them, but they are all in the CLOSED:SYN_SENT and SYN_SENT:CLOSED states:

      DMZ	tcp	RemoteIP:80 <- LocalHostIP:51416	CLOSED:SYN_SENT
      WAN	tcp	LocalHostIP:18544 (192.168.110.131:51416) -> RemoteIP:80	SYN_SENT:CLOSED

      I also cannot access the hosts in the DMZ network from the VPN connections, and I have this problem on other local networks too (the LAN, for example). Please note that I can ping them from the VPN, so the problem seems to affect only TCP connections and not ICMP.

      But the very strange thing is that there are other hosts in the LAN and DMZ networks that I can connect to and that can access the WAN without any problems. There aren't any per-IP filters on the pfSense firewall for the DMZ and LAN networks.

      Could you help me to find out the problem, please?

      Thank you very much!
      Bye.

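      As an added illustration (not code from this thread or from pfSense), here is a small Python parser for state-table lines in the format shown above. It assumes pf's display convention: for "->" the left endpoint is the connection initiator, for "<-" the left endpoint is the destination and the initiator is on the right, and the two TCP states are listed in the same left:right order as the endpoints. The address in parentheses is the pre-NAT source. The sample lines are constructed from the two lines in the post above, with documentation addresses standing in for RemoteIP and LocalHostIP, plus a working host for contrast. A state that is SYN_SENT on the initiator's side and CLOSED on the other side means the firewall passed the SYN (otherwise no state would exist) but never saw a SYN/ACK come back, which points at the return path rather than at the firewall rules.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the first post: one host (.131) whose
# connections stay half-open on both interfaces, one host (.140) that works,
# and a UDP state to show that non-TCP entries are skipped.
SAMPLE_STATES = """\
DMZ\ttcp\t203.0.113.10:80 <- 192.168.110.131:51416\tCLOSED:SYN_SENT\t
WAN\ttcp\t198.51.100.5:18544 (192.168.110.131:51416) -> 203.0.113.10:80\tSYN_SENT:CLOSED
DMZ\ttcp\t203.0.113.10:80 <- 192.168.110.140:40022\tESTABLISHED:ESTABLISHED
WAN\ttcp\t198.51.100.5:22911 (192.168.110.140:40022) -> 203.0.113.10:80\tESTABLISHED:ESTABLISHED
WAN\tudp\t198.51.100.5:5353 (192.168.110.131:5353) -> 203.0.113.53:53\tSINGLE:MULTIPLE
"""

# interface, protocol, left endpoint [(pre-NAT)], arrow, right endpoint
# [(pre-NAT)], left-state:right-state; trailing whitespace tolerated.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>[^)]+)\))?\s+(?P<arrow><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>[^)]+)\))?\s+"
    r"(?P<lstate>[A-Z_]+):(?P<rstate>[A-Z_]+)\s*$"
)


def parse_state(line):
    """Parse one state-table line into initiator/responder terms.

    Returns None for lines that do not match the expected layout.
    """
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["arrow"] == "->":
        # src -> dst: the initiator is on the left
        src, dst = g["left"], g["right"]
        src_orig = g["left_orig"] or src
        src_state, dst_state = g["lstate"], g["rstate"]
    else:
        # dst <- src: the initiator is on the right
        src, dst = g["right"], g["left"]
        src_orig = g["right_orig"] or src
        src_state, dst_state = g["rstate"], g["lstate"]
    return {
        "iface": g["iface"], "proto": g["proto"],
        "src": src, "src_orig": src_orig, "dst": dst,
        "src_state": src_state, "dst_state": dst_state,
    }


def classify(state):
    """Label a parsed TCP state by how far the handshake got."""
    if state["proto"] != "tcp":
        return "non-tcp"
    s, d = state["src_state"], state["dst_state"]
    if s == "SYN_SENT" and d == "CLOSED":
        return "half-open"      # SYN passed, no SYN/ACK ever seen
    if s == "ESTABLISHED" and d == "ESTABLISHED":
        return "established"
    return "other"              # closing states, SYN/ACK in flight, etc.


def summarize(text):
    """Count half-open / established / other TCP states per initiating host.

    The pre-NAT address is used so both the inside and the WAN-side
    entries of one connection are attributed to the same host.
    """
    by_host = defaultdict(lambda: {"half-open": 0, "established": 0, "other": 0})
    for line in text.splitlines():
        st = parse_state(line)
        if st is None or st["proto"] != "tcp":
            continue
        host = st["src_orig"].rsplit(":", 1)[0]   # strip the port
        by_host[host][classify(st)] += 1
    return dict(by_host)


def suspect_hosts(text):
    """Hosts that have half-open TCP states and no established ones.

    Their SYNs are being passed (a state exists for each), yet no reply ever
    returns through the firewall: a return-path, upstream or NAT problem
    rather than a rule block, matching the symptom in the post above.
    """
    counts = summarize(text)
    return sorted(h for h, c in counts.items()
                  if c["half-open"] and not c["established"])


if __name__ == "__main__":
    for host, c in sorted(summarize(SAMPLE_STATES).items()):
        print(f"{host}: {c}")
    print("suspect hosts:", suspect_hosts(SAMPLE_STATES))
```

      Run it against the output of the Diagnostics > States page (or `pfctl -ss` on the console) with the real addresses in place of the constructed ones; a host that only ever reaches "half-open" is the one whose replies never make it back.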
      muswellhillbilly

        If some of your hosts in your LAN and DMZ are functioning correctly and others aren't then the problem is with the configuration of the non-working hosts, I should think. Have you checked the routing? Compare the default routes defined on the working hosts against the ones that aren't working and see if there's a difference. Check that the DNS settings on both working and non-working hosts match, too.

        decibel83

          @muswellhillbilly:

          If some of your hosts in your LAN and DMZ are functioning correctly and others aren't then the problem is with the configuration of the non-working hosts, I should think. Have you checked the routing? Compare the default routes defined on the working hosts against the ones that aren't working and see if there's a difference. Check that the DNS settings on both working and non-working hosts match, too.

          This is the same thing I was thinking about, but the DNS and routing configuration on the hosts is the same:

          • Default gateway: the CARP IP of pfSense on the host's network
          • Primary DNS: the IP address of the master pfSense host
          • Secondary DNS: the IP address of the slave pfSense host

          Please note that ICMP requests (ping) to external hosts work from all hosts, and the non-working hosts cannot make any TCP connections.

          muswellhillbilly

            So you can send ICMP packets to any external host from any internal host? So what kind of TCP connections are you trying to make (http, https, ftp)? And are you trying to make these connections via the hostname or directly to the target IP?

            decibel83

              @muswellhillbilly:

              So you can send ICMP packets to any external host from any internal host?

              Yes, exactly.

              So what kind of TCP connections are you trying to make (http, https, ftp)?

              HTTP connections, to port 80.

              And are you trying to make these connections via the hostname or directly to the target IP?

              Both; neither works.

              And I see the permitted connection in the pfSense firewall log, so this is not a firewall problem.
              It seems to be a post-routing problem for TCP connections.

              muswellhillbilly

                Do you have an upstream router operating as the next hop to the internet? If so, do you have administrative access to it? Assumedly you can telnet successfully from an unaffected host to a remote site (eg: "telnet www.google.com 80"). What happens when you do the same from a non-functioning host?

                Might be helpful if you could post a map/outline of your network configuration, showing the path from local LAN to DMZ to outside. Also, can you specify what server(s) are handling your DNS and - if any - your DHCP allocation? A screenshot of your NAT and firewall rules might be useful also.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.