Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Rsync issue

    Scheduled Pinned Locked Moved
    2.4 Development Snapshots
    3
    7
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dcol Banned
      last edited by

      Hi,
      Ever since I started using 2.4, I can no longer rsync from my remote to local NAS and I am getting TCP:SA errors in my firewall log whenever my NAS tries to connect via rsync on port 873. This works with PFsense 2.3 but not 2.4. Is there any other info I can provide to help find this issue?

      I am also seeing a lot more TCP: FPA, FA, and PA errors then I saw with 2.3.
      I have the Optimization set to Conservative.

      Please help!

      1 Reply Last reply Reply Quote 0
      • D
        dcol Banned
        last edited by

        Here is the packet capture (Altered dest IP for security reasons).
        This was generated from a test connection from the remote NAS to the local NAS. The local NAS is at 192.168.10.2

        08:36:33.156062 00:1f:33:ea:b9:f9 > 00:1b:21:a6:87:5b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
            192.168.10.2.873 > 50.78.x.x.47338: Flags [S.], cksum 0xd405 (correct), seq 2834994782, ack 1854161852, win 26844, options [mss 8960,sackOK,TS val 2408329979 ecr 2090835,nop,wscale 7], length 0
        08:36:34.209839 00:1f:33:ea:b9:f9 > 00:1b:21:a6:87:5b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
            192.168.10.2.873 > 50.78.x.x.47339: Flags [S.], cksum 0xffdb (correct), seq 916138330, ack 1603961082, win 26844, options [mss 8960,sackOK,TS val 2408331032 ecr 2123886,nop,wscale 7], length 0
        08:36:35.209033 00:1f:33:ea:b9:f9 > 00:1b:21:a6:87:5b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
            192.168.10.2.873 > 50.78.x.x.47339: Flags [S.], cksum 0xfbf3 (correct), seq 916138330, ack 1603961082, win 26844, options [mss 8960,sackOK,TS val 2408332032 ecr 2123886,nop,wscale 7], length 0
        08:36:35.211728 00:1f:33:ea:b9:f9 > 00:1b:21:a6:87:5b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
            192.168.10.2.873 > 50.78.x.x.47339: Flags [S.], cksum 0xfbf1 (correct), seq 916138330, ack 1603961082, win 26844, options [mss 8960,sackOK,TS val 2408332034 ecr 2123886,nop,wscale 7], length 0
        08:36:37.211055 00:1f:33:ea:b9:f9 > 00:1b:21:a6:87:5b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
            192.168.10.2.873 > 50.78.x.x.47339: Flags [S.], cksum 0xf421 (correct), seq 916138330, ack 1603961082, win 26844, options [mss 8960,sackOK,TS val 2408334034 ecr 2123886,nop,wscale 7], length 0
        08:36:41.211054 00:1f:33:ea:b9:f9 > 00:1b:21:a6:87:5b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
            192.168.10.2.873 > 50.78.x.x.47339: Flags [S.], cksum 0xe481 (correct), seq 916138330, ack 1603961082, win 26844, options [mss 8960,sackOK,TS val 2408338034 ecr 2123886,nop,wscale 7], length 0

        And here is the firewall log from this packet capture

        2016-11-29_8-43-31.jpg
        2016-11-29_8-43-31.jpg_thumb

        1 Reply Last reply Reply Quote 0
        • D
          dcol Banned
          last edited by

          More info

          In the rules.debug file, this rule is listed as

          antispoof log for $NAS tracker 1000004720

          Where NAS is the local NAS @ 192.168.10.2
          I do not block bogon or private networks

          So does PFsense think that my remote NAS is spoofing my local NAS? How do I fix this or is this a bug?

          1 Reply Last reply Reply Quote 0
          • D
            dcol Banned
            last edited by

            Anyone? Should I report this in bug tracker?

            Take a look at this firewall log and you will see a sample of the activity I am constantly seeing.

            Protocol.jpg
            Protocol.jpg_thumb

            1 Reply Last reply Reply Quote 0
            • D
              dcol Banned
              last edited by

              Anyone? Just point me in the direction of a setting or hardware. Already changed the 4 port igb NIC card. Maybe this system is just too fast.

              Legit Incoming or outgoing TCP connections get an RA, FA, or PA before it eventually goes through. This has to be slowing down the network.
              What makes this even stranger is it does stop for a short while, then will flood the logs again with thousands of hits. This is all with traffic that should not be blocked.

              Something is not right here. Possible the internal Optimization settings are not Conservative enough maybe?

              1 Reply Last reply Reply Quote 0
              • A
                athurdent
                last edited by

                Your Firewall log looks odd, you would get something like this when "keep state" is not enabled. What does your Portforwading and inbound rule look like? And what do the corresponding rules in /tmp/rules.debug look like?

                1 Reply Last reply Reply Quote 0
                • P
                  PiBa
                  last edited by

                  Or perhaps asynchronous routing.? There should be packet trying to make a connection before the [S.] packet.. Why don't we see that one? How is it routed 'around' pfSense?

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post