    [SOLVED] pfSense does not respond to external ping, but the GUI is reachable normally

    • marcelloc

      Run a tcpdump on the WAN to see whether the packets are reaching the firewall or "dying" at the modem.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

      • marceloengecom

        @marcelloc:

        Run a tcpdump on the WAN to see whether the packets are reaching the firewall or "dying" at the modem.

        Marcello,

        I'm not sure I did it right, but here is the output of the command "tcpdump -ni xn1":

        [z2.3.4-RELEASE][root@firewall01.vmobc.local]/root: tcpdump -ni xn1
        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
        listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
        00:40:15.688413 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 2950743782:2950743990, ack 486137981, win 510, length 208
        00:40:15.708188 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 208, win 258, length 0
        00:40:15.814611 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45737, length 8
        00:40:15.815397 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45737, length 8
        00:40:16.327611 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45738, length 8
        00:40:16.328217 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45738, length 8
        00:40:16.687735 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 208:784, ack 1, win 510, length 576
        00:40:16.687764 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 784:944, ack 1, win 510, length 160
        00:40:16.709023 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 944, win 260, length 0
        00:40:16.829613 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45739, length 8
        00:40:16.830415 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45739, length 8
        00:40:17.025468 IP 192.168.25.2.47961 > 209.126.116.207.443: Flags [.], seq 1621939828:1621939829, ack 3670700958, win 259, length 1
        00:40:17.202875 IP 209.126.116.207.443 > 192.168.25.2.47961: Flags [.], ack 1, win 260, options [nop,nop,sack 1 {0:1}], length 0
        00:40:17.341614 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45740, length 8
        00:40:17.342445 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45740, length 8
        00:40:17.687695 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 944:1520, ack 1, win 510, length 576
        00:40:17.687725 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 1520:2032, ack 1, win 510, length 512
        00:40:17.710450 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 2032, win 256, length 0
        00:40:17.843612 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45741, length 8
        00:40:17.844443 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45741, length 8
        00:40:18.344620 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45742, length 8
        00:40:18.345242 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45742, length 8
        00:40:18.687682 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 2032:2704, ack 1, win 510, length 672
        00:40:18.687710 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 2704:2864, ack 1, win 510, length 160
        00:40:18.709276 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 2864, win 260, length 0
        00:40:18.817275 IP 209.126.116.207.443 > 192.168.25.2.24296: Flags [.], ack 3973120016, win 268, length 0
        00:40:18.817790 IP 192.168.25.2.24296 > 209.126.116.207.443: Flags [.], ack 1, win 260, length 0
        00:40:18.846609 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45743, length 8
        00:40:18.847260 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45743, length 8
        00:40:19.348610 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45744, length 8
        00:40:19.349306 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45744, length 8
        00:40:19.687663 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 2864:3248, ack 1, win 510, length 384
        00:40:19.687693 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 3248:3808, ack 1, win 510, length 560
        00:40:19.687702 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 3808:3968, ack 1, win 510, length 160
        00:40:19.710523 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 3808, win 257, length 0
        00:40:19.776504 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 3968, win 256, length 0
        00:40:19.849981 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45745, length 8
        00:40:19.850502 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45745, length 8
        00:40:20.350612 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45746, length 8
        00:40:20.351308 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45746, length 8
        00:40:20.687683 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 3968:4576, ack 1, win 510, length 608
        00:40:20.687712 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 4576:5024, ack 1, win 510, length 448
        00:40:20.711335 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 5024, win 260, length 0
        00:40:20.851608 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45747, length 8
        00:40:20.852130 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45747, length 8
        00:40:21.352613 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45748, length 8
        00:40:21.353363 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45748, length 8
        ^C
        47 packets captured
        54 packets received by filter
        0 packets dropped by kernel
        
        

        xn1 is my WAN interface.
        The dynamic address 177.18.45.124 belongs to my workstation, which is connected remotely, via SSH, to the pfSense.

        Attached is an image showing my VPN connection (port 2400). From what I could tell, the connection passes through the modem but then fails to complete.

        Thank you very much for the help!

        tcpdump_vpn.png

        Marcelo Costa

        phone: (51) 3022.5100
        e-mail: marcelo@comdesk.com.br
        web-site: www.comdesk.com.br

        • marcelloc

          Your tcpdump shows no external ping request to your WAN; only the ping from the fw to the gw appears.

          The OpenVPN communication starts but does not finish. Have you looked at the OpenVPN logs on the fw, to see whether changing the encryption or generating a new client key solves the problem?

          • marceloengecom

            Marcello,

            Here is another tcpdump, this time with my client machine sending a ping request:

            [2.3.4-RELEASE][root@firewall01.vmobc.local]/root: tcpdump -ni xn1
            tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
            listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
            04:13:46.838325 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1378918515:1378918723, ack 2856631673, win 510, length 208
            04:13:47.035726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9821, length 8
            04:13:47.036467 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9821, length 8
            04:13:47.537726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9822, length 8
            04:13:47.538460 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9822, length 8
            04:13:47.727692 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [P.], seq 218978248:218978316, ack 3734709880, win 134, options [nop,nop,TS val 92376245 ecr 249941110], length 68
            04:13:47.837829 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 208:784, ack 1, win 510, length 576
            04:13:47.837857 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 784:1024, ack 1, win 510, length 240
            04:13:48.038909 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9823, length 8
            04:13:48.039732 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9823, length 8
            04:13:48.136932 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [P.], seq 4294967233:1, ack 4294967232, win 260, length 64
            04:13:48.136967 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [.], ack 1, win 510, length 0
            04:13:48.388526 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [.], ack 68, win 182, options [nop,nop,TS val 249943782 ecr 92376245], length 0
            04:13:48.539728 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9824, length 8
            04:13:48.540519 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9824, length 8
            04:13:48.572891 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 208, win 259, length 0
            04:13:48.837803 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1024:1728, ack 1, win 510, length 704
            04:13:48.837833 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1728:2224, ack 1, win 510, length 496
            04:13:48.888706 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [P.], seq 1:85, ack 68, win 182, options [nop,nop,TS val 249944282 ecr 92376245], length 84
            04:13:48.888805 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [.], ack 85, win 134, options [nop,nop,TS val 92376535 ecr 249944282], length 0
            04:13:49.040728 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9825, length 8
            04:13:49.041361 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9825, length 8
            04:13:49.420973 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 1024, win 256, length 0
            04:13:49.545734 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9826, length 8
            04:13:49.546559 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9826, length 8
            04:13:49.837807 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 2224:2912, ack 1, win 510, length 688
            04:13:49.837837 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 2912:3360, ack 1, win 510, length 448
            04:13:50.014793 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 2224, win 260, length 0
            04:13:50.024175 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [P.], seq 1:97, ack 2224, win 260, length 96
            04:13:50.024198 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [.], ack 97, win 509, length 0
            04:13:50.024257 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 3360:3408, ack 97, win 510, length 48
            04:13:50.030752 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [P.], seq 97:161, ack 2224, win 260, length 64
            04:13:50.030761 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [.], ack 161, win 509, length 0
            04:13:50.046827 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9827, length 8
            04:13:50.047587 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9827, length 8
            04:13:50.547730 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9828, length 8
            04:13:50.548324 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9828, length 8
            04:13:50.837787 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 3408:4016, ack 161, win 510, length 608
            04:13:50.837818 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 4016:4784, ack 161, win 510, length 768
            04:13:50.979620 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [P.], seq 68:136, ack 85, win 134, options [nop,nop,TS val 92377058 ecr 249944282], length 68
            04:13:51.015768 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [P.], seq 1:161, ack 2224, win 260, length 160
            04:13:51.015793 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [.], ack 161, win 510, length 0
            04:13:51.048727 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9829, length 8
            04:13:51.049183 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9829, length 8
            04:13:51.531593 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 3360, win 256, length 0
            04:13:51.550720 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9830, length 8
            04:13:51.551181 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9830, length 8
            04:13:51.599583 IP 209.126.116.207.443 > 192.168.25.2.47961: Flags [.], ack 1621939829, win 260, length 0
            04:13:51.600015 IP 192.168.25.2.47961 > 209.126.116.207.443: Flags [.], ack 1, win 259, length 0
            04:13:51.603573 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [.], ack 136, win 182, options [nop,nop,TS val 249946996 ecr 92377058], length 0
            04:13:51.837782 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 4784:5344, ack 161, win 510, length 560
            04:13:51.837813 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 5344:5984, ack 161, win 510, length 640
            04:13:51.837823 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 5984:6400, ack 161, win 510, length 416
            04:13:51.903215 IP 209.126.116.207.443 > 192.168.25.2.24296: Flags [.], ack 3973120016, win 268, length 0
            04:13:51.903746 IP 192.168.25.2.24296 > 209.126.116.207.443: Flags [.], ack 1, win 260, length 0
            04:13:52.051726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9831, length 8
            04:13:52.052412 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9831, length 8
            04:13:52.104995 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [P.], seq 85:169, ack 136, win 182, options [nop,nop,TS val 249947498 ecr 92377058], length 84
            04:13:52.105112 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [.], ack 169, win 134, options [nop,nop,TS val 92377339 ecr 249947498], length 0
            04:13:52.183989 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 3408, win 256, length 0
            04:13:52.553730 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9832, length 8
            04:13:52.554440 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9832, length 8
            04:13:52.803283 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 4784, win 260, length 0
            04:13:52.837801 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 6400:6816, ack 161, win 510, length 416
            04:13:52.837833 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 6816:7968, ack 161, win 510, length 1152
            04:13:52.950148 IP 192.168.25.2.26747 > 200.189.40.8.123: NTPv4, Client, length 48
            04:13:52.978439 IP 200.189.40.8.123 > 192.168.25.2.26747: NTPv4, Server, length 48
            04:13:53.054761 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9833, length 8
            04:13:53.055276 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9833, length 8
            04:13:53.556735 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9834, length 8
            04:13:53.557278 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9834, length 8
            04:13:53.750134 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [P.], seq 136:220, ack 169, win 134, options [nop,nop,TS val 92377750 ecr 249947498], length 84
            04:13:53.750285 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [F.], seq 220, ack 169, win 134, options [nop,nop,TS val 92377750 ecr 249947498], length 0
            04:13:53.837814 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 7968:8256, ack 161, win 510, length 288
            04:13:53.838588 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 8256:8576, ack 161, win 510, length 320
            04:13:53.838618 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 8576:9088, ack 161, win 510, length 512
            04:13:53.838631 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 9088:9296, ack 161, win 510, length 208
            04:13:54.014506 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 5984, win 256, length 0
            04:13:54.058732 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9835, length 8
            04:13:54.059304 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9835, length 8
            04:13:54.089660 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 6400, win 260, length 0
            04:13:54.367359 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [.], ack 220, win 182, options [nop,nop,TS val 249949759 ecr 92377750], length 0
            04:13:54.408506 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [.], ack 221, win 182, options [nop,nop,TS val 249949800 ecr 92377750], length 0
            04:13:54.560731 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9836, length 8
            04:13:54.561302 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9836, length 8
            04:13:54.725675 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 7968, win 260, length 0
            04:13:54.837809 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 9296:10016, ack 161, win 510, length 720
            04:13:54.837828 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 10016:10848, ack 161, win 510, length 832
            04:13:54.867339 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [P.], seq 169:221, ack 221, win 182, options [nop,nop,TS val 249950260 ecr 92377750], length 52
            04:13:54.867352 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [F.], seq 221, ack 221, win 182, options [nop,nop,TS val 249950260 ecr 92377750], length 0
            04:13:54.867463 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [R], seq 218978469, win 0, length 0
            04:13:54.867469 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [R], seq 218978469, win 0, length 0
            04:13:55.062533 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9837, length 8
            04:13:55.063338 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9837, length 8
            04:13:55.093329 IP 192.168.25.2.47961 > 209.126.116.207.443: Flags [.], seq 0:1, ack 1, win 259, length 1
            04:13:55.270536 IP 209.126.116.207.443 > 192.168.25.2.47961: Flags [.], ack 1, win 260, options [nop,nop,sack 1 {0:1}], length 0
            04:13:55.371332 IP 218.87.109.150.63312 > 192.168.25.2.22: Flags [s], seq 2833360625, win 14600, options [mss 1452,sackOK,TS val 249950761 ecr 0,nop,wscale 7], length 0
            04:13:55.371479 IP 192.168.25.2.22 > 218.87.109.150.63312: Flags [S.], seq 40262607, ack 2833360626, win 14480, options [mss 1460,sackOK,TS val 92378156 ecr 249950761,nop,wscale 7], length 0
            04:13:55.562726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9838, length 8
            04:13:55.563333 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9838, length 8
            04:13:55.747766 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 8576, win 258, length 0
            04:13:55.752563 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 9296, win 255, length 0
            ^C
            102 packets captured
            108 packets received by filter
            0 packets dropped by kernel
            
            The client machine's dynamic IP is now: 177.18.191.148

            As for OpenVPN, I have already made several changes to the encryption and nothing worked. And I believe it is correct, because in another very similar environment it works properly.

            • andrezaomac

              @marceloengecom:

              Hello friends,

              This is my second pfSense installation in a XenServer VM and both are working perfectly, with just one detail. One of them does not allow the OpenVPN connection, and both have the same configuration.

              Looking for a solution to the problem, I ran an external ping test and the pfSense is not found. Note that I can reach it on port 443 and also on its SSH port, and I can also reach, from outside, other computers on the network that are configured in NAT.

              So I believe something is blocking the pfSense, but I cannot find it.

              Some images follow below.

              Dashboard image:

              The firewall message regarding the WAN port is:

              The rule that triggered this action is:

              @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

              Firewall / Rules / WAN:

              About your ping rule: on my servers I normally leave external ping disabled, but when I need it I create this rule.
              Your rule is different; try making it the same as mine.
              See the image below.
              https://www.dropbox.com/s/3bpoo0j5disip5u/pingexterno.PNG?dl=0

              About the question of ping and the VPN working:
                If you use a server-to-server VPN, ping has no influence.
                If you use a VPN accessed through applications such as OpenVPN, it really does have an influence; at least in the tests I did, when ping is disabled OpenVPN does not connect.

              Linux/Windows server consulting.
              contato@andrenetwork.com.br

              Technologist in Computer Networks.
              Bachelor in Information Systems.

              http://www.andrenetwork.com.br

              Limeira - SP

              • marcelloc

                @marceloengecom:

                [2.3.4-RELEASE][root@firewall01.vmobc.local]/root: tcpdump -ni xn1
                tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
                04:13:46.838325 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1378918515:1378918723, ack 2856631673, win 510, length 208
                04:13:47.035726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9821, length 8
                04:13:47.036467 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9821, length 8
                04:13:47.537726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9822, length 8
                04:13:47.538460 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9822, length 8
                04:13:48.038909 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9823, length 8
                04:13:48.039732 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9823, length 8
                04:13:48.539728 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9824, length 8
                04:13:48.540519 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9824, length 8
                04:13:49.040728 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9825, length 8
                04:13:49.041361 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9825, length 8
                04:13:49.545734 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9826, length 8
                04:13:49.546559 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9826, length 8
                04:13:50.046827 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9827, length 8
                04:13:50.047587 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9827, length 8
                04:13:50.547730 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9828, length 8
                04:13:50.548324 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9828, length 8
                04:13:51.048727 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9829, length 8
                04:13:51.049183 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9829, length 8
                04:13:51.550720 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9830, length 8
                04:13:51.551181 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9830, length 8
                04:13:52.051726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9831, length 8
                04:13:52.052412 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9831, length 8
                04:13:52.553730 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9832, length 8
                04:13:52.554440 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9832, length 8
                04:13:53.054761 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9833, length 8
                04:13:53.055276 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9833, length 8
                04:13:53.556735 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9834, length 8
                04:13:53.557278 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9834, length 8
                04:13:54.058732 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9835, length 8
                04:13:54.059304 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9835, length 8
                04:13:54.560731 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9836, length 8
                04:13:54.561302 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9836, length 8
                04:13:55.062533 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9837, length 8
                04:13:55.063338 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9837, length 8
                04:13:55.562726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9838, length 8
                04:13:55.563333 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9838, length 8
                
                

                I did not find any record of your external ping in this log either, only the gateway test between it and the fw.

                Look at the OpenVPN logs tab and see whether any more information shows up.

                • marceloengecom

                  @andrezaomac:

                  About your ping rule: on my servers I normally leave external ping disabled, but when I need it I create this rule.
                  Your rule is different; try making it the same as mine.
                  See the image below.
                  https://www.dropbox.com/s/3bpoo0j5disip5u/pingexterno.PNG?dl=0

                  About the question of ping and the VPN working:
                    If you use a server-to-server VPN, ping has no influence.
                    If you use a VPN accessed through applications such as OpenVPN, it really does have an influence; at least in the tests I did, when ping is disabled OpenVPN does not connect.

                  Hi André,

                  Thanks for trying to help!

                  I have already added that rule for ping, but it did not work either. And I am indeed using the OpenVPN software for a "Remote Access" type connection.

                  pfsense_icmp.jpg

                  • marcelloc

                    The tcpdump shows that the ping packets are not reaching the firewall. The rule will only take effect when the packet arrives at the WAN on the fw.

                    • marceloengecom

                      @marcelloc:

                      The tcpdump shows that the ping packets are not reaching the firewall. The rule will only take effect when the packet arrives at the WAN on the fw.

                      Hi Marcello,

                      I have never used tcpdump, but it seems to me that at some moments the WAN port (192.168.25.2) answers the ICMP request coming from the modem (192.168.25.1).

                      04:13:54.561302 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9836, length 8
                      04:13:55.062533 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9837, length 8

                      • marcelloc

                        @marceloengecom:

                        I have never used tcpdump, but it seems to me that at some moments the WAN port (192.168.25.2) answers the ICMP request coming from the modem (192.168.25.1).

                        Actually it is the opposite: the reply is the response to the ping request generated on the firewall to find out whether the gateway is up and reachable.

                        What should appear there is your external client IP as the source of the request and the firewall IP as the destination of that same request.

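The check marcelloc describes above (an echo request with the external client as source and the firewall's WAN address as destination) can be run over saved `tcpdump -n` text. This is an added example, not part of the original thread; the function names, the verdict strings and the 203.0.113.10 client address are assumptions, and only the first sample reuses lines from the capture posted here.

```python
import re
from collections import namedtuple

# Layout of an ICMP echo line in "tcpdump -n" text output, as in the captures above.
ICMP_LINE = re.compile(
    r"^\s*(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+(?:\.\d+){3}) > "
    r"(?P<dst>\d+(?:\.\d+){3}): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

Echo = namedtuple("Echo", "ts src dst kind ident seq")


def parse_icmp(capture_text):
    """Return the ICMP echo packets in the capture; TCP/UDP and banner lines are skipped."""
    packets = []
    for line in capture_text.splitlines():
        m = ICMP_LINE.match(line)
        if m:
            packets.append(Echo(m["ts"], m["src"], m["dst"], m["kind"],
                                int(m["id"]), int(m["seq"])))
    return packets


def diagnose(capture_text, wan_ip, gateway_ip):
    """Classify the echo traffic seen on the WAN interface."""
    packets = parse_icmp(capture_text)

    # Requests the firewall itself sends to its gateway (gateway monitoring).
    monitor = [p for p in packets
               if p.kind == "request" and p.src == wan_ip and p.dst == gateway_ip]

    # Requests addressed to the WAN IP from anything other than the gateway:
    # this is what an external ping looks like once it gets past the modem.
    external = [p for p in packets
                if p.kind == "request" and p.dst == wan_ip and p.src != gateway_ip]

    # Replies sent by the firewall, keyed so they can be matched to a request.
    replied = {(p.dst, p.ident, p.seq) for p in packets
               if p.kind == "reply" and p.src == wan_ip}
    answered = [p for p in external if (p.src, p.ident, p.seq) in replied]

    if not external:
        verdict = "not_reaching_wan"         # dropped upstream; WAN rules never see it
    elif not answered:
        verdict = "reaching_wan_unanswered"  # arrives; check the WAN rules and logs
    else:
        verdict = "answered"
    return {
        "gateway_monitor_requests": len(monitor),
        "external_requests": len(external),
        "external_answered": len(answered),
        "verdict": verdict,
    }


WAN_IP, GATEWAY_IP = "192.168.25.2", "192.168.25.1"

# Lines taken from the capture posted in the thread.
THREAD_CAPTURE = """\
04:13:46.838325 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1378918515:1378918723, ack 2856631673, win 510, length 208
04:13:47.035726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9821, length 8
04:13:47.036467 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9821, length 8
04:13:47.537726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9822, length 8
04:13:47.538460 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9822, length 8
"""

# Constructed sample: the external ping reaches the WAN but gets no reply.
CONSTRUCTED_UNANSWERED = """\
05:00:00.100000 IP 203.0.113.10 > 192.168.25.2: ICMP echo request, id 7, seq 1, length 64
05:00:00.500000 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 1, length 8
05:00:00.500700 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 1, length 8
05:00:01.100000 IP 203.0.113.10 > 192.168.25.2: ICMP echo request, id 7, seq 2, length 64
"""

# Constructed sample: the external ping reaches the WAN and is answered.
CONSTRUCTED_ANSWERED = """\
05:10:00.100000 IP 203.0.113.10 > 192.168.25.2: ICMP echo request, id 7, seq 1, length 64
05:10:00.100200 IP 192.168.25.2 > 203.0.113.10: ICMP echo reply, id 7, seq 1, length 64
"""

if __name__ == "__main__":
    for name, text in [("thread", THREAD_CAPTURE),
                       ("unanswered", CONSTRUCTED_UNANSWERED),
                       ("answered", CONSTRUCTED_ANSWERED)]:
        print(name, diagnose(text, WAN_IP, GATEWAY_IP))
```

On a live capture, `tcpdump -ni xn1 icmp` limits the output to ICMP so the SSH and VPN lines do not bury the echo traffic.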
                        • M
                          marceloengecom
                          last edited by

                          So it is the modem that is blocking the ping!!! Strange that it lets other ports through.

                          I am using the Pace v5471 modem, supplied by VIVO and unlocked with the Tripleoxygen firmware (OXY-42006).

                          Marcelo Costa

                          phone: (51) 3022.5100
                          e-mail: marcelo@comdesk.com.br
                          web-site: www.comdesk.com.br

                          1 Reply Last reply Reply Quote 0
                          • danilosv.03D
                            danilosv.03
                            last edited by

                            Do you have a public IP for this kind of work?


                            :)
                            |E-mail: danilosv.03@gmail.com
                            |Skype: danilosv.03


                            1 Reply Last reply Reply Quote 0
                            • M
                              marceloengecom
                              last edited by

                              @danilosv.03:

                              Do you have a public IP for this kind of work?

                              I use a Dynamic DNS service that is fully functional. The service is configured directly on pfSense.

                              Marcelo Costa

                              phone: (51) 3022.5100
                              e-mail: marcelo@comdesk.com.br
                              web-site: www.comdesk.com.br

                              1 Reply Last reply Reply Quote 0
                              • M
                                marceloengecom
                                last edited by

                                Problem solved…

                                I checked the OpenVPN logs and they showed the following errors:

                                187.113.211.72:58035 TLS Error: TLS handshake failed
                                Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 TLS Error: TLS object -> incoming plaintext read error
                                Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 TLS_ERROR: BIO read tls_read_plaintext error
                                Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                                Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 VERIFY SCRIPT ERROR: depth=0, C=BR, ST=<estado>, L=<cidade>, O=<organização>, emailAddress=<email>, CN= <nome-comum>
                                Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1

                                What I did then was disable the deep checking of the certificate.

                                In VPN / OpenVPN / Servers / Edit:
                                In the "Certificate Depth" field, set "Do Not Check"

                                That procedure alone was enough and the VPN connection worked.

                                Another important detail is that it still did not ping, due to the modem's restriction (Pace v5471, supplied by GVT). Although it does not seem to interfere with the services allowed on pfSense, I looked for information on how to allow remote ping so that I could monitor the internet connectivity.

                                Enabling ping on the WAN port of the Pace v5471 modem:

                                Connect to the modem via SSH
                                User: admin
                                Password: gvt12345

                                Commands:

                                cli

                                set WANConnectionDevice_1_Firewall_AllowRemotePing 1
                                fcommit
                                exit
                                reboot

                                Thanks to everyone on the forum for the help!

                                Regards,

                                Marcelo Costa

                                phone: (51) 3022.5100
                                e-mail: marcelo@comdesk.com.br
                                web-site: www.comdesk.com.br

                                1 Reply Last reply Reply Quote 0
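An added triage helper, not part of the original post, for OpenVPN server log lines in the format quoted above: for each peer it reports the most specific failing stage, so a `--tls-verify script` rejection is identified as such before any verification setting is relaxed. The sample lines are constructed from the thread's format with documentation addresses, and the stage names are labels chosen for this example.

```python
import re

# Most specific stage first; the generic "TLS Error" lines are only symptoms.
STAGES = [
    ("tls-verify script", re.compile(r"--tls-verify script|VERIFY SCRIPT ERROR")),
    ("certificate verification", re.compile(r"VERIFY ERROR")),
    ("openssl", re.compile(r"OpenSSL: error:")),
    ("tls", re.compile(r"TLS Error|TLS_ERROR")),
]
# Peer is "addr:port", either at line start or after "openvpn <pid> ".
PEER = re.compile(r"(?:^|openvpn \d+ )(\S+:\d+) ")
DEPTH = re.compile(r"VERIFY SCRIPT ERROR: depth=(\d+)")

def triage(lines):
    """Return {peer: (stage, depth)}; depth is None unless the log gives one."""
    seen = {}
    for line in lines:
        peer = PEER.search(line)
        if not peer:
            continue
        entry = seen.setdefault(peer.group(1), {"rank": len(STAGES), "depth": None})
        for rank, (_, pattern) in enumerate(STAGES):
            if pattern.search(line):
                entry["rank"] = min(entry["rank"], rank)
                break
        depth = DEPTH.search(line)
        if depth:
            entry["depth"] = int(depth.group(1))
    return {
        peer: (STAGES[e["rank"]][0], e["depth"])
        for peer, e in seen.items() if e["rank"] < len(STAGES)
    }

# Constructed sample: one peer rejected by the verify script, one plain timeout.
SAMPLE = [
    "198.51.100.7:58035 TLS Error: TLS handshake failed",
    "Jun 1 14:12:03 openvpn 23410 198.51.100.7:58035 TLS Error: TLS object -> incoming plaintext read error",
    "Jun 1 14:12:03 openvpn 23410 198.51.100.7:58035 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned",
    "Jun 1 14:12:03 openvpn 23410 198.51.100.7:58035 VERIFY SCRIPT ERROR: depth=0, C=BR, CN=client-example",
    "Jun 1 14:12:03 openvpn 23410 198.51.100.7:58035 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1",
    "Jun 1 14:15:40 openvpn 23410 198.51.100.9:40112 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Jun 1 14:15:40 openvpn 23410 198.51.100.9:40112 TLS Error: TLS handshake failed",
]

if __name__ == "__main__":
    for peer, (stage, depth) in triage(SAMPLE).items():
        print(peer, stage, depth)
```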
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.