pfsense 2.4.4 Rel.2 checksum error / after reboot fine for 20 sec
-
ok - needs some more help, i believe to figured the problem. i have multiple WAN Interfaces. To get the right gateway i add different rules in. might be the problem resides there
-
Just based on the time it takes it's almost certainly some state timeout.
If you have policy based rules on in the source interface for WAN failover you would need have a rule above that to reach the other interface(s) without being policy routed.
It's possible that rule did not apply before the WANs come up at boot so some traffic was initially allowed.
Steve
-
ok, so lets get this streight: the docs mentioned that:
On Firewall > Rules, visit the tab for the internal interface to be used with the gateway group, either edit the existing pass rules and add the gateway setting, choosing the desired gateway, or add a new rule to match only certain traffic to direct into the gateway group. Remember that rules are processed from the top down, and once a rule is matched, processing stops.
So in order from the DMZ i would add a rule which states
SOURCE: VLAN_DMZ => DEST: !RFC_NETWORK => GW: GW1
ath the INTERNAL NET I would do a different rule, since i want to make sure INTERNAL Outbound traffic goes to GW3
SOURCE: INTERNAL => DEST: !RFC_NETWORK => GW: GW3
all of them i would add as first rule? since yet, i had them as last rule.
But still i get this state:
LAN tcp 192.168.11.62:60664 -> 192.168.13.17:443 CLOSED:SYN_SENT 2 / 0 104 B / 0 B VLAN_DMZ tcp 192.168.11.62:60664 -> 192.168.13.17:443 SYN_SENT:CLOSED 2 / 0 104 B / 0 B
and no connection :/
-
Yes, those rules should not catch that traffic as long as the RFC_NETWORK alias has been set correctly.
That just looks like 192.168.13.17 is not responding. 2 packets to it going over both intefaces, 0 packets back.
Steve
-
so i have set up this properly but why is this not working for the port 443? I adedd haproxy tcp mode to the wan interface.
WAN => 443 => HAPROXY (tcp/ssl mode) => tcp rule to matching ssl name to the specified server
since i addes this i am not able to communicate back to the desired server over the port 443. If i add SSH Port to the tcp mode function to the haproxy i believe i will not get the SSH back to live on a internal net.
This drive me crazy and no solution nor failures to find.
-
Wait you have HAProxy in there running on those ports?
If you disable HAProxy does it all work as expected?
Steve
-
Nope, HAProx runs on External IF (igb0/igb3) and catches from there at 443 to internal server. igb5/6 are standalone.
-
Right that's what it's configured to do but you just said:
since i addes this i am not able to communicate back to the desired server over the port 443.
So before you added HAProxy it was working?
Steve
-
yes thats what i am saying, but i dont know if this belongs together. Before i addedd the haproxy into play (fresh install) i was able to browse internally to the dedicated https port. So i would assume, something is broken within haproxy while its redericting ....
-
@fgro79
Sorry for late reply, but anyhow.I suspect if you disable the haproxy transparent-client-ip feature on the backend your troubles of reaching the webserver directly are gone. That feature comes with a warning message for a reason..
-
i noticed, sorry i can not update my configs yet since the i am facing the issue described in here
So i need to wait until i can modify or downgrade the system to safely remove the transparent-client-ip feature. I was going to use this feature for internal smtp server to forward the original IP.