PFSense [RST, ACK] packet when accessing a site
-
Hello Everyone, Good day.
I have a problem with my production pfsense box when accessing this particular site:
https://corporate.metrobankdirect.com/I have tried accessing this site using both ISP but still cant access the site, the browser says "PR_CONNECT_RESET_ERROR". So I tried running wireshark on my laptop with the Ethernet cable directly connected to PFsense's LAN Port.
Here's the result:
corporate.metrobankdirect.com resolves to 107.162.134.203
When my laptop is directly connected to the ISP modem\router, the page loads. my setup is like this
This is the capture file:https://drive.google.com/open?id=123YCCao4mvyEq8JoMDRocXYBr9Hs4tJj
Hoping someone can enlighten me on how to resolve this issue.
Thank you. -
Are you running behind a proxy like squid? Which packages, if any, do you have installed? It works fine for me both with and without squid.
-
If the site sends you RST not much pfsense can do about that.. If your running through proxy - could be detecting that and blocking you.
-
Are you load-balancing those ISPs? I haven't seen it for a while but some older sites use to reject connections from multiple IPs when you do that. I used to maintain a list of IPs to policy route directly to to avoid that.
But it looks like the site ACKs your hello and then your client doesn't send anything for 4s.Steve
-
@KOM said in PFSense [RST, ACK] packet when accessing a site:
Are you running behind a proxy like squid? Which packages, if any, do you have installed? It works fine for me both with and without squid.
No, I'm not running behind a proxy. These are the packages installed on my system:
-
@stephenw10 I only have two ISPs. I have set it up to only failover using gateway groups.
-
Correction on my post, I still cant access the site when directly connected to ISP modem. Even without NAT, my laptop uses public IP, I still cant access the site. I may have to contact the site's network admin.
-
Ah, Ok. That would be hard to solve in pfSense then!
-
Hey guys,
i have a freenas jail with weewx listening on port 8000. it sits on the server vlan.
the weather station client sits on the client vlan.i am seeing the same thing when i capture from pfsense.
if i connect the weather station to a ubuntu server on the same vlan, i do not have this problem. However, in this case the client (wifi) is connected to a managed switch so would bypass pfsense.
In other words, i can't rule out pfsense nor clearly the freenas server/jail.
given freenas and pfsense are both freebsd, can you give me some direction on how i can ensure it is not the freenas jail or pfsense causing this please.
-
What exactly are you seeing?
The server sends RST?
Most likely it's configured not to accept connections from outside it's subnet.
Steve
-
@stephenw10 captured on pfsense, the RST, ACK is marked red.
22 2.968670 WH2900C WEEWX TCP 58 20150 → 8080 [SYN] Seq=0 Win=5840 Len=0 MSS=1460
23 2.969709 WEEWX WH2900C TCP 54 8080 → 20150 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0]I have ping to each other from each system. both lie in different VLANs
-
Right, it's refusing the connection. Nothing to do with pfSense which is routing it correctly.
Since it's sending a RST rather then just dropping the traffic it's probably a server config issue but it could be a local firewall on the server.
Steve
-
@stephenw10 i am not so strong with freebsd. can you offer some advice on commands that could help in identifying the cause pls
-
You will need check whatever you have WeeWX running on. The server config there is the first place I would look.
Could be something in FreeNAS rejecting it.To prove it you could add an outbound NAT rule in pfSense so traffic appears to be coming from the same subnet. If you can then access it you know it's a server side problem.
Steve
-
-
If SRV_Address is the interface address on the VLAN where the server is.
You need an outbound NAT rule not a port forward.
Steve
-
When you see a RST internally, its almost always going to be the OS of the device your trying to talk to. A firewall like pfsense, normally would never send a RST.. Unless you have a real specific rule setup to "reject" Which you really would rarely want on wan side. Internally such rules can be useful..
There some special use cases for reject on wan. If you want it to answer for traceroute for example is one that comes to mind. But normally a RST means you talked to OS, or OS firewall.. Since normally a firewall between you and your end device wouldn't send RST for traffic it doesn't allow. Default is normally to just drop traffic that is not allowed.
-
@stephenw10 so check "do not NAT"? like below?
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description Actions VLAN_2_INTERN 192.168.2.5/32 8000 192.168.4.7/32 8000 NO NAT * TEST WEEWX Rule -
@johnpoz thanks to you and steve for the clarification. freenas is freebsd.
how can i establish what on the box is causing it?
e.g. ip tables, etc?can you offer some commands i could use to validate pls
-
No what stephenw10 is talking about is a source nat to get around rules that might stop traffic to a device, where the traffic is from another network.
server is on vlanX 192.168.1.100 for example, and you want to talk to it from device on vlanY 192.168.2.200 for example.
If 1.100 does not allow access to its services, because of firewall, or lack of gateway for example. You can do a outbound, or source nat to trick the 1.100 device to think the traffic came from pfsense IP in vlanX, say 192.168.1.1
This is outbound nat, set on the vlanX interface to set the source of the traffic to pfsense IP address in that interface. Here is example I have setup to talk to 9.101 device on my network because it has no gateway. So to the device when I talk to it from my vpn... It thinks the traffic came from pfsense IP address 9.253
I would not suggest this, unless the reason you can not talk to the device is no gateway.. You need to adjust the firewall on the device your trying to talk to allow traffic from where your talking from.
