Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ports, rules, NAT

    Scheduled Pinned Locked Moved NAT
    46 Posts 5 Posters 5.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • KOMK
      KOM
      last edited by KOM

      If you're satisfied that it's working and you've found the cause then no, you don't need to do that other test run.

      I'm still curious as to what was really going on. I'm not sure how a DNS proxy issue would cause your client to send a RST. Where were these DNS proxy connections configured? Via some Cloudflare GUI or is this something you're doing on the pfSense box?

      If this was indeed a remote issue then that would explain why it was working fine until one day when it wasn't.

      1 Reply Last reply Reply Quote 1
      • R
        Rod-It
        last edited by

        You realise I will most likely be sticking around finding other guides and helping where I can, and no doubt I will have more questions.

        So far though I really do like PfSense.

        I am doing more with it within 2 months than I ever thought I would do with any networking product, I even sold my router - which by the way I really liked too (Netgear Nighthawk R7000)

        CloudFlare can proxy DNS requests, so assuming my website (or in this case, webmail) points to 81.x.x.x, CloudFlare makes it their own IP, so it looks like 101.x.x.x, while my IP had the ports open and CloudFlare did too, it didnt seem to be relaying HTTPS connections to me, but instead to itself - I found an article on their site about this, something to do with how SSL works with their certificates - this would also explain why I was not seeing the traffic hit the box - which by the way I now see when someone connects to 443.

        Phew... nightmare.

        Apologies for the wild chase there, but just having someone else there helped me to find the issue.

        1 Reply Last reply Reply Quote 0
        • KOMK
          KOM
          last edited by

          Glad we could help.

          1 Reply Last reply Reply Quote 1
          • R
            Rod-It
            last edited by

            I want to complete this topic by also stating I now know why my DNS proxy was re-enabled (sometimes we overthink things).

            In PfSense DynamicDNS is an option to enable Proxying DNS - this turned it back on after I disabled it on CloudFlare directly. Makes sense why it was working then stopped. Using this option is great, but when you need HTTP/S traffic to be directed, directly and a given IP you must disable proxying (I can't find their guide right now, I've lost it already).

            Here is the article linked from within PfSense that I obviously missed

            https://blog.cloudflare.com/announcing-virtual-dns-ddos-mitigation-and-global-distribution-for-dns-traffic/

            1 Reply Last reply Reply Quote 1
            • J
              jilted
              last edited by

              I just wanna know why your IP is scanning me like crazy... :P Or are you behind some kind of carrier NAT?
              alt text

              1 Reply Last reply Reply Quote 0
              • R
                Rod-It
                last edited by

                Those IPs are nothing to do with me, they are also hitting me.

                They are based in Germany and Finland, I am not, nor do I have any services from Germany or Finland.

                Using the link above posted by @kiokoman they are on an abuse list, therefore they are likely bots or malicious servers.

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  @Rod-It said in Ports, rules, NAT:

                  138.201.87.102

                  That is the IP of the device you were saying wasn't working ;)

                  In your sniffs.
                  17:16:46.469427 IP 138.201.87.102.48424 > 192.168.1.35.443: tcp 0
                  17:16:46.522427 IP 192.168.1.35.443 > 138.201.87.102.61203: tcp 0

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • R
                    Rod-It
                    last edited by

                    I never said that IP wasn't working, you have a snip of a packet capture as asked for. Any external IPs within are purely coincidental.

                    I didnt validate any external IPs to the forum of my own.

                    I know my topic was a little confusing at times, but I never stated any specific public IP I was using.

                    If anything I stated no external IPs were getting in, but some were frequently trying - and those are likely what you see from the logs.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Ah well that makes more sense why its sent a R then ;)

                      I would block those IPs from talking to your services. Especially if they are on block lists.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • R
                        Rod-It
                        last edited by

                        I have, the poster above, like yourself believed that IP belonged to me - but none of them do :)

                        Side question based on the new addition to the topic though, without SquidGuard or any other type of filtering, can PF block known malicious or bad IPs?

                        Also, if there is a way I can mark this as resolved, please let me know and I will do so.

                        1 Reply Last reply Reply Quote 0
                        • kiokomanK
                          kiokoman LAYER 8
                          last edited by

                          you can use suricata/snort for example

                          ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                          Please do not use chat/PM to ask for help
                          we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                          Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            pfblocker can be used to block IPs from hitting your port forwards. Be it from country xyz, or only allowing IPs from country A, etc.. Or specific lists for known bad.

                            Who exactly is using this - you mentioned something about exchange? And if your using cloudflare - you can limit it to only cloudflare IPs, etc.

                            And yeah ips can be used - but its a bit more complicated when your doing https

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • R
                              Rod-It
                              last edited by

                              I have looked at Snort / Suricata, but not in great details, I will add pfblocker to my list of to look at.

                              As to who is using this, a handful of friends and family, as mentioned above this is purely my home lab, I need some genuine traffic and use from these products so I can fault-find and fix as needed, as I am sure you are all aware, the best way to learn is to do - I'm a hands-on learner, I do better with actual problems in front of me and systems to maintain than any video or guide can give me, though I do use these to fill in the gaps and top-up what I dont know or am missing, including forums like this to get me out of a situation.

                              CloudFlare is purely looking after my domain DNS, I dont need it to do anything fancy at this point (I'm only 3 days in with this anyway).

                              Some background on me;

                              I have 23 years in IT, mostly Windows server, Exchange/Email and VMware. While I understand principals and basics of networking and firewalls, I am starting to venture more in to learning them in more detail, including my Linux knowledge, I dont need this for work as we have a network team that picks up all network issues, at home it is useful to know - why it's taken me this long to be eager I have no idea, likely because I've never really needed to know, but one can never know too much so Linux, networking and firewalls are currently my learning goal.

                              I hope this helps to understand and gives you all a little on me.

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz

                                Running an email server out of home connection, while can be a useful learning experience - not going to be very useful if your actually wanting to send mail from your "home" ip..

                                Most consumer IP blocks are listed and major players block them for accepting mail. Also unless you can edit your PTR for the IP in question - again blocked by most major players.

                                So sending would need to be through a relay if you want to actually send mail to major domains.

                                Have fun! And you have any questions, while the general section doesn't get all that much traffic... Some of us like to answer just general networking and IT questions not always related to pfsense, etc. ;)

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 1
                                • kiokomanK
                                  kiokoman LAYER 8
                                  last edited by

                                  i have a mail server myself at home for fun
                                  fortunately I have never encountered any problems, my ip is not in any blacklist and even if i can't change my ipv4 ptr, i have a ipv6 tunnel with he.net and they let you change it. i just need to be sure that my email server use ipv6 to send emails

                                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                                  Please do not use chat/PM to ask for help
                                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    There are a shitton of major players email that is not on ipv6.. And pretty much every isp consumer IPs are listed as such.. But sure you might be lucky there.. But no ptr is can be a killer..

                                    Other than a toy/learning experience running mail servers off a home connection is pretty pointless.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    1 Reply Last reply Reply Quote 0
                                    • R
                                      Rod-It
                                      last edited by

                                      Apologies, didnt realise I would have to cover that, was purely providing a little background.

                                      I have a VPS I relay through, that has correct rDNS, SPF, DKIM, DMARC all setup and working, including TLS 1.2

                                      I've been running exchange for almost 10 years this way, have my own domain, they are secure and get A+, I do not suport any less than TLS 1.2 etc. I run Nessus (community edition) and OpenVAS against my network regularly.

                                      Almost everything I do in my lab is to mimic work, its the first place I apply security patches and PCI fixes, if I break my lab no one gets hurt, if I take a business down, it's my problem and I get it in the neck, so I practise at home first (where possible)

                                      Do apricate the additional feedback though..

                                      P.S. while I dont generate crazy amounts of traffic, I am all for securing my system more effectively- those tools mentioned above will be looked at better when I have more dedicated time.

                                      And just in case anyone asks, exchange is covered, as are all my Windows licenses under an MDSN subscription by work for the sole purpose of learning. :)

                                      Side note, if I can do the same thing as work, but for free, I often take this option. Certificates = Let's Encrypt (currently I have a paid one), email filtering - also free, firewall (from home router to PfSense), VPN - OpenVPN.

                                      I like free and opensource, so use it as a 'similar' to works paid enterprise products.

                                      P.P.S (expect me asking for help), my next plan is to remove the IIS proxy and move my HTTPS traffic to either Squid or HA via PfSense to be my reverse proxy. If I can do it for free and consolidate, meaning I need to manage and maintain less, I'm all for it.

                                      1 Reply Last reply Reply Quote 0
                                      • R
                                        Rod-It
                                        last edited by

                                        FYI, work are moving to O365 in the near future, so my requirement to run and learn exchange may also go away, at which point I will likely start looking at putting email on my VPS server, using something else hosted at home that is free or just leaving it as is until it becomes EOL - I'm not at that stage yet though.

                                        1 Reply Last reply Reply Quote 0
                                        • kiokomanK
                                          kiokoman LAYER 8
                                          last edited by

                                          yes of course
                                          at home i'm using it only for toy/learning experience/test etc etc
                                          sure not something to do for work where we have professional ip with rdns and stuff configured as it should

                                          ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                                          Please do not use chat/PM to ask for help
                                          we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                                          Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.