Netgate Discussion Forum

PFSense [RST, ACK] packet when accessing a site

General pfSense Questions
28 Posts 5 Posters 4.3k Views
4o4rh @stephenw10, Jan 20, 2021, 1:22 PM (last edited Jan 20, 2021, 1:29 PM)

@stephenw10 So check "do not NAT"? Like below?

Interface      Source          Source Port  Destination     Destination Port  NAT Address  NAT Port  Static Port  Description
VLAN_2_INTERN  192.168.2.5/32  8000         192.168.4.7/32  8000              NO NAT                 *            TEST WEEWX Rule
    
4o4rh @johnpoz, Jan 20, 2021, 1:24 PM

@johnpoz Thanks to you and Steve for the clarification. FreeNAS is FreeBSD.

How can I establish what on the box is causing it?
E.g. iptables, etc.?

Can you offer some commands I could use to validate, please?

johnpoz (Global Moderator) @4o4rh, Jan 20, 2021, 1:37 PM (last edited Jan 20, 2021, 1:38 PM)

No, what stephenw10 is talking about is a source NAT to get around rules that might stop traffic to a device where the traffic is from another network.

The server is on vlanX, 192.168.1.100 for example, and you want to talk to it from a device on vlanY, 192.168.2.200 for example.

If 1.100 does not allow access to its services, because of a firewall or lack of a gateway for example, you can do an outbound (or source) NAT to trick the 1.100 device into thinking the traffic came from the pfSense IP in vlanX, say 192.168.1.1.

This is outbound NAT, set on the vlanX interface, to set the source of the traffic to the pfSense IP address on that interface. Here is an example I have set up to talk to the 9.101 device on my network because it has no gateway. So when I talk to it from my VPN, the device thinks the traffic came from the pfSense IP address 9.253.

[image: outboundnat.png]

I would not suggest this unless the reason you cannot talk to the device is no gateway. You need to adjust the firewall on the device you're trying to talk to, to allow traffic from where you're talking from.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

stephenw10 (Netgate Administrator), Jan 20, 2021, 1:52 PM

Yes, that ^.

But, also yes, you can use that to prove where the problem is, but you should fix it at the root, which is probably the server config or some rule in the FreeNAS networking.

Steve

4o4rh @stephenw10, Jan 20, 2021, 1:55 PM (last edited Jan 20, 2021, 1:56 PM)

@stephenw10 OK, guys. Thanks. I can see the port 8000 traffic is coming from the svr VLAN gateway address now instead of the WH2900C, and it is still being reset.

So it is clear: it is the TrueNAS 12.1 box (or the jail that weewx is running in).

Any chance to guide me here with your FreeBSD knowledge, please?

stephenw10 (Netgate Administrator), Jan 20, 2021, 1:58 PM

How exactly are you seeing that? In the state table? Packet capture?

I would have expected the connection to succeed after being translated to the interface address.

Steve

4o4rh @stephenw10, Jan 20, 2021, 1:59 PM

@stephenw10 Packet capture. Instead of the WH2900C address from before, it shows the svr VLAN gateway address. So both addresses are on the same network.

stephenw10 (Netgate Administrator), Jan 20, 2021, 3:19 PM

Mmm, OK. Well, if you are seeing traffic leave the interface the server is on, using the interface IP, then pfSense is both routing and translating correctly.
Something in the FreeNAS firewall or the server config is rejecting it for some other reason.

Check the server logs. Are those requests actually getting that far?

Steve

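An added example to go with the packet-capture diagnosis above and with johnpoz's explanation of when the outbound-NAT workaround applies; this is not code from the thread, from Netgate or from pfSense. It reads the text that `tcpdump -n` prints (the same format the Diagnostics > Packet Capture page shows) for the interface the server sits on and, for every SYN, reports whether the far end answered with SYN/ACK, answered the SYN itself with RST/ACK (the packet reached the host but nothing accepted it), completed the handshake and then reset (an application-level problem, which is how this thread ended), or never answered (a host-firewall drop, or no route back because the host has no gateway). It goes a little beyond the thread by separating those last three cases, since a capture on pfSense shows all of them as "the server is resetting / not answering". The capture lines and the address 192.168.4.1 (assumed to be the pfSense address on the server VLAN) are constructed sample data; only 192.168.2.5 and 192.168.4.7 come from the NAT rule posted earlier.

```python
"""Classify TCP connection attempts in a pfSense packet capture.

Added example, not code from the thread or from Netgate. Reads tcpdump -n
text for the server's interface and labels every SYN with an outcome that
tells you where to look next. All capture lines below are constructed;
192.168.4.1 as the pfSense address on the server VLAN is an assumption.
"""
import ipaddress
import re

# One tcpdump -n line, e.g.
# 13:55:01.000001 IP 192.168.2.5.51234 > 192.168.4.7.8000: Flags [S], seq 100, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# What each outcome means when the capture was taken on the server's interface
MEANING = {
    "accepted": "listener answered SYN/ACK; pfSense rules, routing and NAT are fine",
    "refused": "RST/ACK straight back to the SYN: packet reached the host, but nothing "
               "is listening on that port or a host-firewall reject rule hit",
    "server_reset": "handshake completed, then the server reset: application-level problem",
    "no_reply": "no answer at all: dropped by a host firewall, or no route back "
                "(host without a gateway cannot answer an off-link client)",
    "client_reset": "client tore the connection down itself",
}


def parse_line(line):
    """Return the fields of one tcpdump line, or None for non-TCP/garbage lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {"ts": f["ts"], "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"]), "flags": f["flags"]}


def classify_connections(capture_lines):
    """Map (client, cport, server, sport) -> outcome for every SYN in the capture."""
    outcomes = {}
    for pkt in filter(None, map(parse_line, capture_lines)):
        flags = pkt["flags"]
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if flags == "S":                       # client SYN (retransmits keep the first state)
            outcomes.setdefault(fwd, "no_reply")
        elif rev in outcomes:                  # packet sent by the server side
            if flags == "S." and outcomes[rev] == "no_reply":
                outcomes[rev] = "accepted"
            elif flags.startswith("R"):
                outcomes[rev] = "refused" if outcomes[rev] == "no_reply" else "server_reset"
        elif fwd in outcomes and flags.startswith("R"):
            outcomes[fwd] = "client_reset"     # RST sent by the client
    return outcomes


def needs_source_nat(server_ip, server_prefixlen, client_ip):
    """True when the client is off-link from the server's point of view.

    A host with no default gateway cannot answer such a client at all; that is
    the one case in which translating the client to the pfSense address on the
    server's VLAN (outbound NAT) is a justified workaround.
    """
    net = ipaddress.ip_network(f"{server_ip}/{server_prefixlen}", strict=False)
    return ipaddress.ip_address(client_ip) not in net


def report(capture_lines):
    """One human-readable line per connection attempt."""
    return [f"{c}:{cp} -> {s}:{sp}: {o} ({MEANING[o]})"
            for (c, cp, s, sp), o in classify_connections(capture_lines).items()]


# Constructed capture, as if taken on the server's VLAN interface (not a real trace)
SAMPLE_CAPTURE = """\
13:55:01.000001 IP 192.168.2.5.51234 > 192.168.4.7.8000: Flags [S], seq 100, win 65535, length 0
13:55:02.000002 IP 192.168.2.5.51234 > 192.168.4.7.8000: Flags [S], seq 100, win 65535, length 0
13:56:10.000003 IP 192.168.4.1.51240 > 192.168.4.7.8000: Flags [S], seq 200, win 65535, length 0
13:56:10.000004 IP 192.168.4.7.8000 > 192.168.4.1.51240: Flags [R.], seq 0, ack 201, win 0, length 0
13:57:20.000005 IP 192.168.4.1.51250 > 192.168.4.7.8000: Flags [S], seq 300, win 65535, length 0
13:57:20.000006 IP 192.168.4.7.8000 > 192.168.4.1.51250: Flags [S.], seq 900, ack 301, win 65535, length 0
13:57:20.000007 IP 192.168.4.1.51250 > 192.168.4.7.8000: Flags [.], ack 1, win 1026, length 0
13:57:20.000008 IP 192.168.4.1.51250 > 192.168.4.7.8000: Flags [P.], seq 1:80, ack 1, win 1026, length 79
13:57:20.000009 IP 192.168.4.7.8000 > 192.168.4.1.51250: Flags [R.], seq 1, ack 80, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
    # Could a server with no gateway have answered the original client at all?
    print("192.168.2.5 is off-link from 192.168.4.7/24:",
          needs_source_nat("192.168.4.7", 24, "192.168.2.5"))
```

Run it against a saved capture with `python3 classify.py < capture.txt` after swapping `SAMPLE_CAPTURE` for `sys.stdin`; the point of the three sample attempts is that a `refused` or `server_reset` verdict already proves the packet made it through pfSense and into the host, so the remaining work is on the FreeBSD/jail side (host firewall, listener, or the application), exactly as the thread concludes.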
4o4rh @stephenw10, Jan 20, 2021, 3:48 PM

@stephenw10 Thanks guys. I got it working. It was an issue with the application.

johnpoz (Global Moderator) @4o4rh, Jan 20, 2021, 4:08 PM

@gwaitsi said in PFSense [RST, ACK] packet when accessing a site:

    I got it working. It was an issue with the application.

I would remove your source NAT then. I wouldn't recommend NATing between local networks.


4o4rh @johnpoz, Jan 20, 2021, 4:11 PM

@johnpoz Already did, thanks :-)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.