Packet capture on wan interface

  • Can someone explain this to me?
    I have a WAN and a LAN interface on a pfSense router. On the LAN interface there is a server: 192.168.0.2. An SSH server is running on that server. NAT is configured on pfSense to NAT traffic from the WAN interface port 22 to 192.168.0.2 port 22.

    I am on the internet, and connect through the WAN interface to the SSH server on 192.168.0.2 with SSH dynamic port forwarding (-D[someport]), so I can use the SSH connection as a proxy tunnel and connect to the internet through that tunnel.

    When I activate a packet capture on the pfSense box on the WAN interface and navigate to some websites, I see only the SSH traffic, but not the web traffic generated by my browser connecting to the SSH tunnel and going outside again through 192.168.0.2.

    Why?

    If I do something like curl http://www.google.com on the shell on 192.168.0.2 I see that traffic in the capture on the WAN interface.

  • Rebel Alliance Global Moderator

    My first guess would be you're not going through your tunnel, which would explain why you're not seeing the traffic.

    When you call up a website that you believe is using the tunnel and go to a "what's my IP" website, what IP do you see?

    Normally when you want to tunnel web traffic through SSH, you would map a local port that would send that traffic down the tunnel. I used to do this all the time with PuTTY, then connect the browser to the local IP and port as a proxy.

  • Yes, my setup is exactly like you described. I'm pretty sure I'm going through the tunnel, because when I close the PuTTY window Firefox complains that the proxy connection failed (the tunnel is closed). And if I start the packet capture on the "LAN" interface I can see the traffic going through the tunnel, but not on the WAN interface.
    Is there something else that could be wrong? Do you see your traffic on a packet capture on the WAN port in the above-mentioned setup?

  • Do a packet capture at the client to see where the web traffic is actually going.

    I suspect that only some of the traffic is going through the tunnel, such as maybe DNS, and that is the WAN traffic being seen. But the web traffic is using the local internet connection instead of the tunnel.
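Added example (not from any post in this thread, and not pfSense's own tooling): a small POSIX shell script that shows how a WAN-side capture for this setup can be narrowed and read. The interface name `em0`, the WAN address `203.0.113.10` and the client address `198.51.100.7` are assumptions chosen from documentation ranges, and the tcpdump-style lines in `SAMPLE_CAPTURE` are constructed for the example. The point it illustrates is the one both replies circle around: on the WAN interface, traffic that 192.168.0.2 sends out through the tunnel has already been translated by outbound NAT, so it appears with the WAN address as its source and the only way to tell it apart from the SSH session itself is by port, not by the 192.168.0.2 address.

```shell
#!/bin/sh
# Added example, not part of the forum thread. All addresses and the
# interface name below are assumptions for illustration.

WAN_IF="em0"                  # assumed pfSense WAN interface name
WAN_IP="203.0.113.10"         # assumed public WAN address (documentation range)
CLIENT_IP="198.51.100.7"      # assumed address of the remote SSH client

# Escape the dots in an IP so it can be used literally inside an ERE.
re_escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# BPF filter for the WAN capture: hide the SSH session between the client
# and the WAN address so only what leaves through NAT (source = WAN_IP)
# remains visible. Note that filtering on "host 192.168.0.2" on the WAN
# side would match nothing, because outbound NAT has rewritten the source.
wan_tunnel_filter() {
    printf 'not (host %s and port 22)' "$CLIENT_IP"
}

# The command one would run on the pfSense shell (printed here, not executed).
capture_command() {
    printf 'tcpdump -ni %s -s 0 "%s"' "$WAN_IF" "$(wan_tunnel_filter)"
}

# Constructed sample of what an unfiltered WAN capture might print:
# two SSH packets, two HTTPS packets leaving via NAT, one DNS query.
SAMPLE_CAPTURE='IP 198.51.100.7.51234 > 203.0.113.10.22: Flags [P.], length 96
IP 203.0.113.10.22 > 198.51.100.7.51234: Flags [P.], length 64
IP 203.0.113.10.60011 > 93.184.216.34.443: Flags [S], length 0
IP 203.0.113.10.60011 > 93.184.216.34.443: Flags [P.], length 517
IP 203.0.113.10.43210 > 8.8.8.8.53: 12345+ A? example.com. (29)'

# Lines belonging to the SSH session (port 22 on either end).
count_ssh_lines() {
    printf '%s\n' "$SAMPLE_CAPTURE" | grep -c -E '\.22[: ]' || true
}

# Everything else: traffic that actually went out through the tunnel.
count_tunneled_lines() {
    printf '%s\n' "$SAMPLE_CAPTURE" | grep -c -v -E '\.22[: ]' || true
}

# Web flows leaving with the WAN address as source towards port 80 or 443.
count_web_lines() {
    ip_re="$(re_escape_ip "$WAN_IP")"
    printf '%s\n' "$SAMPLE_CAPTURE" \
        | grep -c -E "^IP ${ip_re}\.[0-9]+ > [0-9.]+\.(80|443):" || true
}

echo "Capture command: $(capture_command)"
echo "SSH session lines:  $(count_ssh_lines)"
echo "Tunneled lines:     $(count_tunneled_lines)"
echo "Web lines via NAT:  $(count_web_lines)"
```

If the browser really is using the SOCKS tunnel, the filtered WAN capture shows HTTP/HTTPS packets with the WAN address as source while pages load; if only DNS shows up there, the moderator's suspicion (DNS through the tunnel, web traffic via the local connection) is the likely explanation, and a capture on the client will confirm it.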