Ports some days opened, other days all closed
-
Don't mess with advanced settings trying to troubleshoot something that's hit and miss as described, at best it won't do anything, at worst it'll make things worse and harder to troubleshoot.
When it's not working, packet capture on WAN filtered on the port in question, see if it's getting to you at all. If not, problem is upstream. If so, see if a state is created, see if the internal host is replying.
-
The problem is difficult to reproduce and is not always the same. Every time I reboot I keep my finger crossed because I'm not sure that all networks interfaces will be working fine.
I got the followings cases:
A) Firewall is up but unreachable from lan. DHCP is working and I get internet connection, but nmap from host to firewall shows host down.
B) From LAN everything is ok, but all forwarded ports are closed from wan. Tested with Shields Up - GRC.com and everything is stealth.
C) From LAN is ok and wan forwarded ports are ok, but from secondary LAN the firewall is unreachable. The clients get IP address like case A but the captive portal is unreachable so no internet connection. I tried to add MAC address to authorized hosts but still no internet.
Every time after several reboot the firewall start to work fine again.
Once I had to restore a previous backup to get things work again, but I had not changed the configuration between.My dmesg
http://pastebin.com/N4sisRx8 -
The problem is difficult to reproduce and is not always the same. Every time I reboot I keep my finger crossed because I'm not sure that all networks interfaces will be working fine.
I got the followings cases:
A) Firewall is up but unreachable from lan. DHCP is working and I get internet connection, but nmap from host to firewall shows host down.
B) From LAN everything is ok, but all forwarded ports are closed from wan. Tested with Shields Up - GRC.com and everything is stealth.
C) From LAN is ok and wan forwarded ports are ok, but from secondary LAN the firewall is unreachable. The clients get IP address like case A but the captive portal is unreachable so no internet connection. I tried to add MAC address to authorized hosts but still no internet.
Every time after several reboot the firewall start to work fine again.
Once I had to restore a previous backup to get things work again, but I had not changed the configuration between.My dmesg
http://pastebin.com/N4sisRx8Why does nmap fail? No ping response?
Can you share your network topology?
-
Yes, no ping response. In this case I cannot ping any lan/opt2 host from the pfsense console too. And DHCP and nat are working because I have internet on lan.
WAN (wan) -> pppoe0 -> v4/PPPoE: 88.149.xxx.xxx/32
PRIMARY BROADBAND CONNECTIONLAN (lan) -> re0 -> v4: 192.168.1.250/24
LAN CONNECTION. SQUID ENABLED BUT NOT TRANSPARENTOPT1 (opt1) -> ppp1 -> v4: 10.90.209.120/32
BACKUP MOBILE CONNECTION (/dev/cuaU0.0)OPT2 (opt2) -> re1 -> v4: 192.168.2.250/24
GUEST CONNECTION WITH CAPTIVE PORTAL AND TRANSPARENT SQUIDOPENVPN 172.16.0.0/24 on port 443 TCP, shared with a port forward
configured through wizardGateways
WAN_PPPOE 81.174.0.21 8.8.8.8 17.315ms 13.176ms 0.0% Online Interface WAN_PPPOE Gateway
OPT1_PPP 10.64.64.1 8.8.4.4 54.214ms 4.702ms 0.0% Online Interface OPT1_PPP GatewayFirewall (no traffic shaper, no schedules, Automatic outbound NAT, no floating rules)
Please ignore the duplicated ssh entry: I was using a mobile browser and my tap was not precise. Now there's again only one ssh forward.
-
I upgraded this morning and did the capture (see attachment). Ports did arrived in the capture. Strange this is this time I DID see the traffic in the firewall logs.
Now the strange thing: it was blocked because the destination wasn't 10.0.0.107. Now that's a rule PFsense created himself by the NAT rule.
After adding the same rules but with a wildcard destination it all seems to work for now. It was blocked because the destination wasn't the local address, but the public IP.
Now I can understand it was blocked, only it's strange that:- The NAT rule used the local destination and not a wildcard? And you can't change it also because it's greyed out.
- Most strange things: it used to work 50% of the days and 50% of the days it didn't. So why did it worked sometimes? Before the wildcard destinations didn't exist.
- Why wasn't this logged in the firewall logs in previous version?
Firewall now:
-
Seems that it isn't solve. Problem got worse in that case that instead of closed ports I now end up with opening my firewall to the internet: https://forum.pfsense.org/index.php?topic=114731.0
-
You for sure do not want or need wild card dest for your nat stuff. Your nat rules go first, then that traffic would hit your firewall and its dest would be where the nat is sending it.
So I am curious how many connections do you have open due to the tarpitting? Maybe your running into a connections limit issue? Or issue with memory due to connections staying open?
-
Regardless of what's been said here I'm 100% sure that pfSense is not the problem unless there's some serious misconfiguration involved. Start looking at the equipment that is in front of pfSense on the WAN side, contact your ISP and ask if they can assist with the problem in case there's something wonky on their side.
-
Well first thing I would fix is a HARD boot everyday?? For what possible reason would anyone do that, does power go off? That for sure needs to be fixed!
2nd thing would be anything enolved with dynamic IP - is your IP changing? So if some fqdn points to 1.2.3.4, your IP changes to 5.6.7.8 no shit forwards wouldn't be working if still going to 1.2.3.4 ;)
-
Hi
The box goes off for about 7 hours a day because it's running off grid on batteries with solar cells. I think that shouldn't be a problem?
The IP is dynamic, but changes at night when it's powered off. I can see this in the statistics of my ISP.
My ISP is a big one and doesn't want to help me: what happens behind there lines is my problem they say (don't have much choose of ISP in Belgium).
The reason I added the wildcards is because it doesn't work if it isn't. In my previous post you can see a ZIP with traffic captures.
As you open that in Wireshark, you can see it was blocked because the destination isn't 10.0.0.107 but the public dynamic IP. Hence the wildcard.
The capture was done on pfsense itself and then exported and opened locally with Wireshark.
Or is there another way to solve this?
-
What I can tell you for FACT is that when you do a nat, you do not need a rule with dest Any.. You need a firewall rule that is to the IP to where the nat is sending the traffic. That is how it works, that is how the nat creates the rule when you create the nat. That is how mine are setup and they work just fine.
I don't know what you saw in your traces. Most likely you did not have rule or nat active? See example below, I created a nat to 22, it created rule on my wan that says the private IP. As you can see from the sniff on my wan the packet is set to my public IP.. but still gets through to my box behind on the private.
So if your power goes off because its on battery you need to look into doing a graceful shutdown.. Hard off anysort of device is rarely a good idea. Especially when the media the device is running off of it writable.. Is this running off some ro cf card or something?
If the battery runs out of juice, I would setup so your devices gracefully shutdown before the juice runs out.. And then comes back online when there is sufficient juice to run.. Or get a bigger battery to last while the sun is down ;)
-
Hi
I removed the wildcards and I changed the shutdown script to a shutdown -p now and now all ports are blocked again some days (not all days).
The days they are blocked, it shows in the Firewall log? So they are blocked because the destination is my WAN address?
What extra rule do I need?
-
None of those rules show any hits on them at all.. Why is floating and Wan lite up.. Do you have any rules in floating?
What rule is blocking those. Turn on showing the rule in the log..
Status / System / LogsSettings
Are you seeing any errors in system log about the loading of the rules?
-
What do you mean by "Why is floating and Wan lite up"?
When I click "floating", the list is empty:No floating rules are currently defined. Click the button to add a new rule.
.
Which option in Logs > Settings do you mean?
There are errors, but they seem to be IPv6 related, so not linked I guess:
-
Nothing with "rule" in it after booting:
-
The one in the picture I attached ;) And the one you have set to not show… What I meant by lit up is they are both have the red bars under them..
So your log is flooded with this?? That doesn't seem right. But again in that picture you have both general and resolver lit up.. So what is that log from general or resolver.. Only the tab your on should be lit..
if your logs are being flooded how do you know if your rules failed to load? Or issues with them..
-
Ah ok, I understand! They both light up or have the bar below them because WAN was active and I was hovering Floating at the time of the screenshot. Sorry for the confusion.
It was a screenshot of the general. DNS resolver was just hovered by the mouse.
My second screenshot was after a reboot, before the IPv6 errors. I did a search and no logs mentioned "rule" in the description. -
Hi
Can someone help me? Someone said it was a configuration issue and not a bug, but:
- I posted all configuration and nobody can point out the mistake?
- If I change nothing, make an harmless edit to the WAN firewall configuration (the name of a configuration for example), save it, then all ports are open! Before they were all closed.
- Some days I don't need to make the harmless edit and then it works right after booting.
I have made a seperate topic about the IPv6 logs in the system log: https://forum.pfsense.org/index.php?topic=115892.msg643127#msg643127
-
It just happened again :(
- I saved a backup and did a fresh install of 2.3.2 release (32bit) because I had troubles upgrading.
- After the reboot I assigned and configured the Lan interface from the console. But the lan address was not reachable from my laptop.
- I rebooted again and I gained lan gui access. I applied the backup and waited the installation of all packages, then the firewall rebooted.
First reboot -> firewall unreachable (no ping answers, no dhcp, no internet)
second reboot - > firewall unreachable (no ping or webgui) but dhcp is working and I got internet access. From the firewall console I cannot ping any address on LAN or guest network
third reboot -> the same as before
fourth reboot -> everything works as expectedEvery reboot is a lottery :'(
The boot process shows no errors and the console always shows the interfaces correctly assigned -
It just happened again :(
- I saved a backup and did a fresh install of 2.3.2 release (32bit) because I had troubles upgrading.
- After the reboot I assigned and configured the Lan interface from the console. But the lan address was not reachable from my laptop.
- I rebooted again and I gained lan gui access. I applied the backup and waited the installation of all packages, then the firewall rebooted.
First reboot -> firewall unreachable (no ping answers, no dhcp, no internet)
second reboot - > firewall unreachable (no ping or webgui) but dhcp is working and I got internet access. From the firewall console I cannot ping any address on LAN or guest network
third reboot -> the same as before
fourth reboot -> everything works as expectedEvery reboot is a lottery :'(
The boot process shows no errors and the console always shows the interfaces correctly assignedThe fresh install is a great idea, but I would not restore the backup and I would especially not restore installed packages…
Do a fresh install then add your old settings manually, one by one until your problem appears.We cannot help when there are so many possibilities. We need a simple, repeatable process to showcase your bug.
