Ports some days opened, other days all closed
-
You for sure do not want or need wild card dest for your nat stuff. Your nat rules go first, then that traffic would hit your firewall and its dest would be where the nat is sending it.
So I am curious how many connections do you have open due to the tarpitting? Maybe you're running into a connections limit issue? Or an issue with memory due to connections staying open?
-
Regardless of what's been said here I'm 100% sure that pfSense is not the problem unless there's some serious misconfiguration involved. Start looking at the equipment that is in front of pfSense on the WAN side, contact your ISP and ask if they can assist with the problem in case there's something wonky on their side.
-
Well first thing I would fix is a HARD boot every day?? For what possible reason would anyone do that, does power go off? That for sure needs to be fixed!
2nd thing would be anything involved with dynamic IP - is your IP changing? So if some fqdn points to 1.2.3.4, your IP changes to 5.6.7.8 no shit forwards wouldn't be working if still going to 1.2.3.4 ;)
-
Hi
The box goes off for about 7 hours a day because it's running off grid on batteries with solar cells. I think that shouldn't be a problem?
The IP is dynamic, but changes at night when it's powered off. I can see this in the statistics of my ISP.
My ISP is a big one and doesn't want to help me: what happens behind their lines is my problem they say (don't have much choice of ISP in Belgium).
The reason I added the wildcards is because it doesn't work if it isn't. In my previous post you can see a ZIP with traffic captures.
As you open that in Wireshark, you can see it was blocked because the destination isn't 10.0.0.107 but the public dynamic IP. Hence the wildcard.
The capture was done on pfsense itself and then exported and opened locally with Wireshark.
Or is there another way to solve this? -
What I can tell you for FACT is that when you do a nat, you do not need a rule with dest Any.. You need a firewall rule that is to the IP to where the nat is sending the traffic. That is how it works, that is how the nat creates the rule when you create the nat. That is how mine are set up and they work just fine.
I don't know what you saw in your traces. Most likely you did not have a rule or nat active? See example below, I created a nat to 22, it created a rule on my wan that says the private IP. As you can see from the sniff on my wan the packet is sent to my public IP.. but still gets through to my box behind on the private.
So if your power goes off because it's on battery you need to look into doing a graceful shutdown.. Hard off of any sort of device is rarely a good idea. Especially when the media the device is running off of is writable.. Is this running off some ro cf card or something?
If the battery runs out of juice, I would set it up so your devices gracefully shut down before the juice runs out.. And then come back online when there is sufficient juice to run.. Or get a bigger battery to last while the sun is down ;)
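As an added illustration (not from the thread or from pfSense itself), here is the shape of the pf rules pfSense generates for a port forward, showing why the WAN pass rule is written to the private host rather than "any": translation runs before filtering, so a capture on WAN shows the public address as destination while the filter rule already sees the translated one. Interface name em0 and the addresses are assumed example values.

```pf
# Added example, not the thread's or pfSense's own ruleset.
# Interface em0 and the addresses are constructed for illustration.

# 1. Translation is applied first: a packet arriving on WAN for the
#    interface's own (public, possibly dynamic) address on TCP port 22
#    gets its destination rewritten to the private host.
#    A packet capture on em0 sees the packet BEFORE this rewrite,
#    which is why the sniff shows the public IP as destination.
rdr on em0 proto tcp from any to (em0) port 22 -> 10.0.0.107 port 22

# 2. Filtering sees the packet AFTER translation, so the associated
#    filter rule matches on the private destination, not the public one.
#    This is what the "associated filter rule" a pfSense port forward
#    creates looks like.
pass in quick on em0 proto tcp from any to 10.0.0.107 port 22 flags S/SA keep state

# Over-permissive variant to avoid: a WAN pass rule with destination
# "any" admits far more than the forwarded service and masks a broken
# or inactive rdr instead of fixing it.
# pass in quick on em0 proto tcp from any to any port 22 keep state
```

On a pfSense box the live translation and filter rules can be compared with `pfctl -sn` and `pfctl -sr` respectively.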
-
-
None of those rules show any hits on them at all.. Why are floating and Wan lit up.. Do you have any rules in floating?
What rule is blocking those. Turn on showing the rule in the log..
Status / System Logs / Settings
Are you seeing any errors in system log about the loading of the rules?
-
-
-
The one in the picture I attached ;) And the one you have set to not show… What I meant by lit up is they both have the red bars under them..
So your log is flooded with this?? That doesn't seem right. But again in that picture you have both general and resolver lit up.. So what is that log from, general or resolver.. Only the tab you're on should be lit..
If your logs are being flooded how do you know if your rules failed to load? Or issues with them..
-
Ah ok, I understand! They both light up or have the bar below them because WAN was active and I was hovering Floating at the time of the screenshot. Sorry for the confusion.
It was a screenshot of the general. DNS resolver was just hovered by the mouse.
My second screenshot was after a reboot, before the IPv6 errors. I did a search and no logs mentioned "rule" in the description. -
Hi
Can someone help me? Someone said it was a configuration issue and not a bug, but:
- I posted all configuration and nobody can point out the mistake?
- If I change nothing, make a harmless edit to the WAN firewall configuration (the name of a configuration for example), save it, then all ports are open! Before they were all closed.
- Some days I don't need to make the harmless edit and then it works right after booting.
I have made a separate topic about the IPv6 logs in the system log: https://forum.pfsense.org/index.php?topic=115892.msg643127#msg643127
-
It just happened again :(
- I saved a backup and did a fresh install of 2.3.2 release (32bit) because I had troubles upgrading.
- After the reboot I assigned and configured the Lan interface from the console. But the lan address was not reachable from my laptop.
- I rebooted again and I gained lan gui access. I applied the backup and waited the installation of all packages, then the firewall rebooted.
First reboot -> firewall unreachable (no ping answers, no dhcp, no internet)
second reboot -> firewall unreachable (no ping or webgui) but dhcp is working and I got internet access. From the firewall console I cannot ping any address on LAN or guest network
third reboot -> the same as before
fourth reboot -> everything works as expected
Every reboot is a lottery :'(
The boot process shows no errors and the console always shows the interfaces correctly assigned -
The fresh install is a great idea, but I would not restore the backup and I would especially not restore installed packages…
Do a fresh install then add your old settings manually, one by one until your problem appears.
We cannot help when there are so many possibilities. We need a simple, repeatable process to showcase your bug.
-
The first time I installed pfsense was the 2.3 release. That day I tried to install it three times because every single time the gui was not reachable from my lan, even if I got the correct address shipped via dhcp. After a couple of reboots I then managed to reach the webgui every single time. This happens before even starting the webgui wizard!
Last Saturday, as I wrote above, after the installation I had to reboot again before being able to reach the gui to apply the backup.
So for me the issue is reproduced every single time, after every installation, from 2.3 to 2.3.2.
Maybe a hardware issue with the Jetway Daughter Board I'm using. http://www.mini-box.com/VERSA-3-x-Gigabit-LAN-Port-Daughterboard
But that hardware ran for almost ten years with ipcop without any issue.
And the interface is up and working because I can get a DHCP address and connect to google.
Every time I reboot I have to cross my fingers and hope everything is going well. Sometimes it does and sometimes it doesn't and I have to try some other reboot.
When it works, then, it's rock solid for weeks and the behavior is perfectly reliable with the rules I set.
-
I'm still having this problem. It goes down by pi@10.0.0.1 shutdown every day and when it comes up I have to go to NAT, click edit on a random line, click save without changing anything and then click save to get my ports opened. Does someone have a solution?