Netgate Discussion Forum

    Firewall with public ("white") addresses

    Russian
    15 Posts 3 Posters 1.7k Views
    pavelmil

      Good day everyone.
      The problem is as follows. The CheckPoint box at one of our branch offices burned out. It worked as a firewall with 3 zones (WAN, DMZ, LAN) with public addresses in each zone. I want to build an equivalent on pfSense, version 2.3.1. Configuration:
      GW  195.42.xxx.129/29
      WAN 195.42.xxx.130/29
      LAN 195.42.xxx.144/29
      DMZ 195.42.xxx.136/29

      NAT disabled

      Routing tables

      Internet:
      Destination        Gateway            Flags      Netif Expire
      default            195.42.xxx.129    UGS        sk0
      127.0.0.1          link#7            UH          lo0
      195.42.xxx.128/29  link#3            U          sk0
      195.42.xxx.130    link#3            UHS        lo0
      195.42.xxx.136/29  link#2            U          dc0
      195.42.xxx.139    link#2            UHS        lo0
      195.42.xxx.144/29  link#1            U          age0
      195.42.xxx.147    link#1            UHS        lo0

      Rules on LAN and DMZ are configured: ICMP ********
      PC 1 and 2 ping the LAN, DMZ and WAN interfaces. Pings to the GW and beyond do not get through.
      Clearly packet forwarding needs to be configured (as far as I know it is disabled by default in BSD). I could not configure it with the standard BSD tools.
      How do I do this properly in pfSense?
      Regards,
      Pavel

      pfsense1.gif

    werter

      Hello.
      Question: why public addresses on LAN\DMZ? Are you sure you carried the config over from the CheckPoint correctly?

    pavelmil

      Are you sure you carried the config over from the CheckPoint correctly?
      100%.
      Question: why public addresses on LAN\DMZ?
      Good question. Somebody, hung over back in the day, invented routing and packet filters. Ask that joker why, but sometimes it is needed.
      Regards,
      Pavel

    rubic

      @pavelmil:

      Clearly packet forwarding needs to be configured (as far as I know it is disabled by default in BSD). I could not configure it with the standard BSD tools.
      How do I do this properly in pfSense?

      In pfSense it is enabled by default; it is a router, after all. Catch your pings on the pfSense WAN with Diagnostics > Packet Capture and report the results.

    pavelmil

      ping from the local network to the gateway --> packet capture on the LAN card

      13:37:59.718334 IP 195.42.xxx.149 > 195.42.xxx.129: ICMP echo request, id 512, seq 10496,
      13:38:04.962980 IP 195.42.xxx.149 > 195.42.xxx.129: ICMP echo request, id 512, seq 10752, l
      13:38:09.982538 IP 195.42.xxx.149 > 195.42.xxx.129: ICMP echo request, id 512, seq 11008,

      ping from the local network to the gateway --> packet capture on the WAN card

      13:29:44.434520 IP 195.42.xxx.130 > 195.42.xxx.129: ICMP echo request, id 10840, seq 5,
      13:29:44.434681 IP 195.42.xxx.129 > 195.42.xxx.130: ICMP echo reply, id 10840, seq 745,
      13:29:44.966497 IP 195.42.xxx.130 > 195.42.xxx.129: ICMP echo request, id 10840, seq
      13:29:44.966691 IP 195.42.xxx.129 > 195.42.xxx.130: ICMP echo reply, id 10840, seq 746,

      Why on earth is the WAN address substituted on WAN instead of the local address?
      NAT is disabled.
      Regards,
      Pavel

    rubic

      And what exactly is in Firewall > NAT > Outbound? And what does pfctl -sn | grep 'nat on' print in Diagnostics > Command Prompt?

    pavelmil

      And what exactly is in Firewall > NAT > Outbound?  Disable Outbound NAT
      And what does pfctl -sn | grep 'nat on' print?  Nothing
      Regards,
      Pavel

    rubic

      Ah, right, what you are catching on WAN is apinger at work, the gateway monitor. What do you see on WAN when pinging, say, 8.8.8.8 from LAN?

    pavelmil

      What do you see on WAN when pinging, say, 8.8.8.8 from LAN?

      Complete nonsense

      16:02:04.283872 IP 195.42.xxx.130 > 195.42.xxx.129: ICMP echo request, id 5932, seq 14274, length 8
      16:02:04.284119 IP 195.42.xxx.129 > 195.42.xxx.130: ICMP echo reply, id 5932, seq 14274, length 8
      16:02:04.709087 IP 195.42.xxx.149.16056 > 195.42.160.60.53: UDP, length 38
      16:02:04.785609 IP 195.42.xxx.130 > 195.42.xxx.129: ICMP echo request, id 5932, seq 14275, length 8
      16:02:04.785779 IP 195.42.xxx.129 > 195.42.xxx.130: ICMP echo reply, id 5932, seq 14275, length 8

      Regards,
      Pavel

    rubic
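Added example, not part of the thread: a small Python parser for pfSense Packet Capture lines of the kind posted above. It applies rubic's observation that the echo requests sourced from the WAN address are the firewall's own gateway monitor (apinger), separates such firewall-local packets from transit traffic, and reports whether a test flow such as the ping to 8.8.8.8 actually crossed the WAN, and whether it was answered. The interface, client and DNS-server addresses are constructed from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, since the thread masks its real ones; the verdict strings are my own wording.

```python
"""Sort pfSense Packet Capture (tcpdump-style) lines into firewall-local and
transit traffic, then say whether a test ping really crossed WAN.
Added example; all addresses below are constructed, not the thread's."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

_LINE_RE = re.compile(r'^(\S+) IP (\S+) > (\S+): (.*)$')


@dataclass
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str   # 'icmp', 'udp', 'tcp', ...
    info: str    # rest of the line, e.g. 'echo request, id 5932, seq 14274, length 8'


def _split_addr(tok: str):
    """tcpdump prints 'a.b.c.d' for ICMP and 'a.b.c.d.port' for TCP/UDP."""
    parts = tok.split('.')
    if len(parts) == 5:
        return '.'.join(parts[:4]), int(parts[4])
    if len(parts) == 4:
        return tok, None
    raise ValueError(f'unexpected address token: {tok!r}')


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet, or None for lines that are not IPv4 one-liners."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_tok, dst_tok, rest = m.groups()
    src, sport = _split_addr(src_tok)
    dst, dport = _split_addr(dst_tok)
    if rest.startswith('ICMP '):
        proto, info = 'icmp', rest[5:]
    else:
        head, _, info = rest.partition(',')   # 'UDP, length 38' -> 'UDP'
        proto = head.lower()
    return Packet(ts, src, sport, dst, dport, proto, info.strip())


def classify(pkt: Packet, fw_addrs: set) -> str:
    """'local': sent or received by the firewall itself (gateway monitor,
    admin access); 'forwarded': transit traffic passing through the filter."""
    return 'local' if pkt.src in fw_addrs or pkt.dst in fw_addrs else 'forwarded'


def check_test_flow(lines, fw_addrs: set, target: str) -> dict:
    """Summarise a WAN-side capture taken while a client behind the firewall
    pings `target`. Only forwarded packets count as evidence for the test."""
    counts = Counter()
    requests = replies = other = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            counts['unparsed'] += 1
            continue
        kind = classify(pkt, fw_addrs)
        counts[kind] += 1
        if kind != 'forwarded':
            continue
        if pkt.proto == 'icmp' and pkt.dst == target and pkt.info.startswith('echo request'):
            requests += 1
        elif pkt.proto == 'icmp' and pkt.src == target and pkt.info.startswith('echo reply'):
            replies += 1
        else:
            other += 1
    if requests == 0:
        verdict = 'test traffic never reached the WAN side (check client route and filter logs)'
    elif replies == 0:
        verdict = 'test traffic leaves via WAN but is never answered (upstream routing)'
    else:
        verdict = 'test traffic forwarded and answered'
    return {'local': counts['local'], 'forwarded': counts['forwarded'],
            'unparsed': counts['unparsed'], 'requests': requests,
            'replies': replies, 'other_forwarded': other, 'verdict': verdict}


# Constructed stand-ins for the thread's masked addresses: .129 upstream GW,
# .130 WAN, .147 LAN and .139 DMZ interface addresses, .149 a LAN client.
FW_ADDRS = {'203.0.113.130', '203.0.113.147', '203.0.113.139'}

# WAN-side capture shaped like the one posted: the gateway monitor probing the
# GW from the WAN address, one forwarded DNS query, no trace of the 8.8.8.8 ping.
WAN_CAPTURE = [
    '16:02:04.283872 IP 203.0.113.130 > 203.0.113.129: ICMP echo request, id 5932, seq 14274, length 8',
    '16:02:04.284119 IP 203.0.113.129 > 203.0.113.130: ICMP echo reply, id 5932, seq 14274, length 8',
    '16:02:04.709087 IP 203.0.113.149.16056 > 198.51.100.53.53: UDP, length 38',
    '16:02:04.785609 IP 203.0.113.130 > 203.0.113.129: ICMP echo request, id 5932, seq 14275, length 8',
    '16:02:04.785779 IP 203.0.113.129 > 203.0.113.130: ICMP echo reply, id 5932, seq 14275, length 8',
]

# Constructed capture for the other failure mode: requests leave, nothing returns.
WAN_CAPTURE_UNANSWERED = [
    '16:05:01.000100 IP 203.0.113.149 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 40',
    '16:05:02.000100 IP 203.0.113.149 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 40',
]

if __name__ == '__main__':
    for name, cap in (('posted', WAN_CAPTURE), ('unanswered', WAN_CAPTURE_UNANSWERED)):
        print(name, check_test_flow(cap, FW_ADDRS, '8.8.8.8'))
```

On the posted-style capture the only forwarded packet is the client's DNS query, so forwarding itself is working and the missing ping is a client-side or upstream question; on the second capture the requests leave but nothing returns, which is the pattern a broken provider route toward the pfSense network would produce.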

      So nothing toward 8.8.8.8 leaves via WAN. Then give the output of pfctl -sr

    pavelmil

      scrub on sk0 all fragment reassemble
      scrub on age0 all fragment reassemble
      scrub on dc0 all fragment reassemble
      anchor "relayd/*" all
      anchor "openvpn/*" all
      anchor "ipsec/*" all
      block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
      block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
      block drop in log inet all label "Default deny rule IPv4"
      block drop out log inet all label "Default deny rule IPv4"
      block drop in log inet6 all label "Default deny rule IPv6"
      block drop out log inet6 all label "Default deny rule IPv6"
      pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
      block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
      block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
      block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
      block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
      block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
      block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
      block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
      block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
      block drop log quick from <snort2c> to any label "Block snort2c hosts"
      block drop log quick from any to <snort2c> label "Block snort2c hosts"
      block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
      block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = http label "webConfiguratorlockout"
      block drop in log quick from <virusprot> to any label "virusprot overload table"
      block drop in log quick on sk0 from <bogons> to any label "block bogon IPv4 networks from WAN"
      block drop in log quick on sk0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
      block drop in log on ! sk0 inet from 195.42.169.128/29 to any
      block drop in log inet from 195.42.169.130 to any
      block drop in log on sk0 inet6 from fe80::21c:f0ff:fe91:d0ea to any
      block drop in log quick on sk0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
      block drop in log quick on sk0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
      block drop in log quick on sk0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
      block drop in log quick on sk0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
      block drop in log quick on sk0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
      block drop in log on ! age0 inet from 195.42.169.144/29 to any
      block drop in log inet from 195.42.169.147 to any
      block drop in log on age0 inet6 from fe80::21e:8cff:febd:d115 to any
      pass quick on age0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
      pass quick on age0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
      pass quick on age0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
      pass quick on age0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
      block drop in log on ! dc0 inet from 195.42.169.136/29 to any
      block drop in log inet from 195.42.169.139 to any
      block drop in log on dc0 inet6 from fe80::204:e2ff:fe37:89f2 to any
      pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      pass out route-to (sk0 195.42.169.129) inet from 195.42.169.130 to ! 195.42.169.128/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in quick on age0 proto tcp from any to (age0) port = http flags S/SA keep state label "anti-lockout rule"
      anchor "userrules/*" all
      pass in log quick on age0 inet proto icmp from 195.42.169.144/29 to any keep state label "USER_RULE"
      pass in quick on age0 inet from 195.42.169.144/29 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
      anchor "tftp-proxy/*" all

    rubic

      The rules look fine, like everything else.
      Is there anything at all in the logs?

    pavelmil

      Nothing special. It shows that DNS requests are passed through LAN. That's all.
      And adding net.inet.ip.forwerding didn't help either. What is going on? Are you sure no default route needs to be enabled?
      Regards,
      Pavel

    rubic

      You do have a default route on pfSense:

      Destination        Gateway            Flags      Netif Expire
      default            195.42.xxx.129    UGS        sk0

      and, judging by your words, the clients have one too:

      PC 1 and 2 ping the LAN, DMZ and WAN interfaces

      or don't they?

    pavelmil

      Dear Rubic, thank you for the time spent; the problem is solved.
      It was the provider's fault: the routing settings toward the network where the pfSense sits had been lost.
      Regards,
      Pavel

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.