Some connections from USA can not reach to a server behind pfsense firewall
-
I have pfsense 2.3.2 installed on a Dell Server dedicated and connected to a switch. I created a LAN 192.168.75.0/24 I have a physical server using IP 192.168.75.1, in that server I created 4 virtual machines with IPs 192.168.75.51-54
I have 4 public IPs nated in internal IPs with some ports open like port 80, 443, 8080, 8443, etc
I have many rules in Firewall but none of those rules are blocking connections. Only "permit".
I have installed PFblockerNG and I am blocking Inbound and Outblound connections from Asia, Europe, Oceania and South America.
I have a website (http://mobilecard.mx) hosted in a virtual machine, all connections from Mexico can reach to website. But the problem is that some connections from USA can not reach the website, mainly connections from T-Mobile and Telepacifica. Something very strange is that some day many connections from Tmobile in USA can reach the website and the next day the same connections can NOT reach.
My datacenter has confirmed that the Public IPs has not any blocking in router. I made many tests like add rule in firewall from ANY to ANY and the connections can not reach the website.
I have not any blocking in OS. I delete a RFC1918 rule that locks private IPs like 192.168.0.0, 172.0.0.0 because some IPS blocked are 172.
Some Ips that can not reach to website are: 172.58.23.237, 172.251.160.239, etc.Any ideas? :(
Thanks in advance!
-
Some Ips that can not reach to website are: 172.58.23.237, 172.251.160.239, etc.
Packet capture on WAN filtering on those IP addresses and see if the traffic is even arriving. If it is not it is upstream and there is nothing you can to at that point in the network to fix it.
I delete a RFC1918 rule that locks private IPs like 192.168.0.0, 172.0.0.0 because some IPS blocked are 172.
RFC1918 is 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
172.16.0.0/12 is 172.16.0.0 - 172.31.255.255. It is not everything in 172.0.0.0/8.
-
Some Ips that can not reach to website are: 172.58.23.237, 172.251.160.239, etc.
Packet capture on WAN filtering on those IP addresses and see if the traffic is even arriving. If it is not it is upstream and there is nothing you can to at that point in the network to fix it.
I can not see the current IP that is trying to access to website in the packet capture (172.56.12.14):
10:28:24.537872 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.537942 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1347
10:28:24.560752 ARP, Request who-has 192.168.30.74 tell 192.168.30.70, length 46
10:28:24.571519 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.608492 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.623162 IP 187.177.152.109.58134 > 199.231.161.35.70: tcp 0
10:28:24.623223 IP 199.231.161.35.70 > 187.177.152.109.58134: tcp 0
10:28:24.632774 IP 199.231.161.35 > 199.231.161.1: ICMP echo request, id 14682, seq 5393, length 8
10:28:24.634516 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 474
10:28:24.634559 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 0
10:28:24.634826 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.634836 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.634844 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.634853 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.634861 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.636953 IP 199.231.161.1 > 199.231.161.35: ICMP echo reply, id 14682, seq 5393, length 8
10:28:24.690629 IP 187.177.152.109.58134 > 199.231.161.35.70: tcp 0
10:28:24.694070 IP 187.177.152.109.58134 > 199.231.161.35.70: tcp 204
10:28:24.694128 IP 199.231.161.35.70 > 187.177.152.109.58134: tcp 0
10:28:24.694363 IP 199.231.161.35.70 > 187.177.152.109.58134: tcp 137
10:28:24.709393 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.709457 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.709468 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.709474 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.709491 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.709500 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.709509 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.734849 ARP, Request who-has 199.231.160.83 (ff:ff:ff:ff:ff:ff) tell 199.231.160.65, length 46
10:28:24.745302 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.745364 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.749173 IP 199.231.161.35.70 > 187.177.152.109.53740: tcp 753
10:28:24.757950 IP 187.177.152.109.58134 > 199.231.161.35.70: tcp 0
10:28:24.757989 IP 187.177.152.109.58134 > 199.231.161.35.70: tcp 51
10:28:24.758020 IP 199.231.161.35.70 > 187.177.152.109.58134: tcp 0
10:28:24.758028 IP 187.177.152.109.58134 > 199.231.161.35.70: tcp 0
10:28:24.758059 IP 199.231.161.35.70 > 187.177.152.109.58134: tcp 0
10:28:24.758169 IP 199.231.161.35.70 > 187.177.152.109.58134: tcp 0
10:28:24.767710 IP 187.177.152.109.58136 > 199.231.161.35.70: tcp 0
10:28:24.767775 IP 199.231.161.35.70 > 187.177.152.109.58136: tcp 0
10:28:24.784643 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.784671 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.784677 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.784692 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.784883 ARP, Request who-has 199.231.160.198 (ff:ff:ff:ff:ff:ff) tell 199.231.160.193, length 46
10:28:24.785194 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.785212 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.785221 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.785239 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.785247 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.785268 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.785281 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.816685 IP 187.177.152.109.53740 > 199.231.161.35.70: tcp 0
10:28:24.820898 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.820919 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.826733 IP 187.177.152.109.58134 > 199.231.161.35.70: tcp 0
10:28:24.842799 IP 187.177.152.109.58136 > 199.231.161.35.70: tcp 0
10:28:24.843738 IP 189.243.192.222.55360 > 199.231.161.36.8080: tcp 0
10:28:24.843891 IP 187.177.152.109.58136 > 199.231.161.35.70: tcp 204
10:28:24.843909 IP 199.231.161.35.70 > 187.177.152.109.58136: tcp 0
10:28:24.844110 IP 199.231.161.35.70 > 187.177.152.109.58136: tcp 137
10:28:24.844726 IP 199.231.161.36.8080 > 189.243.192.222.55360: tcp 0
10:28:24.863005 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.863029 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.863038 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.863056 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.863064 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.863083 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.863090 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.863105 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.863119 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.863132 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.863136 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.863152 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.863160 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.891766 IP 187.177.152.109.63725 > 199.231.161.35.70: tcp 0
10:28:24.891787 IP 199.231.161.35.70 > 187.177.152.109.63725: tcp 1368
10:28:24.916478 IP 187.177.152.109.58136 > 199.231.161.35.70: tcp 0
10:28:24.916489 IP 187.177.152.109.58136 > 199.231.161.35.70: tcp 51
10:28:24.916508 IP 199.231.161.35.70 > 187.177.152.109.58136: tcp 0By the way, when I assigned the public IP directly in the virtual machine (not behind the firewall) they can reach to website!!!
-
If you can not see the IP
"I can not see the current IP that is trying to access to website in the packet capture (172.56.12.14):"
Then how could pfsense forward it and the issue as Derelict already pointed out is upstream from you.