Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Traffic flow through firewall simulation

    Scheduled Pinned Locked Moved Firewalling
    2 Posts 2 Posters 949 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gregorij
      last edited by

      Hi.

      we've migrated from Forefront TMG 2010 to pfSense. It's really cool and robust enough, but we are missing one feature. In TMG, when there was a problem with rules on the firewall, we were able to test it by simulator - that means we were able to enter source IP, destination IP and port and than TMG showed us the flow through the firewall and the rule, that allow or deny the tested traffic. Is it possible to do similar troubleshooting in pfSense? I cannot find it anywhere in the menu. If not, what are the possibilities of firewall troubleshooting?

      Thanks
      George

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        No. Cisco ASAs have packet-tracer that does the same thing. It's really cool.

        But I know of nothing similar for pf, unfortunately. Would love to be corrected here.

        Quick example:

        ASA2# packet-tracer input inside tcp 172.25.248.100 12345 172.25.232.1 80 

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface description Default NAPT Overload
Additional Information:
Dynamic translate 172.25.248.100/12345 to 172.25.228.20/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface description Default NAPT Overload
Additional Information:

Phase: 7      
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 39896, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.