Netgate Discussion Forum

    Traffic flow through firewall simulation

    Firewalling
    2 Posts 2 Posters 949 Views

    gregorij

      Hi.

      We've migrated from Forefront TMG 2010 to pfSense. It's really cool and robust enough, but we are missing one feature. In TMG, when there was a problem with rules on the firewall, we were able to test it with a simulator - that means we were able to enter the source IP, destination IP and port, and then TMG showed us the flow through the firewall and the rule that allows or denies the tested traffic. Is it possible to do similar troubleshooting in pfSense? I cannot find it anywhere in the menu. If not, what are the possibilities for firewall troubleshooting?

      Thanks
      George


      Derelict (LAYER 8, Netgate)

        No. Cisco ASAs have packet-tracer that does the same thing. It's really cool.

        But I know of nothing similar for pf, unfortunately. Would love to be corrected here.

        Quick example:

        ASA2# packet-tracer input inside tcp 172.25.248.100 12345 172.25.232.1 80
        
        Phase: 1
        Type: ACCESS-LIST
        Subtype: 
        Result: ALLOW
        Config:
        Implicit Rule
        Additional Information:
        MAC Access list
        
        Phase: 2
        Type: ROUTE-LOOKUP
        Subtype: input
        Result: ALLOW
        Config:
        Additional Information:
        in   0.0.0.0         0.0.0.0         outside
        
        Phase: 3
        Type: NAT
        Subtype: 
        Result: ALLOW
        Config:
        nat (inside,outside) source dynamic any interface description Default NAPT Overload
        Additional Information:
        Dynamic translate 172.25.248.100/12345 to 172.25.228.20/12345
        
        Phase: 4
        Type: NAT
        Subtype: per-session
        Result: ALLOW
        Config:
        Additional Information:
        
        Phase: 5
        Type: IP-OPTIONS
        Subtype: 
        Result: ALLOW
        Config:
        Additional Information:
        
        Phase: 6
        Type: NAT
        Subtype: rpf-check
        Result: ALLOW
        Config:
        nat (inside,outside) source dynamic any interface description Default NAPT Overload
        Additional Information:
        
        Phase: 7
        Type: NAT
        Subtype: per-session
        Result: ALLOW
        Config:
        Additional Information:
        
        Phase: 8
        Type: IP-OPTIONS
        Subtype: 
        Result: ALLOW
        Config:
        Additional Information:
        
        Phase: 9
        Type: FLOW-CREATION
        Subtype: 
        Result: ALLOW
        Config:
        Additional Information:
        New flow created with id 39896, packet dispatched to next module
        
        Result:
        input-interface: inside
        input-status: up
        input-line-status: up
        output-interface: outside
        output-status: up
        output-line-status: up
        Action: allow
        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

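As an added example (not code from this thread, from Netgate or from pfSense): a small Python parser for the ASA packet-tracer output format shown above. It splits the trace into its phases and reports which phase and which configured rule decided the verdict, which is the piece of information the original poster was getting from TMG's simulator. It also covers the denied case, which the trace above does not show; the sample trace SAMPLE_DROP, its ACL name and its rule text are constructed for the example.

```python
def parse_packet_tracer(text):
    """Split packet-tracer text into phase dicts plus the final summary block."""
    phases, summary, cur, sect = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):  # new phase; Type/Subtype/Result follow
            cur = {"phase": int(line.split(":", 1)[1]), "type": "",
                   "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            sect = None
        elif line == "Result:":  # bare 'Result:' opens the final summary
            cur, sect = None, "summary"
        elif sect == "summary":
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif cur is None:  # e.g. the command prompt line before Phase: 1
            continue
        elif line in ("Config:", "Additional Information:"):
            sect = "config" if line == "Config:" else "info"
        elif sect in ("config", "info"):
            cur[sect].append(line)
        else:  # Type: / Subtype: / Result: header lines of the phase
            key, _, val = line.partition(":")
            if key.lower() in ("type", "subtype", "result"):
                cur[key.lower()] = val.strip()
    return phases, summary

def deciding_phase(text):
    """Final action plus the phase whose rule produced it (first DROP, else last)."""
    phases, summary = parse_packet_tracer(text)
    drops = [p for p in phases if p["result"].upper() == "DROP"]
    decider = drops[0] if drops else (phases[-1] if phases else None)
    return {"action": summary.get("Action", "").lower(),
            "drop_reason": summary.get("Drop-reason", ""),
            "phase": decider["phase"] if decider else None,
            "type": decider["type"] if decider else "",
            "rule": " ".join(decider["config"]) if decider else ""}

# Constructed sample of a denied flow (not from the thread), same layout as above.
SAMPLE_DROP = """Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-list inside_in extended deny tcp any host 172.25.232.1 eq www
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Feeding the allowed trace from the post gives action "allow" with phase 9 (FLOW-CREATION) as the last phase; the constructed drop trace points at phase 1 and the ACL line under its Config:.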