Netgate Discussion Forum

Traffic flow through firewall simulation

Firewalling
2 Posts 2 Posters 941 Views
    gregorij
    last edited by Mar 23, 2017, 4:11 PM

    Hi.

    We've migrated from Forefront TMG 2010 to pfSense. It's really cool and robust enough, but we are missing one feature. In TMG, when there was a problem with rules on the firewall, we were able to test it with a simulator - that means we were able to enter source IP, destination IP and port, and then TMG showed us the flow through the firewall and the rule that allows or denies the tested traffic. Is it possible to do similar troubleshooting in pfSense? I cannot find it anywhere in the menu. If not, what are the possibilities for firewall troubleshooting?

    Thanks
    George

      Derelict LAYER 8 Netgate
      last edited by Mar 23, 2017, 10:08 PM

      No. Cisco ASAs have packet-tracer that does the same thing. It's really cool.

      But I know of nothing similar for pf, unfortunately. Would love to be corrected here.

      Quick example:

      ASA2# packet-tracer input inside tcp 172.25.248.100 12345 172.25.232.1 80 
      
      Phase: 1
      Type: ACCESS-LIST
      Subtype: 
      Result: ALLOW
      Config:
      Implicit Rule
      Additional Information:
      MAC Access list
      
      Phase: 2
      Type: ROUTE-LOOKUP
      Subtype: input
      Result: ALLOW
      Config:
      Additional Information:
      in   0.0.0.0         0.0.0.0         outside
      
      Phase: 3
      Type: NAT
      Subtype: 
      Result: ALLOW
      Config:
      nat (inside,outside) source dynamic any interface description Default NAPT Overload
      Additional Information:
      Dynamic translate 172.25.248.100/12345 to 172.25.228.20/12345
      
      Phase: 4
      Type: NAT
      Subtype: per-session
      Result: ALLOW
      Config:
      Additional Information:
      
      Phase: 5
      Type: IP-OPTIONS
      Subtype: 
      Result: ALLOW
      Config:
      Additional Information:
      
      Phase: 6
      Type: NAT
      Subtype: rpf-check
      Result: ALLOW
      Config:
      nat (inside,outside) source dynamic any interface description Default NAPT Overload
      Additional Information:
      
      Phase: 7      
      Type: NAT
      Subtype: per-session
      Result: ALLOW
      Config:
      Additional Information:
      
      Phase: 8
      Type: IP-OPTIONS
      Subtype: 
      Result: ALLOW
      Config:
      Additional Information:
      
      Phase: 9
      Type: FLOW-CREATION
      Subtype: 
      Result: ALLOW
      Config:
      Additional Information:
      New flow created with id 39896, packet dispatched to next module
      
      Result:
      input-interface: inside
      input-status: up
      input-line-status: up
      output-interface: outside
      output-status: up
      output-line-status: up
      Action: allow
      
      

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)
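As an added example, not from this thread, from pfSense or from Netgate: a small Python model of pf's rule evaluation that walks a constructed ruleset packet-tracer style and reports which rule decides the fate of a given source IP, destination IP and port. It models the two pf semantics that matter when tracing rules by hand: the last matching rule wins, and a matching rule marked quick ends evaluation (pfSense generates its GUI rules with quick, so their order is effectively first-match). The ruleset and addresses are made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    label: str
    action: str          # "pass" or "block"
    proto: str = "any"   # "tcp", "udp", "icmp" or "any"
    src: str = "any"     # CIDR or "any"
    dst: str = "any"     # CIDR or "any"
    dport: int = 0       # destination port, 0 = any
    quick: bool = False  # pf "quick": a match ends evaluation

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and rule.dport in (0, pkt.dport))

def trace(rules, pkt):
    """pf order: last match wins unless a 'quick' rule matches. Returns (action, label, phases)."""
    phases, winner = [], None
    for i, rule in enumerate(rules, 1):
        hit = rule_matches(rule, pkt)
        phases.append(f"Phase: {i}  Rule: {rule.label}  Match: {hit}")
        if hit:
            winner = rule
            if rule.quick:  # quick: stop evaluating, this rule decides
                break
    # Plain pf passes what no rule matched; pfSense supplies its own catch-all block.
    action = winner.action if winner else "pass"
    return action, (winner.label if winner else None), phases

# Constructed ruleset; the catch-all block is deliberately non-quick so later matches override it.
RULES = [
    Rule("catch-all block", "block"),
    Rule("LAN allow HTTP", "pass", "tcp", "172.25.248.0/24", "any", 80, quick=True),
    Rule("LAN block SSH from .100", "block", "tcp", "172.25.248.100/32", "any", 22, quick=True),
    Rule("LAN allow SSH", "pass", "tcp", "172.25.248.0/24", "any", 22, quick=True),
]
```

Calling trace(RULES, Packet("tcp", "172.25.248.100", "172.25.232.1", 80)) and printing the phases gives a walk similar in spirit to the ASA output above, ending with the label of the rule that passed or blocked the packet.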

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.