    [SOLVED] pfSense does not respond to external ping, but the GUI is accessible normally

      marceloengecom last edited by

      Hello friends,

      This is my second pfSense installation in a XenServer VM, and both are working perfectly, with just one detail: one of them does not allow the OpenVPN connection, and both have the same configuration.

      While looking for a solution to the problem, I ran an external ping test and pfSense is not found. Note that I can access it on port 443 and also on the respective SSH port, and I can also externally access other computers on the network that are configured in NAT.

      Because of this, I believe something is blocking pfSense, but I cannot find it.

      Some images follow below.

      Dashboard image:

      The firewall message regarding the WAN port is:

      The rule that triggered this action is:

      @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

      Firewall / Rules / WAN:

        marcelloc last edited by

        According to your screenshot, your WAN IP is responding to ping.

        Two tips

        • Do not publish your public IP on any forum, social network, etc.

        • Use the message's attachment options instead of sharing images on external sites ;)

          marceloengecom last edited by

          @marcelloc:

          According to your screenshot, your WAN IP is responding to ping.

          Two tips

          • Do not publish your public IP on any forum, social network, etc.

          • Use the message's attachment options instead of sharing images on external sites ;)

          Hi Marcello,

          Thanks for the tips, I will follow your recommendation on posting images.

          As for the IP you tested, it refers to a source address, which could have originated from any host. It is not the IP of my gateway or of pfSense.

          In other words, I still have the same problem.

          Best regards,

            danilosv.03 last edited by

            How is your pfSense configured? Does it have port restrictions? Have you tried enabling the ICMP port to test ping?

              marcelloc last edited by

              @marceloengecom:

              It is not the IP of my gateway or of pfSense.

              You're right. I glanced at the screen quickly and fired off the ping.

              Your WAN IP (if I'm looking at the right screen now :)) is not a valid (public) one. So the first step is to check whether your modem/router is forwarding everything (DMZ host, for example) to pfSense.

                marceloengecom last edited by

                Hi Marcello,

                Right… I am using a GVT modem, and the WAN's local address (192.168.25.2) is in the DMZ. All the ports I need to use are also properly opened on the modem.

                I use a Dynamic DNS service and it is working perfectly. Some of the services that are allowed in the firewall on the WAN interface (22, 443, 4022, 8080) are working, with the exception of ping.

                As I said in the initial post, I can access pfSense, but I cannot ping it or connect to the VPN network, and I believe that solving the ping problem will also solve the VPN problem.

                Regards,

                  marcelloc last edited by

                  Run a tcpdump on the WAN to see whether the packets are reaching the firewall or "dying" at the modem.

                    marceloengecom last edited by

                    @marcelloc:

                    Run a tcpdump on the WAN to see whether the packets are reaching the firewall or "dying" at the modem.

                    Marcello,

                    I don't know if I did it right, but here is the output of the command "tcpdump -ni xn1":

                    [2.3.4-RELEASE][root@firewall01.vmobc.local]/root: tcpdump -ni xn1
                    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                    listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
                    00:40:15.688413 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 2950743782:2950743990, ack 486137981, win 510, length 208
                    00:40:15.708188 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 208, win 258, length 0
                    00:40:15.814611 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45737, length 8
                    00:40:15.815397 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45737, length 8
                    00:40:16.327611 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45738, length 8
                    00:40:16.328217 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45738, length 8
                    00:40:16.687735 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 208:784, ack 1, win 510, length 576
                    00:40:16.687764 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 784:944, ack 1, win 510, length 160
                    00:40:16.709023 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 944, win 260, length 0
                    00:40:16.829613 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45739, length 8
                    00:40:16.830415 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45739, length 8
                    00:40:17.025468 IP 192.168.25.2.47961 > 209.126.116.207.443: Flags [.], seq 1621939828:1621939829, ack 3670700958, win 259, length 1
                    00:40:17.202875 IP 209.126.116.207.443 > 192.168.25.2.47961: Flags [.], ack 1, win 260, options [nop,nop,sack 1 {0:1}], length 0
                    00:40:17.341614 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45740, length 8
                    00:40:17.342445 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45740, length 8
                    00:40:17.687695 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 944:1520, ack 1, win 510, length 576
                    00:40:17.687725 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 1520:2032, ack 1, win 510, length 512
                    00:40:17.710450 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 2032, win 256, length 0
                    00:40:17.843612 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45741, length 8
                    00:40:17.844443 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45741, length 8
                    00:40:18.344620 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45742, length 8
                    00:40:18.345242 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45742, length 8
                    00:40:18.687682 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 2032:2704, ack 1, win 510, length 672
                    00:40:18.687710 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 2704:2864, ack 1, win 510, length 160
                    00:40:18.709276 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 2864, win 260, length 0
                    00:40:18.817275 IP 209.126.116.207.443 > 192.168.25.2.24296: Flags [.], ack 3973120016, win 268, length 0
                    00:40:18.817790 IP 192.168.25.2.24296 > 209.126.116.207.443: Flags [.], ack 1, win 260, length 0
                    00:40:18.846609 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45743, length 8
                    00:40:18.847260 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45743, length 8
                    00:40:19.348610 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45744, length 8
                    00:40:19.349306 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45744, length 8
                    00:40:19.687663 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 2864:3248, ack 1, win 510, length 384
                    00:40:19.687693 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 3248:3808, ack 1, win 510, length 560
                    00:40:19.687702 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 3808:3968, ack 1, win 510, length 160
                    00:40:19.710523 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 3808, win 257, length 0
                    00:40:19.776504 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 3968, win 256, length 0
                    00:40:19.849981 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45745, length 8
                    00:40:19.850502 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45745, length 8
                    00:40:20.350612 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45746, length 8
                    00:40:20.351308 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45746, length 8
                    00:40:20.687683 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 3968:4576, ack 1, win 510, length 608
                    00:40:20.687712 IP 192.168.25.2.4022 > 177.18.45.124.56967: Flags [P.], seq 4576:5024, ack 1, win 510, length 448
                    00:40:20.711335 IP 177.18.45.124.56967 > 192.168.25.2.4022: Flags [.], ack 5024, win 260, length 0
                    00:40:20.851608 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45747, length 8
                    00:40:20.852130 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45747, length 8
                    00:40:21.352613 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 45748, length 8
                    00:40:21.353363 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 45748, length 8
                    ^C
                    47 packets captured
                    54 packets received by filter
                    0 packets dropped by kernel
                    
                    

                    xn1 is my WAN interface.
                    The dynamic address 177.18.45.124 corresponds to my workstation, which is connected remotely, via SSH, to pfSense.

                    An attached image follows, showing my VPN connection (port 2400). From what I could tell, the connection passes through the modem, but then cannot complete.

                    Thank you very much for the help!

                      marcelloc last edited by

                      Your tcpdump has no external ping request to your WAN; only the ping from the fw to the gw appears.

                      The OpenVPN communication starts but does not finish. Have you looked at the OpenVPN logs on the fw to see whether changing the encryption or generating a new client key solves the problem?

                        marceloengecom last edited by

                        Marcello,

                        Here is a tcpdump now, with my client machine making a ping request:

                        [2.3.4-RELEASE][root@firewall01.vmobc.local]/root: tcpdump -ni xn1
                        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                        listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
                        04:13:46.838325 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1378918515:1378918723, ack 2856631673, win 510, length 208
                        04:13:47.035726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9821, length 8
                        04:13:47.036467 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9821, length 8
                        04:13:47.537726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9822, length 8
                        04:13:47.538460 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9822, length 8
                        04:13:47.727692 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [P.], seq 218978248:218978316, ack 3734709880, win 134, options [nop,nop,TS val 92376245 ecr 249941110], length 68
                        04:13:47.837829 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 208:784, ack 1, win 510, length 576
                        04:13:47.837857 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 784:1024, ack 1, win 510, length 240
                        04:13:48.038909 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9823, length 8
                        04:13:48.039732 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9823, length 8
                        04:13:48.136932 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [P.], seq 4294967233:1, ack 4294967232, win 260, length 64
                        04:13:48.136967 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [.], ack 1, win 510, length 0
                        04:13:48.388526 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [.], ack 68, win 182, options [nop,nop,TS val 249943782 ecr 92376245], length 0
                        04:13:48.539728 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9824, length 8
                        04:13:48.540519 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9824, length 8
                        04:13:48.572891 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 208, win 259, length 0
                        04:13:48.837803 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1024:1728, ack 1, win 510, length 704
                        04:13:48.837833 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1728:2224, ack 1, win 510, length 496
                        04:13:48.888706 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [P.], seq 1:85, ack 68, win 182, options [nop,nop,TS val 249944282 ecr 92376245], length 84
                        04:13:48.888805 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [.], ack 85, win 134, options [nop,nop,TS val 92376535 ecr 249944282], length 0
                        04:13:49.040728 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9825, length 8
                        04:13:49.041361 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9825, length 8
                        04:13:49.420973 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 1024, win 256, length 0
                        04:13:49.545734 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9826, length 8
                        04:13:49.546559 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9826, length 8
                        04:13:49.837807 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 2224:2912, ack 1, win 510, length 688
                        04:13:49.837837 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 2912:3360, ack 1, win 510, length 448
                        04:13:50.014793 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 2224, win 260, length 0
                        04:13:50.024175 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [P.], seq 1:97, ack 2224, win 260, length 96
                        04:13:50.024198 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [.], ack 97, win 509, length 0
                        04:13:50.024257 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 3360:3408, ack 97, win 510, length 48
                        04:13:50.030752 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [P.], seq 97:161, ack 2224, win 260, length 64
                        04:13:50.030761 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [.], ack 161, win 509, length 0
                        04:13:50.046827 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9827, length 8
                        04:13:50.047587 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9827, length 8
                        04:13:50.547730 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9828, length 8
                        04:13:50.548324 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9828, length 8
                        04:13:50.837787 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 3408:4016, ack 161, win 510, length 608
                        04:13:50.837818 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 4016:4784, ack 161, win 510, length 768
                        04:13:50.979620 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [P.], seq 68:136, ack 85, win 134, options [nop,nop,TS val 92377058 ecr 249944282], length 68
                        04:13:51.015768 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [P.], seq 1:161, ack 2224, win 260, length 160
                        04:13:51.015793 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [.], ack 161, win 510, length 0
                        04:13:51.048727 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9829, length 8
                        04:13:51.049183 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9829, length 8
                        04:13:51.531593 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 3360, win 256, length 0
                        04:13:51.550720 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9830, length 8
                        04:13:51.551181 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9830, length 8
                        04:13:51.599583 IP 209.126.116.207.443 > 192.168.25.2.47961: Flags [.], ack 1621939829, win 260, length 0
                        04:13:51.600015 IP 192.168.25.2.47961 > 209.126.116.207.443: Flags [.], ack 1, win 259, length 0
                        04:13:51.603573 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [.], ack 136, win 182, options [nop,nop,TS val 249946996 ecr 92377058], length 0
                        04:13:51.837782 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 4784:5344, ack 161, win 510, length 560
                        04:13:51.837813 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 5344:5984, ack 161, win 510, length 640
                        04:13:51.837823 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 5984:6400, ack 161, win 510, length 416
                        04:13:51.903215 IP 209.126.116.207.443 > 192.168.25.2.24296: Flags [.], ack 3973120016, win 268, length 0
                        04:13:51.903746 IP 192.168.25.2.24296 > 209.126.116.207.443: Flags [.], ack 1, win 260, length 0
                        04:13:52.051726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9831, length 8
                        04:13:52.052412 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9831, length 8
                        04:13:52.104995 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [P.], seq 85:169, ack 136, win 182, options [nop,nop,TS val 249947498 ecr 92377058], length 84
                        04:13:52.105112 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [.], ack 169, win 134, options [nop,nop,TS val 92377339 ecr 249947498], length 0
                        04:13:52.183989 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 3408, win 256, length 0
                        04:13:52.553730 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9832, length 8
                        04:13:52.554440 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9832, length 8
                        04:13:52.803283 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 4784, win 260, length 0
                        04:13:52.837801 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 6400:6816, ack 161, win 510, length 416
                        04:13:52.837833 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 6816:7968, ack 161, win 510, length 1152
                        04:13:52.950148 IP 192.168.25.2.26747 > 200.189.40.8.123: NTPv4, Client, length 48
                        04:13:52.978439 IP 200.189.40.8.123 > 192.168.25.2.26747: NTPv4, Server, length 48
                        04:13:53.054761 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9833, length 8
                        04:13:53.055276 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9833, length 8
                        04:13:53.556735 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9834, length 8
                        04:13:53.557278 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9834, length 8
                        04:13:53.750134 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [P.], seq 136:220, ack 169, win 134, options [nop,nop,TS val 92377750 ecr 249947498], length 84
                        04:13:53.750285 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [F.], seq 220, ack 169, win 134, options [nop,nop,TS val 92377750 ecr 249947498], length 0
                        04:13:53.837814 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 7968:8256, ack 161, win 510, length 288
                        04:13:53.838588 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 8256:8576, ack 161, win 510, length 320
                        04:13:53.838618 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 8576:9088, ack 161, win 510, length 512
                        04:13:53.838631 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 9088:9296, ack 161, win 510, length 208
                        04:13:54.014506 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 5984, win 256, length 0
                        04:13:54.058732 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9835, length 8
                        04:13:54.059304 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9835, length 8
                        04:13:54.089660 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 6400, win 260, length 0
                        04:13:54.367359 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [.], ack 220, win 182, options [nop,nop,TS val 249949759 ecr 92377750], length 0
                        04:13:54.408506 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [.], ack 221, win 182, options [nop,nop,TS val 249949800 ecr 92377750], length 0
                        04:13:54.560731 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9836, length 8
                        04:13:54.561302 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9836, length 8
                        04:13:54.725675 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 7968, win 260, length 0
                        04:13:54.837809 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 9296:10016, ack 161, win 510, length 720
                        04:13:54.837828 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 10016:10848, ack 161, win 510, length 832
                        04:13:54.867339 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [P.], seq 169:221, ack 221, win 182, options [nop,nop,TS val 249950260 ecr 92377750], length 52
                        04:13:54.867352 IP 218.87.109.150.1480 > 192.168.25.2.22: Flags [F.], seq 221, ack 221, win 182, options [nop,nop,TS val 249950260 ecr 92377750], length 0
                        04:13:54.867463 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [R], seq 218978469, win 0, length 0
                        04:13:54.867469 IP 192.168.25.2.22 > 218.87.109.150.1480: Flags [R], seq 218978469, win 0, length 0
                        04:13:55.062533 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9837, length 8
                        04:13:55.063338 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9837, length 8
                        04:13:55.093329 IP 192.168.25.2.47961 > 209.126.116.207.443: Flags [.], seq 0:1, ack 1, win 259, length 1
                        04:13:55.270536 IP 209.126.116.207.443 > 192.168.25.2.47961: Flags [.], ack 1, win 260, options [nop,nop,sack 1 {0:1}], length 0
                        04:13:55.371332 IP 218.87.109.150.63312 > 192.168.25.2.22: Flags [S], seq 2833360625, win 14600, options [mss 1452,sackOK,TS val 249950761 ecr 0,nop,wscale 7], length 0
                        04:13:55.371479 IP 192.168.25.2.22 > 218.87.109.150.63312: Flags [S.], seq 40262607, ack 2833360626, win 14480, options [mss 1460,sackOK,TS val 92378156 ecr 249950761,nop,wscale 7], length 0
                        04:13:55.562726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9838, length 8
                        04:13:55.563333 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9838, length 8
                        04:13:55.747766 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 8576, win 258, length 0
                        04:13:55.752563 IP 177.18.191.148.63918 > 192.168.25.2.4022: Flags [.], ack 9296, win 255, length 0
                        ^C
                        102 packets captured
                        108 packets received by filter
                        0 packets dropped by kernel
                        
                        The client machine's dynamic IP is now: 177.18.191.148

                        Regarding OpenVPN, I have already made several changes to the encryption and nothing worked. And I believe it is correct, because in another very similar environment it works correctly.

                          andrezaomac last edited by

                          @marceloengecom:

                          Hello friends,

                          This is my second pfSense installation in a XenServer VM, and both are working perfectly, with just one detail: one of them does not allow the OpenVPN connection, and both have the same configuration.

                          While looking for a solution to the problem, I ran an external ping test and pfSense is not found. Note that I can access it on port 443 and also on the respective SSH port, and I can also externally access other computers on the network that are configured in NAT.

                          Because of this, I believe something is blocking pfSense, but I cannot find it.

                          Some images follow below.

                          Dashboard image:

                          The firewall message regarding the WAN port is:

                          The rule that triggered this action is:

                          @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

                          Firewall / Rules / WAN:

                          About your ping rule: on my servers I normally leave external ping disabled, but when I need it I create this rule.
                          Your rule is different; try making it the same as mine.
                          See the image below.
                          https://www.dropbox.com/s/3bpoo0j5disip5u/pingexterno.PNG?dl=0

                          About the question of ping and the VPN working:
                            If you are going to use a server-to-server VPN, ping has no influence.
                            If you are going to use a VPN accessed through applications such as OpenVPN, it really does have an influence; at least in the tests I did, when ping is disabled OpenVPN does not connect.

                            marcelloc last edited by

                            @marceloengecom:

                            [2.3.4-RELEASE][root@firewall01.vmobc.local]/root: tcpdump -ni xn1
                            tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                            listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
                            04:13:46.838325 IP 192.168.25.2.4022 > 177.18.191.148.63918: Flags [P.], seq 1378918515:1378918723, ack 2856631673, win 510, length 208
                            04:13:47.035726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9821, length 8
                            04:13:47.036467 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9821, length 8
                            04:13:47.537726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9822, length 8
                            04:13:47.538460 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9822, length 8
                            04:13:48.038909 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9823, length 8
                            04:13:48.039732 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9823, length 8
                            04:13:48.539728 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9824, length 8
                            04:13:48.540519 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9824, length 8
                            04:13:49.040728 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9825, length 8
                            04:13:49.041361 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9825, length 8
                            04:13:49.545734 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9826, length 8
                            04:13:49.546559 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9826, length 8
                            04:13:50.046827 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9827, length 8
                            04:13:50.047587 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9827, length 8
                            04:13:50.547730 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9828, length 8
                            04:13:50.548324 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9828, length 8
                            04:13:51.048727 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9829, length 8
                            04:13:51.049183 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9829, length 8
                            04:13:51.550720 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9830, length 8
                            04:13:51.551181 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9830, length 8
                            04:13:52.051726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9831, length 8
                            04:13:52.052412 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9831, length 8
                            04:13:52.553730 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9832, length 8
                            04:13:52.554440 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9832, length 8
                            04:13:53.054761 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9833, length 8
                            04:13:53.055276 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9833, length 8
                            04:13:53.556735 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9834, length 8
                            04:13:53.557278 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9834, length 8
                            04:13:54.058732 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9835, length 8
                            04:13:54.059304 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9835, length 8
                            04:13:54.560731 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9836, length 8
                            04:13:54.561302 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9836, length 8
                            04:13:55.062533 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9837, length 8
                            04:13:55.063338 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9837, length 8
                            04:13:55.562726 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9838, length 8
                            04:13:55.563333 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9838, length 8
                            
                            

                            I didn't find any record of your external ping in this log either, only the gateway test between it and the fw.

                            Look at the OpenVPN logs tab and see whether any further information appears.

                            • M
                              marceloengecom last edited by

                              Regarding your ping rule: on my servers I normally leave external ping disabled, but when I need it I create this rule.
                              Your rule is different; try making it the same as mine.
                              See the image below.
                              https://www.dropbox.com/s/3bpoo0j5disip5u/pingexterno.PNG?dl=0

                              Regarding the question about ping and the VPN working:
                                If you are going to use a server-to-server VPN, ping has no influence.
                                If you are going to use a VPN with access through applications such as OpenVPN, it really does have an influence; at least in the tests I did, when ping is disabled OpenVPN does not connect.

                              Hi André,

                              Thanks for trying to help!

                              I have already added that rule for PING, but it didn't work either. And I really am using the OpenVPN software for a "Remote Access" type connection.


                              • marcelloc
                                marcelloc last edited by

                                The tcpdump shows that the ping packets are not reaching the firewall. The rule will only take effect when the packet arrives at the WAN on the fw.

                                • M
                                  marceloengecom last edited by

                                  @marcelloc:

                                  The tcpdump shows that the ping packets are not reaching the firewall. The rule will only take effect when the packet arrives at the WAN on the fw.

                                  Hi Marcello,

                                  I have never used tcpdump, but it seems to me that at some moments the WAN port (192.168.25.2) responds to the ICMP request coming from the modem (192.168.25.1).

                                  04:13:54.561302 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9836, length 8
                                  04:13:55.062533 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9837, length 8

                                  • marcelloc
                                    marcelloc last edited by

                                    @marceloengecom:

                                    I have never used tcpdump, but it seems to me that at some moments the WAN port (192.168.25.2) responds to the ICMP request coming from the modem (192.168.25.1).

                                    Actually it is the opposite: the reply is the response to the ping request generated by the firewall to find out whether the gateway is up and reachable.

                                    What should appear there is your external client IP as the source of the request and the firewall's IP as the destination of that same request.

                                    1 Reply Last reply Reply Quote 0
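The distinction made in the post above, between the firewall's own gateway-monitoring probes and a ping arriving from outside, as an added example that is not part of the original posts: a small classifier for tcpdump's ICMP echo lines. The address 203.0.113.10 and the last two capture lines are constructed for illustration; the function and variable names are this example's own.

```python
import re
from collections import Counter

# tcpdump's one-line ICMP echo format, as seen in the capture in this thread.
LINE = re.compile(
    r"^\s*\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def classify_echo_traffic(capture, wan_ip):
    """Split ICMP echo traffic by direction relative to the firewall's WAN IP."""
    counts = Counter()
    inbound_sources = set()
    sent = set()  # (peer, id, seq) of requests the firewall itself sent
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, kind = m["src"], m["dst"], m["kind"]
        probe = (m["id"], m["seq"])
        if kind == "request" and src == wan_ip:
            counts["probe_sent"] += 1        # firewall pinging out (gateway monitor)
            sent.add((dst, *probe))
        elif kind == "reply" and dst == wan_ip:
            # A reply answers the firewall only if it matches a probe it sent.
            matched = (src, *probe) in sent
            counts["probe_answered" if matched else "unmatched_reply"] += 1
        elif kind == "request" and dst == wan_ip:
            counts["inbound_request"] += 1   # a ping arriving at the WAN
            inbound_sources.add(src)
        elif kind == "reply" and src == wan_ip:
            counts["inbound_answered"] += 1  # firewall answering that ping
    return dict(counts), sorted(inbound_sources)

# Two lines copied from the thread's capture: gateway monitoring only.
THREAD_CAPTURE = """\
04:13:55.062533 IP 192.168.25.2 > 192.168.25.1: ICMP echo request, id 13137, seq 9837, length 8
04:13:55.063338 IP 192.168.25.1 > 192.168.25.2: ICMP echo reply, id 13137, seq 9837, length 8
"""
# Constructed lines: what would appear if an outside ping reached the WAN.
CONSTRUCTED_CAPTURE = THREAD_CAPTURE + """\
04:14:01.100000 IP 203.0.113.10 > 192.168.25.2: ICMP echo request, id 4242, seq 1, length 64
04:14:01.100200 IP 192.168.25.2 > 203.0.113.10: ICMP echo reply, id 4242, seq 1, length 64
"""

if __name__ == "__main__":
    print(classify_echo_traffic(THREAD_CAPTURE, "192.168.25.2"))
    print(classify_echo_traffic(CONSTRUCTED_CAPTURE, "192.168.25.2"))
```

A capture with no `inbound_request` entries while an outside host is pinging means the packets are dropped upstream of the firewall, so no WAN rule can affect them.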
                                    • M
                                      marceloengecom last edited by

                                      So it is the modem that is blocking the ping!!! Strange that it lets other ports through.

                                      I am using the Pace v5471 modem, supplied by VIVO and unlocked with the Tripleoxygen firmware (OXY-42006).

                                      • danilosv.03
                                        danilosv.03 last edited by

                                        Do you have a public IP for this kind of work?

                                        • M
                                          marceloengecom last edited by

                                          @danilosv.03:

                                          Do you have a public IP for this kind of work?

                                          I use a Dynamic DNS service that is fully functional. The service is configured directly in pfSense.

                                          • M
                                            marceloengecom last edited by

                                            Problem solved…

                                            I checked the OpenVPN logs and they showed the following errors:

                                            187.113.211.72:58035 TLS Error: TLS handshake failed
                                            Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 TLS Error: TLS object -> incoming plaintext read error
                                            Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 TLS_ERROR: BIO read tls_read_plaintext error
                                            Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                                            Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 VERIFY SCRIPT ERROR: depth=0, C=BR, ST=<estado>, L=<cidade>, O=<organização>, emailAddress=<email>, CN= <nome-comum>
                                            Jun 1 14:12:03 openvpn 23410 <ip-cliente>:58035 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1

                                            What I did then was disable the certificate depth check.

                                            In VPN / OpenVPN / Servers / Edit:
                                            In the "Certificate Depth" field, set "Do Not Check"

                                            That procedure alone was enough and the VPN connection worked.

                                            Another important detail is that it still did not respond to ping, because of the modem's restriction (Pace v5471, supplied by GVT). Although it does not seem to interfere with the services opened on pfSense, I looked for information on how to allow remote ping so that I could monitor the internet connectivity.

                                            Enabling ping on the WAN port of the Pace v5471 modem:

                                            Connect to the modem via SSH
                                            User: admin
                                            Password: gvt12345

                                            Commands:

                                            cli

                                            set WANConnectionDevice_1_Firewall_AllowRemotePing 1
                                            fcommit
                                            exit
                                            reboot

                                            Thanks to everyone on the forum for the help!

                                            Regards,
