    [solved] Best way to securely check if a connection attempt reached pfSense

    • Z
      Zulucon last edited by

      I have a very specific problem where one single user is suddenly not able to reach web services behind a pfSense, getting an ERR_CONNECTION_REFUSED (all other users I know of are able to use the services, and this specific user was as well until a day ago). For the next step in troubleshooting I only want to be really sure whether one of his HTTP(S) requests makes it to pfSense or not, so that I get an idea whether the problem lies before, on or after pfSense.

      His IP does not come up in the firewall logs (which should log everything they block but I'm not sure if I really see everything here) and also not in pfTop which would lead me to believe he gets blocked before pfSense. But as it seems like a mere HTTP(S) block and only when he goes over this pfSense and for example not when I let him route explicitly over a secondary IP on a secondary pfSense with the same config, I'm worried that it still might be something on the box in question.

      So is there a good way to be dead sure whether a specific request reaches pfSense at all (and gets blocked or whatsoever afterwards) or whether it definitely never made it that far?

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        I assume he is coming into your wan interface?  Then simple is to sniff (packet capture, under diag) on your wan interface for the port and his IP so if https that should be 443.. Have him try it and see if you see any traffic hit your wan.

        If not, then pfSense can not forward, and can not block, what it never gets.  If you do see it and it's forwarded like the rest, then you can look to see why your httpd might be blocking him.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

        • Z
          Zulucon last edited by

          Thanks, you assume correct. I will try that; I wasn't sure that packet capturing on an interface happens before all blocking/forwarding rules.

          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            It would be kind of pointless to sniff after block rules, etc.  Sniffing shows you everything that hits the interface; what the OS does with it after that is up to the OS (pfSense)..


            • Z
              Zulucon last edited by

              Indeed, but you never know how something actually is implemented and whether that makes sense, and I'm relatively new to pfSense, although I have set up a few boxes in the meantime ;-)

              • Z
                Zulucon last edited by

                So the packet capturing feature directly in the web GUI really is extremely neat, one reason more to like pfSense! … and my problem was actually behind pfSense, looks like I missed it in pfTop before.

                • JKnott
                  JKnott last edited by

                  @Zulucon:

                  So the packet capturing feature directly in the web GUI really is extremely neat, one reason more to like pfSense! … and my problem was actually behind pfSense, looks like I missed it in pfTop before.

                  While that packet capture works, I prefer Wireshark.  It would be nice if it could be run on pfSense.  At the moment, I have to use a separate computer and managed switch, to see what's happening on the WAN side.  Wireshark is much more flexible and useful than the limited capabilities of packet capture.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 64 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  • bingo600
                    bingo600 LAYER 8 last edited by

                    @JKnott:

                    @Zulucon:

                    So the packet capturing feature directly in the web GUI really is extremely neat, one reason more to like pfSense! … and my problem was actually behind pfSense, looks like I missed it in pfTop before.

                    While that packet capture works, I prefer Wireshark.  It would be nice if it could be run on pfSense.  At the moment, I have to use a separate computer and managed switch, to see what's happening on the WAN side.  Wireshark is much more flexible and useful than the limited capabilities of packet capture.

                    Why not just use tcpdump -i <interface> -w <capture_file>? It writes a pcap-formatted file that you can open in Wireshark.

                    I just used it yesterday, and scp'ed the pcap file to my desktop for Wireshark viewing.

                    Neat tcpdump ref.
                    https://danielmiessler.com/study/tcpdump/

                    https://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/

                    /Bingo

                    If you find my answer useful - Please give the post a 👍 - "thumbs up"

                    pfSense+ 22.01 (ZFS)

                    QOTOM-Q355G4 Quad Lan.
                    CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                    LAN  : 4 x Intel 211, Disk  : 250G EVO870 Sata SSD

                    • JKnott
                      JKnott last edited by

                      Why not just use tcpdump -i <interface> -w <capture_file>? It writes a pcap-formatted file that you can open in Wireshark.

                      Because Wireshark is far more flexible.  For example, you can combine filters, such as MAC and protocol type, at the same time.  You can set up complex capture rules using boolean operators.  You can also watch in real time.


                      • Pippin
                        Pippin last edited by

                        One can send tcpdump's output live over SSH to Wireshark.
                        https://kaischroed.wordpress.com/2013/01/28/howto-use-wireshark-over-ssh/

                        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                        Halton Arp

                        • jimp
                          jimp Rebel Alliance Developer Netgate last edited by

                          Don't go straight to a packet capture. First, check Diagnostics > States immediately after the client attempts a connection. See what, if any, states are in the table that match the traffic in question. Only go for a packet capture if the states don't provide the answers you need.

                          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

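The troubleshooting order the thread converges on (jimp's state-table check first, then johnpoz's WAN sniff for one client IP and port, then bingo600's and Pippin's tcpdump/Wireshark variants), pulled together as an added example that is not code from any of the posters; the interface name, SSH host, IP addresses and the sample pfctl -ss lines are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not from the thread. Shell helpers usable from a pfSense SSH
# shell (FreeBSD sh). All interface, host and address values are constructed.

# BPF filter for one client IP and one destination port (443 for HTTPS),
# the same filter johnpoz applies in the Diagnostics > Packet Capture GUI.
bpf_filter() {
    printf 'host %s and tcp port %s' "$1" "${2:-443}"
}

# tcpdump command for a WAN capture written to a pcap file for Wireshark.
# Arguments: interface, client IP, port, output file.
capture_cmd() {
    printf 'tcpdump -ni %s -w %s %s' "$1" "${4:-/tmp/client.pcap}" \
        "$(bpf_filter "$2" "$3")"
}

# Live variant: tcpdump on pfSense over SSH, piped into Wireshark on the
# desktop (-U flushes per packet; Wireshark reads the stream from stdin).
# Arguments: pfSense host, interface, client IP, port.
live_cmd() {
    printf "ssh root@%s 'tcpdump -ni %s -U -w - %s' | wireshark -k -i -" \
        "$1" "$2" "$(bpf_filter "$3" "$4")"
}

# Count state-table entries whose source (the address after "<-") is the
# client IP. Reads pfctl -ss output on stdin. IPv4 only: the address:port
# split on ":" does not handle IPv6 literals.
# Usage on pfSense: pfctl -ss | count_client_states 198.51.100.25
count_client_states() {
    awk -v ip="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == "<-") { split($(i + 1), a, ":"); if (a[1] == ip) n++ } }
        END { print n + 0 }'
}

# Constructed sample of pfctl -ss output (port forward to 192.168.1.10:443).
SAMPLE_STATES='all tcp 192.168.1.10:443 (203.0.113.1:443) <- 198.51.100.25:51234       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:443 (203.0.113.1:443) <- 198.51.100.25:51240       SYN_SENT:CLOSED
all udp 192.168.1.1:53 <- 192.168.1.50:40213       MULTIPLE:SINGLE'

# Zero states for the client means no SYN produced a state: either it never
# reached the box or a rule blocked it; only a WAN capture settles which.
n=$(printf '%s\n' "$SAMPLE_STATES" | count_client_states 198.51.100.25)
echo "states for 198.51.100.25: $n"
echo "$(capture_cmd em0 198.51.100.25 443 /tmp/client.pcap)"
```

A state present with a SYN_SENT:CLOSED pair means the SYN was forwarded but nothing answered, which points behind pfSense rather than at it.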