[solved] Best way to securely check if a connection attempt reached pfSense



  • I have a very specific problem where one single user is suddenly not able to reach web services behind a pfSense, getting an ERR_CONNECTION_REFUSED (so all other users I have knowledge of are able to use the services and this specific user was as well until a day ago), and for the next step in troubleshooting I only want to be really sure if one of his HTTP(S) requests makes it to pfSense or not so that I get an idea if the problem lies before, on or after pfSense.

    His IP does not come up in the firewall logs (which should log everything they block but I'm not sure if I really see everything here) and also not in pfTop which would lead me to believe he gets blocked before pfSense. But as it seems like a mere HTTP(S) block and only when he goes over this pfSense and for example not when I let him route explicitly over a secondary IP on a secondary pfSense with the same config, I'm worried that it still might be something on the box in question.

    So is there a good way to be dead sure if a specific request reaches pfSense at all (and gets blocked or whatsoever afterwards) or if it definitely never made it so far?


  • Rebel Alliance Global Moderator

    I assume he is coming into your wan interface?  Then the simple thing is to sniff (packet capture, under diag) on your wan interface for the port and his IP, so if https that should be 443... Have him try it and see if you see any traffic hit your wan.

    If not then pfsense can not forward, can not block what it never gets.  If you do see it and it's forwarded like the rest then you can look to see why your httpd might be blocking him.



  • Thanks, you assume correct. I will try that; I wasn't sure that packet capturing on an interface happens before all blocking/forwarding rules.


  • Rebel Alliance Global Moderator

    Be kind of pointless to sniff after block rules, etc.  Sniff shows you everything that hits the interface - what the OS does with it after that is up to the OS (pfsense)...



  • Indeed, but you never know how something actually is implemented and if that makes sense, and I'm relatively new to pfSense although I have set up a few boxes meanwhile ;-)



  • So the packet capturing feature directly in the web GUI really is extremely neat, one reason more to like pfSense! … and my problem was actually behind pfSense, looks like I missed it in pfTop before.



  • @Zulucon:

    So the packet capturing feature directly in the web GUI really is extremely neat, one reason more to like pfSense! … and my problem was actually behind pfSense, looks like I missed it in pfTop before.

    While that packet capture works, I prefer Wireshark.  It would be nice if it could be run on pfSense.  At the moment, I have to use a separate computer and managed switch, to see what's happening on the WAN side.  Wireshark is much more flexible and useful than the limited capabilities of packet capture.



  • @JKnott:

    @Zulucon:

    So the packet capturing feature directly in the web GUI really is extremely neat, one reason more to like pfSense! … and my problem was actually behind pfSense, looks like I missed it in pfTop before.

    While that packet capture works, I prefer Wireshark.  It would be nice if it could be run on pfSense.  At the moment, I have to use a separate computer and managed switch, to see what's happening on the WAN side.  Wireshark is much more flexible and useful than the limited capabilities of packet capture.

    Why not just use tcpdump -i <interface> -w <capture_file>, it writes a pcap formatted file, that you can open in wireshark.

    I just used it yesterday , and scp'ed the pcap-file to my desktop , for wireshark viewing.

    Neat tcpdump ref.
    https://danielmiessler.com/study/tcpdump/

    https://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/

    /Bingo
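    The moderator's advice above (sniff the WAN for the client's IP and port 443) and Bingo's tcpdump -w suggestion both end with a pcap file that has to answer one question: did a SYN from that client arrive on the interface, and what, if anything, went back? The following script is an added example, not code from this thread or from pfSense; it reads a classic pcap (as written by tcpdump -w or the GUI capture) with only the standard library and classifies the client's HTTPS attempts. It assumes Ethernet framing and IPv4; the sample frames at the bottom are constructed with documentation addresses.

```python
"""Added example: classify a client's HTTPS attempts in a tcpdump/pfSense pcap."""
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _dotted(b):
    return ".".join(str(x) for x in b)


def iter_records(pcap):
    """Yield raw frames from a classic pcap byte string, honouring the writer's endianness."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # little-endian writer, usec or nsec stamps
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet link type (DLT_EN10MB)")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":      # EtherType IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl or ip[9] != 6:                         # protocol 6 = TCP
        return None
    src, dst = _dotted(ip[12:16]), _dotted(ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]                 # byte 13 holds the flag bits


def summarize(pcap, client_ip, port):
    """Count the client's SYNs toward `port` and what, if anything, came back to it."""
    seen = {"syn_from_client": 0, "synack_to_client": 0, "rst_to_client": 0}
    for frame in iter_records(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags = p
        if src == client_ip and dport == port and flags & SYN and not flags & ACK:
            seen["syn_from_client"] += 1
        elif dst == client_ip and sport == port:
            if flags & SYN and flags & ACK:
                seen["synack_to_client"] += 1
            elif flags & RST:
                seen["rst_to_client"] += 1
    return seen


def verdict(seen):
    """Map the counts onto the thread's three cases: before, on, or after pfSense."""
    if seen["syn_from_client"] == 0:
        return "no SYN on this interface: the problem is upstream of pfSense"
    if seen["rst_to_client"]:
        return "SYN arrived and was answered with RST: refused on pfSense (reject rule) or by a host behind it"
    if seen["synack_to_client"]:
        return "handshake completed here: look past the firewall (httpd, app)"
    return "SYN arrived but nothing came back: check rules and states on pfSense"


# --- constructed sample data (not a real capture) --------------------------------
def _frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums are zero since the parser ignores them."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _ip_bytes(src), _ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return bytes(out)


CLIENT, SERVER = "203.0.113.7", "198.51.100.10"    # documentation addresses, constructed
SAMPLE_REFUSED = _pcap([
    _frame(CLIENT, SERVER, 51234, 443, SYN),
    _frame(SERVER, CLIENT, 443, 51234, RST | ACK),
    _frame(CLIENT, SERVER, 51235, 443, SYN),
])
SAMPLE_EMPTY = _pcap([_frame("192.0.2.9", SERVER, 40000, 443, SYN)])   # another user only

if __name__ == "__main__":
    for name, cap in (("refused", SAMPLE_REFUSED), ("empty", SAMPLE_EMPTY)):
        s = summarize(cap, CLIENT, 443)
        print(name, s, "->", verdict(s))
```

    To use it on a real capture, replace the constructed samples with `open("wan.pcap", "rb").read()`; the script deliberately does not read pcapng, so save from the GUI or tcpdump in classic pcap format. An RST here does not by itself say whether pfSense (a reject rule) or the server behind it sent it; the source MAC of the RST frame, or the states check below, separates the two.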



  • Why not just use tcpdump -i <interface> -w <capture_file>, it writes a pcap formatted file, that you can open in wireshark.

    Because Wireshark is far more flexible.  For example you can combine filters, such as MAC and protocol type, at the same time.  You can set up complex capture rules, using boolean operators.  You can also watch in real time.



  • One can send tcpdump's output live over SSH to Wireshark.
    https://kaischroed.wordpress.com/2013/01/28/howto-use-wireshark-over-ssh/


  • Rebel Alliance Developer Netgate

    Don't go straight to a packet capture. First, check Diagnostics > States immediately after the client attempts a connection. See what, if any, states are in the table that match the traffic in question. Only go for a packet capture if the states don't provide the answers you need.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
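    The Diagnostics > States check above relies on one property of pf: a state entry is created only when a pass rule matched the packet, so a client with no state either was blocked or never arrived, while a client with a state got through the firewall and the refusal came from further on. The following is an added example, not pfSense code, that filters the text form of that table (`pfctl -ss` from the shell) for one client address. It assumes the IPv4 line layout shown in the constructed sample (interface, protocol, endpoint, optional NAT address in parentheses, direction arrow, peer, state pair); IPv6 lines are not handled.

```python
"""Added example: find a client's entries in `pfctl -ss` output."""
import re

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)(?:\s+\((?P<a_nat>[^)]+)\))?"
    r"\s+(?P<dir><-|->)\s+(?P<b>\S+)(?:\s+\((?P<b_nat>[^)]+)\))?\s+(?P<state>\S+)\s*$"
)


def _host(endpoint):
    """Strip the :port from an IPv4 endpoint such as 203.0.113.7:51234."""
    return endpoint.rsplit(":", 1)[0]


def states_for(lines, client_ip):
    """Return parsed states in which client_ip appears as an endpoint or NAT address."""
    hits = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m:
            continue                      # header lines or layouts this parser does not know
        d = m.groupdict()
        hosts = {_host(d[k]) for k in ("a", "b", "a_nat", "b_nat") if d[k]}
        if client_ip in hosts:
            hits.append(d)
    return hits


def explain(hits):
    """States exist only after a pass rule matched, so 'none' means blocked or never arrived."""
    if not hits:
        return "no state: packet was blocked, or never reached pfSense (a capture tells which)"
    return "; ".join(f"{h['proto']} {h['a']} {h['dir']} {h['b']} {h['state']}" for h in hits)


# Constructed sample lines in pfctl -ss layout (not real output from the poster's box);
# 198.51.100.10 plays the WAN address, 10.0.0.0/24 the LAN behind it.
SAMPLE = """\
all tcp 10.0.0.20:443 (198.51.100.10:443) <- 192.0.2.9:40000       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53 <- 10.0.0.30:5000       SINGLE:MULTIPLE
all tcp 198.51.100.10:61000 (10.0.0.30:61000) -> 203.0.113.50:443       ESTABLISHED:ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    for ip in ("192.0.2.9", "203.0.113.7"):      # a working user and the affected user
        print(ip, "->", explain(states_for(SAMPLE, ip)))
```

    On the box itself, feed it live data with `states_for(subprocess.run(["pfctl", "-ss"], capture_output=True, text=True).stdout.splitlines(), ip)` right after the client retries, since states for a refused connection can age out quickly.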