Netgate Discussion Forum
    Strange issue

    NAT
    2 Posts 2 Posters 3.9k Views
      wowbagger

      Argh, I was too quick and deleted the actual question!

      I have a pfSense with WAN / em0 on 10.0.56.100/24, and a LAN / em1 at 192.168.50.1/24.
      I created a VIP for WAN on 10.0.56.11 and created a port forward rule for 10.0.56.11:10080 to 192.168.50.10:10080.
      A client on the WAN with IP 10.0.56.101 hits port 10080 and gets forwarded. That works.
      A client on the WAN with IP 10.44.0.243 hits port 10080 and gets forwarded. Working.

      I now copy that port forwarding rule and change port 10080 to 80.
      A client on the WAN with IP 10.0.56.101 hits port 80 and gets forwarded. That works.
      A client on the WAN with IP 10.44.0.243 hits port 80 and gets the pfSense admin redirect page to 8443 (8443 is what I set the admin web configurator to).
      I disable the redirect in the advanced setup option, reboot pfSense, reboot client & browser. Same thing: the client with IP 10.44.0.243 hits WAN 10.0.56.11:80 and gets the admin redirect.

      Where should I start looking?

      pfctl -sa
      TRANSLATION RULES:
      no nat proto carp all
      nat-anchor "natearly/*" all
      nat-anchor "natrules/*" all
      nat on em0 inet from <tonatsubnets> to any port = isakmp -> 10.0.56.100 static-port
      nat on em0 inet from <tonatsubnets> to any -> 10.0.56.100 port 1024:65535
      nat on em2 inet from <tonatsubnets> to any port = isakmp -> 192.168.20.20 static-port
      nat on em2 inet from <tonatsubnets> to any -> 192.168.20.20 port 1024:65535
      nat on em3 inet from <tonatsubnets> to any port = isakmp -> 172.31.255.100 static-port
      nat on em3 inet from <tonatsubnets> to any -> 172.31.255.100 port 1024:65535
      no rdr proto carp all
      rdr-anchor "relayd/*" all
      rdr-anchor "tftp-proxy/*" all
      rdr on em0 inet proto tcp from any to 10.0.56.11 port = http -> 192.168.50.10
      rdr on em0 inet proto tcp from any to 10.0.56.11 port = amanda -> 192.168.50.10
      rdr on em2 inet proto tcp from 192.168.0.11 to 192.168.20.21 port = http -> 192.168.50.10
      rdr on em2 inet proto tcp from 192.168.0.0/24 to 192.168.20.21 port = 1158 -> 192.168.50.9
      rdr on em2 inet proto tcp from 192.168.0.0/24 to 192.168.20.21 port = ncube-lm -> 192.168.50.9
      rdr on em2 inet proto tcp from 192.168.0.0/24 to 192.168.20.21 port = 5500 -> 192.168.50.9
      rdr on em2 inet proto tcp from 192.168.20.0/24 to 192.168.20.20 port = 8443 -> 192.168.50.1
      rdr on em4 inet proto tcp from 192.168.60.0/24 to 192.168.20.20 port = 8443 -> 192.168.50.1
      rdr on em2 inet proto tcp from 192.168.20.0/24 to 192.168.20.20 port = 3000 -> 192.168.50.1 port 8443
      rdr-anchor "miniupnpd" all

      FILTER RULES:
      scrub on em0 all no-df fragment reassemble
      scrub on em1 all no-df fragment reassemble
      scrub on em2 all no-df fragment reassemble
      scrub on em3 all no-df fragment reassemble
      scrub on em4 all no-df fragment reassemble
      anchor "relayd/*" all
      anchor "openvpn/*" all
      anchor "ipsec/*" all
      pass in log quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out log quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      block drop in log quick inet6 all label "Block all IPv6"
      block drop out log quick inet6 all label "Block all IPv6"
      block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
      block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
      block drop in log inet all label "Default deny rule IPv4"
      block drop out log inet all label "Default deny rule IPv4"
      block drop in log inet6 all label "Default deny rule IPv6"
      block drop out log inet6 all label "Default deny rule IPv6"
      pass log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      pass log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      pass log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      pass log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
      pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
      pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
      pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
      pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
      block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
      block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
      block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
      block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
      block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
      block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
      block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
      block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
      block drop log quick from <snort2c> to any label "Block snort2c hosts"
      block drop log quick from any to <snort2c> label "Block snort2c hosts"
      block drop in log quick proto carp from (self) to any
      pass log quick proto carp all no state
      block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
      block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = 8443 label "webConfiguratorlockout"
      block drop in log quick from <virusprot> to any label "virusprot overload table"
      block drop in log on ! em0 inet from 10.0.56.0/24 to any
      block drop in log inet from 10.0.56.100 to any
      block drop in log inet from 10.0.56.11 to any
      block drop in log on em0 inet6 from fe80::20c:29ff:fe47:57ba to any
      block drop in log on ! em1 inet from 192.168.50.0/24 to any
      block drop in log inet from 192.168.50.1 to any
      block drop in log on em1 inet6 from fe80::20c:29ff:fe47:57c4 to any
      pass in log quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      pass in log quick on em1 inet proto udp from any port = bootpc to 192.168.50.1 port = bootps keep state label "allow access to DHCP server"
      pass out log quick on em1 inet proto udp from 192.168.50.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      block drop in log on ! em2 inet from 192.168.20.0/24 to any
      block drop in log inet from 192.168.20.20 to any
      block drop in log inet from 192.168.20.21 to any
      block drop in log on em2 inet6 from fe80::20c:29ff:fe47:57ce to any
      block drop in log on ! em3 inet from 172.31.255.0/24 to any
      block drop in log inet from 172.31.255.100 to any
      block drop in log on em3 inet6 from fe80::20c:29ff:fe47:57d8 to any
      pass in log on em3 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN0NAT"
      pass out log on em3 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN0NAT"
      block drop in log on ! em4 inet from 192.168.60.0/24 to any
      block drop in log inet from 192.168.60.1 to any
      block drop in log on em4 inet6 from fe80::20c:29ff:fe47:57e2 to any
      pass in log quick on em4 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      pass in log quick on em4 inet proto udp from any port = bootpc to 192.168.60.1 port = bootps keep state label "allow access to DHCP server"
      pass out log quick on em4 inet proto udp from 192.168.60.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      pass in log on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass out log on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass in log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out log inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      pass out log route-to (em0 10.0.56.254) inet from 10.0.56.100 to ! 10.0.56.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out log route-to (em0 10.0.56.254) inet from 10.0.56.11 to ! 10.0.56.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out log route-to (em2 192.168.20.1) inet from 192.168.20.20 to ! 192.168.20.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out log route-to (em2 192.168.20.1) inet from 192.168.20.21 to ! 192.168.20.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out log route-to (em3 172.31.255.1) inet from 172.31.255.100 to ! 172.31.255.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in log quick on em1 proto tcp from any to (em1) port = 8443 flags S/SA keep state label "anti-lockout rule"
      pass in log quick on em1 proto tcp from any to (em1) port = ssh flags S/SA keep state label "anti-lockout rule"
      anchor "userrules/*" all
      pass in log quick on em0 reply-to (em0 10.0.56.254) inet proto tcp from any to 192.168.50.10 port = http flags S/SA keep state label "USER_RULE: NAT NAT for enekets http PRD to DILEWEB0001"
      pass in log quick on em0 reply-to (em0 10.0.56.254) inet proto tcp from any to 192.168.50.10 port = amanda flags S/SA keep state label "USER_RULE: NAT NAT for enekets http ACC to DILEWEB0001"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto icmp from any to (self) icmp-type echorep keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto icmp from any to (self) icmp-type echoreq keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto icmp from any to (self) icmp-type trace keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto icmp from any to 10.0.56.11 icmp-type echorep keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto icmp from any to 10.0.56.11 icmp-type echoreq keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto icmp from any to 10.0.56.11 icmp-type trace keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet from any to 10.0.56.11 flags S/SA keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto tcp from 10.44.0.0/24 to 10.0.56.11 port = http flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto tcp from 10.44.0.0/24 to 10.0.56.11 port = amanda flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
      pass in quick on em0 reply-to (em0 10.0.56.254) inet proto tcp from 10.44.0.243 to 10.0.56.11 port = http flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
      pass in quick on em1 inet proto tcp from any to (self) port = domain flags S/SA keep state label "USER_RULE: Allow LAN DNS lookups"
      pass in quick on em1 inet proto udp from any to (self) port = domain keep state label "USER_RULE: Allow LAN DNS lookups"
      pass in quick on em1 inet proto tcp from 192.168.50.0/24 to 80.81.194.131 port = https flags S/SA keep state label "USER_RULE: Allow outgoing softether to vpn.zoelidad.com"
      pass in quick on em1 inet proto udp from 192.168.50.0/24 to 80.81.194.131 port = https keep state label "USER_RULE: Allow outgoing softether to vpn.zoelidad.com"
      pass in quick on em1 inet proto tcp from 192.168.50.0/24 to 192.168.20.104 port = ssh flags S/SA keep state label "USER_RULE: allow access to synology"
      pass in quick on em1 inet proto icmp from 192.168.50.0/24 to 10.44.2.4 keep state label "USER_RULE: Allow Ping to enekets - SMTP"
      pass in quick on em1 inet proto icmp from 192.168.50.0/24 to 10.44.2.1 keep state label "USER_RULE: Allow Ping to enekets - LDAP"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto icmp from any to 192.168.20.20 icmp-type echorep keep state label "USER_RULE: allow ping from 192.168. subnet"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto icmp from any to 192.168.20.20 icmp-type echoreq keep state label "USER_RULE: allow ping from 192.168. subnet"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto icmp from any to 192.168.20.20 icmp-type trace keep state label "USER_RULE: allow ping from 192.168. subnet"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto tcp from 192.168.0.11 to 192.168.50.10 port = http flags S/SA keep state label "USER_RULE: NAT NAT for zoelidad Sub to enekets http PRD to DIL…"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto tcp from 192.168.20.0/24 to (self) port = 3000 flags S/SA keep state label "USER_RULE"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet from 192.168.20.0/24 to (self) flags S/SA keep state label "USER_RULE"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto tcp from any to (self) port = 8443 flags S/SA keep state label "USER_RULE: Allow pfSense Admin from OPT1"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto tcp from 192.168.0.0/24 to 192.168.50.9 port = 1158 flags S/SA keep state label "USER_RULE: NAT NAT for zoelidad Sub to enekets Oracle EM"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto tcp from 192.168.0.0/24 to 192.168.50.9 port = 5500 flags S/SA keep state label "USER_RULE: NAT NAT for zoelidad Sub to VO Oracle EM"
      pass in quick on em2 reply-to (em2 192.168.20.1) inet proto tcp from 192.168.0.0/24 to 192.168.50.9 port = ncube-lm flags S/SA keep state label "USER_RULE: NAT NAT for zoelidad Sub to VO Oracle SQLNet"
      pass in log quick on em3 reply-to (em3 172.31.255.1) inet proto icmp from any to (self) keep state label "USER_RULE"
      pass in quick on em4 inet proto tcp from any to (self) port = domain flags S/SA keep state label "USER_RULE: Allow DNS lookups"
      pass in quick on em4 inet proto udp from any to (self) port = domain keep state label "USER_RULE: Allow DNS lookups"
      pass in quick on em4 inet proto tcp from 192.168.60.0/24 to 80.81.194.131 port = https flags S/SA keep state label "USER_RULE: Allow outgoing softether to vpn.zoelidad.com"
      pass in quick on em4 inet proto udp from 192.168.60.0/24 to 80.81.194.131 port = https keep state label "USER_RULE: Allow outgoing softether to vpn.zoelidad.com"
      pass in quick on em4 inet proto tcp from 192.168.60.0/24 to 192.168.50.1 port = 8443 flags S/SA keep state label "USER_RULE: NAT Allow secure VO subnet (via OPT interface) ac..."
      pass in quick on em4 inet from 192.168.60.0/24 to (self) flags S/SA keep state label "USER_RULE"
      pass in quick on em4 inet proto tcp from 192.168.60.0/24 to 192.168.50.9 port = ncube-lm flags S/SA keep state label "USER_RULE: Allow LAN2 - VO object access to Oracle"
      anchor "tftp-proxy/*" all
      No queue in use

      STATES:
      em0 icmp 10.0.56.11:12 <- 10.44.0.243:12      0:0
      em2 icmp 192.168.20.20:30327 -> 192.168.20.1:30327      0:0
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53665      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:13285 (192.168.50.10:53665) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      lo0 tcp 127.0.0.1:1131 -> 127.0.0.1:6379      ESTABLISHED:ESTABLISHED
      lo0 tcp 127.0.0.1:6379 <- 127.0.0.1:1131      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53648      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:40788 (192.168.50.10:53648) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53654      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:21753 (192.168.50.10:53654) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      lo0 tcp 127.0.0.1:51872 -> 127.0.0.1:6379      ESTABLISHED:ESTABLISHED
      lo0 tcp 127.0.0.1:6379 <- 127.0.0.1:51872      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53658      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:32930 (192.168.50.10:53658) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53660      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:45843 (192.168.50.10:53660) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53662      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:57811 (192.168.50.10:53662) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53667      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:59205 (192.168.50.10:53667) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53670      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:63381 (192.168.50.10:53670) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53671      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:64361 (192.168.50.10:53671) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.10:53673      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:43319 (192.168.50.10:53673) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED
      em2 tcp 192.168.20.20:22 <- 192.168.0.53:61197      ESTABLISHED:ESTABLISHED
      em0 udp 10.0.56.100:65390 -> 10.0.56.254:53      SINGLE:NO_TRAFFIC
      em0 udp 10.0.56.100:43577 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:27318 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:27499 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:51239 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:58692 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:36234 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:53939 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:26225 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:7183 -> 10.0.56.254:53      MULTIPLE:SINGLE
      lo0 udp 127.0.0.1:56408 -> 127.0.0.1:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:8438 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43820      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43820 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43822      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43822 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43826      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43826 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43828      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43828 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43830      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43830 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43832      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43832 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43842      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43842 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43844      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43844 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em4 tcp 192.168.50.9:1521 <- 192.168.60.101:43846      ESTABLISHED:ESTABLISHED
      em1 tcp 192.168.60.101:43846 -> 192.168.50.9:1521      ESTABLISHED:ESTABLISHED
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28017      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:42588 (192.168.50.9:28017) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28027      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:20324 (192.168.50.9:28027) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28030      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:25854 (192.168.50.9:28030) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28035      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:37798 (192.168.50.9:28035) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28038      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:31945 (192.168.50.9:28038) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28045      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:21067 (192.168.50.9:28045) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28048      TIME_WAIT:TIME_WAIT
      em0 tcp 10.0.56.100:21498 (192.168.50.9:28048) -> 80.81.194.131:443      TIME_WAIT:TIME_WAIT
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28058      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:13172 (192.168.50.9:28058) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28062      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:45119 (192.168.50.9:28062) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28069      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:31656 (192.168.50.9:28069) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 udp 192.168.50.1:53 <- 192.168.50.9:57659      MULTIPLE:MULTIPLE
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28072      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:57151 (192.168.50.9:28072) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28080      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:60036 (192.168.50.9:28080) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em0 udp 10.0.56.100:36046 -> 10.0.56.254:53      SINGLE:NO_TRAFFIC
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28085      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:11937 (192.168.50.9:28085) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28095      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:33130 (192.168.50.9:28095) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28098      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:50346 (192.168.50.9:28098) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em4 udp 192.168.60.1:53 <- 192.168.60.101:41199      SINGLE:MULTIPLE
      em1 udp 192.168.50.1:53 <- 192.168.50.9:15073      SINGLE:MULTIPLE
      em0 udp 10.0.56.100:46275 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em1 udp 192.168.50.1:53 <- 192.168.50.9:37865      SINGLE:MULTIPLE
      em0 udp 10.0.56.100:55982 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em1 udp 192.168.50.1:53 <- 192.168.50.9:55470      SINGLE:MULTIPLE
      em0 udp 10.0.56.100:34189 -> 10.0.56.254:53      SINGLE:NO_TRAFFIC
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28104      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:11561 (192.168.50.9:28104) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28107      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:45083 (192.168.50.9:28107) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em1 udp 192.168.50.1:53 <- 192.168.50.9:40321      SINGLE:MULTIPLE
      em0 udp 10.0.56.100:12435 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em1 udp 192.168.50.1:53 <- 192.168.50.9:57084      SINGLE:MULTIPLE
      em0 udp 10.0.56.100:43160 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em1 udp 192.168.50.1:53 <- 192.168.50.9:53063      SINGLE:MULTIPLE
      em0 udp 10.0.56.100:15412 -> 10.0.56.254:53      SINGLE:NO_TRAFFIC
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28115      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:10867 (192.168.50.9:28115) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      em4 udp 192.168.60.1:53 <- 192.168.60.101:38264      SINGLE:MULTIPLE
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28118      FIN_WAIT_2:FIN_WAIT_2
      em0 tcp 10.0.56.100:39013 (192.168.50.9:28118) -> 80.81.194.131:443      FIN_WAIT_2:FIN_WAIT_2
      lo0 udp 127.0.0.1:53 <- 127.0.0.1:56408      SINGLE:MULTIPLE
      em0 udp 10.0.56.100:51724 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:32809 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em0 udp 10.0.56.100:10739 -> 10.0.56.254:53      MULTIPLE:SINGLE
      em1 tcp 80.81.194.131:443 <- 192.168.50.9:28128      ESTABLISHED:ESTABLISHED
      em0 tcp 10.0.56.100:63957 (192.168.50.9:28128) -> 80.81.194.131:443      ESTABLISHED:ESTABLISHED

      INFO:
      Status: Enabled for 0 days 00:31:24          Debug: Urgent

      Interface Stats for em1              IPv4            IPv6
        Bytes In                        5629158                0
        Bytes Out                        4403937              320
        Packets In
          Passed                          16531                0
          Blocked                          9860                0
        Packets Out
          Passed                          16739                0
          Blocked                              0                4

      State Table                          Total            Rate
        current entries                      117
        searches                          194450          103.2/s
        inserts                            2953            1.6/s
        removals                            2836            1.5/s
      Counters
        match                              13586            7.2/s
        bad-offset                            0            0.0/s
        fragment                              0            0.0/s
        short                                  0            0.0/s
        normalize                              0            0.0/s
        memory                                0            0.0/s
        bad-timestamp                          0            0.0/s
        congestion                            0            0.0/s
        ip-option                              0            0.0/s
        proto-cksum                            0            0.0/s
        state-mismatch                        4            0.0/s
        state-insert                          0            0.0/s
        state-limit                            0            0.0/s
        src-limit                              0            0.0/s
        synproxy                              0            0.0/s
        divert                                0            0.0/s

      LABEL COUNTERS:
      pass IPv6 loopback 12895 0 0 0 0 0 0 0
      pass IPv6 loopback 165 0 0 0 0 0 0 0
      Block all IPv6 12565 28 3808 28 3808 0 0 0
      Block all IPv6 1333 0 0 0 0 0 0 0
      Block IPv4 link-local 12865 0 0 0 0 0 0 0
      Block IPv4 link-local 11368 0 0 0 0 0 0 0
      Default deny rule IPv4 11368 10321 1061133 10321 1061133 0 0 0
      Default deny rule IPv4 12866 0 0 0 0 0 0 0
      Default deny rule IPv6 12865 0 0 0 0 0 0 0
      Default deny rule IPv6 1499 0 0 0 0 0 0 0
      Block traffic from port 0 12867 0 0 0 0 0 0 0
      Block traffic from port 0 10615 0 0 0 0 0 0 0
      Block traffic to port 0 12867 0 0 0 0 0 0 0
      Block traffic to port 0 10615 0 0 0 0 0 0 0
      Block traffic from port 0 12867 0 0 0 0 0 0 0
      Block traffic from port 0 34 0 0 0 0 0 0 0
      Block traffic to port 0 0 0 0 0 0 0 0 0
      Block traffic to port 0 0 0 0 0 0 0 0 0
      Block snort2c hosts 12867 0 0 0 0 0 0 0
      Block snort2c hosts 12867 0 0 0 0 0 0 0
      sshlockout 12865 0 0 0 0 0 0 0
      webConfiguratorlockout 1869 0 0 0 0 0 0 0
      virusprot overload table 11743 0 0 0 0 0 0 0
      allow access to DHCP server 10429 3 984 3 984 0 0 3
      allow access to DHCP server 1 2 669 1 334 1 335 1
      allow access to DHCP server 10491 3 987 0 0 3 987 3
      allow dhcp client out WAN0NAT 73 0 0 0 0 0 0 0
      allow dhcp client out WAN0NAT 1557 0 0 0 0 0 0 0
      allow access to DHCP server 485 0 0 0 0 0 0 0
      allow access to DHCP server 1 2 656 1 328 1 328 1
      allow access to DHCP server 1577 0 0 0 0 0 0 0
      pass IPv4 loopback 12858 330 31520 165 12975 165 18545 165
      pass IPv4 loopback 330 0 0 0 0 0 0 0
      pass IPv6 loopback 330 0 0 0 0 0 0 0
      pass IPv6 loopback 165 0 0 0 0 0 0 0
      let out anything IPv4 from firewall host itself 12858 8082 2925143 3681 1500274 4401 1424869 1093
      let out anything IPv6 from firewall host itself 1496 0 0 0 0 0 0 0
      let out anything from firewall host itself 1495 21621 5460449 10590 2589583 11031 2870866 399
      let out anything from firewall host itself 576 0 0 0 0 0 0 0
      let out anything from firewall host itself 1496 0 0 0 0 0 0 0
      let out anything from firewall host itself 1496 0 0 0 0 0 0 0
      let out anything from firewall host itself 1495 0 0 0 0 0 0 0
      anti-lockout rule 13528 0 0 0 0 0 0 0
      anti-lockout rule 707 0 0 0 0 0 0 0
      USER_RULE: NAT NAT for enekets http PRD to DILEWEB0001 13530 0 0 0 0 0 0 0
      USER_RULE: NAT NAT for enekets http ACC to DILEWEB0001 0 0 0 0 0 0 0 0
      USER_RULE 86 0 0 0 0 0 0 0
      USER_RULE 9 0 0 0 0 0 0 0
      USER_RULE 9 0 0 0 0 0 0 0
      USER_RULE 0 0 0 0 0 0 0 0
      USER_RULE 0 0 0 0 0 0 0 0
      USER_RULE 0 0 0 0 0 0 0 0
      USER_RULE 85 1794 1302510 714 54171 1080 1248339 16
      USER_RULE: Easy Rule: Passed from Firewall Log View 0 0 0 0 0 0 0 0
      USER_RULE: Easy Rule: Passed from Firewall Log View 0 0 0 0 0 0 0 0
      USER_RULE: Easy Rule: Passed from Firewall Log View 0 0 0 0 0 0 0 0
      USER_RULE: Allow LAN DNS lookups 11989 0 0 0 0 0 0 0
      USER_RULE: Allow LAN DNS lookups 9441 1381 151531 691 64434 690 87097 406
      USER_RULE: Allow outgoing to vpn.zoelidad.com 10245 21960 5565860 11182 2926935 10778 2638925 373
      USER_RULE: Allow outgoing to vpn.zoelidad.com 8819 428 124997 223 68583 205 56414 0
      USER_RULE: allow access to synology 9860 0 0 0 0 0 0 0
      USER_RULE: Allow Ping to enekets - SMTP 9860 0 0 0 0 0 0 0
      USER_RULE: Allow Ping to enekets - LDAP 16 0 0 0 0 0 0 0
      USER_RULE: allow ping from 192.168. subnet 1298 0 0 0 0 0 0 0
      USER_RULE: allow ping from 192.168. subnet 186 0 0 0 0 0 0 0
      USER_RULE: allow ping from 192.168. subnet 186 0 0 0 0 0 0 0
      USER_RULE: NAT NAT for zoelidad Sub to enekets http PRD to DIL... 9984 0 0 0 0 0 0 0
      USER_RULE 5 0 0 0 0 0 0 0
      USER_RULE 135 0 0 0 0 0 0 0
      USER_RULE: Allow pfSense Admin from OPT1 5 359 161470 175 26586 184 134884 4
      USER_RULE 136 3470 519515 1681 112753 1789 406762 1
      USER_RULE: NAT NAT for zoelidad Sub to enekets Oracle EM 0 0 0 0 0 0 0 0
      USER_RULE: NAT NAT for zoelidad Sub to VO Oracle EM 0 0 0 0 0 0 0 0
      USER_RULE: NAT NAT for zoelidad Sub to VO Oracle SQLNet 0 0 0 0 0 0 0 0
      USER_RULE 11134 0 0 0 0 0 0 0
      USER_RULE: Allow DNS lookups 11093 0 0 0 0 0 0 0
      USER_RULE: Allow DNS lookups 476 266 21741 136 9252 130 12489 63
      USER_RULE: Allow outgoing softether to vpn.zoelidad.com 460 0 0 0 0 0 0 0
      USER_RULE: Allow outgoing softether to vpn.zoelidad.com 58 0 0 0 0 0 0 0
      USER_RULE: NAT Allow secure VO subnet (via OPT interface) ac... 460 0 0 0 0 0 0 0
      USER_RULE 460 0 0 0 0 0 0 0
      USER_RULE: Allow LAN2 - VO object access to Oracle 460 5922 2618721 3261 1324051 2661 1294670 10

      TIMEOUTS:
      tcp.first                  120s
      tcp.opening                  30s
      tcp.established          86400s
      tcp.closing                900s
      tcp.finwait                  45s
      tcp.closed                  90s
      tcp.tsdiff                  30s
      udp.first                    60s
      udp.single                  30s
      udp.multiple                60s
      icmp.first                  20s
      icmp.error                  10s
      other.first                  60s
      other.single                30s
      other.multiple              60s
      frag                        30s
      interval                    10s
      adaptive.start          120600 states
      adaptive.end            241200 states
      src.track                    0s

      LIMITS:
      states        hard limit  201000
      src-nodes    hard limit  201000
      frags        hard limit    5000
      table-entries hard limit  2000000

      TABLES:
      bogons
      snort2c
      sshlockout
      tonatsubnets
      virusprot
      webConfiguratorlockout

      OS FINGERPRINTS:
      710 fingerprints loaded
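To read the LABEL COUNTERS block above mechanically (which rules were ever reached and which actually matched packets), here is an added Python example, not code from the post or from pfSense; it assumes FreeBSD's `pfctl -sl` column order (evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, states) and uses four lines copied from the dump as constructed input.

```python
from dataclasses import dataclass

# Assumed column order of `pfctl -sl` on FreeBSD/pfSense:
# label evaluations packets bytes packets_in bytes_in packets_out bytes_out states
@dataclass
class LabelCounter:
    label: str
    evaluations: int
    packets: int
    bytes: int
    packets_in: int
    bytes_in: int
    packets_out: int
    bytes_out: int
    states: int

    def status(self) -> str:
        """evaluations==0: no packet ever reached this rule (an earlier rule,
        another interface, or an existing state handled it); packets==0 with
        evaluations>0: packets reached the rule but none matched it."""
        if self.evaluations == 0:
            return "never evaluated"
        if self.packets == 0:
            return "evaluated, never matched"
        return "matching"

def parse_label_counters(text: str) -> list[LabelCounter]:
    """Labels may contain spaces (and pfctl's '...' truncation), so the eight
    trailing integers are split off from the right; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 8)
        if len(parts) != 9 or not all(p.isdigit() for p in parts[1:]):
            continue
        rows.append(LabelCounter(parts[0], *(int(p) for p in parts[1:])))
    return rows

def suspicious_rules(rows: list[LabelCounter]) -> list[tuple[str, str]]:
    """Port-forward filter rules (pfSense labels them 'NAT ...') that carry no traffic."""
    return [(r.label, r.status()) for r in rows
            if r.label.startswith("USER_RULE: NAT") and r.status() != "matching"]

# Constructed sample: four lines copied verbatim from the dump above.
SAMPLE = """\
LABEL COUNTERS:
USER_RULE: NAT NAT for enekets http PRD to DILEWEB0001 13530 0 0 0 0 0 0 0
USER_RULE: NAT NAT for enekets http ACC to DILEWEB0001 0 0 0 0 0 0 0 0
USER_RULE: Allow LAN DNS lookups 9441 1381 151531 691 64434 690 87097 406
USER_RULE: Allow LAN2 - VO object access to Oracle 460 5922 2618721 3261 1324051 2661 1294670 10
"""

if __name__ == "__main__":
    for label, status in suspicious_rules(parse_label_counters(SAMPLE)):
        print(f"{status:26} {label}")
```

A port-forward rule that shows "never evaluated" after a test request is a strong hint that the request never reached pf at all, which is exactly the situation a cached redirect in the browser produces.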

      viragomann

        Clear the browser's cache.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.