[SG1000] Issues on MAC filtered networks.
I recently purchased a SG1000 micro firewall and whilst setting it up came across a problem whereby devices connected to LAN are unable to connect to the internet. The internet connection that I am using whilst testing this device is filtered by MAC addresses, and I have thus added the firewall's MAC address to the white list. Whether or not firewall LAN clients are on the external MAC whitelist makes no difference to the following issue.
When pinging addresses such as 8.8.8.8 or 8.8.4.4 from the ping utility in the pfSense webgui diagnostics, I get replies every time. However, when I try a ping from a machine connected to the firewall LAN I get responses saying "Destination Unreachable (Port Unreachable)", even when running through NAT. It should be noted that when pinging from the firewall's webgui on the LAN interface, responses are received, suggesting NAT is working correctly.
After inspecting the traffic on the outgoing Ethernet wire with a traffic tap and Wireshark, I can see that the outgoing ICMP requests are almost identical. The only fields that differ between these packets are id, seq, time, checksum and (random) payload. All MAC/destination/source addresses are the same, regardless of the device used to create the ping request. This I believe is expected behaviour for a network hop on a Layer 3 firewall (however, refer to the aside note at the bottom).
Do you have any ideas as to what would be causing the connected device's pings to never return, and the firewall's pings to always return?
I have attached 4 sample packets captured, the outgoing and incoming ICMP ping request packets for both the SG1000 and the device connected to the SG1000, as captured from the WAN wire. The packets have appropriate comments explaining which is which.
As an aside, I also noticed the spec sheet for the SG1000 states that it is Layer 2 Transparent, and in this case it doesn't seem to be, as the pings from the device connected to the firewall leave on WAN with the firewall's MAC address and not the original device's MAC address, implying it is going through a network hop and not being transparent. Am I misunderstanding what L2 Transparency is, or could this have anything to do with my problem?
pcap.pcapng
Okay, so for those of you also having problems with MAC filtered networks. I found the problem and a solution.
The upstream device on the network was performing NAT detection by looking at whether the TTL had decremented by 1, i.e. was no longer 64 when it arrived, and so discarded it.
To counteract this you can do the following:
On line 591 in /etc/inc/filter.inc
change:
$scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions
to
$scrubrules .= "scrub on \${$scrubcfg['descr']} all min-ttl 64 {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions
This makes sure that all packets coming in on any interface are assigned with a TTL of 64.
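As an added illustration (not code from the thread or from pfSense), the following Python script models the mechanism described above on constructed IPv4 headers: a LAN client's packet is forwarded by the firewall (TTL 64 becomes 63), an upstream device that only accepts first-hop TTLs rejects it, and a pf-style min-ttl 64 scrub applied on the WAN side raises the TTL back before the packet leaves. The accepted TTL set and the addresses are assumptions for the example.

```python
import socket
import struct

# Constructed model of the thread's finding. INITIAL_TTLS is an assumed set of
# values the upstream device treats as "first hop" (common OS defaults).
INITIAL_TTLS = {64, 128, 255}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Zero the checksum field (bytes 10-11), recompute it, write it back."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 1) -> bytes:
    # version/IHL, DSCP, total length (20 + 8-byte ICMP echo), id, flags/frag,
    # TTL, protocol (1 = ICMP), checksum placeholder, src, dst
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(raw)


def ttl_of(header: bytes) -> int:
    return header[8]


def set_ttl(header: bytes, ttl: int) -> bytes:
    return with_checksum(header[:8] + bytes([ttl]) + header[9:])


def forward_hop(header: bytes) -> bytes:
    """What a routing (layer 3) firewall does: decrement TTL and fix the checksum."""
    return set_ttl(header, ttl_of(header) - 1)


def scrub_min_ttl(header: bytes, min_ttl: int = 64) -> bytes:
    """pf 'scrub ... min-ttl N' semantics: raise a TTL below N to N, never lower it."""
    return header if ttl_of(header) >= min_ttl else set_ttl(header, min_ttl)


def upstream_accepts(header: bytes) -> bool:
    """Modelled upstream check: the TTL must still look like a first hop."""
    return ttl_of(header) in INITIAL_TTLS


def checksum_valid(header: bytes) -> bool:
    return ipv4_checksum(header) == 0
```

Note that min-ttl only raises a TTL: a client whose OS starts at 128 would leave the firewall at 127 and stay at 127, so this workaround only hides the hop for clients that start at or below the configured minimum.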