I have disabled all rules in the firewall, but still can tracert from LAN
-
I have disabled all positive rules in the firewall, and I can't browse the Web, but I still can
tracert 10.10.0.251
from a LAN machine and receive 3 hops from my ISP.
How is this possible?
-
Post your LAN rules.
-
All were disabled (dimmed), except the anti-lockout rule.
Currently one additional rule is enabled, which I use to browse the Web.
I can disable it and have the situation again.
-
Stop messing around and show the rules in the state they are that you say they are misbehaving.
Show the states for the traceroutes.
Look at the states using pfctl -vvss to see what rule is passing the traffic.
Post that.
-
Thank you, but I prefer a rod over a fish. Where/how do I find the undesired state in the output of pfctl -vvss?
-
I found the following in the output:
re2 icmp 10.10.0.62:1 <- 192.168.10.56:1 0:0
age 00:08:30, expires in 00:00:05, 192:7 pkts, 14400:584 bytes, rule 117
id: 010000005ab2fc3e creatorid: 6261d0b3
re0 icmp 95.84.128.151:47326 (192.168.10.56:1) -> 10.10.0.62:47326 0:0
age 00:08:30, expires in 00:00:05, 377:4 pkts, 28188:416 bytes, rule 94
id: 010000005ab2fc3f creatorid: 6261d0b3
10.10.0.62 is a new address behind the VPN I wish to ping and which is pingable from pfSense. re2 is LAN and re0 is the first WAN, which is undesired.
-
For whatever reason that traffic is not interesting to the VPN.
Common causes:
You are policy routing the traffic out WAN by setting a gateway on a rule that matches. This overrides both the routing table and IPsec selectors.
https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
The traffic does not match the traffic selector.
From that output, rule 117 passed the ping into LAN
You can match that rule in the rule set:
pfctl -vvsr | grep -A3 '^@117'
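To make the "find the state, then look up its rule" step from the two posts above repeatable, here is an added example (not from the thread or from pfSense) that filters a pfctl -vvss dump for one host and reports the interface, direction and creating rule number of each matching state. It assumes the IPv4 state layout shown in the thread (addr:port endpoints, a pre-NAT address in parentheses) and uses the two posted states as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread: pull out of a `pfctl -vvss` dump the
# states that involve one host and report the interface, direction and the
# number of the rule that created each state. The rule number is what you then
# feed to `pfctl -vvsr | grep -A3 '^@<n>'` on the firewall.
# Assumes the IPv4 state format shown in the thread (endpoints as addr:port,
# "<-" = inbound on the interface, "->" = outbound, pre-NAT address in parens).

# Constructed sample input: the two states posted in the thread, with the
# indentation pfctl prints for the detail lines.
SAMPLE_STATES='re2 icmp 10.10.0.62:1 <- 192.168.10.56:1 0:0
   age 00:08:30, expires in 00:00:05, 192:7 pkts, 14400:584 bytes, rule 117
   id: 010000005ab2fc3e creatorid: 6261d0b3
re0 icmp 95.84.128.151:47326 (192.168.10.56:1) -> 10.10.0.62:47326 0:0
   age 00:08:30, expires in 00:00:05, 377:4 pkts, 28188:416 bytes, rule 94
   id: 010000005ab2fc3f creatorid: 6261d0b3'

# states_for_host HOST  < state-dump
# Prints one line per state whose header mentions HOST (as original, NATed,
# source or destination address): "<iface> <proto> <in|out> rule <n>".
states_for_host() {
    awk -v host="$1" '
        # A state header is the only line carrying a direction arrow.
        / <- | -> / {
            iface = $1; proto = $2
            dir = index($0, " <- ") ? "in" : "out"
            hit = 0
            # Walk the endpoint tokens; strip the NAT parentheses and compare
            # the address part only, so 10.10.0.62 does not match 110.10.0.62.
            for (i = 3; i <= NF; i++) {
                tok = $i; gsub(/[()]/, "", tok)
                if (split(tok, ep, ":") == 2 && ep[1] == host) hit = 1
            }
            next
        }
        # The detail line after a matching header names the creating rule;
        # more fields may follow "rule N" on newer pf, so take just that part.
        hit && match($0, /rule [0-9]+/) {
            print iface, proto, dir, substr($0, RSTART, RLENGTH)
            hit = 0
        }
    '
}

# Stand-alone run over the constructed sample; on pfSense pipe the live dump
# instead:  pfctl -vvss | states_for_host 10.10.0.62
printf '%s\n' "$SAMPLE_STATES" | states_for_host 10.10.0.62
```

For the posted dump this reports the LAN-side state on re2 created by rule 117 and the WAN-side state on re0 created by rule 94, which is the pair the last post walks through.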