packet captures - do they show ALL traffic prior to the firewall filters ?



  • HI

    I have two different scenarios on two different servers that I am trying to get packet captures for.

    Site has an IPSEC VPN between a hosted system and a local site. In my IPSEC firewall rules I have two rules.
    Allow all host IP Range /24 to site IP Range /24
    Allow all site IP Range /24 to host IP Range /24

    At the command line on the pfsense I have run a packet capture as:
    nohup tcpdump -i enc0 -s 0 -v -C 20 -W 10 -w capture.pcap host site_range &

    The results shows traffic across the IPSEC link.
    Would this show all traffic across the link ? or could there be some traffic missing ?
    The issue I have is if a do a tcpdump on a server at the local site, it is sending some traffic that occasionally doesn't arrive at the hosted system.. I think it's a LAN issue, but I want to be sure.

    New site is hosted and fronted by a pfSense firewall. IP Addresses and required ports for a provider are added to an alias list and then configured in port forwarding. We know the rules are correct otherwise we wouldn't be getting any packets from the provider as each packet comes from the same IP Address & port

    We have an issue were a provider claims they are sending packets to us, but not all doesn't appear at the server. The server logs show some packets from the provider but not all. .

    I've run a tcpdump at the command line as folllows:
    nohup tcpdump -i em0 -s 0 -v -C 20 -W 10 -w capture.pcap host x.x.x &

    (I've gone for the first three octets as that ensures I get everything from the range the provider uses)
    The resulting capture matches what we see in our logs.

    em0 is the interface with the public IP Address. Would this capture all traffic to the system prior to any firewall rules being applied ?

    In both scenarios I want to capture the traffic before any rules are applied, so completely unfiltered.
    Thanks for any advise.

    Regards



  • After doing some testing on setup 2 it does appear to show all traffic.
    Interestingly this has show that I appear to be getting idle NAT timeouts on port 5060 after about 30 seconds.

    ie: packets arrive fine for 5060, the call is established and then after 30minutes new packets relating to the same call are blocked. Anyway to stop that happening ?

    Thanks


  • Netgate Administrator

    You can change the state timeouts in System > Advanved > Firewall & NAT.

    You can choose a set of timeouts from the Firewall Optimization Options filed, choose 'conservative' there.

    Or you can set individual timeout values at the bottom of that page.

    That should only timeout if no traffic is using it though. If there really is nothing using it it would be better to change the keep-alive settings on the server to hold the state open.

    Steve



  • Thanks this fixed it for me.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy