Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfsense keeps blocking Cloudflare sever IP range

    Scheduled Pinned Locked Moved
    pfBlockerNG
    3
    8
    4.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      Wepee
      last edited by Wepee

      Hello there,

      I bought a cam???.com domain from Godaddy and transferred it nameserver to Cloudflare
      and set up my DNS record within Cloudflare's DNS app.

      Below is the DNS record in Cloudflare DNS app:

      A cam???.com points to 14.???.???.???(my pfsense public address) grey cloud selected = not using Cloudflare reverse proxy: DNS+HTTP

      CNAME firewall is an alias of cam???.com orange cloud selected
      CNAME pfsense is an alias of cam???.com orange cloud selected
      CNAME www is an alias of cam???.com orange cloud selected

      Note: Grey cloud means only DNS traffic is allowed to go through Cloudflare network.
      Note: Orange cloud means reverse proxy: DNS + HTTP traffic is allow to go through Cloudflare network.

      Testing without using Cloudflare reverse proxy...........
      If I type in the URL: https://cam???.com, in my chrome browser, using my remote laptop,
      my browser was able to reach my pfsense web GUI (pfsense firewall running at home)

      I decided to try Cloudflare's reversing proxy, for DNS HTTP traffic.

      The main reason having Cloudflare reverse proxy is to hide
      real my public pfsense WAN interface IP address: [14.???.???.???(my pfsense public address)] with Cloudflare's public IP.

      If I run a command nslookup in Windows command prompt, for: pfsense.cam???.com

      The domain will resolve to:
      104.27.160.171
      104.27.161.171
      Which is Cloudflare's IP address.

      In order to get Cloudflare reverse proxying to work, I set an alias in pfsense for the: Cloudflare IP range:

      103.21.244.0/22
      103.22.200.0/22
      103.31.4.0/22
      104.16.0.0/12
      108.162.192.0/18
      131.0.72.0/22
      141.101.64.0/18
      162.158.0.0/15 = Range: 162.158.0.0 - 162.159.255.255
      172.64.0.0/13 = Range: 172.64.0.0 - 172.71.255.255
      73.245.48.0/20
      188.114.96.0/20
      190.93.240.0/20
      197.234.240.0/22
      198.41.128.0/17

      The above Information is obtained from: https://www.cloudflare.com/ips/

      Next, I set up a port forwarding rule -a PASS rule for the alias: Cloudflare IP range.
      These PASS rule was placed at the very top order of the firewall rule.

      I am based in one of the countries in Asia region.

      Problem: pfsense keeps blocking all the Cloudflare's IP address range,
      (see below) even though, I have double checked the IP ranges
      are included in the alias, and used in the PASS rule.

      I went to system logs, and check on the firewall tab.
      Below are the Cloudflare's Singapore IP address range which pfsense keep on blocking.

      1. 162.158.0.0/15 ->Range: 162.158.0.0 - 162.159.255.255
      2. 172.64.0.0/13 ->Range: 172.64.0.0 - 172.71.255.255

      If I type in the URL: firewall.cam???.com or pfsense.cam???.com into Chrome browser, the connection will time out.
      and I get ERROR 522 message on the browser, indicating: Connection timed out.

      Any idea which is the problem here?

      Appreciated if some can give some advice.

      Thank you.😟

      1 Reply Last reply Reply Quote 0
      • W
        Wepee
        last edited by Wepee

        I have attached some screen shots:
        Public IP address: 172.69.135.80 belongs to Cloudflare's Singapore branch.
        For unknown reason, pfsense blocked the connection, even though I have a pass rule for
        CIDR: 172.64.0.0/13 = range: 172.64.0.0 -> 172.71.255.255 specified in my alias: CloulflareHTTPReverseProxyIPs

        0_1550000991429_2019-02-13_3-48-53.jpg
        1_1550001443096_2019-02-13_3-53-33.jpg
        0_1550001443096_2019-02-13_3-52-52.jpg
        0_1550002014743_2019-02-13_4-05-01.jpg
        0_1550002151301_2019-02-13_4-08-40.jpg
        0_1550002417627_2019-02-13_4-12-00.jpg

        1 Reply Last reply Reply Quote 0
        • chpalmerC
          chpalmer
          last edited by

          Can you show a screen shot of your WAN rule?

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          1 Reply Last reply Reply Quote 0
          • W
            Wepee
            last edited by

            Sure, here is the attachment, btw, I always wonder why the order of the automatically shifted to the bottom by pfsense?
            I saved the PASS rules (with the green tick) above the pfblock wan rules, but somehow it will move them back to the bottom.
            0_1550022585243_2019-02-13_9-42-37.jpg

            1 Reply Last reply Reply Quote 0
            • W
              Wepee
              last edited by Wepee

              Finally, after after spending lots of hours playing around and trouble shooting..............I finally found the problem

              The problem lies within pfblockerNG ( I was using pfblockerNG dev.)

              Disabling pfblockerNG did not help............same old problem keeps on blocking..........until I uninstall it from pfsense
              package manager.

              Once uninstalled pfblockerNG dev from pfsense, reboot the router.........then.......every works like clockworks.

              Now, if I am outside my local network(at the WAN side) can access my pfsense Web GUI securely.

              Anyone one provided that the domain name was given, can access my pfsense Web GUI using SSL.

              My real WAN address of the firewall will be hiding behind Cloudflare reverse proxy server.

              1 Reply Last reply Reply Quote 0
              • W
                Wepee
                last edited by

                0_1550170928519_2019-02-13_9-42-37.jpg
                0_1550170986530_2019-02-15_1-32-29.jpg
                0_1550171059055_2019-02-15_1-31-33.jpg
                0_1550171078154_2019-02-15_2-44-15.jpg
                0_1550171099737_2019-02-15_2-50-00.jpg

                1 Reply Last reply Reply Quote 0
                • W
                  Wepee
                  last edited by

                  My next question how to create a whitelist of the following Cloudflare IP addresses, in pfblockerNG,
                  at the very top order in WAN rule.

                  103.21.244.0/22
                  103.22.200.0/22
                  103.31.4.0/22
                  104.16.0.0/12
                  108.162.192.0/18
                  131.0.72.0/22
                  141.101.64.0/18
                  162.158.0.0/15
                  172.64.0.0/13
                  173.245.48.0/20
                  188.114.96.0/20
                  190.93.240.0/20
                  197.234.240.0/22
                  198.41.128.0/17

                  1 Reply Last reply Reply Quote 0
                  • S
                    stevesibilia
                    last edited by

                    In PfblockerNG --> General there is the Option Rule order.
                    I think you should define a custom ip list (under ipv4 section) with action "pass" and than define the rule order so pass come before block/reject.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post