Strange behavior with UDP protocol

  • Hello everyone,
    I'm experiencing some problems with pfSense version 2.4.4-RELEASE-p3. I wanted to expose my service listening on UDP port 443 on the WAN, but when I try to send traffic to my server it doesn't arrive; I verified this with tcpdump.
    I should note that I also have other TCP rules and they work correctly.
    Also, I noticed that if I run an nc command against my public IP with range 80-443, all the ports answer me, even though I have a "Clean" rule where I reject everything that does not match. Can you give me some tips or advice?
    Available for further information
    Thank you in advance.


  • Rebel Alliance Developer Netgate

    You can't test UDP with nc like that, it will always claim success.

    When you say the traffic doesn't arrive, did you check with a packet capture on WAN? Or on LAN? Or both?

    If it doesn't arrive when you capture on WAN, then it has to be getting blocked somewhere between the client and the pfSense WAN, and there isn't anything pfSense can do about that.

    If it arrives on WAN but doesn't reach the server on LAN, that would be a much different issue. We'd need to see the rules, the firewall logs, state table contents, etc.
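
Why an nc-style UDP check reports success regardless, as an added example that is not part of the thread: UDP has no handshake, so a send that completes without error proves nothing, and only a reply, an ICMP port-unreachable, or a packet capture tells you anything. The names `udp_probe` and `start_listener` and the loopback listeners are constructed for illustration.

```python
import socket
import threading

def udp_probe(host, port, payload=b"test", timeout=1.0):
    """Send one datagram and report what actually came back.

    'reply'         - the service answered, so the path works end to end
    'closed'        - an ICMP port-unreachable came back (ECONNREFUSED)
    'open|filtered' - silence: dropped, forwarded to a mute service, or lost
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: kernel reports ICMP errors
        try:
            s.send(payload)
            s.recv(2048)
            return "reply"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def start_listener(echo):
    """Constructed loopback stand-in for the server behind the port forward."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:
                return  # socket was closed
            if echo:
                srv.sendto(data, peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    echo_srv, echo_port = start_listener(echo=True)
    mute_srv, mute_port = start_listener(echo=False)
    print("echoing service:", udp_probe("127.0.0.1", echo_port))
    print("silent service :", udp_probe("127.0.0.1", mute_port))
```

The silent listener receives every datagram yet the probe still sees nothing, which is why the capture on WAN and LAN is the reliable check for a service that does not answer.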

  • I played around with this a little bit last night, and while I could see the udp packets hitting WAN, they weren't being forwarded to the internal LAN client. A packet capture on LAN showed no udp packets whatsoever regardless of which port was used.

    Assuming I made a mistake somewhere, I'll try it again later when I have some time.

  • LAYER 8 Global Moderator

    Not exactly sure how he is testing.. But sending a udp packet is not hard..

    Here from one of my vps, just did a simple

    root@ns1:~# echo "test" > /dev/udp/64.53.xx.xx/443

    Where that 64.53 is my pfsense wan IP.. Bam it shows up


  • It hits WAN like I said, but doesn't get forwarded to LAN.

  • Rebel Alliance Developer Netgate

    No problem forwarding UDP ports here.

    : tcpdump -ni vmx1 port 444
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vmx1, link-type EN10MB (Ethernet), capture size 262144 bytes
    15:37:32.629457 IP > UDP, length 1
    : pfctl -ss | grep 444
    vmx0 udp ( <-       NO_TRAFFIC:SINGLE
    vmx1 udp ->       SINGLE:NO_TRAFFIC
    : grep 444 /tmp/rules.debug
    rdr on vmx0 proto udp from any to port 444 ->
    rdr on { vmx1  enc0 openvpn } proto udp from any to port 444 ->
    no nat on vmx1 proto udp from (vmx1) to port 444
    nat on vmx1 proto udp from to port 444 -> port 1024:65535
    no nat on vmx1 proto udp from (vmx1) to port 444
    nat on vmx1 proto udp from to port 444 -> port 1024:65535
    no nat on vmx1 proto udp from (vmx1) to port 444
    nat on vmx1 proto udp from to port 444 -> port 1024:65535
    pass  in  quick  on $WAN reply-to ( vmx0 ) inet proto udp  from any to port 444 tracker 1559158506 keep state  label "USER_RULE: NAT "

  • LAYER 8 Global Moderator

    yeah no problem here either

    Here is forward and firewall rules

    Here is sniff of it you can see it sending to 9.100

  • Good to know. I tried it several times last night with nc. I was aware that it always reports success but I was capturing packets. Everything was virtualized within Virtualbox. I was forwarding to a host that didn't exist. I expected the packets to be seen on the LAN interface. Nothing was captured. If pfSense has no entries in its ARP cache for that non-existent address, will it still try to forward? That might explain why I didn't see anything.

    While it's possible I got something wrong, I tried this several times last night and could never make it work.

  • Rebel Alliance Developer Netgate

    Why would a router deliver a packet to a host that doesn't exist?

    If ARP fails it won't send a packet.

  • @jimp See, I'm smart enough to realize my stupidity after only 20 hours. I'm getting better all the time (bettah, bettah, BETTAH!)

  • Hi everyone

    Thanks for your proactivity :) In the coming days I will do other tests and attach the report I get.
    For now I am attaching screenshots with my WAN rules, port forwarding rules and LAN rule.

  • Rebel Alliance Developer Netgate

    And what is in that alias? It must only contain one entry, an IP address. Do the contents of the table show up under Diag > Tables?

    Does it work if you remove the alias and put the IP address in directly?

    The rules have no matches, so there must not be any traffic arriving which matches.

