• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Strange behavior with UDP protocol

Scheduled Pinned Locked Moved NAT
12 Posts 4 Posters 1.0k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • L
    lcavallaro91
    last edited by lcavallaro91 May 28, 2019, 10:19 PM May 28, 2019, 9:54 PM

    Hello everyone,
    I'm experiencing some problems with pfsense version 2.4.4-RELEASE-p3. I wanted to expose my listening service on port 443 udp on the WAN but when I try to make traffic to my server it doesn't arrive; verified with a tcpdump.
    I state that I also have other tcp rules and they work correctly.
    Also I noticed that if I run a nc command on my public ip with range 80-443 all the ports answer me even if I have a rule of "Clean" where I do the reject of everything that does not make the match. Can you give me some tips or advice?
    Available for further information
    Thank you in advance.

    Luca

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by May 29, 2019, 1:59 PM

      You can't test UDP with nc like that, it will always claim success.

      When you say the traffic doesn't arrive, did you check with a packet capture on WAN? Or on LAN? Or both?

      If it doesn't arrive when you capture on WAN, then it has to be getting blocked somewhere between the client and the pfSense WAN, and there isn't anything pfSense can do about that.

      If it arrives on WAN but doesn't reach the server on LAN, that would be a much different issue. We'd need to see the rules, the firewall logs, state table contents, etc.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • K
        KOM
        last edited by KOM May 29, 2019, 2:55 PM May 29, 2019, 2:28 PM

        I played around with this a little bit last night, and while I could see the udp packets hitting WAN, they weren't being forwarded to the internal LAN client. A packet capture on LAN showed no udp packets whatsoever regardless of which port was used.

        Assuming I made a mistake somewhere, I'll try it again later when I have some time.

        1 Reply Last reply Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator
          last edited by May 29, 2019, 4:33 PM

          Not exactly sure how he is testing.. But sending a udp packet is not hard..

          Here from one of my vps, just did a simple

          root@ns1:~# echo "test" > /dev/udp/64.53.xx.xx/443

          Where that 64.53 is my pfsense wan IP.. Bam it shows up

          updtowan.png

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • K
            KOM
            last edited by May 29, 2019, 4:38 PM

            It hits WAN like I said, but doesn't get forwarded to LAN.

            1 Reply Last reply Reply Quote 0
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by May 29, 2019, 7:40 PM

              No problem forwarding UDP ports here.

              : tcpdump -ni vmx1 port 444
              tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
              listening on vmx1, link-type EN10MB (Ethernet), capture size 262144 bytes
              15:37:32.629457 IP 198.51.100.108.45514 > 10.6.0.122.444: UDP, length 1
              : pfctl -ss | grep 444
              vmx0 udp 10.6.0.122:444 (198.51.100.6:444) <- 198.51.100.108:45514       NO_TRAFFIC:SINGLE
              vmx1 udp 198.51.100.108:45514 -> 10.6.0.122:444       SINGLE:NO_TRAFFIC
              
              : grep 444 /tmp/rules.debug
              rdr on vmx0 proto udp from any to 198.51.100.6 port 444 -> 10.6.0.122
              rdr on { vmx1  enc0 openvpn } proto udp from any to 198.51.100.6 port 444 -> 10.6.0.122
              no nat on vmx1 proto udp from (vmx1) to 10.6.0.122 port 444
              nat on vmx1 proto udp from 10.6.0.0/24 to 10.6.0.122 port 444 -> 10.6.0.1 port 1024:65535
              no nat on vmx1 proto udp from (vmx1) to 10.6.0.122 port 444
              nat on vmx1 proto udp from 10.6.0.0/24 to 10.6.0.122 port 444 -> 10.6.0.1 port 1024:65535
              no nat on vmx1 proto udp from (vmx1) to 10.6.0.122 port 444
              nat on vmx1 proto udp from 10.6.0.0/24 to 10.6.0.122 port 444 -> 10.6.0.1 port 1024:65535
              pass  in  quick  on $WAN reply-to ( vmx0 198.51.100.1 ) inet proto udp  from any to 10.6.0.122 port 444 tracker 1559158506 keep state  label "USER_RULE: NAT "
              

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz May 29, 2019, 7:53 PM May 29, 2019, 7:51 PM

                yeah no problem here either

                Here is forward and firewall rules
                forward.png

                Here is sniff of it you can see it sending to 9.100
                lan.png

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • K
                  KOM
                  last edited by May 29, 2019, 7:57 PM

                  Good to know. I tried it several times last night with nc. I was aware that it always reports success but I was capturing packets. Everything was virtualized within Virtualbox. I was forwarding to a host that didn't exist. I expected the packets to be seen on the LAN interface. Nothing was captured. If pfSense has no entries in its ARP cache for that non-existent address, will it still try to forward? That might explain why I didn't see anything.

                  While it's possible I got something wrong, I tried this several times last night and could never make it work.

                  1 Reply Last reply Reply Quote 0
                  • J
                    jimp Rebel Alliance Developer Netgate
                    last edited by May 29, 2019, 7:59 PM

                    Why would a router deliver a packet to a host that doesn't exist?

                    If ARP fails it won't send a packet.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • K
                      KOM
                      last edited by May 29, 2019, 8:06 PM

                      @jimp See, I'm smart enough to realize my stupidity after only 20 hours. I'm getting better all the time (bettah, bettah, BETTAH!)

                      1 Reply Last reply Reply Quote 0
                      • L
                        lcavallaro91
                        last edited by May 30, 2019, 9:18 AM

                        Hi everyone

                        thanks for your proactivity :) in the coming days I will do other tests and I am attaching the report I get.
                        for now I am attaching screenshots with my WAN rules, port forwarding rules and lan rule
                        WanRule.png
                        ForwardRule.png
                        LanRule.png

                        1 Reply Last reply Reply Quote 0
                        • J
                          jimp Rebel Alliance Developer Netgate
                          last edited by May 30, 2019, 2:19 PM

                          And what is in that alias? It must only contain one entry, an IP address. Do the contents of the table show up under Diag > Tables?

                          Does it work if you remove the alias and put the IP address in directly?

                          The rules have no matches, so there must not be any traffic arriving which matches.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          12 out of 12
                          • First post
                            12/12
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received