Strange behavior with UDP protocol

lcavallaro91

Hello everyone,
I'm experiencing some problems with pfsense version 2.4.4-RELEASE-p3. I wanted to expose my listening service on port 443 udp on the WAN but when I try to make traffic to my server it doesn't arrive; verified with a tcpdump.
I state that I also have other tcp rules and they work correctly.
Also I noticed that if I run a nc command on my public ip with range 80-443 all the ports answer me even if I have a rule of "Clean" where I do the reject of everything that does not make the match. Can you give me some tips or advice?
Available for further information
Thank you in advance.

Luca

jimp

You can't test UDP with nc like that, it will always claim success.

When you say the traffic doesn't arrive, did you check with a packet capture on WAN? Or on LAN? Or both?

If it doesn't arrive when you capture on WAN, then it has to be getting blocked somewhere between the client and the pfSense WAN, and there isn't anything pfSense can do about that.

If it arrives on WAN but doesn't reach the server on LAN, that would be a much different issue. We'd need to see the rules, the firewall logs, state table contents, etc.

KOM

I played around with this a little bit last night, and while I could see the udp packets hitting WAN, they weren't being forwarded to the internal LAN client. A packet capture on LAN showed no udp packets whatsoever regardless of which port was used.

Assuming I made a mistake somewhere, I'll try it again later when I have some time.

johnpoz

Not exactly sure how he is testing.. But sending a udp packet is not hard..

Here from one of my vps, just did a simple

root@ns1:~# echo "test" > /dev/udp/64.53.xx.xx/443

Where that 64.53 is my pfsense wan IP.. Bam it shows up

KOM

It hits WAN like I said, but doesn't get forwarded to LAN.

jimp

No problem forwarding UDP ports here.

: tcpdump -ni vmx1 port 444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmx1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:37:32.629457 IP 198.51.100.108.45514 > 10.6.0.122.444: UDP, length 1
: pfctl -ss | grep 444
vmx0 udp 10.6.0.122:444 (198.51.100.6:444) <- 198.51.100.108:45514       NO_TRAFFIC:SINGLE
vmx1 udp 198.51.100.108:45514 -> 10.6.0.122:444       SINGLE:NO_TRAFFIC

: grep 444 /tmp/rules.debug
rdr on vmx0 proto udp from any to 198.51.100.6 port 444 -> 10.6.0.122
rdr on { vmx1  enc0 openvpn } proto udp from any to 198.51.100.6 port 444 -> 10.6.0.122
no nat on vmx1 proto udp from (vmx1) to 10.6.0.122 port 444
nat on vmx1 proto udp from 10.6.0.0/24 to 10.6.0.122 port 444 -> 10.6.0.1 port 1024:65535
no nat on vmx1 proto udp from (vmx1) to 10.6.0.122 port 444
nat on vmx1 proto udp from 10.6.0.0/24 to 10.6.0.122 port 444 -> 10.6.0.1 port 1024:65535
no nat on vmx1 proto udp from (vmx1) to 10.6.0.122 port 444
nat on vmx1 proto udp from 10.6.0.0/24 to 10.6.0.122 port 444 -> 10.6.0.1 port 1024:65535
pass  in  quick  on $WAN reply-to ( vmx0 198.51.100.1 ) inet proto udp  from any to 10.6.0.122 port 444 tracker 1559158506 keep state  label "USER_RULE: NAT "

johnpoz

yeah no problem here either

Here is forward and firewall rules

Here is sniff of it you can see it sending to 9.100

KOM

Good to know. I tried it several times last night with nc. I was aware that it always reports success but I was capturing packets. Everything was virtualized within Virtualbox. I was forwarding to a host that didn't exist. I expected the packets to be seen on the LAN interface. Nothing was captured. If pfSense has no entries in its ARP cache for that non-existent address, will it still try to forward? That might explain why I didn't see anything.

While it's possible I got something wrong, I tried this several times last night and could never make it work.

jimp

Why would a router deliver a packet to a host that doesn't exist?

If ARP fails it won't send a packet.

KOM

@jimp See, I'm smart enough to realize my stupidity after only 20 hours. I'm getting better all the time (bettah, bettah, BETTAH!)

lcavallaro91

Hi everyone

thanks for your proactivity :) in the coming days I will do other tests and I am attaching the report I get.
for now I am attaching screenshots with my WAN rules, port forwarding rules and lan rule

jimp

And what is in that alias? It must only contain one entry, an IP address. Do the contents of the table show up under Diag > Tables?

Does it work if you remove the alias and put the IP address in directly?

The rules have no matches, so there must not be any traffic arriving which matches.