Netgate Discussion Forum
    How to figure out required details for firewall rule

    Firewalling | 3 Posts, 2 Posters, 361 Views
    matulis:

      Hi all,

      currently I have the following problem:

      I set up my pfSense and added some (most common) rules and everything is working fine so far.

      But now my son tried to start one of his favorite games on his Android mobile. Before/without pfSense it starts without problems. But now it hangs with a "No connection" message.
      So pfSense obviously seems to block something here.

      And that's my current problem: I'm trying to figure out WHAT exactly I need to enable/allow, but I cannot find any hint in the logs.
      Of course, I can see some log entries which are blocked by "Default deny rule IPv4 (1000000103)". But none of them seem to be related to the mobile request.

      So, I tried to get some more details by capturing packets. When activating the "Allow LAN to Any" rule for testing purposes the following is returned (and the game starts/connects) without any problems:

          MYROUTER.54943 > dns.google.domain: [udp sum ok] 38697+ A? ludia.helpshift.com. (37)
          MYROUTER.47441 > dns.google.domain: [udp sum ok] 34973+ A? ludia.helpshift.com. (37)
          dns.google.domain > MYROUTER.54943: [udp sum ok] 38697 q: A? ludia.helpshift.com. 8/0/0 ludia.helpshift.com. A 54.215.132.170, ludia.helpshift.com. A 54.219.146.147, ludia.helpshift.com. A 54.215.157.70, ludia.helpshift.com. A 54.215.132.180, ludia.helpshift.com. A 54.215.136.41, ludia.helpshift.com. A 54.183.67.143, ludia.helpshift.com. A 54.215.199.132, ludia.helpshift.com. A 54.183.86.99 (165)
          dns.google.domain > MYROUTER.47441: [udp sum ok] 34973 q: A? ludia.helpshift.com. 8/0/0 ludia.helpshift.com. A 52.52.54.108, ludia.helpshift.com. A 52.9.11.148, ludia.helpshift.com. A 50.18.32.157, ludia.helpshift.com. A 52.8.143.33, ludia.helpshift.com. A 52.53.139.53, ludia.helpshift.com. A 52.8.65.145, ludia.helpshift.com. A 52.52.224.18, ludia.helpshift.com. A 52.9.100.225 (165)
          MYROUTER.50882 > dns.google.domain: [udp sum ok] 57956+ A? drg-1-43-16-pag.ludia.net. (43)
          dns.google.domain > MYROUTER.50882: [udp sum ok] 57956 q: A? drg-1-43-16-pag.ludia.net. 2/0/0 drg-1-43-16-pag.ludia.net. CNAME ord-gs-prod-dragons-005.ludia.net., ord-gs-prod-dragons-005.ludia.net. A 161.47.34.73 (97)
          MYROUTER.57155 > dns.google.domain: [udp sum ok] 60654+ AAAA? ord-gs-prod-dragons-002.ludia.net. (51)
          dns.google.domain > MYROUTER.57155: [udp sum ok] 60654 q: AAAA? ord-gs-prod-dragons-002.ludia.net. 0/1/0 ns: ludia.net. SOA ns-48.awsdns-06.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (131)
          MYROUTER.35296 > dns.google.domain: [udp sum ok] 60654+ AAAA? ord-gs-prod-dragons-002.ludia.net. (51)
          dns.google.domain > MYROUTER.35296: [udp sum ok] 60654 q: AAAA? ord-gs-prod-dragons-002.ludia.net. 0/1/0 ns: ludia.net. SOA ns-48.awsdns-06.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (131)
          MYROUTER.56656 > dns.google.domain: [udp sum ok] 45712+ A? ord-gs-prod-dragons-002.ludia.net. (51)
          dns.google.domain > MYROUTER.56656: [udp sum ok] 45712 q: A? ord-gs-prod-dragons-002.ludia.net. 1/0/0 ord-gs-prod-dragons-002.ludia.net. A 161.47.34.70 (67)
      

      But when deactivating the "Allow LAN to Any" rule again, the AAAA records are missing, which seems to be the cause from my point of view:

          MYROUTER.1801 > dns.google.domain: [udp sum ok] 64930+ A? ludia.helpshift.com. (37)
          MYROUTER.37938 > dns.google.domain: [udp sum ok] 42085+ A? ludia.helpshift.com. (37)
          dns.google.domain > MYROUTER.1801: [udp sum ok] 64930 q: A? ludia.helpshift.com. 8/0/0 ludia.helpshift.com. A 54.215.201.94, ludia.helpshift.com. A 54.215.221.188, ludia.helpshift.com. A 54.215.202.46, ludia.helpshift.com. A 54.219.155.27, ludia.helpshift.com. A 54.215.231.4, ludia.helpshift.com. A 54.219.161.135, ludia.helpshift.com. A 54.219.156.51, ludia.helpshift.com. A 54.219.138.63 (165)
          dns.google.domain > MYROUTER.37938: [udp sum ok] 42085 q: A? ludia.helpshift.com. 8/0/0 ludia.helpshift.com. A 54.241.137.29, ludia.helpshift.com. A 54.67.104.81, ludia.helpshift.com. A 54.67.110.124, ludia.helpshift.com. A 54.219.147.222, ludia.helpshift.com. A 54.219.233.4, ludia.helpshift.com. A 54.219.242.145, ludia.helpshift.com. A 54.219.149.111, ludia.helpshift.com. A 54.219.149.5 (165)
          MYROUTER.63627 > dns.google.domain: [udp sum ok] 51734+ A? drg-1-43-16-pag.ludia.net. (43)
          dns.google.domain > MYROUTER.63627: [udp sum ok] 51734 q: A? drg-1-43-16-pag.ludia.net. 2/0/0 drg-1-43-16-pag.ludia.net. CNAME ord-gs-prod-dragons-004.ludia.net., ord-gs-prod-dragons-004.ludia.net. A 161.47.34.72 (97)


      So, what is missing here to get the entire traffic allowed? How can I figure out which port, etc. needs to be allowed?

      Many thanks in advance!

      kiokoman (LAYER 8):

        The rule order is important. You should post a screenshot of what you have for the LAN interface, and tell us what you are using for the wifi.


        matulis (replying to kiokoman):

          @kiokoman Thanks for your reply. Yes, of course I know that the rule order matters. But I was able to solve it myself now.
          I installed Packet Capture for Android on the phone, started the game and figured out that two ports are required. After these ports have been allowed on pfSense the game started as expected. :-)

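As an added example (not code from the thread, from Netgate or from pfSense), one way to answer the original question without a capture on the phone: take the server addresses the game resolved in the tcpdump output quoted above and correlate them with the pfSense filter log entries blocked by the default deny rule, so that only the blocked destination/port pairs going to those addresses are listed. The phone address 192.168.1.23, the ports 7777/7778 and the log lines are constructed; the thread does not name the two real ports.

```python
import re
from collections import Counter

# Constructed sample: tcpdump DNS answer lines copied from the thread's capture.
DNS_CAPTURE = """\
dns.google.domain > MYROUTER.63627: [udp sum ok] 51734 q: A? drg-1-43-16-pag.ludia.net. 2/0/0 drg-1-43-16-pag.ludia.net. CNAME ord-gs-prod-dragons-004.ludia.net., ord-gs-prod-dragons-004.ludia.net. A 161.47.34.72 (97)
dns.google.domain > MYROUTER.56656: [udp sum ok] 45712 q: A? ord-gs-prod-dragons-002.ludia.net. 1/0/0 ord-gs-prod-dragons-002.ludia.net. A 161.47.34.70 (67)
"""

# Constructed pfSense filter.log lines (CSV layout per Netgate's filter log docs:
# rulenum,subrulenum,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,protoid,proto,length,src,dst,sport,dport,datalen[,tcp fields]).
# Phone address 192.168.1.23 and ports 7777/7778 are placeholders, not the game's.
FILTER_LOG = """\
Mar 1 10:00:01 pfSense filterlog[8311]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.1.23,161.47.34.72,51234,7777,0,S,1:1,,65535,,mss
Mar 1 10:00:02 pfSense filterlog[8311]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.1.23,161.47.34.72,51235,7777,0,S,1:1,,65535,,mss
Mar 1 10:00:02 pfSense filterlog[8311]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1003,0,none,17,udp,80,192.168.1.23,161.47.34.72,40001,7778,52
Mar 1 10:00:03 pfSense filterlog[8311]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.1.99,203.0.113.10,50000,8080,0,S,1:1,,65535,,mss
"""

A_RECORD = re.compile(r"(\S+)\. A (\d{1,3}(?:\.\d{1,3}){3})")

def parse_dns_answers(capture):
    """Map each answered name to the IPv4 addresses in its tcpdump A records."""
    hosts = {}
    for name, ip in A_RECORD.findall(capture):
        hosts.setdefault(name, set()).add(ip)
    return hosts

def blocked_flows(log, tracker="1000000103"):
    """Count blocked (src, dst, proto, dport) tuples logged under one rule
    tracker; 1000000103 is the 'Default deny rule IPv4' the thread mentions."""
    flows = Counter()
    for line in log.splitlines():
        if "filterlog" in line:                  # drop the syslog prefix
            line = line.split(": ", 1)[1]
        f = line.split(",")
        if len(f) < 23 or f[3] != tracker or f[6] != "block" or f[8] != "4":
            continue                             # only IPv4 tcp/udp entries
        proto, src, dst, dport = f[16], f[18], f[19], f[21]
        if proto in ("tcp", "udp"):
            flows[(src, dst, proto, int(dport))] += 1
    return flows

def rules_needed(capture, log, client_ip):
    """(dst, proto, dport) of blocked flows from client_ip to a resolved game IP."""
    game_ips = {ip for ips in parse_dns_answers(capture).values() for ip in ips}
    return sorted({(dst, proto, dport)
                   for (src, dst, proto, dport) in blocked_flows(log)
                   if src == client_ip and dst in game_ips})
```

Calling `rules_needed(DNS_CAPTURE, FILTER_LOG, "192.168.1.23")` returns the two destination/port pairs to allow; on a real box the log text comes from `/var/log/filter.log` and the addresses from a capture taken while the phone tries to connect.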