Firewalling/NAT/Port Problem?
-
Hey all,
I'm posting about the following issue I've been having with pfSense. I have pfSense installed (2.4.5-RELEASE-p1) on a host with 4 NICs (em0 WAN, em1 LAN, em2+3 LAGG).
- The WAN connection happens via PPPoE through a fiber media converter (no modem in between).
- The LAGG functions as trunk to my main switch (UniFi Switch PoE 48), LAN is connected as well to it.
- I have several switches and APs behind that.
I've got 16 VLANs, all configured on the switches and APs; they're all routed out via a VPN, and I have an alias set up for those which should use the default WAN gateway.
All in all it works great!
Before installing further services such as pfBlockerNG-devel etc., I need assistance troubleshooting my current problems. I thoroughly checked this tutorial for all my rules, as I'm a newbie on pfSense, but will post screenshots of my current settings/rules.
My main problems/services that aren't working
- CUPS Printserver
- Librespot (Raspotify/Spotify-Connect) detected but unable to stream
- Netflix Apps (Android/SmartTVs/GamingConsoles)
Services that work
- Spotify-Connect (with Sonos)
- Netflix on Browser 443 (stopped today DNS_PROBE_FINISHED_NXDOMAIN)
Some settings/Rules
- OpenVPN Clients "Don't pull routes" checked
- I don't use IPv6 anywhere
NAT Port Forward
NAT Outbound
I don't have any floating rules, most of the vlans have the same rules as this one
VLan Ruleset
Aliases
LOCAL_SUBNETS
Type = Networks
Network = 192.168.0.0
CIDR = 16
Comment = LAN (192.168.0.0 - 192.168.255.255)

ADMIN_PORTS
Description = Admin ports used for system administration
Type = Ports
Port(s) =
- 443 : pfSense web configurator
- 22 : pfSense SSH

Allowed_OUT_Ports_LAN
Description = Ports permitted LAN egress
Type = Ports
Port(s) =
- 53 : DNS
- 5353:5354 : MDNS
- 123 : NTP
- 21 : FTP
- 22 : SSH
- 161 : SNMP
- 80 : HTTP
- 443 : HTTPS
- 515 : LPD (Printer)
- 427 : SLP (Printer scanner)
- 631 : IPP (Printer)
- 8080:8081 : Unifi
- 8880 : Unifi redirect HTTP
- 8843 : Unifi redirect HTTPS
- 10001 : UBNT broadcast
- 5001 : iperf
- 5900 : IPMI
- 9000 : VNC
- 3389 : remote desktop
- 49152:65535 : Ephemeral ports

Allowed_OUT_Ports_WAN
Description = Open WAN ports
Type = Ports
Port(s) =
- 21 : FTP
- 22 : SSH
- 80 : HTTP
- 443 : HTTPS
- 587 : SMTPS
- 993 : IMAPS
- 5222 : XMPP
- 8080 : HTTP Alt
- 465 : SMTPS
- 119 : NNTP
- 143 : IMAP
- 6667 : IRC
- 6697 : IRCS
- 8443 : CalDAV
- 8843 : CardDAV
- 49152:65535 : ephemeral ports
I have thoroughly searched the forums and the net, and checked the tutorial a thousand times...
My main problem is that I don't know which logs I should be paying attention to.
Thanks for reading this far (if I should mask something please let me know)
If someone could help me or point me in the right direction, that would be AWESOME! :)
I'm new to pfSense but willing to learn, if you need other logs please let me know -
There's a massive amount of information there. I think we will need some specific examples of what's not working.
You have everything relatively locked down, you are filtering outbound ports. Does everything work as expected on an interface that just allows all traffic?
It is generally preferred to use block then pass rules rather than pass with inverted match which can sometimes overmatch.
Some of those port forwards are conflicting. In some interfaces you are forwarding all DNS traffic on port 53 to localhost port 5335 which I assume is the port you have DNSMasq running on? Below that you are forwarding all DNS traffic not using the interface IP to Unbound on localhost but no traffic will ever hit that because of the first rule.
Steve
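To make the rule-ordering point above concrete, here is a small first-match evaluator for pfSense-style port-forward rules. It is an added example, not code from this thread or from pfSense: the rule fields, the LAN interface address 192.168.0.1 and the sample packets are constructed; the two DNS redirects (everything on port 53 to 127.0.0.1:5335, then "not to the interface address" on port 53 to 127.0.0.1:53) model what Steve describes. The `shadowed_rules` check is a sample-based test, not a symbolic proof, but it is enough to show that the second rule can never win as long as the "any" rule sits above it, and that swapping the order lets both rules see traffic.

```python
"""Toy first-match evaluator for pfSense-style NAT port-forward rules.

Added example, not from the forum thread or from pfSense itself. Rules,
addresses and sample packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    proto: frozenset        # e.g. {"tcp", "udp"}
    dst: IPv4Network        # destination network the rule looks at
    dst_invert: bool        # True models pfSense's "not" (inverted match) on destination
    dport: range            # destination port range, half-open
    target: str             # "host:port" the packet is redirected to


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this single rule match the packet?"""
    if pkt.proto not in rule.proto:
        return False
    in_net = ip_address(pkt.dst) in rule.dst
    # Normal rule: match when in network. Inverted rule: match when NOT in network.
    if in_net == rule.dst_invert:
        return False
    return pkt.dport in rule.dport


def first_match(rules, pkt: Packet):
    """pf evaluates port forwards top-down; the first matching rule wins."""
    for r in rules:
        if matches(r, pkt):
            return r.name
    return None  # no forward matched; packet is routed normally


def shadowed_rules(rules, samples):
    """Names of rules that never win first-match over the sample packets.
    Empirical check: a rule absent from the winners is (at least for these
    samples) completely shadowed by an earlier rule."""
    winners = {first_match(rules, p) for p in samples}
    return [r.name for r in rules if r.name not in winners]


# Constructed data: the LAN interface address and the two DNS redirects from the thread.
LAN_IF_ADDR = ip_network("192.168.0.1/32")
TCP_UDP = frozenset({"tcp", "udp"})
RULES_AS_POSTED = [
    Rule("DNS to dnsmasq", TCP_UDP, ANY, False, range(53, 54), "127.0.0.1:5335"),
    Rule("DNS to unbound", TCP_UDP, LAN_IF_ADDR, True, range(53, 54), "127.0.0.1:53"),
]
RULES_REORDERED = list(reversed(RULES_AS_POSTED))

# Constructed sample traffic: DNS to outside resolvers, DNS to the firewall itself, and HTTPS.
SAMPLES = [
    Packet("udp", "8.8.8.8", 53),
    Packet("tcp", "1.1.1.1", 53),
    Packet("tcp", "192.168.0.1", 53),
    Packet("tcp", "1.1.1.1", 443),
]

if __name__ == "__main__":
    print("shadowed as posted:", shadowed_rules(RULES_AS_POSTED, SAMPLES))
    print("shadowed reordered:", shadowed_rules(RULES_REORDERED, SAMPLES))
    for p in SAMPLES:
        print(p, "->", first_match(RULES_REORDERED, p))
```

Run as posted, "DNS to unbound" is reported as shadowed; with the "not interface address" rule moved above the catch-all, queries to outside resolvers go to Unbound while queries aimed at the firewall itself still reach dnsmasq on 5335.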
-
Thank you Stephen for getting back to me.
To get started
- Netflix did work only on browsers (https/443) but not on any other device, each one did note there's a vpn/proxy in between
- The same goes for Amazon Prime
Yesterday I tried to uncheck 'Don't pull routes' on the OpenVPN and everything went to hell, reverted it, rebooted the pfSense and devices are back online, but none can access netflix (neither on browsers [DNS_PROBE_FINISHED_NXDOMAIN] even after flushing dns-caches and resetting the adapter)
Another symptom is that Windows (10) shows me the 'No Internet' symbol in the taskbar, even though it can connect to the internet and other programs (such as Avira/Malwarebytes/Adobe) find automatic updates.
- Spotify (W10 app) therefore won't work (stating it's offline)
- Spotify on Android does work
So tried your first suggestion, connected to the LAN interface but still no connection to netflix(443) possible.
DNS lookup worked, pinging didn't.
One difference on this interface is that W10 will show the 'Connected' internet symbol.
Rules LAN interface
W10 Troubleshooter: DNS Server not responding
DNS Lookup
Ping
5335 is the port DNSMasq runs on; In which manner should/could I change/rearrange those rules to get another result?
Huge thanks again!
Greetings from Italy,
Max -
@charles_moody, I see the problem, it is in your LAN egress rules. Change your protocol, source and destination to ANY. See if Netflix, Amazon and Spotify work.
If not, it could be corrupted. Make a backup of your Pfsense configs. Then reset Pfsense to factory setting (don’t keep any settings).
Make a simple LAN outgoing rule protocol, source and destination to ANY. If it works, then restore your backup configs. -
@AKEGEC I did change the Protocol and Source on the rule 'LAN: Allow ANY <> ANY', reloaded the filter and rebooted, but no change (still can't ping netflix).
This is driving me insane as I'm not even able to ping netflix anymore.
I'm going nuts, thinking to maybe backup my current config, and start from scratch with some simpler rulesets.
Does anyone have some ideas before I take this step?
Kind regards
Max -
@charles_moody, No need for any frustration. I am still here with you while watching Netflix
Just take things one step at a time and you will learn to love challenges (like online banking) ;) -
@charles_moody I tried it too and I also can't ping this address. So they probably don't like to get pinged and turned it off.
PING netflix.com (34.241.244.104) from 192.168.0.2: 56 data bytes
--- netflix.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
-
Yeah, netflix.com (or www.netflix.com) does not necessarily respond to ping so that's not a good test. You can just try opening a TCP connection to it instead, either from the pfSense GUI in Diag > Test Port or using telnet from the client. That's obviously a very basic test. And tests from pfSense will not be policy routed.
The problem you have here is that Netflix (along with most other streaming services) spends a small fortune on technologies to prevent you connecting over a VPN into a different geographical market. So if you are trying to do that and it fails that's not surprising.
Steve
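A client-side equivalent of the TCP connection test Steve suggests, as an added example (not code from this thread or from pfSense). Beyond reachable/unreachable, it separates the outcomes a firewall problem produces: "refused" means the host was reached but nothing listens there, "timeout" is what a silently dropped or wrongly policy-routed connection looks like, and "dns" is the client-side view of the DNS_PROBE_FINISHED_NXDOMAIN error seen earlier in the thread. `self_test` binds a listener on 127.0.0.1 so the example also runs offline; the hostnames in the `__main__` block are the ones discussed in the thread.

```python
"""TCP connect test as a substitute for ping.

Added example, not code from the thread or from pfSense. It does from a
client what Diag > Test Port does from the firewall, and classifies failures.
"""
import socket


def tcp_check(host: str, port: int, timeout: float = 3.0):
    """Return (reachable, reason); reason is 'open', 'refused', 'timeout',
    'dns' or an OS error string."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return False, "dns"  # name did not resolve (NXDOMAIN, resolver not answering)
    family, socktype, proto, _, sockaddr = infos[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return True, "open"
    except socket.timeout:
        return False, "timeout"  # typical of a silent drop: block rule, bad policy route
    except ConnectionRefusedError:
        return False, "refused"  # host reached, but nothing listening on that port
    except OSError as e:
        return False, e.strerror or str(e)
    finally:
        s.close()


def self_test():
    """Exercise tcp_check against a local listener, then against the same
    port once the listener is gone. Constructed offline check, no network needed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_check("127.0.0.1", port, 1.0)
    srv.close()
    after_close = tcp_check("127.0.0.1", port, 1.0)  # nothing listens now -> refused
    return while_open, after_close


if __name__ == "__main__":
    for target in ("www.netflix.com", "www.pfsense.org"):
        print(target, 443, tcp_check(target, 443))
    print("self-test:", self_test())
```

Run from a client on the affected VLAN and again from a client on the LAN interface: if the VLAN reports "timeout" where the LAN reports "open", the difference is in the rules or policy routing for that VLAN rather than in DNS.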
-
@charles_moody, I strongly suggest that you reinstall and set up the rules from scratch. And save configs before every big changes you make.
Download Pfsense 2.4.5-p1, the old file is around 380MB while the new one around 382MB (patched). So I guess Netgate does listen and cares about users' complaints. -
Re: Firewalling/NAT/Port Problem?
Thank you all for your input!
As written, I followed this tutorial and, as @stephenw10 noticed, everything is locked down so much that even the simplest services don't work reliably, if at all.
I learned a lot but didn't understand enough to troubleshoot or resolve the issues, so yeah @AKEGEC, I'll back up the current settings and start from scratch.
As pfSense stands for security, I'll check the hash of the downloaded file.
I will set up everything on a VM and then push it to my hardware instance; I found a tutorial set from 'Lawrence Systems' and another user post about ExpressVPN and Netflix.
Thanks again!
cheers
-
@charles_moody said in Firewalling/NAT/Port Problem?:
As pfSense stands for security, I'll check the hash of the downloaded file.
https://www.pfsense.org/download/ will do fine - it's https - and if you trust the device on which you receive the file, all is ok.
@charles_moody said in Firewalling/NAT/Port Problem?:
this tutorial ... VM .....
What about a bare-bones 'ancient' 1 $ (very old) PC, an extra NIC (3 $?) and you have the perfect - for the money - setup. Adding a "VM" is already a more advanced thing.
Tutorials: See here. Why use other people's advice if you can learn from the guy who actually wrote it? ;)
A first install is a straight type-and-then-click-through. When it runs and you feel comfortable, which comes very fast because setting up pfSense using default settings is .... easy, you can add features one by one, taking the time to test/try/debug each.
Things such as "security" are as good as the knowledge of the admin. pfSense is not some AI device that will call you if something is good or wrong. It's a router/firewall, as there are billions on earth. With (too?) many options, as you will see.
-
@Gertjan I already have everything in place
Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
8GB RAM and 4 Intel NICs
I know how to set this box up, done that quite a few times to get the desired results; I then followed the guide I posted because of "Things as "security" are as good as the knowledge of the admin", and my knowledge in networking is limited, so I thought I'd follow a top post I found on Reddit.
As I can't troubleshoot due to limited knowledge, I'll follow your guide and learn along the way.
After installing 1400m of CAT6a, 5 new PoE APs, IoT, security and several servers I badly want this network to behave the way I want.
Let's see where this journey is leading
cheers