PfSense 2.0 won't route my packets, or is dropping them silently somewhere
-
Hi all,
I'm running 2.0-ALPHA-ALPHA built on Thu Jun 11 17:04:26 EDT 2009 (FreeBSD 7.2-RELEASE-p1) on ALIX hardware.
I'm using ppp for the WAN interface. After I configure everything, I can ping internet hosts from the router itself, but not from any clients on the LAN.
The clients on the LAN are getting DNS resolution, but packets are just lost. No error is returned to the LAN host performing the ping.
net.inet.ip.fastforwarding = 1
Block private IP addresses on the WAN is disabled.
I added a firewall rule to allow all traffic to pass on the WAN and turned on logging and still no traffic would pass, and nothing showed in the logs matching this rule.
I even turned on logging for the LAN "allow any" rule and the logs showed packets being accepted on the LAN interface with destinations on the internet. I don't know what else to try or where else to look. Anyone have any ideas?
Thanks,
GNB
-
You have to generate scrub rules for ppp.
Check filter.inc -
There are two rules already being created . . . Also, filter rules are below. Do I need something more than this?
I tested using a lower MTU and creating a "scrub out on ppp0" with a max-mss value being set. No change in behavior.
What else can I look at?
Thanks,
GNB

pfsense1:~# pfctl -sa | less
TRANSLATION RULES:
nat-anchor "natearly/" all
nat-anchor "natrules/" all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr-anchor "imspector" all
rdr-anchor "miniupnpd" all
FILTER RULES:
scrub in on ppp0 all random-id fragment reassemble
scrub in on vr0 all random-id fragment reassemble
anchor "relayd/*" all
anchor "firewallrules" all
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
anchor "packageearly" all
anchor "carp" all
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in on ! vr0 inet from 192.168.8.0/24 to any
block drop in inet from 192.168.8.1 to any
block drop in on vr0 inet6 from fe80::20d:b9ff:fe18:3a30 to any
anchor "dhcpserverLAN" all
pass in on vr0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in on vr0 inet proto udp from any port = bootpc to 192.168.8.1 port = bootps keep state label "allow access to DHCP server"
pass out on vr0 inet proto udp from 192.168.8.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
anchor "spoofing" all
anchor "loopback" all
pass in on lo0 all flags S/SA keep state label "pass loopback"
pass out on lo0 all flags S/SA keep state label "pass loopback"
anchor "firewallout" all
pass out all flags S/SA keep state label "let out anything from firewall host itself"
anchor "anti-lockout" all
pass in quick on vr0 from any to (vr0) flags S/SA keep state label "anti-lockout rule"
anchor "packagelate" all
pass in log quick on vr0 inet from 192.168.8.0/24 to any flags S/SA keep state allow-opts label "USER_RULE: Default allow LAN to any rule"
anchor "limitingesr" all
anchor "imspector" all
anchor "miniupnpd" all
No queue in use
-
Hi,
Why don't you go back to any known-to-be-working build and relax? It's only -AA quality and you'd get killed instantly/any time you attempt to upgrade, or even a fresh install. Reporting your issues and going back to a working build is the way I found for surviving with -AA builds. Devs will fix/commit and new build(s) will be ready in some time.
cheers,
-
I found the problem. By default "automatic (ipsec passthrough)" NAT rule creation is turned on. Once I turned on "Manual" (or "Advanced") NAT rule creation pfSense automatically created an outbound NAT rule.
This is not intuitive. :)
I don't recall having to do this in any previous builds.
Thanks,
GNB
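As an added check (example code, not from this thread or from pfSense itself), a small script that scans a "pfctl -sa" dump for the two things the replies above point at: a scrub rule on the WAN interface and an outbound NAT rule that translates the LAN subnet. The interface names (vr0, ppp0), the subnet and the sample rule lines are taken from the dump posted above; the "nat on ppp0" rule text is assumed, and pfSense may emit extra options.

```python
import re

# Constructed sample: a trimmed copy of the "pfctl -sa" dump posted above, still
# without any outbound NAT rule for the LAN subnet (the state the thread starts in).
BROKEN_RULESET = """\
TRANSLATION RULES:
nat-anchor "natearly/" all
nat-anchor "natrules/" all
FILTER RULES:
scrub in on ppp0 all random-id fragment reassemble
scrub in on vr0 all random-id fragment reassemble
block drop in log all label "Default deny rule"
pass out all flags S/SA keep state label "let out anything from firewall host itself"
pass in log quick on vr0 inet from 192.168.8.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
"""

# Same dump once an outbound NAT rule exists (assumed pf rule text, not copied from pfSense).
FIXED_RULESET = BROKEN_RULESET.replace(
    "FILTER RULES:", 'nat on ppp0 inet from 192.168.8.0/24 to any -> (ppp0)\nFILTER RULES:')

def scan_ruleset(ruleset, lan_if, lan_subnet, wan_if):
    """Walk the dump section by section and record the pieces LAN->WAN forwarding needs."""
    found = {"lan_pass_in": False, "wan_scrub": False, "nat_sources": []}
    section = None
    for line in ruleset.splitlines():
        if line.endswith("RULES:"):          # "TRANSLATION RULES:" / "FILTER RULES:" headers
            section = line
        elif section == "TRANSLATION RULES:":
            m = re.match(rf"nat on {re.escape(wan_if)}\b.*?from (\S+) to \S+ -> ", line)
            if m:
                found["nat_sources"].append(m.group(1))
        elif section == "FILTER RULES:":
            if re.match(rf"scrub (in|out) on {re.escape(wan_if)}\b", line):
                found["wan_scrub"] = True
            if re.match(rf"pass in .*on {re.escape(lan_if)}\b.*from {re.escape(lan_subnet)} ", line):
                found["lan_pass_in"] = True
    return found

def missing_pieces(ruleset, lan_if="vr0", lan_subnet="192.168.8.0/24", wan_if="ppp0"):
    """List what the ruleset lacks for LAN hosts to reach the Internet via the WAN."""
    found = scan_ruleset(ruleset, lan_if, lan_subnet, wan_if)
    problems = []
    if not found["lan_pass_in"]:
        problems.append(f"no pass-in rule on {lan_if} for {lan_subnet}")
    if not found["wan_scrub"]:
        problems.append(f"no scrub rule on {wan_if}")
    # Without a nat rule on the WAN whose source covers the LAN, replies come back to a private IP.
    if not any(src in ("any", lan_subnet) for src in found["nat_sources"]):
        problems.append(f"no outbound NAT on {wan_if} translating {lan_subnet}")
    return problems
```

Run it against the output of "pfctl -sa" on the box; an empty list means all three ingredients are present, otherwise the list names what to look at first.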
-
Hmmm… that's good to hear 'cos mine runs just fine with "Automatic outbound NAT rule generation (IPsec passthrough)" turned on, or I never touched it ever actually... :P
Good for you anyway that the box started routing packets finally.
cheers,