Netgate Discussion Forum
Getting a default denied rule after setting up the firewall rules

28 Posts 2 Posters 7.6k Views
    Eugene
    last edited by Aug 12, 2009, 6:15 PM

    pfSense does not see syn,ack, it means your 10.0.0.10 does not route 91.199.45.221 back to pfSense.

    http://ru.doc.pfsense.org

      TimDows
      last edited by Aug 12, 2009, 6:33 PM

      @Eugene:

      pfSense does not see syn,ack, it means your 10.0.0.10 does not route 91.199.45.221 back to pfSense.

      Thanks for the help so far by the way!
      But 'unfortunately' the 10.0.0.10 can connect to this ip using http

        Eugene
        last edited by Aug 12, 2009, 6:35 PM

        I think it would be more clear if you could tcpdump on 10.0.0.10 to see whether it responds to IP 91.199.45.221.43367 > 10.0.0.10.23: S
        Can you?

        http://ru.doc.pfsense.org

          TimDows
          last edited by Aug 12, 2009, 8:16 PM

          Sure I can check this:

          ```
          # tcpdump -ni em0 | grep 91.199.45.221
          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
          listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
          22:12:57.604130 IP 91.199.45.221.34002 > 10.0.0.10.23: S 3047972562:3047972562(0) win 5840 <mss 1460,sackOK,timestamp 1902431548 0,nop,wscale 6>
          22:12:57.607788 IP 10.0.0.10.18 > 91.199.45.221.34002: S 564746040:564746040(0) ack 3047972563 win 4128 <mss 536>
          22:12:59.608156 IP 10.0.0.10.1 > 91.199.45.221.34002: S 564746040:564746040(0) ack 3047972563 win 4128 <mss 536>
          22:13:00.606330 IP 91.199.45.221.34002 > 10.0.0.10.23: S 3047972562:3047972562(0) win 5840 <mss 1460,sackOK,timestamp 1902432298 0,nop,wscale 6>
          22:13:00.607776 IP 10.0.0.10.18 > 91.199.45.221.34002: . ack 1 win 4128
          22:13:03.608388 IP 10.0.0.10.1 > 91.199.45.221.34002: S 564746040:564746040(0) ack 3047972563 win 4128 <mss 536>
          22:13:06.606098 IP 91.199.45.221.34002 > 10.0.0.10.23: S 3047972562:3047972562(0) win 5840 <mss 1460,sackOK,timestamp 1902433798 0,nop,wscale 6>
          22:13:06.607501 IP 10.0.0.10.18 > 91.199.45.221.34002: . ack 1 win 4128
          22:13:11.608230 IP 10.0.0.10.1 > 91.199.45.221.34002: S 564746040:564746040(0) ack 3047972563 win 4128 <mss 536>
          22:13:18.605858 IP 91.199.45.221.34002 > 10.0.0.10.23: S 3047972562:3047972562(0) win 5840 <mss 1460,sackOK,timestamp 1902436798 0,nop,wscale 6>
          22:13:18.607577 IP 10.0.0.10.18 > 91.199.45.221.34002: . ack 1 win 4128
          ```

          And the firewall messages:

          Might it have something to do with the fact that I'm using the load balancing service?

            Eugene
            last edited by Aug 12, 2009, 8:31 PM

            If you think this
            ```
            22:12:57.604130 IP 91.199.45.221.34002 > 10.0.0.10.23: S 3047972562:3047972562(0) win 5840 <mss 1460,sackOK,timestamp 1902431548 0,nop,wscale 6>
            22:12:57.607788 IP 10.0.0.10.18 > 91.199.45.221.34002: S 564746040:564746040(0) ack 3047972563 win 4128
            ```

            is correct then you are probably wrong.
            Why you have in source 10.0.0.10.18 instead of 10.0.0.10.23 ??? I am confused…

            http://ru.doc.pfsense.org

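The mismatch Eugene points at above (SYN sent to 10.0.0.10:23, reply sourced from 10.0.0.10:18 and 10.0.0.10:1) is exactly what makes a stateful filter such as pf log a default-deny hit: state is created from the SYN's 4-tuple, and a reply that is not its exact reverse matches no state. The following script is an added example, not code from the thread or from pfSense; it parses lines in the tcpdump format posted above and flags replies that belong to no opened state. The first four sample lines are cleaned from the dump in this thread, the last one is constructed to show what a correctly sourced SYN/ACK would look like.

```python
import re
from collections import namedtuple

# One-line TCP format of the tcpdump version used in the thread:
# "HH:MM:SS.uuuuuu IP a.b.c.d.port > e.f.g.h.port: FLAGS ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)(?P<rest>.*)$"
)

Packet = namedtuple("Packet", "ts src sport dst dport flags is_ack")

def parse_line(line):
    """Parse one tcpdump line; return None for banner/non-TCP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  m["flags"], " ack " in m["rest"])

def find_orphan_replies(lines):
    """Return (ts, src, sport, dst, dport) for each reply whose 4-tuple is not
    the reverse of a SYN seen earlier.  pf creates state from the SYN's
    4-tuple, so such replies match no state and hit the default-deny rule."""
    states = set()   # (client, cport, server, sport) of every bare SYN
    orphans = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p.flags == "S" and not p.is_ack:       # bare SYN opens a state
            states.add((p.src, p.sport, p.dst, p.dport))
        elif (p.dst, p.dport, p.src, p.sport) not in states:
            orphans.append((p.ts, p.src, p.sport, p.dst, p.dport))
    return orphans

# Sample capture: first four lines cleaned from the dump in this thread, the
# last one constructed to show what a correctly sourced SYN/ACK looks like.
SAMPLE = [
    "listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes",
    "22:12:57.604130 IP 91.199.45.221.34002 > 10.0.0.10.23: S 3047972562:3047972562(0) win 5840 <mss 1460,sackOK,timestamp 1902431548 0,nop,wscale 6>",
    "22:12:57.607788 IP 10.0.0.10.18 > 91.199.45.221.34002: S 564746040:564746040(0) ack 3047972563 win 4128 <mss 536>",
    "22:12:59.608156 IP 10.0.0.10.1 > 91.199.45.221.34002: S 564746040:564746040(0) ack 3047972563 win 4128 <mss 536>",
    "22:13:00.607776 IP 10.0.0.10.18 > 91.199.45.221.34002: . ack 1 win 4128",
    "22:13:20.000000 IP 10.0.0.10.23 > 91.199.45.221.34002: S 1:1(0) ack 3047972563 win 4128 <mss 536>",
]

if __name__ == "__main__":
    for ts, src, sport, dst, dport in find_orphan_replies(SAMPLE):
        print(f"{ts} {src}:{sport} -> {dst}:{dport}: no matching state, would be denied")
```

Running it lists the three replies from ports 18 and 1 and accepts the constructed reply from port 23, which is the pattern to look for when a NAT port forward shows SYNs arriving but the firewall log fills with default-deny entries for the return traffic.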
              TimDows
              last edited by Aug 12, 2009, 8:40 PM

              I haven't got the slightest idea what it could be.
              I'm thinking of a reinstall with only 1 WAN and then try to NAT something.

              I'll let you know tomorrow (11 PM over here already)

                Eugene
                last edited by Aug 12, 2009, 8:45 PM

                I would blame 10.0.0.10 here.
                Make local connection with network dumps.
                … or good night -)

                http://ru.doc.pfsense.org

                  TimDows
                  last edited by Aug 12, 2009, 8:57 PM

                  Gonna try to connect an Ubuntu machine here and try to open an external ssh session to it through pfSense.
                  Results are coming over :>)

                    TimDows
                    last edited by Aug 15, 2009, 1:57 PM

                    Well, here are some test results:

                    After connecting my 10.0.0.10 (local device) to the modem directly all was working fine (puts the problem definitely at the pfSense configuration).
                    I did a reinstall of my pfSense machine with the 1.2.3-RC1 image and created the LoadBalancer, placed the firewall rules so the Internet was working.
                    Unfortunately, after creating the NAT and some more firewall rules, no connection could be made.

                    I now have a modem directly connected to my local device so incoming connections bypass the pfSense firewall. Not the best way but works for now. If I find a solution in the near future I'll be sure to post it here!

                      Eugene
                      last edited by Aug 15, 2009, 2:00 PM

                      Can you make tcpdump on local device while connected directly to modem?

                      http://ru.doc.pfsense.org

                        TimDows
                        last edited by Aug 15, 2009, 2:09 PM

                        @Eugene:

                        Can you make tcpdump on local device while connected directly to modem?

                        That will be very hard (the local device is a Cisco router).
                        Guess I can connect my Ubuntu machine directly and run a dump on there!

                          Eugene
                          last edited by Aug 15, 2009, 2:55 PM

                          Fix it with ubuntu and then apply solution to cisco.

                          http://ru.doc.pfsense.org

                            TimDows
                            last edited by Aug 15, 2009, 3:39 PM

                            @Eugene:

                            Fix it with ubuntu and then apply solution to cisco.

                            Just tried to do this with Ubuntu.
                            I'm able to connect to Ubuntu over the local network (telnet and ssh).
                            Applying some NAT & firewall rules gives the same result as before: no syn,ack in tcpdump while connecting from the interwebs.

                            Getting very frustrated because it's lovely weather over here ;>)

                            Is there a 'workaround' for natting problems like this (Like turning off the firewall completely?)

                            regards from the netherlands

                              Eugene
                              last edited by Aug 15, 2009, 3:46 PM

                              It's lovely weather here as well (sunny, 27C) but it should not affect our ability to fix this problem. Can you post tcpdumps of your local session to this Ubuntu box and remote session (through pfSense)? Both dumps from Ubuntu please.

                              http://ru.doc.pfsense.org

                                TimDows
                                last edited by Aug 16, 2009, 2:26 PM

                                FINALLY!!!

                                I got it to work!

                                The solution:

                                • I used OPT1 or OPT3 for the incoming connections; change this to WAN
                                • All connected devices were configured with static IP addresses; configure them for DHCP and set up a DHCP server on LAN
                                • Make some NAT and firewall rules for LAN & WAN
                                  +> Problem solved!

                                Eugene thanks for the support so far!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.