[solved] problems with understanding "advanced" egress filtering
-
@johnpoz I remember that @stephenw10 gave me once the advice to remove reply-to from my VPN-kill-switch, which is a block, outgoing on WAN too.
So my unqualified guess is, it shouldn't be there in the first place.
Too bad I am a network noob not really able to sniff and evaluate that stuff but I see the potential fun of doing it and solving all the mystery.
-
@Bob-Dig said in [solved] problems with understanding "advanced" egress filtering:
not really able to sniff
anyone that has pfsense can sniff - its simple gui packet capture under diagnostics.. Simple packet capture with your frtitzbox IP as filter on host IP.. Then go to your fritzbox gui and post the pcap - and we can see if the mac you send to is the same that answer comes from.
-
@johnpoz Like this? I do nat.
-
@Bob-Dig yeah so what is the macs involved - you see in the syn and then in the syn,ack answer
They look the same - so reply-to disable shouldn't be needed. Is that your fritzbox IP, or some other IP on yoru wan net?
-
@johnpoz said in [solved] problems with understanding "advanced" egress filtering:
They look the same - so reply-to disable shouldn't be needed. Is that your fritzbox IP, or some other IP on yoru wan net?
But it was needed. That is fritzbox (.1) and pfsense (.2).
-
@Bob-Dig hmmm - then I don't understand exactly what that reply-to disable is doing then. From that converstation, it looks to be symmetrical from the macs
-
@johnpoz It has no purpose on an outbound wan-rule and further does something bad, if it exists. I don't think that it is a coincidence, that we both needed to disable it...
-
@Bob-Dig mine I thought I understood because the macs are different from where I send and where the reply comes from. But in yours the answer is coming from the same mac your sending too..
You sure you need it when talking to that IP.. I could see needing it when talking to some other device on the wan net, that bounces its return off your fritzbox.. Then it would make complete sense when not natting..
edit: Ok its something weird when you use outbound blocking rules.. So when I disable my block rule of rfc1918 and my allow rule for outbound to 192.168.100.1
It works just fine.. But if I add block rfc1918 outbound, with specific allow of 192.168.100.1 before it - then have to disable the reply-to...
Hmmmm?? Something is odd for sure..
-
B Bob.Dig referenced this topic on
-
@johnpoz said in [solved] problems with understanding "advanced" egress filtering:
I allow outbound going to 192.168.100.1 which is my cable modems IP, so I can view its logs and signal strengths, etc. I do nat that because I have a vip on the wan interface connected to the modem of 192.168.100.2. So I nat traffic going to my modem IP with that vip
Btw
I bet you don't need that vip to connect to your cable modem. When I had cable internet, I could connect without it. -
@Bob-Dig said in [solved] problems with understanding "advanced" egress filtering:
I bet you don't need that vip to connect to your cable modem. When I had cable internet, I could connect without it.
True my last cable modem I could without the vip.. But I leave it setup so its easy to show people how to do it if need be.. I haven't actually tested with my new S33 I got a while back.
-
J johnpoz referenced this topic on
-
J johnpoz referenced this topic on