NAT Problems importing 1.2.3 config on 2.0 Pfsense?



  • Hello boys, another user told me at the 2.0 Bugs forum that I have a NAT problem in my config, so I thought that perhaps this is a better place to find a solution to my problem. I posted Rules.debug below too.

    I installed the latest snapshot and loaded the config from the previous version (1.2.3). Right now only connections to IPPublica4 appear to be affected, which is NATed to the mail server in the DMZ; no service can be reached on that server (no webmail, nor imap, pop, smtp…), but maybe all port redirection is not working.

    IPPublica1=Mail server
    IPPublica3=web server
    IPPublica4=Wan Firewall
    IPPublica5=Default WAN Router
    Here is Rules.debug:

    #System aliases

    loopback = "{ lo0 }"
    WAN = "{ em1 }"
    LAN = "{ bge0 }"
    DMZ = "{ em2 }"
    WAN2_ADSL = "{ em0 }"
    pptp = "{ pptp }"
    IPsec = "{ enc0 }"
    OpenVPN = "{ openvpn }"

    #SSH Lockout Table
    table <sshlockout> persist
    #Snort2C table
    table <snort2c>
    table <virusprot>
    # User Aliases
    table <correo> {   10.0.0.22 }
    Correo = "<correo>"
    table <red_dmz> {   10.0.0.1/24 }
    RED_DMZ = "<red_dmz>"
    table <red_local> {   172.26.0.0/24 }
    Red_Local = "<red_local>"
    table <servidor_web> {   10.0.0.25 }
    Servidor_Web = "<servidor_web>"
    table <voip> {   172.26.253.0/24  172.26.0.246/32 }
    Voip = "<voip>"

    # Gateways

    GWGW_WAN = " route-to ( em1 IPPublica5 ) "
    GWGW_OPT2 = " route-to ( em0 10.1.0.1 ) "
    GWSROUTE0 = " route-to ( bge0 172.26.254.26 ) "
    GWSROUTE1 = " route-to ( bge0 172.26.254.66 ) "
    GWSROUTE2 = " route-to ( bge0 172.26.254.70 ) "
    GWSROUTE3 = " route-to ( bge0 172.26.254.34 ) "
    GWSROUTE4 = " route-to ( bge0 172.26.254.2 ) "

    set loginterface em1
    set loginterface bge0
    set loginterface em2
    set loginterface em0
    set optimization normal
    set limit states 198000

    set skip on pfsync0

    scrub in on $WAN all    fragment reassemble
    scrub in on $LAN all    fragment reassemble
    scrub in on $DMZ all    fragment reassemble
    scrub in on $WAN2_ADSL all    fragment reassemble

    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # Outbound NAT rules

    nat on $LAN  from 172.26.0.0/24 to any -> 172.26.0.10/32 port 1024:65535
    nat on $WAN2_ADSL  from 172.26.0.0/24 to any -> 10.1.0.2/32 port 1024:65535
    nat on $WAN  from 172.26.0.0/24 to any -> IPPublica4/32 port 1024:65535
    nat on $WAN  from 10.0.0.22/32 to !172.26.0.0/24 port 25 -> IPPublica1/32 port 1024:65535
    nat on $WAN  from 10.0.0.22/32 to !172.26.0.0/24 port 53 -> IPPublica1/32 port 1024:65535
    nat on $WAN  from 10.0.0.22/32 port 53 to !172.26.0.0/24 -> IPPublica1/32 port 1024:65535
    nat on $WAN  from 10.0.0.31/32 port 53 to !172.26.0.0/24 -> IPPublica1/32 port 1024:65535
    nat on $WAN  from 10.0.0.30/32 port 53 to !172.26.0.0/24 -> IPPublica3/32 port 53
    nat on $WAN  from 10.0.0.30/32 to !172.26.0.0/24 -> IPPublica4/32 port 1024:65535
    nat on $LAN  from 10.0.0.30/32 to 172.26.0.0/24 port 1433 -> 172.26.0.10/32 port 1024:65535
    nat on $LAN  from 10.0.0.25/32 to 172.26.0.250/32 port 445 -> 172.26.0.10/32 port 1024:65535
    nat on $WAN  from 10.0.0.25/32 to !172.26.0.0/24 -> IPPublica3/32 port 1024:65535
    nat on $LAN  from 10.0.0.22/32 to 172.26.0.201/32 -> 172.26.0.10/32 port 1024:65535
    nat on $WAN  from 172.26.0.0/24 to 10.0.0.0/24 -> IPPublica4/32 port 1024:65535
    nat on $WAN  from 10.0.0.22/32 to !172.26.0.0/24 port 80 -> IPPublica1/32 port 1024:65535

    # Load balancing anchor

    rdr-anchor "relayd/*"

    # TFTP proxy

    rdr-anchor "tftp-proxy/*"
    table <vpns> { 192.168.3.0/24 192.168.1.0/24 192.168.0.0/24 192.168.2.0/24 192.168.222.0/24 }
    table <direct_networks> { 213.201.119.96/29 172.26.0.0/24 10.0.0.0/24 10.1.0.0/24 172.26.0.16/32 }

    # NAT Inbound Redirects

    rdr on em1 proto tcp from any to IPPublica1 port 80 -> 10.0.0.22

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 80 tag PFREFLECT -> 127.0.0.1 port 19000

    rdr on em1 proto tcp from any to IPPublica1 port 25 -> 10.0.0.22

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 25 tag PFREFLECT -> 127.0.0.1 port 19001

    rdr on em1 proto tcp from any to IPPublica1 port 5222:5223 -> 10.0.0.22

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 5222:5223 tag PFREFLECT -> 127.0.0.1 port 19002:19003

    rdr on em1 proto tcp from any to IPPublica1 port 993 -> 10.0.0.22

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 993 tag PFREFLECT -> 127.0.0.1 port 19004

    rdr on em1 proto tcp from any to IPPublica1 port 465 -> 10.0.0.22

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 465 tag PFREFLECT -> 127.0.0.1 port 19005

    rdr on em1 proto tcp from any to IPPublica1 port 443 -> 10.0.0.22

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 443 tag PFREFLECT -> 127.0.0.1 port 19006

    rdr on em1 proto tcp from any to IPPublica1 port 143 -> 10.0.0.22

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 143 tag PFREFLECT -> 127.0.0.1 port 19007

    rdr on em1 proto { tcp udp } from any to IPPublica4 port 80 -> 172.26.0.253

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica4 port 80 tag PFREFLECT -> 127.0.0.1 port 19008

    rdr on em1 proto { tcp udp } from any to IPPublica1 port 53 -> 10.0.0.31

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica1 port 53 tag PFREFLECT -> 127.0.0.1 port 19009

    rdr on em1 proto { tcp udp } from any to IPPublica3 port 53 -> 10.0.0.30

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica3 port 53 tag PFREFLECT -> 127.0.0.1 port 19010

    rdr on em1 proto { tcp udp } from any to IPPublica4 port 8080 -> 172.26.0.253

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica4 port 8080 tag PFREFLECT -> 127.0.0.1 port 19011

    rdr on em1 proto tcp from any to IPPublica3 port 80 -> 10.0.0.30

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica3 port 80 tag PFREFLECT -> 127.0.0.1 port 19012

    rdr on em1 proto { tcp udp } from any to IPPublica3 port 443 -> 10.0.0.30

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica3 port 443 tag PFREFLECT -> 127.0.0.1 port 19013

    rdr on em1 proto udp from any to IPPublica4 port 69 -> 172.26.0.246

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 69 tag PFREFLECT -> 127.0.0.1 port 19014

    rdr on em1 proto udp from any to IPPublica4 port 5060 -> 172.26.0.246

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 5060 tag PFREFLECT -> 127.0.0.1 port 19015

    rdr on em1 proto udp from any to IPPublica4 port 5061 -> 172.26.0.246

    # Reflection redirects

    rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 5061 tag PFREFLECT -> 127.0.0.1 port 19016

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    anchor "firewallrules"
    #---------------------------------------------------------------------------

    # default deny rules

    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # Block all IPv6

    block in quick inet6 all
    block out quick inet6 all

    # snort2c

    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # package manager early specific hook

    anchor "packageearly"

    # carp

    anchor "carp"
    block in log quick proto carp from (self) to any
    pass quick proto carp
    pass quick proto pfsync

    # SSH lockout

    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"

    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    anchor "wanbogons"
    block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
    antispoof for em1

    # block anything from private networks on interfaces with the option set

    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    antispoof for bge0
    antispoof for em2
    antispoof for em0
    anchor "spoofing"

    # loopback

    anchor "loopback"
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    anchor "firewallout"

    # let out anything from the firewall host itself and decrypted IPsec traffic

    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em1 IPPublica5 ) from IPPublica4 to !213.201.119.96/29 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em0 10.1.0.1 ) from 10.1.0.2 to !10.1.0.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out on $IPsec all keep state label "IPsec internal host to host"

    # make sure the user cannot lock himself out of the webConfigurator or SSH

    anchor "anti-lockout"
    pass in quick on bge0 from any to (bge0) keep state label "anti-lockout rule"

    # PPTPd rules

    anchor "pptp"
    pass in on $WAN proto gre from any to IPPublica4 keep state label "allow gre pptpd"
    pass in on $WAN proto tcp from any to IPPublica4 port = 1723 modulate state label "allow pptpd IPPublica4"

    # NAT Reflection rules

    pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"

    # User-defined rules follow

    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to IPPublica4 port 1723  flags S/SA keep state  label "USER_RULE: Permitir peticiones PPTP"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 80   label "USER_RULE: NAT "
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 22   label "USER_RULE: NAT "
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.22 port 53   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION DNS "
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 25   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION SMTP"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 5221 >< 5224   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION XMPP"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 993   label "USER_RULE: NAT ZIMBRA REDIRECCION IMAPS"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 465   label "USER_RULE: NAT [ZIMBRA]-Redireccion SMTP Seguro"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 443   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION HTTP SEGURO"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 143   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION IMAP"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  from   10.0.0.30 to any keep state  label "USER_RULE: SALIDA WAN DE HOSTING1"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 500  keep state  label "USER_RULE: PERMITIR  TUNELES IPSEC "
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto esp  from any to any keep state  label "USER_RULE: PROTOCOLO ESP"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto ah  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  inet proto icmp  from any to any keep state  label "USER_RULE: Responder Pings desde WAN"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.30 port 80   label "USER_RULE: NAT [WWW2]-REDIRECCION HTTP"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.22 port 53   label "USER_RULE: NAT ENTRADA DNS A CORREO"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.30 port 53   label "USER_RULE: NAT ENTRADA DNS A HOSTING1"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.30 port 53   label "USER_RULE: NAT ENTRADA DNS FIREWALL (PROVISIONAL)"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.31 port 53  keep state  label "USER_RULE: NAT ENTRADA DNS FIREWALL (PROVISIONAL)"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   172.26.0.253 port 8080  keep state  label "USER_RULE: NAT FichaClientes"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   172.26.0.253 port 80  keep state  label "USER_RULE: NAT FichaClientes"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   IPPublica4 port 8080  keep state  label "USER_RULE: NAT FichaClientes"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   IPPublica4 port 80  keep state  label "USER_RULE: NAT FichaClientes"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1194  keep state  label "USER_RULE: Openvpn Nuria"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1193  keep state  label "USER_RULE: Openvpn Esther Laptop"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1195  keep state  label "USER_RULE: Openvpn MariCruz"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1196  keep state  label "USER_RULE: Openvpn Ana"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1197  keep state  label "USER_RULE: Openvpn Guadalupe"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1198  keep state  label "USER_RULE: Openvpn T91MT"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1199  keep state  label "USER_RULE: Openvpn T91MT"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1297  keep state  label "USER_RULE: Openvpn LUIS"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1294  keep state  label "USER_RULE: Permitir entrada OpenVPN (BCN)"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1295  keep state  label "USER_RULE: Permitir entrada OpenVPN (BCN)"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1296  keep state  label "USER_RULE: Permitir entrada VPN Esther"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1298  keep state  label "USER_RULE: Permitir entrada VPN Easy"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.30 port 80   label "USER_RULE: NAT REDIRECCION WEB A HOSTING"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.30 port 443   label "USER_RULE: NAT ENTRADA HTTPS A HOSTING1"
    pass  in  quick  on $WAN  proto tcp  from any  to <vpns> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass  in  quick  on $WAN  $GWGW_OPT2  proto tcp  from any to any port 21  flags S/SA keep state  label "USER_RULE: SALIDA FTP POR ADSL"
    pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to IPPublica4 port 69  keep state  label "USER_RULE: Entrada TFTP"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to   172.26.0.246 port 69  keep state  label "USER_RULE: NAT TFTP Centralita"
    pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to   172.26.0.246 port 5060  keep state  label "USER_RULE: NAT TFTP Centralita"
    pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to   172.26.0.246 port 5061   label "USER_RULE: NAT TFTP Centralita"
    pass  in  quick  on $pptp  from any to   172.26.0.0/24 keep state  label "USER_RULE: Acceso a LAN desde PPTP"
    pass  in  quick  on $pptp  from any to   10.0.0.0/24 keep state  label "USER_RULE: Acceso a DMZ desde VPN PPTP"
    pass  in  quick  on $pptp  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $DMZ  from   10.0.0.25 to any keep state  label "USER_RULE"
    pass  in log  quick  on $DMZ  from   10.0.0.22 to any keep state  label "USER_RULE: SALIDA TEMPORAL DE CORREO [BORARR ASAP]"
    pass  in  quick  on $DMZ  proto tcp  from   10.0.0.25 to any port 25  flags S/SA keep state  label "USER_RULE: SALIENTES SMTP [VIEJO]"
    pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.25 to   172.26.0.253 keep state  label "USER_RULE: [WWW VIEJO] A SQL SERVER"
    pass  in  quick  on $DMZ  proto tcp  from   10.0.0.30  os Linux to   172.26.0.253 port 1433  flags S/SA keep state  label "USER_RULE: [WWW NUEVO] A SQL SERVER (SOLO SQL)"
    pass  in  quick  on $DMZ  proto tcp  from   10.0.0.30  os Linux to   172.26.0.249 port 1433  flags S/SA keep state  label "USER_RULE: [WWW NUEVO] A SQL SERVER NUEVO(SOLO SQL)"
    pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.25 to   172.26.0.250 keep state  label "USER_RULE: [WWW VIEJO] SALIDA A ANTIVIRUS"
    pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.25 to any port 53  keep state  label "USER_RULE: [WWW VIEJO] DNS TCP"
    pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.31 to any port 53  keep state  label "USER_RULE: [HOSTING1 ] DNS "
    pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.30 to any port 53  keep state  label "USER_RULE: [HOSTING VIRTUAL1] DNS "
    pass  in  quick  on $DMZ  proto tcp  from 172.26.0.0/24 to   10.0.0.25 flags S/SA keep state  label "USER_RULE"
    pass  in  quick  on $DMZ  from   10.0.0.30 to  ! 172.26.0.0/24 keep state  label "USER_RULE: SALIDA HTTP HOSTING"
    pass  in  quick  on $DMZ  from   10.0.0.12 to  ! 172.26.0.0/24 keep state  label "USER_RULE: SALIDA HTTP VMWARE"
    pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: Auto added OpenVPN rule from config upgrade."
    pass  in  quick  on $LAN  from any to   127.0.0.1 keep state  label "USER_RULE: FTP -PROXY"
    pass  in  quick  on $LAN  from 172.26.0.0/24 to 10.0.0.1/24 keep state  label "USER_RULE: Dejar pasar todo el trafico hacia la DMZ"
    pass  in  quick  on $LAN  from 172.26.0.0/24 to   213.201.119.96/29 keep state  label "USER_RULE: Redirigir salida LAN a HOSTS en WAN"
    pass  in log  quick  on $LAN  from any to   172.26.254.40/29 keep state  label "USER_RULE"
    pass  in  quick  on $LAN  proto tcp  from 172.26.0.0/24  to <vpns> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass  in  quick  on $LAN  $GWGW_OPT2  proto tcp  from 172.26.0.0/24 to any port 80  flags S/SA keep state  label "USER_RULE: Redirigir salida HTTP A ADSL"
    pass  in  quick  on $LAN  proto tcp  from 172.26.0.0/24  to <vpns> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass  in  quick  on $LAN  $GWGW_OPT2  proto tcp  from 172.26.0.0/24 to any port 443  flags S/SA keep state  label "USER_RULE: Redirigir salida HTTPS A ADSL"
    pass  in  quick  on $LAN  proto { tcp udp }  from 172.26.0.0/24  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass  in  quick  on $LAN  $GWGW_OPT2  proto { tcp udp }  from 172.26.0.0/24 to any port 53  keep state  label "USER_RULE: Redirigir salida DNS A ADSL"
    pass  in log  quick  on $LAN  proto { tcp udp }  from 172.26.0.0/24  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass  in log  quick  on $LAN  $GWGW_OPT2  proto { tcp udp }  from 172.26.0.0/24 to any port 21  keep state  label "USER_RULE: Default LAN -> any"
    pass  in log  quick  on $LAN  from 172.26.0.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
    pass  in  quick  on $LAN  from   172.26.0.254/24 to any keep state  label "USER_RULE: Acceso desde OpenVPN"
    pass  in  quick  on $LAN  from   172.26.254.0/24 to any keep state  label "USER_RULE"
    pass  in  quick  on $IPsec  from   10.0.0.0/24 to   192.168.222.0/24 keep state  label "USER_RULE: Acceso a DMZ"
    pass  in  quick  on $IPsec  from   172.26.0.0/24 to   192.168.222.0/24 keep state  label "USER_RULE"
    pass  in  quick  on $IPsec  from any to   127.0.0.1 keep state  label "USER_RULE: FTP- PROXY"
    pass  in  quick  on $IPsec  from 172.26.0.0/24 to   192.168.2.0/24 keep state  label "USER_RULE"
    pass  in  quick  on $IPsec  from   192.168.2.0/24 to 172.26.0.0/24 keep state  label "USER_RULE"
    pass  in  quick  on $IPsec  proto { tcp udp }  from   192.168.1.0/24 to   172.26.0.0/24 keep state  label "USER_RULE: ACEPTAR ENTRADA DESDE MAFLO LORCA"
    pass  in  quick  on $IPsec  proto tcp  from   192.168.2.0/24  os Windows to   172.26.0.253 port 3389  flags S/SA keep state  label "USER_RULE: Acceso a MAnager desde Milanera"
    pass  in  quick  on $IPsec  proto tcp  from   192.168.3.0/24  os Windows to   172.26.0.253 port 3389  flags S/SA keep state  label "USER_RULE: Acceso a MAnager desde Rio Vena"
    pass  in  quick  on $IPsec  from any to   192.168.2.139 keep state  label "USER_RULE: SALIDA A IMPRESORA RICOH MILANERA"
    pass  in  quick  on $IPsec  from   192.168.2.139 to any keep state  label "USER_RULE: ENTRADA DESDE IMPRESORA RICOH MILANERA"
    pass  in  quick  on $IPsec  proto esp  from any to any keep state  label "USER_RULE: PERMITIR TRAFICO DE TUNELES IPSEC ESP"
    pass  in  quick  on $IPsec  proto udp  from any to any keep state  label "USER_RULE: IPSEC UDP"
    pass  in  quick  on $IPsec  proto ah  from any to any keep state  label "USER_RULE: IPSEC AH"
    pass  in  quick  on $IPsec  proto pfsync  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $IPsec  proto { tcp udp }  from   172.26.0.0/24 to   192.168.1.0/24 keep state  label "USER_RULE: ACEPTAR ENTRADA DESDE MAFLO LORCA"
    pass  in  quick  on $IPsec  from any to any keep state  label "USER_RULE: TODO IPSEC"
    pass  in  quick  on $IPsec  from   172.26.254.80/29 to   192.168.0.0/24 keep state  label "USER_RULE: ACCESO A EXCLUSIVAS DESDE ESTHER OVPN"

    # VPN Rules

    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 193.146.168.223 port = 500 keep state label "IPsec: SRB - RIO VENA - outbound isakmp"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 193.146.168.223 to any port = 500 keep state label "IPsec: SRB - RIO VENA - inbound isakmp"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 193.146.168.223 port = 4500 keep state label "IPsec: SRB - RIO VENA - outbound nat-t"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 193.146.168.223 to any port = 4500 keep state label "IPsec: SRB - RIO VENA - inbound nat-t"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 193.146.168.223 keep state label "IPsec: SRB - RIO VENA - outbound esp proto"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 193.146.168.223 to any keep state label "IPsec: SRB - RIO VENA - inbound esp proto"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 84.125.69.198 port = 500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound isakmp"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 84.125.69.198 to any port = 500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound isakmp"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 84.125.69.198 port = 4500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound nat-t"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 84.125.69.198 to any port = 4500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound nat-t"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 84.125.69.198 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound esp proto"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 84.125.69.198 to any keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound esp proto"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 84.125.89.246 port = 500 keep state label "IPsec: EXCLUSIVAS - outbound isakmp"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 84.125.89.246 to any port = 500 keep state label "IPsec: EXCLUSIVAS - inbound isakmp"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 84.125.89.246 port = 4500 keep state label "IPsec: EXCLUSIVAS - outbound nat-t"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 84.125.89.246 to any port = 4500 keep state label "IPsec: EXCLUSIVAS - inbound nat-t"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 84.125.89.246 keep state label "IPsec: EXCLUSIVAS - outbound esp proto"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 84.125.89.246 to any keep state label "IPsec: EXCLUSIVAS - inbound esp proto"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 193.146.174.197 port = 500 keep state label "IPsec: VPN SRB MILANERA - outbound isakmp"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 193.146.174.197 to any port = 500 keep state label "IPsec: VPN SRB MILANERA - inbound isakmp"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 193.146.174.197 port = 4500 keep state label "IPsec: VPN SRB MILANERA - outbound nat-t"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 193.146.174.197 to any port = 4500 keep state label "IPsec: VPN SRB MILANERA - inbound nat-t"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 193.146.174.197 keep state label "IPsec: VPN SRB MILANERA - outbound esp proto"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 193.146.174.197 to any keep state label "IPsec: VPN SRB MILANERA - inbound esp proto"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 87.223.188.155 port = 500 keep state label "IPsec: Kaneda HOme - outbound isakmp"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 87.223.188.155 to any port = 500 keep state label "IPsec: Kaneda HOme - inbound isakmp"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 87.223.188.155 port = 4500 keep state label "IPsec: Kaneda HOme - outbound nat-t"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 87.223.188.155 to any port = 4500 keep state label "IPsec: Kaneda HOme - inbound nat-t"
    pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 87.223.188.155 keep state label "IPsec: Kaneda HOme - outbound esp proto"
    pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 87.223.188.155 to any keep state label "IPsec: Kaneda HOme - inbound esp proto"

    # package manager late specific hook

    anchor "packagelate"

    anchor "tftp-proxy/*"

    anchor "limitingesr"

    # uPnPd

    anchor "miniupnpd"
    #---------------------------------------------------------------------------

    I'm getting really crazy with this; any help would be nice.
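One way to check a ruleset like the one above for the classic "port forward does not work" cause, a `rdr` whose translated destination has no matching `pass in` rule on WAN. This is an added example, not part of the thread or of pfSense: it parses the `rdr` and WAN `pass in` lines in the rules.debug format shown above and reports every (target host, protocol, port) that a `rdr` sends traffic to but no WAN `pass` rule allows, plus WAN `pass` rules toward internal hosts that no `rdr` ever feeds. The sample ruleset is constructed from lines copied from the post, with one extra `rdr` (port 110) added so the checker has a gap to report.

```python
import re

# Constructed sample ruleset: lines copied from the rules.debug posted in this
# thread, plus one constructed rdr (IPPublica1 port 110) that has no pass rule.
SAMPLE_RULES = """\
rdr on em1 proto tcp from any to IPPublica1 port 80 -> 10.0.0.22
rdr on em1 proto tcp from any to IPPublica1 port 25 -> 10.0.0.22
rdr on em1 proto tcp from any to IPPublica1 port 5222:5223 -> 10.0.0.22
rdr on em1 proto { tcp udp } from any to IPPublica1 port 53 -> 10.0.0.31
rdr on em1 proto tcp from any to IPPublica1 port 110 -> 10.0.0.22
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 80   label "USER_RULE: NAT "
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 22   label "USER_RULE: NAT "
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 25   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION SMTP"
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 5221 >< 5224   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION XMPP"
pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.31 port 53  keep state  label "USER_RULE: NAT ENTRADA DNS FIREWALL (PROVISIONAL)"
"""

# rdr on <iface> proto <p> from any to <public> port <spec> -> <target>
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) proto (?P<proto>\{[^}]*\}|\S+) from any to "
    r"(?P<pub>\S+) port (?P<port>\d+(?:\s*><\s*\d+|:\d+)?) -> (?P<target>\S+)")

# pass in [log] quick on $WAN ... proto <p> from any to <dst> port <spec> ... label
PASS_RE = re.compile(
    r"^pass\s+in(?:\s+log)?\s+quick\s+on \$WAN\b.*?proto (?P<proto>\{[^}]*\}|\S+)\s+"
    r"from any to\s+(?P<dst>\S+) port (?P<port>\d+(?:\s*><\s*\d+|:\d+)?)\s+"
    r"(?:flags \S+\s+)?(?:keep state\s+)?label")


def parse_ports(spec):
    """Expand a pf port spec into a set of port numbers.
    Handles 'N', 'N:M' (inclusive range) and 'N >< M' (pf's exclusive range)."""
    spec = spec.strip()
    m = re.fullmatch(r"(\d+)\s*><\s*(\d+)", spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return set(range(lo + 1, hi))
    m = re.fullmatch(r"(\d+):(\d+)", spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return set(range(lo, hi + 1))
    return {int(spec)}


def parse_protos(spec):
    """'tcp' -> {'tcp'}; '{ tcp udp }' -> {'tcp', 'udp'}."""
    return set(spec.strip("{} ").split())


def audit_forwards(ruleset):
    """Return (missing, unused).
    missing: (public VIP, target, proto, port) tuples a rdr translates to but
             no WAN pass rule allows, so the forward can never work.
    unused:  (dst, proto, port) WAN pass rules that no rdr ever feeds."""
    needed = {}      # (target, proto, port) -> public VIP
    allowed = set()  # (dst, proto, port) opened by WAN pass rules
    for line in ruleset.splitlines():
        line = line.strip()
        m = RDR_RE.match(line)
        if m:
            for proto in parse_protos(m["proto"]):
                for port in parse_ports(m["port"]):
                    needed[(m["target"], proto, port)] = m["pub"]
            continue
        m = PASS_RE.match(line)
        if m:
            for proto in parse_protos(m["proto"]):
                for port in parse_ports(m["port"]):
                    allowed.add((m["dst"], proto, port))
    missing = sorted((pub, t, pr, po) for (t, pr, po), pub in needed.items()
                     if (t, pr, po) not in allowed)
    unused = sorted(k for k in allowed if k not in needed)
    return missing, unused


if __name__ == "__main__":
    missing, unused = audit_forwards(SAMPLE_RULES)
    for pub, target, proto, port in missing:
        print(f"rdr {pub} -> {target} {proto}/{port}: no WAN pass rule, forward cannot work")
    for dst, proto, port in unused:
        print(f"pass to {dst} {proto}/{port}: no rdr feeds it (harmless, but worth a look)")
```

On a live pfSense 2.0 box the same functions can be fed the real file with `audit_forwards(open("/tmp/rules.debug").read())`; the regexes deliberately match only the layout pfSense emits for WAN port forwards, so rules with other shapes (interface groups, negated destinations) are simply skipped rather than misread.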


  • Rebel Alliance Developer Netgate

    Post screenshots of the GUI config for NAT and Firewall rules. Those would probably help more (at least initially) than the rules.debug file.



  • Thanks a lot Jimp
    If you can't find it, nobody will be able to.
    Here are the screenshots
     ________        ________________         _____________
    | LAN    |------| pfSense        |-------| Router Wan1 |
    |________|      |                |       |_____________|
                    |                |        _____________
     ________       |                |-------| Router Wan2 |
    | DMZ    |------|________________|       |_____________|
    |________|

    IP ending in .98 -> Public IP for mail server (VIP Proxy ARP) -> 10.0.0.22
    IP ending in .100 -> Public IP for www server (VIP Proxy ARP) -> 10.0.0.30
    IP ending in .101 -> Public IP for WAN interface -> some ports redirected.

    I forgot to mention that on one of the many attempts I made to update, I quickly changed the first screen that is shown in the web interface at first logon after restoring the config. It says something like "Reinstalling ..." as if it were installing some modules, but the problem is that I have none in the 1.2.3 config, just the dashboard from 2.0.

    That time it worked for four hours, but when I applied the traffic shaping assistant for VoIP it started blocking again (firewall ruleset reconfiguration??). If I do the process normally it simply doesn't work.
    (6 tries with different x86 snapshots.)

    Machine is an ML110 G6 with 3 added HP PCIe GbE NICs.

    Any info you need simply ask for it, I will provide it ASAP.
    Many thanks for the help, I'm really lost.

    Kaneda






  • Firewall rules on WAN




  • Firewall rules on DMZ




  • Any idea?…
    Please tell me if you need any additional info.



  • I tested with a newer release and the problem remains, but this time I had more time to test and debug, and I saw that the problem is only with host 10.0.0.22, which is the mail server.

    For this I have port redirection on the typical mail ports, HTTP and DNS; all ports point from the VIP (Proxy ARP) called IPPublica1 in the logs, the one that ends in .98 in the screenshots.

    NAT rules have NAT reflection and Accept for fw.
    All ports are redirected to 10.0.0.22 except 53 UDP/TCP (DNS), which redirects to 10.0.0.31.

    About 2 hours after leaving it working, it suddenly stops working for VIP IPPublica1 (.98), but the port redirections that go to IPPublica3 (.100) work ok.

    An SSH connection showing the logs with option 10 hangs too: it shows some lines, but in 2 or 3 minutes it hangs and doesn't show anything; a bit later PuTTY says connection lost.

    Any idea???

