Routing problems, IMAP & firewall rejection.
-
Recently I had inconsistent behaviour of IMAP services. Started investigation from IMAP servers, and discovered, that not all connections are available on IMAP server (without firewall settings on the server). I have a setup of several pfSense FW in chain (both pfSense).
FW-A doing routing without NAT between different routed subnets.
FW-B behind FW-A with NAT for LAN interfaces.I noticed a problem on FW-A, where there are rejected packets TCP:R, :F, :S and :A. If R would be ok, than A at least gives notice on possible Ack packets, which are rejected. FW-A all rules are on WAN interface. LAN interface - allow all from all. The most interesting part is that rejected packets are from LAN interface, where rule states - allow all from any. Why it is happening?
As to PF documentation, rules for packet filtering should be present on interface, where they appear. And in this case I turned my attention more for WAN packets, for now leaving LAN to allow any to any. Why firewall says, that it is blocking packets by default rule - block anything else? Probably this would be my issue for IMAP inconsistency too. Inconsistency - not all connections are blocked. But I can not judge for now percentage of allowed or blocked connections/packets.
The other wiered thing - blocked packets state destination of local non routable IP address, which is real destination of a server after FW-B does NAT-ing. And FW-A has static routes to move requests for this internal address from FW-A to FW-B. Route is defined on LAN of a FW-A, which basically means, that if packet appears on WAN interface, route them to FW-B via LAN interface. This explaines inception of LAN interface in functionality, but even adding specific allow rules for LAN interfaces including allow any to any, these packets are blocked by FW.
Please help me to understand these specifics.
-
Sounds like you have some asymmetric routing going on somehow; Packets are taking one path out and a different path back in, leading to a state mismatch and the traffic gets dropped.
Hard to say how that may be happening without a lot more detailed network diagram and related info (subnets involved, with fake addresses if need be as long as they are consistent), routes and where they are, what does NAT to where, etc.
-
I'll prepare diagram and post it to the forum, if that may help, but in FW-A, there is no NAT. Only manual routes to subnets (allready NATed) on FW-B. For now, here is textual representation of a process: For example let's assume, that 10.10.10.0/24 are routable addresses (real internet addresses) and 192.168.0.x/24 non-routable (e.g. local).
FW-A configuration involves 2 NICs:
WAN: 192.168.0.5/24 (I know, that this is non routable, but I switch internet subnets on another machine before here, and do not do NAT on this, just pure routing. And there everything works.
LAN: 10.10.10.1/24FW-B configuration involves several nics, from where one is WAN, the others - OPT for each individual VLAN, and NAT is involved here:
WAN: 10.10.10.2/24
LAN1: 192.168.1.1/24 - whole network here>
LAN2: 192.168.2.1/24 - whole network here>According to my understanding, if a packet comes in in FW-A looking for IP from FW-A LAN subnet, then it stays there, if WAN rules are OK. Because this packet anyway appears on WAN, rather LAN. And routing is done via simple transfering of data to relevant NIC port, as FW knows the subnet there.
In case packet should go to another subnet (via static routing), than for not to allow this packet go out again to FW-A WAN gateway, I direct them to FW-B WAN IP address, which is specified in static routes of pfSense. From here comes the process:
1. Packet arrives at FW-A WAN 192.168.0.5/24 looking for Reverse proxy for IMAP in DMZ for ex on IP 10.10.10.10/24
2. Due to specific WAN rule, this packet is allowed to go to this proxy, and connection is made
3. This proxy proxies this packet to IMAP server (according to DNS) in FW-B controlled subnet in specific VLAN, for ex 192.168.1.10/24
4. In this case packet from IMAP proxy arrives on LAN port of FW-A, as it comes out from LAN subnet 10.10.10.0/24. It comes in FW and understand, that there are no interfaces for subnet 192.168.1.0/24, and looks for record in static routes.
5. Static routes record says, that, if on FW-A LAN port packet asks for 192.168.1.0/24 subnet, route it to 10.10.10.2/24, which is on the same LAN port network, but actualy is WAN of a FW-B.
6. Afterwards FW-B takes care for NAT and routes exact packet to specific server.The problem arrise in fact, that in this case responses on FW-A LAN port are OK, but why are they blocked, if FW-A LAN rules say - allow any to any?
The second, when I experimented with NAT and rules, if I forward to 10.10.10.2/24, then nothing works, I have to make FW rules for exactly natted subnet, in my case 192.168.1.10/24. Why it is so?Hope this makes a little bit clearer the situation. Working on diagram.
[EDIT]: NAT is done on FW-B WAN port (Port Forward tab), stating, that if WAN port external IP (from 10.10.10.0/24, or specificly VIP on FW-B WAN port) with external ports are such and such, nat them to IP 192.168.1.0/24 with port numbers such and such. If I define FW rules for 10.10.10.0/24 IP address, nothing works at all. I have to define WAN rules for 192.168.1.0/24 LAN, despite fact, that it is not on WAN network port.