Static IP Weirdness



  • Hi Everyone,

Not sure if this is the right section to post in; if it's not, I apologize.

    I just configured pfsense 1.2.3 on an IBASE FWA7204 box, VIA C3 1GHz CPU w/ 256M of RAM and 2GB flash.

    Using one interface for LAN and one interface for WAN (ISP DHCP).
    Here's what the topology looks like:

    INTERNET >> WAN interface - pfsense fw - LAN interface >> Cisco Switch >> Linux Box
                                                                   |
                                                                   > Wifi router

    I'm using just one subnet for the LAN (10.10.171.32 /27)
    .33 being the pfsense fw
    .34 Cisco switch
    .35 wifi router
    .40 Linux box

    DHCP on pfsense has been setup to lease out addresses between 10.10.171.44 and 10.10.171.62

All my clients behind the fw with DHCP leases can get on the web fine and/or browse network resources. The kicker comes in with statically assigned addresses.
    For instance, the Linux box (with the .40 static address) can neither:

    • ping an external address
    • ping the default gw (pfsense)

    However, the Linux box can:

    • ping the Cisco switch
    • ping the wifi router

    And any other client on the network can:

    • ping the Linux box

    The fw rule for LAN is set to allow network 10.10.171.32/27.

    Can someone point me in the right direction to troubleshoot what would be causing this behavior? I would really appreciate it.

    Thanks in advance.



  • Do your pings specify a target hostname or IP address? What response do you get to the ping command?

Do the systems with static IP addresses have the correct default gateway and DNS?

    @brokenflea:

    the fw rule for LAN is set to allow network 10.10.171.32/27

    The devil is in the detail: 10.10.171.32/27 as source address? destination address? ports? protocol? Is it before or after the default LAN rule? Do you even still have the default LAN rule?



  • Post your ifconfig and your fw rule.



  • Here's the fw rule from /tmp/rules.debug

    
    [1.2.3-RELEASE] [root@br01.fw.local]/tmp(2): cat rules.debug
    # System Aliases 
    loopback = "{ lo0 }"
    lan = "{ rl0  }"
    wan = "{ rl1   }"
    enc0 = "{ enc0 }"
    # User Aliases 
    
    set loginterface rl1
    set loginterface rl0
    set optimization normal
    
    set skip on pfsync0
    scrub all random-id  fragment reassemble
    
    nat-anchor "pftpx/*"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    # FTP proxy
    rdr-anchor "pftpx/*"
    
    # Outbound NAT rules
    nat on $wan from 10.10.171.32/27 port 500 to any port 500 -> (rl1) port 500
    nat on $wan from 10.10.171.32/27 port 5060 to any port 5060 -> (rl1) port 5060
    nat on $wan from 10.10.171.32/27 to any -> (rl1) port 1024:65535
    
    #SSH Lockout Table
table <sshlockout> persist
    
    # Load balancing anchor - slbd updates
    rdr-anchor "slb"
    
    # FTP Proxy/helper
table <vpns> {   }
    no rdr on rl0 proto tcp from any to <vpns> port 21
    rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    
    # IMSpector rdr anchor
    rdr-anchor "imspector"
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "ftpsesame/*" 
    anchor "firewallrules"
    
    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0
    
    # snort2c
table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    # Block all IPv6
    block in quick inet6 all
    block out quick inet6 all
    # loopback
    anchor "loopback"
    pass in quick on $loopback all label "pass loopback"
    pass out quick on $loopback all label "pass loopback"
    
    # package manager early specific hook
    anchor "packageearly"
    
    # carp
    anchor "carp"
    
    # NAT Reflection rules
    
    # allow access to DHCP server on LAN
    anchor "dhcpserverlan"
    pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
    pass in quick on $lan proto udp from any port = 68 to 10.10.171.33 port = 67 label "allow access to DHCP server on LAN"
    pass out quick on $lan proto udp from 10.10.171.33 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
    
    # allow our DHCP client out to the WAN
    anchor "wandhcp"
    pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
    block in log quick on $wan proto udp from any port = 67 to 10.10.171.32/27 port = 68 label "block dhcp client out wan"
    
    # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
    antispoof for rl0
    
    anchor "spoofing"
    
    # block anything from private networks on WAN interface
    anchor "spoofing"
    antispoof for $wan
    block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    # Support for allow limiting of TCP connections by establishment rate
    anchor "limitingesr"
table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"
    
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    anchor "wanbogons"
table <bogons> persist file "/etc/bogons"
    block in log quick on $wan from <bogons> to any label "block bogon networks from wan"
    
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
    pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
    
    # tcp.closed 5 is a workaround for load balancing, squid and a few other issues.
    # ticket (FEN-857512) in centipede tracker.
    pass out quick on rl1 all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
    # pass traffic from firewall -> out
    anchor "firewallout"
    pass out quick on rl1 all keep state label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state label "let out anything from firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"
    # make sure the user cannot lock himself out of the webGUI or SSH
    anchor "anti-lockout"
    pass in quick on rl0 from any to 10.10.171.33 keep state label "anti-lockout web rule"
    
    # SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    
    anchor "ftpproxy"
    anchor "pftpx/*"
    
    # User-defined aliases follow
    
    # User-defined rules follow
    pass in quick on $lan from 10.10.171.32/27 to any keep state  label "USER_RULE: Default LAN -> any"
    
    # VPN Rules
    
    pass in quick on rl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on rl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on rl1 inet proto tcp from port 20 to (rl1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
    # enable ftp-proxy
    
    # IMSpector
    anchor "imspector"
    
    # uPnPd
    anchor "miniupnpd"
    
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
block in log quick all label "Default deny rule"
    

    Here's the ifconfig

    
    [1.2.3-RELEASE] [root@br01.fw.local]/tmp(3): ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 00:03:2d:05:40:dd
            inet 10.10.171.33 netmask 0xffffffe0 broadcast 10.10.171.63
            inet6 fe80::203:2dff:fe05:40dd%rl0 prefixlen 64 scopeid 0x1
            media: Ethernet autoselect (none)
            status: no carrier
    rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 00:03:2d:05:40:dc
            inet6 fe80::203:2dff:fe05:40dc%rl1 prefixlen 64 scopeid 0x2
            media: Ethernet autoselect (none)
            status: no carrier
    rl2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 00:03:2d:05:40:db
            media: Ethernet autoselect
            status: no carrier
    rl3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 00:03:2d:05:40:da
            media: Ethernet autoselect
            status: no carrier
    enc0: flags=0<> metric 0 mtu 1536
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
    pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
            pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
    pflog0: flags=100<PROMISC> metric 0 mtu 33204
    

All the static clients are using the correct mask (255.255.255.224), correct gateway (10.10.171.33) and correct DNS (OpenDNS 208.67.222.222, 208.67.220.220).

    10.10.171.32/27 as source network; this is the only rule in the fw for LAN.
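Every rule in the dump above is quick, so the first matching rule decides and the file order is exactly what the earlier reply was asking about. The walk below is an added example, not code from the thread or from pfSense: it evaluates a constructed subset of the posted inbound rules (the antispoof line is written out as the "on ! rl0" block it expands to) under pf's last-match-unless-quick semantics, and shows that this file on its own passes the .40 box's pings; rules loaded into anchors such as rdr-anchor "slb" are not part of rules.debug and have to be inspected separately.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str              # "pass" or "block"
    iface: str               # interface the packet arrives on, "any" for all
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # source CIDR or "any"
    dst: str                 # destination CIDR or "any"
    dport: Optional[int]     # destination port, None matches any port
    label: str
    quick: bool = True       # pf: a matching quick rule ends evaluation
    not_iface: bool = False  # "on ! iface", which is how antispoof expands

def in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(r: Rule, iface: str, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    iface_ok = r.iface == "any" or ((r.iface == iface) != r.not_iface)
    return (iface_ok and r.proto in ("any", proto) and r.dport in (None, dport)
            and in_net(src, r.src) and in_net(dst, r.dst))

def evaluate(rules, iface, proto, src, dst, dport=None):
    """pf semantics: the last matching rule wins, unless a matching rule is quick."""
    decision = ("pass", "no rule matched (pf default)")
    for r in rules:
        if matches(r, iface, proto, src, dst, dport):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision

LAN_NET, LAN_IP = "10.10.171.32/27", "10.10.171.33/32"
# Constructed subset of the posted rules.debug (inbound rules, in file order)
RULESET = [
    Rule("pass", "rl0", "udp", "any", LAN_IP, 67, "allow access to DHCP server on LAN"),
    # one of the two non-quick blocks that "antispoof for rl0" expands to: block in on ! rl0 from LAN_NET
    Rule("block", "rl0", "any", LAN_NET, "any", None, "antispoof for rl0", quick=False, not_iface=True),
    Rule("block", "rl1", "any", "10.0.0.0/8", "any", None, "block private networks from wan block 10/8"),
    Rule("pass", "rl0", "any", "any", LAN_IP, None, "anti-lockout web rule"),
    Rule("pass", "rl0", "any", LAN_NET, "any", None, "USER_RULE: Default LAN -> any"),
    Rule("block", "any", "any", "any", "any", None, "Default deny rule"),
]

if __name__ == "__main__":
    # the static Linux box (.40) pinging its gateway, an external host, and the same packet seen on WAN
    for pkt in [("rl0", "icmp", "10.10.171.40", "10.10.171.33"), ("rl0", "icmp", "10.10.171.40", "8.8.8.8"),
                ("rl1", "icmp", "10.10.171.40", "10.10.171.33")]:
        print(pkt, "->", evaluate(RULESET, *pkt))
```

Swap the packet tuples for your own traffic, or reorder RULESET, to see how a rule placed before the default LAN rule changes the verdict.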



I think I figured the issue out. I was following this URL:
    http://forum.pfsense.org/index.php/topic,4225.msg25915.html#msg25915

    to forward traffic to a squid proxy (Linux box with the 10.10.171.40 address). I removed the LB pool and deleted the rule that the post recommends, rebooted the box and everything looks ok now.

    Back to the 2nd issue: how do I now forward traffic to the Linux box running squid?

