Ports being blocked even though they are open

Visseroth

I know this has been written in this forum before about ports being blocked and it has been said it is fine, they aren't actually being blocked but I beg to differ. I just setup this router to replace a POS Watchgaurd and I am unable to get VPN traffic to pass to the local server as it should. I have rules opened to allows all these rules to be passed but when i check the logs the firewall indicates that they are being blocked and I have managed to get it to pass the traffic like it should by modifying the rules and telling it to pass traffic from any interface but it seemed only temporary. Now it doesn't want to pass any traffic coming in from the outside world.

I have disabled snort though it logged to blocks and other things but nothing seems to help.

Does anyone have any ideas because I'm fresh out.

My setup is a dual T1 going to a cisco sr1004 which is sharing the internet to via a switch to 3 other areas in the building. PfSense is plugged into that switch with a static IP and is pulling internet as it should but is blocking ports.

cmb

what do your firewall logs look like exactly? And rules, NAT.

Visseroth

the logs stated that the source IP address was trying to access the distination address via port 500 or 1723 or 443 via wan. The destination address being the internal IP address that the port is supposed to be directed to.

rules and nat states that anything on the wan via the interface address requesting that port is supposed to be forwarded to the server on the network.

If you need I can take some screen shots.

Guest

If you are positive that your rules are correct, make sure you have expired any/all states pertaining to those connections.

cmb

That's not exact enough, which TCP flags? what exactly are your rules and NAT? Screenshots best

Visseroth

OK, so her are those screen shots. Sorry it took so long to get back but I haven't had time to bring the router back online and pull the screen shots that you guys need.

BTW, thank you so very much for helping out, I appreciate it, I'd much rather use PfSense than the stupid Watchgaurd Pile that we currently have here.

Anyhow, so after bringing it back online I tried to remote in using one of the client's machines that had been having problems and it won't connect to the VPN now with the PfSense box in place but it will when the WatchGaurd is in place.

Visseroth

and to throw in another twist it seems PfSense doesn't like her external IP address. If I try and remote in using a different privoder than either the remote location or the client I can connect without a hitch. If I try and connect from the client's machine I get blocked.

Any thoughts?

Visseroth

Well somehow I screwed up the first box that I setup by checking something that I shouldn't have so I replaced it with a PowerEdge 2850 and it is VERY snappy, but the proplem persists and the only thing I have configured is traffic shaping. I have installed no packages thus far.

cmb

Config is fine, I suspect you don't have functional DNS on the firewall itself which is causing its bogon updates to fail, and that 50.x IP is in an outdated copy of bogons you have on there as a result.

Check your DNS under System>General Setup, and ensure you can ping files.pfsense.org from Diag>Ping. Once that works, run:
/etc/rc.update_bogons.sh now

and check your system log to ensure that was successful.

Visseroth

OK, I ran the update though I got a strange message, I don't really understand what it means but here is the message.

May 6 21:01:47 root: rc.update_bogons.sh is sleeping for 44075
May 6 21:01:47 root: rc.update_bogons.sh is starting up.

I also ran the diagnostics and pinged files.pfsense.org and it replied without a hitch.

Any thoughts?

Visseroth

Well I checked on it this morning and all I saw in the logs was

May 7 14:13:11 kernel: arp: 192.168.0.254 moved from 00:18:8b:40:33:cc to 00:18:8b:40:33:ca on em0
May 7 14:13:11 kernel: arp: 192.168.0.254 moved from 00:18:8b:40:33:ca to 00:18:8b:40:33:cc on em0

Nothing about bogons updating and just received an email from the client this morning that she is unable to access the network because her vpn connection is being blocked.

Is there anything else I can do to make this work?.

cmb

You didn't specify the "now" as shown in my post if you got a sleep there. Which means you won't see it update for several hours, 44075 seconds is the random sleep yours picked.

Visseroth

oh, crap, didn't see that, ok, will try it again and watch the logs and report back. Thanks, I'll be back!  :P