Problems with NAT-reflection (again)
-
Hey guys…
After accepting that traffic shaping with multiple WANs isn't working properly yet, I found a strange error I can't explain at all.
I have a Weave server running on my home server, addressed via HTTPS. Syncing my Firefox at work (via WAN) works fine, but doing this at home via my external IP reports an unknown error. So I did a packet capture for 192.168.1.100/31 and port 443:
pfSense: 192.168.1.1
Server: 192.168.1.100
Client: 192.168.1.101
External IP: 11.22.33.44
...
22:37:33.081368 IP 192.168.1.101.53846 > 11.22.33.44.443: tcp 1173
22:37:33.081446 IP 11.22.33.44.443 > 192.168.1.101.53846: tcp 0
22:37:33.081550 IP 192.168.1.1.21588 > 192.168.1.100.443: tcp 1024
22:37:33.116078 IP 192.168.1.100.443 > 192.168.1.1.21588: tcp 0
22:37:33.116160 IP 192.168.1.1.21588 > 192.168.1.100.443: tcp 149
22:37:33.119189 IP 192.168.1.100.443 > 192.168.1.1.21588: tcp 0
It looks like the packet sent from the client is split into two packets. I've never seen pfSense do that. Is that behaviour in line with the TCP protocol?
By defining an explicit forwarding rule for the LAN interface with my WAN address as destination (which normally should be covered by the rule for WAN + reflection), the Weave service works locally, but other services running on 443 become unavailable.
Thanks for your reply…
-
Can you show the generated /var/etc/inetd.conf?
-
Here we go:
tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
19000 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 80
19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 443
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 22
19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.110 50498
19003 dgram udp nowait/0 nobody /usr/bin/nc nc -u -w 2000 192.168.1.110 50498
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 64738
19004 dgram udp nowait/0 nobody /usr/bin/nc nc -u -w 2000 192.168.1.100 64738
19005 dgram udp nowait/0 nobody /usr/bin/nc nc -u -w 2000 192.168.1.100 9987
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 10011
19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 30033
19008 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 2234
19009 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 2235
19010 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 2236
19011 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 2237
19012 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 2238
19013 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 2239
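As an added example (not from any poster in this thread), the following Python script parses the capture from the first post and the port-443 entry from the inetd.conf above. It shows that both hops carry the same 1173 payload bytes while the firewall's nc relay (the 19001 listener) re-sends them as two segments: the "split" is a user-space TCP proxy re-segmenting the stream, not IP fragmentation. Reading "tcp N" as the TCP payload length (tcpdump quiet output) and the flow grouping are my assumptions.

```python
import re
from collections import defaultdict

# Constructed from the tcpdump lines quoted in the first post; "tcp N" is read
# as the TCP payload length, which is how tcpdump -q prints it (assumption).
CAPTURE = """\
22:37:33.081368 IP 192.168.1.101.53846 > 11.22.33.44.443: tcp 1173
22:37:33.081446 IP 11.22.33.44.443 > 192.168.1.101.53846: tcp 0
22:37:33.081550 IP 192.168.1.1.21588 > 192.168.1.100.443: tcp 1024
22:37:33.116078 IP 192.168.1.100.443 > 192.168.1.1.21588: tcp 0
22:37:33.116160 IP 192.168.1.1.21588 > 192.168.1.100.443: tcp 149
22:37:33.119189 IP 192.168.1.100.443 > 192.168.1.1.21588: tcp 0
"""

# The reflection listener for port 443 copied from the posted inetd.conf.
INETD_LINE = "19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.100 443"

LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): tcp (?P<plen>\d+)$")


def flows(capture):
    """Group payload lengths by unidirectional flow (src, sport, dst, dport)."""
    out = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            out[key].append(int(m["plen"]))
    return dict(out)


def relay_target(inetd_line):
    """Return (listener_port, host, port): where the nc proxy entry connects to."""
    fields = inetd_line.split()
    return int(fields[0]), fields[-2], int(fields[-1])


def compare_hops(capture, client, reflected_ip, server, port=443):
    """Compare what the client sent to the reflected (WAN) address with what the
    firewall's proxy re-sent to the real server. A user-space relay preserves
    the byte total but not the segment boundaries, so the counts may differ."""
    f = flows(capture)
    leg1 = [n for (s, _, d, dp), v in f.items()
            if s == client and d == reflected_ip and dp == port for n in v]
    leg2 = [n for (s, _, d, dp), v in f.items()
            if s != client and d == server and dp == port for n in v]
    return {"client_segments": len(leg1), "client_bytes": sum(leg1),
            "proxy_segments": len(leg2), "proxy_bytes": sum(leg2),
            "same_payload": sum(leg1) == sum(leg2)}
```

Running compare_hops(CAPTURE, "192.168.1.101", "11.22.33.44", "192.168.1.100") reports one client segment of 1173 bytes against two proxy segments totalling 1173 bytes, which is consistent with the relay being an nc process rather than kernel NAT.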
-
Sorry, can you also post the contents of /tmp/rules.debug?
-
No problem at all - in the end I'm really glad that there is a competent contact trying to help me ;)
http://pastebin.com/Zbe5pLxL
-
Any ideas? Or have you found any obvious, fatal errors in the posted info that make you not want to answer anymore?