Allow MSN / Windows Live Messenger with pfSense v2?



  • Hi!

    I'm installing pfSense 2 at work, on a spare Internet connection.
    I use a PC for testing, with pfSense as the gateway (without a firewall on the machine).

    Before adding some rules (SMTP, POP, WEB, etc.), I want to find out how to allow MSN, because in the future I will probably install a transparent proxy. This proxy will block MSN. So, I want to add a rule before the "web rule", for MSN, before pfSense is in production.
    (Yes, regrettably, we are using MSN at work, and it's impossible to change this).

    I found topics on the Internet, a lot of information, examples, etc. Some are old.

    I can't use MSN with pfSense at this time.

    I created a rule that allows all the addresses (except addresses with "*." because pfSense doesn't accept *): http://support.microsoft.com/kb/927847
    I allow all ports at first.

    webmessenger.msn.com
    messenger.hotmail.com
    gateway.messenger.hotmail.com
    login.live.com
    2.20.211.235
    contacts.msn.com
    storage.msn.com
    c.msn.com
    messenger.msn.com
    g.msn.com
    crl.microsoft.com
    config.messenger.msn.com
    ows.messenger.msn.com
    rsi.hotmail.com
    sqm.microsoft.com
    edge.messenger.live.com
    relay.data.edge.messenger.live.com
    rad.msn.com
    appdirectory.messenger.msn.com
    images.messenger.msn.com
    spaces.live.com
    relay.voice.messenger.msn.com

    If anyone has an idea…

    Thanks!


  • LAYER 8 Global Moderator

    Out of the box, with no special rules needed, pfsense would not block anything outbound.

    I can assure you my kids use all the major chat things, msn, yahoo, etc. and have never had any issues with access behind pfsense.

    Is normal internet working? There must be something else blocking it, because out of the box there is nothing special you should have to do in pfsense to allow for msn, yahoo, googlechat, etc.



  • Try to change your msn rule so that destination is any and protocol is msn. And like johnpoz said, there should be no blocks from the pfsense side by default.



  • In a professional environment, we "must" block everything by default, and allow only what we need.
    The "allow all" rule must be disabled. That's how it's done in my company.

    So, I need to find out how to allow MSN before enabling the other rules (SMTP/POP, WEB, SSH/FTP to our servers, etc.) and using pfSense in production.

    "Try to change your msn rule so that destination is any and protocol is msn"
    It's not a good rule: MSN uses ports 80, 443 and 1863, + "any directions" = it's ~the same rule as the one for allowing WEB connections.

    Thanks for your help.


  • LAYER 8 Global Moderator

    Ok you want to block all others and allow only the one you want.  I can understand that for sure!!

    Question for you – I would put back the default rule.  Does it work then?

    If so then you just have something wrong in your rules.. But you really need to verify it works with the default allow any rule in place before you go tinkering with it.

    I would think it simple enough to do some sniffs of the application while it's working, to know what rules you need to allow for.  Then you can remove the default allow any rule and put into place the rules you want to allow.



  • "Question for you – I would put back the default rule.  Does it work then?"
    Yes, with the default rule (allow any), MSN works and connects to the internet.

    I used a proxy DNS server to see the domains called when the MSN client tries to connect.
    I found many new domains and added them to my MSN rule on pfSense. But it doesn't work.

    I can't find the right rule.

    Has anyone already successfully allowed MSN via pfSense?

    I can't use pfSense in prod as long as I haven't found a solution for MSN.


  • LAYER 8 Global Moderator

    Why don't you just do a simple capture on pfsense to see what is used?

    When I get a chance I will give it a go, but did you take a look here?

    http://support.microsoft.com/kb/927847
    Network ports and URLs that are used by Windows Live Messenger

    It's a bit dated, but I would have to assume still applies?



  • @johnpoz:

    "Why don't you just do a simple capture on pfsense to see what is used?

    When I get a chance I will give it a go, but did you take a look here?"

    Not yet. I will for the next test.

    (Do you mean Status > System Logs > Firewall?)

    "http://support.microsoft.com/kb/927847
    Network ports and URLs that are used by Windows Live Messenger

    Its a bit dated, but I would have to assume still applies?"

    I already use this information (see my first post).

    Thanks a lot for your help!
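
Added example (not part of the thread): the capture approach suggested above, sketched in Python. It reads the text output of `tcpdump -nn` taken on the pfSense LAN side and reports which destination IP/port pairs the test PC tried and which never received a SYN-ACK, which are the candidates the current allow rule still misses. The sample capture, the client address 192.168.1.10 and the function name are constructed assumptions.

```python
import re

# Constructed sample of `tcpdump -nn` text output, not taken from the thread.
# Assumptions: 192.168.1.10 is the test PC; destinations are documentation addresses.
SAMPLE_CAPTURE = """\
10:15:01.100000 IP 192.168.1.10.50123 > 198.51.100.20.1863: Flags [S], seq 1000, win 8192, length 0
10:15:01.150000 IP 198.51.100.20.1863 > 192.168.1.10.50123: Flags [S.], seq 2000, ack 1001, win 8192, length 0
10:15:01.151000 IP 192.168.1.10.50123 > 198.51.100.20.1863: Flags [.], ack 1, win 8192, length 0
10:15:02.200000 IP 192.168.1.10.50124 > 203.0.113.7.443: Flags [S], seq 3000, win 8192, length 0
10:15:03.200000 IP 192.168.1.10.50124 > 203.0.113.7.443: Flags [S], seq 3000, win 8192, length 0
10:15:04.300000 IP 192.168.1.10.50125 > 203.0.113.8.443: Flags [S], seq 4000, win 8192, length 0
10:15:05.400000 IP 192.168.1.10.50126 > 198.51.100.21.80: Flags [S], seq 5000, win 8192, length 0
10:15:06.000000 IP 192.168.1.11.40000 > 203.0.113.9.22: Flags [S], seq 6000, win 8192, length 0
"""

# src_ip.src_port > dst_ip.dst_port: Flags [...]
PKT = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]"
)


def summarize_attempts(capture_text, client_ip):
    """Map (dst_ip, dst_port) -> 'answered' or 'unanswered' for the client's TCP SYNs."""
    attempted = set()
    answered = set()
    for line in capture_text.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # skip non-TCP or unparsable lines
        src, sport, dst, dport, flags = m.groups()
        if src == client_ip and flags == "S":
            attempted.add((dst, int(dport)))   # outbound connection attempt
        elif dst == client_ip and flags == "S.":
            answered.add((src, int(sport)))    # SYN-ACK came back through the firewall
    return {
        pair: ("answered" if pair in answered else "unanswered")
        for pair in sorted(attempted, key=lambda p: (p[1], p[0]))
    }


if __name__ == "__main__":
    for (ip, port), state in summarize_attempts(SAMPLE_CAPTURE, "192.168.1.10").items():
        print(f"{ip}:{port}\t{state}")
```

Comparing the "unanswered" addresses with what the hostnames in the rule resolve to at that moment shows whether the client is reaching servers the rule does not cover.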

