Netgate Discussion Forum

Unable to access internet from remote site

Routing and Multi WAN
  • C
    cmb
    last edited by May 28, 2007, 9:52 PM

    Yeah I would have suspected a NAT bug in 1.0.1, there are a few of those that have been fixed in 1.2b1.

    Do you have advanced outbound NAT enabled?

    • P
      PhatBot
      last edited by May 28, 2007, 10:23 PM

      Yes, advanced NAT enabled.

      • C
        cmb
        last edited by May 29, 2007, 12:01 AM

        Then it's a problem with your advanced NAT rules. Do you need it for some reason? If not, just disable it and your problem goes away.

        • P
          PhatBot
          last edited by May 29, 2007, 7:31 AM

          Changed to normal NAT.
          Still same problem though.

          Very odd.

          • P
            Perry
            last edited by May 29, 2007, 7:58 AM

            Is there anything special with that leased line?

            10.58.202./24 comes in via a leased line through a router with IP 10.58.112.1

            Maybe do some tracing with pftop or tcpdump (just a thought)

            /Perry
            doc.pfsense.org

            • C
              cmb
              last edited by May 29, 2007, 8:25 PM

              Yeah it's time to start capturing packets and seeing what's really happening.

              • P
                PhatBot
                last edited by May 29, 2007, 8:44 PM

                Right… hehe... the thing is.....  :-\

                I haven't got a clue how to do that???
                Could someone give me some pointers?

                Thanks!

                Also. Thanks for the help on this subject. I really appreciate you guys taking your free time to help me. :)

                • P
                  PhatBot
                  last edited by May 31, 2007, 9:45 AM

                  Tried some TCPDUMP. Not really sure what to look for though.

                  The thing I find strange is that I'm able to ping hosts on the remote subnet from the pfsense box.
                  And the pfsense box also replies to pings from the remote subnet.
                  Feels like the data is flowing like it should in our internal network.
                  It just doesn't let me do nat for that subnet.

                  • P
                    PhatBot
                    last edited by May 31, 2007, 10:39 AM

                    In the Webgui Diagnostics: Show States I see
                    ICMP 10.58.202.21:512 -> external-ip:35350 -> external-gw 0:0
                    ICMP external-gw:512 <- 10.58.202.21 0:0
                    when I try to ping from the host on the remote subnet to our ISP gateway.
                    This should indicate that NAT is working like it should, right?

                    • P
                      Perry
                      last edited by May 31, 2007, 11:22 AM May 31, 2007, 11:08 AM

                      To check for a DNS problem you could do something like this.

                      From shell: tcpdump -i if2 dst port 21

                      From a client: ftp://204.152.184.73/

                      By that you can see what happens on IF2 when you log on to an FTP server.

                      ----------------------------------------

                      http://your-pfsense-ip/status.php

                      You might find something under pfctl.
                      -------- !! Warning this is written by someone sitting in the sun  !! ------------

                      /Perry
                      doc.pfsense.org

                      • P
                        PhatBot
                        last edited by May 31, 2007, 11:14 AM

                        Tried some 1:1 NATing.
                        Worked like a charm for all our subnets except the remote subnet which we have the trouble with.
                        Starting to think that there must be something fishy with the router that's handling that subnet.

                        More info later.

                        • P
                          PhatBot
                          last edited by May 31, 2007, 11:44 AM

                          Hi Perry,

                          Here's the result after dumping it to a file and then importing it into Ethereal.

                          dump.gif
                          • P
                            Perry
                            last edited by May 31, 2007, 1:02 PM May 31, 2007, 12:51 PM

                            Did you try searching in http://your-pfsense-ip/status.php for 10.58.202.21 or 204.152.184.73 after the test? There must be some info there telling us what happens  ::)

                            You can also use
                            Diagnostics -> Packet Capture
                            to trace IPs.

                            /Perry
                            doc.pfsense.org

                            • P
                              PhatBot
                              last edited by May 31, 2007, 1:07 PM

                              Here is what I see in status.php during an attempt to connect to an external ftp site.
                              I've replaced the real IP with "external_ftp"

                              pass in log quick on bge0 inet from 10.58.202.21 to any keep state label "USER_RULE: Log all from 10.58.202.21"
                              self tcp 127.0.0.1:8021 <- external_ftp:21 <- 10.58.202.21:3530       SYN_SENT:ESTABLISHED
                              USER_RULE: Log all from 10.58.202.21 65739 49 2352
                              142 pass in log quick on bge0 inet from 10.58.202.21 to any keep state label "USER_RULE: Log all from 10.58.202.21"
                              tcp   I 10.58.202.21:3530     127.0.0.1:8021        2:4      4    29     4   192
                              tcp    In  10.58.202.21:3530      127.0.0.1:8021         external_ftp:21           SYN_SENT:ESTABLISHED  00:00:04  00:00:29       4     192     48 142
                              tcp       In  10.58.202.21:3530                     127.0.0.1:8021                          SYN_SENT:ESTABLISHED  00:00:05  00:00:28        4      192
                              142                  Pass     In  Log Q bge0             K       49     2352        1       inet from 10.58.202.21/32 to anycp    In  10.58.202.21:3530      127.0.0.1:8021               4     192    SYN_SENT:ESTABLISHED  00:00:05  00:00:28      38 142 external_ftp:21
                              tcp    In  10.58.202.21:3530      127.0.0.1:8021               4     192    SYN_SENT:ESTABLISHED  00:00:05  00:00:28      38 142 external_ftp:21
                              tcp    In  10.58.202.21:3530      127.0.0.1:8021              38     192    SYN_SENT:ESTABLISHED       4  00:00:05  00:00:28 142 external_ftp:21
                              May 31 14:57:12 gatekeeper1 pf: 88. 107669 rule 142/0(match): pass in on bge0: 10.58.202.21.3444 > 127.0.0.1.8021: S 2654838692:2654838692(0) win 65535 <mss 1460,nop,nop,sackOK>
                              May 31 14:59:35 gatekeeper1 pf: 2. 114729 rule 142/0(match): pass in on bge0: 10.58.202.21.3530 > 127.0.0.1.8021: S 3010410930:3010410930(0) win 65535 <mss 1460,nop,nop,sackOK>
                              pass in log quick on $lan from {  10.58.202.21 } to any keep state  label "USER_RULE: Log all from 10.58.202.21"
                              
                              • P
                                Perry
                                last edited by May 31, 2007, 2:26 PM

                                For me it looks like it nat's to the wan instead of going out

                                tcp    In  10.58.202.21:3530      127.0.0.1:8021        external_ftp:21
                                should be
                                tcp    In  10.58.202.21:3530      127.0.0.1:8021        204.152.184.73:21

                                But since you're running NAT 1:1 I could be completely wrong on how it should look.

                                I'd better let the devs step in now  ;)

                                /Perry
                                doc.pfsense.org
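
The pf log lines posted above can be checked mechanically. The following is an added example, not code from any poster or from pfSense: it parses the tcpdump-style pf log format shown in the thread and flags packets logged inbound on a physical interface with a loopback destination, which means a redirect rewrote the destination before the filter rule logged it (pf translates before it filters). The function names and the third sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two pf log lines from the thread, plus one
# made-up line (192.0.2.10 is a documentation address) for contrast.
SAMPLE_LOG = """\
May 31 14:57:12 gatekeeper1 pf: 88. 107669 rule 142/0(match): pass in on bge0: 10.58.202.21.3444 > 127.0.0.1.8021: S 2654838692:2654838692(0) win 65535 <mss 1460,nop,nop,sackOK>
May 31 14:59:35 gatekeeper1 pf: 2. 114729 rule 142/0(match): pass in on bge0: 10.58.202.21.3530 > 127.0.0.1.8021: S 3010410930:3010410930(0) win 65535 <mss 1460,nop,nop,sackOK>
May 31 15:00:01 gatekeeper1 pf: 5. 000001 rule 142/0(match): pass in on bge0: 10.58.202.21.3531 > 192.0.2.10.80: S 1:1(0) win 65535
"""

# tcpdump prints IPv4 endpoints as a.b.c.d.port, so the port is the last label.
PF_LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on "
    r"(?P<iface>\S+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

def parse_pf_log(text):
    """Return one dict per pf log line that matches the format above."""
    entries = []
    for line in text.splitlines():
        m = PF_LINE.search(line)
        if not m:
            continue  # not a pf filter log line
        e = m.groupdict()
        for key in ("rule", "sport", "dport"):
            e[key] = int(e[key])
        entries.append(e)
    return entries

def rewritten_to_loopback(entries):
    """Packets seen inbound on a non-loopback interface but addressed to 127.0.0.0/8."""
    return [e for e in entries
            if e["dir"] == "in" and not e["iface"].startswith("lo")
            and ipaddress.ip_address(e["dst"]).is_loopback]

def syn_attempts(entries):
    """Count bare SYNs per (source, destination:port); repeats suggest retries."""
    return Counter((e["src"], f'{e["dst"]}:{e["dport"]}')
                   for e in entries if e["flags"] == "S")

if __name__ == "__main__":
    parsed = parse_pf_log(SAMPLE_LOG)
    for e in rewritten_to_loopback(parsed):
        print(f'rule {e["rule"]} on {e["iface"]}: {e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]}')
    print(syn_attempts(parsed))
```
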

                                • P
                                  PhatBot
                                  last edited by May 31, 2007, 2:29 PM

                                  1:1 NAT was only temporary while testing.
                                  Those rules were removed before getting this status. So it shouldn't do anything.
