Reachability problems via IPSEC



  • Is there some function which would prevent the reachability from one site of a site-to-site VPN to the other as long as there is no initiation from the other side?
    I have some strange problem: I've configured an IPsec site-to-site VPN. Configured a route from one network to the other with a specific route 192.168.51.20/24 via 10.0.0.254 on a 10.0.0.128/25 net and a 10.0.0.128/25 via 192.168.51.248.
    My problem now is when I try to reach 10.0.0.161-166 from 192.168.51.20, 10.0.0.161 is reachable all the time, as well as both VPN gateways, but from 162/3/6 I got no response at the first attempt.
    Now 162/3 are working constantly, but 165/166 are still not reachable.
    But as soon as I ping 166/165 from 192.168.51.248/10.0.0.254, or 192.168.51.20 from 10.0.0.166, it does work, but only as long as the ping is going on.
    As soon as I stop the other ping it takes one minute and the ping stops again.
    Can someone give me a hint how to find out what could be the problem?
    I've tried tcpdump but I get no sensible information.
    The ICMP request just starts from one side and just gets no response.
    At first I thought it might have something to do with both sides being VMs on a VMware basis, but then I found out that specific systems which are not VMs are behaving the same way, since 166 is a VM and 165 is physical.

    here are my routes:

    Host: 192.168.51.20
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    194.97.90.64    0.0.0.0        255.255.255.224 U    0      0        0 eth2
    10.0.0.128      192.168.51.248  255.255.255.128 UG    0      0        0 eth1
    192.168.51.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
    0.0.0.0        194.97.90.94    0.0.0.0        UG    100    0        0 eth2

    Host: 10.0.0.166
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    0.0.0.0        212.25.8.1      0.0.0.0        UG    2      0        0 eth0
    10.0.0.128      0.0.0.0        255.255.255.128 U    0      0        0 eth0
    127.0.0.0      127.0.0.1      255.0.0.0      UG    0      0        0 lo
    192.168.51.0    10.0.0.254      255.255.255.0  UG    2      0        0 eth0
    192.168.100.0  0.0.0.0        255.255.255.224 U    0      0        0 eth0
    212.25.8.0      0.0.0.0        255.255.255.128 U    0      0        0 eth0

    Route on pfsense 192.168.51.248:
    default 194.97.90.94 UGS 0 35428 1500 le1
    10.0.0.0/25 194.97.90.94 UGS 0 0 1500 le1
    10.0.0.128/25 194.97.90.94 UGS 0 758920 1500 le1
    127.0.0.1 link#5 UH 0 43 16384 lo0
    192.168.51.0/32 192.168.51.248 US 0 0 1500 le0 =>
    192.168.51.0/24 link#2 U 0 808815 1500 le0
    192.168.51.248 link#2 UHS 0 0 16384 lo0
    194.97.90.64/27 link#3 U 0 0 1500 le1
    194.97.90.69 link#3 UHS 0 0 16384 lo0
    195.30.94.149 194.97.90.94 UGHS 0 4090 1500 le1
    212.25.8.11 194.97.90.94 UGHS 0 738079 1500 le1

    Route Pfsense 10.0.0.254:
    default 212.25.8.1 UGS 0 153229 1500 le1
    10.0.0.128/25 10.0.0.254 US 0 4867740 1500 le0
    10.0.0.254 link#2 UHS 0 292843 16384 lo0
    127.0.0.1 link#6 UH 0 581 16384 lo0
    192.168.51.0/24 10.0.0.254 US 0 2599693 1500 le0
    194.97.90.69 212.25.8.1 UGHS 0 2637625 1500 le1
    212.25.8.0/25 link#3 U 0 138065 1500 le1
    212.25.8.11 link#3 UHS 0 0 16384 lo0

    I've configured a "any" to "any" firewall rule for each pfsense interface and box.
    Just to be sure it's no firewall thing.

    I hope someone can help me to find this problem.
    Thank you in advance.
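As an added example that is not part of the original post: a small Python script that loads the two `route -n` tables quoted above (embedded here as constructed input, copied from the post) and performs the kernel's longest-prefix match, so the forward and return next hop of a flow can be checked from both ends. The names `HOST_A`, `HOST_B`, `lookup`, `next_hop`, `gateway_on_link` and `round_trip` are this example's own and not anything the thread mentions. A gateway only works when it lies inside a directly connected network on the same interface, which is the precondition for the host to even ARP for it, so that check is included.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str        # "0.0.0.0" in route -n output means directly connected
    iface: str
    metric: int


def parse_route_n(text: str) -> List[Route]:
    """Parse the 'Kernel IP routing table' format printed by route -n."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # skip the two header lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; the lower metric breaks ties, as the kernel does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Address the host will ARP for: the gateway, or dst itself when on-link."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return dst if r.gateway == "0.0.0.0" else r.gateway


def gateway_on_link(routes: List[Route], route: Route) -> bool:
    """A gateway is usable only if it sits in a connected network on the same interface."""
    if route.gateway == "0.0.0.0":
        return True
    gw = ipaddress.IPv4Address(route.gateway)
    if gw.is_loopback:
        return True
    return any(r.gateway == "0.0.0.0" and r.iface == route.iface and gw in r.network
               for r in routes)


def round_trip(routes_a, ip_a, routes_b, ip_b):
    """Next hop in each direction for a flow between ip_a (routes_a) and ip_b (routes_b)."""
    return next_hop(routes_a, ip_b), next_hop(routes_b, ip_a)


# Constructed input: the two tables from the post, verbatim.
HOST_A = parse_route_n("""
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
194.97.90.64    0.0.0.0        255.255.255.224 U    0      0        0 eth2
10.0.0.128      192.168.51.248  255.255.255.128 UG    0      0        0 eth1
192.168.51.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
0.0.0.0        194.97.90.94    0.0.0.0        UG    100    0        0 eth2
""")  # host 192.168.51.20

HOST_B = parse_route_n("""
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
0.0.0.0        212.25.8.1      0.0.0.0        UG    2      0        0 eth0
10.0.0.128      0.0.0.0        255.255.255.128 U    0      0        0 eth0
127.0.0.0      127.0.0.1      255.0.0.0      UG    0      0        0 lo
192.168.51.0    10.0.0.254      255.255.255.0  UG    2      0        0 eth0
192.168.100.0  0.0.0.0        255.255.255.224 U    0      0        0 eth0
212.25.8.0      0.0.0.0        255.255.255.128 U    0      0        0 eth0
""")  # host 10.0.0.166

if __name__ == "__main__":
    fwd, ret = round_trip(HOST_A, "192.168.51.20", HOST_B, "10.0.0.166")
    print("192.168.51.20 -> 10.0.0.166 via", fwd)
    print("10.0.0.166 -> 192.168.51.20 via", ret)
    for name, table in (("HOST_A", HOST_A), ("HOST_B", HOST_B)):
        for r in table:
            print(name, r.network, "gw", r.gateway, "on", r.iface,
                  "ok" if gateway_on_link(table, r) else "GATEWAY NOT ON-LINK")
```

Run the same tables for each host that misbehaves and compare: if the next hop chosen for the remote LAN is not the VPN gateway, or the gateway is not on-link, the host never hands the packet to the tunnel in the first place.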



  • Here is some more information:

    PFSense on 192.168.51.0/24 side:

    pfctl -s all
    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/
    " all
    nat on le1 inet from 10.0.0.0/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 192.168.51.0 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 10.0.0.0/25 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 10.0.0.128/25 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 192.168.51.0 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 192.168.51.0/24 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 127.0.0.0/8 to any -> 194.97.90.69 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/
    " all
    rdr-anchor "miniupnpd" all

    FILTER RULES:
    scrub on le0 all fragment reassemble
    scrub on le1 all fragment reassemble
    anchor "relayd/" all
    anchor "openvpn/
    " all
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! le0 inet from 192.168.51.0/24 to any
    block drop in inet from 192.168.51.248 to any
    block drop in on ! le1 inet from 194.97.90.64/27 to any
    block drop in inet from 194.97.90.69 to any
    block drop in on le0 inet6 from fe80::250:56ff:fe97:4d8c to any
    block drop in on le1 inet6 from fe80::250:56ff:fe97:5e2a to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (le1 194.97.90.94) inet from 194.97.90.69 to ! 194.97.90.64/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/" all
    pass in quick on le1 reply-to (le1 194.97.90.94) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
    pass in log quick on le0 inet from 192.168.51.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
    pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t"
    pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 212.25.8.11 keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 212.25.8.11 to any keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = isakmp keep state label "IPsec: Office FGN Munich - outbound isakmp"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = isakmp keep state label "IPsec: Office FGN Munich - inbound isakmp"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = sae-urn keep state label "IPsec: Office FGN Munich - outbound nat-t"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = sae-urn keep state label "IPsec: Office FGN Munich - inbound nat-t"
    pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 195.30.94.149 keep state label "IPsec: Office FGN Munich - outbound esp proto"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 195.30.94.149 to any keep state label "IPsec: Office FGN Munich - inbound esp proto"
    anchor "tftp-proxy/
    " all
    No queue in use

    STATES:
    all icmp 194.97.90.69:65334 -> 212.25.8.2      0:0
    all icmp 192.168.51.248:65334 -> 192.168.51.12      0:0
    all udp 194.97.90.69:500 -> 212.25.8.11:500      MULTIPLE:MULTIPLE
    all esp 194.97.90.69 <- 212.25.8.11      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:65119 <- 192.168.51.16:50661      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:50661 -> 10.0.0.130:65119      ESTABLISHED:ESTABLISHED
    all udp 194.97.90.69:500 -> 195.30.94.149:500      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:8443 <- 10.0.0.130:61331      FIN_WAIT_2:ESTABLISHED
    all tcp 10.0.0.130:61331 -> 192.168.51.16:8443      ESTABLISHED:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:22576      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:22576 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:48475      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:48475 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:30376      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:30376 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:22875      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:22875 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:6412      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:6412 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.130:61383 -> 192.168.51.15:9084      SYN_SENT:CLOSED
    all tcp 192.168.51.20:10051 <- 10.0.0.254:4796      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:4796 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.248:44 <- 192.168.51.20:55212      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.20:10051 <- 10.0.0.254:27192      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:27192 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.15:9084 <- 10.0.0.130:61397      CLOSED:SYN_SENT
    all tcp 10.0.0.130:61397 -> 192.168.51.15:9084      SYN_SENT:CLOSED
    all udp 192.168.51.255:138 <- 192.168.51.149:138      NO_TRAFFIC:SINGLE

    INFO:
    Status: Enabled for 1 days 13:54:06          Debug: Urgent

    Interface Stats for le0              IPv4            IPv6
      Bytes In                      614602893            4032
      Bytes Out                      201370476              292
      Packets In
        Passed                        3017844              56
        Blocked                          2576                0
      Packets Out
        Passed                        3102562                4
        Blocked                              0                0

    State Table                          Total            Rate
      current entries                      30
      searches                        17825509          130.6/s
      inserts                          978951            7.2/s
      removals                          978921            7.2/s
    Counters
      match                            981606            7.2/s
      bad-offset                            0            0.0/s
      fragment                              0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                            0            0.0/s
      ip-option                              4            0.0/s
      proto-cksum                            8            0.0/s
      state-mismatch                        0            0.0/s
      state-insert                          0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                              0            0.0/s
      divert                                0            0.0/s

    LABEL COUNTERS:
    Default deny rule IPv4 581824 1572 227481 1572 227481 0 0
    Default deny rule IPv4 580462 0 0 0 0 0 0
    Default deny rule IPv6 581824 0 0 0 0 0 0
    Default deny rule IPv6 290262 0 0 0 0 0 0
    Block snort2c hosts 580462 0 0 0 0 0 0
    Block snort2c hosts 580462 0 0 0 0 0 0
    sshlockout 580462 0 0 0 0 0 0
    webConfiguratorlockout 284694 0 0 0 0 0 0
    virusprot overload table 291562 0 0 0 0 0 0
    pass IPv4 loopback 291562 0 0 0 0 0 0
    pass IPv4 loopback 288900 0 0 0 0 0 0
    pass IPv6 loopback 0 0 0 0 0 0 0
    pass IPv6 loopback 0 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 580462 468378 291462249 226730 270976461 241648 20485788
    let out anything IPv6 from firewall host itself 288900 0 0 0 0 0 0
    let out anything from firewall host itself 288900 336 25536 168 12768 168 12768
    IPsec internal host to host 288900 2767605 162093472 1375851 80128734 1391754 81964738
    anti-lockout rule 580462 0 0 0 0 0 0
    anti-lockout rule 3 633 81468 219 15035 414 66433
    USER_RULE: Allow all on VM WAN 580461 1253 210217 1148 116626 105 93591
    USER_RULE: Default LAN -> any 579423 2769913 162655791 1394063 82527141 1375850 80128650
    USER_RULE 290017 468378 291462249 241648 20485788 226730 270976461
    IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp 290472 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp 209 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t 172 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t 172 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto 492 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto 320 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound isakmp 492 14842 1801228 7417 892976 7425 908252
    IPsec: Office FGN Munich - inbound isakmp 209 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound nat-t 172 0 0 0 0 0 0
    IPsec: Office FGN Munich - inbound nat-t 168 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound esp proto 492 1126 171152 0 0 1126 171152
    IPsec: Office FGN Munich - inbound esp proto 320 0 0 0 0 0 0

    TIMEOUTS:
    tcp.first                  120s
    tcp.opening                  30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                  45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                    60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                  60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start            5400 states
    adaptive.end              10800 states
    src.track                    0s

    LIMITS:
    states        hard limit    9000
    src-nodes    hard limit    9000
    frags        hard limit    5000
    tables        hard limit    3000
    table-entries hard limit  200000

    TABLES:
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout

    OS FINGERPRINTS:
    700 fingerprints loaded

    PFSense on 10.0.0.128/25 side:

    pfctl -s all
    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/
    " all
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 192.168.51.0/24 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 127.0.0.0/8 to any -> 212.25.8.11 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/
    " all
    rdr-anchor "miniupnpd" all

    FILTER RULES:
    scrub on le0 all fragment reassemble
    scrub on le1 all fragment reassemble
    anchor "relayd/" all
    anchor "openvpn/
    " all
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! le0 inet from 10.0.0.128/25 to any
    block drop in inet from 10.0.0.254 to any
    block drop in on ! le1 inet from 212.25.8.0/25 to any
    block drop in inet from 212.25.8.11 to any
    block drop in on le0 inet6 from fe80::20c:29ff:fe3c:4258 to any
    block drop in on le1 inet6 from fe80::20c:29ff:fe3c:4262 to any
    pass in quick on le1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on le1 inet proto udp from any port = bootpc to 212.25.8.11 port = bootps keep state label "allow access to DHCP server"
    pass out quick on le1 inet proto udp from 212.25.8.11 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (le1 212.25.8.1) inet from 212.25.8.11 to ! 212.25.8.0/25 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/" all
    pass in log quick on le1 reply-to (le1 212.25.8.1) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
    pass in log quick on le0 inet from 10.0.0.128/25 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
    pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp"
    pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t"
    pass out on le1 route-to (le1 212.25.8.1) inet proto esp from any to 194.97.90.69 keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto esp from 194.97.90.69 to any keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto"
    anchor "tftp-proxy/
    " all
    No queue in use

    STATES:
    all icmp 10.0.0.254:28658 <- 10.0.0.253      0:0
    all icmp 10.0.0.254:50354 <- 10.0.0.252      0:0
    all carp 224.0.0.18 <- 212.25.8.26      NO_TRAFFIC:SINGLE
    all icmp 212.25.8.11:48441 -> 212.25.8.1      0:0
    all icmp 10.0.0.254:48441 -> 10.0.0.254      0:0
    all udp 212.25.8.11:500 <- 194.97.90.69:500      MULTIPLE:MULTIPLE
    all tcp 212.25.8.11:44 <- 195.30.94.149:29036      ESTABLISHED:ESTABLISHED
    all tcp 212.25.8.11:44 <- 195.30.94.149:30734      ESTABLISHED:ESTABLISHED
    all esp 212.25.8.11 -> 194.97.90.69      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:65119 <- 192.168.51.16:50661      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:50661 -> 10.0.0.130:65119      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:8443 <- 10.0.0.130:61186      TIME_WAIT:TIME_WAIT
    all tcp 10.0.0.130:61186 -> 192.168.51.16:8443      TIME_WAIT:TIME_WAIT
    all tcp 10.0.0.254:51664 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:32911 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 212.25.8.11:44 <- 195.30.94.149:52536      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.254:31106 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.15:9084 <- 10.0.0.130:61306      CLOSED:SYN_SENT
    all tcp 10.0.0.254:14321 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:19233 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:10051 <- 10.0.0.129:55623      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:38917 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all igmp 224.0.0.1 <- 212.25.3.137      NO_TRAFFIC:SINGLE
    all pfsync 10.0.0.252 <- 10.0.0.253      SINGLE:MULTIPLE
    all pfsync 10.0.0.253 -> 10.0.0.252      MULTIPLE:SINGLE
    all tcp 10.0.0.254:45545 -> 192.168.51.20:10051      ESTABLISHED:ESTABLISHED

    INFO:
    Status: Enabled for 2 days 18:33:13          Debug: Urgent

    Interface Stats for le0              IPv4            IPv6
      Bytes In                      400694979          398592
      Bytes Out                      615563169              256
      Packets In
        Passed                        6346568            1180
        Blocked                          1960            3832
      Packets Out
        Passed                        8598800                3
        Blocked                            270                0

    State Table                          Total            Rate
      current entries                      28
      searches                        37303419          155.7/s
      inserts                          1665570            7.0/s
      removals                        1665542            7.0/s
    Counters
      match                            1675756            7.0/s
      bad-offset                            0            0.0/s
      fragment                              0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                            0            0.0/s
      ip-option                          3838            0.0/s
      proto-cksum                          21            0.0/s
      state-mismatch                        6            0.0/s
      state-insert                          0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                              0            0.0/s
      divert                                0            0.0/s

    LABEL COUNTERS:
    Default deny rule IPv4 1013104 55 2464 55 2464 0 0
    Default deny rule IPv4 1006863 0 0 0 0 0 0
    Default deny rule IPv6 1013104 5575 401400 5575 401400 0 0
    Default deny rule IPv6 513470 0 0 0 0 0 0
    Block snort2c hosts 1012438 0 0 0 0 0 0
    Block snort2c hosts 1012438 0 0 0 0 0 0
    sshlockout 1012438 0 0 0 0 0 0
    webConfiguratorlockout 484573 0 0 0 0 0 0
    virusprot overload table 505209 0 0 0 0 0 0
    allow access to DHCP server 22308 0 0 0 0 0 0
    allow access to DHCP server 194 388 176190 194 111744 194 64446
    allow access to DHCP server 514896 0 0 0 0 0 0
    pass IPv4 loopback 1008899 22059 1317735 11610 682668 10449 635067
    pass IPv4 loopback 2322 0 0 0 0 0 0
    pass IPv6 loopback 5667 0 0 0 0 0 0
    pass IPv6 loopback 1161 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 1012244 7232351 487832654 2400612 147667655 4831739 340164999
    let out anything IPv6 from firewall host itself 507229 0 0 0 0 0 0
    let out anything from firewall host itself 507229 8642 796952 4244 443326 4398 353626
    IPsec internal host to host 507229 795805 495094348 384978 459432413 410827 35661935
    anti-lockout rule 1012244 0 0 0 0 0 0
    anti-lockout rule 2309 0 0 0 0 0 0
    USER_RULE: Allow all on VM WAN 1012244 37420 17180593 18024 1765745 19396 15414848
    USER_RULE: Default LAN -> any 990970 154652 30724591 62193 16620611 92459 14103980
    USER_RULE 499094 4802251 290029335 2420598 144153657 2381653 145875678
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp 508445 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp 8409 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t 8357 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t 8357 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto 8409 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto 52 0 0 0 0 0 0

    TIMEOUTS:
    tcp.first                  120s
    tcp.opening                  30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                  45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                    60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                  60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start            6000 states
    adaptive.end              12000 states
    src.track                    0s

    LIMITS:
    states        hard limit    10000
    src-nodes    hard limit    10000
    frags        hard limit    5000
    tables        hard limit    3000
    table-entries hard limit  200000

    TABLES:
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout

    OS FINGERPRINTS:
    700 fingerprints loaded

    Traceroutes from 10.0.0.165 and 10.0.0.166 to 192.168.51.20:

    traceroute 192.168.51.20
        traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
        1  10.0.0.165 (10.0.0.165)  3009.797 ms !H  3009.797 ms !H  3009.795 ms !H

    traceroute 192.168.51.20
        traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
        1  10.0.0.166 (10.0.0.166)  3018.811 ms !H  3018.809 ms !H  3018.806 ms !H
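As an added example that is not part of the thread: a Python parser for the `pfctl -s states` lines quoted above, run against a constructed subset of the two dumps (lines copied from the post). It lists the states between a given host pair, flags TCP states where a SYN was seen but never answered, and compares which cross-site flows each firewall has a state for. The function names (`parse_states`, `states_between`, `half_open`, `crossing_pairs`, `compare_sides`) and the `SITE_A_STATES`/`SITE_B_STATES` samples are this example's own assumptions, not pfSense tooling.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# One line of `pfctl -s states`: <if> <proto> <endpoint> (-> or <-) <endpoint> <state:state>
STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(->|<-)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class PfState:
    iface: str
    proto: str
    left: str        # "addr" or "addr:port" as printed (the ICMP id shows as a port)
    direction: str   # "->": state created by an outbound packet, "<-": by an inbound one
    right: str
    left_state: str
    right_state: str


def host_of(endpoint: str) -> str:
    """Strip the :port / :icmp-id suffix from an IPv4 endpoint."""
    m = re.match(r"^(\d+\.\d+\.\d+\.\d+)", endpoint)
    return m.group(1) if m else endpoint


def parse_states(text: str) -> List[PfState]:
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # headers such as "STATES:" or anything that is not a state entry
        iface, proto, left, direction, right, st = m.groups()
        ls, _, rs = st.partition(":")
        states.append(PfState(iface, proto, left, direction, right, ls, rs))
    return states


def states_between(states: List[PfState], a: str, b: str) -> List[PfState]:
    """All states whose two endpoints are exactly hosts a and b, in either order."""
    return [s for s in states if {host_of(s.left), host_of(s.right)} == {a, b}]


def half_open(states: List[PfState]) -> List[PfState]:
    """TCP states where one side sent a SYN and no SYN-ACK was ever seen."""
    return [s for s in states if s.proto == "tcp"
            and {s.left_state, s.right_state} == {"SYN_SENT", "CLOSED"}]


def crossing_pairs(states: List[PfState], lan_a: str, lan_b: str) -> Set[Tuple[str, str, str]]:
    """(proto, host, host) for every state that runs between the two site networks."""
    na, nb = ip_network(lan_a), ip_network(lan_b)
    pairs = set()
    for s in states:
        l, r = ip_address(host_of(s.left)), ip_address(host_of(s.right))
        if (l in na and r in nb) or (l in nb and r in na):
            pairs.add((s.proto,) + tuple(sorted((str(l), str(r)))))
    return pairs


def compare_sides(states_a, states_b, lan_a, lan_b):
    """Cross-site flows that one firewall has a state for and the other does not."""
    pa = crossing_pairs(states_a, lan_a, lan_b)
    pb = crossing_pairs(states_b, lan_a, lan_b)
    return pa - pb, pb - pa


# Constructed samples: a subset of the two STATES blocks quoted in the post.
SITE_A_STATES = """
STATES:
all icmp 194.97.90.69:65334 -> 212.25.8.2      0:0
all udp 194.97.90.69:500 -> 212.25.8.11:500      MULTIPLE:MULTIPLE
all esp 194.97.90.69 <- 212.25.8.11      MULTIPLE:MULTIPLE
all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
all tcp 192.168.51.20:10051 <- 10.0.0.254:22576      FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.130:61383 -> 192.168.51.15:9084      SYN_SENT:CLOSED
all tcp 192.168.51.15:9084 <- 10.0.0.130:61397      CLOSED:SYN_SENT
"""

SITE_B_STATES = """
STATES:
all udp 212.25.8.11:500 <- 194.97.90.69:500      MULTIPLE:MULTIPLE
all esp 212.25.8.11 -> 194.97.90.69      MULTIPLE:MULTIPLE
all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
all tcp 10.0.0.254:51664 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.51.15:9084 <- 10.0.0.130:61306      CLOSED:SYN_SENT
all pfsync 10.0.0.253 -> 10.0.0.252      MULTIPLE:SINGLE
"""

if __name__ == "__main__":
    a, b = parse_states(SITE_A_STATES), parse_states(SITE_B_STATES)
    print("states 192.168.51.20 <-> 10.0.0.166 on side A:",
          states_between(a, "192.168.51.20", "10.0.0.166"))
    for s in half_open(a) + half_open(b):
        print("half-open:", s.left, s.direction, s.right, s.left_state, s.right_state)
    print("only on A / only on B:",
          compare_sides(a, b, "192.168.51.0/24", "10.0.0.128/25"))
```

Take the dump on both firewalls while the failing ping is running: a pair that appears only on the sending side tells you the request never reached the far firewall, and a pair present on both with no reply state points at the far-side host or its return route instead.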

