Netgate Discussion Forum

    Reachability problems via IPSEC

    IPsec
    crusader2004

      Is there some function which would prevent reachability from one site of a site-to-site VPN to the other as long as there is no initiation from the other side?
      I have a strange problem: I've configured an IPsec site-to-site VPN and configured a route from one network to the other, with a specific route 192.168.51.20/24 via 10.0.0.254 on the 10.0.0.128/25 net and 10.0.0.128/25 via 192.168.51.248.
      My problem now is that when I try to reach 10.0.0.161-166 from 192.168.51.20, 10.0.0.161 is reachable all the time, as are both VPN gateways, but from 162/3/6 I get no response at the first attempt.
      Now 162/3 are working constantly, but 165/166 are still not reachable,
      but as soon as I ping 166/165 from 192.168.51.248/10.0.0.254, or 192.168.51.20 from 10.0.0.166, it does work, but only as long as the ping is going on.
      As soon as I stop the other ping, it takes one minute and the ping stops again.
      Can someone give me a hint on how to find out what the problem could be?
      I've tried tcpdump, but I get no sensible information.
      The ICMP request just starts from one side and just gets no response.
      At first I thought it might have something to do with both sides being VMs on VMware, but then I found out that specific systems which are not VMs are behaving the same way, since 166 is a VM and 165 is physical.

      Here are my routes:

      Host: 192.168.51.20
      Kernel IP routing table
      Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
      194.97.90.64    0.0.0.0        255.255.255.224 U    0      0        0 eth2
      10.0.0.128      192.168.51.248  255.255.255.128 UG    0      0        0 eth1
      192.168.51.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
      0.0.0.0        194.97.90.94    0.0.0.0        UG    100    0        0 eth2

      Host: 10.0.0.166
      Kernel IP routing table
      Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
      0.0.0.0        212.25.8.1      0.0.0.0        UG    2      0        0 eth0
      10.0.0.128      0.0.0.0        255.255.255.128 U    0      0        0 eth0
      127.0.0.0      127.0.0.1      255.0.0.0      UG    0      0        0 lo
      192.168.51.0    10.0.0.254      255.255.255.0  UG    2      0        0 eth0
      192.168.100.0  0.0.0.0        255.255.255.224 U    0      0        0 eth0
      212.25.8.0      0.0.0.0        255.255.255.128 U    0      0        0 eth0

      Routes on pfSense 192.168.51.248:
      default 194.97.90.94 UGS 0 35428 1500 le1
      10.0.0.0/25 194.97.90.94 UGS 0 0 1500 le1
      10.0.0.128/25 194.97.90.94 UGS 0 758920 1500 le1
      127.0.0.1 link#5 UH 0 43 16384 lo0
      192.168.51.0/32 192.168.51.248 US 0 0 1500 le0 =>
      192.168.51.0/24 link#2 U 0 808815 1500 le0
      192.168.51.248 link#2 UHS 0 0 16384 lo0
      194.97.90.64/27 link#3 U 0 0 1500 le1
      194.97.90.69 link#3 UHS 0 0 16384 lo0
      195.30.94.149 194.97.90.94 UGHS 0 4090 1500 le1
      212.25.8.11 194.97.90.94 UGHS 0 738079 1500 le1

      Routes on pfSense 10.0.0.254:
      default 212.25.8.1 UGS 0 153229 1500 le1
      10.0.0.128/25 10.0.0.254 US 0 4867740 1500 le0
      10.0.0.254 link#2 UHS 0 292843 16384 lo0
      127.0.0.1 link#6 UH 0 581 16384 lo0
      192.168.51.0/24 10.0.0.254 US 0 2599693 1500 le0
      194.97.90.69 212.25.8.1 UGHS 0 2637625 1500 le1
      212.25.8.0/25 link#3 U 0 138065 1500 le1
      212.25.8.11 link#3 UHS 0 0 16384 lo0

      I've configured an "any" to "any" firewall rule for each pfSense interface and box,
      just to be sure it's no firewall thing.

      I hope someone can help me to find this problem.
      Thank you in advance.

      crusader2004

        Here is some more information:

        pfSense on 192.168.51.0/24 side:

        pfctl -s all
        TRANSLATION RULES:
        no nat proto carp all
        nat-anchor "natearly/" all
        nat-anchor "natrules/" all
        nat on le1 inet from 10.0.0.0/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
        nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
        nat on le1 inet from 192.168.51.0 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
        nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
        nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
        nat on le1 inet from 10.0.0.0/25 to any -> 194.97.90.69 port 1024:65535
        nat on le1 inet from 10.0.0.128/25 to any -> 194.97.90.69 port 1024:65535
        nat on le1 inet from 192.168.51.0 to any -> 194.97.90.69 port 1024:65535
        nat on le1 inet from 192.168.51.0/24 to any -> 194.97.90.69 port 1024:65535
        nat on le1 inet from 127.0.0.0/8 to any -> 194.97.90.69 port 1024:65535
        no rdr proto carp all
        rdr-anchor "relayd/" all
        rdr-anchor "tftp-proxy/" all
        rdr-anchor "miniupnpd" all

        FILTER RULES:
        scrub on le0 all fragment reassemble
        scrub on le1 all fragment reassemble
        anchor "relayd/" all
        anchor "openvpn/" all
        block drop in log inet all label "Default deny rule IPv4"
        block drop out log inet all label "Default deny rule IPv4"
        block drop in log inet6 all label "Default deny rule IPv6"
        block drop out log inet6 all label "Default deny rule IPv6"
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
        block drop quick inet proto tcp from any port = 0 to any
        block drop quick inet proto tcp from any to any port = 0
        block drop quick inet proto udp from any port = 0 to any
        block drop quick inet proto udp from any to any port = 0
        block drop quick inet6 proto tcp from any port = 0 to any
        block drop quick inet6 proto tcp from any to any port = 0
        block drop quick inet6 proto udp from any port = 0 to any
        block drop quick inet6 proto udp from any to any port = 0
        block drop quick from <snort2c> to any label "Block snort2c hosts"
        block drop quick from any to <snort2c> label "Block snort2c hosts"
        block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
        block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
        block drop in quick from <virusprot> to any label "virusprot overload table"
        block drop in on ! le0 inet from 192.168.51.0/24 to any
        block drop in inet from 192.168.51.248 to any
        block drop in on ! le1 inet from 194.97.90.64/27 to any
        block drop in inet from 194.97.90.69 to any
        block drop in on le0 inet6 from fe80::250:56ff:fe97:4d8c to any
        block drop in on le1 inet6 from fe80::250:56ff:fe97:5e2a to any
        pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
        pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
        pass out route-to (le1 194.97.90.94) inet from 194.97.90.69 to ! 194.97.90.64/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
        pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
        pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
        pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
        anchor "userrules/" all
        pass in quick on le1 reply-to (le1 194.97.90.94) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
        pass in log quick on le0 inet from 192.168.51.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
        pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
        pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp"
        pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp"
        pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t"
        pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t"
        pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 212.25.8.11 keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto"
        pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 212.25.8.11 to any keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto"
        pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = isakmp keep state label "IPsec: Office FGN Munich - outbound isakmp"
        pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = isakmp keep state label "IPsec: Office FGN Munich - inbound isakmp"
        pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = sae-urn keep state label "IPsec: Office FGN Munich - outbound nat-t"
        pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = sae-urn keep state label "IPsec: Office FGN Munich - inbound nat-t"
        pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 195.30.94.149 keep state label "IPsec: Office FGN Munich - outbound esp proto"
        pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 195.30.94.149 to any keep state label "IPsec: Office FGN Munich - inbound esp proto"
        anchor "tftp-proxy/" all
        No queue in use

        STATES:
        all icmp 194.97.90.69:65334 -> 212.25.8.2      0:0
        all icmp 192.168.51.248:65334 -> 192.168.51.12      0:0
        all udp 194.97.90.69:500 -> 212.25.8.11:500      MULTIPLE:MULTIPLE
        all esp 194.97.90.69 <- 212.25.8.11      MULTIPLE:MULTIPLE
        all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
        all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
        all tcp 10.0.0.130:65119 <- 192.168.51.16:50661      ESTABLISHED:ESTABLISHED
        all tcp 192.168.51.16:50661 -> 10.0.0.130:65119      ESTABLISHED:ESTABLISHED
        all udp 194.97.90.69:500 -> 195.30.94.149:500      MULTIPLE:MULTIPLE
        all tcp 192.168.51.16:8443 <- 10.0.0.130:61331      FIN_WAIT_2:ESTABLISHED
        all tcp 10.0.0.130:61331 -> 192.168.51.16:8443      ESTABLISHED:FIN_WAIT_2
        all tcp 192.168.51.20:10051 <- 10.0.0.254:22576      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:22576 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 192.168.51.20:10051 <- 10.0.0.254:48475      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:48475 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 192.168.51.20:10051 <- 10.0.0.254:30376      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:30376 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 192.168.51.20:10051 <- 10.0.0.254:22875      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:22875 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 192.168.51.20:10051 <- 10.0.0.254:6412      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:6412 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.130:61383 -> 192.168.51.15:9084      SYN_SENT:CLOSED
        all tcp 192.168.51.20:10051 <- 10.0.0.254:4796      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:4796 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 192.168.51.248:44 <- 192.168.51.20:55212      ESTABLISHED:ESTABLISHED
        all tcp 192.168.51.20:10051 <- 10.0.0.254:27192      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:27192 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 192.168.51.15:9084 <- 10.0.0.130:61397      CLOSED:SYN_SENT
        all tcp 10.0.0.130:61397 -> 192.168.51.15:9084      SYN_SENT:CLOSED
        all udp 192.168.51.255:138 <- 192.168.51.149:138      NO_TRAFFIC:SINGLE

        INFO:
        Status: Enabled for 1 days 13:54:06          Debug: Urgent

        Interface Stats for le0              IPv4            IPv6
          Bytes In                      614602893            4032
          Bytes Out                      201370476              292
          Packets In
            Passed                        3017844              56
            Blocked                          2576                0
          Packets Out
            Passed                        3102562                4
            Blocked                              0                0

        State Table                          Total            Rate
          current entries                      30
          searches                        17825509          130.6/s
          inserts                          978951            7.2/s
          removals                          978921            7.2/s
        Counters
          match                            981606            7.2/s
          bad-offset                            0            0.0/s
          fragment                              0            0.0/s
          short                                  0            0.0/s
          normalize                              0            0.0/s
          memory                                0            0.0/s
          bad-timestamp                          0            0.0/s
          congestion                            0            0.0/s
          ip-option                              4            0.0/s
          proto-cksum                            8            0.0/s
          state-mismatch                        0            0.0/s
          state-insert                          0            0.0/s
          state-limit                            0            0.0/s
          src-limit                              0            0.0/s
          synproxy                              0            0.0/s
          divert                                0            0.0/s

        LABEL COUNTERS:
        Default deny rule IPv4 581824 1572 227481 1572 227481 0 0
        Default deny rule IPv4 580462 0 0 0 0 0 0
        Default deny rule IPv6 581824 0 0 0 0 0 0
        Default deny rule IPv6 290262 0 0 0 0 0 0
        Block snort2c hosts 580462 0 0 0 0 0 0
        Block snort2c hosts 580462 0 0 0 0 0 0
        sshlockout 580462 0 0 0 0 0 0
        webConfiguratorlockout 284694 0 0 0 0 0 0
        virusprot overload table 291562 0 0 0 0 0 0
        pass IPv4 loopback 291562 0 0 0 0 0 0
        pass IPv4 loopback 288900 0 0 0 0 0 0
        pass IPv6 loopback 0 0 0 0 0 0 0
        pass IPv6 loopback 0 0 0 0 0 0 0
        let out anything IPv4 from firewall host itself 580462 468378 291462249 226730 270976461 241648 20485788
        let out anything IPv6 from firewall host itself 288900 0 0 0 0 0 0
        let out anything from firewall host itself 288900 336 25536 168 12768 168 12768
        IPsec internal host to host 288900 2767605 162093472 1375851 80128734 1391754 81964738
        anti-lockout rule 580462 0 0 0 0 0 0
        anti-lockout rule 3 633 81468 219 15035 414 66433
        USER_RULE: Allow all on VM WAN 580461 1253 210217 1148 116626 105 93591
        USER_RULE: Default LAN -> any 579423 2769913 162655791 1394063 82527141 1375850 80128650
        USER_RULE 290017 468378 291462249 241648 20485788 226730 270976461
        IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp 290472 0 0 0 0 0 0
        IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp 209 0 0 0 0 0 0
        IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t 172 0 0 0 0 0 0
        IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t 172 0 0 0 0 0 0
        IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto 492 0 0 0 0 0 0
        IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto 320 0 0 0 0 0 0
        IPsec: Office FGN Munich - outbound isakmp 492 14842 1801228 7417 892976 7425 908252
        IPsec: Office FGN Munich - inbound isakmp 209 0 0 0 0 0 0
        IPsec: Office FGN Munich - outbound nat-t 172 0 0 0 0 0 0
        IPsec: Office FGN Munich - inbound nat-t 168 0 0 0 0 0 0
        IPsec: Office FGN Munich - outbound esp proto 492 1126 171152 0 0 1126 171152
        IPsec: Office FGN Munich - inbound esp proto 320 0 0 0 0 0 0

        TIMEOUTS:
        tcp.first                  120s
        tcp.opening                  30s
        tcp.established          86400s
        tcp.closing                900s
        tcp.finwait                  45s
        tcp.closed                  90s
        tcp.tsdiff                  30s
        udp.first                    60s
        udp.single                  30s
        udp.multiple                60s
        icmp.first                  20s
        icmp.error                  10s
        other.first                  60s
        other.single                30s
        other.multiple              60s
        frag                        30s
        interval                    10s
        adaptive.start            5400 states
        adaptive.end              10800 states
        src.track                    0s

        LIMITS:
        states        hard limit    9000
        src-nodes    hard limit    9000
        frags        hard limit    5000
        tables        hard limit    3000
        table-entries hard limit  200000

        TABLES:
        snort2c
        sshlockout
        virusprot
        webConfiguratorlockout

        OS FINGERPRINTS:
        700 fingerprints loaded

        pfSense on 10.0.0.128/25 side:

        pfctl -s all
        TRANSLATION RULES:
        no nat proto carp all
        nat-anchor "natearly/" all
        nat-anchor "natrules/" all
        nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
        nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
        nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
        nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
        nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
        nat on le1 inet from 192.168.51.0/24 to any -> 212.25.8.11 port 1024:65535
        nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
        nat on le1 inet from 127.0.0.0/8 to any -> 212.25.8.11 port 1024:65535
        no rdr proto carp all
        rdr-anchor "relayd/" all
        rdr-anchor "tftp-proxy/" all
        rdr-anchor "miniupnpd" all

        FILTER RULES:
        scrub on le0 all fragment reassemble
        scrub on le1 all fragment reassemble
        anchor "relayd/" all
        anchor "openvpn/" all
        block drop in log inet all label "Default deny rule IPv4"
        block drop out log inet all label "Default deny rule IPv4"
        block drop in log inet6 all label "Default deny rule IPv6"
        block drop out log inet6 all label "Default deny rule IPv6"
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
        pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
        block drop quick inet proto tcp from any port = 0 to any
        block drop quick inet proto tcp from any to any port = 0
        block drop quick inet proto udp from any port = 0 to any
        block drop quick inet proto udp from any to any port = 0
        block drop quick inet6 proto tcp from any port = 0 to any
        block drop quick inet6 proto tcp from any to any port = 0
        block drop quick inet6 proto udp from any port = 0 to any
        block drop quick inet6 proto udp from any to any port = 0
        block drop quick from <snort2c> to any label "Block snort2c hosts"
        block drop quick from any to <snort2c> label "Block snort2c hosts"
        block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
        block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
        block drop in quick from <virusprot> to any label "virusprot overload table"
        block drop in on ! le0 inet from 10.0.0.128/25 to any
        block drop in inet from 10.0.0.254 to any
        block drop in on ! le1 inet from 212.25.8.0/25 to any
        block drop in inet from 212.25.8.11 to any
        block drop in on le0 inet6 from fe80::20c:29ff:fe3c:4258 to any
        block drop in on le1 inet6 from fe80::20c:29ff:fe3c:4262 to any
        pass in quick on le1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
        pass in quick on le1 inet proto udp from any port = bootpc to 212.25.8.11 port = bootps keep state label "allow access to DHCP server"
        pass out quick on le1 inet proto udp from 212.25.8.11 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
        pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
        pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
        pass out route-to (le1 212.25.8.1) inet from 212.25.8.11 to ! 212.25.8.0/25 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
        pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
        pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
        pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
        anchor "userrules/" all
        pass in log quick on le1 reply-to (le1 212.25.8.1) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
        pass in log quick on le0 inet from 10.0.0.128/25 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
        pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
        pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp"
        pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp"
        pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t"
        pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t"
        pass out on le1 route-to (le1 212.25.8.1) inet proto esp from any to 194.97.90.69 keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto"
        pass in on le1 reply-to (le1 212.25.8.1) inet proto esp from 194.97.90.69 to any keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto"
        anchor "tftp-proxy/" all
        No queue in use

        STATES:
        all icmp 10.0.0.254:28658 <- 10.0.0.253      0:0
        all icmp 10.0.0.254:50354 <- 10.0.0.252      0:0
        all carp 224.0.0.18 <- 212.25.8.26      NO_TRAFFIC:SINGLE
        all icmp 212.25.8.11:48441 -> 212.25.8.1      0:0
        all icmp 10.0.0.254:48441 -> 10.0.0.254      0:0
        all udp 212.25.8.11:500 <- 194.97.90.69:500      MULTIPLE:MULTIPLE
        all tcp 212.25.8.11:44 <- 195.30.94.149:29036      ESTABLISHED:ESTABLISHED
        all tcp 212.25.8.11:44 <- 195.30.94.149:30734      ESTABLISHED:ESTABLISHED
        all esp 212.25.8.11 -> 194.97.90.69      MULTIPLE:MULTIPLE
        all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
        all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
        all tcp 10.0.0.130:65119 <- 192.168.51.16:50661      ESTABLISHED:ESTABLISHED
        all tcp 192.168.51.16:50661 -> 10.0.0.130:65119      ESTABLISHED:ESTABLISHED
        all tcp 192.168.51.16:8443 <- 10.0.0.130:61186      TIME_WAIT:TIME_WAIT
        all tcp 10.0.0.130:61186 -> 192.168.51.16:8443      TIME_WAIT:TIME_WAIT
        all tcp 10.0.0.254:51664 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:32911 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 212.25.8.11:44 <- 195.30.94.149:52536      ESTABLISHED:ESTABLISHED
        all tcp 10.0.0.254:31106 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 192.168.51.15:9084 <- 10.0.0.130:61306      CLOSED:SYN_SENT
        all tcp 10.0.0.254:14321 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:19233 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:10051 <- 10.0.0.129:55623      FIN_WAIT_2:FIN_WAIT_2
        all tcp 10.0.0.254:38917 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
        all igmp 224.0.0.1 <- 212.25.3.137      NO_TRAFFIC:SINGLE
        all pfsync 10.0.0.252 <- 10.0.0.253      SINGLE:MULTIPLE
        all pfsync 10.0.0.253 -> 10.0.0.252      MULTIPLE:SINGLE
        all tcp 10.0.0.254:45545 -> 192.168.51.20:10051      ESTABLISHED:ESTABLISHED

        INFO:
        Status: Enabled for 2 days 18:33:13          Debug: Urgent

        Interface Stats for le0              IPv4            IPv6
          Bytes In                      400694979          398592
          Bytes Out                      615563169              256
          Packets In
            Passed                        6346568            1180
            Blocked                          1960            3832
          Packets Out
            Passed                        8598800                3
            Blocked                            270                0

        State Table                          Total            Rate
          current entries                      28
          searches                        37303419          155.7/s
          inserts                          1665570            7.0/s
          removals                        1665542            7.0/s
        Counters
          match                            1675756            7.0/s
          bad-offset                            0            0.0/s
          fragment                              0            0.0/s
          short                                  0            0.0/s
          normalize                              0            0.0/s
          memory                                0            0.0/s
          bad-timestamp                          0            0.0/s
          congestion                            0            0.0/s
          ip-option                          3838            0.0/s
          proto-cksum                          21            0.0/s
          state-mismatch                        6            0.0/s
          state-insert                          0            0.0/s
          state-limit                            0            0.0/s
          src-limit                              0            0.0/s
          synproxy                              0            0.0/s
          divert                                0            0.0/s

        LABEL COUNTERS:
        Default deny rule IPv4 1013104 55 2464 55 2464 0 0
        Default deny rule IPv4 1006863 0 0 0 0 0 0
        Default deny rule IPv6 1013104 5575 401400 5575 401400 0 0
        Default deny rule IPv6 513470 0 0 0 0 0 0
        Block snort2c hosts 1012438 0 0 0 0 0 0
        Block snort2c hosts 1012438 0 0 0 0 0 0
        sshlockout 1012438 0 0 0 0 0 0
        webConfiguratorlockout 484573 0 0 0 0 0 0
        virusprot overload table 505209 0 0 0 0 0 0
        allow access to DHCP server 22308 0 0 0 0 0 0
        allow access to DHCP server 194 388 176190 194 111744 194 64446
        allow access to DHCP server 514896 0 0 0 0 0 0
        pass IPv4 loopback 1008899 22059 1317735 11610 682668 10449 635067
        pass IPv4 loopback 2322 0 0 0 0 0 0
        pass IPv6 loopback 5667 0 0 0 0 0 0
        pass IPv6 loopback 1161 0 0 0 0 0 0
        let out anything IPv4 from firewall host itself 1012244 7232351 487832654 2400612 147667655 4831739 340164999
        let out anything IPv6 from firewall host itself 507229 0 0 0 0 0 0
        let out anything from firewall host itself 507229 8642 796952 4244 443326 4398 353626
        IPsec internal host to host 507229 795805 495094348 384978 459432413 410827 35661935
        anti-lockout rule 1012244 0 0 0 0 0 0
        anti-lockout rule 2309 0 0 0 0 0 0
        USER_RULE: Allow all on VM WAN 1012244 37420 17180593 18024 1765745 19396 15414848
        USER_RULE: Default LAN -> any 990970 154652 30724591 62193 16620611 92459 14103980
        USER_RULE 499094 4802251 290029335 2420598 144153657 2381653 145875678
        IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp 508445 0 0 0 0 0 0
        IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp 8409 0 0 0 0 0 0
        IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t 8357 0 0 0 0 0 0
        IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t 8357 0 0 0 0 0 0
        IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto 8409 0 0 0 0 0 0
        IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto 52 0 0 0 0 0 0

        TIMEOUTS:
        tcp.first                  120s
        tcp.opening                  30s
        tcp.established          86400s
        tcp.closing                900s
        tcp.finwait                  45s
        tcp.closed                  90s
        tcp.tsdiff                  30s
        udp.first                    60s
        udp.single                  30s
        udp.multiple                60s
        icmp.first                  20s
        icmp.error                  10s
        other.first                  60s
        other.single                30s
        other.multiple              60s
        frag                        30s
        interval                    10s
        adaptive.start            6000 states
        adaptive.end              12000 states
        src.track                    0s

        LIMITS:
        states        hard limit    10000
        src-nodes    hard limit    10000
        frags        hard limit    5000
        tables        hard limit    3000
        table-entries hard limit  200000

        TABLES:
        snort2c
        sshlockout
        virusprot
        webConfiguratorlockout

        OS FINGERPRINTS:
        700 fingerprints loaded

        Traceroutes from 10.0.0.165 and 10.0.0.166 to 192.168.51.20:

        traceroute 192.168.51.20
            traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
            1  10.0.0.165 (10.0.0.165)  3009.797 ms !H  3009.797 ms !H  3009.795 ms !H

        traceroute 192.168.51.20
            traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
            1  10.0.0.166 (10.0.0.166)  3018.811 ms !H  3018.809 ms !H  3018.806 ms !H

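The state-table excerpt, the TIMEOUTS block and the two traceroutes above are the raw material for the diagnosis; as an added example (not code from the post, from pfSense or from pf itself) the script below reads those three artefacts and answers two questions a practitioner would ask of them: which pf states touch a given host and which configured timeout governs each, and whether a traceroute shows the "hop 1 is myself, flagged !H" pattern, which means the sending kernel itself refused the packet with EHOSTUNREACH before pf or the tunnel ever saw it. The sample input is constructed: the post's own state lines plus an invented ICMP echo state on `enc0`, the post's TIMEOUTS values, and a copy of the post's traceroute from 10.0.0.165. The timeout selection is an approximation of pf's tracking logic (`pf_tcp_track_full()` and the UDP/other paths in pf.c) and should be checked against the pf version in use before the numbers are relied on.

```python
"""Added example: map pfctl -ss states to the pf timeout that expires them,
and flag a traceroute whose first hop is the probing host itself with !H."""
import re

# Constructed sample: the post's state lines plus an invented ICMP state on enc0.
PF_STATES = """\
all tcp 10.0.0.254:10051 <- 10.0.0.129:55623      FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.254:38917 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
all igmp 224.0.0.1 <- 212.25.3.137      NO_TRAFFIC:SINGLE
all pfsync 10.0.0.253 -> 10.0.0.252      MULTIPLE:SINGLE
all tcp 10.0.0.254:45545 -> 192.168.51.20:10051      ESTABLISHED:ESTABLISHED
enc0 icmp 192.168.51.20:2201 -> 10.0.0.166:2201      0:0
"""
# TIMEOUTS values as printed by pfctl -si in the post.
PF_TIMEOUTS = """\
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
"""
# Constructed copy of the post's traceroute from 10.0.0.165.
TRACEROUTE_165 = """\
traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
 1  10.0.0.165 (10.0.0.165)  3009.797 ms !H  3009.797 ms !H  3009.795 ms !H
"""

STATE_RE = re.compile(  # optional "(addr)" after an endpoint is the NAT'd address
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\([^)]*\))?"
    r"\s+(?P<dir><-|->|<->)\s+(?P<right>\S+)(?:\s+\([^)]*\))?"
    r"\s+(?P<s1>\S+):(?P<s2>\S+)$")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s+(.*)$")
# TCP state names in tcp_fsm.h order, the order pf's >= comparisons rely on.
TCP_ORDER = {n: i for i, n in enumerate(
    ["CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "CLOSE_WAIT",
     "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT"])}

def parse_states(text):
    rows = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def parse_timeouts(text):
    tmo = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].endswith("s"):
            tmo[parts[0]] = int(parts[1][:-1])
    return tmo

def host_of(endpoint):
    """'10.0.0.254:10051' -> '10.0.0.254'; pfctl prints IPv6 ports as 'addr[port]'."""
    if "[" in endpoint:
        return endpoint.split("[")[0]
    return endpoint.split(":")[0] if endpoint.count(":") == 1 else endpoint

def timeout_key(proto, s1, s2):
    """Approximation (assumption) of how pf.c picks a state's timeout."""
    if proto == "tcp":
        a, b = TCP_ORDER.get(s1, 0), TCP_ORDER.get(s2, 0)
        fw2, clo, est = TCP_ORDER["FIN_WAIT_2"], TCP_ORDER["CLOSING"], TCP_ORDER["ESTABLISHED"]
        if a >= fw2 and b >= fw2:
            return "tcp.closed"
        if a >= clo and b >= clo:
            return "tcp.finwait"
        if a < est or b < est:
            return "tcp.opening"
        if a >= clo or b >= clo:
            return "tcp.closing"
        return "tcp.established"
    if proto in ("icmp", "icmp6", "ipv6-icmp"):
        return "icmp.first"            # icmp.error applies only to error replies
    fam = "udp" if proto == "udp" else "other"
    if s1 == "MULTIPLE" and s2 == "MULTIPLE":
        return fam + ".multiple"
    if "NO_TRAFFIC" in (s1, s2):
        return fam + ".first"          # one direction seen; .single after the 2nd packet
    return fam + ".single"

def states_for(host, states_text=PF_STATES, timeouts_text=PF_TIMEOUTS):
    """(iface, proto, left, dir, right, states, timeout name, seconds) per state touching host."""
    tmo = parse_timeouts(timeouts_text)
    out = []
    for st in parse_states(states_text):
        if host in (host_of(st["left"]), host_of(st["right"])):
            key = timeout_key(st["proto"], st["s1"], st["s2"])
            out.append((st["iface"], st["proto"], st["left"], st["dir"], st["right"],
                        st["s1"] + ":" + st["s2"], key, tmo.get(key)))
    return out

def traceroute_local_unreach(output, local_ip):
    """True when hop 1 is the probing host itself marked !H: the local kernel
    returned EHOSTUNREACH, so the probe never left the box. Roughly 3 s per
    probe is consistent with Linux giving up after its default ARP solicitations
    for the next hop, which is where to look before blaming pf or the tunnel."""
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m and m.group(1) == "1":
            return m.group(3) == local_ip and "!H" in m.group(4)
    return False

if __name__ == "__main__":
    for row in states_for("192.168.51.20"):
        print(*row)
    print("local !H on 10.0.0.165:", traceroute_local_unreach(TRACEROUTE_165, "10.0.0.165"))
```

Run against live data with `pfctl -ss` and `pfctl -si` output in place of the constructed strings; a state whose governing timeout is `icmp.first` (20 s here) tells you how long after the last echo an existing state survives, while a traceroute that never gets past the local host points at neighbour resolution on the sending side rather than at the firewall.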
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.