Firewall block



  • Hello,
    I have a network 10.33.206.0/24 and a Cisco router 10.33.206.1.
    I want to add a pfSense in this network with only one interface (WAN) with the IP 10.33.206.44 (the pfSense FW has the gateway 10.33.206.1) and I don't want to use other IPs not in this range.
    I changed the gateway of the computers to 10.33.206.44 (10.33.206.1 to 10.33.206.44) and it works fine.
    Computers can go on the internet and can reach the servers…

    Now I want to enable the pfSense firewall (it was disabled before).
    I have one rule: IPv4* * * * * * none
    I can ping my servers, I can go on the internet but with strange problems.
    My problems are:
    If I try a speed test on the internet the download test works but the upload test doesn't work.
    When I go on the internet, pages are slow.
    If I go on an RDP server I can't click and I can't use the keyboard.
    Skype disconnects every 10 seconds.
    My Outlook works then stops working....

    If I disable the firewall (pfctl -d) everything works fine.
    If I enable it again there are many problems.

    My firewall rule allows everything so I don't understand why I have this strange problem.
    Can you help me please?

    Regards

    Packet trace:
    18:38:53.913054 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 1460
    18:38:56.441500 IP 10.33.206.7.36907 > 10.33.252.61.3389: tcp 1460
    18:38:58.713348 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 1460
    18:38:59.115946 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
    18:38:59.116027 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
    18:38:59.537607 IP 10.33.206.7.36907 > 10.33.252.61.3389: tcp 0
    18:38:59.537694 IP 10.33.206.7.36907 > 10.33.252.61.3389: tcp 0
    18:39:04.765285 IP 10.33.206.7.36907 > 10.33.252.61.3389: tcp 1460
    18:39:08.311851 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
    18:39:08.311975 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
    18:39:08.336953 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
    18:39:08.337033 IP 10.33.206.7.36904 > 10.33.252.61.3389: tcp 0
    18:39:08.378651 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 0
    18:39:08.378713 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 0
    18:39:08.403546 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 0
    18:39:08.403634 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 0
    18:39:08.404122 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 47
    18:39:08.404181 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 47
    18:39:08.435766 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 163
    18:39:08.435850 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 163
    18:39:08.464089 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 326
    18:39:08.464168 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 326
    18:39:08.496523 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 85
    18:39:08.496586 IP 10.33.206.7.36922 > 10.33.252.61.3389: tcp 85


    [2.1.3-RELEASE][admin@pfSense.localdomain]/root(2): pfctl -sa
    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on em0 inet from 10.33.0.0/24 port = isakmp to any port = isakmp -> 10.33.206.44 port 500
    nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 10.33.206.44 port 500
    nat on em0 inet from 10.33.0.0/24 to any -> 10.33.206.44 port 1024:65535
    nat on em0 inet from 127.0.0.0/8 to any -> 10.33.206.44 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr-anchor "miniupnpd" all

    FILTER RULES:
    scrub on em0 all fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! em0 inet from 10.33.206.0/24 to any
    block drop in inet from 10.33.206.44 to any
    block drop in on em0 inet6 from fe80::a00:27ff:fef5:7fe4 to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (em0 10.33.206.1) inet from 10.33.206.44 to ! 10.33.206.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/*" all
    pass in log quick on em0 inet from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in log quick on em0 route-to (em0 10.33.206.1) inet all flags S/SA keep state label "USER_RULE"
    anchor "tftp-proxy/*" all
    No queue in use

    STATES:
    em0 icmp 10.33.206.44:57130 -> 10.33.206.1      0:0
    em0 tcp 10.33.206.44:22 <- 10.33.206.7:37205      ESTABLISHED:ESTABLISHED
    em0 udp 10.33.252.70:137 <- 10.33.206.7:137      NO_TRAFFIC:SINGLE
    em0 tcp 10.33.206.44:80 <- 10.33.206.7:37225      FIN_WAIT_2:FIN_WAIT_2
    em0 udp 10.33.252.70:53 <- 10.33.206.7:59587      NO_TRAFFIC:SINGLE
    em0 udp 10.33.252.70:53 <- 10.33.206.7:61506      NO_TRAFFIC:SINGLE
    em0 udp 10.33.252.70:53 <- 10.33.206.7:58050      NO_TRAFFIC:SINGLE
    em0 udp 10.33.252.70:53 <- 10.33.206.7:55338      NO_TRAFFIC:SINGLE
    em0 tcp 10.33.252.68:80 <- 10.33.206.7:37231      CLOSED:SYN_SENT
    lo0 udp 127.0.0.1:36412 -> 127.0.0.1:53      MULTIPLE:SINGLE
    lo0 udp 127.0.0.1:53 <- 127.0.0.1:36412      SINGLE:MULTIPLE
    lo0 udp 127.0.0.1:33084 -> 127.0.0.1:53      MULTIPLE:SINGLE
    lo0 udp 127.0.0.1:53 <- 127.0.0.1:33084      SINGLE:MULTIPLE
    lo0 udp 127.0.0.1:13503 -> 127.0.0.1:53      MULTIPLE:SINGLE
    lo0 udp 127.0.0.1:53 <- 127.0.0.1:13503      SINGLE:MULTIPLE
    em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37232      TIME_WAIT:TIME_WAIT
    em0 tcp 10.33.18.13:58664 <- 10.33.206.7:37233      TIME_WAIT:TIME_WAIT
    em0 tcp 10.33.17.14:55208 <- 10.33.206.7:37234      TIME_WAIT:TIME_WAIT
    em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37235      CLOSED:SYN_SENT
    em0 tcp 10.33.18.13:58664 <- 10.33.206.7:37236      TIME_WAIT:TIME_WAIT
    em0 tcp 10.33.17.14:55208 <- 10.33.206.7:37237      TIME_WAIT:TIME_WAIT
    em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37238      TIME_WAIT:TIME_WAIT
    em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37239      TIME_WAIT:TIME_WAIT
    em0 tcp 10.33.252.68:80 <- 10.33.206.7:37240      CLOSED:SYN_SENT
    em0 tcp 10.33.252.68:80 <- 10.33.206.7:37241      CLOSED:SYN_SENT
    em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37242      CLOSED:CLOSING
    em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37243      CLOSED:SYN_SENT
    em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37244      CLOSED:CLOSING
    em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37245      CLOSED:SYN_SENT
    em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37246      TIME_WAIT:TIME_WAIT
    em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37247      CLOSED:CLOSING
    em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37248      CLOSED:SYN_SENT
    em0 icmp 10.33.252.70:1 <- 10.33.206.7      0:0
    em0 tcp 10.33.252.70:3389 <- 10.33.206.7:37249      CLOSED:SYN_SENT
    em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37250      CLOSED:SYN_SENT
    em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37251      TIME_WAIT:TIME_WAIT
    em0 tcp 10.33.9.13:49155 <- 10.33.206.7:37252      TIME_WAIT:TIME_WAIT

    INFO:
    Status: Enabled for 0 days 00:02:07          Debug: Urgent

    Interface Stats for em0              IPv4            IPv6
      Bytes In                        9512583                0
      Bytes Out                        615880              292
      Packets In
        Passed                          18993                0
        Blocked                          2872                0
      Packets Out
        Passed                            1487                4
        Blocked                              0                0

    State Table                          Total            Rate
      current entries                      37
      searches                          23660          186.3/s
      inserts                              791            6.2/s
      removals                            754            5.9/s
    Counters
      match                              2476          19.5/s
      bad-offset                            0            0.0/s
      fragment                              0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                            0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                      1187            9.3/s
      state-insert                          0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                              0            0.0/s
      divert                                0            0.0/s

    LABEL COUNTERS:
    Default deny rule IPv4 2458 1685 604669 1685 604669 0 0
    Default deny rule IPv4 2458 0 0 0 0 0 0
    Default deny rule IPv6 2458 0 0 0 0 0 0
    Default deny rule IPv6 77 0 0 0 0 0 0
    Block snort2c hosts 2458 0 0 0 0 0 0
    Block snort2c hosts 2458 0 0 0 0 0 0
    sshlockout 2458 0 0 0 0 0 0
    webConfiguratorlockout 2174 0 0 0 0 0 0
    virusprot overload table 2381 0 0 0 0 0 0
    pass IPv4 loopback 2381 152 10312 76 5156 76 5156
    pass IPv4 loopback 153 0 0 0 0 0 0
    pass IPv6 loopback 152 0 0 0 0 0 0
    pass IPv6 loopback 76 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 2458 402 26312 201 13156 201 13156
    let out anything IPv6 from firewall host itself 77 0 0 0 0 0 0
    let out anything from firewall host itself 77 0 0 0 0 0 0
    anti-lockout rule 2458 816 570292 311 40533 505 529759
    NEGATE_ROUTE: Negate policy routing for destination 2448 0 0 0 0 0 0
    USER_RULE 2295 18044 7976191 17768 7931650 276 44541

    TIMEOUTS:
    tcp.first                  120s
    tcp.opening                  30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                  45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                    60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                  60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start                0 states
    adaptive.end                  0 states
    src.track                    0s

    LIMITS:
    states        hard limit    23000
    src-nodes    hard limit    23000
    frags        hard limit    5000
    tables        hard limit    3000
    table-entries hard limit  200000

    TABLES:
    bogons
    negate_networks
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout

    OS FINGERPRINTS:
    710 fingerprints loaded
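The `pfctl -sa` output above already contains the two symptoms a defender looks for when a single-interface firewall only sees one direction of each flow: a climbing `state-mismatch` counter (1187 here) and TCP states parked at `CLOSED:SYN_SENT`, which in pf means the firewall saw the client's SYN but never the server's SYN-ACK, so later packets on that flow fail the state check and are dropped. The script below is an added example, not code from the original thread or from the pfSense project: it parses the STATES and Counters sections of such output and flags that condition. The sample text is constructed to mirror the thread's output, and the threshold in `diagnose` (more half-open than established TCP states while `state-mismatch` is non-zero) is an assumption chosen for illustration.

```python
"""Read pf's `pfctl -sa` output for signs that the firewall sees only one
direction of each flow (added example; not from the original post)."""
import re
from collections import Counter

# Constructed sample, modelled on the STATES and Counters sections of the
# pfctl -sa output quoted in the thread (addresses are the thread's own).
SAMPLE = """\
STATES:
em0 tcp 10.33.206.44:22 <- 10.33.206.7:37205      ESTABLISHED:ESTABLISHED
em0 tcp 10.33.252.68:80 <- 10.33.206.7:37231      CLOSED:SYN_SENT
em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37248      CLOSED:SYN_SENT
em0 tcp 10.33.252.61:3389 <- 10.33.206.7:37232      TIME_WAIT:TIME_WAIT
em0 tcp 10.32.0.28:3128 <- 10.33.206.7:37243      CLOSED:SYN_SENT
em0 udp 10.33.252.70:53 <- 10.33.206.7:59587      NO_TRAFFIC:SINGLE
em0 icmp 10.33.252.70:1 <- 10.33.206.7      0:0

INFO:
Status: Enabled for 0 days 00:02:07          Debug: Urgent
Counters
  match                              2476          19.5/s
  state-mismatch                     1187           9.3/s
  state-insert                          0            0.0/s
"""

# pfctl prints a state as: <iface> <proto> <dst> <dir> <src> <dst_state>:<src_state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp|icmp)\s+(?P<left>\S+)\s+"
    r"(?P<dir><-|->|<->)\s+(?P<right>\S+)\s+(?P<states>\S+:\S+)$"
)
# Counter lines look like: "  state-mismatch   1187   9.3/s"
COUNTER_RE = re.compile(r"^\s*(?P<name>[a-z-]+)\s+(?P<value>\d+)\s+\S+/s$")


def parse_states(text):
    """Return one dict per state-table entry found in the STATES section."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def parse_counters(text):
    """Return the named packet counters (match, state-mismatch, ...) as ints."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def diagnose(text):
    """Summarise the TCP state table and the state-mismatch counter.

    A TCP state stuck at CLOSED:SYN_SENT means pf saw the client's SYN but
    never the server's SYN-ACK. When such states outnumber established ones
    and state-mismatch is non-zero (threshold is an assumption for this
    example), the reply path is bypassing the firewall.
    """
    tcp_states = Counter(e["states"] for e in parse_states(text) if e["proto"] == "tcp")
    half_open = tcp_states["CLOSED:SYN_SENT"]
    established = tcp_states["ESTABLISHED:ESTABLISHED"]
    mismatch = parse_counters(text).get("state-mismatch", 0)
    return {
        "tcp_states": dict(tcp_states),
        "half_open": half_open,
        "established": established,
        "state_mismatch": mismatch,
        "one_way_flows_suspected": mismatch > 0 and half_open > established,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

To use it on a live box, feed it the text of `pfctl -sa` (or `pfctl -ss` plus `pfctl -si`) instead of `SAMPLE`. The check is deliberately narrow: the only state the firewall itself terminates in the sample (the SSH session to 10.33.206.44) reaches `ESTABLISHED:ESTABLISHED`, while every forwarded TCP flow stays half-open, which is exactly the split one expects when the router returns traffic straight to the hosts.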



  • Why do you need the Cisco on the same network? Better change 10.33.206.1 to 10.33.205.1, and connect the Cisco to the WAN port of the pfSense server.

