Firewall / NAT / wrong interface



  • Hello Forum,
    I am still very new to pfSense, so please take it easy.. I am currently struggling to understand an issue I am being faced with and I am not sure whether it is firewall or NAT or anything else, thus my posting under the "General Questions" section. Mods: Please feel free to move somewhere more appropriate. Thanks.

    Let me start by describing how I currently understand my setup:
    Internet <--> ISP <--> ADSL modem <--> pfSense <--> LAN

    The ADSL modem and the pfSense WAN interface [assigned to PPTP0(rl0)] are connected through PPTP as follows: WAN remote IP: 10.0.0.138, WAN local IP: 10.0.0.2.
    The connection from the ADSL modem to my ISP is negotiated through PPPoA - that's the modem's responsibility though. As a result of this the pfSense WAN interface (I guess through DHCP) receives the public IP address aaa.bbb.ccc.23 with a gateway address of aaa.bbb.ddd.1 and a subnet mask of 255.255.255.255 plus two DNS servers assigned from my ISP. The pfSense DNS forwarder prepends 127.0.0.1 to those two ISP provided DNS servers.

    For access to the modem I additionally had to add a MODEM interface [assigned to rl0] which is at 10.0.0.1. In order to be able to get through to the modem, I also had to add the first three Outbound NAT rules after disabling the automatic outbound NAT rule generation; the last three rules were automatically created after switching to Manual Outbound NAT rule generation; furthermore I have deleted the auto-generated rules for 10.0.0.0/24 as I didn't want to allow internet access from 10.0.0.0/24. The currently active Outbound NAT rules are therefore as follows:

    ```
    source: 192.168.19.0/24, src port: *, destination: 10.0.0.138/32, dst port: *,   NAT address: MODEM address, NAT port: *,          Static Port: NO
    source: 10.0.0.1/32,     src port: *, destination: 10.0.0.138/32, dst port: *,   NAT address: NO NAT,        NAT port: *,          Static Port: NO
    source: 127.0.0.0/8,     src port: *, destination: 10.0.0.138/32, dst port: *,   NAT address: MODEM address, NAT port: *,          Static Port: NO
    source: 192.168.19.0/24, src port: *, destination: *,             dst port: 500, NAT address: WAN address,   NAT port: *,          Static Port: YES
    source: 192.168.19.0/24, src port: *, destination: *,             dst port: *,   NAT address: WAN address,   NAT port: *,          Static Port: NO
    source: 127.0.0.0/8,     src port: *, destination: *,             dst port: *,   NAT address: WAN address,   NAT port: 1024:65535, Static Port: NO
    ```

    The firewall rules for the **WAN interface** - over and above the standard "Block bogon networks" rule - are as follows (NOTE: The final rule with **RFC_1918** referring to an alias: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 127.0.0.0/8 was required as I had to disable the standard "Block private networks" rule to be able to make the first three rules work; the **modem** entry for Gateway refers to an additional gateway defined under System->Routing->Gateways and refers to 10.0.0.2):

    ```
    Proto: IPv4 UDP,  Source: 10.0.0.138, Port: *, Destination: 10.0.0.0/24, Port: 123 (NTP), Gateway: modem, Queue: none, Schedule
    Proto: IPv4 ICMP, Source: 10.0.0.138, Port: *, Destination: 10.0.0.0/24, Port: *,         Gateway: modem, Queue: none, Schedule
    Proto: IPv4 UDP,  Source: 10.0.0.138, Port: *, Destination: 10.0.0.0/24, Port: 123 (NTP), Gateway: modem, Queue: none, Schedule
    Proto: IPv4 *,    Source: RFC_1918,   Port: *, Destination: *,           Port: *,         Gateway: *,     Queue: none, Schedule
    ```


    For the other two interfaces (LAN and MODEM) both "Block private networks" and "Block bogon networks" are disabled.
    The LAN interface just has the standard autogenerated rules (Anti-Lockout rule, Default allow LAN to any rule for both IPv4 and IPv6).
    The MODEM interface has the following active rules:

    ```
    Proto: IPv4 UDP,  Source: 10.0.0.138, Port: *, Destination: 10.0.0.0/24, Port: 123 (NTP), Gateway: *, Queue: none, Schedule
    Proto: IPv4 ICMP, Source: 10.0.0.138, Port: *, Destination: 10.0.0.0/24, Port: *,         Gateway: *, Queue: none, Schedule
    ```

    All rules involving 10.0.0.138 as the source (the 2 pass rules on the **WAN interface** and the 2 pass rules on the **LAN interface**) have "Log packets" enabled.
    
    Now on to where I struggle to understand pfSense:
    1) When I ping 10.0.0.1 from the telnet-connected CLI of the modem (10.0.0.138) the "Status->System Logs->Firewall" menu entry logs a passed packet from 10.0.0.138 but attributes this packet to the WAN interface when, from my understanding, it should clearly originate from the MODEM interface.

    2) The same happens when the modem at 10.0.0.138 synchronizes with the pfSense NTP server at 10.0.0.1 - the System Logs entry again attributes the arriving UDP packet from 10.0.0.138 on port 123 to the WAN interface.
    
    Should I read this behaviour as meaning that the WAN interface is always involved (in that: every packet is routed through the WAN interface) even when it's only local traffic that does not (and is not intended to) go out to the internet through the WAN interface?
    I have also made the following test for ping: Without the pass rule on the WAN interface (i.e. those being disabled), the modem would not receive an echo reply. On the other hand, I am able to disable the rules under MODEM and the ping would still work (provided the rules for the WAN interface are still in place) indicating that the MODEM rules are not involved at all.
    
    I hope somebody is able to clear my confusion or tell me that my setup is completely screwed …
    
    Many thanks and regards Atom2
    
    P.S. I am more than happy to take on board any other comments regarding my setup as I am still pretty new to pfSense.
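As an added illustration that is not part of the post above, the following Python model encodes the Outbound NAT list and the WAN filter rules exactly as listed and evaluates them first-match, top down, the way pf and pfSense do. It lets one check which rule a given packet would hit (for example, that nothing translates 10.0.0.0/24 traffic bound for the internet once those auto rules are deleted, and that any 10.0.0.138 traffic other than NTP or ICMP falls through to the RFC_1918 block). The rule encoding, the helper names and the 203.0.113.9 sample address are constructed for the example.

```python
import ipaddress

# Constructed encoding of the post's Outbound NAT rules: (source, destination,
# destination port or None for "*", NAT address). pf evaluates these top down and
# the first matching rule wins.
OUTBOUND_NAT = [
    ("192.168.19.0/24", "10.0.0.138/32", None, "MODEM address"),
    ("10.0.0.1/32",     "10.0.0.138/32", None, "NO NAT"),
    ("127.0.0.0/8",     "10.0.0.138/32", None, "MODEM address"),
    ("192.168.19.0/24", "0.0.0.0/0",     500,  "WAN address"),
    ("192.168.19.0/24", "0.0.0.0/0",     None, "WAN address"),
    ("127.0.0.0/8",     "0.0.0.0/0",     None, "WAN address"),
]

# The RFC_1918 alias from the post, and the WAN filter rules as listed:
# (action, protocol or "*", source networks, destination networks, dst port or None).
RFC_1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
WAN_RULES = [
    ("pass",  "udp",  ["10.0.0.138/32"], ["10.0.0.0/24"], 123),
    ("pass",  "icmp", ["10.0.0.138/32"], ["10.0.0.0/24"], None),
    ("block", "*",    RFC_1918,          ["0.0.0.0/0"],   None),
]


def _in_any(addr, nets):
    """True when addr falls inside at least one of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def match_outbound_nat(src, dst, dport, rules=OUTBOUND_NAT):
    """NAT address of the first matching outbound rule, or None when no rule
    matches (the packet then leaves untranslated)."""
    for src_net, dst_net, port, target in rules:
        if _in_any(src, [src_net]) and _in_any(dst, [dst_net]) and port in (None, dport):
            return target
    return None


def filter_verdict(proto, src, dst, dport, rules=WAN_RULES):
    """'pass' or 'block' from the first matching filter rule; with no match the
    interface's implicit default deny applies, so the verdict is 'block'."""
    for action, rproto, srcs, dsts, port in rules:
        if rproto in ("*", proto) and _in_any(src, srcs) and _in_any(dst, dsts) \
                and port in (None, dport):
            return action
    return "block"
```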