Netgate Discussion Forum
Tracerts not showing going through the firewall for some ip addresses

Category: 2.2 Snapshot Feedback and Problems - RETIRED (9 posts, 3 posters)
firewalluser (posted Jan 11, 2015, 1:11 PM; last edited 1:16 PM)

    2.2-RC (amd64)
    built on Sat Jan 10 03:54:06 CST 2015
    FreeBSD 10.1-RELEASE-p3

    Having difficulty getting onto dailymail.co.uk and theguardian.com in the last few days, very intermittent, yet no problem through various proxy services, and sites like http://www.isup.me/ and http://www.isitdownrightnow.com/ report it's all up, so I must be having some sort of intermittent DNS issue, which seems odd.

    I do a tracert from the Win7 workstation but I get Request Timed Out from the 1st entry onwards for dailymail & the guardian. I don't see the tracert reporting it's going through the pfSense firewall like it should do, and I don't see the 2nd hop being my public IP address (logs below).

    I've checked the various W7 files in %SystemRoot%\System32\Drivers\Etc and there are no entries, it's all default. I mention this as it's one place you can add a hostname & IP address to reroute to; e.g. to get google to loop back and fail I'd add the line below into one of those files.

    www.google.co.uk 127.0.0.1

    However, when I do a tracert to any other website which I can access, like google.co.uk, www.mumsnet.co.uk or pfsense.org, I can tracert them and these all show the 1st hop going through the pfSense firewall and the 2nd hop being my internet IP address, as expected.
    The same is seen on ubuntu 14.04 and another win7 machine which has never surfed the net.

    Everything is standard in pfsense other than adding snort, and 2 port forwards for email on 25 & 465, and logging increased to the max number of entries allowed, all fw rules set to log including default rules.

    ISP reports no problems.

    The biggest mystery for me, is why the tracert does not even show the 1st and 2nd hop being my firewall and then public ip address.

    Is it possible I have something wrong with pfsense or is this something else at fault?

    TIA.

    [dailymail dnsentry1_ipaddress.txt](/public/imported_attachments/1/dailymail dnsentry1_ipaddress.txt)
    dailymail.txt
    [dailymail dnsentry2_ipaddress.txt](/public/imported_attachments/1/dailymail dnsentry2_ipaddress.txt)
    google.co.uk.txt
    mumsnet.txt
    theguardian.txt

    Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

    Asch Conformity, mainly the blind leading the blind.

johnpoz, LAYER 8 Global Moderator (posted Jan 11, 2015, 1:18 PM; last edited 1:22 PM)

      so you're saying first hop shows up on other sites.. ie

      C:\>tracert -d www.pfsense.org

      Tracing route to www.pfsense.org [208.123.73.69]
      over a maximum of 30 hops:

        1    <1 ms    <1 ms    <1 ms  192.168.1.253
        2     9 ms     9 ms     9 ms  24.13.snipped - isp gateway
        3     9 ms     9 ms     9 ms  68.85.180.133

      Can you post an example of what you're seeing..  And where you're trying to go resolves correctly?

      C:\>tracert -d dailymail.co.uk

      Tracing route to dailymail.co.uk [195.234.240.212]
      over a maximum of 30 hops:

        1    <1 ms    <1 ms    <1 ms  192.168.1.253
        2    16 ms     8 ms     8 ms  24.13.snipped
        3    10 ms     9 ms     9 ms  68.85.180.133
        4    14 ms    11 ms    11 ms  68.87.230.149

      edit:  Just saw your attachements.

      What does your box show for routes.. route print

      IPv4 Route Table

      Active Routes:
      Network Destination        Netmask          Gateway       Interface  Metric
                0.0.0.0          0.0.0.0    192.168.1.253    192.168.1.100      10
              127.0.0.0        255.0.0.0          On-link        127.0.0.1     306
              127.0.0.1  255.255.255.255          On-link        127.0.0.1     306
        127.255.255.255  255.255.255.255          On-link        127.0.0.1     306
            192.168.1.0    255.255.255.0          On-link    192.168.1.100     266
          192.168.1.100  255.255.255.255          On-link    192.168.1.100     266
          192.168.1.255  255.255.255.255          On-link    192.168.1.100     266
            192.168.2.0    255.255.255.0    192.168.1.253    192.168.1.100      11
            192.168.3.0    255.255.255.0    192.168.1.253    192.168.1.100      11
              224.0.0.0        240.0.0.0          On-link        127.0.0.1     306
              224.0.0.0        240.0.0.0          On-link    192.168.1.100     266
        255.255.255.255  255.255.255.255          On-link        127.0.0.1     306
        255.255.255.255  255.255.255.255          On-link    192.168.1.100     266

      You don't show anything for that network you're trying to get to - and your default just points to pfSense..  I would think something on the host is blocking access, security software?  I would do a simple sniff to see where it is sending that first hop when you do the trace.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

firewalluser (posted Jan 11, 2015, 2:10 PM; last edited 2:27 PM)

        > What does your box show for routes.. route print

        Side note: it would be nice if the forum software could let us use [q] & [/q] instead of .[.q.u.o.t.e.]. & .[./.q.u.o.t.e.]., in a similar way to how tinyurls are handy.

        Microsoft Windows [Version 6.1.7601]
        Copyright © 2009 Microsoft Corporation.  All rights reserved.

        C:\Users\admin>route

        Manipulates network routing tables.

        ROUTE [-f] [-p] [-4|-6] command [destination]
                          [MASK netmask]  [gateway] [METRIC metric]  [IF interface]

        -f          Clears the routing tables of all gateway entries.  If this is
                      used in conjunction with one of the commands, the tables are
                      cleared prior to running the command.

        -p          When used with the ADD command, makes a route persistent across
                      boots of the system. By default, routes are not preserved
                      when the system is restarted. Ignored for all other commands,
                      which always affect the appropriate persistent routes. This
                      option is not supported in Windows 95.

        -4          Force using IPv4.

        -6          Force using IPv6.

        command      One of these:
                        PRINT    Prints  a route
                        ADD      Adds    a route
                        DELETE    Deletes a route
                        CHANGE    Modifies an existing route
          destination  Specifies the host.
          MASK        Specifies that the next parameter is the 'netmask' value.
          netmask      Specifies a subnet mask value for this route entry.
                      If not specified, it defaults to 255.255.255.255.
          gateway      Specifies gateway.
          interface    the interface number for the specified route.
          METRIC      specifies the metric, ie. cost for the destination.

        All symbolic names used for destination are looked up in the network database
        file NETWORKS. The symbolic names for gateway are looked up in the host name
        database file HOSTS.

        If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
        (wildcard is specified as a star '*'), or the gateway argument may be omitted.

        If Dest contains a * or ?, it is treated as a shell pattern, and only
        matching destination routes are printed. The '*' matches any string,
        and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, 224*.

        Pattern match is only allowed in PRINT command.
        Diagnostic Notes:
            Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
            Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
                    The route addition failed: The specified mask parameter is invalid.
        (Destination & Mask) != Destination.

        Examples:

        > route PRINT
            > route PRINT -4
            > route PRINT -6
            > route PRINT 157*          …. Only prints those matching 157*

        > route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
                    destination^      ^mask      ^gateway    metric^    ^
                                                                Interface^
              If IF is not given, it tries to find the best interface for a given
              gateway.
            > route ADD 3ffe::/32 3ffe::1

        > route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

        CHANGE is used to modify gateway and/or metric only.

        > route DELETE 157.0.0.0
            > route DELETE 3ffe::/32

        C:\Users\admin>route print

        Interface List
        13...xx xx xx xx xx xx ......Intel(R) WiFi Link 5300 AGN probably sensible.
        10...xx xx xx xx xx xx ......Intel(R) 82567LM Gigabit Network Connection probably sensible.
          1...........................Software Loopback Interface 1
        11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
        12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
        14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2

        IPv4 Route Table

        Active Routes:
        Network Destination        Netmask          Gateway      Interface  Metric
                  0.0.0.0          0.0.0.0    192.168.10.1    192.168.10.21    20
                127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
          127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
            192.168.10.0    255.255.255.0        On-link    192.168.10.21    276
            192.168.10.21  255.255.255.255        On-link    192.168.10.21    276
          192.168.10.255  255.255.255.255        On-link    192.168.10.21    276
                224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                224.0.0.0        240.0.0.0        On-link    192.168.10.21    276
          255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          255.255.255.255  255.255.255.255        On-link    192.168.10.21    276

        Persistent Routes:
          None

        IPv6 Route Table

        Active Routes:
        If Metric Network Destination      Gateway
        12    58 ::/0                    On-link
          1    306 ::1/128                  On-link
        12    58 2001::/32                On-link
        12    306 2001:0:5ef5:79fd:38ac:1c08:3f57:f5ea/128
                                            On-link
        12    306 fe80::/64                On-link
        12    306 fe80::38ac:1c08:3f57:f5ea/128
                                            On-link
          1    306 ff00::/8                On-link
        12    306 ff00::/8                On-link

        Persistent Routes:
          None

        C:\Users\admin>

        pfSense, Diagnostics > Routes:

        IPv4
        Destination Gateway Flags Use Mtu Netif
        default 89.243.216.1 UGS 49442 1492 pppoe0
        78.151.235.4 89.243.216.1 UGHS 2070 1492 pppoe0
        78.151.235.131 89.243.216.1 UGHS 1975 1492 pppoe0
        89.243.216.1 link#7 UH 60032 1492 pppoe0
        89.243.217.224 link#7 UHS 0 16384 lo0
        127.0.0.1 link#4 UH 82 16384 lo0
        192.168.10.0/24 link#1 U 314720 1500 em0
        192.168.10.1 link#1 UHS 0 16384 lo0

        IPv6
        Destination Gateway Flags Use Mtu Netif
        ::1 link#4 UH 0 16384 lo0
        fe80::%em0/64 link#1 U 0 1500 em0
        fe80::eea8:6bff:fef4:c775%em0 link#1 UHS 0 16384 lo0
        fe80::%lo0/64 link#4 U 0 16384 lo0
        fe80::1%lo0 link#4 UHS 0 16384 lo0
        fe80::%ue0/64 link#6 U 0 1500 ue0
        fe80::8eae:4cff:fefe:3a4b%ue0 link#6 UHS 0 16384 lo0
        fe80::%pppoe0/64 link#7 U 0 1492 pppoe0
        fe80::eea8:6bff:fef4:c775%pppoe0 link#7 UHS 0 16384 lo0
        ff01::%em0/32 fe80::eea8:6bff:fef4:c775%em0 U 0 1500 em0
        ff01::%lo0/32 ::1 U 0 16384 lo0
        ff01::%ue0/32 fe80::8eae:4cff:fefe:3a4b%ue0 U 0 1500 ue0
        ff01::%pppoe0/32 fe80::eea8:6bff:fef4:c775%pppoe0 U 0 1492 pppoe0
        ff02::%em0/32 fe80::eea8:6bff:fef4:c775%em0 U 0 1500 em0
        ff02::%lo0/32 ::1 U 0 16384 lo0
        ff02::%ue0/32 fe80::8eae:4cff:fefe:3a4b%ue0 U 0 1500 ue0
        ff02::%pppoe0/32 fe80::eea8:6bff:fef4:c775%pppoe0 U 0 1492 pppoe0

        I also did the old guardian domain (guardian.co.uk) as they changed over to theguardian.com a while back, to see if any differences showed up.

        Hop 4 for the guardian tracerts is where I start to see the difference for 3 of the routes, but the main www.theguardian.com times out all together.

        I don't know if it's connected, but I'm also seeing Snort blocks in the firewall log, but not seeing them in the Snort alerts or Snort blocks. I'm just checking for other instances atm to see what else I can find.

        Edit.

        It's looking like it's Snort blocking this, but I'm double checking the block offenders settings, as I only have this on the WAN to block the source; nothing should be blocking on the LAN going out.

        dailymail.co.uk_d.txt
        guardian.co.uk_d.txt
        theguardian.com_d.txt
        www.dailymail.co.uk_d.txt
        www.guardian.co.uk_d.txt
        www.pfsense.org_d.txt
        www.theguardian.com_d.txt

johnpoz, LAYER 8 Global Moderator (posted Jan 11, 2015, 2:31 PM; last edited 2:35 PM)

          > I'm also seeing snort blocks in the firewall log

          You really should have mentioned you are running Snort!  This is not a default setup - disable Snort and your problem will go away, most likely!..  And as to [ q ] and [ / q ]

          test of [ q ] and [ / q ] spaces removed of course

          [q]test[/q]

          Yeah that is odd.. guess have to use [ quote ]

          edit:  Maybe it's just me.. But I don't understand why people don't clean up this nonsense..

          11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
          12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
          14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2

          Are you using those??  Unless you have a specific use for IPv6, just disable it and those go away.. Or you can remove them with netsh -- notice how much nicer your ipconfig /all looks ;)

          C:\>ipconfig /all

          Windows IP Configuration

             Host Name . . . . . . . . . . . . : i5-w7
             Primary Dns Suffix  . . . . . . . : local.lan
             Node Type . . . . . . . . . . . . : Hybrid
             IP Routing Enabled. . . . . . . . : No
             WINS Proxy Enabled. . . . . . . . : No
             DNS Suffix Search List. . . . . . : local.lan

          Ethernet adapter Local:

             Connection-specific DNS Suffix  . : local.lan
             Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
             Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3
             DHCP Enabled. . . . . . . . . . . : Yes
             Autoconfiguration Enabled . . . . : Yes
             IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
             Subnet Mask . . . . . . . . . . . : 255.255.255.0
             Lease Obtained. . . . . . . . . . : Thursday, January 01, 2015 12:45:57 PM
             Lease Expires . . . . . . . . . . : Sunday, January 11, 2015 9:45:57 AM
             Default Gateway . . . . . . . . . : 192.168.1.253
             DHCP Server . . . . . . . . . . . : 192.168.1.253
             DNS Servers . . . . . . . . . . . : 192.168.1.253
             NetBIOS over Tcpip. . . . . . . . : Disabled

          C:\>

firewalluser (Jan 11, 2015, 3:20 PM)

            > You really Should of mentioned you are running snort!  This is not a default setup - disable snort and your problem will go away most likely!

            I did put the text below, 4th from the bottom line in the first post, but I'm guilty of skipping lines myself.

            "Everything is standard in pfsense other than adding snort, and 2 port forwards for email on 25 & 465, and logging increased to the max number of entries allowed, all fw rules set to log including default rules. "

            This is what I have discovered. I had (hold my hands up to this one) a track by_dst, ip 1.2.3.4 on one of the http_inspects which caused it. But the different handling I was seeing in tracert threw me, and was due to some use of canonical names in the DNS. I could not work out why an akamai.net IP address was being blocked whenever I tried to access the Daily Mail, but they are using canonical names to get some of the content provided.

            What this exercise has exposed to me is a need to find a better way to keep the ip addresses snort blocks/allows more up to date with domain names.

            Does anyone know of a way to keep track of dns entries which can be used to update snort?

            On the IPv6 point, I don't normally use IPv6, but I do have to test some stuff to make sure it works over IPv6. There's only so much you can gain from using a VM before you need to test on physical hardware, as the CPUs can behave differently with VMs running, but thanks for the heads up budman!  ;)

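For the question above about keeping Snort's block/pass addresses in step with DNS, here is an added example; it is not the poster's code and not part of pfSense or the Snort package. It resolves each site name, records the canonical (post-CNAME) name so a CDN host such as the akamai.net one mentioned above is visible rather than surprising, emits a deduplicated address list in the one-address-per-line shape a pass list or alias can take, and diffs it against the previous run so a scheduled job only rebuilds when something changed. The hostnames, addresses and the stub resolver are constructed so the script runs offline; for live use pass socket.gethostbyname_ex (IPv4 only) or a dnspython query as the resolver, and run it against the same resolver the LAN clients use (here, pfSense), since CDN answers differ per resolver and change often.

```python
"""Resolve hostnames (following CNAME chains) into an address list for a Snort
pass list or pfSense alias, and diff it against the previous run.

Added example for this thread, not the poster's code and not part of pfSense
or Snort. FAKE_ZONE and fake_resolver are constructed stand-ins for live DNS.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Same return shape as socket.gethostbyname_ex(): (canonical name, aliases, addresses)
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]

# Constructed zone: one site that is a CNAME into a CDN, one that is not.
FAKE_ZONE: Dict[str, Tuple[str, List[str], List[str]]] = {
    "www.example-news.test": (
        "e1234.dscb.akamaiedge.test",        # canonical name differs: CNAME chain
        ["www.example-news.test"],
        ["203.0.113.11", "203.0.113.10"],
    ),
    "www.pfsense.org": ("www.pfsense.org", [], ["198.51.100.5"]),  # constructed address
}


def fake_resolver(name: str) -> Tuple[str, List[str], List[str]]:
    """Offline stand-in for socket.gethostbyname_ex(); fails the same way it does."""
    if name not in FAKE_ZONE:
        raise socket.gaierror(-2, f"constructed NXDOMAIN for {name}")
    return FAKE_ZONE[name]


def _ip_key(addr: str):
    """Sort key that keeps v4 and v6 addresses from being compared to each other."""
    ip = ipaddress.ip_address(addr)
    return (ip.version, ip)


def collect_addresses(names: Iterable[str],
                      resolve: Resolver = socket.gethostbyname_ex) -> Dict[str, dict]:
    """Resolve each name; record its canonical name (None if no CNAME) and sorted addresses.

    Lookup failures are kept under 'error' instead of aborting, so one dead
    name cannot blank the whole list on the next scheduled run.
    """
    out: Dict[str, dict] = {}
    for name in names:
        try:
            canonical, _aliases, addrs = resolve(name)
        except (socket.gaierror, socket.herror) as exc:
            out[name] = {"cname": None, "addrs": [], "error": str(exc)}
            continue
        uniq = sorted({str(ipaddress.ip_address(a)) for a in addrs}, key=_ip_key)
        out[name] = {"cname": canonical if canonical != name else None,
                     "addrs": uniq, "error": None}
    return out


def render_pass_list(resolved: Dict[str, dict]) -> str:
    """One address per line, deduplicated across all names, numerically sorted."""
    pool = {a for entry in resolved.values() for a in entry["addrs"]}
    return "\n".join(sorted(pool, key=_ip_key))


def diff_lists(old: Iterable[str], new: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) so the caller can log churn and only reload when needed."""
    o, n = set(old), set(new)
    return sorted(n - o, key=_ip_key), sorted(o - n, key=_ip_key)


if __name__ == "__main__":
    names = ["www.example-news.test", "www.pfsense.org", "nx.example.test"]
    result = collect_addresses(names, fake_resolver)   # swap in socket.gethostbyname_ex for live DNS
    for name, entry in result.items():
        print(f"{name}: cname={entry['cname']} addrs={entry['addrs']} error={entry['error']}")
    print("--- pass list ---")
    print(render_pass_list(result))
    print("diff vs previous run:", diff_lists(["203.0.113.10"], render_pass_list(result).splitlines()))
```

Keep the previous run's output on disk and only touch the Snort/pf side when diff_lists reports a change; and remember that a pass list built this way is only as current as its last run, so a long interval will reproduce exactly the stale-address block described in this thread.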
jimp, Rebel Alliance Developer Netgate (Jan 11, 2015, 3:33 PM)

              FYI-
              https://doc.pfsense.org/index.php/Router_is_Missing_from_traceroute_Output

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

johnpoz, LAYER 8 Global Moderator (Jan 11, 2015, 3:53 PM)

                Oh I see it now ;)

                > other than adding snort

                Yeah that should be BOLD and first line.. Like

                So pfsense using snort… would be how the post starts ;)

                As to IPv6 I agree, I use it now and then for testing..  So as you saw in my ipconfig no IPv6, click and then IPv6, but still no nonsense Teredo, 6to4, ISATAP IPv6 conversion stuff..  Why would anyone need so many ways to get to IPv6 from IPv4?  Let them pick the one they want and install it..  You would have thought they'd learned their lesson many times over about protocols being enabled out of the box that can cause problems and security concerns by now ;)

                [attachment: ipv6.png]

firewalluser (Jan 11, 2015, 3:57 PM)

                  I did notice when Snort blocks, the tracert times out on hop 1, but if Snort is not blocking I can see the firewall on hop 1; but I'm not on multi-WAN, just a single WAN.

                  If I can setup a multi-wan sometime, I'll find out how the behaviour changes with snort blocks.

                  Might be worth having a packet sniff to see what the packets are doing to get a better idea of whats going on.

                  On the point of https://redmine.pfsense.org/issues/932, I did find the inconsistent behaviour threw me, when I couldn't explain why I couldn't see pfSense at all in some tracerts.

                  As to whether its a bug or feature, thats a difficult question!  :D

                  I see pros and cons.

                  Thanks for the links though.

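For the hop-1 symptom described in the post above (the firewall disappearing from the trace while Snort is blocking, present again when it is not), here is an added example, not the poster's or pfSense's code: a small parser for Windows tracert output that reports whether the first hop is the expected LAN gateway, so a "firewall missing from hop 1" trace can be flagged by a script rather than by eye when comparing several sites. The two traces embedded below are constructed, with documentation-range public addresses and the poster's 192.168.10.1 gateway; in practice feed it the text of tracert -d runs captured from the workstation.

```python
"""Parse Windows tracert output and check whether hop 1 is the LAN gateway.

Added example for this thread, not the poster's code and not part of pfSense.
GOOD_TRACE and BLOCKED_TRACE are constructed samples (documentation-range
addresses), mirroring the two behaviours described in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the normal case, first hop is the pfSense LAN address.
GOOD_TRACE = """\
Tracing route to www.pfsense.org [203.0.113.70]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2    16 ms     8 ms     8 ms  203.0.113.1
  3    10 ms     9 ms     9 ms  203.0.113.9

Trace complete.
"""

# Constructed: the symptom from the thread, every probe times out from hop 1.
BLOCKED_TRACE = """\
Tracing route to www.theguardian.com [203.0.113.50]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")          # "  3    10 ms ..." probe lines
RTT_RE = re.compile(r"(<?\d+)\s*ms|\*")               # "<1 ms", "9 ms" or "*"
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")  # trailing IPv4, with or without -d


@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]   # milliseconds; None where tracert printed '*'; "<1 ms" recorded as 0
    address: Optional[str]      # None when every probe timed out


def parse_tracert(text: str) -> List[Hop]:
    """Turn tracert output into Hop records, ignoring header and footer lines."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rest = int(m.group(1)), m.group(2)
        rtts: List[Optional[int]] = []
        for tok in RTT_RE.finditer(rest):
            if tok.group(0) == "*":
                rtts.append(None)
            else:
                raw = tok.group(1)
                rtts.append(0 if raw.startswith("<") else int(raw))
        if len(rtts) != 3:          # tracert sends three probes per hop; anything else is not a probe line
            continue
        addr = ADDR_RE.search(rest)
        hops.append(Hop(number, rtts, addr.group(1) if addr else None))
    return hops


def first_hop_status(hops: List[Hop], gateway: str) -> str:
    """Classify hop 1: 'ok', 'first-hop-missing', 'first-hop-unexpected' or 'no-hops'."""
    if not hops:
        return "no-hops"
    first = hops[0]
    if first.address is None:
        return "first-hop-missing"       # the thread's symptom: the firewall never answers
    if first.address != gateway:
        return "first-hop-unexpected"    # traffic is leaving via something other than pfSense
    return "ok"


def timed_out_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers where all three probes timed out, for a quick per-site summary."""
    return [h.number for h in hops if h.address is None]


if __name__ == "__main__":
    gateway = "192.168.10.1"   # the poster's pfSense LAN address
    for label, text in (("pfsense.org", GOOD_TRACE), ("theguardian.com", BLOCKED_TRACE)):
        hops = parse_tracert(text)
        print(f"{label}: {first_hop_status(hops, gateway)}; timed-out hops {timed_out_hops(hops)}")
```

Run the same check across every site in the complaint list: a mix of "ok" and "first-hop-missing" results with one and the same gateway is the pattern this thread ended up tracing to a Snort block on the firewall, whereas "first-hop-unexpected" on every site points at the host's own routing or security software instead.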
firewalluser (Jan 11, 2015, 4:22 PM)

                    @johnpoz:

                    > Oh I see it now ;)
                    >
                    > "other than adding snort"
                    >
                    > Yeah that should be BOLD and first line.. Like
                    >
                    > So pfsense using snort… would be how the post starts ;)

                    Guilty as charged on that one.

                    > As to ipv6 I agree, I use it now and then for testing..  So as you saw in my ipconfig no ipv6, click and then ipv6, but still no nonsene teredo, 6to4, isatap ipv6 conversion stuff..  Why would anyone need so many ways to get to ipv6 from ipv4?  Let them pick the one they want and install it..  You would of thought they learned their lesson many times over about protocols being enabled out of the box that can cause problems and security concerns by now ;)

                    It's a balancing act between locking things down and providing the convenience of the OS experience. UPnP being one example, IE integrated into the OS as another, or in this case, default enabling new stuff they roll out to help test it on a wide range of HW, not to mention all the problems that can follow.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.