Tracerts not showing going through the firewall for some ip addresses



  • 2.2-RC (amd64)
    built on Sat Jan 10 03:54:06 CST 2015
    FreeBSD 10.1-RELEASE-p3

    Having difficulty getting onto dailymail.co.uk and theguardian.com in the last few days, very intermittent, yet no problem through various proxy services, and sites like http://www.isup.me/ and http://www.isitdownrightnow.com/ report it's all up, so I must be having some sort of intermittent DNS issue, which seems odd.

    I do a tracert from the Win7 workstation but I get Request Timed Out from the 1st entry onwards for dailymail & the guardian; I don't see the tracert reporting it's going through the pfSense firewall like it should do, and I don't see the 2nd hop being my public IP address (logs below).

    I've checked the various W7 files in %SystemRoot%\System32\Drivers\Etc and there are no entries, it's all default. I mention this as it's one place you can add a hostname & IP address to reroute to, e.g. to get google to loopback and fail I'd add the line below into one of those files.

    www.google.co.uk 127.0.0.1

    However, when I do a tracert to any other website which I can access, like google.co.uk, www.mumsnet.co.uk or pfsense.org, I can tracert them and these all show the 1st hop going through the pfSense firewall and the 2nd hop being my internet IP address, as expected.
    The same is seen on Ubuntu 14.04 and another Win7 machine which has never surfed the net.

    Everything is standard in pfsense other than adding snort, and 2 port forwards for email on 25 & 465, and logging increased to the max number of entries allowed, all fw rules set to log including default rules.

    ISP reports no problems.

    The biggest mystery for me is why the tracert does not even show the 1st and 2nd hop being my firewall and then my public IP address.

    Is it possible I have something wrong with pfsense or is this something else at fault?

    TIA.

    [dailymail dnsentry1_ipaddress.txt](/public/imported_attachments/1/dailymail dnsentry1_ipaddress.txt)
    dailymail.txt
    [dailymail dnsentry2_ipaddress.txt](/public/imported_attachments/1/dailymail dnsentry2_ipaddress.txt)
    google.co.uk.txt
    mumsnet.txt
    theguardian.txt


  • LAYER 8 Global Moderator

    so you're saying first hop shows up on other sites.. ie

    C:\>tracert -d www.pfsense.org

    Tracing route to www.pfsense.org [208.123.73.69]
    over a maximum of 30 hops:

    1    <1 ms    <1 ms    <1 ms  192.168.1.253
      2    9 ms    9 ms    9 ms  24.13.snipped - isp gateway
      3    9 ms    9 ms    9 ms  68.85.180.133

    Can you post an example of what you're seeing..  And where you're trying to go resolves correctly?

    C:\>tracert -d dailymail.co.uk

    Tracing route to dailymail.co.uk [195.234.240.212]
    over a maximum of 30 hops:

    1    <1 ms    <1 ms    <1 ms  192.168.1.253
      2    16 ms    8 ms    8 ms  24.13.snipped
      3    10 ms    9 ms    9 ms  68.85.180.133
      4    14 ms    11 ms    11 ms  68.87.230.149

    edit:  Just saw your attachments.

    What does your box show for routes.. route print

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.253    192.168.1.100    10
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          192.168.1.0    255.255.255.0        On-link    192.168.1.100    266
        192.168.1.100  255.255.255.255        On-link    192.168.1.100    266
        192.168.1.255  255.255.255.255        On-link    192.168.1.100    266
          192.168.2.0    255.255.255.0    192.168.1.253    192.168.1.100    11
          192.168.3.0    255.255.255.0    192.168.1.253    192.168.1.100    11
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    192.168.1.100    266
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    192.168.1.100    266

    You don't show anything for that network you're trying to get to - and your default just points to pfsense..  I would think something on the host is blocking access, security software?  I would do a simple sniff to see where it is sending that first hop when you do the trace.



  • What does your box show for routes.. route print

    Side note, would be nice if the forum software could let us use [q] & [/q] instead of .[.q.u.o.t.e.]. & .[./.q.u.o.t.e.]., in a similar way tinyurls are handy.

    Microsoft Windows [Version 6.1.7601]
    Copyright © 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\admin>route

    Manipulates network routing tables.

    ROUTE [-f] [-p] [-4|-6] command [destination]
                      [MASK netmask]  [gateway] [METRIC metric]  [IF interface]

    -f          Clears the routing tables of all gateway entries.  If this is
                  used in conjunction with one of the commands, the tables are
                  cleared prior to running the command.

    -p          When used with the ADD command, makes a route persistent across
                  boots of the system. By default, routes are not preserved
                  when the system is restarted. Ignored for all other commands,
                  which always affect the appropriate persistent routes. This
                  option is not supported in Windows 95.

    -4          Force using IPv4.

    -6          Force using IPv6.

    command      One of these:
                    PRINT    Prints  a route
                    ADD      Adds    a route
                    DELETE    Deletes a route
                    CHANGE    Modifies an existing route
      destination  Specifies the host.
      MASK        Specifies that the next parameter is the 'netmask' value.
      netmask      Specifies a subnet mask value for this route entry.
                  If not specified, it defaults to 255.255.255.255.
      gateway      Specifies gateway.
      interface    the interface number for the specified route.
      METRIC      specifies the metric, ie. cost for the destination.

    All symbolic names used for destination are looked up in the network database
    file NETWORKS. The symbolic names for gateway are looked up in the host name
    database file HOSTS.

    If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
    (wildcard is specified as a star '*'), or the gateway argument may be omitted.

    If Dest contains a * or ?, it is treated as a shell pattern, and only
    matching destination routes are printed. The '*' matches any string,
    and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, 224.*

    Pattern match is only allowed in PRINT command.
    Diagnostic Notes:
        Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
        Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
                The route addition failed: The specified mask parameter is invalid.
    (Destination & Mask) != Destination.

    Examples:

    > route PRINT
        > route PRINT -4
        > route PRINT -6
        > route PRINT 157*          …. Only prints those matching 157*

    > route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
                destination^      ^mask      ^gateway    metric^    ^
                                                            Interface^
          If IF is not given, it tries to find the best interface for a given
          gateway.
        > route ADD 3ffe::/32 3ffe::1

    > route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

    CHANGE is used to modify gateway and/or metric only.

    > route DELETE 157.0.0.0
        > route DELETE 3ffe::/32

    C:\Users\admin>route print

    Interface List
    13...xx xx xx xx xx xx ......Intel(R) WiFi Link 5300 AGN probably sensible.
    10...xx xx xx xx xx xx ......Intel(R) 82567LM Gigabit Network Connection probably sensible.
      1...........................Software Loopback Interface 1
    11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.10.1    192.168.10.21    20
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        192.168.10.0    255.255.255.0        On-link    192.168.10.21    276
        192.168.10.21  255.255.255.255        On-link    192.168.10.21    276
      192.168.10.255  255.255.255.255        On-link    192.168.10.21    276
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    192.168.10.21    276
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    192.168.10.21    276

    Persistent Routes:
      None

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
    12    58 ::/0                    On-link
      1    306 ::1/128                  On-link
    12    58 2001::/32                On-link
    12    306 2001:0:5ef5:79fd:38ac:1c08:3f57:f5ea/128
                                        On-link
    12    306 fe80::/64                On-link
    12    306 fe80::38ac:1c08:3f57:f5ea/128
                                        On-link
      1    306 ff00::/8                On-link
    12    306 ff00::/8                On-link

    Persistent Routes:
      None

    C:\Users\admin>

    pfsense, Diagnostics, Routes.

    IPv4
    default 89.243.216.1 UGS 49442 1492 pppoe0
    78.151.235.4 89.243.216.1 UGHS 2070 1492 pppoe0
    78.151.235.131 89.243.216.1 UGHS 1975 1492 pppoe0
    89.243.216.1 link#7 UH 60032 1492 pppoe0
    89.243.217.224 link#7 UHS 0 16384 lo0
    127.0.0.1 link#4 UH 82 16384 lo0
    192.168.10.0/24 link#1 U 314720 1500 em0
    192.168.10.1 link#1 UHS 0 16384 lo0

    IPv6
    ::1 link#4 UH 0 16384 lo0
    fe80::%em0/64 link#1 U 0 1500 em0
    fe80::eea8:6bff:fef4:c775%em0 link#1 UHS 0 16384 lo0
    fe80::%lo0/64 link#4 U 0 16384 lo0
    fe80::1%lo0 link#4 UHS 0 16384 lo0
    fe80::%ue0/64 link#6 U 0 1500 ue0
    fe80::8eae:4cff:fefe:3a4b%ue0 link#6 UHS 0 16384 lo0
    fe80::%pppoe0/64 link#7 U 0 1492 pppoe0
    fe80::eea8:6bff:fef4:c775%pppoe0 link#7 UHS 0 16384 lo0
    ff01::%em0/32 fe80::eea8:6bff:fef4:c775%em0 U 0 1500 em0
    ff01::%lo0/32 ::1 U 0 16384 lo0
    ff01::%ue0/32 fe80::8eae:4cff:fefe:3a4b%ue0 U 0 1500 ue0
    ff01::%pppoe0/32 fe80::eea8:6bff:fef4:c775%pppoe0 U 0 1492 pppoe0
    ff02::%em0/32 fe80::eea8:6bff:fef4:c775%em0 U 0 1500 em0
    ff02::%lo0/32 ::1 U 0 16384 lo0
    ff02::%ue0/32 fe80::8eae:4cff:fefe:3a4b%ue0 U 0 1500 ue0
    ff02::%pppoe0/32 fe80::eea8:6bff:fef4:c775%pppoe0 U 0 1492 pppoe0

    I also did the old guardian domain (guardian.co.uk) as they changed over to theguardian.com a while back, to see if any differences showed up.

    Hop 4 for the guardian tracerts is where I start to see the difference for 3 of the routes, but the main www.theguardian.com times out all together.

    I don't know if it's connected, but I'm also seeing snort blocks in the firewall log, but not seeing it in the snort alerts or snort blocks. I'm just checking for other instances atm to see what else I can find.

    Edit.

    It's looking like it's snort blocking this, but I'm double checking the block offenders settings as I only have this on the WAN to block the source, nothing should be blocking on the LAN going out.

    dailymail.co.uk_d.txt
    guardian.co.uk_d.txt
    theguardian.com_d.txt
    www.dailymail.co.uk_d.txt
    www.guardian.co.uk_d.txt
    www.pfsense.org_d.txt
    www.theguardian.com_d.txt


  • LAYER 8 Global Moderator

    "I'm also seeing snort blocks in the firewall log"

    You really should have mentioned you are running snort!  This is not a default setup - disable snort and your problem will go away most likely!..  And as to [ q ] and [ / q ]

    test of [ q ] and [ / q ] spaces removed of course

    [q]test[/q]

    Yeah that is odd.. guess have to use [ quote ]

    edit:  Maybe it's just me.. But I don't understand why people don't clean up this nonsense..

    11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2

    Are you using those??  Unless you have a specific use of IPv6, just disable it and those go away.. Or you can remove them with netsh -- notice how much nicer your ipconfig /all looks ;)

    C:\>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : i5-w7
      Primary Dns Suffix  . . . . . . . : local.lan
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : local.lan

    Ethernet adapter Local:

    Connection-specific DNS Suffix  . : local.lan
      Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
      Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : Thursday, January 01, 2015 12:45:57 PM
      Lease Expires . . . . . . . . . . : Sunday, January 11, 2015 9:45:57 AM
      Default Gateway . . . . . . . . . : 192.168.1.253
      DHCP Server . . . . . . . . . . . : 192.168.1.253
      DNS Servers . . . . . . . . . . . : 192.168.1.253
      NetBIOS over Tcpip. . . . . . . . : Disabled

    C:\>



  • You really should have mentioned you are running snort!  This is not a default setup - disable snort and your problem will go away most likely!

    I did put the text below, 4th from the bottom line in the first post, but I'm guilty of skipping lines myself.

    "Everything is standard in pfsense other than adding snort, and 2 port forwards for email on 25 & 465, and logging increased to the max number of entries allowed, all fw rules set to log including default rules. "

    This is what I have discovered. I had (hold my hands up to this one) a track by_dst, ip 1.2.3.4 on one of the http_inspects which caused it. But the different handling I was seeing in tracert threw me, and was due to some use of canonical names in the DNS. I could not work out why an akamai.net IP address was being blocked whenever I tried to access the dailymail, but they are using canonical names to get some of the content provided.

    What this exercise has exposed to me is a need to find a better way to keep the IP addresses snort blocks/allows more up to date with domain names.

    Does anyone know of a way to keep track of DNS entries which can be used to update snort?

    On the IPv6 point, I don't normally use IPv6, but I do have to test some stuff to make sure it works over IPv6. There's only so much you can gain from using a VM before you need to test on physical hardware as the CPUs can behave differently with VMs running, but thanks for the heads up budman!  ;)
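    Added example for the question above about keeping Snort's blocked/allowed addresses lined up with domain names (this is not Snort's or pfSense's own code). It follows a CNAME chain of the kind described with the akamai content, then cross-references the resulting addresses against a block table in the one-address-per-line shape of `pfctl -t snort2c -T show` on pfSense, so a blocked address can be traced back to the site that uses it. The DNS records, host names and block table below are constructed samples, not real data.

```python
import ipaddress

# Constructed sample zone data (not real records): name -> (rtype, values).
# The two-step CNAME chain mimics the akamai-style indirection described above.
SAMPLE_RECORDS = {
    "www.dailymail.co.uk.": ("CNAME", ["www.dailymail.co.uk.edgesuite.net."]),
    "www.dailymail.co.uk.edgesuite.net.": ("CNAME", ["a1.example.akamai.net."]),
    "a1.example.akamai.net.": ("A", ["203.0.113.10", "203.0.113.11"]),
    "www.pfsense.org.": ("A", ["198.51.100.7"]),
}

# Constructed sample of a Snort block table, one address per line
# (the shape of `pfctl -t snort2c -T show` output; the values are made up).
SAMPLE_BLOCK_TABLE = """
# blocked by snort
203.0.113.11
192.0.2.44
"""

def resolve(name, records, max_depth=8):
    """Follow CNAMEs to the A records; return (names visited, addresses)."""
    # A name seen twice means a CNAME loop; max_depth bounds long chains.
    chain = []
    name = name if name.endswith(".") else name + "."
    for _ in range(max_depth):
        if name in chain:
            raise ValueError("CNAME loop at %s" % name)
        chain.append(name)
        rtype, values = records.get(name, (None, []))
        if rtype != "CNAME":
            return chain, [ipaddress.ip_address(v) for v in values]
        name = values[0]
    raise ValueError("CNAME chain longer than %d" % max_depth)

def parse_block_table(text):
    """Parse one-address-per-line table output, skipping blanks and comments."""
    blocked = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            blocked.add(ipaddress.ip_address(line))
    return blocked

def explain_blocks(domains, records, blocked):
    """Map each blocked address to the domain(s) whose CNAME chain ends on it."""
    hits = {}
    for domain in domains:
        chain, addrs = resolve(domain, records)
        for addr in addrs:
            if addr in blocked:
                hits.setdefault(str(addr), []).append(" -> ".join(chain))
    return hits
```

    To use it on a live box, replace SAMPLE_RECORDS with the output of a real resolver (one that returns the CNAME answers, not just the final A record) and feed it the current table from pfctl; the same approach works for checking a pass list before it is loaded.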


  • Rebel Alliance Developer Netgate


  • LAYER 8 Global Moderator

    Oh I see it now ;)

    "other than adding snort"

    Yeah that should be BOLD and first line.. Like

    So pfsense using snort… would be how the post starts ;)

    As to IPv6 I agree, I use it now and then for testing..  So as you saw in my ipconfig no IPv6, click and then IPv6, but still no nonsense teredo, 6to4, isatap IPv6 conversion stuff..  Why would anyone need so many ways to get to IPv6 from IPv4?  Let them pick the one they want and install it..  You would have thought they learned their lesson many times over about protocols being enabled out of the box that can cause problems and security concerns by now ;)




  • I did notice when snort blocks, the tracert times out on hop 1, but if snort is not blocking I can see the firewall on hop 1. But I'm not on multi-WAN, just a single WAN.

    If I can set up a multi-WAN sometime, I'll find out how the behaviour changes with snort blocks.

    Might be worth having a packet sniff to see what the packets are doing, to get a better idea of what's going on.

    On the point of https://redmine.pfsense.org/issues/932, I did find the inconsistent behaviour threw me, when I couldn't explain why I couldn't see pfSense at all in some tracerts.

    As to whether it's a bug or feature, that's a difficult question!  :D

    I see pros and cons.

    Thanks for the links though.



  • @johnpoz:

    Oh I see it now ;)

    "other than adding snort"

    Yeah that should be BOLD and first line.. Like

    So pfsense using snort… would be how the post starts ;)

    Guilty as charged on that one.

    As to IPv6 I agree, I use it now and then for testing..  So as you saw in my ipconfig no IPv6, click and then IPv6, but still no nonsense teredo, 6to4, isatap IPv6 conversion stuff..  Why would anyone need so many ways to get to IPv6 from IPv4?  Let them pick the one they want and install it..  You would have thought they learned their lesson many times over about protocols being enabled out of the box that can cause problems and security concerns by now ;)

    It's a balancing act between locking things down and providing the convenience of the OS experience. UPnP being one example, IE integrated into the OS as another, or in this case, default enabling new stuff they roll out to help test it on a wide range of HW, not to mention all the problems that can follow.

