Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    UDP forwarding not working 2.2.2

    Scheduled Pinned Locked Moved NAT
    12 Posts 3 Posters 2.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      Danonthelan
      last edited by

      I'm trying to port forward udp netflow traffic on port 9996 to a box on our local lan. I can see traffic coming in on the wan interface via tcpdump but none coming out the opt1 interface.

      The PFsense box is configured to route between our isp conection on vlan 3 to our office machines on vlan 2 (interface LAN, 10.1.0.0/24) and servers on vlan 4 (interface opt1, 10.0.0.0/24). This configuration has been working fine for our tcp forwarding, but not for this udp rule.

      The non-working rule is this:

      Interface: Wan
      Protocol: UDP
      Destination type: any
      Destination port range: 9996
      Redirect target IP: 10.0.0.10
      Redirect target port: (other) 9996
      NAT reflection:Use system default (system default set to Pure NAT)
      Filter rule association: Rule NAT

      We have a very similar rule using tcp that works just fine:

      Interface: Wan
      Protocol: TCP
      Destination type: any
      Destination port range: 20022
      Redirect target IP: 10.0.0.10
      Redirect target port: (other) 20022
      NAT reflection:Use system default (system default set to Pure NAT)
      Filter rule association: Rule NAT

      I read that pfsense has problems with UDP reflection, so I'm wondering whether this is even fixable on the current version.

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        What do you mean, "Destination type: any"??? What's not working? The reflection or the port forward? Testing from where?

        1 Reply Last reply Reply Quote 0
        • D
          Danonthelan
          last edited by

          I mean under the destination heading, the type dropdown box is set to any. Rule is in this screenshot. http://i.imgur.com/0NNB1pg.png

          What's not working is that traffic is coming in, and traffic is not coming out. I'm not sure if it's due to the reflection as I'm running this in a single nic setup, and the tcp forwards didn't start working until I enabled "Pure NAT" reflection.

          Therefore, I think the port forward is failing to work due to the reflection not working. I could be completely off base here, but that's just my working theory.

          1 Reply Last reply Reply Quote 0
          • D
            doktornotor Banned
            last edited by

            Yeah, that should be your WAN address, not any. We still do not know where are you testing from and whether the issue is with the port forward (access from WAN) or reflection (access from LAN using WAN IP). Even though I explicitly asked. Sigh.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              I can tell you for fact that udp forwarding works just fine with 2.2.2 since I have a box on my network as member of ntp pool, both ipv4 which is forwarded and ipv6 which is allowed.  And pool.ntp.org monitors the time on the server – if server is not available, or off by too much, etc.. then its pulled from the pool, so clearly its working - and I can watch all the udp queries to the time server from public and my server sending answers, etc.

              So is your issue with reflection or forwarding?

              Nat reflection is an abomination int he first place.. There is really never a valid reason to use it - its a crutch for lazy admins if you ask me ;)

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • D
                Danonthelan
                last edited by

                By doktornotor's definition, this would be a problem with port forwarding as I have traffic coming in from the wan, hitting the wan interface, and the packets are not being forwarded to our box on the lan. What I'm not sure of is whether all port forwarded packets count as being reflected since I'm running this with a single nic and routing between vlan interfaces on the pf box as seen in this diagram. http://i.imgur.com/POLPvDb.png

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  While that is a kind of mess and hairpinning like mad – its not a reflection..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • D
                    Danonthelan
                    last edited by

                    It's not exactly the prettiest setup, but with only one nic in the box we rigged up what we could. For some reason tcp works with this, but it seems there's something preventing udp from working correctly.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Yeah because a 2nd nic is so HIGH budget ;)  Could see how that sort of mess is worth it vs spending like $5 for a 100mbit nic or $10 for a gig nic…

                      So have you sniffed on the wan and see this udp traffic, and then on the lan interface of pfsense that it actually sent the traffic.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • D
                        Danonthelan
                        last edited by

                        I've sniffed the traffic on the wan interface and saw the udp traffic, then sniffed the lan interface and saw nothing.

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          So post up your rules and and your sniffs and lets take a look.

                          What I can tell you for FACT is udp forwards work just fine in 2.2.2 for me..

                          So you can see sniff on top is done on wan interface - simple
                          tcpdump -n -i em0 port 123

                          then second window in that screenshot is done on lan interface em1
                          tcpdump -n -i em1 port 123

                          As you can see the traffic that hits wan is sent to lan ip 192.168.9.40, then traffic back and then sent back to requestor from my 24.13.x.x public IP.

                          udpworking.png
                          udpworking.png_thumb
                          natandfwrule.png
                          natandfwrule.png_thumb

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • D
                            Danonthelan
                            last edited by

                            At around 4:00AM Thursday something happened to the configuration and now I'm seeing an even weirder issue. I cranked up the amount of diffs to keep in config history, but it's a bit late for that. The traffic is flowing from our remote host properly, but there are no rules anywhere for the port forward.

                            Nothing shows for pfctl -sn | grep 9996, pfctl -sr | grep 9996, or grep 9996 /cf/conf/config.xml, but here's the tcpdumps(w.x.y.z being remote ip and a.b.c.d being our WAN ip):

                            [2.2.2-RELEASE][admin@pfSense.localdomain]/root: tcpdump -i bge0_vlan3 dst port 9996
                            tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                            listening on bge0_vlan3, link-type EN10MB (Ethernet), capture size 65535 bytes
                            14:06:58.109928 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.110272 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.110768 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.110951 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.111289 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.111784 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.112125 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.112284 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.571766 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            14:06:58.572108 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
                            
                            [2.2.2-RELEASE][admin@pfSense.localdomain]/root: tcpdump -i bge0_vlan4 dst port 9996
                            tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                            listening on bge0_vlan4, link-type EN10MB (Ethernet), capture size 65535 bytes
                            14:07:03.110049 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            14:07:03.110200 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            14:07:03.110541 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            14:07:03.110723 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            14:07:03.111061 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            14:07:03.111402 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            14:07:03.111559 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            14:07:03.111898 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            14:07:03.112237 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
                            
                            

                            Here are the states for the port:

                            bge0_vlan3 udp 10.0.0.10:9996 (a.b.c.d:9996) <- w.x.y.z:37625       NO_TRAFFIC:SINGLE
                            bge0_vlan4 udp w.x.y.z:37625 -> 10.0.0.10:9996       SINGLE:NO_TRAFFIC
                            

                            It's "working" now, but if the connection drops I don't think it will start back up again.

                            EDIT: Yeah, resetting states killed it. I re-added the rule with destination set to WAN address instead of any and it's working now. That's probably all it was.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.