Forwarded port being blocked by firewall from SPECIFIC IPs



  • Hello, I have a strange issue since the update from 2.2.2 -> 2.2.4 and it stayed on 2.2.5.

    I have an OpenVPN server running on the pfsense at home to access my network and browse with squidGuard using my Laptop (Work Wi-Fi) and phone (mobile data plan).
    I have set up a rule on the WAN interface to export port 1194 (OpenVPN), or rather: the wizard did it for me. It all worked on 2.2.2 just fine.

    Now I am seeing this behavior:
    Connecting with my Laptop or Phone from my Work connection, neighbor, brother (all hard lines, Unitymedia and 1&1) is no problem. The traffic is passed by the firewall.
    Connecting over my mobile data plan (Base, aka: E-Plus / O²) however gets the connection attempt BLOCKED from the "Default Deny rule IPv4" (System->Logs->Firewall->Dynamic told me that). I therefore assume that it's the IP that is at fault, since that is the only thing different, at least as far as the firewall is concerned.

    Firewall rule:
    ID Proto Source Port Destination Port Gateway Queue Schedule Description
    IPv4 UDP * * WAN address 1194 (OpenVPN) * none OpenVPN VPN - Remote LAN wizard

    Firewall Log (when blocked):
    Nov 9 16:28:38 filterlog: 9,16777216,,1000000103,re1,match,block,in,4,0x0,,43,32164,0,+,17,udp,1300,176.0.101.zzz,www.xxx.yyy.zzz,45000,1194,1312
    Nov 9 16:28:36 filterlog: 9,16777216,,1000000103,re1,match,block,in,4,0x0,,43,32163,0,+,17,udp,1300,176.0.101.zzz,www.xxx.yyy.zzz,45000,1194,1312
    Nov 9 16:28:34 filterlog: 9,16777216,,1000000103,re1,match,block,in,4,0x0,,43,32162,0,+,17,udp,1300,176.0.101.zzz,www.xxx.yyy.zzz,45000,1194,1312
    Nov 9 16:28:32 filterlog: 9,16777216,,1000000103,re1,match,block,in,4,0x0,,43,32161,0,+,17,udp,1300,176.0.101.zzz,www.xxx.yyy.zzz,45000,1194,1312
    (176.0.101.zzz = Mobile IP, www.xxx.yyy.zzz = WAN address)

    I don't understand this behavior. The firewall rule clearly states that it does not matter from which IP the request is made and it even works from hard lines and even partially from mobile data plans (1&1 mobile D-network works fine too).

    Any help will be appreciated.

    EDIT:
    I masked my WAN IP because it's static and therefore a unique identifier.

    EDIT2:
    WORK network, working: 217.187.yyy.zzz (1&1 land line)
    Alternate, working mobile IP: 109.44.2.zzz (1&1, mobile D-network)
    Alternate, not working mobile IP: 176.2.94.zzz (EPlus mobile, aka: Base / O²)

    FW Log of the connection attempt with IP 176.2.94.zzz (EPlus, aka: Base / O²):

    Nov 10 10:12:46 filterlog: 9,16777216,,1000000103,re1,match,block,in,4,0x0,,42,32132,0,+,17,udp,1300,176.2.94.zzz,www.xxx.yyy.zzz,44765,1194,1312
    Nov 10 10:12:45 filterlog: 9,16777216,,1000000103,re1,match,block,in,4,0x0,,42,32131,0,+,17,udp,1300,176.2.94.zzz,www.xxx.yyy.zzz,44765,1194,1312

    EDIT3:
    Apparently, the blocked IPs are from a network identified as a 'BOGON' network. (176.0.0.0/8)
    Could it be that my mobile data plan provider uses BOGON IPs? Or did the BOGON definition change and therefore should that network be removed from the blocked BOGON list of pfSense?
    The exhaust of IPv4 addresses causes a rapid decline of BOGON IPs anyway.

    Strike reason: Not a BOGON, not blocked because it's a BOGON.

    EDIT4:
    ~~It seems that pfSense either copied an old version of the BOGON definitions with 2.2.4, or that my Provider just began to use those IPs at roughly the same time I did the 2.2.4 upgrade.
    Anyways, the 176.0.0.0 /8 network was allocated by IANA to RIPE NCC (Europe):

    176/8 RIPE NCC 2010-05 whois.ripe.net https://rdap.db.ripe.net/ ALLOCATED

    which then assigned it to E-Plus with this range: 176.0.0.0 - 176.3.255.255

    So it's NOT a BOGON IP. (BOGON update frequency is weekly, and this issue persists over the last 2 weeks)~~
    Strike reason: Not a BOGON, not blocked because it's a BOGON.

    EDIT5:

    pfSense version:
    2.2.5-RELEASE (amd64)
    built on Wed Nov 04 15:49:37 CST 2015
    FreeBSD 10.1-RELEASE-p24

    Hardware info:
    CPU Type Intel(R) Atom(TM) CPU N550 @ 1.50GHz
    4 CPUs: 1 package(s) x 2 core(s) x 2 HTT threads


  • Banned

    Goddamnit, post a screenshot. No one's interested in deciphering the raw logs… Also, there's a feature that shows you which rule blocks the traffic. Use it.


  • LAYER 8 Global Moderator

    I looked in the bogon when I first saw this.. And it's not listed in bogon.. Check your pfsense bogon list..  But if that is what blocked it should say bogon vs default.

    http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

    At least not the 176.0 you listed – did you edit that??  176.101 is listed..

    I am with dok on the screenshot..  Would make it much easier to read, and would jump out if blocked on out of state vs Syn block, etc.



  • First of all, thank you for your replies.
    I am used to text formatted with tab-stops from mailing lists I guess. Sorry about that, here are the screenshots:
    (In the second case though I am not sure why a screenshot would be better, but you got it anyway.)



    I used
    ```
    pfctl -t bogons -T show
    ```
    (The second OpenVPN rule, on top, is deactivated, and was just there for testing this issue.)

  • Banned

    OMG why don't you set up the firewall logs display to some human readable format?! This shit ain't the default.



  • @doktornotor:

    OMG why don't you set up the firewall logs display to some human readable format?! This shit ain't the default.

    Ohhh yes it is. I updated this box from version I-don't-remember-anymore for years (4? 5? I think.) and didn't change anything in regards to the logging output.
    Oh and btw: A freshly set-up 2.2.4 and updated to 2.2.5 has the exact same output (I set it up for my brother a few weeks ago).

    Maybe you could enlighten me as to how one would change that output?


  • LAYER 8 Global Moderator

    So you have vpn port on 1194 forwarded into your lan or something? Why do you have 2 blocks there.. What is that block to, can not see what port?  Why do you have 2 rules for openvpn to the wan address, with 1 being disabled?  And then the bottom one enabled?

    That is a shit load of forwards.. Why would you have so many that are both tcp and udp..  Do you run a lot of different p2p clients?  Seems like a mess…  Also with dok, showing the logs in raw doesn't help vs your other text posting..  Just show them as normal, see my example attached..

    The allows on my wlan_psk are where my nest and harmony home go.. Like to keep an eye on their traffic and where they go and how often, etc..  So I log that traffic.  I also seem to see a lot of noise to telnet and ssh..  Stupid bots ;)

    edit you have it set for RAW, see my 2nd attachment..  Which is NOT the default that is for sure!!






  • @johnpoz:

    So you have vpn port on 1194 forwarded into your lan or something? Why do you have 2 blocks there.. What is that block to, can not see what port?  Why do you have 2 rules for openvpn to the wan address, with 1 being disabled?  And then the bottom one enabled?

    That is a shit load of forwards.. Why would you have so many that are both tcp and udp..  Do you run a lot of different p2p clients?  Seems like a mess…  Also with dok, showing the logs in raw doesn't help vs your other text posting..  Just show them as normal, see my example attached..

    The allows on my wlan_psk are where my nest and harmony home go.. Like to keep an eye on their traffic and where they go and how often, etc..  So I log that traffic.  I also seem to see a lot of noise to telnet and ssh..  Stupid bots ;)

    edit you have it set for RAW, see my 2nd attachment..  Which is NOT the default that is for sure!!

    Those are for a bunch of custom p2p clients, written in java. They are needed and haven't changed in… well.. 3 years.
    I wrote why there are 2 OpenVPN rules in my post:
    @show-p1984:

    (The second OpenVPN rule, on top, is deactivated, and was just there for testing this issue.)

    It was added after functionality broke for testing and just disabled, not deleted. (which shouldn't be a problem)

    About this logging: I don't know what you guys are talking about (seriously, I don't). I never saw that view you showed in your screenshot and I have no option to get it on the Firewall log page:


  • Banned

    Sir. For goddamn sake UNTICK the 'Raw Logs' checkbox on the 'Settings' tab. No one wants to see this unreadable shit. Seriously.



  • @doktornotor:

    Sir. For goddamn sake UNTICK the 'Raw Logs' checkbox on the 'Settings' tab. No one wants to see this unreadable shit. Seriously.

    Thank you for explaining. It is in the realm of possibility that I changed that years ago and forgot about it.
    I am not sure how this view differs from the earlier posted "Dynamic View" one, except the clickable buttons.

    Dynamic view posted earlier:



  • I am not sure how this view differs from the earlier posted "Dynamic View" one

    This view is much easier to read.  Btw you can embed images directly here without having to link to an external site.



  • @KOM:

    I am not sure how this view differs from the earlier posted "Dynamic View" one

    This view is much easier to read.  Btw you can embed images directly here without having to link to an external site.

    I do understand that about the raw logs. Which is why I included the Dynamic View, with click-popup on the blocked rule in the very first post I made (before any edits). Yet everybody seems to have overlooked it, and you also did, because in my last post I said that there isn't much difference between the Dynamic View and the not-raw, normal view. I even reposted the images, so one could see that there are nearly no additions. (Except buttons and the option to add the rule which blocked the traffic, which can be seen with the onclick popup in the Dynamic View too…)

    So I guess some people jumped at the chance to point out that they dislike thing a or b rather than properly reading and trying to help, which is more than frustrating.

    Anyways... I enabled the rule-feature in the normal view, tried to connect from the offending network and from a passing network (both are mobile connections). See @attachment

    Interesting thing:
    If I add a rule using the "Easy rule feature" (putting it below my already existing rule) and setting it to "any source ip" the first traffic from the offending network is passed by my original rule the OpenVPN wizard created, not the new Easy Rule. Subsequent traffic is still blocked and hence the OpenVPN connection failed. If I delete the Easy Rule, all traffic from the offending network is dropped. The Easy Rule has no effect on traffic from passing networks.




  • So I guess some people jumped at the chance to point out that they dislike thing a or b rather than properly reading and trying to help, which is more than frustrating.

    It's almost as frustrating as trying to help others who seem to lack common sense and go out of their way to not provide useful information, or expect it to be extracted much like a dentist extracts teeth.  I'm not saying that you're doing that here because you're not, but that's the reaction from some of the regulars.  It's not how I handle myself, but to each their own.  I feel that if your natural reaction is to yell at the people you're trying to help, then maybe you're burnt out and need a break.

