Netgate Discussion Forum

    LAN blocking a Virtual IP on WAN?

    18 Posts 4 Posters 4.9k Views
pdrass

I have a WAN address, everything is working great.  I added a virtual IP onto the pfSense of a server that used to have a WAN address from our ISP (it is one number higher in the 3rd octet) > assigned the server a private IP > set up NAT port forwards to the server (mail, smtp, etc), and everything was working great all week; then suddenly today I get everything being blocked.

      I ran:  pfctl -vvsr <– to show me in a raw way what the GUI was telling me (@53...blocking you blah blah blah)

      @53(1000001570) block drop in log on ! bge0 inet from xxx.xxx.xxx.240/29 to any
        [ Evaluations: 4193169  Packets: 0        Bytes: 0          States: 0    ]
        [ Inserted: pid 84228 State Creations: 18446735281997680688]

      That's the rule when triggering a block.  I don't know why it's doing this and why it suddenly happened.  It doesn't make sense to me.  I also killed all states on the firewall and reloaded the firewall filter set but nothing is working.

      bge0 = WAN but it keeps saying on the GUI that it's blocked on the LAN

      GUI looks like this:

      Dec 11 14:00:14 LAN Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List x.x.x.243:25 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 75.134.106.94:61863 TCP:SA

That's me trying to telnet to port 25 to the mail server on its public .243 address.

      I'm scratching my head at the moment.  Can anyone help with some insight?

      All mail services are dead on the public side :-(

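Clicking the red X in the log, as suggested later in the thread, resolves the logged rule id to its rule text. As an added example (not from the thread and not pfSense's own code), this Python helper does the same from `pfctl -vvsr` output: it maps the pfSense tracking id (the number in parentheses, 1000001570 above) to the rule, and recognises pf's antispoof rules, whose `on ! <interface> ... from <network> to any` form means the packet carried a source address from that network but arrived on a different interface. The sample rule output is constructed, with the documentation range 203.0.113.0/24 in place of the poster's real addresses.

```python
import re
from typing import Dict, Optional

# Constructed sample of `pfctl -vvsr` output, modelled on the thread above:
# "@<num>(<tracking id>) <rule text>" followed by two counter lines.
PFCTL_RULES = """\
@53(1000001570) block drop in log on ! bge0 inet from 203.0.113.240/29 to any
  [ Evaluations: 4193169  Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: pid 84228 State Creations: 0     ]
@54(1000001571) pass in quick on bge0 inet proto tcp from any to 203.0.113.243 port = smtp flags S/SA keep state
  [ Evaluations: 120  Packets: 10        Bytes: 800          States: 1    ]
  [ Inserted: pid 84228 State Creations: 5     ]
"""

RULE_RE = re.compile(r"^@(\d+)\((\d+)\)\s+(.*)$")
# pf expands "antispoof for <if>" into "block ... on ! <if> inet from <if net> to any":
# traffic from that network is only legitimate when it enters on that interface.
ANTISPOOF_RE = re.compile(r"\bon !\s*(\S+)\s+inet6?\s+from\s+(\S+)\s+to any")


def parse_pfctl_rules(text: str) -> Dict[str, dict]:
    """Map pfSense tracking id -> {'num': rule number, 'text': rule} from pfctl -vvsr output."""
    rules: Dict[str, dict] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # counter lines are indented and do not match
            rules[m.group(2)] = {"num": int(m.group(1)), "text": m.group(3)}
    return rules


def explain_block(tracking_id: str, rules: Dict[str, dict]) -> Optional[str]:
    """Explain a logged block by its tracking id; None if the id is not in the ruleset."""
    rule = rules.get(tracking_id)
    if rule is None:
        return None
    m = ANTISPOOF_RE.search(rule["text"])
    if m:
        iface, net = m.group(1), m.group(2)
        return (f"rule @{rule['num']} is the antispoof rule for {iface}: a source in {net} "
                f"is only accepted on {iface}, so this packet entered on another interface "
                f"(typically a lost NAT state, a stale ARP entry upstream, or swapped cabling)")
    return f"rule @{rule['num']}: {rule['text']}"


if __name__ == "__main__":
    parsed = parse_pfctl_rules(PFCTL_RULES)
    print(explain_block("1000001570", parsed))
```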
KOM

        Click on the red X beside the entry and it will tell you the rule that caused the block.  Are you running pfBlocker or Snort by any chance?

pdrass

I clicked the red X and it says the same thing as the command.

It looks like it's some auto-generated rule because it doesn't have a name by it like <spammers>, which is an alias I have.

The blocking rule makes no sense and I never put it in there.

I also just did a restore from the backup prior to making any of the IP alias stuff and it's doing the same thing.

This time I added a 1:1 NAT rule from public IP > private IP.  Then I made a NAT rule for SMTP and tested it.  It's almost like it's suggesting that the public IP resides on the LAN interface and it doesn't… it's an alias on the WAN.

I'm still stuck.

On the GUI it says:

IF:  LAN
Source:  x.x.x.243:443 <-- my virtual IP
Destination:  some public IP address
Proto:  TCP:SA

Blocked:  @58(1000002620) block drop in log on ! em1 inet from 192.168.0.0/24 to any

That's AFTER typing this out and changing the ALIAS from WAN to LAN just to see what it would do.

pdrass

            So, this is what I have setup:

            cable modem >> pfsense (3 NICS, 1 WAN, 1 LAN, 1 OPT) >> virtual IP address on the WAN.

            When I ssh to my mail server on the private IP (LAN) I try to ping google.com and it resolves but doesn't go out.

It would seem that there is an issue with the firewall letting the LAN address outbound, and it's weird that it says the LAN interface is getting blocked but has the public IP address in the LAN spot instead of the private IP address, which is 192.168.0.15.  It's got the public one in there.

            Everything else on the LAN is working fine.

            I'm almost tempted to say screw it and put it back on the WAN multi-homed at this point just to get things working again!

doktornotor

              Why people are not using and keep pasting the raw logs crap here goes beyond me.

pdrass

I don't understand what you're asking, really… it shows the same output, just arranged differently, and the default view is what I'm used to, not column view, but here is the column view output.

                block/1000001570
                Dec 11 10:41:45 LAN Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List x.x.x..243:443 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 107.77.164.21:55780 TCP:SA
                (1000001570)

I copied and pasted from the GUI - it's not a screenshot.

                I think it's a configuration problem with the setup BUT this hasn't been happening all week and just suddenly today it happened.  No changes were made.

I have another fw on 2.2.4, not 2.2.5, with the same setup and a lot more VIPs - same config, etc., and it works.  I've been comparing the two.  All the settings are the same, but the only weird thing is the LAN section, which shows the public VIP - that's not normal, I don't think.

                See above it says "LAN" then the icon to add to the block list easy rule, etc - that's my public IP or I can then add to the easy rule to pass the traffic of that 107...address.

                That seems like odd behavior and something I wouldn't expect.  The only LAN IP that should be there is a real LAN IP like the server's address of:  192.168.0.15 not the public x.x.x.243.

doktornotor

                  I am asking to post a SCREENSHOT. Using the setting shown above, you will actually find the logs useful at a glance.

pdrass

                    I didn't really want to post a screen shot but whatever.

                    Here it is.

                    Thanks!

[attached screenshot: fw.log.pn.PNG]

pdrass

                      See how the LAN and WAN are all screwed up?

                      The LAN shows a public IP as the source and the WAN shows a private IP as the source.

doktornotor

                        Post screenshots of

                        • Interfaces - Assign
                        • Firewall - Virtual IPs
                        • Your 1:1 NAT/port forwards setup
pdrass

                          See attached.

My pfSense:  192.168.0.253 (LAN address)

                          My Linux Host's route table:

                          root@mail:/etc/network# route
                          Kernel IP routing table
                          Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
                          default        192.168.0.253  0.0.0.0        UG    0      0        0 eth0
                          192.168.0.0    *              255.255.255.0  U    0      0        0 eth0

                          Any other device on the network that doesn't have a virtual IP (because there is only 1 of course) can get out just fine and everything is normal.  It's only this one 192.168.0.15 host that has the virtual IP setup.

                          I'm so stumped!

[attached screenshots: interfaces.assign.PNG, mail.server.PNG, 1 to 1 nat.PNG]

KOM

@pdrass:

I didn't really want to post a screen shot but whatever.

                            They are pretty much mandatory if you want assistance.  Too many people will describe what they think they did, as opposed to what they actually did, or will present the data in an unreadable format.  Screenshots don't lie.  Feel free to black out your WAN IP address.

pdrass

That's understandable, and why I posted them… if you need help, beggars can't be choosers :-)

pdrass

                                So…no matter what I do I always get this:

                                The rule that triggered this action is:
                                
                                @55(1000001570) block drop in log on ! bge0 inet from 173.162.48.240/29 to any
                                

This is frustrating to say the least.  I've deleted all the rules, VIPs, ARP cache, etc. and set everything back up, but I get the same damn result.  This isn't how it was working yesterday!  I don't understand what the heck has happened, and on top of that my other site that has more VIPs than this one is working perfectly and is set up the same way.

                                The only odd thing is that from the client machine I can't ping out, not even over the VPN - I can ping on the LAN but not over the WAN or VPN.

This is just unbelievable and there seems to be no reason, although the box thinks there is a reason!  If Snort would block something the log files usually say <snort>; same with pfBlockerNG, it would show up in the log as such.

I am ready to dial up and pay for support on this!!!

KOM

                                  Are you running pfBlocker or Snort by any chance?

pdrass

                                    OMG you know what it was?

                                    This is unbelievable!!!

                                    I had the cable provider soft reboot the router since I wasn't on site.  In an act of desperation I called a guy to walk over to the cable modem > pull power > plug power back in and boom, it started working again.

                                    I assume then that arp got all messed up somehow and it was reset on that cable modem device.

                                    Just unbelievable.

doktornotor

                                      Well, I just wanted to suggest to check that you have not swapped the cables by accident. :P

BBcan177 (Moderator)

                                        @pdrass:

                                        I have a WAN address, everything is working great.  I added a virtual IP onto the PFSense of a server that used to have a WAN address from our ISP

                                        I have a similar setup with a VIP for my second WAN…

                                        I see in your screenshot that you have /32 for the VIP CIDR... That CIDR should match the CIDR of the WAN network... See the help text on the VIP page....

                                        "Experience is something you don't get until just after you need it."

                                        Website: http://pfBlockerNG.com
                                        Twitter: @BBcan177  #pfBlockerNG
                                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/
