LAN blocking a Virtual IP on WAN?



  • I have a WAN address, everything is working great.  I added a virtual IP onto the PFSense of a server that used to have a WAN address from our ISP, it is one number higher in the 3rd octet > assigned the server a private IP > setup NAT port forwards to the server (mail, smtp, etc) and everything was working great all week then suddenly today I get everything being blocked.

    I ran:  pfctl -vvsr <– to show me in a raw way what the GUI was telling me (@53...blocking you blah blah blah)

    @53(1000001570) block drop in log on ! bge0 inet from xxx.xxx.xxx.240/29 to any
      [ Evaluations: 4193169  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 84228 State Creations: 18446735281997680688]

    That's the rule when triggering a block.  I don't know why it's doing this and why it suddenly happened.  It doesn't make sense to me.  I also killed all states on the firewall and reloaded the firewall filter set but nothing is working.

    bge0 = WAN but it keeps saying on the GUI that it's blocked on the LAN

    GUI looks like this:

    Dec 11 14:00:14 LAN Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List x.x.x.243:25 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 75.134.106.94:61863 TCP:SA

    That's me trying to telnet to port 25 to the mail server on it's public .243 address.

    I'm scratching my head at the moment.  Can anyone help with some insight?

    All mail services are dead on the public side :-(



  • Click on the red X beside the entry and it will tell you the rule that caused the block.  Are you running pfBlocker or Snort by any chance?



  • I clicked the red x and it says the same thing as the command.

    It looks like it's some auto generated rule because it doesn't have a name by it like <spammers>which is an alias I have.

    The blocking rule makes no sense and I never put it in there.

    I also just did a restore from the backup prior to making any of the ip alias stuff and it's doing the same thing.

    This time I added a 1:1 nat rule form public IP > private IP.  Then I make a nat rule for SMTP and tested it.  It's almost like it's suggesting that the public IP resides on the LAN interface and it doesn't…it's an alias on the WAN.

    I'm still stuck.

    On the GUI it says:

    IF:  LAN
    Source:  x.x.x.243:443 <-- my virtual IP
    Destination:  some public IP address
    Proto:  TCP:SA

    Blocked:  @58(1000002620) block drop in log on ! em1 inet from 192.168.0.0/24 to any

    That's AFTER typing this out and changing the ALIAS from WAN to LAN just to see what it would do.</spammers>



  • So, this is what I have setup:

    cable modem >> pfsense (3 NICS, 1 WAN, 1 LAN, 1 OPT) >> virtual IP address on the WAN.

    When I ssh to my mail server on the private IP (LAN) I try to ping google.com and it resolves but doesn't go out.

    It would seem that there is an issue with the firewall letting the LAN address outbound and weird that it says the LAN interface is getting blocked but has the public IP address in the LAN spot instead of the private IP address which is 192.168.0.15.  It's got the public one in there.

    Everything else on the LAN is working fine.

    I'm almost tempted to say screw it and put it back on the WAN multi-homed at this point just to get things working again!


  • Banned

    Why people are not using and keep pasting the raw logs crap here goes beyond me.



  • I don't understand what you're asking really…it shows the same output just arranges it differently and the default view is what I'm used to not column view but here is the column view output.

    block/1000001570
    Dec 11 10:41:45 LAN Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List x.x.x..243:443 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 107.77.164.21:55780 TCP:SA
    (1000001570)

    I copied and pasted form the gui - it's not a screen shot.

    I think it's a configuration problem with the setup BUT this hasn't been happening all week and just suddenly today it happened.  No changes were made.

    I have another fw on 2.2.4 not 2.2.5 with the same setup and a lot more vip's - same config, etc and it works.  I've been comparing the two.  All the settings are the same but the only weird thing is the LAN section which shows the public VIP - that's not normal I don't htink.

    See above it says "LAN" then the icon to add to the block list easy rule, etc - that's my public IP or I can then add to the easy rule to pass the traffic of that 107...address.

    That seems like odd behavior and something I wouldn't expect.  The only LAN IP that should be there is a real LAN IP like the server's address of:  192.168.0.15 not the public x.x.x.243.


  • Banned

    I am asking to post a SCREENSHOT. Using the setting shown above, you will actually find the logs useful at a glance.



  • I didn't really want to post a screen shot but whatever.

    Here it is.

    Thanks!




  • See how the LAN and WAN are all screwed up?

    The LAN shows a public IP as the source and the WAN shows a private IP as the source.


  • Banned

    Post screenshots of

    • Interfaces - Assign
    • Firewall - Virtual IPs
    • Your 1:1 NAT/port forwards setup


  • See attached.

    My PFSense:  192.168.0.253 (lan address)

    My Linux Host's route table:

    root@mail:/etc/network# route
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    default        192.168.0.253  0.0.0.0        UG    0      0        0 eth0
    192.168.0.0    *              255.255.255.0  U    0      0        0 eth0

    Any other device on the network that doesn't have a virtual IP (because there is only 1 of course) can get out just fine and everything is normal.  It's only this one 192.168.0.15 host that has the virtual IP setup.

    I'm so stumped!





    ![1 to 1 nat.PNG](/public/imported_attachments/1/1 to 1 nat.PNG)
    ![1 to 1 nat.PNG_thumb](/public/imported_attachments/1/1 to 1 nat.PNG_thumb)



  • I didn't really want to post a screen shot but whatever.

    They are pretty much mandatory if you want assistance.  Too many people will describe what they think they did, as opposed to what they actually did, or will present the data in an unreadable format.  Screenshots don't lie.  Feel free to black out your WAN IP address.



  • That's understandable and why I posted them…if you need help; beggars can't be choosers :-)



  • So…no matter what I do I always get this:

    The rule that triggered this action is:
    
    @55(1000001570) block drop in log on ! bge0 inet from 173.162.48.240/29 to any
    

    This is frustrating to say the least.  I've deleted all the rules, vip's, arp cache, etc and reset everything back up but I get the same damn result.  This isn't how it was working yesterday!  I don't understand what the heck has happened and on top of that my other site that has more vip's than this one is working perfectly and is setup the same way.

    The only odd thing is that from the client machine I can't ping out, not even over the VPN - I can ping on the LAN but not over the WAN or VPN.

    This is just unbelievable and there seems to be no reason although the box thinks there is a reason!  If snort would block something the log files usually say <snort>, same with pfblockerNG it would show up in the log as such.

    I'm am ready to dial up pay for support on this!!!</snort>



  • Are you running pfBlocker or Snort by any chance?



  • OMG you know what it was?

    This is unbelievable!!!

    I had the cable provider soft reboot the router since I wasn't on site.  In an act of desperation I called a guy to walk over to the cable modem > pull power > plug power back in and boom, it started working again.

    I assume then that arp got all messed up somehow and it was reset on that cable modem device.

    Just unbelievable.


  • Banned

    Well, I just wanted to suggest to check that you have not swapped the cables by accident. :P


  • Moderator

    @pdrass:

    I have a WAN address, everything is working great.  I added a virtual IP onto the PFSense of a server that used to have a WAN address from our ISP

    I have a similar setup with a VIP for my second WAN…

    I see in your screenshot that you have /32 for the VIP CIDR... That CIDR should match the CIDR of the WAN network... See the help text on the VIP page....


Log in to reply