Question


  • MrNGm
Solved, see the edits in this and this post

From my LAN, which is NATed to the "default" WAN address, I cannot reach hosts on a VLAN on the same router that have public IPs. However, when I try, I do see TCP SYNs going towards the VLAN hosts in question and SYN-ACKs being sent back on the VLAN interface, but they do not make it back through the pfSense router/firewall to the LAN machine. From the outside the public addresses are reachable normally, as far as the firewall is open for specific ports.

Setup
Current setup; addresses are as they appear on the interfaces. I have left out the irrelevant parts.

code:
router: pfSense 2.4.5-RELEASE-p1 on PCengines apu2e4, 3 physical ports (2 in use)

igb0:               213.124.174.x/25   "WAN"         (wan)
    `--- gif0:      2001:470:1f14:x    "HENETv6"     (opt1)
    `--- gre0:      5.255.x.x/30       "EXTRAIPV4"   (opt2)
    `--- gif1:      2a03:10c3:10:x     "EXTRAIPV6"   (opt4)
igb1:               10.33.8.1/24       "LAN"         (lan)
    `--- igb1.1337: 185.216.161.233/29 "EXTRAIPVLAN" (opt3)


(Incidentally, this setup differs considerably from that of, for example, Kragt-ICT. So I am not looking for answers along the lines of "have you tried this setup yet?", because I do not want a setup where publicly routable addresses sit behind NAT :) )

I have 1 ISP that delivers over ethernet (igb0/"WAN", DHCP). Over that I run several tunnels. Two of them are for ExtraIP (gre0, gif1), one is for Hurricane Electric (gif0). My LAN traffic (10.33.8.0/24) gets outbound NAT to the address of igb0: 213.124.174.x, and the "Outbound NAT mode" on pfSense is set to 'Manual Outbound NAT'.

I have a VM hypervisor, Debian 10, KVM+QEMU, with 1 NIC connected at layer 2 to igb1 (cable from the machine to a dumb Netgear switch to the router). This NIC has no IP addresses configured, but it does have a tagged VLAN interface with 185.216.161.234/29 as its address. On this hypervisor runs (on a separate bridge) a VM with address 185.216.161.237/32 and a host route to 185.216.161.233 (config further down). The firewall on the VM hypervisor passes traffic from/to the VMs unfiltered.

I have a laptop, Arch Linux, with 1 NIC connected at layer 2 to igb1 and address 10.33.8.12/24.

code:
VM hypervisor:
# ip a
2: nic0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 44:37:e6:45:e2:d9 brd ff:ff:ff:ff:ff:ff
5: extraip@nic0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:23:42:aa:aa:aa brd ff:ff:ff:ff:ff:ff
    inet 185.216.161.234/29 brd 185.216.161.239 scope global extraip
       valid_lft forever preferred_lft forever
    inet6 2a03:10c3:x/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::223:42ff:feaa:aaaa/64 scope link 
       valid_lft forever preferred_lft forever

# ip r
default via 185.216.161.233 dev extraip proto static 
185.216.161.232/29 dev extraip proto kernel scope link src 185.216.161.234 
185.216.161.235 dev virbr-stoel proto static scope link 
185.216.161.237 dev virbr-klant proto static scope link 

VM:
# ip a
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:c9:e6:71 brd ff:ff:ff:ff:ff:ff
    inet 185.216.161.237/32 scope global enp1s0
       valid_lft forever preferred_lft forever
# ip r
default via 185.216.161.233 dev enp1s0 onlink


Tests
Ping from an external machine:
code:
$ ip route get 185.216.161.237
185.216.161.237 via 116.202.83.56 dev enp1s0 src 178.63.116.169 uid 1000 
    cache 
$ ping -c1 185.216.161.237
PING 185.216.161.237 (185.216.161.237) 56(84) bytes of data.
64 bytes from 185.216.161.237: icmp_seq=1 ttl=56 time=20.2 ms

--- 185.216.161.237 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.154/20.154/20.154/0.000 ms


Ping from my laptop:
code:
$ ip route get 185.216.161.237
185.216.161.237 via 10.33.8.1 dev enp0s25 src 10.33.8.12 uid 1000 
    cache 
$ ping -c1 185.216.161.237
PING 185.216.161.237 (185.216.161.237) 56(84) bytes of data.

--- 185.216.161.237 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


If I open a tcpdump on the router on the VLAN interface, igb1.1337:
code:
: tcpdump -eni igb1.1337 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1.1337, link-type EN10MB (Ethernet), capture size 262144 bytes
18:46:34.869081 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 98: 178.63.116.169 > 185.216.161.237: ICMP echo request, id 4864, seq 1, length 64
18:46:34.869575 00:23:42:aa:aa:aa > 00:0d:b9:56:ad:fd, ethertype IPv4 (0x0800), length 98: 185.216.161.237 > 178.63.116.169: ICMP echo reply, id 4864, seq 1, length 64

18:46:39.640046 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 98: 213.124.174.x > 185.216.161.237: ICMP echo request, id 38853, seq 1, length 64
18:46:39.640481 00:23:42:aa:aa:aa > 00:0d:b9:56:ad:fd, ethertype IPv4 (0x0800), length 98: 185.216.161.237 > 213.124.174.x: ICMP echo reply, id 38853, seq 1, length 64


... you can see that both ICMP requests reach the machine in question, and that a reply is sent for both requests. The reply that is sent to the WAN IP, however, never arrives back at the laptop.

While pinging from the LAN host, pfTop shows the following (if anyone knows how to get the interface names included as well, please tell!):
Image: https://tweakers.net/i/0FVN3zTp_Gzk_0I31_9bfsPZ6co=/800x/filters:strip_exif()/f/image/K3jCkcyxZV9TCYtqbH4dDMlF.png?f=fotoalbum_large

Diagnosis
pfSense is probably missing something to correctly translate (in this case ICMP) back towards the NATed laptop. I would expect the (only) Outbound NAT rule to translate this back correctly... or that a pass firewall rule on EXTRAIPVLAN is required. I have investigated the latter as well, by logging the default drop rules too, but no drop is reported for the returning packets.

I am curious whether you have any illuminating insights.

Best answer (marked by MrNGm on 26-11-2020 08:32)


  • Kabouterplop01

chown -R me base:all

Nice!! Indeed, if you cannot find it by testing at L3 like that, then there must be a rule somewhere...

All replies


  • Kabouterplop01

I think you need to add a route on your pfSense; I see the route your laptop takes, but not the one pfSense should take.

  • MrNGm

Looking at the routing table, pfSense does seem to know where it should go:

code:
: netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            213.124.174.1      UGS        igb0
5.255.x            link#9             UHS         lo0 # tunnel /30
5.255.x            link#9             UH         gre0 # tunnel /30
10.33.8.0/24       link#2             U          igb1
10.33.8.1          link#2             UHS         lo0 
127.0.0.1          link#4             UH          lo0 
185.216.x/x        213.124.174.1      UGS        igb0 # tunnel endpoint
185.216.x          213.124.174.1      UGHS       igb0 # tunnel endpoint
185.216.x/x        213.124.174.1      UGS        igb0 # tunnel endpoint
185.216.161.232/29 link#8             U      igb1.133
185.216.161.233    link#8             UHS         lo0 
213.124.174.0/x    link#1             U          igb0
213.124.174.x      link#1             UHS         lo0 # this is odd, I would expect it on igb0
213.160.x          00:0c:42:a4:30:25  UHS        igb0 # DNS 
213.160.x          00:0c:42:a4:30:25  UHS        igb0 # DNS 
216.66.x           213.124.174.1      UGHS       igb0 # tunnel endpoint


... but it surprises me that lo0 is used as the interface, while according to ifconfig the address is on igb0:

code:
: ifconfig
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:0c:42:a4:30:25
    inet6 fe80::20c:42ff:fea4:3025%igb0 prefixlen 64 scopeid 0x1
    inet 213.124.174.x netmask 0xffffffx broadcast 213.124.174.x
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active

  • Kabouterplop01

Not that strange in itself; a loopback address can in theory never go down (unless the router goes down).
If you change that route manually, does it work then?
(I do not know whether you also have to remove the loopback route explicitly when you add the route to the correct interface)
edit: Can you see whether your pfSense filters the returning traffic at a higher layer by a rule? (that could of course also be the case, and then you are looking in the wrong place)

[ Edited 23% by Kabouterplop01 on 19-11-2020 09:13 ]


  • MrNGm

Kabouterplop01 wrote on Thursday 19 November 2020 @ 09:09:
If you change that route manually, does it work then?
(I do not know whether you also have to remove the loopback route explicitly when you add the route to the correct interface)
I am cautiously assuming that pfSense puts the settings from the web interface correctly into the underlying system (FreeBSD). In any case it looks like the notation is correct, because the addresses of all the other interfaces also appear on lo0 in the route table.

offtopic:
Incidentally, under Linux an ip route get <ip-of-the-host> does something comparable:

$ ip route get 10.33.8.12
local 10.33.8.12 dev lo src 10.33.8.12 uid 1000
Kabouterplop01 wrote on Thursday 19 November 2020 @ 09:09:
edit: Can you see whether your pfSense filters the returning traffic at a higher layer by a rule? (that could of course also be the case, and then you are looking in the wrong place)
I enabled logging for the default pass/block rules in the web interface:

code:
: tcpdump -eni pflog0 host 185.216.161.237 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
15:20:32.626261 rule 131/0(match): pass out on igb0: 213.124.174.x > 185.216.161.237: ICMP echo request, id 13517, seq 1, length 64
15:20:32.633102 rule 131/0(match): pass out on igb1.1337: 213.124.174.x > 185.216.161.237: ICMP echo request, id 13517, seq 1, length 64


when running:

code:
$ ping -c4 185.216.161.237
PING 185.216.161.237 (185.216.161.237) 56(84) bytes of data.

--- 185.216.161.237 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3043ms


That does not indicate that anything is being blocked (implicitly).

Also $ telnet 185.216.161.237 80 from the same host does not produce any implicit blocks:

code:
: tcpdump -eni pflog0 host 185.216.161.237 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
15:49:32.085820 rule 131/0(match): pass out on igb0: 213.124.174.x.57136 > 185.216.161.237.80: Flags [S], seq 1886878648, win 64240, options [mss 1460,sackOK,TS val 1634419196 ecr 0,nop,wscale 7], length 0
15:49:32.092742 rule 131/0(match): pass in on gre0: 213.124.174.x.57136 > 185.216.161.237.80: Flags [S], seq 1886878648, win 64240, options [mss 1460,sackOK,TS val 1634419196 ecr 0,nop,wscale 7], length 0
15:49:32.092776 rule 131/0(match): pass out on igb1.1337: 213.124.174.x.57136 > 185.216.161.237.80: Flags [S], seq 1886878648, win 64240, options [mss 1460,sackOK,TS val 1634419196 ecr 0,nop,wscale 7], length 0


but the SYN+ACKs do arrive on pfSense's VLAN interface (EXTRAIPVLAN/opt3):
code:
: tcpdump -eni igb1.1337 host 185.216.161.237 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1.1337, link-type EN10MB (Ethernet), capture size 262144 bytes
15:50:28.938253 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 74: 213.124.174.x.57140 > 185.216.161.237.80: Flags [S], seq 2845639608, win 64240, options [mss 1460,sackOK,TS val 1634476041 ecr 0,nop,wscale 7], length 0
15:50:28.938716 00:23:42:aa:aa:aa > 00:0d:b9:56:ad:fd, ethertype IPv4 (0x0800), length 74: 185.216.161.237.80 > 213.124.174.x.57140: Flags [S.], seq 1575386785, ack 2845639609, win 65160, options [mss 1460,sackOK,TS val 1744769427 ecr 1634476041,nop,wscale 7], length 0
15:50:29.944829 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 74: 213.124.174.x.57140 > 185.216.161.237.80: Flags [S], seq 2845639608, win 64240, options [mss 1460,sackOK,TS val 1634477048 ecr 0,nop,wscale 7], length 0
15:50:29.945281 00:23:42:aa:aa:aa > 00:0d:b9:56:ad:fd, ethertype IPv4 (0x0800), length 74: 185.216.161.237.80 > 213.124.174.x.57140: Flags [S.], seq 1575386785, ack 2845639609, win 65160, options [mss 1460,sackOK,TS val 1744770434 ecr 1634476041,nop,wscale 7], length 0
15:50:30.961018 00:23:42:aa:aa:aa > 00:0d:b9:56:ad:fd, ethertype IPv4 (0x0800), length 74: 185.216.161.237.80 > 213.124.174.x.57140: Flags [S.], seq 1575386785, ack 2845639609, win 65160, options [mss 1460,sackOK,TS val 1744771450 ecr 1634476041,nop,wscale 7], length 0


(and I find it odd here that it seems to go via gre0...)
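To make the pattern in the two captures above explicit, here is an added example (not part of the thread and not pfSense's or tcpdump's own code) that parses pflog0 lines into per-flow interface hops, flags flows that left through the WAN interface and re-entered over a tunnel, and lists packets seen on the igb1.1337 wire capture for which pflog recorded no rule decision on that interface. The sample lines are constructed after the captures above, with 213.124.174.77 standing in for the censored WAN address and the same source port used in both captures so they correlate; the interface sets come from the setup description.

```python
"""Reconstruct, per flow, the interface hops a packet took through pf from a
pfSense pflog0 capture, and check which packets seen on a wire capture have a
logged rule decision. Added for this thread; not pfSense's or tcpdump's code."""
import re
from collections import defaultdict

# Constructed lines modelled on the thread's captures; the censored WAN address
# 213.124.174.x is stood in by the placeholder 213.124.174.77.
PFLOG = """\
15:49:32.085820 rule 131/0(match): pass out on igb0: 213.124.174.77.57136 > 185.216.161.237.80: Flags [S], seq 1886878648, win 64240, length 0
15:49:32.092742 rule 131/0(match): pass in on gre0: 213.124.174.77.57136 > 185.216.161.237.80: Flags [S], seq 1886878648, win 64240, length 0
15:49:32.092776 rule 131/0(match): pass out on igb1.1337: 213.124.174.77.57136 > 185.216.161.237.80: Flags [S], seq 1886878648, win 64240, length 0
15:20:32.626261 rule 131/0(match): pass out on igb0: 213.124.174.77 > 185.216.161.237: ICMP echo request, id 13517, seq 1, length 64
15:20:32.633102 rule 131/0(match): pass out on igb1.1337: 213.124.174.77 > 185.216.161.237: ICMP echo request, id 13517, seq 1, length 64
"""
WIRE_IFACE = "igb1.1337"
WIRE = """\
15:50:28.938253 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 74: 213.124.174.77.57136 > 185.216.161.237.80: Flags [S], seq 2845639608, win 64240, length 0
15:50:28.938716 00:23:42:aa:aa:aa > 00:0d:b9:56:ad:fd, ethertype IPv4 (0x0800), length 74: 185.216.161.237.80 > 213.124.174.77.57136: Flags [S.], seq 1575386785, ack 2845639609, win 65160, length 0
"""

PFLOG_RE = re.compile(r"^(\S+) rule (\d+)/\d+\(match\): (pass|block) (in|out) on ([\w.]+): (\S+) > (\S+): (.*)$")
WIRE_RE = re.compile(r"^(\S+) \S+ > \S+, ethertype IPv4 .*?, length \d+: (\S+) > (\S+): (.*)$")
WAN_IFACES, TUNNEL_IFACES = {"igb0"}, {"gre0", "gif0", "gif1"}   # from the setup in the thread


def endpoint(s):
    """'a.b.c.d.port' -> ('a.b.c.d', port); bare 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = s.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (s, None)


def flow_hops(pflog_text):
    """Map (src, sport, dst, dport) -> ordered list of (iface, direction, verdict, rule)."""
    hops = defaultdict(list)
    for line in pflog_text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        _, rule, verdict, direction, iface, src, dst, _ = m.groups()
        hops[endpoint(src) + endpoint(dst)].append((iface, direction, verdict, int(rule)))
    return dict(hops)


def hairpins(hops):
    """Flows that left through a WAN interface and later re-entered through a
    tunnel: pf forwarded them to the ISP only to receive them back over a tunnel."""
    found = []
    for key, path in hops.items():
        ifaces = [(i, d) for i, d, _, _ in path]
        left = [n for n, (i, d) in enumerate(ifaces) if i in WAN_IFACES and d == "out"]
        if left and any(i in TUNNEL_IFACES and d == "in" for i, d in ifaces[left[0]:]):
            found.append(key)
    return found


def unlogged_on_wire(wire_text, iface, hops):
    """Packets captured on `iface` for which pflog holds no rule decision on that
    interface: pf matched an existing state or applied a rule without 'log'."""
    missing = []
    for line in wire_text.splitlines():
        m = WIRE_RE.match(line)
        if not m:
            continue
        key = endpoint(m.group(2)) + endpoint(m.group(3))
        if not any(i == iface for i, _, _, _ in hops.get(key, [])):
            missing.append((key, m.group(4).split(",")[0]))
    return missing


if __name__ == "__main__":
    hops = flow_hops(PFLOG)
    print("hairpin flows:", hairpins(hops))
    print("seen on", WIRE_IFACE, "without a logged decision:", unlogged_on_wire(WIRE, WIRE_IFACE, hops))
```

For the constructed lines the TCP SYN comes out as a hairpin (out igb0, in gre0, out igb1.1337) and the SYN-ACK on igb1.1337 has no logged decision, which is the pattern the captures above show.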

  • Kabouterplop01

It seems to be load balancing dynamically, but I do not know why (maybe because that /30 of the GRE is more specific)
In any case, if the router does that, it just tries to find the best path (instead of knowing where it has to go).

The return route looks OK in any case.

Still odd, because your route table gives:
code:
185.216.161.232/29 link#8             U      igb1.1337


and this is not strange:
code:
213.124.174.0/x    link#1             U          igb0
213.124.174.x      link#1             UHS         lo0

the traffic first enters the physical interface, BSD routes it to lo0 and from there to the outgoing interface (just like with igb1.1337)

I am still trying to think of why it looks like something is missing or going wrong. The routing is fine, I think.

  • MrNGm

Kabouterplop01 wrote on Sunday 22 November 2020 @ 10:12:
It seems to be load balancing dynamically, but I do not know why (maybe because that /30 of the GRE is more specific)
More specific, but not from the same subnet, so I doubt that. For reference, the settings of the GRE tunnel:

Image: https://tweakers.net/i/NIjcCyxJbTLSuPV5LYThTlHlabI=/800x/filters:strip_exif()/f/image/1cl6MjJw97wl5Mm690EpH13m.png?f=fotoalbum_large

Incidentally, I did previously have the /29 subnet configured on the GRE interface, but then pfSense would not allow assigning an address from that /29 to the VLAN interface as well (so that hosts on the VLAN were neatly within that subnet).
Kabouterplop01 wrote on Sunday 22 November 2020 @ 10:12:
In any case, if the router does that, it just tries to find the best path (instead of knowing where it has to go).

The return route looks OK in any case.

Still odd, because your route table gives:
code:
185.216.161.232/29 link#8             U      igb1.1337


and this is not strange:
code:
213.124.174.0/x    link#1             U          igb0
213.124.174.x      link#1             UHS         lo0

the traffic first enters the physical interface, BSD routes it to lo0 and from there to the outgoing interface (just like with igb1.1337)

I am still trying to think of why it looks like something is missing or going wrong. The routing is fine, I think.
In any case, thanks for thinking along d:)b.

I can still paste the whole PF ruleset if that would help; there is still a chance that policy routing is throwing a spanner in the works, but I have tried to rule that out by putting specific rules 'at the top' so that they match earlier (specifically on the igb0 WAN address).

  • MrNGm

For reference, the lightly censored pfctl -sr:

code:
: pfctl -sr
scrub on igb0 all fragment reassemble
scrub on igb1 all fragment reassemble
scrub on gif0 all max-mss 1420 fragment reassemble
scrub on gre0 all fragment reassemble
scrub on igb1.1337 all fragment reassemble
scrub on gif1 all max-mss 1420 fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from <snort2c> to any label "Block snort2c hosts"
block drop log quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "sshguard"
block drop in log quick proto tcp from <sshguard> to (self) port = https label "GUI Lockout"
block drop in log quick from <virusprot> to any label "virusprot overload table"
pass in log quick on igb0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
pass out log quick on igb0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
block drop in log quick on igb0 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log quick on igb0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
block drop in log on ! igb0 inet from 213.124.174.0/x to any
block drop in log inet from 213.124.174.x to any
block drop in log on igb0 inet6 from fe80::20c:42ff:fea4:3025 to any
block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log quick on igb0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
block drop in log quick on igb1 from <bogons> to any label "block bogon IPv4 networks from LAN"
block drop in log quick on igb1 from <bogonsv6> to any label "block bogon IPv6 networks from LAN"
block drop in log on ! igb1 inet6 from 2001:470:1f15:x/64 to any
block drop in log on igb1 inet6 from fe80::20d:b9ff:fe56:adfd to any
block drop in log inet6 from 2001:470:1f15:x to any
block drop in log on ! igb1 inet from 10.33.8.0/24 to any
block drop in log inet from 10.33.8.1 to any
pass in log quick on igb1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in log quick on igb1 inet proto udp from any port = bootpc to 10.33.8.1 port = bootps keep state label "allow access to DHCP server"
pass out log quick on igb1 inet proto udp from 10.33.8.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log quick on gif0 from <bogons> to any label "block bogon IPv4 networks from HENETV6"
block drop in log quick on gif0 from <bogonsv6> to any label "block bogon IPv6 networks from HENETV6"
block drop in log quick on gif0 inet from 10.0.0.0/8 to any label "Block private networks from HENETV6 block 10/8"
block drop in log quick on gif0 inet from 127.0.0.0/8 to any label "Block private networks from HENETV6 block 127/8"
block drop in log quick on gif0 inet from 172.16.0.0/12 to any label "Block private networks from HENETV6 block 172.16/12"
block drop in log quick on gif0 inet from 192.168.0.0/16 to any label "Block private networks from HENETV6 block 192.168/16"
block drop in log quick on gif0 inet6 from fc00::/7 to any label "Block ULA networks from HENETV6 block fc00::/7"
block drop in log quick on gre0 from <bogons> to any label "block bogon IPv4 networks from EXTRAIPV4"
block drop in log quick on gre0 from <bogonsv6> to any label "block bogon IPv6 networks from EXTRAIPV4"
block drop in log on ! gre0 inet from 5.255.x/30 to any
block drop in log inet from 5.255.x to any
block drop in log on gre0 inet6 from fe80::20c:42ff:fea4:3025 to any
block drop in log quick on gre0 inet from 10.0.0.0/8 to any label "Block private networks from EXTRAIPV4 block 10/8"
block drop in log quick on gre0 inet from 127.0.0.0/8 to any label "Block private networks from EXTRAIPV4 block 127/8"
block drop in log quick on gre0 inet from 172.16.0.0/12 to any label "Block private networks from EXTRAIPV4 block 172.16/12"
block drop in log quick on gre0 inet from 192.168.0.0/16 to any label "Block private networks from EXTRAIPV4 block 192.168/16"
block drop in log quick on gre0 inet6 from fc00::/7 to any label "Block ULA networks from EXTRAIPV4 block fc00::/7"
block drop in log quick on igb1.1337 from <bogons> to any label "block bogon IPv4 networks from EXTRAIPVLAN"
block drop in log quick on igb1.1337 from <bogonsv6> to any label "block bogon IPv6 networks from EXTRAIPVLAN"
block drop in log on ! igb1.1337 inet6 from 2a03:10c3:x/64 to any
block drop in log on igb1.1337 inet6 from fe80::20d:b9ff:fe56:adfd to any
block drop in log inet6 from 2a03:10c3:x::1 to any
block drop in log on ! igb1.1337 inet from 185.216.161.232/29 to any
block drop in log inet from 185.216.161.233 to any
block drop in log quick on igb1.1337 inet from 10.0.0.0/8 to any label "Block private networks from EXTRAIPVLAN block 10/8"
block drop in log quick on igb1.1337 inet from 127.0.0.0/8 to any label "Block private networks from EXTRAIPVLAN block 127/8"
block drop in log quick on igb1.1337 inet from 172.16.0.0/12 to any label "Block private networks from EXTRAIPVLAN block 172.16/12"
block drop in log quick on igb1.1337 inet from 192.168.0.0/16 to any label "Block private networks from EXTRAIPVLAN block 192.168/16"
block drop in log quick on igb1.1337 inet6 from fc00::/7 to any label "Block ULA networks from EXTRAIPVLAN block fc00::/7"
block drop in log quick on gif1 from <bogons> to any label "block bogon IPv4 networks from EXTRAIPV6"
block drop in log quick on gif1 from <bogonsv6> to any label "block bogon IPv6 networks from EXTRAIPV6"
block drop in log quick on gif1 inet from 10.0.0.0/8 to any label "Block private networks from EXTRAIPV6 block 10/8"
block drop in log quick on gif1 inet from 127.0.0.0/8 to any label "Block private networks from EXTRAIPV6 block 127/8"
block drop in log quick on gif1 inet from 172.16.0.0/12 to any label "Block private networks from EXTRAIPV6 block 172.16/12"
block drop in log quick on gif1 inet from 192.168.0.0/16 to any label "Block private networks from EXTRAIPV6 block 192.168/16"
block drop in log quick on gif1 inet6 from fc00::/7 to any label "Block ULA networks from EXTRAIPV6 block fc00::/7"
pass in log on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out log on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out log inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out log route-to (igb0 213.124.174.1) inet from 213.124.174.x to ! 213.124.174.0/x flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out log route-to (gif0 2001:470:1f14:x) inet6 from 2001:470:1f14:x to ! 2001:470:1f14:x/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out log route-to (gre0 5.255.x) inet from 5.255.x to ! 5.255.x/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out log route-to (gif1 2a03:10c3:x) inet6 from 2a03:10c3:x to ! 2a03:10c3:x/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in log quick on igb1 proto tcp from any to (igb1) port = https flags S/SA keep state label "anti-lockout rule"
pass in log quick on igb1 proto tcp from any to (igb1) port = http flags S/SA keep state label "anti-lockout rule"
pass in log quick on igb1 proto tcp from any to (igb1) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
block return out log quick on igb0 inet from any to <RFC1918_private> label "USER_RULE: Block RFC1918 from exiting WAN"
block return out log quick on gre0 inet from any to <RFC1918_private> label "USER_RULE: Block RFC1918 from exiting WAN"
pass log quick inet from 185.216.161.232/29 to 213.124.174.x flags S/SA keep state (sloppy) label "USER_RULE: eip4-itt"
pass log inet from 213.124.174.x to 185.216.161.232/29 flags S/SA keep state label "USER_RULE: itt-eip4"
pass in quick on igb0 reply-to (igb0 213.124.174.1) inet proto icmp all keep state label "USER_RULE"
pass in quick on igb0 reply-to (igb0 213.124.174.1) inet proto tcp from any to 10.33.8.x port = ssh flags S/SA keep state label "USER_RULE: NAT ssh"
# [repeats]

block drop in quick on igb0 reply-to (igb0 213.124.174.1) inet proto udp from any to any port = 17500 label "USER_RULE: block Dropbox LAN sync"
block drop in log quick on igb1 inet from 10.33.8.48 to any label "USER_RULE: block WAN"
pass in quick on igb1 inet6 from 2001:470:x::/64 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on igb1 route-to (gif0 2001:470:1f14:x) inet6 from 2001:470:x/64 to any flags S/SA keep state label "USER_RULE: VPN uitgaand"
block return in log quick on igb1 inet from ! 10.33.8.0/24 to any label "USER_RULE: Reject non-local IPs"
block return in log quick on igb1 inet6 from ! 2001:470:1f15:x/64 to any label "USER_RULE: Reject non-local IPs"
pass in quick on igb1 route-to (gif0 2001:470:1f14:x) inet6 proto ipv6-icmp from any to 2001:470:1f15:x/64 keep state label "USER_RULE"
pass in quick on igb1 route-to (igb0 213.124.174.1) inet from 10.33.8.0/24 to ! 10.33.8.0/24 flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on igb1 route-to (gif0 2001:470:1f14:x) inet6 from 2001:470:1f15:x/64 to ! 2001:470:1f15:x/64 flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick on igb1 inet6 from <HEnet> to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on igb1 route-to (gif0 2001:470:1f14:x) inet6 from <HEnet> to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick on igb1 inet from 10.33.8.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on gif0 reply-to (gif0 2001:470:1f14:x) inet6 proto ipv6-icmp all keep state label "USER_RULE: HE ICMPv6"
pass in quick on gif0 reply-to (gif0 2001:470:1f14:x) inet6 proto tcp from any to 2001:470:1f15:x port = ssh flags S/SA keep state label "USER_RULE: ssh"
# [repeats]

pass in quick on gif0 reply-to (gif0 2001:470:1f14:x) inet6 proto tcp from 2a01:4f8:x to 2001:470:1f15:x port = http flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on gif0 reply-to (gif0 2001:470:1f14:x) inet6 proto tcp from 2a01:4f9:x to 2001:470:1f15:x port = http flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on gre0 reply-to (gre0 5.255.x) inet proto icmp all keep state label "USER_RULE"
pass in quick on gre0 reply-to (gre0 5.255.x) inet proto tcp from ! 213.124.174.x to 185.216.161.237 flags S/SA keep state label "USER_RULE: allow klant"
pass in log quick on igb1.1337 inet from 185.216.161.232/29 to 213.124.174.x flags S/SA keep state label "USER_RULE: eipv4-itt"
pass in log quick on igb1.1337 inet proto tcp from ! 213.124.174.x to 185.216.161.237 flags S/SA keep state label "USER_RULE: allow to klant"
pass in quick on igb1.1337 route-to (gre0 5.255.x) inet from 185.216.161.232/29 to ! 213.124.174.x flags S/SA keep state label "USER_RULE"
pass in log quick on igb1.1337 inet6 from 2a03:10c3:x/64 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on igb1.1337 route-to (gif1 2a03:10c3:x) inet6 from 2a03:10c3:x/64 to any flags S/SA keep state label "USER_RULE: extraipv6 src net"
pass in log quick on igb1.1337 inet6 from <ExtraIPv6net> to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on igb1.1337 route-to (gif1 2a03:10c3:x) inet6 from <ExtraIPv6net> to any flags S/SA keep state label "USER_RULE: extraipv6 src net"
pass in log quick on gif1 reply-to (gif1 2a03:10c3:x) inet6 proto ipv6-icmp all keep state label "USER_RULE: eip6-out-icmp"
anchor "tftp-proxy/*" all


Everything above line 135 (anchor "userrules/*" all) I have no direct control over via the pfSense web interface (apart from the bogons/RFC1918 checkboxes on each interface).

  • MrNGm
  • Registered: August 2004
Right, solved.

There was a rule in the LAN tab, translated into pf:

code:
pass in quick on igb1 route-to (igb0 213.124.174.1) inet from 10.33.8.0/24 to ! 10.33.8.0/24 flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"


(this existed before the ExtraIP configuration was active; it is a generic allow rule for LAN->WAN traffic. The only Outbound NAT rule (10.33.8.0/24->* masquerade to WAN address 213.124.174.x) has remained unchanged.)

That made me realise that there is an explicit gateway in here, while it is a local route. Duplicated the firewall rule (in the web interface), pointed the destination net at the ExtraIP range, removed the policy routing, placed it one position above the existing rule, and in pf that now comes out as follows:

code:
pass in log quick on igb1 inet from 10.33.8.0/24 to 185.216.161.232/29 flags S/SA keep state label "USER_RULE: LAN->ExtraIP"


And lo and behold:

code:
: tcpdump -eni igb1.1337 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1.1337, link-type EN10MB (Ethernet), capture size 262144 bytes
21:35:54.324387 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 74: 10.33.8.12.43412 > 185.216.161.237.80: Flags [S], seq 3978473074, win 64240, options [mss 1460,sackOK,TS val 3900598369 ecr 0,nop,wscale 7], length 0
21:35:54.324836 00:23:42:aa:aa:aa > 00:0d:b9:56:ad:fd, ethertype IPv4 (0x0800), length 74: 185.216.161.237.80 > 10.33.8.12.43412: Flags [S.], seq 790268601, ack 3978473075, win 65160, options [mss 1460,sackOK,TS val 2984931456 ecr 3900598369,nop,wscale 7], length 0
21:35:54.325323 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 66: 10.33.8.12.43412 > 185.216.161.237.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3900598370 ecr 2984931456], length 0


Unfortunately I can't mark my own posts as the accepted answer, so I edited the opening post instead :*)

[ Edited 8% by MrNGm on 23-11-2020 21:43 ]
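The root cause found in the post above (a policy-routing rule with route-to being the first match for traffic to a directly attached subnet) can be audited mechanically. The following is an added example, not part of this thread and not pfSense code: a small Python checker that parses inbound quick pass rules in the form pfctl prints them and reports every directly attached network whose traffic is first matched by a route-to rule on the ingress interface. The rule lines and attached networks are copied from this thread; the function names, the simplified rule grammar, and the decision to skip tables, interface macros and IPv6 rules are my own assumptions.

```python
"""Audit pf rules for route-to policy routing that captures traffic to directly attached networks.

Added example; the rule grammar below is a deliberate subset of pf syntax (inbound quick pass
rules for inet), enough for the rules quoted in this thread. Tables (<name>), interface macros
((igb1)) and masked addresses are skipped because they cannot be evaluated offline.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the LAN rule as it was before the fix, and the ruleset order after the fix
# (the new rule without route-to placed above it), both quoted from the thread.
RULES_BEFORE_FIX = [
    'pass in quick on igb1 route-to (igb0 213.124.174.1) inet from 10.33.8.0/24 to ! 10.33.8.0/24 '
    'flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"',
]
RULES_AFTER_FIX = [
    'pass in log quick on igb1 inet from 10.33.8.0/24 to 185.216.161.232/29 '
    'flags S/SA keep state label "USER_RULE: LAN->ExtraIP"',
] + RULES_BEFORE_FIX

# Directly attached IPv4 networks per interface, from the setup in the opening post.
ATTACHED: Dict[str, ipaddress.IPv4Network] = {
    "igb1": ipaddress.ip_network("10.33.8.0/24"),
    "igb1.1337": ipaddress.ip_network("185.216.161.232/29"),
}

RULE_RE = re.compile(
    r'^pass\s+in\s+(?:log\s+)?quick\s+on\s+(?P<iface>\S+)\s+'
    r'(?:route-to\s+\((?P<rt>[^)]+)\)\s+)?'      # optional policy routing: (interface gateway)
    r'inet\s+(?:proto\s+\S+\s+)?'
    r'from\s+(?P<src>!\s*\S+|\S+)\s+'
    r'to\s+(?P<neg>!\s+)?(?P<dst>\S+)'
    r'(?:.*label\s+"(?P<label>[^"]*)")?'
)


@dataclass
class Rule:
    iface: str
    route_to: Optional[str]                 # e.g. "igb0 213.124.174.1", None when not policy-routed
    src: str
    dst: Optional[ipaddress.IPv4Network]    # None means "any"
    dst_negated: bool
    label: str


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one pfctl rule line; return None for rules outside the supported subset."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None                          # block rules, anchors, inet6, non-quick rules
    dst_tok = m.group("dst")
    if dst_tok == "any":
        dst = None
    elif dst_tok.startswith(("<", "(")):
        return None                          # table or interface macro: resolved at load time
    else:
        try:
            dst = ipaddress.ip_network(dst_tok, strict=False)
        except ValueError:
            return None                      # masked address such as 213.124.174.x
    return Rule(m.group("iface"), m.group("rt"), m.group("src"), dst,
                m.group("neg") is not None, m.group("label") or "<unlabelled>")


def dst_matches(rule: Rule, net: ipaddress.IPv4Network) -> bool:
    """True if at least one address in `net` satisfies the rule's destination clause."""
    if rule.dst is None:
        return True
    if rule.dst_negated:
        # "to ! X" matches anything outside X, so `net` is caught unless it lies wholly inside X
        return not net.subnet_of(rule.dst)
    return rule.dst.overlaps(net)


def audit(rule_lines: List[str], attached: Dict[str, ipaddress.IPv4Network],
          ingress: str) -> List[str]:
    """Walk the rules in pf order for one ingress interface (quick: first match wins) and report
    each attached network on another interface whose traffic is first caught by a route-to rule."""
    rules = [r for r in map(parse_rule, rule_lines) if r is not None and r.iface == ingress]
    findings = []
    for net_iface, net in attached.items():
        if net_iface == ingress:
            continue
        for rule in rules:
            if not dst_matches(rule, net):
                continue
            if rule.route_to:
                findings.append(
                    f'{ingress}: traffic to {net} (directly attached on {net_iface}) first matches '
                    f'"{rule.label}" and is policy-routed via {rule.route_to}; a directly attached '
                    f'destination should be reached over its local route instead')
            break                            # first matching quick rule decides
    return findings


if __name__ == "__main__":
    for name, rules in (("before fix", RULES_BEFORE_FIX), ("after fix", RULES_AFTER_FIX)):
        found = audit(rules, ATTACHED, "igb1")
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Feeding the output of `pfctl -sr` into `audit()` line by line, with the attached networks for each interface, gives the same first-match walk pf itself performs; the ruleset before the fix produces one finding for 185.216.161.232/29, the ruleset after the fix produces none because the more specific rule without route-to now wins.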


  • MrNGm
  • Registered: August 2004
Hmm, it's good in itself that it works, except that it isn't being NATed to the WAN IP.

I'll keep tinkering for a bit.

  • MrNGm
  • Registered: August 2004
Adding a rule under Firewall -> NAT -> Outbound also fixes the last problem:

- Interface: EXTRAIPVLAN
- Address family: IPv4
- Protocol: any
- Source: network: 10.33.8.0/24
- Destination: network: 185.216.161.232/29
Translation
- Address: Other Subnet (Enter below):
- Other subnet: 213.124.174.x/32
- Port: Static Port

code:
: tcpdump -eni igb1.1337 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1.1337, link-type EN10MB (Ethernet), capture size 262144 bytes
22:01:09.934943 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 74: 213.124.174.x.43554 > 185.216.161.237.80: Flags [S], seq 3145160928, win 64240, options [mss 1460,sackOK,TS val 3902113980 ecr 0,nop,wscale 7], length 0
22:01:09.935370 00:23:42:aa:aa:aa > 00:0d:b9:56:ad:fd, ethertype IPv4 (0x0800), length 74: 185.216.161.237.80 > 213.124.174.x.43554: Flags [S.], seq 246622207, ack 3145160929, win 65160, options [mss 1460,sackOK,TS val 1939811651 ecr 3902113980,nop,wscale 7], length 0
22:01:09.935851 00:0d:b9:56:ad:fd > 00:23:42:aa:aa:aa, ethertype IPv4 (0x0800), length 66: 213.124.174.x.43554 > 185.216.161.237.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3902113981 ecr 1939811651], length 0

  • Best answer
  • Kabouterplop01
  • Registered: March 2002

Nice!! Indeed, if you can't find it through L3 testing like that, there must be a rule somewhere...