Hi List,
I'm kind of stumped by this.
Situation:
pfSense with 3 Interfaces
WAN: 192.168.0.161/24 (DHCP)
LAN: 192.168.133.1/24
OPT1 (renamed "DMZ"): 172.16.0.2/12
What I did:
1) fresh install of 2.1-RELEASE as virtual machine (KVM on Linux host),
with same virtual machine settings as for 2.0.3-RELEASE
2) enabled virtio network and disk devices as described on the wiki
3) loaded config of 2.0.3-RELEASE and changed interface/disk names as
required
What I did NOT do until the issue appeared:
change any firewall rules
Issue:
After upgrading, all TCPv4 connections (and possibly UDPv4 too) between
LAN and OPT1 (and vice versa) do not work
(Haven't tried IPv6 at all, since I don't have that configured)
What I'm trying is (as an example, http/proxy connections via
80/8080/3128 don't work, either):
ssh from 192.168.133.100 to 172.16.0.110
Firewall log shows that the connection is being attempted and allowed:
pass Dec 12 08:51:10 LAN 192.168.133.100:51876 172.16.0.110:22 TCP:S
Result: Nothing happens, connection silently times out
Same goes for the opposite direction, I try:
ssh from 172.16.0.110 to 192.168.133.100
Firewall log shows that the connection is being attempted and allowed:
pass Dec 12 09:02:55 DMZ 172.16.0.110:52172 192.168.133.100:22 TCP:S
Result: Nothing happens, connection silently times out
On 192.168.133.100, the source machine, netstat -rn gives:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG      0 0          0 br1
172.16.0.0      192.168.133.1   255.240.0.0     UG      0 0          0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0          0 br1
192.168.133.0   0.0.0.0         255.255.255.0   U       0 0          0 br0
On the pfSense box, netstat -rn gives:
Routing tables

Internet:
Destination        Gateway            Flags  Refs   Use  Netif Expire
default            192.168.0.1        UGS       0  7611 vtnet0
127.0.0.1          link#4             UH        0    28    lo0
172.16.0.0/12      link#3             U         0 17787 vtnet2
172.16.0.2         link#3             UHS       0     0    lo0
192.168.0.0/24     link#1             U         0  7669 vtnet0
192.168.0.1        52:54:00:60:93:00  UHS       0 19408 vtnet0
192.168.0.161      link#1             UHS       0     0    lo0
192.168.133.0/24   link#2             U         0  2193 vtnet1
192.168.133.1      link#2             UHS       0     0    lo0

Internet6:
Destination                       Gateway                         Flags  Netif Expire
::1                               ::1                             UH     lo0
fe80::%vtnet0/64                  link#1                          U      vtnet0
fe80::5054:ff:fe60:9300%vtnet0    link#1                          UHS    lo0
fe80::%vtnet1/64                  link#2                          U      vtnet1
fe80::5054:ff:fe60:9301%vtnet1    link#2                          UHS    lo0
fe80::%vtnet2/64                  link#3                          U      vtnet2
fe80::5054:ff:fe60:9302%vtnet2    link#3                          UHS    lo0
fe80::%lo0/64                     link#4                          U      lo0
fe80::1%lo0                       link#4                          UHS    lo0
ff01::%vtnet0/32                  fe80::5054:ff:fe60:9300%vtnet0  U      vtnet0
ff01::%vtnet1/32                  fe80::5054:ff:fe60:9301%vtnet1  U      vtnet1
ff01::%vtnet2/32                  fe80::5054:ff:fe60:9302%vtnet2  U      vtnet2
ff01::%lo0/32                     ::1                             U      lo0
ff02::%vtnet0/32                  fe80::5054:ff:fe60:9300%vtnet0  U      vtnet0
ff02::%vtnet1/32                  fe80::5054:ff:fe60:9301%vtnet1  U      vtnet1
ff02::%vtnet2/32                  fe80::5054:ff:fe60:9302%vtnet2  U      vtnet2
ff02::%lo0/32                     ::1                             U      lo0
Funnily, when I ssh to 192.168.133.1 (the pfSense box), I can continue
to ssh to 172.16.0.110 just fine from there.
On 172.16.0.110, the destination machine, netstat -rn gives:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         172.16.0.2      0.0.0.0         UG      0 0          0 eth0
172.16.0.0      0.0.0.0         255.240.0.0     U       0 0          0 eth0
Connections between OPT1/DMZ and WAN work just fine:
When I try:
ssh from 172.16.0.110 to 192.168.0.10
The firewall log shows:
pass Dec 12 09:19:50 DMZ 172.16.0.110:43745 192.168.0.10:22 TCP:S
And it connects just fine.
Since this is a test environment, I had no pain disabling all firewall
rules and adding a
"pass, log IPv4 * * * * * * none"
at the top of every interface ruleset.
This doesn't change a thing with regards to the TCP packets though (and
yes, I hit the "reload" button):
After making this change, I can ping from anywhere to anywhere just fine.
SSH/HTTP/Proxy still don't work across interfaces.
So it seems only TCP (and possibly UDP) is affected by whatever is
causing this, while ICMP goes through (as long as there's no blocking rule).
My first thought was that "Block private networks" was enabled for one
of the interfaces, but the option is disabled for all.
All I'm blocking is "Bogon Networks" on WAN.
What has changed between 2.0.3-RELEASE and 2.1-RELEASE that causes this,
what am I doing wrong?
Or is virtio buggy and causing this?
I am confused. Please help me.
-Stefan
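As an added diagnostic example (not from the post and not pfSense's own code): a longest-prefix route lookup over the three netstat -rn tables quoted above, tracing both directions of the LAN/DMZ path to confirm that routing is symmetric through pfSense, so the SYN that the filter log reports as passed should in fact be forwarded and the fault lies somewhere other than routing or the ruleset. The table names, the OWNER gateway-to-table mapping and the trace() helper are my own constructions.

```python
import ipaddress

# Sample input constructed from the netstat -rn output quoted in the post.
LAN_HOST = """Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 br1
172.16.0.0 192.168.133.1 255.240.0.0 UG 0 0 0 br0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
192.168.133.0 0.0.0.0 255.255.255.0 U 0 0 0 br0"""
DMZ_HOST = """0.0.0.0 172.16.0.2 0.0.0.0 UG 0 0 0 eth0
172.16.0.0 0.0.0.0 255.240.0.0 U 0 0 0 eth0"""
PFSENSE = """default 192.168.0.1 UGS 0 7611 vtnet0
172.16.0.0/12 link#3 U 0 17787 vtnet2
172.16.0.2 link#3 UHS 0 0 lo0
192.168.0.0/24 link#1 U 0 7669 vtnet0
192.168.0.1 52:54:00:60:93:00 UHS 0 19408 vtnet0
192.168.133.0/24 link#2 U 0 2193 vtnet1
192.168.133.1 link#2 UHS 0 0 lo0"""

def parse_linux(text):
    """Linux netstat -rn: Destination Gateway Genmask ... Iface; gateway 0.0.0.0 = on-link."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 8 and f[0] != "Destination":
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
            routes.append((net, None if f[1] == "0.0.0.0" else f[1], f[7]))
    return routes

def parse_bsd(text):
    """FreeBSD netstat -rn: Destination Gateway Flags Refs Use Netif; link#/MAC gateway = on-link."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 6:
            dst = "0.0.0.0/0" if f[0] == "default" else f[0]
            gw = f[1] if f[1].count(".") == 3 else None
            routes.append((ipaddress.ip_network(dst, strict=False), gw, f[5]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: (next_hop, iface); next_hop None means directly attached."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

TABLES = {"lan_host": parse_linux(LAN_HOST), "dmz_host": parse_linux(DMZ_HOST),
          "pfsense": parse_bsd(PFSENSE)}
OWNER = {"192.168.133.1": "pfsense", "172.16.0.2": "pfsense"}  # gateway IP -> its table
def trace(src, dst):
    """Follow next hops table by table until the destination is on-link."""
    hops, node = [], src
    while node is not None:
        next_hop, iface = lookup(TABLES[node], dst)
        hops.append((node, iface, next_hop))
        node = OWNER.get(next_hop)
    return hops
```

trace("lan_host", "172.16.0.110") ends on pfSense's vtnet2 and trace("dmz_host", "192.168.133.100") ends on vtnet1, matching the pass entries in the filter log for both directions.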
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list