I suspect you need to be looking not for anti-spoofing but for anti-bogon rules.
Can't remember what pfSense calls it offhand.
-Adam


On July 14, 2014 6:19:22 PM CDT, NetSys Pro <netsys...@live.com> wrote:
>Hello everyone,
>
>First of all, please note that I have already posted the question below
>on the pfSense forum (see 
>https://forum.pfsense.org/index.php?topic=79081.0) since about 1 week 
>without any reply.
>Given the urgency of the matter, I decided to post to the mailing list,
>hoping for some here.
>
>BTW: I don't know if this will be of any help to obtain a reply, please
>note that I have a Gold membership subscription as well.
>
>So, regarding my question, I'll copy/paste from the forum as follows:
>
>
>I have 2 pfSense boxes (both version 2.1.4) connected via the Internet.
>Each one has 3 interfaces: LAN, WAN & OPT1.
>There is an IPsec VPN between the 2 pfSense boxes.
>A WAN optimisation (we'll call it WANOPT) appliance is connected to the
>OPT1 interface on each side.
>There is a UDP tunnel between the 2 WANOPT appliances. This UDP tunnel 
>goes inside the IPsec tunnel.
>I use PBR (as a LAN rule) to redirect traffic going to the remote LAN 
>into the WANOPT appliance.
>
>This is what I've observed after starting to ping a remote LAN machine 
>from a local LAN machine:
>1. On reaching the local LAN interface, the ICMP echo request is 
>properly redirected to the WANOPT appliance.
>2. The ICMP request then goes inside the UDP tunnel.
>3. The UDP packets go into the IPsec tunnel.
>4. On the remote side, a tcpdump shows that the ICMP packet does come 
>out of the WANOPT appliance and therefore the UDP tunnel.
>5. It then reaches the OPT1 interface of the remote firewall.
>6. However, it does NOT come out any interface!!!
>7. I have an "Allow all protocols from any to any" rule on both the 
>IPsec and OPT1 interfaces, for testing purposes.
>8. There's nothing in the log saying that the packet was dropped. In 
>fact, there's a log entry which says that the packet was actually 
>allowed into the OPT1 interface!
>
>What has happened to the packet?
>
>NB:
>1. On the remote side, when the ICMP packet comes out of the UDP tunnel,
>its source IP is that of the local LAN machine and its destination is 
>that of the remote LAN machine.
>2. Is this packet being considered a spoofed packet?
>
>I modified the file /etc/inc/filter.inc (around line 3105 in pfSense 
>2.1.4) to disable antispoofing on the OPT1 interface and rebooted both 
>firewalls without any success.
>I confirmed that the file /tmp/rules.debug did not contain the antispoof
>directive for the OPT1 interface after reboot.
>RFC 1918 private IP addresses are not being blocked either.
>
>Thank you for any help.
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>List mailing list
>List@lists.pfsense.org
>https://lists.pfsense.org/mailman/listinfo/list

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
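
One way to check a generated ruleset such as /tmp/rules.debug for the source-address filters mentioned in this thread (antispoof, bogon blocks, RFC 1918 blocks), interface by interface. This is an added example, not part of either message; the sample ruleset is constructed in pf.conf syntax, and the device names (em0, em1, em2) and the function name are assumptions.

```python
import re

# Constructed sample in pf.conf syntax; not copied from a real firewall.
SAMPLE_RULES = '''\
WAN = "{ em0 }"
LAN = "{ em1 }"
OPT1 = "{ em2 }"
antispoof for em0
antispoof for em1
block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from WAN"
pass in quick on $OPT1 inet from any to any keep state label "USER_RULE: allow all"
'''

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Interface macro definition, e.g.  OPT1 = "{ em2 }"
MACRO = re.compile(r'^(\w+)\s*=\s*"\{?\s*([^}"]*?)\s*\}?"\s*$')

def source_filters(rules_text):
    """Map each interface macro to the source-address filters applied to it."""
    macros, found = {}, {}
    for raw in rules_text.splitlines():
        m = MACRO.match(raw.strip())
        if m:
            macros[m.group(1)] = m.group(2).split()
            found[m.group(1)] = set()
            continue
        tok = raw.split()
        if not tok or tok[0] not in ("antispoof", "block"):
            continue
        # antispoof names its interface after "for", block rules after "on"
        key = "for" if tok[0] == "antispoof" else "on"
        if key not in tok[:-1]:
            continue
        ifspec = tok[tok.index(key) + 1]
        if ifspec.startswith("$"):
            names = [ifspec[1:]]
        else:  # raw device name: map it back to the macro(s) that contain it
            names = [n for n, devs in macros.items() if ifspec in devs]
        src = tok[tok.index("from") + 1] if "from" in tok[:-1] else ""
        if tok[0] == "antispoof":
            kind = "antispoof"
        elif src.startswith("<bogons"):
            kind = "bogons"
        elif src in RFC1918:
            kind = "rfc1918"
        else:
            continue
        for name in names:
            found.setdefault(name, set()).add(kind)
    return found
```

An interface that maps to an empty set has none of these three filters in the ruleset that was parsed.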