Hello Adam,
Thanks a lot for your reply. I unchecked "Block private networks" and "Block bogon
networks" on all interfaces. Then I modified /etc/inc/filter.inc so that no
antispoof directives are generated on both pfSense boxes and rebooted them. I
checked /tmp/rules.debug and confirmed that no bogon and antispoof directives
were generated. Result: the problem persists!
Anything else I could try?
Thanks

Date: Tue, 15 Jul 2014 08:23:23 +0400
From: netsys...@live.com
To: t...@diadeis.mu
Subject: Fwd: Re: [pfSense] Disable antispoofing on an interface

-------- Original Message --------
Subject: Re: [pfSense] Disable antispoofing on an interface
Date: Mon, 14 Jul 2014 20:24:36 -0500
From: Adam Thompson <athom...@athompso.net>
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>, NetSys Pro <netsys...@live.com>

I suspect you need to be looking not for anti-spoofing but for
anti-bogon rules.

Can't remember what pfSense calls it offhand.

-Adam

On July 14, 2014 6:19:22 PM CDT, NetSys Pro <netsys...@live.com> wrote:

Hello everyone,

First of all, please note that I have already posted the
question below on the pfSense forum (see
https://forum.pfsense.org/index.php?topic=79081.0)
about 1 week ago without any reply.

Given the urgency of the matter, I decided to post to the
mailing list, hoping for some help here.

BTW: I don't know if this will be of any help to obtain a
reply, but please note that I have a Gold membership
subscription as well.

So, regarding my question, I'll copy/paste from the forum as
follows:

I have 2 pfSense boxes (both version 2.1.4) connected via the
Internet. Each one has 3 interfaces: LAN, WAN & OPT1.

There is an IPsec VPN between the 2 pfSense boxes.

A WAN optimisation (we'll call it WANOPT) appliance is
connected to the OPT1 interface on each side.

There is a UDP tunnel between the 2 WANOPT appliances. This
UDP tunnel goes inside the IPsec tunnel.

I use PBR (as a LAN rule) to redirect traffic going to the
remote LAN into the WANOPT appliance.

This is what I've observed after starting to ping a remote LAN
machine from a local LAN machine:

1. On reaching the local LAN interface, the ICMP echo request
is properly redirected to the WANOPT appliance.

2. The ICMP request then goes inside the UDP tunnel.

3. The UDP packets go into the IPsec tunnel.

4. On the remote side, a tcpdump shows that the ICMP packet
does come out of the WANOPT appliance and therefore the UDP
tunnel.

5. It then reaches the OPT1 interface of the remote firewall.

6. However, it does NOT come out of any interface!!!

7. I have an "Allow all protocols from any to any" rule on
both the IPsec and OPT1 interfaces, for testing purposes.

8. There's nothing in the log saying that the packet was
dropped. In fact, there's a log entry which says that the
packet was actually allowed into the OPT1 interface!

What has happened to the packet?

NB:

1. On the remote side, when the ICMP packet comes out of the
UDP tunnel, its source IP is that of the local LAN machine and
its destination is that of the remote LAN machine.

2. Is this packet being considered a spoofed packet?

I modified the file /etc/inc/filter.inc (around line 3105 in
pfSense 2.1.4) to disable antispoofing on the OPT1 interface
and rebooted both firewalls without any success.

I confirmed that the file /tmp/rules.debug did not contain the
antispoof directive for the OPT1 interface after reboot.

RFC 1918 private IP addresses are not being blocked either.

Thank you for any help.

List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

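The debugging step both messages rely on is reading /tmp/rules.debug to see which antispoof, bogon and private-network rules pfSense generated for each interface. The following POSIX shell helper, added here as an example and not code from either poster or from the pfSense project, does that check over a rules.debug-style ruleset read from standard input. The SAMPLE_RULES excerpt, its label strings and the function names are constructed for the example and modelled on pf's rule syntax; they are not a capture from a real box.

```shell
#!/bin/sh
# Added example: report the antispoof / bogon / private-network rules that a
# pfSense-generated ruleset contains for a given interface macro.
# SAMPLE_RULES is a constructed excerpt in the style of a 2.1.x /tmp/rules.debug,
# not a real capture; on a real box feed the file in instead (see the loop below).

SAMPLE_RULES='antispoof for $WAN
antispoof log for $LAN
block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
pass in quick on $OPT1 inet from any to any keep state label "USER_RULE: allow all on OPT1 (testing)"
pass in quick on $IPsec inet from any to any keep state label "USER_RULE: allow all on IPsec (testing)"'

# Print every rule on stdin that is either an antispoof directive for the
# interface macro $1 (WAN, LAN, OPT1, ...) or a generated bogon / private-network
# block rule on that interface. The macro is matched as a whole word so that
# OPT1 does not also match OPT10.
iface_spoof_rules() {
  iface="$1"
  grep -E "^antispoof .*\\\$${iface}([^0-9A-Za-z_]|\$)|^block .* on \\\$${iface} .*(<bogons|Block private)"
}

# Print the interface macros that still carry an antispoof directive, one per line.
antispoof_interfaces() {
  sed -n 's/^antispoof .*\$\([A-Za-z0-9_]*\).*/\1/p'
}

# Number of spoof-related rules for interface $1 in the ruleset on stdin.
# grep exits 1 when nothing matches, but the pipeline's status is wc's, so an
# interface with no such rules reports 0 instead of aborting a `set -e` script.
iface_spoof_rule_count() {
  iface_spoof_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a real firewall replace
# `printf '%s\n' "$SAMPLE_RULES"` with `cat /tmp/rules.debug`.
for ifc in WAN LAN OPT1; do
  printf '%s: %s spoof-related rule(s)\n' "$ifc" \
    "$(printf '%s\n' "$SAMPLE_RULES" | iface_spoof_rule_count "$ifc")"
done
printf 'interfaces with antispoof: %s\n' \
  "$(printf '%s\n' "$SAMPLE_RULES" | antispoof_interfaces | tr '\n' ' ')"
```

This inspects the ruleset pfSense wrote out, which is what the thread checks; it says nothing about whether that file is what pf has actually loaded. The loaded ruleset (`pfctl -sr`) shows real device names rather than the `$WAN`-style macros, so the patterns above would need the device name there. Since the poster's log shows the packet being passed in on OPT1 and the generated antispoof and bogon rules are already gone, a clean result from this check only narrows the search to what happens after the pass rule, not to the ruleset itself.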