Hello Adam,

Anything else I could try?

Thanks

Subject: Re: [pfSense] Disable antispoofing on an interface
From: athom...@athompso.net
Date: Mon, 14 Jul 2014 20:24:36 -0500
To: list@lists.pfsense.org; netsys...@live.com

I suspect you need to be looking not for anti-spoofing but for anti-bogon rules.

Can't remember what pfSense calls it offhand.

-Adam



On July 14, 2014 6:19:22 PM CDT, NetSys Pro <netsys...@live.com> wrote:

Hello everyone,

First of all, please note that I have already posted the question below on the pfSense forum (see https://forum.pfsense.org/index.php?topic=79081.0) about a week ago without any reply.

Given the urgency of the matter, I decided to post to the mailing list, hoping for some help here.

BTW: I don't know if this will be of any help in obtaining a reply, but please note that I have a Gold membership subscription as well.

So, regarding my question, I'll copy/paste from the forum as follows:

I have 2 pfSense boxes (both version 2.1.4) connected via the Internet. Each one has 3 interfaces: LAN, WAN & OPT1.

There is an IPsec VPN between the 2 pfSense boxes.

A WAN optimisation appliance (we'll call it WANOPT) is connected to the OPT1 interface on each side.

There is a UDP tunnel between the 2 WANOPT appliances. This UDP tunnel goes inside the IPsec tunnel.

I use PBR (as a LAN rule) to redirect traffic going to the remote LAN into the WANOPT appliance.

This is what I've observed after starting to ping a remote LAN machine from a local LAN machine:

1. On reaching the local LAN interface, the ICMP echo request is properly redirected to the WANOPT appliance.
2. The ICMP request then goes inside the UDP tunnel.
3. The UDP packets go into the IPsec tunnel.
4. On the remote side, a tcpdump shows that the ICMP packet does come out of the WANOPT appliance and therefore out of the UDP tunnel.
5. It then reaches the OPT1 interface of the remote firewall.
6. However, it does NOT come out of any interface!!!
7. I have an "Allow all protocols from any to any" rule on both the IPsec and OPT1 interfaces, for testing purposes.
8. There's nothing in the log saying that the packet was dropped. In fact, there's a log entry which says that the packet was actually allowed into the OPT1 interface!

What has happened to the packet?

NB:

1. On the remote side, when the ICMP packet comes out of the UDP tunnel, its source IP is that of the local LAN machine and its destination is that of the remote LAN machine.
2. Is this packet being considered a spoofed packet?

I modified the file /etc/inc/filter.inc (around line 3105 in pfSense 2.1.4) to disable antispoofing on the OPT1 interface and rebooted both firewalls, without any success.

I confirmed that the file /tmp/rules.debug did not contain the antispoof directive for the OPT1 interface after the reboot.

RFC 1918 private IP addresses are not being blocked either.

Thank you for any help.


List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

-- 

Sent from my Android device with K-9 Mail. Please excuse my brevity.            
                          
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Reply via email to
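As an added check that is not part of the thread and not pfSense's own code: the original poster confirmed by eye that /tmp/rules.debug no longer carried the antispoof directive for OPT1, and Adam's reply points at the bogon rules instead. The script below pulls, out of a pfSense-generated pf ruleset, every rule that can discard traffic entering a named interface: the antispoof directive, the <bogons> table rule, the RFC 1918 "private networks" rules, any other block rule on that interface, and the interface-less default deny that applies everywhere. The ruleset it runs against is a constructed sample written in the style of pfSense 2.1 output; the interface macro names, the rule labels and the awk matching are my assumptions, so compare them against your own rules.debug before trusting a clean result.

```sh
#!/bin/sh
# Added example (not from the thread or from pfSense): list every rule in a
# pfSense-generated pf ruleset that can drop traffic arriving on one interface.
# SAMPLE_RULES is a constructed stand-in for /tmp/rules.debug; macro names,
# labels and rule wording are assumptions modelled on pfSense 2.1 output.

SAMPLE_RULES='set optimization normal
table <bogons> persist file "/etc/bogons"
LAN = "{ em1 }"
OPT1 = "{ em2 }"
block in log quick on $OPT1 from <bogons> to any label "block bogon IPv4 networks from OPT1"
antispoof for $OPT1
block in log quick on $OPT1 from 10.0.0.0/8 to any label "Block private networks from OPT1 block 10/8"
pass in quick on $OPT1 inet from any to any keep state label "USER_RULE: allow all OPT1"
pass in quick on $LAN inet from any to any keep state label "USER_RULE: Default allow LAN to any rule"
block drop in log inet all label "Default deny rule IPv4"'

# drop_rules_for IFACE   (reads a ruleset on stdin)
# Prints, tagged by kind, each rule able to drop packets entering $IFACE:
# the antispoof directive, bogon and private-network blocks, other blocks
# bound to the interface, and block rules with no "on" clause (global).
drop_rules_for() {
  awk -v m='$'"$1" '
    $1 == "antispoof" && index($0, m)        { print "antispoof: " $0; next }
    $1 != "block"                            { next }
    index($0, m) && index($0, "<bogons>")    { print "bogon:     " $0; next }
    index($0, m) && tolower($0) ~ /private/  { print "private:   " $0; next }
    index($0, m)                             { print "block:     " $0; next }
    $0 !~ / on /                             { print "global:    " $0 }
  '
}

# count_drop_rules IFACE   (reads stdin) -> number of such rules
count_drop_rules() {
  drop_rules_for "$1" | awk 'END { print NR }'
}

# antispoof_set IFACE   (reads stdin) -> exit 0 if antispoof is still present
antispoof_set() {
  drop_rules_for "$1" | grep -q '^antispoof:'
}

# Stand-alone run against the constructed sample.
main() {
  for i in OPT1 LAN; do
    echo "== rules that can drop traffic entering $i =="
    printf '%s\n' "$SAMPLE_RULES" | drop_rules_for "$i"
  done
}

main "$@"
```

On a live box, run `drop_rules_for OPT1 < /tmp/rules.debug`. Two caveats: `pfctl -s rules` prints the loaded ruleset with macros expanded to real interface names (em2 rather than $OPT1), so match on the interface name if you inspect that output instead of rules.debug; and a pf block rule without the `log` keyword leaves nothing in the firewall log, so an absent drop entry on its own does not prove that pf passed the packet.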