Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
Yes, you're right, in my setup this was the solution: disable Automatic outbound NAT rule generation. I removed the gateway in my DMZ and it is working as expected. Thank you all for your help; what a great software pfSense is. Best regards

2008/8/20 Chris Buechler [EMAIL PROTECTED]:
> On Wed, Aug 20, 2008 at 5:55 PM, Aliet Santiesteban Sifontes [EMAIL PROTECTED] wrote:
>> People, here I attach you an image with my current settings and the migration; it is just replacing one firewall with pfSense, without changing anything else. Notice that my WAN is a private /30 network only for connecting with the ISP; the public addresses are on the DMZ net. Is this possible as it is using pfSense??
>
> Yes, as you've been told 3 times now and this makes 4, just setup AON properly and it will work fine. Not sure what'll happen to traffic from your private network; if your ISP NATs your private /30 then you should be fine NATing that subnet to your WAN IP and not NATing your DMZ segment.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
Found part of the problem. I installed a clean pfSense and set up the three interfaces again.

WAN -- Connected to our ISP through a /30 private network
OP1-DMZ -- With the public address range assigned by our ISP
LAN -- Private segment

Nothing configured, I mean NAT, bridge etc. Added two simple rules: one to allow any from LAN on the LAN interface, and one to allow any from the DMZ interface. With this setup hosts on the DMZ segment can't reach the outside world; these hosts are configured with public network addresses. If I disable the firewall they can do it. After thinking a little bit, I started the firewall again and configured on the DMZ interface the gateway, which is supposed to be blank since it should use my default gateway (the gateway of the WAN, I guess). Only after I configured this gateway, the IP address on the other side of my ISP, did the hosts start reaching the outside world. I reproduced this many times, and this was the solution for the DMZ segment with public addresses: I must configure a gateway for this interface. Not tested on the LAN segment, but the LAN doesn't have any option to set a gateway. Is this normal???, or am I missing something??

Best regards
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
On Wed, Aug 20, 2008 at 11:56 AM, Aliet Santiesteban Sifontes [EMAIL PROTECTED] wrote:
> Found part of the problem. I installed a clean pfSense and set up the three interfaces again.
> WAN -- Connected to our ISP through a /30 private network
> OP1-DMZ -- With the public address range assigned by our ISP
> LAN -- Private segment
> Nothing configured, I mean NAT, bridge etc. Added two simple rules: one to allow any from LAN on the LAN interface, and one to allow any from the DMZ interface. With this setup hosts on the DMZ segment can't reach the outside world; these hosts are configured with public network addresses.

You have to use Advanced Outbound NAT to use public IPs on an internal network. Adding a gateway to this DMZ interface, unless it has an Internet connection and will be used as an additional WAN, is wrong. It disables the NAT configuration since it thinks it's a WAN interface, but that's wrong; you need to remove that and properly set up AON.
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
Advanced Outbound NAT (Manual Outbound NAT)
Menu... Firewall - NAT - Outbound

You'll need to research this a bit, but basically you will need to specify an interface on which the traffic will be NAT'd, the source network range, source ports (*), destination and destination ports (*), the address it will be NAT'd as, and what static mapping (usually * and NO). Hope that didn't confuse you too bad.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Wed, Aug 20, 2008 at 3:16 PM, Aliet Santiesteban Sifontes [EMAIL PROTECTED] wrote:
> I don't understand, let me give more info: Right now this is a running setup with Checkpoint. I mean, I have a net with my ISP only to connect the firewall to them; it is a /30 private range on the first nic1. I have another net on the other nic2 with hosts with public addresses configured, I mean these hosts have public addresses configured and do not use NAT. I have another net on nic3 with a private LAN. Now, I'm replacing the Checkpoint with pfSense on a server with three NICs, and I must keep the current setup. One net on nic1 with my ISP, the other net on nic2 will have connected the current running hosts which have a public range address configured, and on nic3 connect the running private LAN. I don't want to use NAT in the current running public net; I just need this net working (routing) through pfSense, and to be able to configure some filters in this network. This net is currently my op1 in pfSense, and the only way they route to the Internet is when I configure the gateway of my ISP. Any better solution to do this, without changing the current nets, only the firewall?? My point is that I don't wanna change every single host on these nets, just the firewall.
> best regards
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
Yes, Advanced Outbound NAT works fine for me too. I had WAN, LAN and VPN interfaces. Using automatic NAT, the traffic stopped flowing on the VPN interface (bridging over LAN). But enabling Manual Outbound NAT, everything works.

Best Regards,
Luiz Vaz
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
I probably shouldn't introduce any further issues here... but aren't there issues having a 192.168.1.0/30 and a 192.168.1.0/24 on the same router? If you ping 192.168.1.1 or 192.168.1.2 from your router, what interface will it route those requests to?

Tim Nelson
Systems/Network Engineer
Rockbochs Inc.
(218)727-4332 x105
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
On Wed, Aug 20, 2008 at 6:12 PM, Tim Nelson [EMAIL PROTECTED] wrote:
> I probably shouldn't introduce any further issues here... but aren't there issues having a 192.168.1.0/30 and a 192.168.1.0/24 on the same router? If you ping 192.168.1.1 or 192.168.1.2 from your router, what interface will it route those requests to?

Ah yeah, I overlooked that - the LAN and WAN cannot even partially fall into the same subnet to ensure appropriate behavior. The LAN here needs to be something that is not inclusive of 192.168.1.0/30, maybe 192.168.2.0/24.
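The two configuration points raised in this thread, Curtis LaMasters' description of manual outbound NAT (translate only the subnets you choose, on the egress interface) and Tim Nelson's overlapping-subnet question, as an added Python check that is not from the thread or from pfSense: it models the three-interface layout with constructed addresses (198.51.100.0/29 standing in for the ISP-routed public block), reports overlapping interface subnets, resolves the egress interface by longest-prefix match as the kernel routing table would, and shows what source address a DMZ or LAN packet carries under automatic versus manual outbound NAT.

```python
"""Model of the thread's three-interface pfSense layout.  Added example, not
pfSense's code.  Addresses are constructed: 198.51.100.0/29 stands in for
the ISP-routed public block on the DMZ, 192.168.1.0/30 is the WAN link."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    network: IPv4Network   # subnet configured on the interface
    address: IPv4Address   # the firewall's own address on it


WAN = Interface("wan", ip_network("192.168.1.0/30"), ip_address("192.168.1.2"))
DMZ = Interface("opt1", ip_network("198.51.100.0/29"), ip_address("198.51.100.1"))
LAN = Interface("lan", ip_network("192.168.2.0/24"), ip_address("192.168.2.1"))
INTERFACES = [WAN, DMZ, LAN]
# The overlap Tim Nelson describes: a /24 LAN that contains the /30 WAN link.
OVERLAPPING_LAN = Interface("lan", ip_network("192.168.1.0/24"),
                            ip_address("192.168.1.254"))


def overlapping_interfaces(interfaces):
    """Pairs of interfaces whose subnets overlap, even partially.  pfSense
    needs every interface subnet to be disjoint from the others."""
    pairs = []
    for i, a in enumerate(interfaces):
        for b in interfaces[i + 1:]:
            if a.network.overlaps(b.network):
                pairs.append((a.name, b.name))
    return pairs


def egress_interface(dst, interfaces):
    """Interface a packet to dst leaves on: longest-prefix match over the
    connected subnets (how the kernel routing table decides), and the
    default route via WAN for anything not directly connected."""
    candidates = [i for i in interfaces if ip_address(dst) in i.network]
    if not candidates:
        return "wan"
    return max(candidates, key=lambda i: i.network.prefixlen).name


# Outbound NAT rule: (egress interface, source network, translate-to address).
# Automatic outbound NAT translates every internal subnet leaving WAN to the
# WAN address, so the DMZ's public addresses get rewritten as well.
AUTOMATIC_RULES = [("wan", LAN.network, WAN.address),
                   ("wan", DMZ.network, WAN.address)]
# Manual (Advanced) Outbound NAT with the rule Chris Buechler suggests:
# translate only the private LAN to the WAN address; no rule for the DMZ.
MANUAL_RULES = [("wan", LAN.network, WAN.address)]


def translate_source(src, dst, rules, interfaces=INTERFACES):
    """Source address a packet carries after outbound NAT on its egress
    interface; unchanged when no rule matches, i.e. plain routing."""
    out_if = egress_interface(dst, interfaces)
    for iface, source_net, to_addr in rules:
        if iface == out_if and ip_address(src) in source_net:
            return str(to_addr)
    return str(src)


if __name__ == "__main__":
    print(overlapping_interfaces([WAN, DMZ, OVERLAPPING_LAN]))
    print(egress_interface("192.168.1.1", [WAN, DMZ, OVERLAPPING_LAN]))
    dns = "192.58.128.30"   # the DNS server from the pftop output in the thread
    for rules in (AUTOMATIC_RULES, MANUAL_RULES):
        print(translate_source("198.51.100.5", dns, rules),
              translate_source("192.168.2.10", dns, rules))
```

With the overlapping LAN, 192.168.1.1 and 192.168.1.2 always resolve to the /30 on WAN, so those two LAN hosts can never be reached from the firewall.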
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
On Wed, Aug 20, 2008 at 4:55 PM, Aliet Santiesteban Sifontes [EMAIL PROTECTED] wrote:
> People, here I attach you an image with my current settings and the migration; it is just replacing one firewall with pfSense, without changing anything else. Notice that my WAN is a private /30 network only for connecting with the ISP; the public addresses are on the DMZ net. Is this possible as it is using pfSense??

It should be. How is your LAN reaching the Internet? Is the Checkpoint performing NAT on that? If so, what address space is it NAT'ing to?

--Bill
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
Sorry, that was a typo; WAN and LAN are on different private networks. Really sorry about that. Just let me repeat again something here I guess I have not been clear about: the current setup doesn't use NAT at all. The ISP just uses a /30 network to connect the equipment, and they route all the public addresses on the DMZ segment to the /30 side of our firewall, and our default gateway uses their IP address on the /30 on their side. So as a routing platform, without NAT, the DMZ network should go outside just as routed packets, and the traffic to the DMZ is routed by the ISP to our WAN IP address. Now the private segment is also routed to private networks on that side; I don't need to NAT that LAN. In short, I don't need NAT, since I just want pfSense to behave like a routing platform with firewalling capabilities for filtering. I will test your recommendations.

Best regards, and again sorry for the typo
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
Aliet Santiesteban Sifontes wrote:
> Hi all, I'm using a newly installed pfSense 1.2.1 with three attached networks, WAN, LAN and optional 1. I have defined rules on the LAN interface to allow all outgoing connections on that interface, but everything is blocked; a test DNS server query shows this on pftop:
>
> udp In  200.55.176.170:58829 192.58.128.30:53 NO_TRAFFIC:SINGLE 00:00:05 00:00:55 1 64
> udp Out 200.55.176.170:58829 192.58.128.30:53 SINGLE:NO_TRAFFIC 00:00:05 00:00:55 1 64
> udp In  200.55.176.170:30462 192.58.128.30:53 NO_TRAFFIC:SINGLE 00:00:03 00:00:57 1 64
> udp Out 200.55.176.170:30462 192.58.128.30:53 SINGLE:NO_TRAFFIC 00:00:03 00:00:57 1 64
>
> If I disable the firewall everything works as expected. I saw this post googling: http://lists.freebsd.org/pipermail/freebsd-pf/2006-June/002260.html

That's not related; you aren't going to have IP options fields in your DNS traffic. The only thing that legitimately uses IP options today is PIM and IGMP, as the person who posted that was using. What you're seeing though I'm not sure; if something as simple as DNS passing through 1.2.1 didn't work we would have heard about it long ago and I wouldn't be able to send this email. Are you seeing any drops in your firewall logs?
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
Let me give you more info:

LAN Net: 200.x.x.x/29 (Public Net)        OP1 Net: 192.168.x.x/24 (Private Net)
            ||                                        ||
                               PFSense
                                  |
                                  |
Wan Net: 192.168.x.x/30 only for connection to my ISP

OP1 link status is down, since I have it unplugged from the network. LAN and WAN link status OK. All the inbound rules on WAN are working as expected from outside. On the LAN interface only one rule allowing any traffic from this net to any. On the opt1 interface only one rule allowing all traffic to any. Traffic from LAN can't reach the outside world; this is only happening when the firewall is enabled, when I disable the firewall I can reach outside from LAN. I can't see any drops in logs. I'm not using VLANs on the firewall, but one of the nets comes from a VLAN-configured switch.

Best regards
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
Also, I'm not using bridge or NAT stuff.
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
On Tue, Aug 19, 2008 at 4:07 PM, Aliet Santiesteban Sifontes [EMAIL PROTECTED] wrote:
> Hi all, I'm using a newly installed pfSense 1.2.1 with three attached networks, WAN, LAN and optional 1. I have defined rules on the LAN interface to allow all outgoing connections on that interface, but everything is blocked; a test DNS server query shows this on pftop:

What makes you think pfSense is blocking the traffic? Are the logs pointing to this? Have you tcpdump'd on the outside interface to show the traffic not leaving the firewall? Maybe it's not getting NAT'd correctly - are you expecting it to be NAT'd?

Also, ASCII network diagrams rarely work properly for anyone using systems that render email with truetype fonts; can you provide an image with your layout (not that I suspect this is of issue, but since you provided one and it'd be helpful to understanding what it is you are trying to do, it'd be nice).

Thanks
--Bill
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
BTW, hit send too early, but pftop is clearly showing that the state is getting inserted in the firewall state table. pfSense isn't blocking this. It may not be contributing to making it work, but that will likely be due to a misconfig, not due to the platform itself.

--Bill
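Bill's reading of the pftop output posted earlier in the thread (a state exists, so pf passed the packet; one packet out and nothing back), as an added Python diagnostic that is not from the thread, pftop or pfSense: it parses pftop state lines in the assumed default column order PR DIR SRC DEST STATE AGE EXP PKTS BYTES, pairs the In/Out halves of each flow, and reports flows whose Out state shows a sender half with traffic and a NO_TRAFFIC receiver half, which points the investigation at NAT or routing rather than at a block rule.

```python
"""Diagnose pftop state lines like the ones posted in this thread.  Added
example, not pftop's or pfSense's code.  Assumed column order is pftop's
default state view: PR DIR SRC DEST STATE AGE EXP PKTS BYTES."""
from collections import defaultdict

# Constructed sample built from the two DNS queries in the original post,
# one In and one Out state each.
PFTOP_SAMPLE = """\
udp In  200.55.176.170:58829 192.58.128.30:53 NO_TRAFFIC:SINGLE 00:00:05 00:00:55 1 64
udp Out 200.55.176.170:58829 192.58.128.30:53 SINGLE:NO_TRAFFIC 00:00:05 00:00:55 1 64
udp In  200.55.176.170:30462 192.58.128.30:53 NO_TRAFFIC:SINGLE 00:00:03 00:00:57 1 64
udp Out 200.55.176.170:30462 192.58.128.30:53 SINGLE:NO_TRAFFIC 00:00:03 00:00:57 1 64
"""


def parse_pftop(text):
    """One dict per well-formed state line; anything else is skipped."""
    states = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9:
            continue
        proto, direction, src, dst, state, age, exp, pkts, nbytes = fields
        if direction not in ("In", "Out") or ":" not in state:
            continue
        states.append({"proto": proto, "dir": direction, "src": src,
                       "dst": dst, "state": state, "age": age, "exp": exp,
                       "pkts": int(pkts), "bytes": int(nbytes)})
    return states


def unanswered_flows(text):
    """Flows for which pf created a state (so a block rule is not what
    stops them) but has not matched a single packet from the far side.

    Reads the Out state's STATE column as SENDER:RECEIVER in the same order
    as the SRC/DEST addresses (assumption, consistent with the posted lines):
    a non-NO_TRAFFIC sender half with a NO_TRAFFIC receiver half means the
    query went out and nothing came back, so look at NAT and routing next."""
    flows = defaultdict(dict)
    for s in parse_pftop(text):
        flows[(s["proto"], s["src"], s["dst"])][s["dir"]] = s
    report = []
    for key, halves in flows.items():
        out_state = halves.get("Out")
        if out_state is None:
            continue
        sender, receiver = out_state["state"].split(":", 1)
        if sender != "NO_TRAFFIC" and receiver == "NO_TRAFFIC":
            report.append({"flow": key, "sent_pkts": out_state["pkts"],
                           "expires_in": out_state["exp"],
                           "verdict": "state created, no reply matched"})
    return report


if __name__ == "__main__":
    for entry in unanswered_flows(PFTOP_SAMPLE):
        print(entry)
```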
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
What makes me think it is the pfSense firewall part is the fact that if I disable the firewall stuff in pfSense everything starts working OK; I mean, LAN machines are able to go outside if pfSense is running just as a routing platform. Once I enable the firewall I lose the traffic on these hosts. I will try to go deep on this tomorrow; I will start with a fresh install, since there are a lot of rules on the WAN interface and also many aliases, maybe some kind of typo in the aliases or rules. I will start at the first steps, and I will try to reproduce this in a basic config, without so many rules. I'm lucky since I'm testing. I'll let you know the progress.

Best regards