-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm tired and I'm making stupid mistakes.  My claim that the fault was Windoze was incorrect.  I still do not have proper packet forwarding.
I have more data.  If I check the option under system_advanced labeled 'Disable the firewalls filter altogether', the ICMP packets start to go through (there is no reply because they are not NAT'd).  I see this as an improvement.  When I turn the firewall back on, the 'destination unreachable' response resumes.

I'm using ~default~ firewall settings.  No changes at all.  I don't read pf very well; but I don't see a rule here that allows traffic from the LAN:

# pfctl -s rules
scrub on wi0 all fragment reassemble
anchor "ftpsesame/*" all
anchor "firewallrules" all
anchor "loopback" all
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"
anchor "packageearly" all
anchor "carp" all
anchor "ftpproxy" all
anchor "pftpx/*" all
pass in quick on sis0 inet proto tcp from any to (lo0) port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on sis0 inet proto tcp from any to (lo0) port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on wi0 inet proto tcp from any port = ftp-data to (wi0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
anchor "dhcpserverlan" all
pass in quick on sis0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
pass in quick on sis0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps label "allow access to DHCP server on LAN"
pass out quick on sis0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc label "allow access to DHCP server on LAN"
block drop in log quick on wi0 inet proto udp from any port = bootps to 192.168.1.0/24 port = bootpc label "allow dhcp client out wan"
pass in quick on wi0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
block drop in on ! sis0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.1 to any
block drop in on sis0 inet6 from fe80::20d:b9ff:fe02:96cc to any
anchor "spoofing" all
block drop in log quick on wi0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on wi0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on wi0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on wi0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
anchor "limitingesr" all
anchor "firewallout" all
pass out quick on wi0 all keep state label "let out anything from firewall host itself"
pass out quick on sis0 all keep state label "let out anything from firewall host itself"
anchor "anti-lockout" all
pass in quick inet from 192.168.1.0/24 to 192.168.1.1 keep state label "anti-lockout web rule"
block drop in log proto tcp from <sshlockout> to any port = ssh label "sshlockout"
pass in quick on sis0 inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"
block drop in log quick all label "Default block all just to be sure."
block drop out log quick all label "Default block all just to be sure."

I'm using BETA-2 on a wrap 2c.

Thanks.

Eric W. Bates wrote:
> alan walters wrote:
> 
>>> Try pinging from the wan in the pfsense gui to the next hop; maybe you
>>> have a cable wrong or something else silly that we all do sometimes
> 
> Thanks for the thought.
> If only that were true...
> 
> The pfsense box can ping anything and everything.  It can ping the
> machine on the LAN.  It can ping the gateway.  It can ping random
> machines on the Internet.  So all the "cables" (one is a wireless link)
> are in place and working.
> 
> The machine on the LAN can ping the LAN interface on the pfsense box.  It
> can also ping the WAN interface on the pfsense box.  It cannot ping
> anything past the pfsense box.
> 
> When I attach a tcpdump to the pfsense LAN interface you see the echo
> request and a reply of unreachable.  If I attach the tcpdump to the WAN
> interface, I see no traffic at all.  So for some reason or other, pfsense
> is refusing to forward the packet.
> 
> I figured out how to use pfctl to see the NAT rules; but I don't know
> how to dump a state table to see whether the IP from the LAN box is
> being mapped or not.  But even if the NAT was not working, I would still
> expect the machine to forward the packet with an unchanged src address
> (so I think I'm just grasping at straws).
> 
>>> -----Original Message-----
>>> From: Eric W. Bates [mailto:[EMAIL PROTECTED]
>>> Sent: 10 April 2006 22:31
>>> To: support@pfsense.com
>>> Subject: [pfSense Support] dumb routing question
>>>
>>> My pfsense box does not seem willing to forward any packets.
>>>
>>> Pretty much factory default.
>>>
>>> It has a non-routable subnet (10.128.10.1/24) on the LAN, and a legit IP
>>> on the WAN.
>>>
>>> I presume NAT is configured; but unless I turn on advanced NAT, I don't
>>> think I can see to confirm?
>>>
>>> The pfsense box has full connectivity/routing out.  But if I merely try
>>> to ping the very next hop from a machine on the LAN, the pfsense box
>>> reports an ICMP unreachable.  tcpdump attached to the WAN interface
>>> doesn't see anything (i.e. the pfsense machine is not forwarding the
>>> packets to the WAN interface, just bouncing them from the LAN
>>> interface).
>>>
>>> sysctl reports that forwarding is on:
>>> net.inet.ip.forwarding: 1
>>> net.inet.ip.fastforwarding: 1
>>>
>>> The firewall log does not report that anything is being blocked (default
>>> rule of allowing everything from the LAN side is in place).
>>>
>>> How do I look to see what the NAT config is?
>>>
>>> I can't think why else stuff is not working.
>>>
>>> Thanks.
>>>
>>> --
>>> Eric W. Bates
>>> [EMAIL PROTECTED]
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> --
> Eric W. Bates
> [EMAIL PROTECTED]

- --
Eric W. Bates
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEOy9fD1roJTQ4LlERAoIgAJ4653Yap9OAzPv2dY8wvM14+qCG/ACfdSMQ
JmVYAIN8M/14UQGrcKf2qU0=
=OYu7
-----END PGP SIGNATURE-----
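Added example, not part of the mailing-list thread and not pfSense or pf code: a small Python evaluator that walks a `pfctl -s rules` dump the way pf does, so the posted ruleset can be read mechanically instead of by eye. pf tries every rule in order and the last matching rule wins, except that a matching rule carrying `quick` ends evaluation immediately; if nothing matches, the packet passes. The embedded ruleset is the one pasted above with the anchors, the ftp-proxy rules and the `<sshlockout>` table rule left out (ports, flags, user and table matching are not modelled). The addresses used in the cases (192.168.1.100, 10.128.10.5, 198.51.100.1, 203.0.113.2) are constructed test values.

```python
"""Simplified pf rule evaluator for reading 'pfctl -s rules' output (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple

# Constructed sample: the filter rules from the posted dump, minus anchors,
# the ftp-proxy rules and the <sshlockout> table rule.
RULESET = """\
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"
block drop in log quick on wi0 inet proto udp from any port = bootps to 192.168.1.0/24 port = bootpc label "allow dhcp client out wan"
pass in quick on wi0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
block drop in on ! sis0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.1 to any
block drop in log quick on wi0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on wi0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
pass out quick on wi0 all keep state label "let out anything from firewall host itself"
pass out quick on sis0 all keep state label "let out anything from firewall host itself"
pass in quick inet from 192.168.1.0/24 to 192.168.1.1 keep state label "anti-lockout web rule"
pass in quick on sis0 inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"
block drop in log quick all label "Default block all just to be sure."
block drop out log quick all label "Default block all just to be sure."
"""


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False          # stop evaluating on match
    iface: Optional[str] = None  # None means any interface
    iface_neg: bool = False      # "on ! sis0": every interface except sis0
    af: Optional[str] = None     # "inet" / "inet6" / None (either)
    proto: Optional[str] = None  # "tcp", "udp", ... / None (any)
    src: str = "any"             # "any" or a CIDR / host address
    dst: str = "any"
    label: str = ""


@dataclass
class Packet:
    direction: str
    iface: str
    src: Any   # ipaddress.IPv4Address / IPv6Address
    dst: Any
    proto: str


def parse_rule(line: str) -> Rule:
    """Parse the subset of pfctl rule syntax present in the posted dump."""
    toks = line.split()
    rule = Rule(action=toks.pop(0), direction="")
    if toks and toks[0] == "drop":           # "block drop" == "block"
        toks.pop(0)
    rule.direction = toks.pop(0)
    while toks and toks[0] in ("log", "quick"):
        if toks.pop(0) == "quick":
            rule.quick = True
    if toks and toks[0] == "on":
        toks.pop(0)
        if toks[0] == "!":
            toks.pop(0)
            rule.iface_neg = True
        rule.iface = toks.pop(0)
    if toks and toks[0] in ("inet", "inet6"):
        rule.af = toks.pop(0)
    if toks and toks[0] == "proto":
        toks.pop(0)
        rule.proto = toks.pop(0)
    if toks and toks[0] == "all":
        toks.pop(0)
    elif toks and toks[0] == "from":
        toks.pop(0)
        rule.src = toks.pop(0)
        if toks and toks[0] == "port":       # "port OP VALUE": ports are not modelled here
            del toks[:3]
        toks.pop(0)                          # "to"
        rule.dst = toks.pop(0)
    m = re.search(r'label "([^"]*)"', line)
    rule.label = m.group(1) if m else ""
    return rule


def _addr_ok(spec: str, addr: Any) -> bool:
    return spec == "any" or addr in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    # With "on ! iface" the rule applies exactly when the interface differs.
    if rule.iface is not None and (rule.iface == pkt.iface) == rule.iface_neg:
        return False
    if rule.af is not None and rule.af != ("inet" if pkt.src.version == 4 else "inet6"):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: last matching rule wins, unless a matching rule is 'quick'."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def decide(rules: List[Rule], direction: str, iface: str, src: str, dst: str,
           proto: str = "icmp") -> Tuple[str, str]:
    pkt = Packet(direction, iface, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto)
    rule = evaluate(rules, pkt)
    if rule is None:
        return ("pass", "(no rule matched: pf's implicit default is pass)")
    return (rule.action, rule.label)


RULES = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]

if __name__ == "__main__":
    cases = [
        ("LAN echo request arriving in on sis0",   ("in",  "sis0", "192.168.1.100", "198.51.100.1")),
        ("same, but from a 10.128.10.0/24 host",   ("in",  "sis0", "10.128.10.5",   "198.51.100.1")),
        ("forwarded packet leaving out on wi0",    ("out", "wi0",  "203.0.113.2",   "198.51.100.1")),
        ("192.168.1.x source arriving in on wi0",  ("in",  "wi0",  "192.168.1.50",  "203.0.113.2")),
    ]
    for name, args in cases:
        action, label = decide(RULES, *args)
        print(f"{name}: {action} [{label}]")
```

Run against the pasted ruleset, the evaluator reports that an echo request from a 192.168.1.0/24 host entering sis0 hits `USER_RULE: Default LAN -> any` (pass), that the same request leaving wi0 hits `let out anything from firewall host itself` (pass), and that a host outside 192.168.1.0/24 on sis0 (for example the 10.128.10.0/24 range named in the first message) falls through to `Default block all just to be sure.` On the box itself, `pfctl -s nat` prints the NAT rules, `pfctl -s state` prints the state table (which shows whether a LAN source is being translated), and `pfctl -vv -s rules` prints each rule with its evaluation and packet counters, so the rule that is actually consuming the packets can be read off directly.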