NAT and firewall rules with pfSense

georg

Hello everyone,

I am trying to replace my existing firewall/gateway (a desktop running FBSD 4 with ipfilter) with a WRAP running pfSense.

pfSense is already installed on the WRAP. When I swap the existing desktop for the pfSense box, I cannot reach the Internet.

The network configuration looks roughly like this:

(extip,stat)-[ADSLrouter]-192.168.1.1---192.168.1.3[pfsense]192.168.0.111---lan(192.168.0.0/24)
I have: Manual outbound NAT: Interface WAN - Source 192.168.0.0/2
and firewall rule: Source: LAN net, Dest: any

From the pfSense box I can ping: ext_ip, 192.168.1.1, 192.168.1.3
But from the internal network I cannot reach any DNS server or web server on the Internet.
The DNS server is set and the DNS forwarder is enabled.

What am I doing wrong?

Thanks & regards

Georg
 


I would say the external box is not doing NAT, or neither of them is doing NAT ....

Is this ADSL router a router or a modem?

holger
 
Hello Holger,

Thanks for your reply!

The external box is an ADSL router, and it definitely does NAT, because everything works when I put the old gateway/firewall back in place of the pfSense box.

Is the pfSense box doing NAT?

pfSense:~# pfctl -v -s nat
nat-anchor "pftpx/*" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
nat-anchor "natearly/*" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
nat-anchor "natrules/*" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
nat on sis1 inet from 192.168.0.0/24 to any -> (sis1) round-robin
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
rdr-anchor "pftpx/*" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
rdr-anchor "slb" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
no rdr on sis0 proto tcp from any to <vpns> port = ftp
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
rdr on sis0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
[ Evaluations: 9 Packets: 0 Bytes: 0 States: 0 ]
rdr-anchor "imspector" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
rdr-anchor "miniupnpd" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]

and here is the output of pfctl -v -s rules:
pfSense:~# pfctl -v -s rules
scrub all random-id fragment reassemble
[ Evaluations: 23969 Packets: 23969 Bytes: 0 States: 0 ]
anchor "ftpsesame/*" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
anchor "firewallrules" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop quick proto tcp from any port = 0 to any
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop quick proto tcp from any to any port = 0
[ Evaluations: 9 Packets: 0 Bytes: 0 States: 0 ]
block drop quick proto udp from any port = 0 to any
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop quick proto udp from any to any port = 0
[ Evaluations: 387 Packets: 0 Bytes: 0 States: 0 ]
block drop quick from <snort2c> to any label "Block snort2c hosts"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop quick from any to <snort2c> label "Block snort2c hosts"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
anchor "loopback" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on lo0 all label "pass loopback"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on lo0 all label "pass loopback"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
anchor "packageearly" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
anchor "carp" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass quick inet proto icmp from 192.168.1.3 to any keep state
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
anchor "dhcpserverlan" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on sis0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on sis0 inet proto udp from any port = bootpc to 192.168.0.111 port = bootps label "allow access to DHCP server on LAN"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on sis0 inet proto udp from 192.168.0.111 port = bootps to any port = bootpc label "allow access to DHCP server on LAN"
[ Evaluations: 387 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on sis1 inet proto udp from any port = bootps to 192.168.0.0/24 port = bootpc label "block dhcp client out wan"
[ Evaluations: 387 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on sis1 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in on ! sis0 inet from 192.168.0.0/24 to any
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop in inet from 192.168.0.111 to any
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop in on sis0 inet6 from fe80::20d:b9ff:fe04:6364 to any
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
anchor "spoofing" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
anchor "spoofing" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop in on ! sis1 inet from 192.168.1.3 to any
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop in inet from 192.168.1.3 to any
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in on sis1 inet6 from fe80::20d:b9ff:fe04:6365 to any
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on sis1 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on sis1 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on sis1 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on sis1 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
anchor "limitingesr" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick from <virusprot> to any label "virusprot overload table"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
anchor "wanbogons" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on sis1 from <bogons> to any label "block bogon networks from wan"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on sis0 proto icmp all keep state label "let out anything from firewall host itself"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on sis1 proto icmp all keep state label "let out anything from firewall host itself"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on sis1 all keep state label "let out anything from firewall host itself"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
anchor "firewallout" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on sis1 all keep state label "let out anything from firewall host itself"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on sis0 all keep state label "let out anything from firewall host itself"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on sis2 all keep state label "let out anything from firewall host itself"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out quick on enc0 all keep state label "IPSEC internal host to host"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
anchor "anti-lockout" all
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on sis0 inet from any to 192.168.0.111 keep state label "anti-lockout web rule"
[ Evaluations: 396 Packets: 244 Bytes: 118432 States: 0 ]
block drop in log proto tcp from <sshlockout> to any port = ssh label "sshlockout"
[ Evaluations: 387 Packets: 0 Bytes: 0 States: 0 ]
anchor "ftpproxy" all
[ Evaluations: 387 Packets: 0 Bytes: 0 States: 0 ]
anchor "pftpx/*" all
[ Evaluations: 387 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on sis0 inet from 192.168.0.0/24 to any keep state label "USER_RULE: Default LAN -> any"
[ Evaluations: 387 Packets: 2797 Bytes: 418697 States: 1 ]
pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on sis1 inet proto tcp from any port = ftp-data to (sis1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
anchor "imspector" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
anchor "miniupnpd" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick all label "Default block all just to be sure."
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop out log quick all label "Default block all just to be sure."
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]

Somehow I am missing something like:

pass out on sis1 all keep state (sis1 is the external interface)

Regards

Georg
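The verbose counters posted above already tell the story: the LAN rule "USER_RULE: Default LAN -> any" passed 2797 packets, while the outbound NAT rule and every "pass out ... on sis1" rule counted zero. As an added example (not code from the thread or from pfSense), the Python script below parses the text of `pfctl -v -s nat` and `pfctl -v -s rules` and turns that pattern into explicit findings. The "thread" sample is excerpted from the output posted above; the "healthy" sample is constructed. The interface and network names are assumptions taken from this thread (sis0/sis1, 192.168.0.0/24).

```python
"""Flag an outbound-NAT path that never sees traffic, from verbose pf counters.

Added example for this thread (not pfSense code). Input is the text of
`pfctl -v -s nat` and `pfctl -v -s rules`.
"""
import re
from dataclasses import dataclass

# The statistics line pf prints under every rule/anchor in verbose mode.
STATS_RE = re.compile(
    r"^\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]$"
)
# `nat on <if> ... from <src> to <dst> -> <target>`, the syntax shown in the thread.
NAT_RE = re.compile(r"^nat on (\S+) .*?from (\S+) to \S+ -> (\S+)")


@dataclass
class PfRule:
    text: str
    evaluations: int
    packets: int
    byte_count: int
    states: int


def parse_pfctl_verbose(output: str) -> list:
    """Pair every rule/anchor line with the `[ Evaluations: ... ]` line below it."""
    rules, pending = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATS_RE.match(line)
        if m:
            if pending is None:
                raise ValueError(f"statistics line without a rule: {line}")
            rules.append(PfRule(pending, *(int(g) for g in m.groups())))
            pending = None
        else:
            pending = line
    if pending is not None:
        raise ValueError(f"rule without statistics: {pending}")
    return rules


def diagnose_outbound(nat_output: str, rules_output: str, wan_if: str, lan_net: str) -> list:
    """Return findings about LAN -> WAN egress; an empty list means the counters look sane."""
    nat = parse_pfctl_verbose(nat_output)
    rules = parse_pfctl_verbose(rules_output)
    findings = []

    # 1. An outbound NAT rule for lan_net on wan_if must exist and be evaluated. Zero
    #    evaluations means no LAN packet ever reached the WAN egress path at all.
    nat_rules = []
    for r in nat:
        m = NAT_RE.match(r.text)
        if m and m.group(1) == wan_if and m.group(2) == lan_net:
            nat_rules.append(r)
    if not nat_rules:
        findings.append(f"no outbound NAT rule for {lan_net} on {wan_if}")
    elif all(r.evaluations == 0 for r in nat_rules):
        findings.append(
            f"outbound NAT rule for {lan_net} on {wan_if} was never evaluated: LAN traffic "
            f"is not reaching {wan_if} egress (check default route and whether the upstream "
            f"device accepts this box's MAC) before touching NAT")

    # 2. Packets passed in from the LAN but no `pass out` rule on the WAN saw any:
    #    traffic is lost between ingress and egress, not rejected by a filter rule.
    lan_in = sum(r.packets for r in rules
                 if r.text.startswith("pass in") and f"from {lan_net} to" in r.text)
    wan_out = sum(r.packets for r in rules
                  if r.text.startswith("pass out") and f"on {wan_if} " in r.text)
    if lan_in > 0 and wan_out == 0:
        findings.append(f"{lan_in} packets passed in from {lan_net} but no pass-out rule "
                        f"on {wan_if} counted any packets")

    # 3. Filter-rule mistakes show up on the default-deny rules instead.
    dropped = sum(r.packets for r in rules
                  if r.text.startswith("block drop") and "Default block" in r.text)
    if dropped:
        findings.append(f"{dropped} packets hit the default block rules: a filter rule is missing")
    return findings


# Excerpt of the counters posted in this thread (all zeros on the NAT/egress path).
THREAD_NAT = """\
nat-anchor "natrules/*" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
nat on sis1 inet from 192.168.0.0/24 to any -> (sis1) round-robin
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
"""
THREAD_RULES = """\
pass out quick on sis1 all keep state label "let out anything from firewall host itself"
[ Evaluations: 396 Packets: 0 Bytes: 0 States: 0 ]
pass in quick on sis0 inet from 192.168.0.0/24 to any keep state label "USER_RULE: Default LAN -> any"
[ Evaluations: 387 Packets: 2797 Bytes: 418697 States: 1 ]
block drop in log quick all label "Default block all just to be sure."
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop out log quick all label "Default block all just to be sure."
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
"""
# Constructed counters for a working setup: NAT evaluated, WAN pass-out carrying packets.
HEALTHY_NAT = """\
nat on sis1 inet from 192.168.0.0/24 to any -> (sis1) round-robin
[ Evaluations: 120 Packets: 118 Bytes: 90412 States: 7 ]
"""
HEALTHY_RULES = """\
pass out quick on sis1 all keep state label "let out anything from firewall host itself"
[ Evaluations: 130 Packets: 118 Bytes: 90412 States: 7 ]
pass in quick on sis0 inet from 192.168.0.0/24 to any keep state label "USER_RULE: Default LAN -> any"
[ Evaluations: 130 Packets: 118 Bytes: 90412 States: 7 ]
block drop in log quick all label "Default block all just to be sure."
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
"""

if __name__ == "__main__":
    for f in diagnose_outbound(THREAD_NAT, THREAD_RULES, "sis1", "192.168.0.0/24") or ["no findings"]:
        print("-", f)
```

Run it against live output with `pfctl -v -s nat` and `pfctl -v -s rules` captured to files after generating some LAN traffic; pf resets these counters when the ruleset is reloaded, so read them after the last `pfctl -f`. On the thread's counters the script reports that the NAT rule was never evaluated and that 2797 packets entered from the LAN without any pass-out rule on sis1 counting them, which points at the path between the LAN and the upstream device rather than at the NAT or filter rules, consistent with the resolution posted below.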
 
solved: NAT and firewall rules with pfSense

The problem is solved. It had nothing to do with either the NAT rules or the firewall rules.

After I spoofed the MAC address of the old gateway on the WAN interface, the connection suddenly worked.

Regards

Georg