Home / server / Questions / 715135
In Process
Chiggins
Asked: 2015-08-19 16:21:54 +0800 CST

pfSense not forwarding back packets

  • 772

I have a pfSense box setup where my WAN interface (em0) is set up in my local network (192.168.1.100) and my LAN interface (em1) is a private network of its own (10.0.0.1). The end goal is to have the 10.0.0.x network as private malware lab where devices on that network cannot talk to anything on the 192.168.1.x network directly. Though, I would like to punch holes in the pfSense firewall to allow traffic from 192.168.1.x network to access services in the private network, such as FTP, HTTP, SMB, SSH, etc. So if I FTP to 192.168.1.100 (WAN interface) then it'll route though to the FTP server running on a device internal to 10.0.0.x. Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.

enter image description here

And I can see some FTP traffic through pfSense with tcpdump.

enter image description here

Here's my NAT port forwarding rules (they also have an associated filter rule).

enter image description here

And also if it's helpful, my LAN firewall rules as well.

enter image description here

I thought that maybe there was an error with my blocking rules to block 192.168.1.x traffic from the 10.0.0.x network, but I have that rule disabled. I'm at a total loss and don't understand what is going wrong, so any help would be super appreciated!

nat

4 Answers

  1. The Wireshark screenshot on the FTP server is interesting -- the lack of a response suggests that it either can't (routing/NAT issues) or won't (firewall) respond. My ideas:

    • Does the FTP server have a local firewall (check with iptables -L -vn) dropping any traffic? If iptables's INPUT or OUTPUT chains have the DROP policy but you don't have rules allowing FTP traffic and related/established connections in and out, that would be a problem.
    • Does traffic to the SSH and HTTP ports (provided those services are running) suffer the same fate as FTP traffic? I'm no expert, but FTP often uses multiple ports (20 and 21), so it might be good to rule out weird behavior specific to FTP.
    • Can you get a TCP connection from another machine on the 10.0.0.x subnet to the FTP server? Can any traffic from the FTP server get out to the 192.168.1.x network? If traffic within the 10.0.0.x subnet is behaving properly but no traffic can get out, there may be an issue with routing, NAT, or firewall settings on the pfSense box.
    • 1
    1. Though you say you are receiving TCP SYN packet but i think you should have a firewall rule on WAN interface to allow port 21 (FTP) to go to the LAN interface i.e. em1.
    2. FTP server should have default gateway of 10.0.0.1.
    3. Also check if the outbound NAT rule is set on Automatic. If its not than you experience routing problem with packets returning from FTP.
    4. At pfsense > Diagnostics > ARP table should tell you whether FTP server is reachable via pfsense. Better start with allowing ICMP packets onto a device on private network and start tracing from there. Trace route should also help finding where your packets get lost.
    • 0

  3. pfSense has a special support for FTP protocol, which affects both active and passive modes. My experience is that it only complicates (otherwise usually simple) DNAT configuration for passive mode. I could only make passive mode working anyway, with the steps below.

    Go to System: Advanced: System Tunables (.../system_advanced_sysctl.php) page. Set 1 for debug.pfftpproxy option, to disable the pf FTP proxy handler. Now, setup your FTP server to use a specific ports range for data and forward these in addition to TCP/21.

    However, whenever possible, avoid FTP protocol at all. There're alternatives like SCP, more secure by nature (SSH based), allowing more authentication options and without all the active/passive/NAT/multiport burden.

    • 0

  4. Assuming the addressing provided is what you have in place - do you have block private networks enabled on the WAN interface (em0) ? I believe this is a default setting along with block bogan networks.

    http://i.stack.imgur.com/boREK.png

    • 0