[FUG-BR] pfsense load balance and a few questions (taking a beating from PF)
Manoel Alvares
msnehhumam at yahoo.com
Wed Apr 20 11:04:49 BRT 2011
Hello everyone, I still haven't managed to get port forwarding working.
I'm almost completely sure it's some firewall rule
that is doing this. I needed to change the IP of my pfsense LAN interface
from 192.168.1.1 to 192.168.0.1, and I think that also has to do with the
blocking I mentioned.
I couldn't access the webConfigurator from outside, nor the VNC servers or the surveillance machine.
I decided to post my filter rules so the experts can analyze them; here they are:
Can someone shed some light on this?
Note: there are more rules for the camera server and other VNC ones, but I left them out of this message only because they are repetitive.
pfctl -sr
-----------------------------------------------
scrub in on pppoe0 all fragment reassemble
scrub in on rl0 all fragment reassemble
scrub in on sis0 all fragment reassemble
anchor "relayd/*" all
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts"
block drop quick from any to <pfSnortSamin> label "Block pfSnortSamIn hosts"
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
block drop in log quick proto tcp from <webConfiguratorlockout> to any port = https label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in log quick on pppoe0 from <bogons> to any label "block bogon networks from WAN"
block drop in on ! pppoe0 inet from 189.47.14.202 to any
block drop in inet from 189.47.14.202 to any
block drop in on pppoe0 inet6 from fe80::240:caff:fe99:90a5 to any
block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
block drop in on ! rl0 inet from 192.168.0.0/24 to any
block drop in inet from 192.168.0.1 to any
block drop in on rl0 inet6 from fe80::2e0:7dff:fee3:5d90 to any
block drop in log quick on sis0 from <bogons> to any label "block bogon networks from OPT1"
block drop in on sis0 inet6 from fe80::240:caff:fe99:90a5 to any
block drop in log quick on sis0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on sis0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on sis0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on sis0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
pass in on sis0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out OPT1"
pass out on sis0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out OPT1"
pass in on lo0 all flags S/SA keep state label "pass loopback"
pass out on lo0 all flags S/SA keep state label "pass loopback"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (pppoe0 200.100.11.76) inet from 189.47.14.202 to ! 189.47.14.202 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on rl0 proto tcp from any to (rl0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on rl0 proto tcp from any to (rl0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on rl0 proto tcp from any to (rl0) port = ssh flags S/SA keep state label "anti-lockout rule"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto icmp all keep state label "USER_RULE"
pass in quick on rl0 inet from 192.168.0.0/24 to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on rl0 route-to (pppoe0 200.100.11.76) inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.3 port = 5903 flags S/SA keep state label "USER_RULE: NAT Forwarding VNC WAN"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.4 port = 5904 flags S/SA keep state label "USER_RULE: NAT Forwarding VNC WAN"
pass in quick on sis0 inet proto tcp from any to 192.168.0.3 port = 5903 flags S/SA keep state label "USER_RULE: NAT Forwarding VNC OPT1"
pass in quick on sis0 inet proto tcp from any to 192.168.0.4 port = 5904 flags S/SA keep state label "USER_RULE: NAT Forwarding VNC OPT1"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.13 port = 2599 flags S/SA keep state label "USER_RULE: NAT Forwarding GEOVISION WAN"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.13 port = 6550 flags S/SA keep state label "USER_RULE: NAT Forwarding GEOVISION WAN"
pass in quick on sis0 inet proto tcp from any to 192.168.0.13 port = 2599 flags S/SA keep state label "USER_RULE: NAT Forwarding GEOVISION OPT1"
pass in quick on sis0 inet proto tcp from any to 192.168.0.13 port = 6550 flags S/SA keep state label "USER_RULE: NAT Forwarding GEOVISION OPT1"
anchor "tftp-proxy/*" all
anchor "miniupnpd" all
##### very grateful for any help
> This happens in version 1.2.3; in 2.0 you can have
> several pppoe links.
>
> I am using version 2.0. After a lot of poking around I found the
> solution for the links:
>
> swapping Tier1 and Tier2 in the WAN groups
>
> -----
> I think the information that this version accepts several
> pppoe links is wrong, since I don't see that option on the
> OPT WAN... there is only DHCP for the OPT WANs
>
> after swapping the Tiers, the OPT WAN took over as default and it
> stays there until it goes down or until pfsense thinks the OPT
> is overloaded. I found this a bit flawed,
> because it doesn't notice when the connection on one of the links
> is bad, only the number of machines or whatever...
> but that doesn't matter much either, because everything ends up going out
> through those old Embratel backbones, which means
> that when one link is bad the other is worse
>
> thanks to everyone for the help
> ----------
> my problem now is a different one
>
> I have tried everything and I can't open up remote admin
> access,
> nor the port forwarding for VNC and the cameras
>
> I follow the manual's instructions and create the rules, but it doesn't
> work....
>
> strangely, SSH works perfectly remotely; I only
> needed to point port 22 at the LAN in the rule
>
> I even tried creating those forwarding rules on the LAN
> instead of the WAN or OPT, but that didn't work either
>
> it seems like something simple, but for that very reason I no longer
> know what to do.
>
> if the email doesn't come out all jumbled, the little diagram below
> explains what I want to do:
>
> WAN-------- pfsnse2.0 serv
> VNCn serv.camera
> OPTWAN ----192.168.1.1-----192.168.1.2 ------192.168.1.4
>
> and the load balancing of the links is already OK.
>
> I just need to access from outside the workstations that have
> VNC,
> the surveillance server, and do pfsense maintenance
> via the web,
> because via SSH it is already working
>
> cheers
> Thanks
> manoel
>
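Reading a ruleset like the one above by hand is error-prone, so here is an added example (not part of the original post and not pfSense's own code) that parses `pfctl -sr` output and lists which destinations the `pass in` rules on the Internet-facing interfaces admit. It assumes, from the rule labels, that pppoe0 is WAN and sis0 is OPT1, and that 192.168.0.1 is the firewall's LAN address; the sample input is a handful of lines copied from the posted ruleset. Two things the audit makes visible: the rules that allow ssh and http to 192.168.0.1 from any source on pppoe0 expose the firewall's own management services to the whole Internet (the anti-lockout rules only cover the LAN side), which is worth restricting to known source addresses; and `pfctl -sr` lists filter rules only, so the rdr entries that actually rewrite the destination of a port forward have to be checked with `pfctl -sn`, which is where a forward that passes the filter yet still fails is usually diagnosed.

```python
"""Audit which inbound services a pf filter ruleset admits on WAN-facing interfaces.

Reads the one-rule-per-line text that `pfctl -sr` prints, keeps the `pass in`
rules bound to interfaces assumed to face the Internet, and reports the
destination host/port each one lets through, flagging rules whose destination
is the firewall's own address (management exposure).
"""
from dataclasses import dataclass

# Assumptions taken from the posted ruleset: pppoe0 is WAN and sis0 is OPT1
# (the "block bogon networks from WAN/OPT1" labels say so); rl0 is LAN.
WAN_IFACES = {"pppoe0", "sis0"}
# Address of the firewall itself on the LAN, as given in the post.
FIREWALL_ADDRS = {"192.168.0.1"}

# Sample input: a handful of lines copied from the ruleset in the post.
SAMPLE = """\
block drop in log all label "Default deny rule"
pass in on sis0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out OPT1"
pass in quick on rl0 proto tcp from any to (rl0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto icmp all keep state label "USER_RULE"
pass in quick on rl0 route-to (pppoe0 200.100.11.76) inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.3 port = 5903 flags S/SA keep state label "USER_RULE: NAT Forwarding VNC WAN"
pass in quick on sis0 inet proto tcp from any to 192.168.0.13 port = 2599 flags S/SA keep state label "USER_RULE: NAT Forwarding GEOVISION OPT1"
"""


def parse_pass_in(line):
    """Return a dict for a `pass in` rule, or None for any other line.

    Only the fields needed for the audit are extracted; options such as
    reply-to/route-to, flags and keep state are skipped over.
    """
    toks = line.split()
    if toks[:2] != ["pass", "in"]:
        return None
    rule = {"iface": None, "proto": "any", "src": None, "dst": None,
            "port": None, "label": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "on":
            rule["iface"] = toks[i + 1]
            i += 2
        elif t == "proto":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "from":
            rule["src"] = toks[i + 1]
            i += 2
        elif t == "to":
            rule["dst"] = toks[i + 1]
            i += 2
            if toks[i:i + 2] == ["port", "="]:   # destination port, if any
                rule["port"] = toks[i + 2]
                i += 3
        elif t == "all":                        # shorthand for "from any to any"
            rule["src"] = rule["dst"] = "any"
            i += 1
        elif t == "label":                      # label is last and may contain spaces
            rule["label"] = line.split('label "', 1)[1].rstrip('"')
            break
        else:
            i += 1                              # quick, inet, reply-to (...), flags, ...
    return rule


@dataclass(frozen=True)
class Exposure:
    iface: str
    proto: str
    dst: str
    port: str
    label: str
    management: bool   # True when the destination is the firewall's own address


def wan_exposures(ruleset_text, wan_ifaces=WAN_IFACES, fw_addrs=FIREWALL_ADDRS):
    """List every `pass in` rule on a WAN-facing interface as an Exposure."""
    found = []
    for line in ruleset_text.splitlines():
        rule = parse_pass_in(line.strip())
        if rule is None or rule["iface"] not in wan_ifaces:
            continue
        dst = rule["dst"] or "any"
        found.append(Exposure(rule["iface"], rule["proto"], dst,
                              rule["port"] or "any", rule["label"] or "",
                              dst in fw_addrs))
    return found


def report(exposures):
    """Render the audit as text lines; management exposures are marked with '!'."""
    return [f"{'!' if e.management else ' '} {e.iface:7} {e.proto:5} "
            f"{e.dst}:{e.port}  [{e.label}]" for e in exposures]


if __name__ == "__main__":
    print("\n".join(report(wan_exposures(SAMPLE))))
```

Run it against the full `pfctl -sr` output to get the complete list; anything marked `!` is a service of the firewall itself reachable from outside, and anything else is a host behind it that still needs a matching rdr entry in `pfctl -sn` before the forward can work.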
More information about the freebsd mailing list