On Tue, 11 Sep 2012 16:03:05 -0500 Chris Buechler <[email protected]> wrote:
> On Tue, Sep 11, 2012 at 12:03 PM, Theodor-Iulian Ciobanu
> <[email protected]> wrote:
> > Hello,
> >
> > I inherited a very old instance of pfsense (1.0.1) acting as a
> > router and firewall between multiple DMZs and WAN (LAN is empty and
> > unused).
> >
> > After updating to 1.2.3, outbound connections were working fine,
> > but I was no longer able to connect to any of the servers from
> > outside. Not wanting to have to reinstall 1.0.1 I hoped that this
> > was maybe a bug/regression in the NIC driver (there's just one
> > network card with just one port that is fed all the corresponding
> > tagged VLANs) and applied the full update to 2.0.1 as well.
> > Everything went fine, but the behavior persisted. So I started
> > debugging it (or at least tried to), with wireshark on a client
> > system and tcpdump on pfsense and one of the servers:
> >
> > When trying to ssh from the client to the server, I can see the TCP
> > handshake. After the client sends its ack, the server sends the SSH
> > banner. I can see the packet in the dump from the server and on the
> > firewall on both virtual interfaces (the one in the DMZ and the one
> > in WAN). But the packet is never received on the client.
> >
> > What happens instead, is that the server receives a TCP RST packet,
> > seemingly coming from the client. But none of the dumps on the
> > client or pfsense show such a packet being sent.
> >
>
> Add a -e to your tcpdump and see what MAC is sourcing that RST. That's
> the source of your issue, and based on your description, it has
> nothing to do with the firewall (if you're getting a RST on the server
> that you don't see on the firewall, something other than the firewall
> or the client has to be sending it).

I already checked, the MAC is that of the firewall, although it doesn't
show in the dump. Then, there's the case of the openssh banner that
does show up in tcpdump on pfsense but doesn't make it to the client.

--
Theo
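
Added example, not part of the original thread: one way to apply the "tcpdump -e" advice above is to save the link-level output taken on the server's segment and tally which source MAC carries each TCP RST. The capture lines, MAC addresses, IP addresses and the KNOWN_MACS table below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -nn` output as seen on the server's DMZ segment.
SAMPLE = """\
10:00:00.000300 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 66: 203.0.113.7.40000 > 192.0.2.10.22: Flags [.], ack 501, win 229, length 0
10:00:00.000400 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 87: 192.0.2.10.22 > 203.0.113.7.40000: Flags [P.], seq 501:522, ack 101, win 227, length 21
10:00:00.000900 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 60: 203.0.113.7.40000 > 192.0.2.10.22: Flags [R], seq 101, win 0, length 0
"""

# Hypothetical inventory of MACs expected on this segment.
KNOWN_MACS = {
    "02:00:00:00:00:01": "firewall-dmz",
    "02:00:00:00:00:02": "server",
}

# Ethernet header first, then (after optional VLAN fields) the IPv4 src/dst and TCP flags.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+\.\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def rst_sources(capture, known_macs):
    """Count TCP RST frames by (device label, source MAC, claimed source IP)."""
    hits = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if m and "R" in m["flags"]:
            claimed_ip = m["src"].rsplit(".", 1)[0]  # drop the trailing port
            label = known_macs.get(m["smac"], "unknown")
            hits[(label, m["smac"], claimed_ip)] += 1
    return hits

if __name__ == "__main__":
    for (label, mac, ip), n in rst_sources(SAMPLE, KNOWN_MACS).items():
        # On a routed segment, frames from remote clients normally carry the
        # gateway's MAC; a MAC outside the inventory points at another device.
        print(f"{n} RST claiming {ip} sent by {mac} ({label})")
```

Running the same tally on captures from both the DMZ and WAN interfaces of the firewall shows on which side the RST first appears.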
