pfSense Part 3: Controlling Routes | Level One Techs

@Dexter_Kane How would you approach/troubleshoot with pfSense -- for example if you want CS:GO to run over WAN? What tools and methods in the firewall do you use to find blocked or wrongly routed traffic?

Yes and you could use netcat or telnet to test TCP:

$ telnet www.example.com 80
1 Like

When I set up block rules for MS telemetry quite a while ago, I followed a guide that also specified adding an alias and pass rule to ensure that Windows updates weren't being blocked. Here are the addresses specified:

download.windowsupdate.com
update.microsoft.com
sls.update.microsoft.com.akadns.net
vortex.data.microsoft.com
vortex-win.data.microsoft.com
fe2.update.microsoft.com.akadns.net
statsfe2.update.microsoft.com.akadns.net

1 Like

Idk, if MS were smart they would just use their Update Domains for the Telemetry stuff and people couldn't block it independently...

MS if you're reading this, I do take credit transfers...

(although they are probably doing that already)

1 Like

Yeah, I assume that they probably do, and that blocking telemetry entirely is the not-so-simple matter of ditching Windows entirely, but I figure there's no harm in trying.

Could you help me out with setting up squid in Debian with pfSense as a firewall?

My VPN is going from USA > Toronto via PIA. But that shouldn't matter because the 3rd LAN rule should catch Netflix destination traffic and route it out my ISP WAN.

Yeah, but that isn't working for you, or did I misunderstand that? I meant that it might be different domains for different regions. Guess in NA it should be the same though... mh

If you can't find the ports by googling then what I'd do is make the rules with the ports you do know and create a block all rule under that (make sure you enable logging on the block rule). Then run the game and look at the firewall log in pfsense, look for traffic from the machine running the game and add the destination ports from the blocked traffic to the rule until the game works.

But if you have a game that needs port 443 or some other shared port there is no way for pfsense to tell which application the traffic is coming from. So the only thing you can do is either manually enable and disable the rule as needed or set up a proxy server that uses the VPN and manually set the browser to use that. That way Web traffic from the browser goes to the proxy server and then over the VPN and any other traffic will go over the wan.

You could use squid on pfsense for this but it lacks any options for setting a gateway, it just uses the default gateway. So if the VPN is the default gateway then it will work, otherwise it won't. One thing to keep in mind about using the VPN as the default gateway is that if the VPN goes down then it will automatically use the wan connection as that will become the new default gateway until the VPN comes back up, which is why it's always better to specify gateways in your rules with an internet destination.

2 Likes

I too am having an issue with the Netflix rule they mentioned, however I'm using IVPN and routing within the US.

I'm wondering, why do you say it's a bad idea to do more than 50 ports in one rule?
I'd think taking all the ports in the range 0-1023 and running them through the vpn would be a decent start at least, since that'd take all web and ssh and other such utilities through your vpn while leaving most game services untouched.

And yes, I know that range is way overkill, and you only need ports 20-30, 80, and 443 for the most common services.

They mean for a service that uses a bunch of ports in a range that that range will usually not be larger than 50, so making a rule with a range larger than that (if you don't specifically know which ports or range the service uses) may overlap with other services and cause problems.

You can make rules with as large a range as you like, it was more of a rule of thumb than any sort of technical limitation.

Yea, the Netflix destination rule isn't working for me. To double-confirm I disabled my other custom LAN rules and rebooted the router, but it still doesn't work. Unless someone else can comment and confirm the rule works for them, I am going to guess that the domains no longer work from the time they shot, edited and uploaded the video.

Until I can get the Netflix destination rule working I've completely removed a few choice computers from the VPN gateway entirely and use those for Netflix, if anyone is curious about a workaround.

These are the steam ports, I don't know if CS:GO needs any other ports:

TCP:
27014 - 27059

UDP:
27000 - 27015
27015 - 27030
4380
3478
4379
4380

Make an alias for the TCP ports and another for the UDP ports. Then go to the LAN firewall and make an allow rule for TCP with the machine you play CS:GO on as the source IP (or use any if it doesn't matter), leave source port as any. Set destination address to any and for destination port select other and type the name of the TCP alias you created. Then go to advanced and select your WAN gateway. Do the same for the UDP alias but obviously choose UDP as the protocol. Make sure these rules are above the default allow any to any rule or any other allow rule which would catch the traffic. Reset the state table to be sure and check if it works.

2 Likes
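As an added example (not code from the thread or from pfSense itself), this script automates the two manual steps above: reading the firewall log for traffic blocked from the game machine, and collapsing the blocked destination ports into entries you could paste into the TCP and UDP aliases. The log lines are constructed samples in the pfSense filterlog CSV layout; the field positions for IPv4 TCP/UDP entries are an assumption about that format.

```python
"""Find destination ports blocked for one host in pfSense filterlog output and
turn them into port-alias entries (added example; log lines are constructed)."""
import re
from collections import defaultdict

# Constructed sample lines. Assumed IPv4 filterlog fields after "filterlog: ":
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,proto-id,proto,length,src,dst,sport,dport,...
SAMPLE_LOG = """\
Mar 15 10:00:01 fw filterlog: 7,,,1000000107,igb1,match,block,in,4,0x0,,64,1,0,DF,17,udp,60,192.168.1.50,203.0.113.10,51000,27015,40
Mar 15 10:00:02 fw filterlog: 7,,,1000000107,igb1,match,block,in,4,0x0,,64,2,0,DF,17,udp,60,192.168.1.50,203.0.113.10,51000,27016,40
Mar 15 10:00:02 fw filterlog: 7,,,1000000107,igb1,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.50,203.0.113.11,51001,27017,0,S,1,,65535,,mss
Mar 15 10:00:03 fw filterlog: 7,,,1000000107,igb1,match,block,in,4,0x0,,64,4,0,DF,17,udp,60,192.168.1.77,203.0.113.10,40000,27015,40
Mar 15 10:00:04 fw filterlog: 3,,,1000000103,igb1,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.1.50,203.0.113.12,51002,443,0,S,1,,65535,,mss
Mar 15 10:00:05 fw filterlog: 7,,,1000000107,igb1,match,block,in,4,0x0,,64,6,0,DF,1,icmp,84,192.168.1.50,203.0.113.10,request,1,2
"""

def parse_filterlog(line):
    """Return (action, proto, src, dst, dport) for an IPv4 TCP/UDP entry, else None."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None  # IPv6, ICMP and malformed entries are skipped
    return f[6], f[16], f[18], f[19], int(f[21])

def blocked_ports(log_text, host):
    """Map protocol -> sorted destination ports blocked for traffic from `host`."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec[0] == "block" and rec[2] == host:
            ports[rec[1]].add(rec[4])
    return {proto: sorted(s) for proto, s in ports.items()}

def to_alias_entries(port_list):
    """Collapse consecutive ports into pfSense alias range syntax, e.g. 27015:27016."""
    entries, start, prev = [], None, None
    for p in sorted(port_list):
        if start is None or p != prev + 1:
            if start is not None:
                entries.append(f"{start}:{prev}" if start != prev else str(start))
            start = p
        prev = p
    if start is not None:
        entries.append(f"{start}:{prev}" if start != prev else str(start))
    return entries

if __name__ == "__main__":
    for proto, plist in blocked_ports(SAMPLE_LOG, "192.168.1.50").items():
        print(proto.upper(), "alias entries:", to_alias_entries(plist))
```

Run it against `clog /var/log/filter.log` output instead of `SAMPLE_LOG` and re-check after each pass until the game connects, the same iterate-until-it-works loop described above.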

Turns out you need NAT routing for the WAN gateway to work. (Firewall -> NAT -> Outbound)
Cloning the WAN_VPN rules for WAN fixed my issue.

@Jacobq11
Thank you @Dexter_Kane

It's odd that you didn't have those WAN rules by default, usually you need to clone the WAN rules to get the VPN to work.

My VPN stated to change the NAT Address instead of cloning.
( https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/ )

I see, kind of makes sense as it prevents it from falling back to the WAN gateway if the VPN goes down. But I think there are better ways of doing that.

Great video love to see pfsense content, people ask for openwrt but pfsense is one of the only groups that stays on top of security issues. I recall a while back there was a Defcon video that showed a security hole where you could act as if you were inside the network through a callback during a load. Pfsense was one of the only ones to patch the flaw.

By the way, I know this is a Linux video but I saw the debloat script in it and was wondering if Level1Techs could do a debloat windows video. I've noticed nerfing Cortana with group policies, disabling superfetch, turning off a ton of unnecessary services can really take back some needed performance. I notice it the most with i/o latency, windows 10 can be brutal with keyboard and mouse lag in game and disabling as much junk as possible has yielded good results for me. Figured I should ask with the whole "Gaming mode" being in the creators update.

Cheers.

1 Like

Just a heads up...

I applied the "cleaned up list" posted in this thread to block Windows 10 Telemetry, to an alias and added a block rule to my installation of pfsense and everything seemed to work fine... that is until my 5 year old couldn't get on YouTube through my XBOX One. Tried everything to troubleshoot it, cause it seemed to work everywhere else on my network, just not the xbox. In a last-ditch effort to get it to work, I disabled the firewall rule that I set up to block telemetry... and success.

Anyone have any idea which entry in that list is the issue? I looked, and there are no obvious references to youtube or xbox in the list. Needless to say, this firewall rule will stay disabled until I can narrow it down.