I set up a pfsense box. What is happening is that I set up a rule so that I can't hit the admin interface at 192.168.3.1 from the box.
With the rule enabled:
--- www.l.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 5080ms
rtt min/avg/max/mdev = 37.684/37.776/37.869/0.215 ms
root@bad-apple:/etc#
With the rule disabled:
--- www.l.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 42.064/44.104/46.144/2.040 ms
The block rule that is causing it:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
* APPLESERVER net * 192.168.3.1 * * none
I don't want the server to be able to reach the admin interface, but I do want it to have internet access so I can configure the machine. Has anyone run into this before? I allow everything from APPLESERVER NET to * below this block rule, because if I set the destination to WAN net, DNS goes away.
OK, what happens with the rule enabled is that when I ping, a line shows up in ssh roughly every 5-10 seconds. Without the rule it runs like a normal machine, very fast. This problem does not exist on my LANs, which have the same respective DNS servers and block [pfsense]admin. [One LAN is the admin LAN, so it has no block rule.] I run everything on LAN2 and manually plug into LAN1 for admin.
Update - added /tmp/debug.config
#System aliases
loopback = "{ lo0 }"
WAN = "{ re0 }"
ADMIN = "{ re1 }"
LAN = "{ re2 }"
APPLESERVER = "{ re3 }"
#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
# User Aliases
table <EasyRuleBlockHostsWAN> { 10.35.0.1/32 }
EasyRuleBlockHostsWAN = "<EasyRuleBlockHostsWAN>"
# Gateways
GWOPT1GW = " route-to ( re2 192.168.1.1 ) "
GWWAN = " route-to ( re0 wan ip ) "
set loginterface re1
set optimization normal
set limit states 23000
set limit src-nodes 23000
set skip on pfsync0
scrub in on $WAN all fragment reassemble
scrub in on $ADMIN all fragment reassemble
scrub in on $LAN all fragment reassemble
scrub in on $APPLESERVER all fragment reassemble
no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 127.0.0.0/8 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 24.220.153.106/32 port 500
nat on $WAN from $tonatsubnets to any -> 24.220.153.106/32 port 1024:65535
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
rdr pass on re2 proto udp from any to any port tftp -> 127.0.0.1 port 6969
table <negate_networks> { 24.220.152.0/23 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 }
# NAT Inbound Redirects
rdr on re0 proto { tcp udp } from any to any port 21 -> 192.168.2.3
rdr on re0 proto { tcp udp } from any to any port 5000:5050 -> 192.168.2.3
rdr on re0 proto { tcp udp } from any to any port 80 -> 192.168.3.2
rdr on re0 proto { tcp udp } from any to any port 443 -> 192.168.3.2
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# Block all IPv6
block in quick inet6 all
block out quick inet6 all
# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
# webConfigurator lockout
block in log quick proto tcp from <webConfiguratorlockout> to any port 443 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for re0
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for re1
# allow access to DHCP server on ADMIN
pass in quick on $ADMIN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $ADMIN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $ADMIN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for re2
# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for re3
# allow access to DHCP server on APPLESERVER
pass in quick on $APPLESERVER proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $APPLESERVER proto udp from any port = 68 to 192.168.3.1 port = 67 label "allow access to DHCP server"
pass out quick on $APPLESERVER proto udp from 192.168.3.1 port = 67 to any port = 68 label "allow access to DHCP server"
# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( re0 wan ip ) from 24.220.153.106 to !24.220.152.0/23 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on re1 proto tcp from any to (re1) port { 80 443 22 } keep state label "anti-lockout rule"
# User-defined rules follow
anchor "userrules/*"
block in quick on $WAN reply-to ( re0 wan ip ) from $EasyRuleBlockHostsWAN to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
pass in quick on $WAN reply-to ( re0 wan ip ) proto { tcp udp } from any to 192.168.2.3 port 21 label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 wan ip ) proto { tcp udp } from any to 192.168.2.3 port 4999 >< 5051 label "USER_RULE: NAT "
pass in quick on $WAN reply-to ( re0 wan ip ) proto { tcp udp } from any to 192.168.3.2 port 80 label "USER_RULE: NAT Rule for web 80"
pass in quick on $WAN reply-to ( re0 wan ip ) proto { tcp udp } from any to 192.168.3.2 port 443 label "USER_RULE: NAT ssl web "
block in quick on $WAN reply-to ( re0 wan ip ) from any to any label "USER_RULE"
block in quick on $ADMIN from any to any label "USER_RULE"
block in quick on $LAN from any to 192.168.2.1 label "USER_RULE"
block in quick on $LAN from any to 192.168.1.1 label "USER_RULE"
block in quick on $LAN from any to 192.168.3.1 label "USER_RULE"
pass in quick on $LAN from 192.168.2.1/24 to any keep state label "USER_RULE: Default allow OPT1 to any rule"
pass in quick on $LAN proto tcp from any to 192.168.3.1/24 port 22 flags S/SA keep state label "USER_RULE"
pass in quick on $LAN proto tcp from any to 192.168.3.1/24 port 80 flags S/SA keep state label "USER_RULE"
pass in quick on $LAN proto tcp from any to 192.168.3.1/24 port 81 flags S/SA keep state label "USER_RULE"
pass in quick on $LAN proto { tcp udp } from any to 192.168.3.2 port 10000 keep state label "USER_RULE"
pass in quick on $LAN proto tcp from 192.168.2.1/24 to 192.168.3.1/24 port 443 flags S/SA keep state label "USER_RULE"
block in quick on $LAN from any to any label "USER_RULE"
block in quick on $APPLESERVER from any to 192.168.2.1 label "USER_RULE"
block in quick on $APPLESERVER proto { tcp udp } from any to 192.168.3.1 port 80 label "USER_RULE"
block in quick on $APPLESERVER proto { tcp udp } from any to 192.168.3.1 port 443 label "USER_RULE"
block in quick on $APPLESERVER proto { tcp udp } from any to 192.168.3.1 port 22 label "USER_RULE"
block in quick on $APPLESERVER from any to 192.168.1.0/24 label "USER_RULE"
pass in quick on $APPLESERVER from 192.168.3.1/24 to any keep state label "USER_RULE"
# VPN Rules
anchor "tftp-proxy/*"
I have updated it with the debug.config file. So my fix was to block only 22, 80, 443 from the 192.168.3.0/24 subnet [the appleserver subnet]. This solved my speed problem, but I'm not sure whether this is a good way to fix it properly.
Maybe this could be a DNS problem, but with all the block rules enabled, typing the WAN IP on a remote machine takes about the same [long] amount of time as going by the domain name.
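To make the difference between the two rule sets concrete, here is an added example (written for this page, not pfSense code and not from the poster) that models pf's evaluation order: the last matching rule wins, except that a matching rule marked `quick` ends evaluation at once. It replays the broad "block everything to 192.168.3.1" rule from the table against the port-specific block from the APPLESERVER section of debug.config. The packets are constructed, and the assumption that the server uses 192.168.3.1 as its DNS resolver is exactly that; if it does, the broad rule silently drops every lookup (pf `block` drops without a reply unless `block-policy return` is set, and the posted config does not set it), so each name resolution waits for a resolver timeout, which matches the multi-second stalls in ping and ssh.

```python
"""Model of pf first-match ("quick") rule evaluation.

Added example, not pfSense code: it does not parse pf syntax, it only
reproduces the evaluation order so the two APPLESERVER rule sets from the
post can be compared on constructed packets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # unused for icmp


@dataclass(frozen=True)
class Rule:
    action: str                              # "block" or "pass"
    quick: bool = False
    proto: Optional[Sequence[str]] = None    # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[Sequence[int]] = None   # None matches any port
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto not in self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules: Sequence[Rule], pkt: Packet) -> str:
    """pf semantics: last matching rule wins, unless a matching rule is
    'quick', which stops evaluation immediately."""
    verdict = "block"            # nothing matched at all
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Interface address and subnet taken from the posted debug.config.
GW = "192.168.3.1/32"
SUBNET = "192.168.3.0/24"
DEFAULT_DENY = Rule("block", label="Default deny rule")   # not quick

# The rule from the post's table: block everything from the subnet to the
# interface IP, then allow the subnet to anything.
BROAD = [
    DEFAULT_DENY,
    Rule("block", quick=True, dst=GW, label="block to admin interface"),
    Rule("pass", quick=True, src=SUBNET, label="Default allow to any"),
]

# The poster's fix (APPLESERVER block in debug.config): only the management
# ports on the interface IP and the ADMIN network are blocked, so DNS on
# 192.168.3.1 stays reachable.
NARROW = [
    DEFAULT_DENY,
    Rule("block", quick=True, proto=("tcp", "udp"), dst=GW,
         dports=(80, 443, 22), label="block webGUI/ssh on gateway"),
    Rule("block", quick=True, dst="192.168.1.0/24", label="block ADMIN net"),
    Rule("pass", quick=True, src=SUBNET, label="Default allow to any"),
]


def verdicts(pkt: Packet) -> Dict[str, str]:
    """Verdict of each rule set for one packet."""
    return {"broad": evaluate(BROAD, pkt), "narrow": evaluate(NARROW, pkt)}


# Constructed packets from a host on the APPLESERVER subnet. The resolver at
# 192.168.3.1 is an assumption about the poster's setup.
DNS_TO_GATEWAY = Packet("192.168.3.10", "192.168.3.1", "udp", 53)
WEBGUI = Packet("192.168.3.10", "192.168.3.1", "tcp", 443)
SSH_GATEWAY = Packet("192.168.3.10", "192.168.3.1", "tcp", 22)
INTERNET_DNS = Packet("192.168.3.10", "8.8.8.8", "udp", 53)
ADMIN_NET = Packet("192.168.3.10", "192.168.1.5", "tcp", 22)

if __name__ == "__main__":
    for name, pkt in [("DNS to gateway", DNS_TO_GATEWAY), ("webGUI", WEBGUI),
                      ("ssh to gateway", SSH_GATEWAY),
                      ("internet DNS", INTERNET_DNS), ("ADMIN net", ADMIN_NET)]:
        v = verdicts(pkt)
        print(f"{name:16s} broad={v['broad']:5s} narrow={v['narrow']}")
```

The useful line is the first one: the broad rule blocks the DNS query to the gateway while the narrow rule passes it, and both still block the webGUI and ssh ports, which is the property the poster actually wanted. Blocking by port rather than by host keeps the resolver and DHCP on the interface reachable; an equivalent alternative is to keep the host-wide block but put a `pass quick` for udp port 53 to 192.168.3.1 above it.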