I run a high-availability pfSense 2.6.0 cluster, and UDP behaves strangely when using a Discord voice channel. Specifically, the Discord voice channel shows "No route", and traffic analysis suggests the packets are being dropped.
The pfSense configuration is very simple:
re0: WAN - 192.168.1.251/24 (CARP 192.168.1.253/24) Upstream GW : 192.168.1.254
Gateway 192.168.1.254 is Netgear device configured in router mode and DMZ to
192.168.1.253
ale0: LAN - 192.168.254.248/24 (CARP 192.168.254.254/24)
Firewall / Rules / WAN
States Proto Source Port Destination Port Gateway Queue Schedule Description
Block * RFC 1918 networks * * * * * Block private networks
Block * Reserved Not assigned by IANA * * * * * Block bogon networks
Pass IPv4/TCP * * 192.168.1.253 443 * * Temporary emergency rules
Block IPv4+6 * * * * * * * Deny all
Firewall / Rules / LAN
States Proto Source Port Destination Port Gateway Queue Schedule Description
Pass * * * LAN Address 443/80/22 * * Anti-Lockout Rule
Pass IPv4+6 * LAN net * * * * none Default allow LAN to any rule
Firewall / NAT / Outbound: Hybrid Outbound NAT
Interface Source Source port Destination Destination port NAT Address NAT Port Static port Description
WAN 192.168.254.0/24 * * * 192.168.1.253 * Randomize LAN to WAN
No Floating, Port Forward, 1:1 or NPt rules
In the Discord application on the 192.168.254.12 computer, when a voice channel is opened the application tries to connect to 35.214.218.172 on UDP port 50007. The packets are sent out on the WAN interface and the responses are received there, but they never arrive on the LAN interface.
Nothing in the firewall log
WAN : tcpdump -nni re0 host 35.214.218.172
11:43:22.025432 IP 192.168.1.253.15185 > 35.214.218.172.50007: UDP, length 74
11:43:22.026410 IP 192.168.1.253.50139 > 35.214.218.172.50007: UDP, length 74
11:43:22.061369 IP 35.214.218.172.50007 > 192.168.1.253.50139: UDP, length 74
11:43:22.061444 IP 35.214.218.172.50007 > 192.168.1.253.15185: UDP, length 74
11:43:24.026405 IP 192.168.1.253.15185 > 35.214.218.172.50007: UDP, length 74
11:43:24.027475 IP 192.168.1.253.50139 > 35.214.218.172.50007: UDP, length 74
11:43:24.059259 IP 35.214.218.172.50007 > 192.168.1.253.50139: UDP, length 74
11:43:24.063869 IP 35.214.218.172.50007 > 192.168.1.253.15185: UDP, length 74
LAN : tcpdump -nni ale0 udp and host 192.168.254.12
11:43:22.025317 IP 192.168.254.12.55598 > 35.214.218.172.50007: UDP, length 74
11:43:22.025331 IP 192.168.254.12.55599 > 35.214.218.172.50007: UDP, length 74
11:43:24.025633 IP 192.168.254.12.55598 > 35.214.218.172.50007: UDP, length 74
11:43:24.025644 IP 192.168.254.12.55599 > 35.214.218.172.50007: UDP, length 74
Any ideas?
Edit:
New capture, trying an ugly rule in Firewall / Rules / WAN
States Proto Source Port Destination Port Gateway Queue Schedule Description
Pass IPv4+6 UDP * * * * * none * Ugly temporary rule
tcpdump -nni ale0 udp and host 35.214.169.122
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ale0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:19.883042 IP 192.168.254.12.57442 > 35.214.169.122.50010: UDP, length 74
13:26:19.883053 IP 192.168.254.12.57443 > 35.214.169.122.50010: UDP, length 74
13:26:20.883026 IP 192.168.254.12.57442 > 35.214.169.122.50010: UDP, length 74
13:26:20.883038 IP 192.168.254.12.57443 > 35.214.169.122.50010: UDP, length 74
tcpdump -nni re0 udp and host 35.214.169.122
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:19.884054 IP 192.168.1.253.33273 > 35.214.169.122.50010: UDP, length 74
13:26:19.885125 IP 192.168.1.253.24817 > 35.214.169.122.50010: UDP, length 74
13:26:19.919506 IP 35.214.169.122.50010 > 192.168.1.253.24817: UDP, length 74
13:26:19.922135 IP 35.214.169.122.50010 > 192.168.1.253.33273: UDP, length 74
13:26:20.884084 IP 192.168.1.253.33273 > 35.214.169.122.50010: UDP, length 74
13:26:20.885025 IP 192.168.1.253.24817 > 35.214.169.122.50010: UDP, length 74
13:26:20.917825 IP 35.214.169.122.50010 > 192.168.1.253.24817: UDP, length 74
13:26:20.921016 IP 35.214.169.122.50010 > 192.168.1.253.33273: UDP, length 74
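As an added diagnostic aid (not part of the original post), this Python script parses the WAN-side and LAN-side tcpdump captures above and reports how many packets crossed each interface in each direction, listing the remote endpoints whose replies arrived on WAN but were never delivered on LAN. It assumes the one-line `tcpdump -nn` UDP summary format shown in the post; the sample lines are copied from the first capture.

```python
import re
from collections import Counter

# Matches the one-line UDP summary that tcpdump -nn prints in the captures above.
LINE_RE = re.compile(r"^\S+ IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dip>[\d.]+)\.(?P<dport>\d+): UDP, length \d+$")

def parse_udp(lines):
    """Yield (src_ip, src_port, dst_ip, dst_port); tcpdump banner lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["sip"], int(m["sport"]), m["dip"], int(m["dport"])

def nat_forwarding_report(wan_lines, lan_lines, remote_ip):
    """Compare WAN-side and LAN-side captures of UDP traffic to remote_ip.

    Returns per-direction packet counts on each interface plus the remote
    endpoints whose replies were seen on WAN but never on LAN, i.e. packets
    the firewall accepted and then dropped instead of un-NATing them.
    """
    counts = Counter()
    seen_in = {"wan": set(), "lan": set()}
    for side, lines in (("wan", wan_lines), ("lan", lan_lines)):
        for sip, sport, dip, dport in parse_udp(lines):
            if sip == remote_ip:            # reply coming back from the server
                counts[side + "_in"] += 1
                seen_in[side].add((sip, sport))
            elif dip == remote_ip:          # client packet heading out
                counts[side + "_out"] += 1
    report = {k: counts[k] for k in ("lan_out", "wan_out", "wan_in", "lan_in")}
    report["undelivered"] = sorted(seen_in["wan"] - seen_in["lan"])
    return report

# Capture lines copied from the first pair of tcpdump runs in the post above.
WAN_CAPTURE = """\
11:43:22.025432 IP 192.168.1.253.15185 > 35.214.218.172.50007: UDP, length 74
11:43:22.026410 IP 192.168.1.253.50139 > 35.214.218.172.50007: UDP, length 74
11:43:22.061369 IP 35.214.218.172.50007 > 192.168.1.253.50139: UDP, length 74
11:43:22.061444 IP 35.214.218.172.50007 > 192.168.1.253.15185: UDP, length 74
""".splitlines()
LAN_CAPTURE = """\
11:43:22.025317 IP 192.168.254.12.55598 > 35.214.218.172.50007: UDP, length 74
11:43:22.025331 IP 192.168.254.12.55599 > 35.214.218.172.50007: UDP, length 74
""".splitlines()

if __name__ == "__main__":
    print(nat_forwarding_report(WAN_CAPTURE, LAN_CAPTURE, "35.214.218.172"))
```

A non-empty `undelivered` list with equal outbound counts on both sides is the signature of the symptom in the post: translation works on the way out, but the state is not matched on the way back in.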
Answer 1
pfSense 2.6.0 has a problem when used together with the captive portal and does not reroute UDP packets correctly.
I resolved the issue by following this: https://redmine.pfsense.org/issues/12834