Author Topic: PFSense Firewall Discussion Thread  (Read 4240 times)

jonesbo

  • Newbie
  • *
  • Posts: 3
PFSense Firewall Discussion Thread
« on: October 08, 2010, 12:49:18 AM »
Is anyone here using pfSense as their firewall? I have tried the current 1.2.3 release as well as the latest 2.0 Beta4 snapshot and for the life of me cannot get iCamSource to work with this firewall. Even after going as far as manually punching TCP AND UDP ports through NAT and the firewall itself in an any/any configuration it just will not work. I'd really like to use this product as my firewall because of the granular control it gives, not to mention the advanced reporting and bandwidth tracking, modular snap-in support, etc. The feature list is untouchable by normal brick-and-mortar home firewalls. Its feature set is even more robust than dd-wrt and a lot more stable in a lot of aspects.

Has anyone else had success with getting iCamSource to work with PFSense? If so how did you get it to work?

If not, I'd like to dedicate this thread to troubleshooting this issue and to try and garner support for making this work.

I guess the very first question I have for the devs is: can we get a packet-by-packet stepping of how this program works, so I can do packet captures on the LAN and WAN side of my network and compare them to your stepping to see exactly in which step this process is failing?

Thanks,
Bobby

Stefan

  • Administrator
  • Hero Member
  • *****
  • Posts: 2358
Re: PFSense Firewall Discussion Thread
« Reply #1 on: October 08, 2010, 12:28:38 PM »
I guess the very first question I have for the devs is: can we get a packet-by-packet stepping of how this program works, so I can do packet captures on the LAN and WAN side of my network and compare them to your stepping to see exactly in which step this process is failing?

What if you just capture the packets with the firewall off as well as with it on and then see what the difference is? iCam and the iCamSource communicate with each other and the iCam Broker Servers via UDP, so you don't need to look at any TCP traffic.

jonesbo

  • Newbie
  • *
  • Posts: 3
Re: PFSense Firewall Discussion Thread
« Reply #2 on: November 11, 2010, 10:21:53 AM »
When I have everything configured standard, here is what NAT-PMP reports on pfSense.

32776 keep state    udp    192.168.1.200    NAT-PMP 7369
32777 keep state    udp    192.168.1.200    NAT-PMP 7369

192.168.1.200 is the ip of the laptop running iCamSource in my test environment.

Now when my iPhone requests a connection to the iCamSource instance, the firewall logging reports the following and blocks it.

Nov 11 11:04:51 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:52 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:53 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:54 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:55 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:56 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:57 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:58 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:59 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:05:00 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:05:01 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:05:02 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:05:03 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:05:04 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:06:23 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:25 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:26 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:27 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:27 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:28 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:29 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:30 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:31 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:32 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:33 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:35 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:35 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:37 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:37 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:38 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:39 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:40 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:41 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:42 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:44 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:44 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:46 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:47 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:47 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:48 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:49 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:50 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:52 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:52 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:53 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP

Now why in the world would iCamSource request ports 32776 and 32777 UDP on NAT-PMP yet have the connection come in from the iPhone on port 51433 UDP?

This I think is part of the problem.

Stefan

  • Administrator
  • Hero Member
  • *****
  • Posts: 2358
Re: PFSense Firewall Discussion Thread
« Reply #3 on: November 11, 2010, 02:48:41 PM »
Do you have the Auto-Config Router checkbox checked in the iCamSource? If so, what is the UPnP or NAT-PMP status message that appears when you click the Start button?

Tidder

  • Newbie
  • *
  • Posts: 1
Re: PFSense Firewall Discussion Thread
« Reply #4 on: February 05, 2013, 08:17:46 PM »
I know this is an old thread but pfSense 2.0.2 still has the same "problem", it's actually a security feature.

Anyone using pfSense should understand what I'm about to type out to get this working properly.

First, a run-down of the problem. pfSense, by default, rewrites the source port on all outgoing connections. What this means is even if iCam and UPnP are both working on port 12000, pfSense will tell the iCam client (phone, tablet, whatever) that it's using port 55432 or something to that effect.

What needs to be done with pfSense is Advanced Outbound NAT needs to be enabled, and the iCam server requires a static port setting. More info here. Apparently I can't post links so you'll need to copy, paste, and fix this link: hxxp://doc.pfsense.org/index.php/Static_Port

I set up an AO NAT rule as well as manual port forwarding (I don't do UPnP, big security hole) for my iCamSource PC and don't have a single issue.
Don't forget to either clear the states or reboot pfSense after changing outbound NAT rules.

It's working beautifully for me with my pfSense router.
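The mismatch jonesbo saw in reply #2 (NAT-PMP mapped 32776/32777 but the phone arrived on 51433) is exactly what Tidder's source-port rewriting explanation predicts. As an added example that is not part of this thread or of pfSense, the script below parses the NAT-PMP status table and the firewall log in the formats quoted above and counts blocked inbound hits whose destination port has no NAT-PMP mapping; the sample lines are constructed from the ones in the thread, plus one extra hit on a mapped port to show the distinction.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the two tables quoted in reply #2.
NATPMP_MAPPINGS = """\
32776 keep state    udp    192.168.1.200    NAT-PMP 7369
32777 keep state    udp    192.168.1.200    NAT-PMP 7369
"""

FIREWALL_LOG = """\
Nov 11 11:04:51 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:04:52 WAN <MyiPhone3Gip>:23843 <MyExternalWANip>:51433 UDP
Nov 11 11:06:23 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:51433 UDP
Nov 11 11:06:25 WAN <MyiPhone3Gip>:25703 <MyExternalWANip>:32776 UDP
"""

# "<ext port> keep state <proto> <internal host> NAT-PMP <lifetime>"
NATPMP_RE = re.compile(r"^(\d+)\s+keep state\s+(\w+)\s+(\S+)\s+NAT-PMP\s+\d+$")
# "<Mon dd hh:mm:ss> <iface> <src>:<sport> <dst>:<dport> <PROTO>"
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)$")


def parse_natpmp(text):
    """Return {(proto, external_port): internal_host} from the NAT-PMP status table."""
    mappings = {}
    for line in text.splitlines():
        m = NATPMP_RE.match(line.strip())
        if m:
            port, proto, host = m.groups()
            mappings[(proto.lower(), int(port))] = host
    return mappings


def parse_log(text):
    """Parse firewall log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, iface, src, sport, dst, dport, proto = m.groups()
        entries.append({"time": ts, "iface": iface, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto.lower()})
    return entries


def unmapped_inbound(mappings, entries, iface="WAN"):
    """Count blocked inbound hits on <iface> whose (proto, dport) has no NAT-PMP mapping."""
    hits = Counter()
    for e in entries:
        if e["iface"] == iface and (e["proto"], e["dport"]) not in mappings:
            hits[(e["proto"], e["dport"])] += 1
    return hits
```

A non-empty result points at a port the remote peer learned that the router never opened, which is the symptom static-port outbound NAT is meant to remove.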