problem with custom vpn settings
Posted: Wed Jan 17, 2018 6:27 pm
Hi guys,
I have a VPN with just authentication (no crypto for performance purposes; thus I am just using ca.crt and a server.key, but no client.key/client.crt).
My ca.crt has been generated as follows:
Code:
# ./build-ca
# cp ca.crt /etc/openvpn
My server.key has been generated as follows:
Code:
# openvpn --genkey --secret server.key
I can connect to the server and tun0 on each side is well set, but they cannot ping each other... even if the routes seem to be okay.
Also, I would first like to redirect all my traffic from the client side (over a Wi-Fi network interface: wlan0), but I get the following error:
NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
My client is a rooted Android device and my server is hosted on a public cloud. My Android mobile is connected (wlan0: 192.168.50.179/23) to the router using a Wi-Fi AP, then the router is connected to the Internet through an ISP gateway.
The problem is that my traffic is not redirected through the tunnel; the endpoint interfaces are not reachable with the ping command; the traceroute command doesn't go through the VPN. I have enabled ip_forward, added a NAT forward rule and routes, but it is still not working, which is why I am asking for another external view from experts. I think there is something wrong but I am sure I am very close to the solution!
Thanks in advance!
--------------------------------------------------------------------------------------------------------------------------------------------------
1. My server settings are the following:
I'm starting the service as follows:
Here are the network settings:
--------------------------------------------------------------------------------------------------------------------------------------------------
2. My client settings are the following:
I'm starting the VPN like this:
Here are the network settings:
But I cannot ping the remote endpoint:
And packets are not redirected to the tunnel (tun0):
--------------------------------------------------------------------------------------------------------------------------------------------------
Code:
/etc/openvpn# cat server.conf
# specify username/group for the openvpn daemon
user nobody
group nobody
;daemon
# Default's port
port 1194
# Specify tcp as protocol
proto tcp-server
# Enable compression
comp-lzo
# Use dynamic tun devices
dev tun
# 10.8.0.254 is our local VPN endpoint
# 10.8.0.1 is our remote VPN endpoint
ifconfig 10.8.0.254 10.8.0.1
# Make the link more resistent to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Push routes
push "route 10.8.0.0 255.255.255.0"
push "route 54.37.227.0 255.255.255.255"
route 54.37.227.0 255.255.255.255
# Push DNS
push "dhcp-option "DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Redirect all network trafic to the vpn
;push "redirect-gateway"
;push "redirect-gateway def1"
push "redirect-gateway local def1"
;push "redirect-gateway def1 bypass-dhcp"
push "remote-gateway 10.8.0.254"
# maximum of 10 clients a time
max-clients 10
# verbosity
verb 3
# Our pre-shared static key
secret server.key
Code:
# systemctl restart openvpn@server
# systemctl status openvpn@server
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-01-17 17:32:34 CET; 3s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 24650 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, status=0/SUCCESS)
Main PID: 24654 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─24654 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
Jan 17 17:32:34 vps489397 ovpn-server[24654]: ROUTE_GATEWAY 54.37.224.1
Jan 17 17:32:34 vps489397 ovpn-server[24654]: TUN/TAP device tun0 opened
Jan 17 17:32:34 vps489397 ovpn-server[24654]: TUN/TAP TX queue length set to 100
Jan 17 17:32:34 vps489397 ovpn-server[24654]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 17 17:32:34 vps489397 ovpn-server[24654]: /sbin/ip link set dev tun0 up mtu 1500
Jan 17 17:32:34 vps489397 ovpn-server[24654]: /sbin/ip addr add dev tun0 local 10.8.0.254 peer 10.8.0.1
Jan 17 17:32:34 vps489397 ovpn-server[24654]: /sbin/ip route add 54.37.227.0/32 via 10.8.0.1
Jan 17 17:32:34 vps489397 ovpn-server[24654]: GID set to nobody
Jan 17 17:32:34 vps489397 ovpn-server[24654]: UID set to nobody
Jan 17 17:32:34 vps489397 ovpn-server[24654]: Listening for incoming TCP connection on [undef]
Code:
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:a3:c4:56 brd ff:ff:ff:ff:ff:ff
inet 54.37.227.238/32 brd 54.37.227.238 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fea3:c456/64 scope link
valid_lft forever preferred_lft forever
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.254 peer 10.8.0.1/32 scope global tun0
valid_lft forever preferred_lft forever
Code:
# ip route
default via 54.37.224.1 dev ens3
10.8.0.1 dev tun0 proto kernel scope link src 10.8.0.254
54.37.224.1 dev ens3 scope link
54.37.227.0 via 10.8.0.1 dev tun0
Code:
# ip neigh
54.37.224.1 dev ens3 lladdr 5e:65:5a:9a:13:10 REACHABLE
Code:
# cat /proc/sys/net/ipv4/ip_forward
1
Code:
# iptables-save
# Generated by iptables-save v1.6.0 on Wed Jan 17 18:38:25 2018
*nat
:PREROUTING ACCEPT [4227:149246]
:INPUT ACCEPT [4227:149246]
:OUTPUT ACCEPT [228:17029]
:POSTROUTING ACCEPT [24:1584]
-A POSTROUTING -o ens3 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
COMMIT
# Completed on Wed Jan 17 18:38:25 2018
# Generated by iptables-save v1.6.0 on Wed Jan 17 18:38:25 2018
*filter
:INPUT ACCEPT [730298:1737365531]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [689200:3101554163]
COMMIT
# Completed on Wed Jan 17 18:38:25 2018
Code:
# cat ./client1.ovpn
# Specify the remote ip / port
remote 54.37.227.238 1194
# Specify tcp as protocol
proto tcp-client
# Enable compression
comp-lzo
# Use dynamic tun devices
dev tun
# Static setting
# 10.8.0.1 is our local VPN endpoint
# 10.8.0.254 is our remote VPN endpoint
ifconfig 10.8.0.1 10.8.0.254
# Define route(s)
route 0.0.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
# Add static route
route-gateway 10.8.0.1
# Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN
redirect-gateway local
# verbosity
verb 3
# Our pre-shared static key
secret server.key
Code:
# /system/bin/openvpn --config /data/client1.ovpn --route-gateway 10.8.0.1
Wed Jan 17 17:54:14 2018 OpenVPN 2.3.10 arm-unknown-linux-androideabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 20 2016
Wed Jan 17 17:54:14 2018 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Wed Jan 17 17:54:14 2018 WARNING: file 'inmarsat-gw-server.key' is group or others accessible
Wed Jan 17 17:54:14 2018 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 17 17:54:14 2018 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 17 17:54:14 2018 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 17 17:54:14 2018 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 17 17:54:14 2018 Socket Buffers: R=[2097152->2097152] S=[524288->524288]
Wed Jan 17 17:54:14 2018 TUN/TAP device tun0 opened
Wed Jan 17 17:54:14 2018 TUN/TAP TX queue length set to 100
Wed Jan 17 17:54:14 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jan 17 17:54:14 2018 /system/bin/ip link set dev tun0 up mtu 1500
Wed Jan 17 17:54:14 2018 /system/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.254
Wed Jan 17 17:54:14 2018 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Wed Jan 17 17:54:14 2018 /system/bin/ip route add 0.0.0.0/24 via 10.8.0.1
Wed Jan 17 17:54:14 2018 /system/bin/ip route add 10.8.0.0/24 via 10.8.0.1
Wed Jan 17 17:54:14 2018 Attempting to establish TCP connection with [AF_INET]54.37.227.238:1194 [nonblock]
Wed Jan 17 17:54:15 2018 TCP connection established with [AF_INET]54.37.227.238:1194
Wed Jan 17 17:54:15 2018 TCPv4_CLIENT link local: [undef]
Wed Jan 17 17:54:15 2018 TCPv4_CLIENT link remote: [AF_INET]54.37.227.238:1194
Wed Jan 17 17:54:15 2018 Peer Connection Initiated with [AF_INET]54.37.227.238:1194
Wed Jan 17 17:54:16 2018 Initialization Sequence Completed
Code:
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default
link/ether ee:3c:f8:27:eb:64 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether 72:63:72:9a:cb:3c brd ff:ff:ff:ff:ff:ff
inet6 fe80::7063:72ff:fe9a:cb3c/64 scope link
valid_lft forever preferred_lft forever
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
link/sit 0.0.0.0 brd 0.0.0.0
5: rmnet_ipa0: <UP,LOWER_UP> mtu 2000 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/[530]
6: rmnet_data0: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
7: rmnet_data1: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
8: rmnet_data2: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
9: rmnet_data3: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
10: rmnet_data4: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
11: rmnet_data5: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
12: rmnet_data6: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
13: rmnet_data7: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
14: r_rmnet_data0: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
15: r_rmnet_data1: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
16: r_rmnet_data2: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
17: r_rmnet_data3: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
18: r_rmnet_data4: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
19: r_rmnet_data5: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
20: r_rmnet_data6: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
21: r_rmnet_data7: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
22: r_rmnet_data8: <> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/[530]
23: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 3000
link/ether ac:37:43:4b:71:23 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.179/23 brd 192.168.51.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 fe80::ae37:43ff:fe4b:7123/64 scope link
valid_lft forever preferred_lft forever
24: p2p0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 3000
link/ether ae:37:43:4b:71:23 brd ff:ff:ff:ff:ff:ff
Code:
# ip route
192.168.50.0/23 dev wlan0 proto kernel scope link src 192.168.50.179
Code:
# ip neigh
192.168.50.1 dev wlan0 lladdr 00:03:2d:28:05:21 REACHABLE
Code:
# cat /proc/sys/net/ipv4/ip_forward
1
Code:
# iptables-save
# Generated by iptables-save v1.4.20 on Wed Jan 17 17:40:07 2018
*security
:INPUT ACCEPT [3624053:187737775]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3623964:186483169]
COMMIT
# Completed on Wed Jan 17 17:40:07 2018
# Generated by iptables-save v1.4.20 on Wed Jan 17 17:40:07 2018
*raw
:PREROUTING ACCEPT [974711:48924459]
:OUTPUT ACCEPT [978992:49189270]
:bw_raw_PREROUTING - [0:0]
:idletimer_raw_PREROUTING - [0:0]
:natctrl_raw_PREROUTING - [0:0]
:nm_mdmprxy_raw_pre - [0:0]
-A PREROUTING -j bw_raw_PREROUTING
-A PREROUTING -j idletimer_raw_PREROUTING
-A PREROUTING -j natctrl_raw_PREROUTING
-A bw_raw_PREROUTING -m owner --socket-exists
-A idletimer_raw_PREROUTING -i wlan0 -j IDLETIMER --timeout 15 --label 1 --send_nl_msg 1
-A nm_mdmprxy_raw_pre -p tcp -m multiport --ports 5060 -j NOTRACK
-A nm_mdmprxy_raw_pre -p udp -m multiport --ports 5060 -j NOTRACK
COMMIT
# Completed on Wed Jan 17 17:40:07 2018
# Generated by iptables-save v1.4.20 on Wed Jan 17 17:40:07 2018
*nat
:PREROUTING ACCEPT [6168:540517]
:INPUT ACCEPT [656:103106]
:OUTPUT ACCEPT [1807447:108451729]
:POSTROUTING ACCEPT [1807447:108451729]
:natctrl_nat_POSTROUTING - [0:0]
:oem_nat_pre - [0:0]
-A PREROUTING -j oem_nat_pre
-A POSTROUTING -j natctrl_nat_POSTROUTING
COMMIT
# Completed on Wed Jan 17 17:40:07 2018
# Generated by iptables-save v1.4.20 on Wed Jan 17 17:40:07 2018
*mangle
:PREROUTING ACCEPT [974711:48924459]
:INPUT ACCEPT [974648:48921901]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [978992:49189270]
:POSTROUTING ACCEPT [978992:49189270]
:bw_mangle_POSTROUTING - [0:0]
:idletimer_mangle_POSTROUTING - [0:0]
:natctrl_mangle_FORWARD - [0:0]
:nm_mdmprxy_dl_ping6_marker - [0:0]
:nm_mdmprxy_icmp_pkt_marker - [0:0]
:nm_mdmprxy_mark_prov_chain - [0:0]
:nm_mdmprxy_mngl_post - [0:0]
:nm_mdmprxy_mngl_pre_ex - [0:0]
:nm_mdmprxy_mngl_pre_spi - [0:0]
:nm_mdmprxy_mngl_pre_tee - [0:0]
:nm_mdmprxy_pkt_forwarder - [0:0]
:nm_mdmprxy_pkt_marker - [0:0]
:nm_mdmprxy_pkt_skmark - [0:0]
:qcom_qos_filter_POSTROUTING - [0:0]
:qcom_qos_reset_POSTROUTING - [0:0]
-A INPUT -i wlan0 -j MARK --set-xmark 0x302b5/0xffffffff
-A FORWARD -j natctrl_mangle_FORWARD
-A POSTROUTING -j bw_mangle_POSTROUTING
-A POSTROUTING -j idletimer_mangle_POSTROUTING
-A POSTROUTING -j qcom_qos_reset_POSTROUTING
-A POSTROUTING -j qcom_qos_filter_POSTROUTING
-A bw_mangle_POSTROUTING -m owner --socket-exists
-A idletimer_mangle_POSTROUTING -o wlan0 -j IDLETIMER --timeout 15 --label 1 --send_nl_msg 1
-A natctrl_mangle_FORWARD -p tcp -m tcp --tcp-flags SYN SYN -j TCPMSS --clamp-mss-to-pmtu
-A nm_mdmprxy_mark_prov_chain -p tcp -m tcp --dport 32100:32600 -j MARK --set-xmark 0x9/0xffffffff
-A nm_mdmprxy_mark_prov_chain -p udp -m udp --dport 32100:32600 -j MARK --set-xmark 0x9/0xffffffff
-A nm_mdmprxy_mark_prov_chain -p tcp -m tcp --dport 40100:40150 -j MARK --set-xmark 0x9/0xffffffff
-A nm_mdmprxy_mark_prov_chain -p udp -m socket --transparent --nowildcard --restore-skmark -j nm_mdmprxy_pkt_skmark
-A nm_mdmprxy_mark_prov_chain -p tcp -m socket --transparent --nowildcard --restore-skmark -j nm_mdmprxy_pkt_skmark
-A nm_mdmprxy_mngl_post -m mark --mark 0x9 -j MARK --set-xmark 0x0/0xffffffff
-A nm_mdmprxy_mngl_pre_ex -p tcp -m tcp --dport 50010:50060 -j MARK --set-xmark 0x9/0xffffffff
-A nm_mdmprxy_mngl_pre_ex -p udp -m udp --dport 50010:50060 -j MARK --set-xmark 0x9/0xffffffff
-A nm_mdmprxy_pkt_marker -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mark_prov_chain
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mngl_pre_spi
-A nm_mdmprxy_pkt_marker -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x9/0xffffffff
-A nm_mdmprxy_pkt_marker -p udp -m udp --dport 5060 -j MARK --set-xmark 0x9/0xffffffff
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mngl_pre_ex
-A nm_mdmprxy_pkt_marker -m mark --mark 0x9 -j nm_mdmprxy_pkt_forwarder
-A nm_mdmprxy_pkt_skmark -j RETURN
COMMIT
# Completed on Wed Jan 17 17:40:07 2018
# Generated by iptables-save v1.4.20 on Wed Jan 17 17:40:07 2018
*filter
:INPUT ACCEPT [217680:10997882]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [221436:11257831]
:bw_FORWARD - [0:0]
:bw_INPUT - [0:0]
:bw_OUTPUT - [0:0]
:bw_costly_shared - [0:0]
:bw_data_saver - [0:0]
:bw_happy_box - [0:0]
:bw_penalty_box - [0:0]
:fw_FORWARD - [0:0]
:fw_INPUT - [0:0]
:fw_OUTPUT - [0:0]
:fw_dozable - [0:0]
:fw_powersave - [0:0]
:fw_standby - [0:0]
:natctrl_FORWARD - [0:0]
:natctrl_tether_counters - [0:0]
:nm_mdmprxy_doze_mode_skip - [0:0]
:nm_mdmprxy_iface_pkt_fwder - [0:0]
:oem_fwd - [0:0]
:oem_out - [0:0]
:st_OUTPUT - [0:0]
:st_clear_caught - [0:0]
:st_clear_detect - [0:0]
:st_penalty_log - [0:0]
:st_penalty_reject - [0:0]
-A INPUT -j bw_INPUT
-A INPUT -j fw_INPUT
-A FORWARD -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j oem_fwd
-A FORWARD -j fw_FORWARD
-A FORWARD -j bw_FORWARD
-A FORWARD -j natctrl_FORWARD
-A FORWARD -s 10.8.0.0/24 -d 54.37.227.238/32 -i tun0 -j ACCEPT
-A OUTPUT -j oem_out
-A OUTPUT -j fw_OUTPUT
-A OUTPUT -j st_OUTPUT
-A OUTPUT -j bw_OUTPUT
-A bw_INPUT -m quota2 ! --name globalAlert --quota 2097152
-A bw_INPUT -m owner --socket-exists
-A bw_OUTPUT -m quota2 ! --name globalAlert --quota 2097152
-A bw_OUTPUT -m owner --socket-exists
-A bw_costly_shared -j bw_penalty_box
-A bw_data_saver -j RETURN
-A bw_happy_box -m owner --uid-owner 10012 -j RETURN
-A bw_happy_box -m owner --uid-owner 0-9999 -j RETURN
-A bw_happy_box -j bw_data_saver
-A bw_penalty_box -j bw_happy_box
-A fw_dozable -i lo -o lo -j RETURN
-A fw_dozable -p tcp -m tcp --tcp-flags RST RST -j RETURN
-A fw_dozable -m owner --uid-owner 0-9999 -j RETURN
-A fw_dozable -j DROP
-A fw_powersave -i lo -o lo -j RETURN
-A fw_powersave -p tcp -m tcp --tcp-flags RST RST -j RETURN
-A fw_powersave -m owner --uid-owner 0-9999 -j RETURN
-A fw_powersave -j DROP
-A fw_standby -i lo -o lo -j RETURN
-A fw_standby -p tcp -m tcp --tcp-flags RST RST -j RETURN
-A natctrl_FORWARD -j DROP
-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT --reject-with icmp-port-unreachable
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000" -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_clear_detect -p udp -m u32 --u32 "0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0" -j st_clear_caught
-A st_clear_detect -p udp -j st_clear_caught
-A st_penalty_log -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_penalty_log -j NFLOG
-A st_penalty_reject -j CONNMARK --set-xmark 0x2000000/0x2000000
-A st_penalty_reject -j NFLOG
-A st_penalty_reject -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Jan 17 17:40:07 2018
Code:
# ping 10.8.0.254
PING 10.8.0.254 (10.8.0.254) 56(84) bytes of data.
^C
--- 10.8.0.254 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5006ms
Code:
# traceroute google.fr
traceroute to google.fr (216.58.208.195), 30 hops max, 46 byte packets
1 pfSense.localdomain (192.168.50.1) 0.114 ms 9.625 ms 2.616 ms
2 mal35-3-82-240-201-254.fbx.proxad.net (82.240.201.254) 52.267 ms 32.516 ms 32.946 ms
3 213.228.11.190 (213.228.11.190) 32.672 ms 36.042 ms 34.066 ms
4 p11-crs16-1-be1112.intf.routers.proxad.net (194.149.162.97) 46.632 ms 48.195 ms 47.081 ms
5 cbv-crs8-1.intf.routers.proxad.net (78.254.249.102) 46.853 ms 46.452 ms 47.150 ms
6 72.14.221.62 (72.14.221.62) 46.949 ms 48.282 ms 46.341 ms
7 108.170.244.161 (108.170.244.161) 46.411 ms 108.170.244.225 (108.170.244.225) 46.146 ms 108.170.244.161 (108.170.244.161) 49.303 ms
8 216.239.42.39 (216.239.42.39) 46.667 ms 216.239.42.37 (216.239.42.37) 122.027 ms 124.224 ms
9 par10s21-in-f3.1e100.net (216.58.208.195) 47.672 ms 46.594 ms 46.755 ms
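As an added example (not part of the original post and not the OpenVPN project's own code), the following Python script runs two offline checks over samples constructed from the post. The first is a small linter for the two config files: it flags the unbalanced quotes in the dhcp-option push, the push of a directive that does not exist in OpenVPN (the option that sets the gateway for route is route-gateway, not remote-gateway), push lines in a --secret setup (push is delivered over the TLS control channel, which static-key mode does not have), the route 0.0.0.0 255.255.255.0 line (which the client log shows installed as 0.0.0.0/24 rather than as a default route), and the fact that a --secret setup with no cipher line still encrypts with the build default (the client log reports BF-CBC), so "no crypto" is not what is running. The second check reads a main routing table as printed by ip route: the client's table has no default route, which is the condition behind "Cannot read current default gateway from system" (Android keeps its default routes in per-network policy routing tables, not in the main table). The KNOWN set is a subset of real OpenVPN 2.x directives chosen for these files, and the sample texts are trimmed copies of what is posted.

```python
"""Offline sanity checks for the static-key OpenVPN setup discussed above.

Added example, not code from the original post or from the OpenVPN project.
It implements only the subset of OpenVPN's config grammar needed here (one
directive per line, '#'/';' comments, shell-style quoting) and runs on
sample texts constructed from the post.
"""
import shlex

# Constructed sample: the lines of the posted server.conf that matter here.
SERVER_CONF = """\
proto tcp-server
dev tun
ifconfig 10.8.0.254 10.8.0.1
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option "DNS 8.8.8.8"
push "redirect-gateway local def1"
push "remote-gateway 10.8.0.254"
secret server.key
"""

# Constructed sample: the lines of the posted client1.ovpn that matter here.
CLIENT_CONF = """\
remote 54.37.227.238 1194
proto tcp-client
dev tun
ifconfig 10.8.0.1 10.8.0.254
route 0.0.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
route-gateway 10.8.0.1
redirect-gateway local
secret server.key
"""

# Constructed samples: 'ip route' (main table) on the client and the server, as posted.
CLIENT_IP_ROUTE = "192.168.50.0/23 dev wlan0 proto kernel scope link src 192.168.50.179\n"
SERVER_IP_ROUTE = ("default via 54.37.224.1 dev ens3\n"
                   "10.8.0.1 dev tun0 proto kernel scope link src 10.8.0.254\n")

# Real OpenVPN 2.x directives used by the two files (a subset chosen for this
# example). 'remote-gateway' is deliberately absent: the option that sets the
# gateway for 'route' is 'route-gateway'.
KNOWN = {"proto", "dev", "ifconfig", "push", "route", "route-gateway",
         "redirect-gateway", "dhcp-option", "secret", "remote", "cipher",
         "auth", "tls-server", "tls-client", "mode", "ca", "cert", "key", "dh",
         "comp-lzo", "keepalive", "ping-timer-rem", "persist-tun", "persist-key",
         "user", "group", "port", "verb", "max-clients", "daemon"}


def parse(text):
    """Yield (lineno, line, tokens) per directive; tokens is None when quotes are unbalanced."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.count('"') % 2:          # odd number of quotes: shlex would raise too
            yield n, line, None
        else:
            yield n, line, shlex.split(line)


def lint(text):
    """Return a list of human-readable findings for one config file."""
    findings = []
    directives = list(parse(text))
    names = {toks[0] for _, _, toks in directives if toks}
    static_key = "secret" in names
    has_tls = bool(names & {"tls-server", "tls-client", "mode", "ca"})
    for n, line, toks in directives:
        if toks is None:
            findings.append(f"line {n}: unbalanced quotes: {line}")
            continue
        name, args = toks[0], toks[1:]
        if name not in KNOWN:
            findings.append(f"line {n}: unknown directive '{name}'")
        if name == "push":
            # the pushed payload is itself a directive; check it the same way
            inner = shlex.split(args[0]) if args else []
            if inner and inner[0] not in KNOWN:
                findings.append(f"line {n}: push of unknown directive '{inner[0]}'")
            if static_key and not has_tls:
                findings.append(f"line {n}: push is delivered over the TLS control "
                                "channel; --secret mode has none, so it is never sent")
        if name == "route" and len(args) >= 2 and args[0] == "0.0.0.0" and args[1] != "0.0.0.0":
            plen = sum(bin(int(octet)).count("1") for octet in args[1].split("."))
            findings.append(f"line {n}: 'route 0.0.0.0 {args[1]}' installs 0.0.0.0/{plen}, "
                            "not a default route (use mask 0.0.0.0 or redirect-gateway)")
        if name in ("cipher", "auth") and args == ["none"]:
            what = "confidentiality" if name == "cipher" else "integrity"
            findings.append(f"line {n}: '{name} none' removes {what} from the tunnel")
    if static_key and "cipher" not in names:
        findings.append("no 'cipher' line: static-key mode still encrypts with the "
                        "build default (BF-CBC on 2.3), so this is not 'no crypto'")
    return findings


def has_default_route(ip_route_output):
    """True if the main table printed by 'ip route' holds a default route.

    redirect-gateway reads this table; without a default route OpenVPN logs
    'Cannot read current default gateway from system'.
    """
    return any(l.split()[0] in ("default", "0.0.0.0/0")
               for l in ip_route_output.splitlines() if l.strip())


if __name__ == "__main__":
    for label, conf in (("server.conf", SERVER_CONF), ("client1.ovpn", CLIENT_CONF)):
        print(f"== {label}")
        for finding in lint(conf):
            print("  " + finding)
    print("client main table has a default route:", has_default_route(CLIENT_IP_ROUTE))
    print("server main table has a default route:", has_default_route(SERVER_IP_ROUTE))
```

The linter is the kind of pre-deployment check worth keeping around: every finding above is visible in the posted logs, but only after the fact. The other item to fix before relying on a static key is the permission warning in the client log ("is group or others accessible"): with --secret there is one shared key, and any process able to read that file can decrypt and forge tunnel traffic, so the file should be readable by the OpenVPN user only.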