Return UDP packets are discarded

I use a High Availability pfSense 2.6.0 cluster and I see strange behaviour with UDP when using a Discord voice channel. In fact, the Discord voice channel displays "No route" and traffic analysis shows that packets seem to be discarded.

The pfSense configuration is very simple:

re0: WAN - 192.168.1.251/24 (CARP 192.168.1.253/24) Upstream GW : 192.168.1.254
Gateway 192.168.1.254 is a Netgear device configured in router mode with DMZ to 192.168.1.253

ale0: LAN - 192.168.254.248/24 (CARP 192.168.254.254/24)

Firewall / Rules / WAN

States  Proto       Source                          Port    Destination     Port        Gateway Queue   Schedule    Description
Block   *           RFC 1918 networks               *       *               *           *       *                   Block private networks
Block   *           Reserved Not assigned by IANA   *       *               *           *       *                   Block bogon networks
Pass    IPv4/TCP    *                               *       192.168.1.253   443         *       *                   Temporary emergency rules
Block   IPv4+6 *    *                               *       *               *           *       *                   Deny all

Firewall / Rules / LAN

States  Proto       Source                          Port    Destination     Port        Gateway Queue   Schedule    Description
Pass    *           *                               *       LAN Address     443/80/22   *       *                   Anti-Lockout Rule
Pass    IPv4+6 *    LAN net                         *       *               *           *       none                Default allow LAN to any rule

Firewall / NAT / Outbound : Hybrid Outbound NAT

Interface       Source              Source port     Destination     Destination port    NAT Address     NAT Port        Static port     Description
WAN             192.168.254.0/24    *               *               *                   192.168.1.253   *               Randomize       LAN to WAN

No Floating, Port Forward, 1:1 or NPt rules

On the Discord app on the 192.168.254.12 computer, when opening a voice channel, the app tries to connect to 35.214.218.172 on UDP port 50007. The packet is sent and the response is received on the WAN interface, but never shows up on the LAN interface.

Nothing in the firewall log.

WAN: tcpdump -nni re0 host 35.214.218.172
11:43:22.025432 IP 192.168.1.253.15185 > 35.214.218.172.50007: UDP, length 74
11:43:22.026410 IP 192.168.1.253.50139 > 35.214.218.172.50007: UDP, length 74
11:43:22.061369 IP 35.214.218.172.50007 > 192.168.1.253.50139: UDP, length 74
11:43:22.061444 IP 35.214.218.172.50007 > 192.168.1.253.15185: UDP, length 74
11:43:24.026405 IP 192.168.1.253.15185 > 35.214.218.172.50007: UDP, length 74
11:43:24.027475 IP 192.168.1.253.50139 > 35.214.218.172.50007: UDP, length 74
11:43:24.059259 IP 35.214.218.172.50007 > 192.168.1.253.50139: UDP, length 74
11:43:24.063869 IP 35.214.218.172.50007 > 192.168.1.253.15185: UDP, length 74

LAN: tcpdump -nni ale0 udp and host 192.168.254.12
11:43:22.025317 IP 192.168.254.12.55598 > 35.214.218.172.50007: UDP, length 74
11:43:22.025331 IP 192.168.254.12.55599 > 35.214.218.172.50007: UDP, length 74
11:43:24.025633 IP 192.168.254.12.55598 > 35.214.218.172.50007: UDP, length 74
11:43:24.025644 IP 192.168.254.12.55599 > 35.214.218.172.50007: UDP, length 74

Any idea?

EDIT:

Tried a new capture with an ugly rule in Firewall / Rules / WAN

States  Proto       Source                          Port    Destination     Port        Gateway Queue   Schedule    Description
Pass    IPv4+6 UDP  *                               *       *               *           *       none    *           Ugly temporary rule

tcpdump -nni ale0 udp and host 35.214.169.122
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ale0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:19.883042 IP 192.168.254.12.57442 > 35.214.169.122.50010: UDP, length 74
13:26:19.883053 IP 192.168.254.12.57443 > 35.214.169.122.50010: UDP, length 74
13:26:20.883026 IP 192.168.254.12.57442 > 35.214.169.122.50010: UDP, length 74
13:26:20.883038 IP 192.168.254.12.57443 > 35.214.169.122.50010: UDP, length 74

tcpdump -nni re0 udp and host 35.214.169.122
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:19.884054 IP 192.168.1.253.33273 > 35.214.169.122.50010: UDP, length 74
13:26:19.885125 IP 192.168.1.253.24817 > 35.214.169.122.50010: UDP, length 74
13:26:19.919506 IP 35.214.169.122.50010 > 192.168.1.253.24817: UDP, length 74
13:26:19.922135 IP 35.214.169.122.50010 > 192.168.1.253.33273: UDP, length 74
13:26:20.884084 IP 192.168.1.253.33273 > 35.214.169.122.50010: UDP, length 74
13:26:20.885025 IP 192.168.1.253.24817 > 35.214.169.122.50010: UDP, length 74
13:26:20.917825 IP 35.214.169.122.50010 > 192.168.1.253.24817: UDP, length 74
13:26:20.921016 IP 35.214.169.122.50010 > 192.168.1.253.33273: UDP, length 74
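As an added diagnostic example (not part of the question and not pfSense's own code), the script below parses the two tcpdump captures posted above, pairs each LAN-side outbound packet with its translated twin on the WAN side to reconstruct the outbound NAT table, and then reports every WAN-side reply that has no untranslated counterpart in the LAN capture. The LAN network, the WAN CARP address and the half-second pairing window are assumptions taken from the configuration in the question.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Captures copied from the question: LAN side (ale0) and WAN side (re0).
LAN_CAPTURE = """\
11:43:22.025317 IP 192.168.254.12.55598 > 35.214.218.172.50007: UDP, length 74
11:43:22.025331 IP 192.168.254.12.55599 > 35.214.218.172.50007: UDP, length 74
11:43:24.025633 IP 192.168.254.12.55598 > 35.214.218.172.50007: UDP, length 74
11:43:24.025644 IP 192.168.254.12.55599 > 35.214.218.172.50007: UDP, length 74
"""
WAN_CAPTURE = """\
11:43:22.025432 IP 192.168.1.253.15185 > 35.214.218.172.50007: UDP, length 74
11:43:22.026410 IP 192.168.1.253.50139 > 35.214.218.172.50007: UDP, length 74
11:43:22.061369 IP 35.214.218.172.50007 > 192.168.1.253.50139: UDP, length 74
11:43:22.061444 IP 35.214.218.172.50007 > 192.168.1.253.15185: UDP, length 74
11:43:24.026405 IP 192.168.1.253.15185 > 35.214.218.172.50007: UDP, length 74
11:43:24.027475 IP 192.168.1.253.50139 > 35.214.218.172.50007: UDP, length 74
11:43:24.059259 IP 35.214.218.172.50007 > 192.168.1.253.50139: UDP, length 74
11:43:24.063869 IP 35.214.218.172.50007 > 192.168.1.253.15185: UDP, length 74
"""

# tcpdump -n UDP line: "HH:MM:SS.ffffff IP a.b.c.d.port > e.f.g.h.port: UDP, length N"
PKT_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")


@dataclass(frozen=True)
class Pkt:
    ts: float  # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_tcpdump(text):
    """Parse UDP lines from tcpdump -n output; banner and non-UDP lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            h, mi, s, src, sport, dst, dport, ln = m.groups()
            ts = int(h) * 3600 + int(mi) * 60 + float(s)
            pkts.append(Pkt(ts, src, int(sport), dst, int(dport), int(ln)))
    return pkts


def correlate(lan_pkts, wan_pkts, lan_net="192.168.254.0/24",
              wan_addr="192.168.1.253", window=0.5):
    """Pair LAN outbound packets with their NATed WAN twins, then check that every
    reply seen on WAN reappears (untranslated) on LAN.  Pairing is a heuristic:
    same destination and length, WAN copy within `window` seconds after the LAN
    copy, earliest unused WAN packet wins.  With static port "Randomize" the
    source port is rewritten, so it cannot serve as the key."""
    net = ip_network(lan_net)
    in_lan = lambda ip: ip_address(ip) in net  # noqa: E731 (kept short on purpose)
    nat, inconsistent, used = {}, [], set()
    lan_out = sorted((p for p in lan_pkts if in_lan(p.src)), key=lambda p: p.ts)
    wan_out = sorted((p for p in wan_pkts if p.src == wan_addr), key=lambda p: p.ts)
    for lp in lan_out:
        for i, wp in enumerate(wan_out):
            if i in used or (wp.dst, wp.dport, wp.length) != (lp.dst, lp.dport, lp.length):
                continue
            if not 0 <= wp.ts - lp.ts <= window:
                continue
            used.add(i)
            key, val = (lp.src, lp.sport), (wp.src, wp.sport)
            if nat.setdefault(key, val) != val:  # same LAN socket, different WAN port
                inconsistent.append((key, nat[key], val))
            break

    reverse = {v: k for k, v in nat.items()}  # (wan ip, port) -> (lan ip, port)
    lan_in = [p for p in lan_pkts if in_lan(p.dst)]
    delivered, dropped = [], []
    for wp in (p for p in wan_pkts if p.dst == wan_addr):
        expect = reverse.get((wp.dst, wp.dport))  # where un-NAT should deliver it
        if expect is None:
            dropped.append((wp, None))  # reply to a port we never saw leave the LAN
            continue
        seen = any(lp.src == wp.src and lp.sport == wp.sport
                   and (lp.dst, lp.dport) == expect
                   and 0 <= lp.ts - wp.ts <= window for lp in lan_in)
        (delivered if seen else dropped).append((wp, expect))
    return {"nat": nat, "inconsistent": inconsistent, "outbound_matched": len(used),
            "replies_on_wan": len(delivered) + len(dropped),
            "delivered": delivered, "dropped": dropped}


def summarize(result):
    """Human-readable report lines."""
    lines = [f"outbound packets paired LAN->WAN: {result['outbound_matched']}",
             f"replies seen on WAN: {result['replies_on_wan']}, forwarded to LAN: "
             f"{len(result['delivered'])}, missing on LAN: {len(result['dropped'])}"]
    for (lip, lport), (wip, wport) in result["nat"].items():
        lines.append(f"  NAT {lip}:{lport} -> {wip}:{wport}")
    for wp, expect in result["dropped"]:
        where = f"{expect[0]}:{expect[1]}" if expect else "an unknown state"
        lines.append(f"  MISSING reply {wp.src}:{wp.sport} -> {wp.dst}:{wp.dport} "
                     f"(should have reached {where})")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(correlate(parse_tcpdump(LAN_CAPTURE),
                                        parse_tcpdump(WAN_CAPTURE)))))
```

Run as-is it reports the four WAN replies from the capture above as missing on LAN; on a live box, feed it the output of the two tcpdump commands from the question instead. The pairing is only a capture-side heuristic: the authoritative translation table is the pf state table (pfctl -ss on the console, or Diagnostics > States in the GUI), and a reply that matches a state, shows up on the WAN capture and never appears on the LAN capture is exactly the symptom reported here, which points at what happens after the state lookup rather than at the WAN rule set.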

pfSense 2.6.0 has an issue when used with captive portal and does not correctly reroute UDP packets.

I fixed the issue by following: https://redmine.pfsense.org/issues/12834
