Messages - matzej

#1
20.7 Legacy Series / Re: NAT Rules logging not working
November 25, 2020, 10:32:58 AM
Hi,

thanks for investigating.

But that could become an issue for more users; perhaps this should be considered a feature request.
Everyone using this in a commercial / university environment would get such problems.

regards M.
#2
20.7 Legacy Series / Re: NAT Rules logging not working
November 22, 2020, 02:51:11 PM
Hi,

got it.
"modulate state" works only for TCP - when I use that I have to multiply my rules, one for TCP, one for UDP, ICMP ...

Will try to catch users within the time period of access.
I have also installed IDS, but that seems not to run on the OpenVPN interface, only on the outside, so same problem - source already NATed.

thanks for clarification.

M.

#3
20.7 Legacy Series / Re: NAT Rules logging not working
November 21, 2020, 07:05:48 PM
Hi,

yes - it is outgoing.

I have added a logging rule on LAN now.
Now I have 2 log entries.
LAN:
192.168.1.10:33333 => Target:443
WAN
ExternalIP:RANDOMPORT => Target:443

I have to combine the 2 log entries, and it does only work if RANDOMPORT is not reused in the same period, or after some seconds. Will help as workaround.

More satisfying would be if the NAT rule logged the traffic, since the NAT code knows all about internal ports and external ports.
And why is there a LOG option in the NAT rule when it is good for nothing?

M.
#4
20.7 Legacy Series / Re: Outbound NAT Issues
November 21, 2020, 06:57:14 PM
Then it should work; no more ideas except some sort of typo. Source, destination? IPv4 / IPv6 stuff?
Sorry, without looking at the system ...  :-\

#5
20.7 Legacy Series / Re: Outbound NAT Issues
November 21, 2020, 05:43:02 PM
Hi,

You have an allow rule on your ManagementVLAN that allows ManagementVLAN to any?

regards M.
#6
Hi,

I am running the same setup, OpenVPN with redirect gw, and it works on 20.7.5 ... no issues.
Must be something else ...

M.
#7
20.7 Legacy Series / Re: NAT Rules logging not working
November 21, 2020, 04:42:13 PM
Hi,

I will try to describe it in more detail.

Internal IP 192.168.1.10
makes an outbound connection from source port 33333 to 1.1.1.1:80.
External IP is 2.2.2.2.

What I see in the log is a pass rule on the WAN interface:
pass 2.2.2.2:RANDOMPORT => 1.1.1.1:80

but what I need is 192.168.1.1:33333 NATed to 2.2.2.2:RANDOMPORT => 1.1.1.1:80

Example:
75,,,0,bxe0,match,pass,out,4,0x0,,127,12270,0,DF,6,tcp,52,193.16.xxx.yyy,87.106.18.a,61996,443,0,S,2766616536,,65535,,mss;nop;wscale;nop;nop;sackOK

87.106.18.a: target running a C&C server on port 443
193.16.xxx.yyy: my external IP
bxe0: WAN interface

Example CERT information:
IP address:   193.16.xxx.yyy
Last seen                  IP protocol    Source port        Destination IP    Destination port  Malware
------------------------------------------------------------------------------
2020-11-19T12:33:49+01:00                 17195              87.106.18.a       443               Gootkit
   occurrences: 1, target_url: lbegardingstorque.com/rbody320

With that information I cannot track which internal user made that connection.
What I need is the NAT information:
192.168.2.10:33333 was NATed to 193.16.xxx.yyy port 17195.

Looks like the NAT rule is executed before the pass rule, and the NAT rule does not log anything.

regards Martin
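
The workaround from post #3 (combining the LAN and WAN pass-log entries of the same flow) applied to the filterlog record format shown in post #7, as an added example that is not part of the original posts and not OPNsense code. It assumes the filterlog CSV column order of the sample line above (IPv4 TCP/UDP fields) and a syslog timestamp beside each line; the interface names igb1 (LAN) and bxe0 (WAN), and the sample records, are constructed using the addresses the thread uses. The ambiguous case the post warns about (external port reused, or two hosts hitting the same target in the same moment) is reported as more than one candidate rather than silently picking one.

```python
"""Resolve a post-NAT observation (external IP:port, target, time) to the internal host
by pairing the WAN (post-NAT) pass entry with the LAN (pre-NAT) pass entry of the same flow."""
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Leading columns of an IPv4 filterlog record. Assumed layout, matching the thread's sample line.
FIELDS = ["rulenr", "subrulenr", "anchor", "tracker", "interface", "reason", "action",
          "dir", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags", "proto",
          "protoname", "length", "src", "dst", "srcport", "dstport"]


@dataclass(frozen=True)
class PassEntry:
    ts: datetime
    interface: str
    proto: str
    src: str
    srcport: int
    dst: str
    dstport: int


def parse_filterlog(ts: str, line: str) -> Optional[PassEntry]:
    """Parse one timestamped filterlog line. Returns None for records that cannot take part
    in the correlation: non-IPv4, non-pass, or port-less protocols such as ICMP."""
    fields = next(csv.reader([line]))
    if len(fields) < len(FIELDS):
        return None
    rec: Dict[str, str] = dict(zip(FIELDS, fields))
    if rec["ipver"] != "4" or rec["action"] != "pass" or rec["protoname"] not in ("tcp", "udp"):
        return None
    return PassEntry(datetime.fromisoformat(ts), rec["interface"], rec["protoname"],
                     rec["src"], int(rec["srcport"]), rec["dst"], int(rec["dstport"]))


def load(records: List[Tuple[str, str]]) -> List[PassEntry]:
    return [e for e in (parse_filterlog(ts, line) for ts, line in records) if e]


def find_internal_source(entries: List[PassEntry], wan_if: str, lan_if: str,
                         ext_ip: str, ext_port: int, dst: str, dstport: int, proto: str,
                         when: datetime, report_slack=timedelta(minutes=2),
                         hop_slack=timedelta(seconds=2)) -> List[Tuple[str, int]]:
    """Return sorted (internal_ip, internal_port) candidates. A single entry is a clean hit;
    more than one means the external port was reused or several hosts reached the same
    target in the same window, so the result is ambiguous and needs manual review."""
    wan_hits = [e for e in entries
                if e.interface == wan_if and e.proto == proto
                and e.src == ext_ip and e.srcport == ext_port
                and e.dst == dst and e.dstport == dstport
                and abs(e.ts - when) <= report_slack]
    candidates = set()
    for w in wan_hits:
        # The same packet is logged on LAN (pre-NAT) and WAN (post-NAT): the LAN entry shares
        # destination and protocol and is timestamped within a moment of the WAN entry.
        for l in entries:
            if (l.interface == lan_if and l.proto == w.proto and l.dst == w.dst
                    and l.dstport == w.dstport and abs(w.ts - l.ts) <= hop_slack):
                candidates.add((l.src, l.srcport))
    return sorted(candidates)


# Constructed sample syslog records: (timestamp, filterlog CSV). igb1 = LAN, bxe0 = WAN.
SAMPLE = [
    ("2020-11-19T12:33:49+01:00", "75,,,0,igb1,match,pass,in,4,0x0,,128,12270,0,DF,6,tcp,52,192.168.1.10,1.1.1.1,33333,443,0,S,2766616536,,65535,,mss;nop;wscale;nop;nop;sackOK"),
    ("2020-11-19T12:33:49+01:00", "75,,,0,bxe0,match,pass,out,4,0x0,,127,12270,0,DF,6,tcp,52,2.2.2.2,1.1.1.1,17195,443,0,S,2766616536,,65535,,mss;nop;wscale;nop;nop;sackOK"),
    # ICMP carries no ports and is skipped by the parser.
    ("2020-11-19T12:33:50+01:00", "75,,,0,igb1,match,pass,in,4,0x0,,128,1,0,DF,1,icmp,84,192.168.1.10,1.1.1.1,request,6912,1"),
    # Later the same external port is reused while two hosts talk to the same target: ambiguous.
    ("2020-11-19T12:40:00+01:00", "75,,,0,igb1,match,pass,in,4,0x0,,128,100,0,DF,6,tcp,52,192.168.1.10,1.1.1.1,40000,443,0,S,1,,65535,,mss"),
    ("2020-11-19T12:40:00+01:00", "75,,,0,igb1,match,pass,in,4,0x0,,128,101,0,DF,6,tcp,52,192.168.1.20,1.1.1.1,40100,443,0,S,2,,65535,,mss"),
    ("2020-11-19T12:40:00+01:00", "75,,,0,bxe0,match,pass,out,4,0x0,,127,100,0,DF,6,tcp,52,2.2.2.2,1.1.1.1,17195,443,0,S,1,,65535,,mss"),
]


def lookup(report_ts: str, ext_port: int) -> List[Tuple[str, int]]:
    """Resolve a notice shaped like the CERT report in the thread: external IP, port, target, time."""
    return find_internal_source(load(SAMPLE), "bxe0", "igb1", "2.2.2.2", ext_port,
                                "1.1.1.1", 443, "tcp", datetime.fromisoformat(report_ts))


if __name__ == "__main__":
    print(lookup("2020-11-19T12:33:49+01:00", 17195))  # one candidate: 192.168.1.10:33333
    print(lookup("2020-11-19T12:40:00+01:00", 17195))  # two candidates: ambiguous
```

The report slack absorbs clock drift between the reporting party and the firewall; the hop slack is small because both log lines come from the same packet. Any NAT pool with more than one external address needs the external IP in the WAN match, which is why it is part of the key.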

#8
20.7 Legacy Series / Re: NAT Rules logging not working
November 21, 2020, 01:04:15 PM
Hi,

Anybody observing the same issue?
Is there another way to solve the NAT / internal issue? Can I resolve external IP addresses/port/timestamp to the internal IP before NAT happens?

regards Martin
#9
20.7 Legacy Series / NAT Rules logging not working
November 20, 2020, 02:58:48 PM
Hi,

I have a problem with NAT rules and logging.
It does not work as expected. I have configured a remote syslog server and send all logs that way. I receive all logs about block / pass rules but no information about NAT rules.

Background is, we have a VPN gateway with some 1000 users which are NATed to 4 IP addresses. If we have users with infected devices we get the information from our CERT, but they send us the external NATed IP, port and timestamp.
To get the real user I need the NAT states, i.e. which internal IP triggered the CERT rule for bot/virus/worm traffic. Normally we get the information with a 24-48h delay.

The NAT rule certainly has the Log option enabled. I also see the NAT state rules under Firewall/Diagnostics/pfInfo. But no logging.

Any ideas, is it a Bug?

regards Martin