Transmission won't start after OpenVPN and IPfw rules

white_noise

Dabbler
Joined
Feb 22, 2015
Messages
17
I set up my Transmission with OpenVPN and IPfw rules from:

https://forums.freenas.org/index.ph...-a-jail-so-it-only-connects-to-the-vpn.18669/

The OpenVPN part and the firewall rules work; however, I am now finding that somewhere along the configuration the plugin is turned off.

There is not much information in /var/log/messages, but I will post that shortly; it is just a reference to not being able to reach the web address for Transmission.

I uninstalled the plugin and reinstalled it, then installed OpenVPN and placed the firewall rules just to double check, and it shut the plugin down and it's not able to come back.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
> I set up my Transmission with OpenVPN and IPfw rules from:
>
> https://forums.freenas.org/index.ph...-a-jail-so-it-only-connects-to-the-vpn.18669/
>
> The OpenVPN part and the firewall rules work; however, I am now finding that somewhere along the configuration the plugin is turned off.
>
> There is not much information in /var/log/messages, but I will post that shortly; it is just a reference to not being able to reach the web address for Transmission.
>
> I uninstalled the plugin and reinstalled it, then installed OpenVPN and placed the firewall rules just to double check, and it shut the plugin down and it's not able to come back.

What happens when you run 'service transmission onestart' in the jail?
 
Joined
Mar 6, 2014
Messages
686
Probably need some more info, but to start: if you only enable OpenVPN, not the firewall, things keep running, I guess?
 

white_noise

Dabbler
Joined
Feb 22, 2015
Messages
17
Just got home and was able to run some quick tests.

1. Stopped OpenVPN and removed the fw rules: the plugin actually starts on its own and runs fine.
2. Start up OpenVPN and I can still see the plugin running, and I can access the Transmission website no problem.
3. Drop the firewall rules in and it kills the page; the plugin goes funny and shows as off.
4. Remove the firewall rules and almost instantly everything is fine.

These are the 2 messages that pop up in the main FreeNAS log, not from inside the jail:

Feb 23 15:31:44 freenas manage.py: [freeadmin.navtree:550] Couldn't retrieve http://192.168.199.144/plugins/transmission/1/_s/treemenu: timed out

Feb 23 15:38:04 freenas manage.py: [plugins.utils:92] Couldn't retrieve http://192.168.199.144/plugins/transmission/1/_s/status: No JSON object could be decoded

These are the rules:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 192.168.199.0/24 to 8.8.8.8 dst-port 53 keep-state
01002 allow log udp from 192.168.199.0/24 to 206.248.154.170 dst-port 53 keep-state
01004 allow log udp from 192.168.199.0/24 to 8.8.4.4 dst-port 53 keep-state
01006 allow ip from 192.168.199.0/24 to 196.168.199.0/24 keep-state
02000 allow ip from 192.168.199.0/24 to xxx.xxx.xxx.xxx keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.8.0.0/24 to any
05002 allow ip from any to 10.8.0.0/24
05003 allow ip from 10.9.0.0/24 to any
05004 allow ip from any to 10.9.0.0/24
65534 deny ip from any to any
 
Joined
Mar 6, 2014
Messages
686
You don't need any deny rules (200, 300, 400 & 500), because of 65534. You also (most probably) don't need any IPv6 rules for your home network. Also, rule 300 already blocks rule 4000, so you are blocking your localhost.

Remove 200 & 300 and try again.
 

white_noise

Dabbler
Joined
Feb 22, 2015
Messages
17
Thanks! I'll give that a try and report back. Those are the ones loaded when I started ipfw; I didn't add them, so I think they are default.
 

white_noise

Dabbler
Joined
Feb 22, 2015
Messages
17
I removed the 200 & 300 lines and the issue still happened... Hmmm.
Could it be something to do with my VPN connection using a TUN interface?
 
Joined
Mar 6, 2014
Messages
686
I would lose 400-1000. I do now see that you have rule 1000 twice. Remove 400-1000, but keep the 2nd 1000.

Your VPN connection is always using a TUN interface. It's called a VPN tunnel.
 

white_noise

Dabbler
Joined
Feb 22, 2015
Messages
17
Tried that; also didn't work.

Not sure what it is, grabbing at straws now. The only weird thing I notice is that I'm not able to ping via DNS name when the firewall rules are in place; I can ping the IP it resolves to.

I appreciate all the help.
 
Joined
Mar 6, 2014
Messages
686
What's in /etc/resolv.conf of your jail? The DNS servers you allow in your firewall rules should be in there.
 

white_noise

Dabbler
Joined
Feb 22, 2015
Messages
17
I'll check that tonight. I'm going to look up how to run a packet capture inside the jail; that would make life a lot easier to see what's happening.
 

white_noise

Dabbler
Joined
Feb 22, 2015
Messages
17
Fixed it!

I originally had: 01006 allow ip from 192.168.199.0/24 to 196.168.199.0/24 keep-state

So I fixed the typo in the IP address; it still didn't work, so I tried a shot in the dark and modified the following line to put one for UDP and one for TCP, and it seems to work perfectly now.

01006 allow udp from 192.168.199.0/24 to 192.168.199.0/24 keep-state
01007 allow tcp from 192.168.199.0/24 to 192.168.199.0/24 keep-state

I put back the original rules 200-1000 also for testing, and with them in place it all still works fine, so it was adding the TCP that fixed it.
 
Joined
Mar 6, 2014
Messages
686
> Fixed it!
> I originally had: 01006 allow ip from 192.168.199.0/24 to 196.168.199.0/24 keep-state

Wow.... I'm gonna facepalm myself for not seeing that earlier.

> So I fixed the typo in the IP address; it still didn't work, so I tried a shot in the dark and modified the following line to put one for UDP and one for TCP, and it seems to work perfectly now.
>
> 01006 allow udp from 192.168.199.0/24 to 192.168.199.0/24 keep-state
> 01007 allow tcp from 192.168.199.0/24 to 192.168.199.0/24 keep-state
>
> I put back the original rules 200-1000 also for testing, and with them in place it all still works fine, so it was adding the TCP that fixed it.

This makes no sense at all. I really hope someone has some explanation for this, because this is weird.
 
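As an added illustration (not code from the thread or from FreeNAS), a small Python linter for an 'ipfw list' dump that catches the three problems raised above: the duplicate rule number 01000, the allow rule 4000 shadowed by the earlier deny rule 300, and the mistyped 196.168.199.0/24 subnet. The embedded rule text is a trimmed copy of the ruleset posted earlier.

```python
import ipaddress
import re

# Rule dump as posted above, trimmed to the interesting rules. The
# 196.168.199.0/24 typo and the repeated number 01000 are kept on purpose.
RULES = """\
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 192.168.199.0/24 to 8.8.8.8 dst-port 53 keep-state
01006 allow ip from 192.168.199.0/24 to 196.168.199.0/24 keep-state
04000 allow ip from 127.0.0.1 to any
65534 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+) (allow|deny) (?:log )?(\S+) from (\S+) to (\S+)")

def covers(outer, inner):
    """True if endpoint spec `outer` contains `inner` ('any' contains all)."""
    if "any" in (outer, inner):
        return outer == "any"
    try:
        o, i = (ipaddress.ip_network(x, strict=False) for x in (outer, inner))
    except ValueError:
        return False
    return o.version == i.version and i.subnet_of(o)

def lint(text):
    """Findings for an 'ipfw list' dump: duplicates, shadowed allows, odd ranges."""
    rules = [m.groups() for m in map(RULE_RE.match, text.splitlines()) if m]
    findings, seen, denies = [], set(), []
    for num, action, proto, src, dst in rules:
        if num in seen:
            findings.append(f"{num}: duplicate rule number")
        seen.add(num)
        for ep in (src, dst):  # a public /24 beside LAN rules is usually a typo
            try:
                net = ipaddress.ip_network(ep, strict=False)
            except ValueError:
                continue  # 'any' and other keywords
            if net.version == 4 and net.num_addresses > 1 and net.is_global:
                findings.append(f"{num}: public range {ep}, check for a typo")
        if action == "deny":
            denies.append((num, proto, src, dst))
            continue
        # an allow is dead when an earlier deny already matches all of its traffic
        for dn, dp, ds, dd in denies:
            if dp in ("ip", proto) and covers(ds, src) and covers(dd, dst):
                findings.append(f"{num}: shadowed by deny rule {dn}")
    return findings
```

Run `lint(RULES)` against your own `ipfw list` output by pasting it into the string; rules with keywords other than `from ... to ...` are skipped rather than misread.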