Netgate Discussion Forum

    IOT devices

General pfSense Questions | 18 Posts, 3 Posters, 1.3k Views
sfigueroa

Evening everyone, I'm new to pfSense and seem to be running into an issue where I have IoT devices on another LAN and I'm getting an outgoing block to an Amazon AWS address on port 443. I have added rules to allow outgoing connections on port 443 and added them to the whitelist in pfBlockerNG-devel. I'm not sure what else to do to get those connections out. Has anyone run into this issue?

sfigueroa

@sfigueroa This is what I currently see:
[image: Screenshot 2023-02-09 080637.png]
And these are the firewall rules in that category:
[image: Screenshot 2023-02-09 080849.png]

johnpoz (LAYER 8 Global Moderator)

@sfigueroa Are those SYN blocks? What is the flag on the block? It could be just out-of-state blocks.

On your firewall log, under the protocol column, does it show just an S, or does it show something else: A, FA, R, SA, PA, etc.? Unless it's just an S (SYN), the block is because of lack of a state. This can be quite common to see, when a client attempts to use an old session that has timed out, or was closed for some other reason, etc.

[image: block.jpg]

          https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

sfigueroa

            @johnpoz Looks like it's TCP:FPA

sfigueroa

@sfigueroa [image: Screenshot 2023-02-09 083216.png]

johnpoz (LAYER 8 Global Moderator)

@sfigueroa So a FIN,ACK with PUSH flag. Yeah, that would scream out of state. Could be the client tried to use the old session, didn't get an answer, so sent a FIN,ACK.

Those are not uncommon to see. If you were seeing blocks on S, then your rules are not allowing the traffic. Any other sort of flags are because there is no state to allow it. Why could be lots of reasons; asymmetrical traffic flow would be high on the list if you were seeing SA, but something with a FIN normally just means the firewall already closed it because it saw a FIN, and the client is just retransmitting it because it didn't get an answer, etc.

I wouldn't worry much about such blocks. If they bug you, you could turn off logging of the default blocks and just set up your own rules to log only SYN blocks, etc. If you're seeing lots and lots of them, it might be good to look into why. Maybe your state table is getting reset because of loss of WAN and a setting to reset states when that happens, etc.


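As an added illustration of the SYN-versus-other-flags distinction johnpoz describes (example code written for this page, not from the thread or from pfSense), the Python below parses filterlog entries and separates out-of-state blocks from blocks the rule set actually made. The field layout is assumed from Netgate's filter log format documentation, and the sample log lines are constructed.

```python
import csv
from collections import Counter

# Field layout assumed from Netgate's "Filter Log Format for pfSense" docs:
# 9 common fields, 11 IPv4 fields, then per-protocol fields (TCP: 9, UDP: 3).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "opts"]
UDP = ["sport", "dport", "datalen"]

# Constructed sample lines (the CSV body of a filterlog syslog message);
# tracker ids, addresses and ports are made up for illustration.
SAMPLE_LINES = [
    # block, FIN+PSH+ACK from an IoT host: stale session, no state on the firewall
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.20.15,203.0.113.10,49672,443,0,FPA,,,0,,",
    # block, bare SYN: the rule set genuinely denied a new connection
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.20.16,203.0.113.11,53000,443,0,S,1000000000,,64240,,mss",
    # pass, bare SYN: an ordinary new connection
    "100,,,1655055001,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.20.17,203.0.113.12,53001,443,0,S,2000000000,,64240,,mss",
    # block, UDP: there are no TCP flags to inspect, so count it as rule-denied
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,78,192.168.20.18,203.0.113.13,5353,5353,58",
]

def parse_filterlog(line):
    """Split one filterlog CSV line into a dict (IPv4 TCP/UDP only)."""
    fields = next(csv.reader([line]))
    rec = dict(zip(COMMON, fields[:9]))
    rest = fields[9:]
    if rec["ipver"] != "4":
        raise ValueError("this example only handles IPv4 entries")
    rec.update(zip(IPV4, rest[:11]))
    rest = rest[11:]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, rest[:9]))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, rest[:3]))
    return rec

def classify(rec):
    """'pass', 'rule-denied' (bare SYN blocked) or 'out-of-state' (any other flags)."""
    if rec["action"] != "block":
        return "pass"
    if rec["proto"] == "tcp" and rec.get("tcpflags", "") != "S":
        # FA, FPA, R, PA, SA ...: dropped for lack of a state, not by a rule decision
        return "out-of-state"
    return "rule-denied"

def summarize(lines):
    # Count entries per class so out-of-state noise is separated from real denies
    return dict(Counter(classify(parse_filterlog(ln)) for ln in lines))
```

Run over a real export of the firewall log, a large out-of-state count with few rule-denied entries matches the harmless pattern described above, while many bare-SYN blocks point at the rules themselves.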
sfigueroa

@johnpoz Yeah, thank you for your advice, I have seen you a lot around the forums! I will look at it, but I am not seeing many of them. When I do see a few, it's possibly because I have a lot of smart bulbs, I mean... A LOT... but I only see a few entries.

sfigueroa

                    @johnpoz Do you have any advice on my firewall rules for the IOT area? Anything off that maybe I should be doing differently in the rules?

johnpoz (LAYER 8 Global Moderator)

@sfigueroa Why are you passing that ff02::/16? pfSense is not really going to do anything with multicast. Are you passing it along with pimd or something? Or do you just not want to see noise in your logs?


sfigueroa

                        @johnpoz I didn’t want to see the noise in the logs.

stephenw10 (Netgate Administrator)

                          You can block it without logging it instead.

sfigueroa

I am also trying to activate DHCP6 on that interface. It works on WAN just fine, but on all other interfaces DHCP6 is showing as pending and unknown in the online section. WAN and LAN are showing just fine.

stephenw10 (Netgate Administrator)

                              You're trying to enable the dhcpv6 server on the IOT interface?

                              Where exactly are you seeing that status?

sfigueroa

@stephenw10 On the gateway tab.

stephenw10 (Netgate Administrator)

You enabled IOT as a DHCPv6 client? Is there another DHCPv6 server on that subnet?

sfigueroa

@stephenw10 No, just the firewall. I'm using my old router as an AP.

stephenw10 (Netgate Administrator)

So what gateway are you looking at? pfSense should not have an IPv6 gateway on IOT unless there's some other router on there.
The IOT interface should not be a DHCPv6 client; it should be either static or tracking some upstream interface, the same as LAN is.

sfigueroa

@stephenw10 Oh, I understand now, I'll take a look and let you know how it goes! Thank you so much!

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.