Netgate Discussion Forum

Incoming connections to pfsense box from Facebook?

Firewalling
45 Posts 5 Posters 2.1k Views
    johnpoz LAYER 8 Global Moderator @rasputinthegreatest
    last edited by Feb 16, 2025, 11:38 AM

    @rasputinthegreatest Canonical is Ubuntu..

    As to stuff like this

    WAN Default deny rule IPv4 (1000000103) 157.240.251.35:443 192.168.178.42:62384 UDP

    That is UDP; the source port 443 says it's an answer to something you sent, i.e. QUIC traffic. Why it was blocked: there was no state. Return traffic needs a state for pfSense to send it on to whoever asked for it. With no state, yes, the traffic would be blocked by the default deny.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.8, 24.11

      SteveITS Galactic Empire @rasputinthegreatest
      last edited by Feb 16, 2025, 3:53 PM

      @rasputinthegreatest
      FYI https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
      TL;DR: it's benign, ignore it.

      We turn off logging of the default block rules. It eliminates a lot of noise.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        johnpoz LAYER 8 Global Moderator @SteveITS
        last edited by johnpoz Feb 16, 2025, 4:10 PM

        @SteveITS said in Incoming connections to pfsense box from Facebook?:

        We turn off logging of the default block rules. It eliminates a lot of noise.

        Same here - I log what I want to see: SYNs to my public IP, etc., and some common UDP ports, just because I'm curious.

        @rasputinthegreatest New users to an actual firewall that can log and present to the user everything that is dropped are normally surprised at the amount of noise on the internet, because their little SOHO router did not present them with this info.

        The internet is a very noisy place..

          rasputinthegreatest
          last edited by Feb 16, 2025, 8:45 PM

           Thank you guys for the response. I already assumed it was benign but wanted to make sure.
           One more question since it just came up in my Snort log. This message sounds confusing:

           Count  Proto  Class                   Source              Destination          GID:SID  Description
           3      TCP    Not Suspicious Traffic  2.19.225.3:443      192.168.1.13:56712   119:4    (http_inspect) BARE BYTE UNICODE ENCODING
           3      TCP    Unknown Traffic         192.168.178.1:80    192.168.1.19:50127   120:18   (http_inspect) PROTOCOL-OTHER HTTP server response before client request
          

           It is an Akamai server and I am on a Linux system. Is this anything to worry about? The second one is probably from when I was accessing the web GUI of my Fritzbox router.

            johnpoz LAYER 8 Global Moderator @rasputinthegreatest
            last edited by Feb 16, 2025, 9:03 PM

             @rasputinthegreatest IPS/IDS are prone to false positives. You would be the only one who would know if that traffic is normal for your network and needs to be allowed.

             IPS/IDS is not something you just turn on and hey, you're good; there is a lot of config and maintenance that goes into using IPS/IDS.


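An added example, not from this thread or from the pfSense/Snort projects: once you have confirmed an alert is normal for your network, the scoped way to quiet it is a suppress entry tied to the host that triggers it, not disabling the rule outright. The fragment below uses Snort's standard suppress syntax (the same syntax the pfSense Snort package's Suppress lists accept) for the 120:18 http_inspect alert the Fritzbox at 192.168.178.1 raised when its web GUI answered on port 80; the GID:SID pairs and addresses come from the alerts posted above, the comments are mine.

```text
# Quiet "HTTP server response before client request" (GID 120, SID 18)
# only when the source is the Fritzbox web GUI. Any other host tripping
# 120:18 still alerts.
suppress gen_id 120, sig_id 18, track by_src, ip 192.168.178.1

# The 119:4 alert came from an Akamai CDN node. Pinning a suppression to
# that single IP only hides that node and the CDN will rotate to others,
# so a host-scoped entry like the one below buys little; if the rule is
# noise for your network, disable it on the Rules tab instead.
# suppress gen_id 119, sig_id 4, track by_src, ip 2.19.225.3
```

Check the suppress list takes effect by re-triggering the event (open the Fritzbox GUI from a LAN host) and confirming nothing new appears under the Alerts tab; a suppression that is wider than the host it was meant for hides real hits too.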
              rasputinthegreatest @johnpoz
               last edited by rasputinthegreatest Feb 17, 2025, 6:43 AM (posted Feb 17, 2025, 6:29 AM)

               @johnpoz Yeah I guess. I can't really tell what traffic the Akamai server would be when using Linux. That is a little sus.

               The main reason I got myself a hardware firewall is to see what is going on in my network. Almost every day my upload speed tanks and doesn't recover until I do a reset of my router. Right now my upload is only 27 Mbit/s but it should be 50 Mbit/s.
              I checked pftop stats and saw this

              pfTop: Up State 1-100/446, View: default, Order: bytes
              PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
              tcp       In  192.168.1.21:50447            firmserver:10443           ESTABLISHED:ESTABLISHED  00:08:50  23:59:58    55951 30736104
              tcp       Out 192.168.178.42:49400          firmserver:10443           ESTABLISHED:ESTABLISHED  00:08:50  23:59:58    55951 30736104
              ipv6-icmp Out fe80::internal[265 fe80::internalfritzbox[265  NO_TRAFFIC:NO_TRAFFIC   09:37:54  00:00:09   131576  6447224
              icmp      Out 192.168.178.42:26170          192.168.178.1:26170                     0:0            09:37:54  00:00:10   131554  3815066
              tcp       In  192.168.1.12:47918            151.101.1.140:443             ESTABLISHED:ESTABLISHED  00:02:51  23:59:07     2859  2232062
              

              There are lot of bytes used by ipv6-icmp with "no traffic"

              In my firewall logs I see this IP a lot right now:
              157.240.0.60
               and it is marked as a port scan on here https://www.abuseipdb.com/check/157.240.0.60
              but resolves to whatsapp-cdn
              and another IP 157.240.0.13 resolves to edge-star facebook.com
              Is this causing some sort of congestion? Do you have any idea what could cause this?

                johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                 last edited by johnpoz Feb 17, 2025, 8:19 AM (posted Feb 17, 2025, 8:18 AM)

                @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                There are lot of bytes used by ipv6-icmp with "no traffic"

                 Not really. That connection has been up for nine-something hours. It's ICMP, why would you think it should have traffic?

                Here is my version of that

                ipv6-icmp Out 2001:470:snip::2[1838] 2001:470:snip::1[128] NO_TRAFFIC:NO_TRAFFIC 133:17:04 00:00:10 1887565 92490685

                 That is pfSense monitoring that it can talk to its gateway on my HE tunnel.

                 [image: ping.jpg]

                 Yeah it's chatty, but it's not any sort of real data; it's a ping! That is just your link-local address (fe80) talking to what it's connected to.


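An added example (mine, not code from the thread, pfSense or pftop): johnpoz's point is that packet and byte totals alone do not tell you whether a state is moving data; bytes per packet does. The script parses a pftop snapshot in the column layout posted earlier in the thread, collapses the duplicate LAN-side/WAN-side rows a NATed connection produces, and ranks states by bytes together with their average packet size. The rows are the ones posted above except that the two IPv6 link-local addresses, which were placeholders in the post, are replaced with made-up ones; the 128-byte probe threshold and the NAT-pair de-duplication are my own heuristics.

```python
# Constructed pftop snapshot (Diagnostics > pfTop, ordered by bytes) modelled
# on the one posted in the thread. The two IPv6 link-local addresses were
# placeholders in the post and are replaced with made-up ones here.
PFTOP_SAMPLE = """\
pfTop: Up State 1-100/446, View: default, Order: bytes
PR        DIR SRC                   DEST                  STATE                    AGE       EXP       PKTS     BYTES
tcp       In  192.168.1.21:50447    firmserver:10443      ESTABLISHED:ESTABLISHED  00:08:50  23:59:58  55951    30736104
tcp       Out 192.168.178.42:49400  firmserver:10443      ESTABLISHED:ESTABLISHED  00:08:50  23:59:58  55951    30736104
ipv6-icmp Out fe80::1[265]          fe80::2[265]          NO_TRAFFIC:NO_TRAFFIC    09:37:54  00:00:09  131576   6447224
icmp      Out 192.168.178.42:26170  192.168.178.1:26170   0:0                      09:37:54  00:00:10  131554   3815066
tcp       In  192.168.1.12:47918    151.101.1.140:443     ESTABLISHED:ESTABLISHED  00:02:51  23:59:07  2859     2232062
"""

# Packets averaging below this many bytes carry no payload worth calling
# "data": an ICMP echo with its default payload is well under it. My threshold.
PROBE_MAX_AVG_BYTES = 128


def parse_pftop(text):
    """Parse pftop rows into dicts; the banner and header rows are skipped."""
    states = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 9 or not (t[7].isdigit() and t[8].isdigit()):
            continue
        states.append({
            "proto": t[0], "dir": t[1], "src": t[2], "dst": t[3],
            "state": t[4], "age": t[5], "exp": t[6],
            "pkts": int(t[7]), "bytes": int(t[8]),
        })
    return states


def avg_packet_size(s):
    return s["bytes"] / s["pkts"] if s["pkts"] else 0.0


def dedupe_nat_pairs(states):
    """A NATed connection appears twice (LAN-side In, WAN-side Out) with the
    same destination and identical counters; keep one copy so totals are not
    doubled. Heuristic of mine, not something pftop does."""
    seen, kept = set(), []
    for s in states:
        key = (s["proto"], s["dst"], s["pkts"], s["bytes"])
        if key not in seen:
            seen.add(key)
            kept.append(s)
    return kept


def label(s):
    """Separate tiny keepalive/probe states from states that move data."""
    if s["proto"] in ("icmp", "ipv6-icmp") or "NO_TRAFFIC" in s["state"]:
        if avg_packet_size(s) < PROBE_MAX_AVG_BYTES:
            return "probe/keepalive (echo-sized packets, e.g. gateway monitoring)"
    return "data transfer"


def top_talkers(text, n=5):
    """Rank states by bytes: (proto, src, dst, bytes, avg bytes/packet, label)."""
    states = sorted(dedupe_nat_pairs(parse_pftop(text)),
                    key=lambda s: s["bytes"], reverse=True)
    return [(s["proto"], s["src"], s["dst"], s["bytes"],
             round(avg_packet_size(s)), label(s)) for s in states[:n]]


if __name__ == "__main__":
    for row in top_talkers(PFTOP_SAMPLE):
        print("{:<9} {:<22} {:<20} {:>9} B {:>4} B/pkt  {}".format(*row))
```

On the posted numbers the ipv6-icmp and icmp states average 49 and 29 bytes per packet, echo-sized, which matches the gateway-monitoring explanation above, while the firmserver TCP state averages about 549 bytes per packet and is the only thing actually moving data. When hunting an upload hog, run this against a snapshot taken while the slowdown is happening; a snapshot taken after a reboot only shows the states that survived it.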
                  rasputinthegreatest @johnpoz
                  last edited by Feb 17, 2025, 11:07 AM

                   @johnpoz Thanks for sharing some insights. I just saw the amount of packets and bytes so I thought it was data being sent. It is quite chatty.
                   But is there a way to investigate what is causing my upload to get jammed after a while? It sometimes works for 3 days without issues, sometimes just 1 day. And there is no other remedy than restarting my router for the upload to go back to normal. It is very strange. I also have no services exposed to the internet. My ISP and technicians have checked the cable internet connection and everything looks perfect. On the outlet there is always full speed coming through, so I am assuming it is something happening behind my Fritzbox router. Also disabling devices one by one didn't help to get my upload speed back to normal. And I already changed my router. I am happy to provide more information :)

                    johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                    last edited by Feb 17, 2025, 12:50 PM

                     @rasputinthegreatest When you are having an upload issue, look to see who the top talker is with the traffic graphs.


                      rasputinthegreatest @johnpoz
                      last edited by Feb 17, 2025, 3:13 PM

                       @johnpoz Thanks again John. Really appreciate the help you give. I will keep an eye on it and see if I can find the culprit.

                        johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                         last edited by johnpoz Feb 17, 2025, 3:34 PM (posted Feb 17, 2025, 3:29 PM)

                         @rasputinthegreatest It could just be your ISP as well. But normally a reboot wouldn't fix that; it would, however, break all current connections if something was uploading in the background.

                         Do you run any P2P software? Windows has the ability to share out updates, even to the public internet; you could look there. But the traffic graphs can show top talkers.

                         Example - here I kicked off a speedtest so you could see an example of showing top talkers.

                         You can see when it was uploading, my 192.168.9.100 PC; my upload bandwidth is 50 Mbps.

                         [image: 2025-02-17_092600.jpg]

                        The large orange portion was the download part of the speedtest.

                        The windows thing I mentioned

                        https://support.microsoft.com/en-us/windows/choose-network-sharing-options-for-delivery-optimization-368ac893-f551-f869-1771-f8a9fc0554b3

                         As to it being your ISP with upload issues - I see it now and then, where I'm not seeing my full 50 Mbps up. Could be just prime time and lots of people on the same connection in your neighborhood. A reboot shouldn't really fix that, but maybe if your IP changes and you end up on a different gateway at your ISP, maybe?

                        But yeah its a good idea to rule out just something of yours using up a chunk of the pipe.


                          rasputinthegreatest @johnpoz
                           last edited by rasputinthegreatest Feb 17, 2025, 7:03 PM (posted Feb 17, 2025, 7:02 PM)

                           @johnpoz Unfortunately I am not running any P2P software. I also have that Windows network sharing feature disabled. Often no device is even running but one computer or laptop when I am doing the speedtests. The only things that are always connected are a FireTV stick, my smart TV and my phone. It also doesn't happen during prime time. Very often just after I get up in the morning I notice it around 6-7am on my work computer. I work from home and sometimes use a remote desktop connection to my workplace and it is very laggy. This is why I even noticed it in the first place. Since then I am doing multiple speedtests every day. But there is no real pattern. Sometimes it can happen around 12am, then 7pm. My traffic stats in the Fritzbox show around 1/10th upload traffic compared to my download traffic, so nothing out of the ordinary. A restart fixes it for at least a day and sometimes longer. Since the ISP can't find any issues with the connection and I have replaced the cables and router it is very strange. I also have no unknown devices in my WiFi and don't allow connections between my WiFi devices that could share data between them. I'm in the dark and looking for any clues. When it happened this morning I checked the logs and just saw that Akamai stuff but nothing else. But pfSense should block any malicious traffic, shouldn't it? Maybe it has to do with me having a static public IPv4 that is getting attacked?

                            johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                            last edited by Feb 17, 2025, 7:47 PM

                             @rasputinthegreatest You would have to be seeing a large amount of inbound traffic to your WAN to have an effect on your upload, to be honest. I mean a large amount! That is hogging your pipe.

                            Typical noise on the internet would not come even close to a fraction of the traffic you would need to be seeing to cause you a problem.

                             You're RDPing to something at work - I would hope that is via a VPN. Are you routing all your traffic through this VPN when you do a speed test? I would disconnect the VPN and rerun your speedtest.


                              rasputinthegreatest @johnpoz
                              last edited by Feb 17, 2025, 8:42 PM

                               @johnpoz Yes my company has their own VPN servers. But I think my upload issues are unrelated to that since it also happens when I am not using my work computer during weekends. It is actually very hard to pin it down on anything, but it has to happen at the router or after it since my ISP is certain it is not their infrastructure. I will watch out for what is hogging the pipe next time the issue comes up. I restarted the router in the morning and so far the upload seems fine. Could it be someone hijacking my router? But I had already reset the router. Before I reset my router I did a Wireshark capture directly on the Fritzbox WAN interface with its integrated tools and there was a weird read request from a malicious IP. Since then I got a little worried about my security. But maybe it's just noise as well?
                               There were also a lot of ICMPv6 Neighbor Solicitation entries with my public IPv6 in the "source" column, but there was also a second IPv6 that was not from my ISP but from a different ISP. In Wireshark, when capturing WAN, is the "source" column what is going out of my network or what is coming in? Could that be a sign of my traffic being rerouted somewhere else and that's why my upload is bad?

                              132533	60.378434	146.88.241.144	MY PUBLIC IP TFTP	68	Read Request, File: ay9mfwq7xxmd4w6cz, Transfer type: octet
                              
                                johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                                 last edited by johnpoz Feb 17, 2025, 11:29 PM

                                 @rasputinthegreatest It's called NOISE!! A stray packet here is not going to cause your internet to slow down. Quit looking at random noise on the internet and thinking it's causing you a problem.

                                 Your work computer - DO YOU DISCONNECT the VPN on the weekends? If you do not disconnect the VPN, then, if it's like every other work VPN on the planet, all traffic is routed through it: you want to go to the internet, you go through the VPN.

                                 My work laptop is pretty much always connected to my company's VPN. Guess what, my internet access is slower than my normal 500/50 internet, because it's routing through the company network, etc., etc. It's got the added overhead of the VPN tunnel itself, etc.

                                 If you want to know whether pfSense or your ISP is having issues with your upload speed, you're going to have to take the VPN out of the equation; if not, then get with your work IT about why their VPN is slow ;)


                                  rasputinthegreatest @johnpoz
                                  last edited by Feb 18, 2025, 6:58 AM

                                   @johnpoz Sorry, I might have been unclear. I have my personal computer and a work computer. After work hours the work computer is powered down. The VPN client is also only installed on this particular computer and not at the network level. So it is impossible for it to interfere with the rest of my network. And I do my speedtests on other devices unrelated to my work computer as well.

                                    rasputinthegreatest @johnpoz
                                     last edited by rasputinthegreatest Feb 18, 2025, 10:17 AM (posted Feb 18, 2025, 9:24 AM)

                                     @johnpoz So right now my internet is very slow again. I can't find anything in my traffic graph that uses up any speed. Since I am double NATing I also disabled the WLAN of my Fritzbox so no devices can use up bandwidth there. Still my speeds vary between 14 and 33 Mbit/s. After disabling my AP the speed went back to normal. But in the past when it happened and I turned off the AP it didn't do anything. There was also no bandwidth usage by the AP router.
                                    Can the ISP be responsible for that issue?

                                    Also do you know what this means? At that time I was only in this forum and on Instagram and that IP leads to facebook

                                     Count  Proto  Class                    Source              Destination           GID:SID  Description
                                     2      UDP    Potentially Bad Traffic  157.240.253.63:443  192.168.178.42:5600   140:3    (spp_sip) URI is too long
                                    

                                    EDIT: I noticed when the graphs spike it doesn't show any IP uploading but the graph spikes. Or it says 2.0M up but on the left I see like 25kbit/s upload. Can there be a device hiding itself?
                                     Or maybe I am reading it wrong. Does bandwidth in = LAN (out)?
                                     [image: graph.png]

                                    Also why is 192.168.1.255 showing up when it is not assigned?

                                    In general I see a lot of spikes on the orange line which I feel like should be less than the blue one.
                                     [image: out.png]

                                      rasputinthegreatest @rasputinthegreatest
                                       last edited by rasputinthegreatest Feb 18, 2025, 11:16 AM (posted Feb 18, 2025, 10:54 AM)

                                      I saw a lot of strange IPs. A lot of Amazon servers.
                                       Also 10.0.170.10 is an internal IP that isn't assigned in my network, but it was showing up for a second
                                      Also this IP showed up and it leads to the Department of Defense in America??? Why in the hell would there be any upload in that direction?
                                      https://www.abuseipdb.com/check/55.222.236.99
                                      Am I going crazy or is this actually worrying?
                                       I also noticed in the firewall log that there was a destination at a different ISP being blocked.

                                       	Default deny rule IPv6 (1000000105) 	[fe80::563a:d6ff:feb9:4ab9]:43546		[2003:xxxxxxxxxx]:443		TCP:S 
                                      
                                        Gertjan @rasputinthegreatest
                                         last edited by Gertjan Feb 18, 2025, 12:02 PM (posted Feb 18, 2025, 11:59 AM)

                                        @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                                         Also 10.0.170.10 is an internal IP that isn't assigned in my network, but it was showing up for a second

                                        On WAN ?

                                        @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                                        Also this IP showed up and it leads to the Department of Defense in America???

                                        So, from you, your place ... to them ?
                                        Defense uses IPv6 as it is more 'obscure'.

                                        @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                                        Default deny rule IPv6 (1000000105) [fe80::563a:d6ff:feb9:4ab9]:43546 [2003:xxxxxxxxxx]:443 TCP:S

                                         An IPv6 packet coming into the pfSense WAN, and as it is using a 'local' IPv6 address (they start with fe80) it originates from your upstream router, the Fritz.
                                         The Fritz - or some other device connected to the LAN of the Fritz - wants to connect to an https server present on its LAN, behind pfSense. The default WAN (IPv6) behaviour is: block.
                                         Yeah, that's awkward.

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

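An added example that is not part of the thread: a small triage script for default-deny log lines in the layout the pfSense GUI shows them, applying the two explanations given in this thread, johnpoz's point near the top that a UDP packet from source port 443 to a high port is a QUIC reply that arrived after its state was gone, and Gertjan's point just above that an fe80:: source on WAN is a neighbour on the Fritzbox segment rather than the internet. The first and last sample lines are adapted from the posts (the redacted 2003: address is replaced with a documentation-prefix address); the other lines, the public address 203.0.113.10 standing in for a WAN IP, and the verdict categories are mine.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of Status > System Logs > Firewall:
# interface, rule description, tracker id, source, destination, protocol
# (TCP shows its flags after a colon). Lines 1 and 5 are adapted from the
# thread; lines 2-4 are made up; 203.0.113.10 stands in for a public WAN IP.
SAMPLE_LOG = """\
WAN Default deny rule IPv4 (1000000103) 157.240.251.35:443 192.168.178.42:62384 UDP
WAN Default deny rule IPv4 (1000000103) 198.51.100.7:54321 203.0.113.10:22 TCP:S
WAN Default deny rule IPv4 (1000000103) 151.101.1.140:443 192.168.178.42:50112 TCP:FA
WAN Default deny rule IPv4 (1000000103) 198.51.100.8:44444 203.0.113.10:3389 TCP:S
WAN Default deny rule IPv6 (1000000105) [fe80::563a:d6ff:feb9:4ab9]:43546 [2001:db8::10]:443 TCP:S
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<rule>.+?)\s+\((?P<tracker>\d+)\)\s+"
    r"(?P<src>\[[^\]]+\]|[0-9.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>\[[^\]]+\]|[0-9.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)\s*$"
)


def parse_line(line):
    """Return a dict for one GUI-style log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, _, flags = m["proto"].partition(":")
    return {
        "iface": m["iface"],
        "rule": m["rule"],
        "tracker": int(m["tracker"]),
        "src": ip_address(m["src"].strip("[]")),
        "sport": int(m["sport"]),
        "dst": ip_address(m["dst"].strip("[]")),
        "dport": int(m["dport"]),
        "proto": proto.upper(),
        "flags": flags.upper(),
    }


def classify(e):
    """Heuristic triage of a blocked inbound packet (categories are my own)."""
    if e["src"].is_link_local:
        # fe80:: source: a neighbour on the WAN segment (the upstream router
        # or something on its LAN), never a host out on the internet.
        return "link-local neighbour on the WAN segment, not internet traffic"
    to_ephemeral = e["dport"] >= 1024
    if e["proto"] == "UDP" and e["sport"] == 443 and to_ephemeral:
        # Server-side port 443 answering a high client port over UDP is QUIC;
        # it was dropped because the state pf needed to pass it had expired.
        return "stateless QUIC reply (UDP/443 -> high port): benign"
    if e["proto"] == "TCP" and "A" in e["flags"] and to_ephemeral:
        # ACK/FIN/RST without a matching state: a stale or already-closed session.
        return "out-of-state TCP reply: benign"
    if e["proto"] == "TCP" and e["flags"] == "S":
        return ("unsolicited connection attempt to port %d: background noise "
                "unless you meant to expose that port" % e["dport"])
    return "unclassified, review manually"


def triage(log_text):
    """Parse every matching line and return (src, dport, proto, verdict) tuples."""
    rows = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            rows.append((str(e["src"]), e["dport"], e["proto"], classify(e)))
    return rows


if __name__ == "__main__":
    for src, dport, proto, verdict in triage(SAMPLE_LOG):
        print(f"{src:>28} -> :{dport:<5} {proto:4} {verdict}")
```

The only verdict that should ever cost you attention is the unsolicited SYN, and even that only when its destination port is one you actually forward through pfSense; the reply-shaped drops are exactly the noise the default-deny rule exists to absorb, which is why the replies above recommend turning off logging for it.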
                                          rasputinthegreatest @Gertjan
                                           last edited by rasputinthegreatest Feb 18, 2025, 12:08 PM (posted Feb 18, 2025, 12:07 PM)

                                          @Gertjan said in Incoming connections to pfsense box from Facebook?:

                                          So, from you, your place ... to them ?
                                          Defense uses IPv6 as it is more 'obscure'.

                                          @Gertjan said in Incoming connections to pfsense box from Facebook?:

                                          Yeah, that's awkward.

                                          Yes it was mostly outgoing traffic
                                           [image: do.png]
                                          I was looking at my LAN under graphs showing local traffic and remote traffic aka "All"
                                          But the IP shows here as DoD https://www.abuseipdb.com/check/55.222.236.99
                                           What do you mean by awkward? I was looking at LAN traffic. But my IPv6 fe80 address was going to this public IPv6 that is not my ISP but a different one

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.