Netgate Discussion Forum
    Incoming connections to pfsense box from Facebook?

    Firewalling
    45 Posts 5 Posters 3.8k Views

      rasputinthegreatest @johnpoz
      last edited by rasputinthegreatest

      @johnpoz So right now my internet is very slow again. I can't find anything in my traffic graph that uses up any speed. Since I am double NATing I also disabled the WLAN of my Fritzbox so no devices can use up bandwidth there. Still, my speeds vary between 14 and 33 Mbit/s. After disabling my AP the speed went back to normal. But in the past when it happened and I turned off the AP it didn't do anything. There was also no bandwidth usage by the AP router.
      Can the ISP be responsible for that issue?

      Also, do you know what this means? At that time I was only in this forum and on Instagram, and that IP leads to Facebook:

       2 	UDP 	Potentially Bad Traffic 	157.240.253.63   	443 	192.168.178.42   	5600  140:3     	(spp_sip) URI is too long
      

      EDIT: I noticed when the graphs spike it doesn't show any IP uploading, but the graph spikes. Or it says 2.0M up but on the left I see like 25 kbit/s upload. Can there be a device hiding itself?
      Or maybe I am reading it wrong. Does bandwidth in = LAN (out)?
      graph.png

      Also why is 192.168.1.255 showing up when it is not assigned?

      In general I see a lot of spikes on the orange line which I feel like should be less than the blue one.
      out.png

        rasputinthegreatest @rasputinthegreatest
        last edited by rasputinthegreatest

        I saw a lot of strange IPs. A lot of Amazon servers.
        Also 10.0.170.10, an internal IP that isn't assigned in my network, was showing up for a second.
        Also this IP showed up and it leads to the Department of Defense in America??? Why in the hell would there be any upload in that direction?
        https://www.abuseipdb.com/check/55.222.236.99
        Am I going crazy or is this actually worrying?
        Also noticed in the firewall log that there was a destination shown to be a different ISP being blocked.

         	Default deny rule IPv6 (1000000105) 	[fe80::563a:d6ff:feb9:4ab9]:43546		[2003:xxxxxxxxxx]:443		TCP:S 
        
          Gertjan @rasputinthegreatest
          last edited by Gertjan

          @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

          Also 10.0.170.10 is an internal IP but that isn't assigned in my network was showing up for a second

          On WAN?

          @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

          Also this IP showed up and it leads to the Department of Defense in America???

          So, from you, your place ... to them?
          Defense uses IPv6 as it is more 'obscure'.

          @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

          Default deny rule IPv6 (1000000105) [fe80::563a:d6ff:feb9:4ab9]:43546 [2003:xxxxxxxxxx]:443 TCP:S

          An IPv6 packet coming into the pfSense WAN, and as it is using 'local' IPv6 addresses (they start with fe80) it originates from your upstream router, the Fritz.
          The Fritz, or some other device connected to the LAN of the Fritz, wants to connect to a https server present on its LAN, behind pfSense. The default WAN (IPv6) behavior is: block.
          Yeah, that's awkward.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            rasputinthegreatest @Gertjan
            last edited by rasputinthegreatest

            @Gertjan said in Incoming connections to pfsense box from Facebook?:

            So, from you, your place ... to them ?
            Defense uses IPv6 as it is more 'obscure'.

            @Gertjan said in Incoming connections to pfsense box from Facebook?:

            Yeah, that's awkward.

            Yes, it was mostly outgoing traffic.
            do.png
            I was looking at my LAN under graphs showing local traffic and remote traffic aka "All"
            But the IP shows here as DoD https://www.abuseipdb.com/check/55.222.236.99
            What do you mean by awkward? I was looking at LAN traffic. But my ipv6 fe address was going to this public ipv6 that is not my ISP but a different one

              Gertjan @rasputinthegreatest
              last edited by Gertjan

              @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

              52.222.236.99

              That's Amazon in Germany.
              Look around you, your LAN, someone is doing some shopping with your connection.

              @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

              I was looking at LAN traffic

              Ah, didn't know what you were looking at, I was presuming WAN.
              LAN isn't interesting as that concerns your own devices.
              (you know what your own devices do, right?!)

              @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

              But what about those ipv6 awkward connections?

              The fe80 was also seen on LAN?


                rasputinthegreatest @Gertjan
                last edited by rasputinthegreatest

                @Gertjan said in Incoming connections to pfsense box from Facebook?:

                @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                52.222.236.99

                That's Amazon in Germany.
                Look around you, your LAN, someone is doing some shopping with your connection.

                Oh my god, what a simple typo can do. lmao. Thank you.
                But what about those ipv6 awkward connections?

                  rasputinthegreatest @Gertjan
                  last edited by

                  @Gertjan said in Incoming connections to pfsense box from Facebook?:

                  @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                  52.222.236.99

                  That's Amazon in Germany.
                  Look around you, your LAN, someone is doing some shopping with your connection.

                  @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                  I was looking at LAN traffic

                  Ah, didn't know what you were looking at, I was presuming WAN.
                  LAN isn't interesting as that concerns your own devices.
                  ( you know what your own device do, right ?! )

                  @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                  But what about those ipv6 awkward connections?

                  The fe80 was also seen on LAN ?

                  Yes, that fe80 was seen on the LAN traffic graph. Same for that 10.0 IP, which is not assigned in my internal network though. I know all my devices, but that IP makes no sense. The only thing I could imagine it could be is my work VPN network. But that one is 10.232.x.x.

                    Gertjan @rasputinthegreatest
                    last edited by

                    @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                    Same for that 10.0 IP which is not assigned in my internal network though

                    Normally (disregard the first rule):

                    f68c451c-c111-4034-9300-b583b31cef9c-image.png

                    which means that my LAN interface will accept only traffic sourced from (originating in) 192.168.1.0/24, as 192.168.1.0/24 is my pfSense LAN.
                    All other traffic will hit the hidden last rule(s), which look like this:

                    ```
                    #---------------------------------------------------------------------------
                    # default deny rules
                    #---------------------------------------------------------------------------
                    block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
                    block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
                    block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"
                    block out log inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
                    ```
                    
                    These are block-all rules, present on all pfSense interfaces.
                    
                    This means that if you have a device that wants to use 10.1.2.3 on your LAN, it will go 'nowhere'. Even if it somehow reaches your pfSense LAN interface, it will get dropped.
                    
                    You can see the "1000000105" rule which you already found as you've shown it in your post above.


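To make the interplay between the hidden default-deny rules and the LAN pass rule concrete, here is an added Python model of how pf picks the deciding rule for the kinds of packets seen in this thread; it is example code, not pfSense's own, and the rule order, the quick flag on the LAN pass rule, its ridentifier (0 as a placeholder) and the host addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Toy model of pf rule evaluation written for this example; it is not
# pfSense code. pf semantics: rules are checked in order, a matching rule
# marked "quick" decides at once, otherwise the LAST matching rule decides.

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    family: str          # "inet", "inet6" or "any"
    src: str             # source network in CIDR notation, or "any"
    ridentifier: int     # the number pfSense prints in the firewall log
    label: str
    quick: bool = False
    log: bool = False

@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str

def rule_matches(rule, pkt):
    src = ipaddress.ip_address(pkt.src)
    family = "inet" if src.version == 4 else "inet6"
    if rule.direction != pkt.direction:
        return False
    if rule.family not in ("any", family):
        return False
    if rule.src != "any":
        net = ipaddress.ip_network(rule.src, strict=False)
        if net.version != src.version or src not in net:
            return False
    return True

def evaluate(rules, pkt):
    """Return the rule that decides the packet's fate, or None if none matched."""
    last = None
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.quick:
                return rule
            last = rule
    return last

def decide(rules, pkt):
    """(action, ridentifier, logged) for the packet, as the firewall log would show it."""
    rule = evaluate(rules, pkt)
    if rule is None:
        return ("pass", None, False)   # pf's implicit default when nothing matches
    return (rule.action, rule.ridentifier, rule.log)

# LAN ruleset as in the post: the hidden default-deny rules, then the
# "allow LAN net" pass rule. Rule order, the "quick" flag on the user rule
# and its ridentifier (0 = placeholder) are assumptions of this example.
LAN_RULES = [
    Rule("block", "in",  "inet",  "any", 1000000103, "Default deny rule IPv4", log=True),
    Rule("block", "out", "inet",  "any", 1000000104, "Default deny rule IPv4", log=True),
    Rule("block", "in",  "inet6", "any", 1000000105, "Default deny rule IPv6", log=True),
    Rule("block", "out", "inet6", "any", 1000000106, "Default deny rule IPv6", log=True),
    Rule("pass",  "in",  "inet",  "192.168.1.0/24", 0, "allow LAN net to any", quick=True),
]

# Constructed packets echoing the thread (host addresses made up for the example;
# 2001:db8::1 stands in for the redacted 2003: address).
LAN_HOST_TO_CLOUD = Packet("in", "192.168.1.50", "34.107.243.93")
STRAY_10_NET = Packet("in", "10.0.170.10", "192.168.1.1")
LINK_LOCAL_V6 = Packet("in", "fe80::563a:d6ff:feb9:4ab9", "2001:db8::1")
```

A LAN-sourced packet is decided by the quick pass rule even though a block rule matched earlier, while the stray 10.x and fe80 sources fall through to the logged default-deny rule, which is exactly the rule id the firewall log shows.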
                      rasputinthegreatest @rasputinthegreatest
                      last edited by rasputinthegreatest

                      @Gertjan I also saw this IP right now with in- and outbound traffic and it seems very sus: https://www.abuseipdb.com/check/34.107.243.93
                      Also this IP shows up in my LAN traffic graph https://www.abuseipdb.com/check/40.113.103.199
                      output.png
                      Why is this not being blocked?

                      Regarding the rules. I have these preconfigured rules. Do I need to add anything to them?
                      rules.png

                      What can I do to block these malicious IPs from making connections to my network?

                      Also here you can see a bandwidth spike but it doesn't show any IP
                      spike.png

                        SteveITS Galactic Empire @rasputinthegreatest
                        last edited by

                        @rasputinthegreatest

                        Potentially Bad Traffic

                        If you have the Info rules enabled understand those are not intended for blocking.

                        If you have Snort running on WAN move it to LAN. On WAN it operates outside the firewall so anything hitting your WAN IP is scanned even if it will be dropped.

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote 👍 helpful posts!

                          rasputinthegreatest @SteveITS
                          last edited by

                          @SteveITS I am using pfSense out of the box except for Snort. I have Snort set up on WAN and LAN.
                          Where do I find the info rules? Snort wasn't even picking up those IPs. I just saw them pop up on the traffic graph for a second.
                          https://www.abuseipdb.com/check/34.107.243.93
                          https://www.abuseipdb.com/check/40.113.103.199

                          How can I make sure this stuff gets picked up and blocked? And where can it come from if it is showing in the LAN traffic graph.

                            Gertjan @rasputinthegreatest
                            last edited by

                            @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                            I have snort setup on WAN

                            You're lucky, you have a router in front of your pfSense that is protecting it, so no illicit traffic can reach your pfSense. That is, I hope you've set it up like that.

                            If your pfSense's WAN interface did have your 'real' WAN IP, and you get yourself 'dossed', then every incoming packet 'not requested for' (that wasn't a reply to what was requested from your LAN(s)) gets dropped very (extremely) quickly by the firewall.
                            With Snort on WAN you said: I want every valid reply packet and also every illicit packet to be scanned by Snort. So, now every packet will cost you thousands of CPU cycles more.
                            In case of an incoming DoS your CPU will go into overdrive, and this can even take down the system.
                            Exactly what the dosser wanted, and he was counting on a bit of your help.

                            Never ever scan (Snort, Suricata, etc.) the WAN port, except if you have 'huge' resources.
                            It's a waste of time, power, comfort etc. etc.
                            It's like installing that TikTok app so you can see if you can find pure BS ....


                              johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                              last edited by johnpoz

                              @rasputinthegreatest there is no way some 34.x address is inbound into the LAN interface as source.. Unless you were using that internally - or you have something forwarding traffic to your LAN interface from some other connection..

                              To your upload being jammed - I would for starters disable snort.. That can have performance impact.. Does your issue go away?

                              internet -- wan pfsense lan -- your stuff

                              How would some internet IP 34.x ever be source of traffic inbound into your lan? Or even outbound for that matter.

                              How about you draw up how you have your stuff connected.. Because you must have your LAN exposed to the public internet or connected in some odd way if you could ever see internet IPs inbound as source into your LAN interface.. In a normal setup that would just be impossible.. Unless you were using 34.x something internally on your own networks.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                                rasputinthegreatest @johnpoz
                                last edited by rasputinthegreatest

                                @johnpoz The whole reason I got the pfSense box was because of my upload issues. At the moment my setup looks like this:
                                diag.jpg
                                My pfSense box is plugged into the 2.5 Gig port of my Fritzbox.
                                The Fritzbox goes into the WAN port on the pfSense box, and the LAN port from the pfSense box goes to a switch where my devices are connected behind.
                                Where is the error in this setup? I followed Jim's Garage setup.
                                Here are the WAN settings
                                wan.png
                                And here LAN settings
                                lan.png

                                Anything I am missing? Regarding the IP 34.x.x.x I was showing "Remote" in the traffic graph. Should I not be able to see any public IPs in the traffic?
                                trafficgra.jpg

                                  Gertjan @rasputinthegreatest
                                  last edited by

                                  @rasputinthegreatest

                                  Why did you keep the Fritzbox ?


                                    rasputinthegreatest @Gertjan
                                    last edited by

                                    @Gertjan It is provided by the ISP and doesn't support bridge mode afaik. So I am forced to double-nat

                                      johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                                      last edited by

                                      @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                                      pfsense box was because of my upload issues.

                                      So you had this issue before you put in pfsense.. Why would you think pfsense could magically fix something like that if you were having it before?

                                      From that drawing there is no possible way for pfsense to see some 34.x as source into the lan - just not possible.. Unless you have somehow created that traffic on your lan, or have some other connection into your lan that would send the traffic on to pfsense lan.

                                      You don't have any sort of bridge setup in pfsense do you?

                                      So you're running 2.5ge on your internal network, and is this 2.5ge connection on the pfSense LAN interface, and WAN I assume is only gig?

                                      You can run into weirdness when you change speeds like that - there is currently a thread going on about 1ge, 2.5ge and 10ge with multiple connections not seeing full speed, etc.

                                      So for example your PC, if connected to that switch at 2.5ge, says oh I can send data at 2.5, but then the connection to pfSense is only 1, so you can run into buffering issues on the switch. Flow control should normally take care of such issues..

                                      To see if that could be a possible contributing factor... I would set your interfaces to be the same across the board.. PC to switch, switch to pfSense, etc.


                                        rasputinthegreatest @johnpoz
                                        last edited by rasputinthegreatest

                                        @johnpoz I didn't think the pfSense would fix the issue with my upload speeds. It was rather a tool to investigate and see individual devices' traffic, since my Fritzbox doesn't allow that.
                                        I don't have any bridge mode set up for sure. Under the Traffic Graph I had "LAN" and "Remote" enabled like in the screenshot above. And here it showed for example the external IP of my company's VPN server, Amazon connections and all sorts of public IPs.
                                        If I am not supposed to see any of these things that is probably bad, but I have no explanation for it. For now I removed the pfSense firewall and just went back to the Fritzbox only.
                                        All interfaces are 2.5 Gig throughout my network, except my work computer's NIC which is 1 Gig. My personal computer is 2.5 Gig as well. The switch in between is a Trendnet 2.5 Gig switch.
                                        Can the issue be that my Fritzbox's network is 192.168.178.1, then the WAN port that goes into my pfSense box is assigned 192.168.178.42 through DHCP, but the LAN port that goes into my switch is 192.168.1.1? I still don't see how anything could be exposed to the internet if my Fritzbox is still there in front?

                                        @johnpoz said in Incoming connections to pfsense box from Facebook?:

                                        To see if that could be possible contributing factor... I would set your interfaces to be the same across the board.. Pc to switch, switch to pfsense, etc.

                                        Like I said this is already the case

                                        EDIT: @johnpoz Do you see any error in my diagram or config? I haven't changed anything inside pfsense from the most basic setup that would cause to expose my network to the internet

                                          johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                                          last edited by johnpoz

                                          @rasputinthegreatest ah, didn't catch the remote in your traffic graph. That will show you the remote IP you're talking to.. You would have started the conversation.

                                          Dude, you're chasing red herrings if you think a few stray packets or connections you don't understand at a few B or KBytes per second is causing your internet upload to suck.


                                            rasputinthegreatest @johnpoz
                                            last edited by

                                            @johnpoz Ok so at least it was a misunderstanding then what we were looking at. The 34.x.x.x IP is Google CDN and shows up whenever I use Firefox apparently. Seems to be part of Firefox from what I can tell here https://www.reddit.com/r/cybersecurity_help/comments/1h3b0s5/i_have_an_established_connection_to_a_potentially/ and here https://support.mozilla.org/mk/questions/1352614

                                             But coming back to what we talked about regarding the upload getting jammed. I was checking the graph and I didn't see any traffic while my upload speed was low. Only the traffic from the speedtest itself showed up, and it wasn't able to reach 50 Mbit/s in the graph. I also tried a direct connection with the Fritzbox and did a speedtest there, and the result was still too low. So no switch or anything in between that could interfere. I also disabled WiFi on the Fritzbox for the speedtest and it still didn't improve. I can't make sense of it and my ISP is not able to help. When the technician measures the connection directly at the source it is always perfect.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.