Netgate Discussion Forum
    Incoming connections to pfsense box from Facebook?

    Firewalling
    45 Posts 5 Posters 2.6k Views
    • R
      rasputinthegreatest @rasputinthegreatest
      last edited by rasputinthegreatest

      @Gertjan I also saw this IP right now with in- and outbound traffic and it seems very sus https://www.abuseipdb.com/check/34.107.243.93
      Also this IP shows up in my LAN traffic graph https://www.abuseipdb.com/check/40.113.103.199
      output.png
      Why is this not being blocked?

      Regarding the rules. I have these preconfigured rules. Do I need to add anything to them?
      rules.png

      What can I do to block these malicious IPs from making connections to my network?

      Also here you can see a bandwidth spike but it doesn't show any IP
      spike.png

      • S
        SteveITS Galactic Empire @rasputinthegreatest
        last edited by

        @rasputinthegreatest

        Potentially Bad Traffic

        If you have the Info rules enabled, understand those are not intended for blocking.

        If you have Snort running on WAN move it to LAN. On WAN it operates outside the firewall so anything hitting your WAN IP is scanned even if it will be dropped.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • R
          rasputinthegreatest @SteveITS
          last edited by

          @SteveITS I am using pfSense out of the box except for Snort. I have Snort set up on WAN and LAN.
          Where do I find the Info rules? Snort wasn't even picking up those IPs. I just saw them pop up on the traffic graph for a second.
          https://www.abuseipdb.com/check/34.107.243.93
          https://www.abuseipdb.com/check/40.113.103.199

          How can I make sure this stuff gets picked up and blocked? And where can it come from if it is showing in the LAN traffic graph?

          • GertjanG
            Gertjan @rasputinthegreatest
            last edited by

            @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

            I have snort setup on WAN

            You're lucky, you have a router in front of your pfSense that is protecting it, so no illicit traffic can reach your pfSense. That is, I hope you've set it up like that.

            If your pfSense's WAN interface did have your 'real' WAN IP, and you get yourself 'dossed', then every incoming packet 'not requested for' (that wasn't a reply to something requested from your LAN(s)) gets dropped very (extremely) quickly by the firewall.
            With Snort on WAN you said: I want every valid reply packet and also every illicit packet to be scanned by Snort. So, now every packet will cost you thousands of CPU cycles more.
            In case of an incoming DoS your CPU will go into overdrive, and this can even take down the system.
            Exactly what the DoSer wanted, and he was counting on a bit of your help.

            Never ever scan (Snort, Suricata, etc.) the WAN port, except if you have 'huge' resources.
            It's a waste of time, power, comfort etc. etc.
            It's like installing that TikTok app so you can see if you can find pure BS ....

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @rasputinthegreatest
              last edited by johnpoz

              @rasputinthegreatest there is no way some 34.x address is inbound into the LAN interface as source.. Unless you were using that internally, or you have something forwarding traffic to your LAN interface from some other connection..

              To your upload being jammed - I would for starters disable snort.. That can have performance impact.. Does your issue go away?

              internet -- wan pfsense lan -- your stuff

              How would some internet IP 34.x ever be source of traffic inbound into your lan? Or even outbound for that matter.

              How about you draw up how you have your stuff connected.. Because you must have your LAN exposed to the public internet or connected in some odd way if you could ever see internet IPs inbound as source into your LAN interface.. In a normal setup that would just be impossible.. Unless you were using 34.x something internally on your own networks.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • R
                rasputinthegreatest @johnpoz
                last edited by rasputinthegreatest

                @johnpoz The whole reason I got the pfSense box was because of my upload issues. At the moment my setup looks like this
                diag.jpg
                My pfSense box is plugged into the 2.5gig port of my Fritzbox.
                The Fritzbox goes into the WAN port on the pfSense box, and the LAN port from the pfSense box goes to a switch where my devices are connected behind.
                Where is the error in this setup? I followed Jim's Garage setup.
                Here are the WAN settings
                wan.png
                And here LAN settings
                lan.png

                Anything I am missing? Regarding the IP 34.x.x.x I was showing "Remote" in the traffic graph. Should I not be able to see any public IPs in the traffic?
                trafficgra.jpg

                • GertjanG
                  Gertjan @rasputinthegreatest
                  last edited by

                  @rasputinthegreatest

                  Why did you keep the Fritzbox ?

                  • R
                    rasputinthegreatest @Gertjan
                    last edited by

                    @Gertjan It is provided by the ISP and doesn't support bridge mode afaik. So I am forced to double-NAT.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                      last edited by

                      @rasputinthegreatest said in Incoming connections to pfsense box from Facebook?:

                      pfsense box was because of my upload issues.

                      So you had this issue before you put in pfSense.. Why would you think pfSense could magically fix something like that if you were having it before?

                      From that drawing there is no possible way for pfSense to see some 34.x as source into the LAN - just not possible.. Unless you have somehow created that traffic on your LAN, or have some other connection into your LAN that would send the traffic on to the pfSense LAN.

                      You don't have any sort of bridge setup in pfSense, do you?

                      So you're running 2.5GbE on your internal network, and is this 2.5GbE connection on the pfSense LAN interface, and WAN I assume is only gig?

                      You can run into weirdness when you change speeds like that - there is currently a thread going on about 1GbE, 2.5GbE and 10GbE with multiple connections not seeing full speed, etc.

                      So for example your PC, if connected to that switch at 2.5GbE, says oh I can send data at 2.5, but then the connection to pfSense is only 1, so you can run into buffering issues on the switch. Flow control should normally take care of such issues..

                      To see if that could be a possible contributing factor... I would set your interfaces to be the same across the board.. PC to switch, switch to pfSense, etc.

                      • R
                        rasputinthegreatest @johnpoz
                        last edited by rasputinthegreatest

                        @johnpoz I didn't think the pfSense would fix the issue with my upload speeds. It was rather a tool to investigate and see individual devices' traffic, since my Fritzbox doesn't allow that.
                        I don't have any bridge mode set up for sure. Under the Traffic Graph I had "LAN" and "Remote" enabled like in the screenshot above. And here it showed for example the external IP of my company's VPN server, Amazon connections and all sorts of public IPs.
                        If I am not supposed to see any of these things that is probably bad, but I have no explanation for it. For now I removed the pfSense firewall and just went back to the Fritzbox only.
                        All interfaces are 2.5Gig throughout my network, except my work computer's NIC which is 1Gig. My personal computer is 2.5gig as well. The switch in between is a Trendnet 2.5Gig switch.
                        Can the issue be that my Fritzbox's network is 192.168.178.1, then the WAN port that goes into my pfSense box is assigned 192.168.178.42 through DHCP, but the LAN port that goes into my switch is 192.168.1.1? I still don't see how anything could be exposed to the internet if my Fritzbox is still there in front?

                        @johnpoz said in Incoming connections to pfsense box from Facebook?:

                        To see if that could be possible contributing factor... I would set your interfaces to be the same across the board.. Pc to switch, switch to pfsense, etc.

                        Like I said, this is already the case.

                        EDIT: @johnpoz Do you see any error in my diagram or config? I haven't changed anything inside pfSense from the most basic setup that would cause my network to be exposed to the internet.

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                          last edited by johnpoz

                          @rasputinthegreatest ah, didn't catch the Remote in your traffic graph. That will show you the remote IP you're talking to.. You would have started the conversation.

                          Dude, you're chasing red herrings if you think a few stray packets or connections you don't understand at a few B or KBytes per second is causing your internet upload to suck.

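To make the point about the "Remote" column concrete, here is a toy stateful-filter model (an added example, not pfSense or pf code). A LAN host opens a connection, the firewall records a state, and reply packets from the public IP match that state and pass, so the public IP shows up as the remote end of LAN traffic. The same public IP sending an unsolicited packet to the WAN side matches no state and is dropped by the default-deny rule, and a public IP arriving as *source* on the LAN interface is the impossible case johnpoz describes. NAT is ignored and all addresses are constructed sample values.

```python
"""Toy stateful-firewall model (constructed example, not pfSense's own code)."""
from dataclasses import dataclass

LAN_NET = "192.168.1."  # LAN subnet prefix (constructed sample value)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # "lan" or "wan": the interface the packet arrived on


class StatefulFirewall:
    def __init__(self) -> None:
        # State key: (lan_ip, lan_port, remote_ip, remote_port)
        self.states: set[tuple[str, int, str, int]] = set()
        self.log: list[str] = []

    def handle(self, pkt: Packet) -> str:
        """Return 'pass' or 'block' for one packet, pf-style."""
        if pkt.iface == "lan" and pkt.src.startswith(LAN_NET):
            # Outbound from a LAN host: the default "LAN to any" rule
            # passes it and creates a state entry for the replies.
            self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.log.append(f"pass out lan {pkt.src}:{pkt.sport} -> "
                            f"{pkt.dst}:{pkt.dport} (state created)")
            return "pass"
        if pkt.iface == "wan":
            # Inbound on WAN: only packets matching an existing state pass;
            # everything else hits the default deny, no IDS needed.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.states:
                self.log.append(f"pass in wan {pkt.src}:{pkt.sport} -> "
                                f"{pkt.dst}:{pkt.dport} (reply to LAN)")
                return "pass"
            self.log.append(f"block in wan {pkt.src}:{pkt.sport} -> "
                            f"{pkt.dst}:{pkt.dport} (no state)")
            return "block"
        # A non-LAN source arriving on the LAN interface: should never
        # happen in the topology described; log it as unexpected.
        self.log.append(f"block in {pkt.iface} {pkt.src} (unexpected source)")
        return "block"

    def remote_peers(self) -> set[str]:
        """What the traffic graph's 'Remote' column would list."""
        return {remote for (_, _, remote, _) in self.states}
```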
                          • R
                            rasputinthegreatest @johnpoz
                            last edited by

                            @johnpoz Ok, so at least it was a misunderstanding then about what we were looking at. The 34.x.x.x IP is Google CDN and shows up whenever I use Firefox apparently. Seems to be part of Firefox from what I can tell here https://www.reddit.com/r/cybersecurity_help/comments/1h3b0s5/i_have_an_established_connection_to_a_potentially/ and here https://support.mozilla.org/mk/questions/1352614

                            But coming back to what we talked about regarding the upload getting jammed. I was checking the graph and I didn't see any traffic while my upload speed was low. Only the traffic from the speedtest itself showed up and it wasn't able to reach 50mbit/s in the graph. I also tried a direct connection with the Fritzbox and did a speedtest there and the result was still too low. So no switch or anything in between that could interfere. I also disabled Wifi on the Fritzbox for the speedtest and it still didn't improve. I can't make sense of it and my ISP is not able to help. When the technician measures the connection directly at the source it is always perfect.

                            • U
                              Uglybrian
                              last edited by

                              Try connecting your work computer to the source. What do you get?

                              • R
                                rasputinthegreatest @Uglybrian
                                last edited by

                                @Uglybrian That's what I did. Connected directly on Fritzbox. Same low speed when the upload is struggling. Also tried with a laptop. The device doesn't matter once it gets jammed for whatever reason.

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                                  last edited by

                                  @rasputinthegreatest not how you think throwing pfSense into the mix was going to help you sort out what is clearly an ISP issue or Fritzbox issue. One thing pfSense shows you - it's not your client sucking up the pipe.. And it's not any sort of inbound traffic..

                                  Contact your ISP.. Nobody is going to be able to help you fix an issue with your ISP other than your ISP.

                                  • R
                                    rasputinthegreatest @johnpoz
                                    last edited by

                                    @johnpoz I think I wrote before but they say everything is fine and no issue can be detected. Had 3 technicians here already. A restart usually solves the problem for a day or sometimes longer. Since the Fritzbox was replaced as well I don't think it is the box to be honest.
                                    What do you mean it's inbound traffic when my upload is affected?
                                    I got pfsense also for learning more about networking not just to check the upload issue.

                                    • S
                                      SteveITS Galactic Empire @rasputinthegreatest
                                      last edited by

                                      @rasputinthegreatest A restart of pfSense, or of the ISP router?

                                      • R
                                        rasputinthegreatest @SteveITS
                                        last edited by

                                         @SteveITS Sorry for the late response. Of the ISP router.

                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                                          last edited by

                                           @rasputinthegreatest well - then how is it not their router issue?.. Anything behind that, even pfSense, still has to go through that device..

                                          • R
                                            rasputinthegreatest @johnpoz
                                            last edited by

                                            @johnpoz I don't know. I didn't have any upload issues for 4 days at this point and nothing changed since then.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.