Netgate Discussion Forum
    Help : one machine bringing down the entire LAN subnet

    • iTris666

      Hi,

      My company is using a pfsense 1.2.3 machine as router and firewall. Everything used to work fine until recently, when all connectivity was lost on the LAN interface (which is on a VLAN, if it matters). After quite some time troubleshooting, I isolated the problem: if I connect one machine on the LAN, the entire LAN is no longer responsive. I can ping the default gateway, which is the LAN interface of the pfsense machine, but the connectivity is so bad that I need to refresh the web page 10+ times to be able to see the pfsense admin. Nothing passes the router. Unplugging the guilty machine resolves the problem instantly and nothing special appears in the pfsense system logs.

      The machine guilty of bringing everything down has been connected for a long time and was working fine until a few days ago.

      All the LAN machines are connected to the pfsense machine through the same two switches.

      The only two things that make this machine special on pfsense are that it has a fixed IP address association in the DHCP server and outgoing access to three more ports than the others.

      Does anyone have a clue or a similar experience?

      • inflamer

        Perhaps you should start a packet capture on pfSense and then connect this particular computer to the network, to get an idea of what kind of traffic it's propagating and why this traffic would cause issues on your pfSense device?

        Andreas

        • iTris666

          Thanks, that's actually a great suggestion. It did provide interesting results.

          The machine spams the network with requests on a specific IP address, belonging to a company selling DDOS protection, which seems legit. "Black Lotus Communications". The machine must have a backdoor installed used to perform DDOS attacks.

          • inflamer

            Glad to hear you managed to find the cause.

            It's a bit concerning however that the spam traffic from the affected computer seems to bring pfSense to more or less a halt.

            pfSense can't prevent the traffic from hitting its LAN interface by itself, but have you tried creating a firewall rule which denies this computer access to WAN altogether, to see if that helps, as this will at least stop pfSense from having to route this traffic?

            Andreas

            • Nachtfalke

              If the machine is spamming to a suspect IP address, cut it from the network, save all data on the machine, check them for viruses and trojans and then kill the machine and do a reinstallation.

              The problem is not pfsense or your network - it is the malware!

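The capture step suggested in the thread, as an added example that is not part of the original posts: it ranks source hosts in `tcpdump -nn -tt` text output by packet share and packet rate, to identify the machine flooding the LAN and the address it targets. The sample lines, all addresses and ports, and the `min_share` / `min_pps` thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches IPv4 lines of `tcpdump -nn -tt` text output; ports are optional (ICMP has none).
LINE_RE = re.compile(r"^(\d+\.\d+) IP (\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > "
                     r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:")

def top_talkers(lines, min_share=0.5, min_pps=100.0):
    """Return sources that dominate the capture by packet share and packet rate."""
    count, dsts, first, last = Counter(), defaultdict(Counter), {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                      # ARP, IPv6, truncated lines: not counted
            continue
        ts, src, dst = float(m.group(1)), m.group(2), m.group(3)
        count[src] += 1
        dsts[src][dst] += 1
        first[src] = min(first.get(src, ts), ts)
        last[src] = max(last.get(src, ts), ts)
    total = sum(count.values())
    findings = []
    for src, n in count.most_common():
        span = last[src] - first[src]
        pps = (n - 1) / span if n > 1 and span > 0 else 0.0
        if n / total >= min_share and pps >= min_pps:
            dst, dn = dsts[src].most_common(1)[0]   # destination receiving most of it
            findings.append({"src": src, "packets": n, "share": round(n / total, 2),
                             "pps": round(pps), "top_dst": dst,
                             "top_dst_share": round(dn / n, 2)})
    return findings

def sample_capture():
    """Constructed capture (not from the thread): one LAN host flooding one address."""
    t0 = 1300000000.0
    lines = [f"{t0 + i * 0.001:.6f} IP 192.168.1.50.{40000 + i} > 203.0.113.10.80: "
             "Flags [S], seq 0, win 8192, length 0" for i in range(200)]
    lines += [
        f"{t0 + 0.05:.6f} IP 192.168.1.20 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64",
        f"{t0 + 0.10:.6f} IP 192.168.1.21.52000 > 198.51.100.7.443: Flags [P.], length 120",
        f"{t0 + 0.15:.6f} ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
    ]
    return lines

if __name__ == "__main__":
    for finding in top_talkers(sample_capture()):
        print(finding)
```

A source that holds most of the capture and sends nearly all of it to one destination is the host to isolate first; the same function can be fed a real capture saved as text from the LAN interface.
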
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.