Firewall all kinds of weird and spontaneous blocks on LAN
-
Interfaces/WAN2 (cable)
 -
Interfaces/LAN.
 -
Interfaces/VLAN40.
 -
Advanced/networking.
 -
System log settings.
 -
And, finally, the LAN rules in two parts (note the number of 'easy rules passed from firewall log view'. And even then they still aren't working, as the log is still flooded with IPv6 as shown in the first picture):
 -
LAN rules part 2:
 -
And finally, the multicast-alias in the LAN rules:
 -
So I will be feeling hugely indebted to everybody who can help me solve this, that goes without saying :P
(because it is driving me crazy, this flooding of logs which I am trying to fight with the firewall rules every day :-[).
Thank you in advance very much (really :-*),
Bye ;D
-
EDIT: I forgot one screenshot from the general system log. Errors 'finding Ipv6 gateway' (?) on both WAN and WAN2 (=opt4).
I should also add that I added this WAN2 a couple of days ago (I don't know exactly when anymore), and I also don't know if that is when the IPv6-flooding in the logs and the error in the attached picture began :-\
 -
Cry. WIFE is angry with me now :-[
This is happening as I was busy with my failover WAN:
 -
And this, floods of it:
 -
Everyone of those seems to me blocked because of states out of sync you notice the tcp flags on the proto
TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR
https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
This is going to happen when you have something get out of wack where pfsense states do not list these connections and then sees traffic. Can happen when you clear states or reboot pfsense. Can happen if you have devices that are in and out of the network, say wireless devices for example. I mostly see these in my logs from my sons phone. This sort of thing is common and will happen with any stateful firewall.
-
Everyone of those seems to me blocked because of states out of sync you notice the tcp flags on the proto
TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR
https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
This is going to happen when you have something get out of wack where pfsense states do not list these connections and then sees traffic. Can happen when you clear states or reboot pfsense. Can happen if you have devices that are in and out of the network, say wireless devices for example. I mostly see these in my logs from my sons phone. This sort of thing is common and will happen with any stateful firewall.
Thanks for your fast reply, John ;D
(I can't hit the 'thanks' button more than once in a thread and I apparently already did).
I will read the link you posted. But I think it doesn't cover everything. For example, the extreme IPv6-flooding, the 127.0.0.1 stuff that keeps coming up (this last one, might this be a squid-problem?), all that 'broadcasting' (224.x.x.x etc stuff)? Would you know how to get rid of that?
Thank you for your help, John: it is appreciated very much ;D
-
Like this :'( :'( :'(
 -
those from 127.0.0.1:3128 – I would assume squid from the port. Yeah its out of state with a both those you showing being FA and RA.. So yeah the state table could explain those.
as to 224 which would be multicast.. Don't see any of those in your past example. What interface are you seeing those on. Those would be easy enough to weed out with a rule.. Be it you want them or don't want to see them but block, etc. Not sure if pfsense creates any behind the curtain multicast rules like it does for dhcp, etc.
-
Your no showing the full states on those - post them from the full view of the log. If you having a issue with states then need to trouble shoot why.
And don't see any multicast in there either.
-
those from 127.0.0.1:3128 – I would assume squid from the port. Yeah its out of state with a both those you showing being FA and RA.. So yeah the state table could explain those.
as to 224 which would be multicast.. Don't see any of those in your past example. What interface are you seeing those on. Those would be easy enough to weed out with a rule.. Be it you want them or don't want to see them but block, etc. Not sure if pfsense creates any behind the curtain multicast rules like it does for dhcp, etc.
Thanks John ;D
No, you don't see them in the example as I followed your instruction of a couple of months ago and started anew. So the Alias in the pic comes from all the entries I added from the Easy Firewall Add, and consolidated into an alias since that was a mess after some time. They are on LAN, as I added the consolidated alias there.
As to the bold: could I ask what you mean exactly? How could I fix these?
Thank you :P
-
Your no showing the full states on those - post them from the full view of the log. If you having a issue with states then need to trouble shoot why.
And don't see any multicast in there either.
Thanks John ;D
The multicast was the previous alias-story. The attached picture contains the full states.
Thank you :D
 -
So as you see those are all like FA or RA.. So per the link that explains why that can happen those.. You have a situation where there is no state showing a connection. So when you get a packet that is not syn and no active state the firewall will block.
Now if your seeing a lot of it, then you might want to look into why. Are you clearing states on a schedule or something. Seems odd that squid would be trying to answer a client but the state is gone?
I see wan2 in there - so you have multiple wans, is it possible you have asynchronous routing going on where traffic goes out one connection, and answer come in other connection?
