Confusion about LAN address on PFsense FW Log
-
Looks like the classic "out of state packets". PFSense will always drop packets if the state does not exist. PFSense is a stateful firewall and enforces proper TCP state build-up and tear-down. My guess is you have some mobile or tablet devices on your network.
-
Hi Harv,
It might be out of state, yet the thing is: there is no mobile device on the LAN 192.168.1.X, not a single one (there is no AP on that network).
Anyway, my main concern is about the networks themselves (and not about the dropped packets).
I don't understand how PFsense got packets from 192.168.10.11 and 192.169.1.42.
Any clues?
tks!
Luis
-
You're not natting?? That would be the first suggestion.. If you were natting then no, there should be no 192.168.1, 2, 3 IPs that pfsense should see.
But to be honest, in such a setup what point does the unifi router serve?? Why don't you just connect these networks directly to pfsense?
-
Hi,
YES! there is NAT there??? That is also what I found very weird!
I thought about connecting everything directly to PFSense, but at the moment PFSense is running on a brand new Atom 525 build only for this, with only 2 NICs (from Intel).
Also the Ubiquiti router has a PoE port that supplies 24V to a Ubiquiti AP. I was thinking of disabling NAT and having the router act as a PoE passthrough only, when I found those "lost" packets there, so before I touch anything else I am trying to understand what is going on here…
I have no clue where to look further...
tks!
Luis
-
How do you have it wired? You sure pfsense is connected to the WAN port of the unifi router… If you're seeing those other networks then you're connected at layer 2, and/or unifi is not natting..
Why don't you just use the unifi PoE injector to supply power to your AP? Or what model is that unifi router - does it have switch ports or just all interfaces for routing? Why not just get a normal switch, or one of their switches, if all you need is PoE.
-
Hi John,
I am dead sure :)
The wires are exactly as shown on the diagram that I previously attached.
Internet <-- 1 cable --> BT modem <-- 1 cable from BT modem to PFSense WAN --> PFSense <-- 1 cable from PFSense LAN to router WAN --> router <-- 3 cables, 1 for each interface --> 3 different networks, with 3 different cables.
The router is the EdgeRouter X.
The router config is eth2 as the WAN port, with DNS masquerade;
eth0, 1 and 3 as LAN ports, each one with its own IP scheme. I had the switch before I built the PFsense, so it was used for that reason too.
I just don't understand those packets on the FW itself :( sounds very weird to me.
Thanks for any hints!
Luis
-
Well, your blocks from 10.11 are just out of state packets..
But that traffic from 192.168.1.42, be it in state or out of state, I agree with you should not be there.. So you have a problem with your unifi router not doing NAT if it's sending traffic out on the 192.168.10 network without natting it..
You should bring it up on the unifi forums.. Pfsense has nothing to do with that at all.
-
Hi John,
Thank you very much!
I was looking for a second opinion, as I also believe it makes no sense.
I will open a thread on unifi! Very appreciated! :)
Luis
-
Perhaps it would make more sense to insert a normal LAN switch behind the pfSense, like the Cisco SG200 or SG300 series, and set it up as normal and common. Why create a dual-homed bastion host or router cascade if it is not really needed here? Also a smaller switch with 5 GB LAN ports would be sufficient if it supports VLANs.
Alternatively you could also do SPI/NAT only at the WAN port of the pfSense and disable NAT at the "WAN" port of the UBNT router so that you are using plain routing there; then these problems will be gone.
-
In a home/SMB setup it makes no sense to use a downstream router.. If you need more interfaces on pfSense then add them or use VLANs. I just don't see the need for downstream routing or, even worse, double natting.
If you want to leverage your unifi router for its PoE, ok sure I guess - just disable its NAT feature and create your routes to your downstream router via a transit network.. But as mentioned a switch would be the better choice.
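The triage the thread arrives at (two separate findings in one log: harmless out-of-state TCP drops from the transit LAN, and packets from a downstream subnet that should never reach pfSense while the EdgeRouter is NATting) can be automated over pfSense filter log lines. This is an added example, not code from any poster or from pfSense; the log lines are constructed, and the CSV field positions, the interface name em1 and the 192.168.10.0/24 transit network are assumptions. It also shows the second case the thread ends on: once NAT is disabled and the downstream nets are routed, they become expected sources and the same check stays quiet.

```python
import ipaddress

# Constructed sample entries (not from the thread) in the pfSense filterlog
# CSV layout, IPv4/TCP only. Field positions are an assumption:
# 4 interface, 6 action, 7 direction, 8 ipver, 16 protoname,
# 18 src, 19 dst, 23 tcpflags.
SAMPLE_LOG = """\
5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.10.11,142.250.74.46,52313,443,0,FA,1,1,64240,,
5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.10.11,142.250.74.46,52313,443,0,A,2,2,64240,,
5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.42,8.8.8.8,40122,53,0,S,3,,64240,,mss
100,,,1000000105,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.20,93.184.216.34,44120,443,0,S,4,,64240,,mss
"""


def classify(line, lan_iface, allowed_src_nets):
    """Tag one filterlog line. Returns None for non-IPv4 or truncated lines."""
    f = line.strip().split(",")
    if len(f) < 24 or f[8] != "4":
        return None
    iface, action, direction, proto = f[4], f[6], f[7], f[16]
    src, dst, flags = f[18], f[19], f[23]
    tags = []
    # A source outside every network expected behind this interface: with NAT
    # on at the downstream router only the transit/LAN net should ever appear,
    # so a 192.168.1.x source means the downstream box is not NATting.
    if iface == lan_iface and direction == "in" and \
            not any(ipaddress.ip_address(src) in n for n in allowed_src_nets):
        tags.append("unexpected-source")
    # A blocked TCP packet without SYN is the classic "out of state" drop:
    # it belongs to a connection whose state pfSense no longer holds.
    if action == "block" and proto == "tcp" and "S" not in flags:
        tags.append("out-of-state")
    return {"src": src, "dst": dst, "tags": tags}


def triage(log, lan_iface="em1", allowed_src_nets=("192.168.10.0/24",)):
    """Group offending source addresses by finding for a whole log."""
    nets = [ipaddress.ip_network(n) for n in allowed_src_nets]
    summary = {"out-of-state": [], "unexpected-source": []}
    for line in log.splitlines():
        rec = classify(line, lan_iface, nets)
        if rec:
            for tag in rec["tags"]:
                summary[tag].append(rec["src"])
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # Same log after NAT is off and 192.168.1.0/24 is routed via the transit net:
    print(triage(SAMPLE_LOG, allowed_src_nets=("192.168.10.0/24", "192.168.1.0/24")))
```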