Help me understand logs
-
I am new to pfsense and trying to make sense of the logs I am seeing. I just have the default rules that are created upon a fresh install.
My lan ipv4 address is set to 192.168.1.1 /24
What I do not understand in the log is that the neither the sources or destinations are coming from a ip address on my network.
See attached image for logs
-
Those are APIPA addresses that are auto-assigned by DHCP clients that have not yet found a DHCP server to get a real IP address from.
-
Does this mean I have something on my network that is unable to get a DHCP lease from pfsense?
-
Perhaps. It's a Windows thing. Are you running a DHCP server, either pfSense or other? Are your clients set for DHCP or static IP?
-
I am using the pfsense dhcp server. Far as I know all clients are set to dhcp, but I am going through the house now making sure. I am giving things static ip's via the dhcp leases status page as I cross them off the list.
So far I have found a Brother MFC printer that had a setting in its network setup to turn APIPA on or off. It was set to on, so I turned that off. Still have a flood of constant blocked on the LAN, however now most of them are ipv6 addresses. My main concern is that it is generating so many per second that my logs will bloat and become crazy to analyze.
-
Those IPv6 logs look like DNS to me, not DHCP stuff.
-
Any idea how I could get them to stop?
I went around the house and turned off everything until I was left with just a linksys e4200 in bridge mode I use as a AP. The IPV6 entries in the log dropped off significantly after I powered off my Xbox one, but there were still some in there.
Once literally everything was off I got this entry in the logs repeating 20 times per second:
LAN source 169.254.6.5:49152 Destination 239.255.255.250:1900 UDP
Attached sceenshot of dashboard and another log. If this is a DNS issue how can I fix it?
-
Only the IPv6 stuff using port 5353 was DNS. Your latest logs are some APIPA device trying UPnP. Normally LAN has an Allow Any rule, so I'm not sure why you're seeing all this blocked traffic on LAN. Did you modify the LAN firewall rules? If so, could you post your LAN firewall rules please?
-
That is my concern, nothing should be blocked at all according to my rules, but my logs are filling up at a astounding rate with blocks.
I just installed the other day, should I start over with a fresh install?
-
Do you have UPnP enabled under Services - UPnP & NAT-PMP?
-
I do. I need it for my Plex server and gaming consoles.
-
I have tried everything I can think of so far. I disabled upnp and then turned off IPV6 for both WAN and LAN by setting IPv6 Configuration Type = none for both interfaces.
Rebooted the pfsense, cleared the log and refreshed it and instantly had what you see in the attachment.
How am I getting so many ipv6 alerts when I have it disabled? How is anything at all being blocked on the LAN when the only rules I have are to allow everything?
Thanks for the help :)
-
Is this article what is happening in my logs?
https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
If so there is no mention of how to fix it or if a fix is even possible. It would not be bad if it was an ocassional log entry but this is many per second being logged.
Anyone have any ideas? I am going to try a fresh install tomorrow and see if they persist.
-
No that article is about out of state connections…
You have a device or devices that is using APIPA address or link-local space ipv6 that starts with fe80 are link local address, link local in ipv4 is 169.254 - also called APIPA..
https://en.wikipedia.org/wiki/Link-local_address
Your best best is to find the device.. and get it an address if you can, some devices always use APIPA.. My dvr does it for example with no way to turn it off..
I would sniff on your lan interface in pfsense - find the mac address of what is sending out the traffic... And then find it based up on that mac... From the mac you can look up who is the maker.. Or if you have a smart switch you can find it that way, etc.
If you can not turn it off - like in the case of my dvr, then you can set it up to not log that traffic.. By either turning off logging default blocks, or creating a rule that allows it or blocks it and don't log that traffic. So for example if your seeing traffic to udp 1900 and you don't want it in the logs.. Then create rule that blocks it but does not log and put it at the bottom of your rule set for the interface your seeing it on.