Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Help with Firewall Log

    Scheduled Pinned Locked Moved Firewalling
    43 Posts 6 Posters 11.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • QinnQ
      Qinn
      last edited by

      https://forum.pfsense.org/index.php?topic=92054.0

      Strange thing is I have Draytek Vigir 130 to. Mine is in PPPoA to PPPoE bridge mode so it's transperant.

      Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
      Firmware: Latest-stable-pfSense CE (amd64)
      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Just capture on WAN with the port set to 4944. Leave the hosts as any.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • QinnQ
          Qinn
          last edited by

          @Derelict:

          Just capture on WAN with the port set to 4944. Leave the hosts as any.

          Only filled in the port and set the count to 1 waiting for over 10min still the capture is running, stopped it and the log file is empty? On the status/dashboard/firewall logs there are numerous counts of "em0 0.0.0.0  to 255.255.255.255:4944" (still don't understand why the log is mentioning em0 in stead of WAN).

          I still wanna analyze this strange log in the firewall, but just out of curiosity I unchecked the logging of block bogon networks (status/system logs/settings), but it doesn't help they are still in the logs?

          I tested a simple (so with default setting any-any) capture on the WAN and it's working fine, strangely but consistent, there are no captures on 0.0.0.0. in this file?

          Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
          Firmware: Latest-stable-pfSense CE (amd64)
          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            wan is going to be assigned to an interface..  What are you interface assignments?  Can you post them.  Is your wan actually a vlan on top of em0?

            Use tcpdump directly with -i em0 and port udp 4944..  If you see the traffic then you can write it to a file and we can open it in wireshark.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • QinnQ
              Qinn
              last edited by

              @johnpoz:

              wan is going to be assigned to an interface..  What are you interface assignments?  Can you post them.  Is your wan actually a vlan on top of em0?

              Use tcpdump directly with -i em0 and port udp 4944..  If you see the traffic then you can write it to a file and we can open it in wireshark.

              NIC1 = em0 = WAN
              NIC2 = em1 = LAN
              on em1 I have assigned 2 VLAN's

              tcpdump -> wireshark thanks for pointing that one out to me!

              So I did a

              tcpdump -c  10 -w /tmp/port.4944.debug.txt -i em0 'port 4944'

              than I looked at it with wireshark. To my limited knowledge it seems it originates from the the PPPoA to PPPoE bridge (Draytek Vigor 130) which is between WAN(em0) and ISP as this ISP uses PPPoA and as far as I know this cannot be done by pfSense. I though this bridge should be transparent? I would like to know our opinion  insights, thanks for having a look in advance.

              Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
              Firmware: Latest-stable-pfSense CE (amd64)
              Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                So did you go into your daytek and

                UNmarking "Broadcast DSL status to LAN" under ->System Maintenance->Management

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • QinnQ
                  Qinn
                  last edited by

                  @johnpoz:

                  So did you go into your daytek and

                  UNmarking "Broadcast DSL status to LAN" under ->System Maintenance->Management

                  I will take a look at it and report back soon, at this time it is not possible to power it down. Not to be on hasty side, but I thought a Draytek Vigor 130 set into PPPoA to PPPoE and as so bridging between ISP and WAN was totally transparent.

                  btw if you have taken a look I remove the file as there's a mac address in there you can't be to carefull ;)

                  Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                  Firmware: Latest-stable-pfSense CE (amd64)
                  Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    why would you have to power it down?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • QinnQ
                      Qinn
                      last edited by

                      As I said settings it to bridge mode between PPPoA and PPPoe, to the best of my knowledge it has no IP (that's why I said it was transparent) so I don't know how to login on it, is there a way? The moment I disconnect it from the Internet it get's an IP (static).

                      Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                      Firmware: Latest-stable-pfSense CE (amd64)
                      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        well my cable modem is "transparent" ie pfsense gets a public IP..  And I can still access the cable modem via 192.168.100.1 - I would assume daytek would have the same sort of default IP for management even when in "bridge" mode.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • QinnQ
                          Qinn
                          last edited by

                          http://just.draytek.com/index.php?option=com_k2&view=item&id=5617&Itemid=293&lang=en From what the specs say it seems that it could send DSl info (you are wright, still not checked it in the hardware though  ;) ), although I never checked this option and as I know not how to access it, I am still mandatory to power it down and connect it to my LAN as I don't know how to set an IP as It is on on the WAN side?

                          Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                          Firmware: Latest-stable-pfSense CE (amd64)
                          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            well the IP by default is 192.168.1.1 I think - this might be the IP even when in bridge mode.

                            What IP you using on pfsense lan side?

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • QinnQ
                              Qinn
                              last edited by

                              192.168.1.1 so they are the same I can change it, but I still don't understand that there can be a IP thats in the LAN range set on the WAN side  ???

                              Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                              Firmware: Latest-stable-pfSense CE (amd64)
                              Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                you can not.. if your pfsense lan is 192.168.1.0/24 then no you wouldn't be able to access your isp devices IP of 192.168.1.1 from devices on your lan.

                                Doesn't mean that device can not have that IP..

                                For example my cable modem is 192.168.100.1 my lan is 192.168.9.0/24 I can access it just fine without doing anything because pfsense send that traffic out its wan interface and the cable modem picks it up and answers.  Some devices might not do that - and you might have to setup a vip on your wan interface to be on the same network as your device, etc..

                                See the pfsense doc about accessing modem on wan, etc.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • QinnQ
                                  Qinn
                                  last edited by

                                  Thanks I wll look into it it seems according to these http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=196693 that it might be done I will report back also on the 0.0.0.0  port 4944 thanks (so far) for all your time, I am wiser now !!

                                  Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                  Firmware: Latest-stable-pfSense CE (amd64)
                                  Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                  1 Reply Last reply Reply Quote 0
                                  • QinnQ
                                    Qinn
                                    last edited by

                                    <off topic="">I see my Disk usage ( /mnt ) is  102% of 595MiB - ufs never saw that?</off>

                                    Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                    Firmware: Latest-stable-pfSense CE (amd64)
                                    Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      Nullity
                                      last edited by

                                      @Qinn:

                                      <off topic="">I see my Disk usage ( /mnt ) is  102% of 595MiB - ufs never saw that?</off>

                                      Did your tcpdump fill up /mnt?

                                      Please correct any obvious misinformation in my posts.
                                      -Not a professional; an arrogant ignoramous.

                                      1 Reply Last reply Reply Quote 0
                                      • DerelictD
                                        Derelict LAYER 8 Netgate
                                        last edited by

                                        There shouldn't be anything mounted on /mnt unless you're doing something funky.

                                        Chattanooga, Tennessee, USA
                                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                        1 Reply Last reply Reply Quote 0
                                        • QinnQ
                                          Qinn
                                          last edited by

                                          @Derelict:

                                          There shouldn't be anything mounted on /mnt unless you're doing something funky.

                                          Yes I did stupid me  ;)

                                          Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                          Firmware: Latest-stable-pfSense CE (amd64)
                                          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                          1 Reply Last reply Reply Quote 0
                                          • QinnQ
                                            Qinn
                                            last edited by

                                            @johnpoz:

                                            So did you go into your daytek and

                                            UNmarking "Broadcast DSL status to LAN" under ->System Maintenance->Management

                                            Yes and unchecking "Broadcast DSL status to router in LAN" did the job, this option has been introduced in version 3.7.6.  Draytek mentions New features only in the release notes of the firmware and as I didn't update for long time (there was nothing worth updating IMO) I didn't knew it was there when I updated a week ago. So now I now (again) why you should always stay current with the lastest firmware.

                                            Thanks for your help!!

                                            Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                            Firmware: Latest-stable-pfSense CE (amd64)
                                            Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.