Netgate Discussion Forum
    Is this a firewall bug or am I doing something wrong?

    General pfSense Questions

    guardian (Rebel Alliance)

      Hope someone can help me… I am trying to keep entries like this:

      Apr 18 14:43:17 VLAN1 (1000002620)   172.16.0.4:5353   224.0.0.251:5353 UDP

      out of my logs.  There is a bug in the Cisco SG300 that doesn't allow me to turn off mDNS.

      The SG300 interface generates 1 log entry every 5 seconds.

      Apr 18 14:43:17 CORE FLOAT: QUIET: Block mDNS Noise from SG300 (1492536937)   172.16.50.254:5353   224.0.0.251:5353 UDP
      Apr 18 14:43:17 VLAN1 (1000002620)   172.16.0.4:5353   224.0.0.251:5353 UDP
      Apr 18 14:43:12 CORE FLOAT: QUIET: Block mDNS Noise from SG300 (1492536937)   172.16.50.254:5353   224.0.0.251:5353 UDP
      Apr 18 14:43:12 VLAN1 (1000002620)   172.16.0.4:5353   224.0.0.251:5353 UDP

      I created an alias:
      SG300_Interface 172.16.0.4, 172.16.50.254

      and a floating rule:
      States  Protocol  Source           Port  Destination  Port  Gateway  Queue  Schedule
              IPv4 UDP  SG300_Interface  *     224.0.0.251  5353  *        none

      As can be seen from the log, my rule traps 172.16.50.254 but not 172.16.0.4.

      On inspection of /tmp/rules.debug

      The alias is being created correctly:
      table <SG300_Interface> { 172.16.0.4 172.16.50.254 }

      and the block rule seems to be OK as well:

      User-defined rules follow

      anchor "userrules/*"
      …
      block log quick on { em1 em1_vlan50 } inet proto udp from $SG300_Interface to 224.0.0.251 port 5353 tracker 1492536937 label "USER_RULE: FLOAT: QUIET: Block mDNS Noise from SG300"

      The offending rule creating the log traffic is:

      antispoof log for $LAN tracker 1000002620

      which is much further up in the rules, but there is a similar rule for the 172.16.50.x interface:

      antispoof log for $CORE tracker 1000007870

      just a few lines below rule 1000002620.

      Running pfSense Version:
      2.3.3-RELEASE (amd64)
      built on Thu Feb 16 06:59:53 CST 2017
      FreeBSD 10.3-RELEASE-p16

      Can anyone give me any idea why these two addresses behave differently?
      Have I found a bug or am I doing something wrong?
      How can I best work around this?

      stephenw10 (Netgate Administrator)

        It's logging and blocking that traffic because it's matching the antispoof rule.

        Looks like it's coming into the VLAN interface from an IP that is in the LAN subnet. I assume the LAN is 172.16.0.4?

        That's the expected behaviour. https://www.openbsd.org/faq/pf/filter.html#antispoof

        Steve

        guardian (Rebel Alliance)
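        To make the antispoof behaviour Steve describes concrete, here is an added example in Python; it is not code from the thread or from pfSense. It expands `antispoof for <if>` into the two pf rules documented in pf.conf(5), parses firewall-log lines in the shape shown in the post, and reports which interface's antispoof rule would drop each packet. The interface table (subnet sizes, interface addresses, the VLAN1 subnet and the em1_vlan* names) is an assumption built around the two addresses in the post.

```python
import ipaddress
import re

# Constructed interface table modelled on the thread. Only 172.16.0.4 and
# 172.16.50.254 appear in the post; subnet sizes, interface addresses and the
# VLAN1 subnet are assumptions for this example.
INTERFACES = {
    "LAN":   {"ifname": "em1",        "addr": "172.16.0.1",  "net": "172.16.0.0/24"},
    "CORE":  {"ifname": "em1_vlan50", "addr": "172.16.50.1", "net": "172.16.50.0/24"},
    "VLAN1": {"ifname": "em1_vlan10", "addr": "172.16.1.1",  "net": "172.16.1.0/24"},
}


def antispoof_expansion(name):
    """The two rules 'antispoof for <name>' expands to, per pf.conf(5).

    Both are keyed on the *source* address: a packet sourced from the
    interface's subnet that arrives on any other interface is dropped, as is
    anything claiming the interface's own address.
    """
    i = INTERFACES[name]
    return [
        f"block drop in on ! {i['ifname']} inet from {i['net']} to any",
        f"block drop in inet from {i['addr']} to any",
    ]


# One line of the pfSense firewall-log view, e.g.
#   Apr 18 14:43:17 VLAN1 (1000002620)   172.16.0.4:5353   224.0.0.251:5353 UDP
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) (?:(?P<label>.*?) )?\((?P<tracker>\d+)\)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+)$"
)


def parse_log_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def antispoof_owner(iface, src):
    """Name of the interface whose antispoof rule drops a packet with source
    `src` arriving on `iface`, or None when no antispoof rule matches."""
    addr = ipaddress.ip_address(src)
    for name, i in INTERFACES.items():
        if name == iface:
            continue  # a subnet's own traffic on its own interface is fine
        if addr == ipaddress.ip_address(i["addr"]) or addr in ipaddress.ip_network(i["net"]):
            return name
    return None


def diagnose(lines):
    """Parse log lines and say, per line, whether it was an antispoof drop and why."""
    out = []
    for line in lines:
        e = parse_log_line(line)
        owner = antispoof_owner(e["iface"], e["src"])
        e["antispoof_for"] = owner
        if owner:
            e["reason"] = f"source {e['src']} belongs to {owner}'s subnet but entered on {e['iface']}"
        elif e["label"]:
            e["reason"] = "matched user rule " + e["label"]
        else:
            e["reason"] = "no antispoof match"
        out.append(e)
    return out


# Constructed sample lines, copied in shape from the thread.
SAMPLE_LOG = [
    "Apr 18 14:43:17 CORE FLOAT: QUIET: Block mDNS Noise from SG300 (1492536937)   172.16.50.254:5353   224.0.0.251:5353 UDP",
    "Apr 18 14:43:17 VLAN1 (1000002620)   172.16.0.4:5353   224.0.0.251:5353 UDP",
]

if __name__ == "__main__":
    for e in diagnose(SAMPLE_LOG):
        print(f"{e['iface']:6} {e['src']:15} tracker={e['tracker']}  {e['reason']}")
    print("\nantispoof for LAN expands to:")
    for r in antispoof_expansion("LAN"):
        print("  " + r)
```

Run against the two sample lines, the CORE entry is reported as a hit on the user rule (its label says so) while the VLAN1 entry is attributed to LAN's antispoof rule, because 172.16.0.4 sits in the LAN subnet but arrived on VLAN1. The useful takeaway for a firewall admin is that a user block rule can never "pre-empt" that drop: the fix is to correct the misaddressed host, not to loosen antispoof.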

          @stephenw10:

          It's logging and blocking that traffic because it's matching the antispoof rule.

          Looks like it's coming into the VLAN interface from an IP that is in the LAN subnet. I assume the LAN is 172.16.0.4?

          That's the expected behaviour. https://www.openbsd.org/faq/pf/filter.html#antispoof

          Steve

          Thanks for the reply…  I didn't realize I had the IP address reconfigured.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.