Lan multicast is being blocked by default rules
-
I would, instead, add a reject rule and disable logging on it if those logs really bother you. No reason to pass traffic that should not be passed.
-
The problem is that they flood the log, way more than anything else. Will see what happens with all blocked and will update if anything important crops up that may be of interest. Thank you very much.
-
The traffic is between hosts on the lan only,
Then pfSense has nothing to do with it. It only filters traffic between the LAN and WAN. Other than the DHCP function, you could remove it completely and you wouldn't see any difference for traffic between hosts on the LAN.
-
Some stupid host is probably sending that traffic to pfSense for processing - resulting in log spam.
-
169.254 should not be logged on lan side interface.. Unless he has bogon selected on the lan and set to log?
List in bogon table..
"169.254.0.0/16"PFsense should just ignore broadcast traffic on the lan.. My guess is he enabled bogon blocking on his lan interface..
-
Block private networks and block bogon for LAN has been off since day one. I agree this should not happen, still trying to figure it out. Here are examples of blocked (I added an easy rule but before that it was trapped by the default rule):
LAN Easy Rule: Passed from Firewall Log View (1510441518) 169.254.200.84:49152 239.255.255.250:1900 UDP
LAN Easy Rule: Passed from Firewall Log View (1510441518) 169.254.9.203:49152 239.255.255.250:1900 UDP
LAN Easy Rule: Passed from Firewall Log View (1510441518) 169.254.9.203:52613 224.0.144.1:52613 UDPAlso, according to ntopng it is on multiple devices, iPhones, watches, DirecTV receivers, Philiphs hue hub.
-
well yeah there is going to be a bunch of that noise.. I don't log default block which is prob why I am not seeing it.. I only turn that on if troubleshooting something. I setup a specific block rule that only blocks syn traffic. I don't care to see out of state blocks, or noise like that.
-
This is all new to me since my old router never displayed those in the logs. If this is normal I guess it's OK to let it pass. As for logging, I always looked at the log every day to see who is attacking. Right now I am puzzled why default rules should not log. But maybe when I add some tools like pfblockerng, suricata, etc. which I am still reading about they may take the place of logs. Thanks for the info.
-
"I always looked at the log every day to see who is attacking."
Noise on the internet is not attacking ;) I log the syn traffic.. But I don't want to see all the noise.. Out of state, UDP, etc.
Your off the shelf router wasn't logging shit ;)
-
It was a Zyxel USG100, it email thousands of blocks every midnight from the 2 WANs, I saw attempts from around the world lasting up to 48 hours trying different ports, I assume that's an attack. Pfsense seems to be catching (or logging) more things so it's clearly much better at blocking. Pfsense is great, I will never go back! Can't wait to figure what blocking packages to install.
-
"I always looked at the log every day to see who is attacking."
Noise on the internet is not attacking ;) I log the syn traffic.. But I don't want to see all the noise.. Out of state, UDP, etc.
John
Could you give an example of "just logging syn packets"
I suppose you have a specific block rule with logging enables , and ANY w. SYN ,
and then a block rule wo. logging or ??TIA
/Bingo
