Netgate Discussion Forum

    Lan multicast is being blocked by default rules

    General pfSense Questions
    17 Posts 5 Posters 6.9k Views
    Derelict LAYER 8 Netgate

      I would, instead, add a reject rule and disable logging on it if those logs really bother you. No reason to pass traffic that should not be passed.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

    MarioG

        The problem is that they flood the log, way more than anything else. Will see what happens with all blocked and will update if anything important crops up that may be of interest. Thank you very much.

    JKnott

          "The traffic is between hosts on the lan only,"

          Then pfSense has nothing to do with it.  It only filters traffic between the LAN and WAN.  Other than the DHCP function, you could remove it completely and you wouldn't see any difference for traffic between hosts on the LAN.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

    Derelict LAYER 8 Netgate

            Some stupid host is probably sending that traffic to pfSense for processing - resulting in log spam.


    johnpoz LAYER 8 Global Moderator

              169.254 should not be logged on the LAN-side interface.. Unless he has bogon selected on the LAN and set to log?

              List in bogon table..
              "169.254.0.0/16"

              pfSense should just ignore broadcast traffic on the LAN.. My guess is he enabled bogon blocking on his LAN interface..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

    MarioG

                Block private networks and block bogon for LAN has been off since day one. I agree this should not happen, still trying to figure it out. Here are examples of blocked (I added an easy rule but before that it was trapped by the default rule):

                LAN Easy Rule: Passed from Firewall Log View (1510441518)   169.254.200.84:49152   239.255.255.250:1900 UDP
                LAN Easy Rule: Passed from Firewall Log View (1510441518)   169.254.9.203:49152   239.255.255.250:1900 UDP
                LAN Easy Rule: Passed from Firewall Log View (1510441518)   169.254.9.203:52613   224.0.144.1:52613         UDP

                Also, according to ntopng it is on multiple devices: iPhones, watches, DirecTV receivers, a Philips Hue hub.

    johnpoz LAYER 8 Global Moderator

                  well yeah there is going to be a bunch of that noise.. I don't log default block which is prob why I am not seeing it.. I only turn that on if troubleshooting something.  I set up a specific block rule that only blocks SYN traffic.  I don't care to see out of state blocks, or noise like that.


    MarioG

                    This is all new to me since my old router never displayed those in the logs. If this is normal I guess it's OK to let it pass. As for logging, I always looked at the log every day to see who is attacking. Right now I am puzzled why default rules should not log. But maybe when I add some tools like pfblockerng, suricata, etc. which I am still reading about they may take the place of logs. Thanks for the info.

    johnpoz LAYER 8 Global Moderator

                      "I always looked at the log every day to see who is attacking."

                      Noise on the internet is not attacking ;)  I log the syn traffic.. But I don't want to see all the noise.. Out of state, UDP, etc.

                      Your off-the-shelf router wasn't logging shit ;)


    MarioG

                        It was a Zyxel USG100; it emailed thousands of blocks every midnight from the 2 WANs. I saw attempts from around the world lasting up to 48 hours trying different ports, I assume that's an attack. pfSense seems to be catching (or logging) more things so it's clearly much better at blocking. pfSense is great, I will never go back! Can't wait to figure out what blocking packages to install.

    bingo600

                          @johnpoz:

                          "I always looked at the log every day to see who is attacking."

                          Noise on the internet is not attacking ;)  I log the syn traffic.. But I don't want to see all the noise.. Out of state, UDP, etc.

                          John

                          Could you give an example of "just logging SYN packets"?
                          I suppose you have a specific block rule with logging enabled, and ANY w. SYN,
                          and then a block rule wo. logging, or ??

                          TIA
                          /Bingo

                          If you find my answer useful - Please give the post a 👍 - "thumbs up"

                          pfSense+ 23.05.1 (ZFS)

                          QOTOM-Q355G4 Quad Lan.
                          CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                          LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD
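Added example (not johnpoz's or Netgate's configuration): the "log only SYN" pattern from this thread written in pf.conf syntax, the rule language pfSense generates behind its GUI rules, together with an unlogged drop for the 169.254.x.x SSDP/multicast chatter shown in MarioG's log lines. The interface macros and rule order are assumptions for the example.

```pf
# Assumed interface macros (constructed for this example).
wan = "em0"
lan = "em1"

# 1. LAN: silently drop link-local hosts talking to multicast groups
#    (the 169.254.x.x -> 239.255.255.250:1900 entries quoted above).
#    No "log" keyword, so these never reach the firewall log.
#    Use "block return" here for Derelict's "reject" variant.
block in quick on $lan from 169.254.0.0/16 to 224.0.0.0/4

# 2. WAN: log only new TCP connection attempts. "flags S/SA" matches
#    packets with SYN set and ACK clear, i.e. the first packet of a
#    connection attempt; out-of-state ACK/RST packets, UDP and other
#    noise do not match this rule and are handled by rule 3.
block in log quick on $wan proto tcp flags S/SA

# 3. WAN: drop everything else without logging. This takes the place
#    of logging on the default block rule, which is what fills the log.
block in quick on $wan
```

In the pfSense GUI the equivalent is a block rule with logging enabled and, under Advanced Options, TCP flags restricted to SYN, placed above a block rule with logging disabled, with logging of the default block rules turned off in the firewall log settings.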

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.