Netgate SG-4860 blocking UDP broadcast?
-
I have a Netgate SG-4860 running the latest build (2.4.2-RELEASE-p1) and a very simple and flat network layout with just one subnet.
I have these Ubiquiti wireless access points and they appear to broadcast on UDP 10001. I can see that they are being blocked by the firewall:
Jan 14 11:56:39 LAN Default deny rule IPv6 (1000000105) [fe80::822a:a8ff:xxxx:xxxx]:53536 [ff02::1]:10001 UDP
Jan 14 11:56:42 LAN Default deny rule IPv6 (1000000105) [fe80::822a:a8ff:xxxx:xxxx]:53171 [ff02::1]:10001 UDP
Jan 14 11:56:43 LAN Default deny rule IPv6 (1000000105) [fe80::822a:a8ff:xxxx:xxxx]:47947 [ff02::1]:10001 UDP
I don't understand why because I have the default firewall rule that allows all IPv6, any port, any protocol on the LAN network. What's even more confusing is that if I create the "Easy Rule" by clicking on the blocked log entry, it creates a rule allowing that specific IPv6 address to send/broadcast to UDP 10001 and then I can see the Ubiquiti wireless access points.
What am I missing or doing wrong?
Thanks,
/Raj
-
This is what the raw log entry looks like:
Jan 14 12:23:44 filterlog: 7,,,1000000105,igb0,match,block,in,6,0x00,0x00000,1,UDP,17,156,fe80::822a:a8ff:xxxx:xxxx,ff02::1,51392,10001,156
Jan 14 12:23:42 filterlog: 7,,,1000000105,igb0,match,block,in,6,0x00,0x00000,1,UDP,17,156,fe80::822a:a8ff:xxxx:xxxx,ff02::1,33758,10001,156
Jan 14 12:23:34 filterlog: 7,,,1000000105,igb0,match,block,in,6,0x00,0x00000,1,UDP,17,156,fe80::822a:a8ff:xxxx:xxxx,ff02::1,34439,10001,156
-
Hi,
Your Ubiquiti devices are all on LAN? Or on another LAN (OPTx)?
From what perspective do you want to see these devices? Also from LAN? OPT1? WAN?
I use this simple rule myself: "broadcast messages never go further than the first router", because they are not meant to leave the network segment.
This is my rule of course, I could be wrong ;)
All kinds of broadcast messages, like DHCP (?), should never be passed on to other networks - I guess the entire "Ethernet thing" would break if that happened.
Btw: I have many APs on my OPT2 network interface (my second "LAN"), and from my LAN I can connect just fine to them using a browser or SSH client. Logging from them, the APs, using UDP to a syslog server on LAN works fine.
-
Hi Gertjan,
Yes, the Ubiquiti APs are all on the same LAN and one is even on the same physical switch. Unless I put in the manual rule above… I can't see the Ubiquiti APs. I think that this is a "bug" in pfSense where it is blocking UDP broadcasts on the LAN.
Thanks,
/Raj
-
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting#Unfilterable_Traffic pfSense has nothing to do with traffic that stays in the same LAN segment.
-
It's not really a bug because pfSense is not interested in that traffic in any way; it's not supposed to cross routers, so pfSense can do whatever it wants with it. You should turn off default logging at Status->System Logs->Settings->Log firewall default blocks and you won't see those log entries anymore. It's overall better to log only the traffic that you're interested in; the default logging logs all kinds of useless noise such as this case.
-
Hi Gertjan,
Yes, the Ubiquiti APs are all on the same LAN and one is even on the same physical switch. Unless I put in the manual rule above… I can't see the Ubiquiti APs. I think that this is a "bug" in pfSense where it is blocking UDP broadcasts on the LAN.
Thanks,
/Raj

As others have mentioned, unless those packets actually pass through pfSense, rules don't make any difference.

I use this simple rule myself: "broadcast messages never go further than the first router", because they are not meant to leave the network segment.
This is my rule of course, I could be wrong ;)

Not only that, but those packets he lists are link local, which also never pass through a router.
BTW, on IPv6, there's no such thing as broadcast. Multicast is used exclusively and some multicast packets may pass through routers, depending on their scope and router configuration.
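To make the two points in this thread concrete (the raw filterlog entries Raj posted, and the reply that link-local sources and link-local-scope multicast never cross a router), here is an added example of my own; it is not pfSense, Netgate or Ubiquiti code. The parser follows the documented filterlog CSV field order for IPv4 and IPv6 with TCP/UDP, and each blocked entry is checked for the properties that mean no router could have forwarded it. The first three sample lines are the entries posted earlier with the masked "xxxx" groups replaced by the AP's link-local address from the ifconfig output posted later in the thread; the fourth line (global-unicast traffic on an assumed interface igb1) is constructed for contrast.

```python
"""Parse pfSense filterlog entries and flag packets that no router forwards.

Added example for this thread (not pfSense, Netgate or Ubiquiti code).  The
field order follows the documented filterlog CSV layout; the interface igb1
and the global-unicast line are constructed for contrast.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# The three blocked entries quoted earlier in the thread, with the poster's
# masked "xxxx" groups replaced by the AP's link-local address from the
# ifconfig output posted later (fe80::822a:a8ff:fe96:9d8c).  The last line is
# constructed: a global-unicast UDP packet arriving on an assumed WAN (igb1).
SAMPLE_LOG = """\
Jan 14 12:23:44 filterlog: 7,,,1000000105,igb0,match,block,in,6,0x00,0x00000,1,UDP,17,156,fe80::822a:a8ff:fe96:9d8c,ff02::1,51392,10001,156
Jan 14 12:23:42 filterlog: 7,,,1000000105,igb0,match,block,in,6,0x00,0x00000,1,UDP,17,156,fe80::822a:a8ff:fe96:9d8c,ff02::1,33758,10001,156
Jan 14 12:23:34 filterlog: 7,,,1000000105,igb0,match,block,in,6,0x00,0x00000,1,UDP,17,156,fe80::822a:a8ff:fe96:9d8c,ff02::1,34439,10001,156
Jan 14 12:30:00 filterlog: 5,,,1000000103,igb1,match,block,in,6,0x00,0x00000,64,UDP,17,60,2001:db8::1,2001:db8:1::10,51000,53,60
"""


@dataclass
class FilterLogEntry:
    prefix: str          # syslog timestamp (and host, if present)
    rule: str
    tracker: str
    interface: str
    action: str
    direction: str
    ip_version: int
    hop_limit: int       # IPv4 TTL or IPv6 hop limit
    protocol: str
    src: IPAddress
    dst: IPAddress
    sport: Optional[int]
    dport: Optional[int]


def parse_filterlog(line: str) -> FilterLogEntry:
    """Parse one syslog line written by pfSense's filterlog daemon."""
    prefix, sep, rest = line.partition(" filterlog: ")
    if not sep:
        raise ValueError("not a filterlog line: %r" % line)
    f = rest.split(",")
    # Common header: rule, sub-rule, anchor, tracker, interface, reason,
    # action, direction, ip-version.
    rule, _sub, _anchor, tracker, iface, _reason, action, direction, ipver = f[:9]
    ipver = int(ipver)
    if ipver == 4:
        # tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
        ttl, proto, src, dst, ports = f[11], f[16], f[18], f[19], f[20:22]
    elif ipver == 6:
        # class, flow-label, hop-limit, proto-text, proto-id, length, src, dst
        ttl, proto, src, dst, ports = f[11], f[12], f[15], f[16], f[17:19]
    else:
        raise ValueError("unsupported IP version %d" % ipver)
    sport = dport = None
    if proto.upper() in ("TCP", "UDP") and len(ports) == 2:
        sport, dport = int(ports[0]), int(ports[1])
    return FilterLogEntry(prefix, rule, tracker, iface, action, direction, ipver,
                          int(ttl), proto, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), sport, dport)


def why_unroutable(e: FilterLogEntry) -> List[str]:
    """Reasons no router could have forwarded this packet (empty = it could)."""
    reasons = []
    if e.src.is_link_local:
        reasons.append("link-local source (fe80::/10 or 169.254/16)")
    if e.ip_version == 6 and e.dst.is_multicast:
        # IPv6 multicast scope is the low nibble of the first group (ff0X::).
        scope = int(e.dst.exploded.split(":")[0], 16) & 0xF
        if scope <= 2:   # 1 = interface-local, 2 = link-local (ff02::1 = all nodes)
            reasons.append("multicast destination with scope %x (link-local or narrower)" % scope)
    elif e.ip_version == 4 and e.dst == ipaddress.IPv4Address("255.255.255.255"):
        reasons.append("limited-broadcast destination")
    if e.hop_limit == 1:
        reasons.append("hop limit/TTL of 1 expires at the first router")
    return reasons


def triage(log_text: str) -> Dict[str, int]:
    """Split blocked entries into noise a LAN rule can never affect vs. the rest."""
    counts = {"never_routed": 0, "routable": 0}
    for line in log_text.splitlines():
        if line.strip():
            e = parse_filterlog(line)
            counts["never_routed" if why_unroutable(e) else "routable"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_filterlog(line)
        print(e.interface, e.action, e.src, "->", e.dst, e.dport, why_unroutable(e))
    print(triage(SAMPLE_LOG))
```

Run against the thread's three entries, every one of them trips all three checks (link-local source, ff02::1 link-local-scope destination, hop limit 1), which is why no LAN pass rule changes anything: the packet is consumed on the link and only the default-block logging notices it. The constructed global-unicast line is the kind of entry that a pass rule would actually affect, so a quick triage like this separates log noise from blocks worth investigating.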
-
https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used
"UDP port 10001 (for AP discovery)"
Cloud Key :-
eth0 Link encap:Ethernet HWaddr 80:2a:a8:f0:de:28
inet addr:172.16.1.10 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::822a:a8ff:fef0:de28/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1949368 errors:0 dropped:16672 overruns:0 frame:0
TX packets:1183625 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:885992030 (844.9 MiB) TX bytes:568642389 (542.2 MiB)
AP :-
br0 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
inet addr:172.16.1.11 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::822a:a8ff:fe96:9d8c/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:909145 errors:0 dropped:2792 overruns:0 frame:0
TX packets:763336 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:53284095 (50.8 MiB) TX bytes:147625369 (140.7 MiB)
BTW you'll only see the AP discovery packets during AP boot or if you switch off the Unifi controller.
-
"BTW, on IPv6, there's no such thing as broadcast. "
Not sure I like that wording to be honest.. even if technically correct ;) If it's the all-hosts/all-nodes multicast, and it's reserved so that it can not be used for anything else, etc., then how is it not a "broadcast"? So you have these addresses:
FF02::1 (all-hosts multicast), does this not communicate with every host on the network?? I.e. broadcast ;)
These sure seem to be broadcast addresses to me… Per the RFC https://tools.ietf.org/html/rfc4291#section-2.7.1
If the client has to listen for it.. how is it not really a broadcast, whether you want to call it broadcast or not ;)
But as mentioned if you do not want to see that noise, there are a few ways to not log it..