Malformed wol packets

AceFloof · Oct 7, 2019, 2:56 PM

Hey everyone!

Well, after an hour of fiddeling around with the settings on my PC to try to get it workling with pfSense's integrated wake on lan functionallity
I found out (with wireshark) that the magic packages that pfsense sends are presumably invalid.

To confirm this I simply tried a generic wake on lan app on my phone and it instantly worked.

(192.168.5.1 is pfsense, .5.81 is the phone and .5.7 the PC)

So, something arrives at my PC every time I click on the wake button in pfsense, but it's malformed.

Can anyone confirm this, is it a known problem or is it just my system? Because I didn't find any info so far...
(When searching for wol problems with pfsense most results are about wrong settings on the target device)

Thanks in advance!

simon.lock · Dec 20, 2019, 11:11 PM

I'm experiencing exactly the same problem.

simon.lock · Dec 21, 2019, 8:24 PM

Did you get anywhere with this? I'm still experiencing the same problem. I raised a bug with pfsense but it was quickly rejected by Jim Pingle; stating it must be a problem with something on my local environment interfering. Perhaps we are using similar equipment? I'm using a unifi ap and unifi managed switches. However, I also receive corrupted packed when only using pfsense wired directly into my Windows 10 PC which should eliminate my unifi equipment. I think my pfsense may have become corrupt?

JKnott · Dec 22, 2019, 2:43 AM

@simon-lock

Try using Packet Capture to see what's being sent. Download the capture, so you can view it in Wireshark.

simon.lock · Dec 22, 2019, 8:57 AM

@JKnott
Thanks for your reply. I've already used Wireshark and I'm getting the same results as posted by @AceFloof .

When issuing a wol command from pfsense to a pc running wireshark (directly cabled and not via a switch) the corrupted message received displays the following:

protocol: ? KNX/IP Unknown service family
Info: ? Unkown service family

The same results results are obtained when doing a packet capture from pfsense itself.

NogBadTheBad · Dec 22, 2019, 11:30 AM

Same here but it is waking the remote host.

packetcapture.cap

NogBadTheBad · Dec 22, 2019, 11:43 AM

Disable KNX/IP in Wireshark.

The ethertype and port would appear to be wrong.

https://wiki.wireshark.org/WakeOnLAN

simon.lock · Dec 22, 2019, 11:52 AM

Thank you so much for your reply. Disabling KNX/IP in Wireshark then revealed correctly formed packets. So I guess my system isn't corrupted. Using the capture feature which is built into pfSense will always show malformed packets.

JKnott · Dec 22, 2019, 12:05 PM

@NogBadTheBad said in Malformed wol packets:

The ethertype and port would appear to be wrong.

WOL can be either UDP/IP or Ethertype 842. Either way it would use Ethernet II, not 802.3. However, the port is definitly wrong for UDP and wouldn't be used for Ethertype 842.

NogBadTheBad · Dec 22, 2019, 12:10 PM

@JKnott
Oops should have said or as per the wireshark capture filter:-

ether proto 0x0842 or udp port 9

AceFloof · Feb 28, 2020, 1:12 PM

The point is not that I get malformed packages in Wireshark, the point is that I can't wake up my PC with the the pfSense WOL feature. It works with (almost) every random WOL app on my phone, tablet and laptop (which obviously sends some different kind of package than pfSense does). So this is definitely a pfSense problem.

JKnott · Feb 28, 2020, 1:46 PM

@AceFloof

What happens with the wol command at the command prompt?

AceFloof · Feb 29, 2020, 1:11 AM

@JKnott
When I issue "wol -i 192.168.5.255 40:8d:5c:56:e1:24" on my pfsense box I get the exact same packet as shown in my first post.

AceFloof · Feb 29, 2020, 1:42 AM

@JKnott
Also, when I issue the "wakeonlan 40:8d:5c:56:e1:24" command on a debian machine I get the following correct packet in wireshark which actually wakes up my PC.

JKnott · Mar 6, 2020, 8:08 PM

@AceFloof

Why are you including the broadcast IP address with the MAC? Whenever I used WoL, I just sent the MAC address. Here's the script I used to wake up a Netfinity server, which I just took to recycling this week.
/usr/bin/wol 00:02:55:47:E0:7B

BTW, I see you're using display filters in Wireshark, rather than capture filters. You may want to learn about capture filters, as they capture only the traffic of interest, where as display filters are used to select packets from what has been captured. If you don't use capture filters, you capture everything. I rarely use display filters, though I do have one to hide any packets containing the MAC of the computer I'm running Wireshark on. I do that to reduce the clutter.

alirz · Mar 5, 2020, 4:50 AM

i have no issues using WOL with my pfsense.
i have wol working for multiple PCs over LAN and WAN.

kiokoman · Mar 5, 2020, 8:54 AM

I haven't said anything so far, but wol work for me too on my pcs, sometimes i turn on my smart tv with that, the only thing that i'm unable to turn on with wol are virtual machine inside esxi. but that is another matter ..i have yet to investigate

AceFloof · Mar 6, 2020, 8:08 PM

@JKnott
that was just for testing purpose, usually I use the pfSense Webinterface (Services -> Wake-on-Lan) to issue the command but that leads to the same result.
I'm just wondering why my Windows Machine won't turn on when I send the WoL command from the pfSense box when it seems to work for everyone else here.
Also sending it from any other system/device in my network works fine for me (tested with my laptop and android phone). Everything but pfSense seems to be able to turn on my pc via WoL.

Also ty for the info, def. looking into capture filters :)

NRgia · Jun 23, 2020, 12:57 AM

@AceFloof said in Malformed wol packets:

@JKnott
Also, when I issue the "wakeonlan 40:8d:5c:56:e1:24" command on a debian machine I get the following correct packet in wireshark which actually wakes up my PC.

Hello @AceFloof ,

After trying to find what was 'knx/ip unknown service family' I was redirected to your post.

Currently I'm using pfSense 2.5.0-devel and I have the same problem as you, as you can see:

All other devices and applications sends the correct magic packet on the port 9, pfSense sends it on port 40000.

I have sent WOL packets from pfSense to Windows 10 and Manjaro Linux hosts, and none of them will wake up.

I have APs from Unifi and Netgear switches on my Network, among other IOT stuff, and also VLANs.

I'm trying to understand what we have in common, and if you solved the issue?

johnpoz · Jun 23, 2020, 1:34 AM

I just went over this not that long ago that pfsense sends out on 40k..

https://forum.netgate.com/post/912917

That you don't know how to use wireshark, doesn't mean the packet is malformed ;)

I can tell wireshark anything is what its not and its going to show up as messed up...

the correct magic packet on the port 9, pfSense sends it on port 40000.

Where did you come up with the idea that port 9 is the correct port? Port means NOTHING in a wol packet.. what port it gets sent out in doesn't mean anything.. Sure there are some common ports 0, 7, 9 etc.. 0 is just going to be a security nightmare and wouldn't normally be allowed out from a firewall at all.. 7 and 9 have their own issues because old clients could see those since its sent to broadcast address, etc.

Sure wireshark will see udp on 9 and think oh wol, and then decode it for that.. But again - what wireshark does for dissection of any given packet is ultimately up to the user using it.. If you say a packet is WOL and its NOT then it will show malformed, if you say its X when its Y, again malformed.. Wireshark tries and make a guess to what the data is - it quite often makes mistakes.. For example thinking your wol is knx..

First thing that jumps out at me looking at that sniff - is wtf, they using a /15 mask?? WHY??? Your broadcast is 172.19.255.255 and your coming from a 172.18.0.12 - that is a /15.. Why would you be using that??? My guess why something isn't working is you prob have issues with your mask on your devices..