Network Analysis question - UDP
-
I am trying to better understand UDP on my network, and could use your help. I have a pfSense firewall that defaults to deny outbound traffic, and I routinely, sporadically, see denied traffic such as:
UDP default deny: src:<workstation>:64756 dst:<my_external_IP>:28100
In my case, <workstation> is: macOS, connected via bridged WiFi to a Netgate pfSense firewall (provides DHCP, NAT, DNS, and default GW to the workstation 1.x/24 network). Outside of the firewall is a Verizon FIOS router (also NAT, 5.x/24 network). UPnP is disabled on both networks.
The IP destination is always my external IP address assigned by Verizon. UDP src ports and dst ports are random high port numbers. Why would my workstation be trying to connect to my external IP?
Thoughts (probably lack of understanding) ... If pfSense is statefully inspecting UDP, would not this be allowed if it is associated with an established connection?
Thanks for your help.
-
Odd UDP ports like that to me would scream P2P.. Especially if they change all the time.
Are you running a P2P client anywhere on your network? It's always that same workstation?
Sniff the traffic, then open it up in Wireshark - this should give you some idea of what the traffic actually is.
-
What rule is it blocked by? That would normally be passed by the default LAN rules.
You have any port forwards set up? Anything that resolves to your WAN IP via dyndns maybe?
Steve
-
@stephenw10 I appreciate your response, and there was a dyndns service enabled, so I disabled it! I also changed so many other things that I cannot confirm this was it, but plausible and I haven't had the symptom recently. Thanks again!