Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPv4 Rule added, Firewall still blocking

    Scheduled Pinned Locked Moved Firewalling
    16 Posts 3 Posters 1.2k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      The rule that is blocking that is the link-local rule, not your default block rule..

      linklocal.png

      Those are blocked by hidden rules way up in the list, before your rules are evaluated

      you can view them with pfctl -sr

      block drop in quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"

      You can turn those off in advanced, firewall & nat

      apiparules.png

      Just do a filter reload after checking that box.. Then look in your rules again with the pfctl -sr to make sure they are gone.

      Sorry didn't notice exactly what rule was blocking that in your first post.

      But again - prob best to try and turn off the generation of that noise at the device.. Do you know what device is sending that traffic? You can sniff on that interface to find the mac address of the device sending it, help you identify what it is.

      That 172.16.1.15 is sending to 169.254? Yeah this is junk ;) Stupid devices!!

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      • B Offline
        beachbum2021
        last edited by beachbum2021

        will do thank you very much, awesome advice! . I think its either Ring or Unifi, I will do a sniff and check back in.

        1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          What unifi device? A camera?

          I have some shit devices that send out noise, directv devices loves to spew 169.254 multicast discovery nonsense.. I just block it at its switch port ;) with an acl. So it never actually enters the network at all, let alone reach pfsense.

          The plex software on nas also does dlna discovery nonsense, even when you disable it - also blocked at the switch port..

          If you can not turn it off at the device, if your switching allows for ACLs, you could prob stop it from actually entering the network.. Or if via wireless, block it from entering your network at the AP switch port.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          T 1 Reply Last reply Reply Quote 0
          • B Offline
            beachbum2021
            last edited by beachbum2021

            yes it has to be a crap device because that's all i have on that network. I did enable the APIPA but still broadcasting. I'm fine with supressing this alert if possible rather than wasting time on it. Everything seems to be working fine on that network regardless. I just cant find what is sending this out. I could disconnect 1 device at a time or perhaps wireshark ?

            09:07:49.199537 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
            09:07:53.413804 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 380
            09:07:53.510319 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 364
            09:07:53.631861 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 321
            09:07:53.773669 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 312
            09:07:53.872557 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 380
            09:07:53.992901 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 364
            09:07:54.132317 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 321
            09:07:54.221984 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
            09:07:54.234791 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 312
            09:07:54.355145 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 380
            09:07:54.492174 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 364
            09:07:54.595838 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 321
            09:07:54.716179 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 312
            09:07:59.202412 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
            09:08:11.201464 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
            09:08:16.203651 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
            09:08:21.212996 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
            09:08:33.202489 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
            09:08:38.207356 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
            03dfcaa6-bb4a-4bc0-b5f8-67cc353b6e13-image.png

            1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator
              last edited by

              open the sniff you did on pfsense in wireshark, or up the verbosity so you can see the mac of the device.. Then can track which device it via its mac address, atleast look up what device maker it is..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              B 1 Reply Last reply Reply Quote 0
              • B Offline
                beachbum2021 @johnpoz
                last edited by beachbum2021

                @johnpoz looks like a TV to me. could be the comcast set top box.

                OPT1 172.16.1.17 64:12:36:9c:95:f9 Technicolor CH USA Inc. Tue Oct 13 08:55:13 2020

                169.254.161.196.50759 > 239.255.255.250.1900: [udp sum ok] UDP, length 155
                09:19:16.218208 64:12:36:9c:95:f9 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 197: (tos 0x0, ttl 4, id 16039, offset 0, flags [DF], proto UDP (17), length 183)

                0b1075c4-36ac-4b08-927c-db7c27d6e1b6-image.png

                kinda odd, this mac has two ips and they are both active. They are connected to a r7500v2 netgear AP.
                OPT1 172.16.1.21 64:12:36:9c:95:f9 Technicolor CH USA Inc. Tue Oct 13 09:06:24 2020
                OPT1 172.16.1.17 64:12:36:9c:95:f9 Technicolor CH USA Inc. Tue Oct 13 08:55:13 2020

                1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  Yeah that is odd.. I take it connected wifi - is it some how connected to both 2.4 and 5 at the same time?

                  Have you tried restarting it, and see if some of the noise resides.. Do you have it IP setup static?

                  Hmmm - could it have gotten a lease, and then never actually stop using the IP, and then did a discover to get an other IP? do you or did you run more than 1 dhcp server on the same network..

                  That is odd.. Can you reset the network settings on the device?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  B 1 Reply Last reply Reply Quote 0
                  • B Offline
                    beachbum2021 @johnpoz
                    last edited by beachbum2021

                    @johnpoz Yeah, I disconnected it and cleared both leases and powered it back on. Only have 1 IP now and UDP 1900 traffic has stopped. Somehow it was mucked up but I am going to check the wifi settings. It's set to DHCP on wifi. it's one of those trash x1 tv boxes that came with my internet package. I barely use it.

                    1 Reply Last reply Reply Quote 0
                    • T Offline
                      tman222 @johnpoz
                      last edited by

                      @johnpoz said in IPv4 Rule added, Firewall still blocking:

                      What unifi device? A camera?

                      I have some shit devices that send out noise, directv devices loves to spew 169.254 multicast discovery nonsense.. I just block it at its switch port ;) with an acl. So it never actually enters the network at all, let alone reach pfsense.

                      The plex software on nas also does dlna discovery nonsense, even when you disable it - also blocked at the switch port..

                      If you can not turn it off at the device, if your switching allows for ACLs, you could prob stop it from actually entering the network.. Or if via wireless, block it from entering your network at the AP switch port.

                      @johnpoz - don't mean to hijack this thread, but just wanted to say thank you for the advice. I have a TV STB that has been spamming my firewall logs with 169.254.x.x. nonsense for over three years now (probably trying to look for other STB's). I never thought about setting up an ACL rule on the switch to block that traffic at the port level. Firewall logs look a lot cleaner now :).

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        @tman222

                        Glad it was helpful - that is the really the whole point of discussions vs just blanket Q:A sort of threads... You never know what what kind of great info you can glean from just discussing a specific issue..

                        Much rather the question kicks off a discussion on what doing, how doing it, what would you like to do exactly.. How else to skin the cat vs just

                        Q: How do I do X
                        A: Click here

                        X might not be the right way to do it in the first place, and 2nd discussing X might expose all kinds of other things that you can like Y and Z.. that the asking of X kicked off.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        B 1 Reply Last reply Reply Quote 0
                        • B Offline
                          beachbum2021 @johnpoz
                          last edited by beachbum2021

                          @johnpoz yessir, thanks for your help!

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.