Netgate Discussion Forum
    IPv4 Rule added, Firewall still blocking

    Category: Firewalling
    16 Posts 3 Posters 1.2k Views

    • beachbum2021

      Will do, thank you very much, awesome advice! I think it's either Ring or Unifi; I will do a sniff and check back in.

      • johnpoz (LAYER 8, Global Moderator)

        What unifi device? A camera?

        I have some shit devices that send out noise; DirecTV devices love to spew 169.254 multicast discovery nonsense.. I just block it at its switch port ;) with an ACL. So it never actually enters the network at all, let alone reaches pfSense.

        The Plex software on the NAS also does DLNA discovery nonsense, even when you disable it - also blocked at the switch port..

        If you cannot turn it off at the device, and your switching allows for ACLs, you could prob stop it from actually entering the network.. Or if via wireless, block it from entering your network at the AP's switch port.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • beachbum2021

          Yes, it has to be a crap device because that's all I have on that network. I did enable the APIPA but it is still broadcasting. I'm fine with suppressing this alert if possible rather than wasting time on it. Everything seems to be working fine on that network regardless. I just can't find what is sending this out. I could disconnect 1 device at a time, or perhaps Wireshark?

          09:07:49.199537 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
          09:07:53.413804 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 380
          09:07:53.510319 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 364
          09:07:53.631861 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 321
          09:07:53.773669 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 312
          09:07:53.872557 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 380
          09:07:53.992901 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 364
          09:07:54.132317 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 321
          09:07:54.221984 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
          09:07:54.234791 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 312
          09:07:54.355145 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 380
          09:07:54.492174 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 364
          09:07:54.595838 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 321
          09:07:54.716179 IP 169.254.161.196.1900 > 239.255.255.250.1900: UDP, length 312
          09:07:59.202412 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
          09:08:11.201464 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
          09:08:16.203651 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
          09:08:21.212996 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
          09:08:33.202489 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155
          09:08:38.207356 IP 169.254.161.196.50759 > 239.255.255.250.1900: UDP, length 155

          • johnpoz (LAYER 8, Global Moderator)

            Open the sniff you did on pfSense in Wireshark, or up the verbosity so you can see the MAC of the device.. Then you can track which device it is via its MAC address, or at least look up what device maker it is..

            • beachbum2021 @johnpoz
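            One way to act on that advice from the capture itself, as an added example that is not from this thread or from pfSense: a small parser for the two-line `tcpdump -e -vv` layout (header line with source/destination MAC, indented line with IP.port pairs) that counts SSDP packets (239.255.255.250:1900) per source MAC, lists every IP the MAC sent from, and flags 169.254/16 link-local sources. The sample capture is constructed; it reuses the MAC and IPs quoted in the thread plus one made-up mDNS record, and the exact tcpdump field layout is assumed from the output posted below.

```python
import ipaddress
import re
from collections import defaultdict

# "tcpdump -e -vv" prints a header line (timestamp, src MAC > dst MAC, ethertype ...)
# followed by an indented line with "srcIP.port > dstIP.port:".
HEADER_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4")
FLOW_RE = re.compile(r"^\s+(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+):")
SSDP_GROUP, SSDP_PORT = ipaddress.ip_address("239.255.255.250"), 1900
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Constructed sample in tcpdump -e -vv layout (MAC/IPs echo the thread; the last record is made up).
SAMPLE_CAPTURE = """\
09:19:16.218208 64:12:36:9c:95:f9 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 197: (tos 0x0, ttl 4, id 16039, offset 0, flags [DF], proto UDP (17), length 183)
    169.254.161.196.50759 > 239.255.255.250.1900: [udp sum ok] UDP, length 155
09:19:21.220100 64:12:36:9c:95:f9 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 422: (tos 0x0, ttl 4, id 16040, offset 0, flags [DF], proto UDP (17), length 408)
    169.254.161.196.1900 > 239.255.255.250.1900: [udp sum ok] UDP, length 380
09:19:22.004410 64:12:36:9c:95:f9 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 197: (tos 0x0, ttl 4, id 16041, offset 0, flags [DF], proto UDP (17), length 183)
    172.16.1.17.50759 > 239.255.255.250.1900: [udp sum ok] UDP, length 155
09:19:23.100000 02:00:00:00:00:01 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 255, id 1, offset 0, flags [DF], proto UDP (17), length 86)
    172.16.1.50.5353 > 224.0.0.251.5353: [udp sum ok] UDP, length 58
"""

def parse_capture(text):
    """Pair each header line with its continuation line; yield one dict per packet."""
    header = None
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            header = m.groupdict()
        elif header and (m := FLOW_RE.match(line)):
            rec = {**header, **m.groupdict()}
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec
            header = None

def summarize_ssdp(text):
    """Count SSDP packets per source MAC and note every IP that MAC sent from."""
    by_mac = defaultdict(lambda: {"packets": 0, "src_ips": set(), "link_local": False})
    for rec in parse_capture(text):
        if ipaddress.ip_address(rec["dip"]) != SSDP_GROUP or rec["dport"] != SSDP_PORT:
            continue  # not SSDP discovery (e.g. the mDNS record is skipped)
        e = by_mac[rec["smac"]]
        e["packets"] += 1
        e["src_ips"].add(rec["sip"])
        e["link_local"] |= ipaddress.ip_address(rec["sip"]) in LINK_LOCAL
    return dict(by_mac)

if __name__ == "__main__":
    for mac, e in summarize_ssdp(SAMPLE_CAPTURE).items():
        print(mac, e["packets"], "SSDP pkts from", sorted(e["src_ips"]), "link-local:", e["link_local"])
```

A MAC that shows up with more than one source IP, as in the thread, is worth checking against the DHCP lease table.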

              @johnpoz Looks like a TV to me. Could be the Comcast set-top box.

              OPT1 172.16.1.17 64:12:36:9c:95:f9 Technicolor CH USA Inc. Tue Oct 13 08:55:13 2020

              169.254.161.196.50759 > 239.255.255.250.1900: [udp sum ok] UDP, length 155
              09:19:16.218208 64:12:36:9c:95:f9 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 197: (tos 0x0, ttl 4, id 16039, offset 0, flags [DF], proto UDP (17), length 183)

              Kinda odd, this MAC has two IPs and they are both active. They are connected to an R7500v2 Netgear AP.
              OPT1 172.16.1.21 64:12:36:9c:95:f9 Technicolor CH USA Inc. Tue Oct 13 09:06:24 2020
              OPT1 172.16.1.17 64:12:36:9c:95:f9 Technicolor CH USA Inc. Tue Oct 13 08:55:13 2020

              • johnpoz (LAYER 8, Global Moderator)

                Yeah, that is odd.. I take it it's connected via wifi - is it somehow connected to both 2.4 and 5 at the same time?

                Have you tried restarting it, to see if some of the noise subsides.. Do you have its IP set up static?

                Hmmm - could it have gotten a lease, and then never actually stopped using the IP, and then did a discover to get another IP? Do you, or did you, run more than 1 DHCP server on the same network..

                That is odd.. Can you reset the network settings on the device?

                • beachbum2021 @johnpoz

                  @johnpoz Yeah, I disconnected it and cleared both leases and powered it back on. Only have 1 IP now and the UDP 1900 traffic has stopped. Somehow it was mucked up, but I am going to check the wifi settings. It's set to DHCP on wifi. It's one of those trash X1 TV boxes that came with my internet package. I barely use it.

                  • tman222 @johnpoz

                    @johnpoz said in IPv4 Rule added, Firewall still blocking:

                    What unifi device? A camera?

                    I have some shit devices that send out noise; DirecTV devices love to spew 169.254 multicast discovery nonsense.. I just block it at its switch port ;) with an ACL. So it never actually enters the network at all, let alone reaches pfSense.

                    The Plex software on the NAS also does DLNA discovery nonsense, even when you disable it - also blocked at the switch port..

                    If you cannot turn it off at the device, and your switching allows for ACLs, you could prob stop it from actually entering the network.. Or if via wireless, block it from entering your network at the AP's switch port.

                    @johnpoz - Don't mean to hijack this thread, but just wanted to say thank you for the advice. I have a TV STB that has been spamming my firewall logs with 169.254.x.x nonsense for over three years now (probably trying to look for other STBs). I never thought about setting up an ACL rule on the switch to block that traffic at the port level. Firewall logs look a lot cleaner now :).

                    • johnpoz (LAYER 8, Global Moderator)

                      @tman222

                      Glad it was helpful - that is really the whole point of discussions vs just blanket Q:A sort of threads... You never know what kind of great info you can glean from just discussing a specific issue..

                      Much rather the question kicks off a discussion on what doing, how doing it, what would you like to do exactly.. How else to skin the cat vs just

                      Q: How do I do X
                      A: Click here

                      X might not be the right way to do it in the first place, and 2nd, discussing X might expose all kinds of other things that you can do, like Y and Z.. that the asking of X kicked off.

                      • beachbum2021 @johnpoz

                        @johnpoz Yessir, thanks for your help!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.