    Routed IPSEC Unifi devices hit the default deny

      baakie
      last edited by baakie

      Good day,

      Today I've replaced an aging firewall with a SG-5100 and everything went very smoothly.
      I've got 4 IPsec VTI routed connections with OSPF managing the dynamic routing.
      Everything works fine, all traffic is flowing due to an "Allow All" rule on the IPsec firewall Tab.

When I look at the firewall log however: it's filled with connections from Ubiquiti Unifi products such as APs and switches talking to the Unifi server on our main site (where the pfSense is).
      All APs and switches connect fine to the Unifi server and we're not experiencing any trouble whatsoever.
      It's just all those log lines in the firewall log that I want to get rid of.

      The culprit is (I think) the way Unifi devices make contact with the Unifi server.
      I've tried a "pass" rule at the top of the IPsec tab with logging enabled to see if I could make it hit a rule, but it doesn't.
      I've tried a couple of TCP flags options, but I don't really understand that.

      Does anybody know how I can get rid of all these loglines and/or what's causing them?
      Here are some log lines and some raw log lines (they aren't the same).

[image: firewall log screenshot]

      <134>1 2021-07-06T14:57:11.256670+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10064,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
      <134>1 2021-07-06T14:57:11.256609+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10063,1376,none,6,tcp,124,192.168.213.101,192.168.210.29,
      <134>1 2021-07-06T14:57:11.256537+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10063,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
      <134>1 2021-07-06T14:57:10.255314+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10062,1376,none,6,tcp,124,192.168.213.101,192.168.210.29,
      <134>1 2021-07-06T14:57:10.255258+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10062,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
      <134>1 2021-07-06T14:57:10.255198+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10061,1376,none,6,tcp,124,192.168.213.101,192.168.210.29,
      <134>1 2021-07-06T14:57:10.255141+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10061,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
      <134>1 2021-07-06T14:57:10.255081+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10060,1376,none,6,tcp,124,192.168.213.101,192.168.210.29,
      <134>1 2021-07-06T14:57:10.255023+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10060,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
      <134>1 2021-07-06T14:57:10.254964+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10059,1376,none,6,tcp,124,192.168.213.101,192.168.210.29,
      <134>1 2021-07-06T14:57:10.254889+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10059,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
      <134>1 2021-07-06T14:57:09.255509+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10058,1376,none,6,tcp,124,192.168.213.101,192.168.210.29,
      <134>1 2021-07-06T14:57:09.255453+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10058,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
      <134>1 2021-07-06T14:57:09.255393+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10057,1376,none,6,tcp,124,192.168.213.101,192.168.210.29,
      <134>1 2021-07-06T14:57:09.255337+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10057,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
baakie @baakie

        After some reading I think these are "out of state" connections and they are logged by the default deny rule.

Question: how can I make a rule to filter out these "out of state" connections going to that one IP address?
        A rule with the option for logging turned off, so the packets don't hit the default deny.

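A way to read the raw filterlog lines posted above, as an added example that is not part of the original posts: a small Python parser that splits the pfSense filterlog CSV into its documented field order (rule, tracker, interface, action, then the IPv4 block and, when present, the TCP block) and tags each blocked packet by what the fields show. The two posted line shapes differ in the IP fragment fields (offset and the "+" more-fragments flag) and in whether a TCP header is present at all, and the parser surfaces exactly those fields. The first two sample lines are the two shapes posted above; the third, a passing SYN, is constructed for contrast and its rule number and tracker are made up.

```python
"""Parse pfSense filterlog lines and summarise what the blocked packets look like.

Added example, not from the forum thread. Field order follows the pfSense
filterlog format for IPv4 records; IPv6 records are skipped.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample input: lines 1 and 2 are the two shapes posted in the thread, line 3 is
# a constructed passing SYN (hypothetical rule number and tracker) for contrast.
SAMPLE_LOG = """\
<134>1 2021-07-06T14:57:11.256670+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10064,0,+,6,tcp,1396,192.168.213.101,192.168.210.29,45855,8080,1344,A,3107533259:3107534603,2524922705,913,,nop;nop;TS
<134>1 2021-07-06T14:57:11.256609+02:00 filterlog 96514 - - 8,,,1000000103,enc0,match,block,in,4,0x0,,63,10063,1376,none,6,tcp,124,192.168.213.101,192.168.210.29,
<134>1 2021-07-06T14:57:12.000000+02:00 filterlog 96514 - - 5,,,1620000000,enc0,match,pass,in,4,0x0,,63,10065,0,DF,6,tcp,60,192.168.213.101,192.168.210.29,45856,8080,0,S,3107600000,,64240,,mss;nop;wscale;sackOK;TS
"""

# Syslog header written by filterlog: "<PRI>1 TIMESTAMP filterlog PID - - CSV"
SYSLOG_RE = re.compile(r"^<\d+>\d+ (?P<ts>\S+) filterlog (?P<pid>\d+) - - (?P<csv>.*)$")


@dataclass
class FilterRecord:
    timestamp: str
    rule: str
    tracker: str
    interface: str
    action: str
    direction: str
    ttl: int
    ip_id: int
    frag_offset: int
    more_fragments: bool
    proto: str
    length: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: Optional[str] = None


def parse_filterlog(line: str) -> Optional[FilterRecord]:
    """Parse one IPv4 filterlog line; returns None for non-matching or IPv6 lines."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20:
        return None
    # Common prefix: rule,subrule,anchor,tracker,interface,reason,action,direction,ipver
    rule, _sub, _anchor, tracker, iface, _reason, action, direction, ipver = f[:9]
    if ipver != "4":
        return None  # IPv6 uses a different field layout, not needed for these lines
    # IPv4 block: tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst
    _tos, _ecn, ttl, ip_id, offset, ipflags, _pid, proto, length, src, dst = f[9:20]
    rec = FilterRecord(
        timestamp=m.group("ts"), rule=rule, tracker=tracker, interface=iface,
        action=action, direction=direction, ttl=int(ttl), ip_id=int(ip_id),
        frag_offset=int(offset), more_fragments=(ipflags == "+"),
        proto=proto, length=int(length), src=src, dst=dst,
    )
    # TCP block: sport,dport,datalen,flags,seq,ack,win,urg,options. It is absent on
    # non-first fragments, which carry no transport header (the field is empty).
    rest = f[20:]
    if proto == "tcp" and len(rest) >= 4 and rest[0] and rest[1]:
        rec.sport, rec.dport, rec.tcp_flags = int(rest[0]), int(rest[1]), rest[3]
    return rec


def classify(rec: FilterRecord) -> str:
    """Tag a record by the properties that decide whether a stateful rule can match it."""
    tags = []
    if rec.frag_offset > 0:
        tags.append("later-fragment")      # no TCP header: a port-based rule cannot match
    elif rec.more_fragments:
        tags.append("first-fragment")      # first piece of a fragmented packet
    if rec.tcp_flags is not None:
        if "S" in rec.tcp_flags:
            tags.append("syn")             # connection open, the packet that creates state
        elif "A" in rec.tcp_flags:
            tags.append("ack-without-syn") # mid-stream packet for which this box holds no state
    return "+".join(tags) or "plain"


def summarize(log_text: str) -> Counter:
    """Count blocked packets per (interface, tracker, src, dst, classification)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec.action != "block":
            continue
        counts[(rec.interface, rec.tracker, rec.src, rec.dst, classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for (iface, tracker, src, dst, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d} block on {iface} rule {tracker} {src} -> {dst}: {kind}")
```

Running it over a longer export of the log (for example the output of `clog /var/log/filter.log` on the box) groups the noise by source, destination and packet shape, which is the first thing to have in hand before writing a quieter rule for it.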