Weird info in the state table that isn't in the logs



  • Hello everyone,

    I started using pfSense 8 years ago and have loved it ever since (however I had to stop for the last 4) and really like the community - just wanted to thank everyone at my first chance :)

    I have an issue that is a bit annoying and I can't understand it.

    My layout is:

    internet --- DSL --- pfsense (static IP on WAN 192.168.x.x) --- lab (4 LANs)

    Latest stable version installed, no routing issues so far

    The DSL router/modem I have currently doesn't allow more than 2048 active connections per IP, so when you have multiple VMs/laptops running behind the pfSense, the DSL router/modem denies connections from pfSense (basically the WAN gateway goes offline).

    I know the issue with the DSL and contacted the ISP, will get that fixed, but while debugging this issue and searching for a temp fix I noticed something.

    When I go to "state summary" I can see all my clients, which have a total of 1000 states tops, but my WAN IP on pfSense has 2-3 thousand states :/
    When I look in detail these are usually (not always) states from the WAN IP to external IPs on the DNS port?
    Some additional info:
    - pfSense is the only DNS server, going to 8.8.8.8/4.4
    - all rules that allow traffic are logged

    When I look at the logs I don't see any outgoing DNS connections (that I see in the state table).
    The DSL modem/router shows the same connections in its states (so it has at least one use).

    I am confused, where the hell is that traffic/these states from?

    any help is much appreciated



  • Do you possibly have your pfsense DNS server set to respond to requests on your WAN interface?  You might just want to set the interface to LAN only.



  • @jamesonp:

    Do you possibly have your pfsense DNS server set to respond to requests on your WAN interface?  You might just want to set the interface to LAN only.

    I was having a similar issue and this resolved my issue by only having my internal facing interfaces set to use my DNS forwarder. Packet traffic has greatly reduced along with cpu usage.



    Thanks for the info guys, yes DNS was listening on "all" but I am behind a home-type router, which doesn't allow anything in, and most importantly I don't have a rule allowing DNS on WAN (didn't do an nmap but guessing this should stop it, even if it was internet facing).

    I did update the DNS server settings, still the same issue.

    an example state:
    WAN udp 192.168.XX.XX:36681 -> 192.26.92.30:53 SINGLE:NO_TRAFFIC 1 / 0 68 B / 0 B
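The state line above has a regular layout, so the "who owns these states" question in the thread can be answered by parsing a state-table dump rather than eyeballing it. The script below is an added example and not part of this thread or of pfSense: it groups states by source address and separates states the firewall itself originated to port 53 (no NAT translation, source is the WAN address) from NATed client states. The sample lines are constructed in the layout shown above, the WAN address 192.168.10.2 is an assumption, and the optional "(natip:port)" column after the source is assumed to be how NATed client states are displayed.

```python
import re
from collections import Counter

# One state per line: iface proto src:port [(nat:port)] -> dst:port state pkts bytes
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\s+\((?P<nat>[\d.]+):(?P<natport>\d+)\))?"  # optional NAT translation (assumed layout)
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)"
)

# Constructed sample, not a real capture. 192.168.10.2 is the assumed WAN address.
SAMPLE_STATES = """\
WAN udp 192.168.10.2:36681 -> 192.26.92.30:53 SINGLE:NO_TRAFFIC 1 / 0 68 B / 0 B
WAN udp 192.168.10.2:41022 -> 198.41.0.4:53 SINGLE:NO_TRAFFIC 1 / 0 70 B / 0 B
WAN udp 192.168.10.2:50233 -> 8.8.8.8:53 MULTIPLE:MULTIPLE 2 / 2 140 B / 300 B
WAN tcp 192.168.10.2:44310 -> 203.0.113.10:443 ESTABLISHED:ESTABLISHED 10 / 12 1 KiB / 9 KiB
LAN udp 10.0.1.25:53211 -> 10.0.1.1:53 MULTIPLE:MULTIPLE 1 / 1 60 B / 120 B
WAN tcp 10.0.1.25:49812 (192.168.10.2:49812) -> 203.0.113.10:443 ESTABLISHED:ESTABLISHED 20 / 25 2 KiB / 18 KiB
"""


def parse_states(text):
    """Return a list of dicts, one per state line; lines in another layout are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        states.append(d)
    return states


def summarize(states, wan_ip):
    """Split firewall-originated DNS states from everything else.

    A state whose source is the WAN address and carries no NAT translation was
    created by the firewall itself (for example a recursive resolver talking to
    authoritative servers); such traffic never matches a user rule, so it does
    not show up in the rule logs even when every allow rule is logged.
    """
    by_source = Counter(s["src"] for s in states)
    self_dns = [
        s for s in states
        if s["src"] == wan_ip and s["dport"] == 53 and s["nat"] is None
    ]
    return {
        "by_source": by_source,
        "self_originated_dns": len(self_dns),
        # Distinct servers the firewall queried: a recursive resolver fans out to
        # many authoritative servers, a forwarder to the one or two configured.
        "dns_destinations": sorted({s["dst"] for s in self_dns}),
        # Queries that never got an answer still occupy a state until they time out.
        "idle_dns": sum(1 for s in self_dns if s["state"] == "SINGLE:NO_TRAFFIC"),
    }


if __name__ == "__main__":
    summary = summarize(parse_states(SAMPLE_STATES), "192.168.10.2")
    for src, n in summary["by_source"].most_common():
        print(f"{src:18} {n} states")
    print("firewall-originated DNS states:", summary["self_originated_dns"],
          "to", len(summary["dns_destinations"]), "servers,",
          summary["idle_dns"], "unanswered")
```

Run it against a copy of the state table pasted into SAMPLE_STATES (or read from a file) with your own WAN address: if most of the WAN address's states fall into the firewall-originated DNS bucket and fan out to many distinct destinations, that is the resolver's own recursion, which a forwarder configuration collapses onto the upstream servers only.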



  • That looks like possible root zone traffic.  The IP /24 is registered to Verisign and the PTR returns to c.gtld-servers.net.



  • So a small update on the solution - a temp fix.

    I changed pfSense from DNS Resolver to DNS Forwarder, this seems to drop the states significantly.

    thanks for all the help


  • RMA the shitty modem. Absurd.

