Weird info in the state table that isnt in the logs

General pfSense Questions
Log in to reply
  • O

    Hello everyone,

    i have started using pfsense 8 years ago and loved it ever since (however i had to stop for the last 4) and really like the community - just wanted to thank everyone on my first chance :)

    i have an issuse that is a bit annoying and i cant under stand it

    my lay out is

    internet –- DSL --- pfsense(static ip on wan 192.168.x.x) --- lab (4 lans)

    Latest stable version installed, no routing issues so far

    the DSL router/modem i have currently doesnt allow more than 2048 active connections per IP, so when you have mutliple vms laptops running behind the pfsense the DSL router/modem denies connections from pfsense (basically wan gateway goes offline).

    i know the issuee with the DSL and contacted the ISP, will get that fixed, but while debugging this issue and serching for temp-fix i noticed something

    when i go to "state summary" i can see all my clients which have a total of 1000 states tops, but my wan IP on pfsense hass 2-3 thousand states :/
    when i  look in detail these are usually (not always) states from wan ip to externel IPs on DNS port ?
    -some additional info:
    --pfsense is the only dns server, going to 8.8.8.8/4.4
    --all rules that allow traffic are logged

    when i look at the logs i dont see any out going DNS connections (that i see in state tables)
    the DSL modem/router show the same connections in states (it has at least one use)

    i am confused, where the hell is that traffic/states from ?

    any help is much appreciated

    0
  • J

    Do you possibly have your pfsense DNS server set to respond to requests on your WAN interface?  You might just want to set the interface to LAN only.

    0
  • D

    @jamesonp:

    Do you possibly have your pfsense DNS server set to respond to requests on your WAN interface?  You might just want to set the interface to LAN only.

    I was having a similar issue and this resolved my issue by only having my internal facing interfaces set to use my DNS forwarder. Packet traffic has greatly reduced along with cpu usage.

    0
  • O

    Thanks for the info guys, yes dns was listening on "all" but i am behind a home-type router, which doesnt allow anything in, and most importantly i dont have a rule allowing dns on wan (dindt do an nmap but guessing this should stop it, even if it was internet facing)

    i didt update the dns server settings still the same issue

    an example state:
    WAN udp 192.168.XX.XX:36681 -> 192.26.92.30:53 SINGLE:NO_TRAFFIC 1 / 0 68 B / 0 B

    0
  • J

    That looks like possible root zone traffic.  The IP /24 is registered to Verisign and the PTR returns to c.gtld-servers.net.

    0
  • O

    so a small update on the solution - a temp fix

    i changed pfsense from dns resolver to dns forwarder, this seem to drop the states significantly

    thanks for all the help

    0
  • D
    Banned

    RMA the shitty modem. Absurd.

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy