Weird info in the state table that isn't in the logs
-
Hello everyone,
I started using pfSense 8 years ago and have loved it ever since (however I had to stop for the last 4) and really like the community - just wanted to thank everyone on my first chance :)
I have an issue that is a bit annoying and I can't understand it.
My layout is:
internet --- DSL --- pfSense (static IP on WAN 192.168.x.x) --- lab (4 LANs)
Latest stable version installed, no routing issues so far.
The DSL router/modem I have currently doesn't allow more than 2048 active connections per IP, so when you have multiple VMs/laptops running behind the pfSense the DSL router/modem denies connections from pfSense (basically the WAN gateway goes offline).
I know the issue with the DSL and contacted the ISP, will get that fixed, but while debugging this issue and searching for a temp fix I noticed something:
When I go to "State Summary" I can see all my clients, which have a total of 1000 states tops, but my WAN IP on pfSense has 2-3 thousand states :/
When I look in detail these are usually (not always) states from the WAN IP to external IPs on the DNS port?
-some additional info:
--pfSense is the only DNS server, going to 8.8.8.8/4.4
--all rules that allow traffic are logged
When I look at the logs I don't see any outgoing DNS connections (that I see in the state tables).
--the DSL modem/router shows the same connections in its states (it has at least one use)
I am confused, where the hell is that traffic/these states from?
Any help is much appreciated.
-
Do you possibly have your pfsense DNS server set to respond to requests on your WAN interface? You might just want to set the interface to LAN only.
-
Do you possibly have your pfsense DNS server set to respond to requests on your WAN interface? You might just want to set the interface to LAN only.
I was having a similar issue and this resolved it by only having my internal-facing interfaces set to use my DNS forwarder. Packet traffic has greatly reduced along with CPU usage.
-
Thanks for the info guys, yes DNS was listening on "all" but I am behind a home-type router, which doesn't allow anything in, and most importantly I don't have a rule allowing DNS on WAN (didn't do an nmap but guessing this should stop it, even if it was internet facing).
I did update the DNS server settings, still the same issue.
An example state:
WAN udp 192.168.XX.XX:36681 -> 192.26.92.30:53 SINGLE:NO_TRAFFIC 1 / 0 68 B / 0 B -
-
That looks like possible root zone traffic. The IP /24 is registered to Verisign and the PTR returns to c.gtld-servers.net.
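One way to confirm this pattern from a state-table dump rather than eyeballing the GUI: an added example, not code from any poster, that tallies state lines by source host and destination port. It assumes lines in the "IFACE proto src:port -> dst:port STATE ..." layout shown in the example state above (pfctl -ss on pfSense prints a similar layout; the sample states and addresses are constructed, except the 192.26.92.30 one from the thread).

```shell
#!/bin/sh
# Constructed sample state lines (placeholder hosts), not real captured data.
SAMPLE_STATES='WAN udp 192.168.1.2:36681 -> 192.26.92.30:53 SINGLE:NO_TRAFFIC 1 / 0 68 B / 0 B
WAN udp 192.168.1.2:41022 -> 198.51.100.30:53 SINGLE:NO_TRAFFIC 1 / 0 70 B / 0 B
WAN udp 192.168.1.2:50211 -> 198.51.100.42:53 MULTIPLE:MULTIPLE 2 / 2 140 B / 300 B
WAN tcp 192.168.1.2:52100 -> 203.0.113.10:443 ESTABLISHED:ESTABLISHED 10 / 12 1 K / 5 K
LAN udp 10.0.0.5:53211 -> 10.0.0.1:53 MULTIPLE:MULTIPLE 1 / 1 60 B / 120 B'

# Read state lines on stdin; print "iface src_host dst_port count",
# most frequent combination first. A resolver doing its own recursion
# shows up here as many WAN-side src_host -> :53 entries that never
# appear in the firewall log, because no pass rule created them.
summarise_states() {
    awk '$4 == "->" {
        split($3, src, ":"); split($5, dst, ":")
        key = $1 " " src[1] " " dst[2]
        n[key]++
    }
    END { for (k in n) print k, n[k] }' | sort -k4,4nr
}

# Count states from one source host (arg 1) to destination port 53,
# over the constructed sample; pipe real "pfctl -ss" output instead.
count_dns_states() {
    printf '%s\n' "$SAMPLE_STATES" | awk -v host="$1" '$4 == "->" {
        split($3, src, ":"); split($5, dst, ":")
        if (src[1] == host && dst[2] == "53") c++
    } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_STATES" | summarise_states
```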
-
So a small update on the solution - a temp fix:
I changed pfSense from DNS Resolver to DNS Forwarder, this seems to drop the states significantly.
Thanks for all the help.
-
RMA the shitty modem. Absurd.