Odd blocked traffic on Pfsense Azure appliance
-
Hello,
We are running the netgate pfsense azure appliance at work (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/netgate.netgate-pfsense-appliance)
For this to work we have 2 NICs (WAN, LAN) in our azure VM.
Out networks are,
LAN: 10.0.60.0/24, ip: 10.0.60.10, gateway: None
WAN: 10.0.50.0/24, ip: 10.0.50.10, gateway: 10.0.50.1 (Azure controls the gateway)This works good but periodically i get firewall block entries with info,
@53(1000001570) block drop in log on ! hn0 inet from 10.0.50.0/24 to any
@58(1000002620) block drop in log on ! hn1 inet from 10.0.60.0/24 to anyApr 12 08:56:38 LAN 10.0.50.10:65001 10.0.60.10:65000 TCP:SA Apr 12 08:56:38 LAN 10.0.50.10:65001 10.0.60.10:65000 TCP:SA Apr 12 08:54:07 WAN 10.0.60.10:65001 10.0.50.10:65000 TCP:SA Apr 12 08:54:07 WAN 10.0.60.10:65001 10.0.50.10:65000 TCP:SA
As far as i can tell this does not affect the stability and service of the firewall.
Do any one know why i get these connections from the pfsense WAN <-> LAN interfaces?
Or if i somehow can simply not show them in my firewall log. I tried adding Easy rules but they are never triggered.Thanks!
-
I'm seeing the same thing… did you figure anything out?
-
The rule it's hitting implies you have traffic coming in on the wrong interface. Like traffic from 10.0.60.0/24 hitting the WAN which should never happen.
Either that traffic it routed past pfSense somehow or maybe that subnet is in use somewhere else on the WAN side.
However since you're seeing that on both interfaces with seemingly identical traffic I suspect something in the infrastructure. Those port numbers appear to be used by the Azure load-balancer.
Steve
-
Hi,
had the same problem yesterday. It´s gone now, i have changed the topology a little bit.
New topology:
VNET: 10.17.0.0/22 (3 subnets) pfsense wan interface: 10.17.0.4/24 pfsense lan interface: 10.17.1.4/24 pfsense default gateway (azure): 10.17.0.1 pfsense lan gateway (azure): 10.17.1.1 client subnet: 10.17.2.0/24 pfsense static route: 10.17.2.0./24 --> 10.17.1.1 azure user defined routing (udr) bound to client subnet 10.17.2.0/24: 0.0.0.0/0 --> 10.17.1.4 10.17.0.0/22 --> 10.17.1.4
Regards,
Martin