Newbie Questions About What I'm Seeing
-
I'm having trouble figuring out what I'm seeing in my firewall logs:
Apr 16 06:08:46  WAN      Block ULA networks from WAN  block   10.68.128.1             224.0.0.1             IGMP    Cannot resolve / all-systems.mcast.net
Apr 16 06:08:20  WAN      WAN: default block IPv4      block   189.106.227.169:24116   72.193.170.148:7547   TCP:S   189-106-227-169.user.veloxzone.com.br / ip72-193-170-148.lv.lv.cox.net
Apr 16 06:08:17  VPN_LAN  VPN_LAN: Default Reject IPv4 reject  192.168.20.3:44173      192.168.20.1:9100     TCP:S   RT-AC66U-3AD8.localdomain / Cannot resolve
Apr 16 06:07:46  WAN      Block ULA networks from WAN  block   10.68.128.1             224.0.0.1             IGMP    Cannot resolve / all-systems.mcast.net
Apr 16 06:07:34  WAN      WAN: default block IPv4      block   211.103.198.33:54819    72.193.170.148:1433   TCP:S   Cannot resolve / ip72-193-170-148.lv.lv.cox.net
Sorry for the formatting. I've attached a screenshot of what it actually looks like. Anyway, to my questions:
1. No problem with understanding the "Block ULA" part of lines 1 and 4. But, for those lines and lines 2 and 5, I don't understand what's happening with the traffic originating from the external world and having an external world endpoint. I could understand an external origin and a local endpoint. But, how is traffic going through my router both from and to the outside?
2. Line 3 is an odd one. 192.168.20.3 is my local computer physically wired through a switch to the pfSense box. Yet the resolved address shows the traffic prefixed with the name of my wireless access point (which is wired to that same switch into the pfSense box). I don't even have a wireless card in this computer. How is that traffic originating in the wireless access point?

 -
Huh?? What is the IP address of your WAN interface on pfSense? It would be that 72.193.x.x address would be my guess. As to why you're blocking 9100.. What are your rules on that vpn_lan interface?
You use Cox as your ISP and guessing lv stands for Las Vegas? So that is your public IP address ;) Yeah, you're going to normally see a shitton of noise to your public IP from the internet..
-
:-[ Yep. 72.193.170.148 is my WAN IP. I should have figured that out. Thanks.
I'm not specifically blocking 9100. My rules are:
1. Allow ICMP traffic
2. Allow traffic to local subnets to approved local ports
3. Allow traffic to special case ips (currently empty) to approved local ports
4. Allow traffic to non-local IPs to approved outgoing ports
5. Reject non-local NTP traffic
6. Block DHCP Broadcasts and Announcements w/o logging (purely to keep them out of the log)
7. Reject all other IPv4 traffic
8. Reject all other IPv6 traffic
At least that's what I hope they do. I've attached a screen shot of the rules page.
And, yes. My ISP is Cox Las Vegas.
The interesting thing with that traffic going to my WAN IP is that they originated from Brazil and China as soon as I tried to log into my ISP account:
http://private.dnsstuff.com/tools/whois.ch?ip=189.106.227.169&cache=off
http://private.dnsstuff.com/tools/whois.ch?ip=211.103.198.33&cache=off
And, the traffic from my wired local machine that looked like it came from my wireless access point doesn't seem to have happened again. Everything from that machine now looks like it's coming from its correct device name. Weird.
EDIT 1: Re 9100, it looks like that's for printing. I guess I should open that locally (though I hadn't tried printing at that time and haven't had any problems when I did). Thanks again.
EDIT 2: More embarrassment. 192.168.20.3 is NOT my computer. It is, in fact, my wireless access point's IP. So, of course it will have the WAP's hostname prepended. Sorry.

 -
What interface are those rules on?? Your vpn_lan?
What is going to trigger that allowed out WAN rule? Do you have downstream networks? Do you have hosts that don't fall into your local subnets alias?
-
Yes. Those are my firewall rules for my VPN_LAN interface.
As for what triggers the Allowed Out Ports WAN rules:
-
For rule 3 (Destination = the Selective Routing alias), that would get triggered if traffic needed to go to any specific IP that would normally be blocked on the ports I've allowed in the Allowed Out Ports WAN alias. Currently, the Selective Routing alias is empty and it's probable it will remain so. So, it doesn't get triggered.
-
For rule 4 (Destination = NOT the Local Subnets alias), that gets triggered with any traffic needing to go out to the world on my list of approved ports. The Local Subnets alias currently contains: 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.1.0/24
Yeah, I know those local subnets are weird. Subnets 10, 20, 30, 40, and 1 are off OPT1, OPT2, OPT3, OPT4, and LAN ports, respectively, on the back of the SG-4860. In general, everything's hooked to a switch and the switch is plugged into OPT2 (the 20 subnet, i.e. VPN_LAN). If needed, those other ports (interfaces) give me various setups to use. So, unless I physically move a cable to one of those other ports (very rare), everything is on the same subnet.
EDIT: I also realize this setup is overkill for a home network (well, heck, the SG-4860 is too). But, I wanted an ability to quickly and easily switch from my normal VPN setup to a clearnet setup if the VPN ever stopped working. The best example of that I found was:
https://nguvu.org/pfsense/pfsense-2.3-setup/
So, I modified that as best I could with my limited understanding to match my physical setup (specifically, no managed switch).
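Added worked example (not from any poster in this thread, and not pfSense code): a small Python script that parses the five log rows from the first post, split one per line as the GUI shows them, and classifies each against the facts that came out later in the thread. The WAN IP (72.193.170.148) and the Local Subnets alias contents are taken from the posts above; the contents of the "approved local ports" alias are never listed in the thread, so the set used here is an assumption. It shows, in code, the two answers given above: the "outside to outside" rows are unsolicited connections to the poster's own public IP, and the port 9100 row is local-to-local traffic on a port that is not in the approved-local-ports alias, so it falls through to the interface's final reject rule.

```python
"""Classify pfSense firewall-log rows against a WAN IP and a local-subnets alias.

Added example for the thread above; it is not pfSense's own log parser.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five rows from the first post, re-split one per line. The two
# reverse-DNS columns are display-only and are dropped here.
SAMPLE_LOG = """\
Apr 16 06:08:46 WAN Block ULA networks from WAN 10.68.128.1 224.0.0.1 IGMP
Apr 16 06:08:20 WAN WAN: default block IPv4 189.106.227.169:24116 72.193.170.148:7547 TCP:S
Apr 16 06:08:17 VPN_LAN VPN_LAN: Default Reject IPv4 192.168.20.3:44173 192.168.20.1:9100 TCP:S
Apr 16 06:07:46 WAN Block ULA networks from WAN 10.68.128.1 224.0.0.1 IGMP
Apr 16 06:07:34 WAN WAN: default block IPv4 211.103.198.33:54819 72.193.170.148:1433 TCP:S
"""

# Confirmed in the thread: the poster's WAN address and Local Subnets alias.
WAN_IP = ipaddress.ip_address("72.193.170.148")
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
    "192.168.40.0/24", "192.168.1.0/24")]
# ASSUMPTION: the thread never lists the approved-local-ports alias, so this
# is a plausible stand-in. 9100 (raw printing) is deliberately absent.
APPROVED_LOCAL_PORTS = {22, 53, 80, 443}

# time, interface, free-text rule description, then src, dst, proto at the end.
ROW_RE = re.compile(
    r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) (?P<rule>.+?) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+)$")
ADDR_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


@dataclass
class Entry:
    time: str
    iface: str
    rule: str
    src_ip: ipaddress.IPv4Address
    src_port: Optional[int]
    dst_ip: ipaddress.IPv4Address
    dst_port: Optional[int]
    proto: str


def split_addr(field: str) -> Tuple[ipaddress.IPv4Address, Optional[int]]:
    """'1.2.3.4:80' -> (1.2.3.4, 80); a bare address (IGMP rows) has no port."""
    m = ADDR_PORT_RE.match(field)
    if m:
        return ipaddress.ip_address(m.group(1)), int(m.group(2))
    return ipaddress.ip_address(field), None


def parse(log_text: str) -> List[Entry]:
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log row: {line!r}")
        src_ip, src_port = split_addr(m["src"])
        dst_ip, dst_port = split_addr(m["dst"])
        entries.append(Entry(m["time"], m["iface"], m["rule"],
                             src_ip, src_port, dst_ip, dst_port, m["proto"]))
    return entries


def is_local(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in LOCAL_SUBNETS)


def classify(e: Entry) -> str:
    """Tag a row with the reason it looks the way it does (labels are ours)."""
    if e.dst_ip.is_multicast:
        return "inbound_multicast"            # 224.0.0.1 is the all-systems group
    if e.dst_ip == WAN_IP and not is_local(e.src_ip):
        return "unsolicited_to_wan_ip"        # internet noise aimed at our public IP
    if is_local(e.src_ip) and is_local(e.dst_ip):
        if e.dst_port is not None and e.dst_port not in APPROVED_LOCAL_PORTS:
            return "intra_lan_port_not_approved"  # falls through to the last reject rule
        return "intra_lan"
    return "other"


def classify_log(log_text: str) -> List[Tuple[str, Optional[int], str]]:
    return [(e.iface, e.dst_port, classify(e)) for e in parse(log_text)]


if __name__ == "__main__":
    for row in classify_log(SAMPLE_LOG):
        print(row)
```

Run it as-is to see the five rows tagged; to reuse it on your own log, paste rows in the same column order and replace `WAN_IP`, `LOCAL_SUBNETS` and the assumed `APPROVED_LOCAL_PORTS` with your own values.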
-