Logging information / verbose / inner communication to world



  • Hello,
    I have a problem with logs and I don't know how to set up logging correctly for my purpose.
    I use pfSense 2.3.3-RELEASE-p1 as a WiFi gateway. Some inner user behind NAT used torrents and I got an abuse warning.
    Is there any option to find the inner user when I know the target port and date? Something like finding the inner IP address which was communicating with the target port at that time. In the DHCP log I can find the MAC address. Based on the MAC address I am able to find the user on the WLC. But I am not able to find out information about the communication between the inner user and the target port.
    I am logging "everything" to a syslog server, both communications, allowed and blocked.
    Thanks for your help



  • If you are running your WiFi using a "home WiFi router" device and have the "WAN" of that device connected up to the pfSense LAN then those individual WiFi users will be merged together by the NAT in the "home WiFi router". So, as you already see, all the pfSense logs will just point back to the IP and MAC address of the "home WiFi router" WAN.

    So change the setup of the "home WiFi router":

    1. Disable/turn off its DHCP to the WiFi clients
    2. Unplug the cable from the WAN port
    3. Plug a cable from one of the "home WiFi router" LAN ports into the pfSense LAN side (or a separate pfSense LAN-type interface if you have one)

    WiFi clients will get DHCP from pfSense and pfSense will "see" their individual MAC and IP addresses.



  • I am using DHCP on pfSense for the WiFi users. In the logs I see, for example, DHCPACK on 10.0.12.123 to c4:b3:01:b1:9a:82 (Yasmin-Air) via 10.0.0.4, where 10.0.0.4 is the address of the WLC. So I need to find the connection between the reported port and the internal user from DHCP.

    Log example:

    May  4 09:08:01 pfsense filterlog: 93,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,54061,0,none,17,udp,79,pfsense IP addres,193.108.88.0,61606,53,59
    
    May  4 09:07:07 pfsense filterlog: 9,16777216,,1000000103,igb1_vlan930,match,block,in,4,0x0,,64,21781,0,DF,6,tcp,40,10.0.15.28,54.164.63.33,49727,443,0,RA,375916832,3163213617,0,,
    

    vlan957 is the outgoing interface
    vlan930 is the WLC interface



  • OK, now I understand what you mean by inner user.
    In the 2nd firewall log entry there is:

    10.0.15.28,54.164.63.33,49727,443
    

    So that gives you the source IP address 10.0.15.28 (with ephemeral port 49727) and the destination IP address 54.164.63.33 port 443. If that had been a "pass", that traffic would have gone out with the pfSense WAN IP and some other source port determined by the NAT. But you do not care about the details of that.

    You can trace back to 10.0.15.28. There should be a DHCP entry for that IP that will tell you its MAC address. Then of course you have the challenge to physically find that device.



  • I understand what you mean. But no entry in the log matches. I am looking for the inner address that communicated on port 32306 on 3rd May at about 13:53 (maybe two hours off for the timezone, but it seems that the log is in UTC).
    When I grep all records including port 32306, I get records only with the WAN interface of pfSense. Nothing about an inner IP that I could find in DHCP.
    This is the reason I am thinking about a wrong configuration of the logging.

    May  3 07:11:43 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,32306,0,DF,6,tcp,52,psfense,13.107.4.50,45726,80,0,S,3393122137,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 07:16:52 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,8085,0,none,17,udp,76,psfense,13.107.3.1,32306,53,56
    May  3 07:30:42 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,32306,0,none,17,udp,61,psfense,64.4.23.143,14024,40025,41
    May  3 07:31:07 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,81,psfense,216.239.36.10,6682,53,61
    May  3 07:47:33 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,85,psfense,205.251.192.105,64845,53,65
    May  3 08:40:13 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,40389,0,DF,6,tcp,64,psfense,17.248.147.140,32306,443,0,S,667388917,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
    May  3 08:56:09 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,38579,0,none,17,udp,95,psfense,205.251.197.227,32306,53,75
    May  3 09:00:46 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,9288,0,DF,6,tcp,52,psfense,104.127.49.102,32306,443,0,S,3163160674,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 09:22:01 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,74,psfense,195.113.48.2,36953,53,54
    May  3 09:59:45 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,115,psfense,205.251.193.161,44634,53,95
    May  3 10:24:33 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,31955,0,DF,6,tcp,52,psfense,195.113.89.1,32306,443,0,S,494394517,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 10:52:34 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,74,psfense,23.211.61.64,41534,53,54
    May  3 10:55:54 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,32306,0,DF,6,tcp,52,psfense,151.101.37.108,35128,443,0,S,1572461919,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 10:56:03 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,32306,0,DF,6,tcp,64,psfense,104.123.236.15,52900,443,0,S,1153590996,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
    May  3 11:06:30 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,56394,0,none,17,udp,122,psfense,216.239.38.10,32306,53,102
    May  3 11:24:25 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,31412,0,none,17,udp,71,psfense,104.156.84.32,32306,53,51
    May  3 11:32:30 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,32306,0,DF,6,tcp,52,psfense,151.101.38.49,16935,80,0,S,3251382342,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 11:33:31 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,32306,0,DF,6,tcp,52,psfense,216.58.201.106,24718,443,0,S,613622843,,65535,,mss;nop;wscale;nop;nop;sackOK
    May  3 11:40:04 psfense filterlog: 5,16777216,,1000000103,igb0_vlan957,match,block,in,4,0xa4,,235,60302,0,none,6,tcp,40,61.0.39.8,psfense,49863,23,0,S,32306,,14600,,
    May  3 11:46:30 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,32306,0,DF,6,tcp,52,psfense,162.125.66.3,40789,443,0,S,1910533252,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 12:17:32 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,16589,0,DF,6,tcp,60,psfense,64.233.167.188,32306,5228,0,S,3575029777,,65535,,mss;sackOK;TS;nop;wscale
    May  3 12:17:51 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,19990,0,none,17,udp,77,psfense,205.251.197.113,32306,53,57
    May  3 12:18:54 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,32306,0,DF,6,tcp,52,psfense,52.222.149.244,19716,443,0,S,226955115,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 12:22:58 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,8418,0,DF,6,tcp,52,psfense,31.13.64.17,32306,443,0,S,516362203,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 12:37:42 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,6606,0,DF,6,tcp,52,psfense,195.191.204.123,32306,443,0,S,1658037594,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 12:48:31 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,51910,0,DF,6,tcp,60,psfense,31.13.71.34,32306,443,0,S,268040560,,65535,,mss;sackOK;TS;nop;wscale
    May  3 12:50:41 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,32306,0,DF,6,tcp,60,psfense,185.54.150.17,50755,80,0,S,2566927430,,65535,,mss;sackOK;TS;nop;wscale
    May  3 12:58:34 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,23427,0,DF,6,tcp,52,psfense,77.75.76.19,32306,443,0,S,1738018078,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 13:05:07 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,32306,0,DF,6,tcp,64,psfense,162.125.66.3,34122,443,0,S,1534103729,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
    May  3 13:14:35 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,40627,0,DF,6,tcp,60,psfense,31.13.77.34,32306,443,0,S,124606230,,65535,,mss;sackOK;TS;nop;wscale
    May  3 13:18:02 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,76,psfense,205.251.192.81,27355,53,56
    May  3 13:27:05 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,46926,0,DF,17,udp,46,psfense,189.103.164.16,32306,21481,26
    May  3 13:34:48 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,7163,0,DF,6,tcp,52,psfense,46.166.139.124,32306,51900,0,S,3055832097,,64240,,mss;nop;wscale;nop;nop;sackOK
    May  3 13:37:44 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,99,psfense,205.251.193.160,41438,53,79
    May  3 13:48:06 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,40879,0,none,17,udp,74,psfense,109.201.133.194,32306,53,54
    May  3 13:54:49 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,73,psfense,205.251.192.27,59000,53,53
    May  3 13:55:49 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,23935,0,none,17,udp,79,psfense,2.16.60.22,32306,53,59
    May  3 14:01:32 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,12641,0,DF,6,tcp,52,psfense,93.184.220.29,32306,80,0,S,874853761,,8192,,mss;nop;wscale;nop;nop;sackOK
    May  3 14:03:57 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,32306,0,none,17,udp,1378,psfense,216.58.209.68,9135,443,1358
    May  3 14:19:58 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,5832,0,none,17,udp,71,psfense,162.159.5.6,32306,53,51
    May  3 14:24:22 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,32306,0,DF,6,tcp,60,psfense,104.103.99.72,18350,443,0,S,2449556725,,65535,,mss;sackOK;TS;nop;wscale
    May  3 14:58:45 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,80,psfense,23.211.133.192,31321,53,60
    May  3 15:04:42 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,84,psfense,216.239.36.10,19095,53,64
    May  3 15:13:12 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,32306,0,DF,6,tcp,64,psfense,95.213.11.139,16312,443,0,S,1766877858,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
    May  3 16:19:18 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,32306,0,DF,6,tcp,64,psfense,194.213.222.30,6088,80,0,S,3820048412,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
    

    Everywhere the source IP is the address of the pfSense WAN interface vlan957. Nothing from vlan930.
    Am I missing something?
    Thanks



  • Now I see more of the problem. I guess you have a report from upstream (ISP…) that says the "offender" had ephemeral source port 32306. I don't think there is any log record of the NAT mapping of the "inside" ephemeral source port to what was used for the outgoing connection on WAN.

    Ideas from others about how to trace this kind of thing are welcome...



  • So, in this case there is no way to find the inner IP? Does something like a package for logging with this option and the necessary information exist? Or isn't pfSense able to log it? Our previous system based on Linux with iptables was capable of it.
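The following script is an added example for this thread; it is not pfSense code and not code from any of the posters. It addresses the three things the thread turns on: the field layout that the reply above the grep output walks through (source, destination, ports), the grep over the WAN log, and the missing NAT mapping. First, it parses the filterlog CSV by position (the pfSense 2.2+ layout: rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then tos, ecn, ttl, id, offset, flags, protocol id, protocol name, length, source, destination, and for TCP/UDP the ports and the rest), so a search for 32306 can say which field it sits in. In the grep output posted above, many lines carry 32306 in the IP identification position (for example `127,32306,0,DF,6,tcp,...`) and one carries it as a TCP sequence number; only a few have it as a real source port. Second, it reconstructs the NAT mapping from two log entries: pf filters and logs a forwarded packet on each interface it crosses, so the WAN "pass out" entry shows the translated source (which is why every line in the poster's grep has the WAN address as source) while a logged "pass in" entry on the inside interface shows the original address and port. The thread's excerpt contains only a block entry on igb1_vlan930, so the igb1_vlan930 pass entry below is constructed, as are its rule and tracker numbers, the syslog year (2017), the syslog prefix on the DHCPACK line taken from the thread, and the DHCPACK for 10.0.15.28 (MAC from the IANA documentation range). "psfense" in the copied lines is the poster's stand-in for the WAN IP. The join also requires the IP id and TCP sequence number to agree, which holds under default pfSense settings (no random-id scrub, no modulate state).

```python
"""Field-aware pfSense filterlog search plus NAT and DHCP correlation.
Added example for this thread, not pfSense's or the posters' code.
ASSUMED: syslog year 2017, the igb1_vlan930 'pass in' line, the DHCPACK
for 10.0.15.28 and the syslog prefix on DHCP lines are constructed."""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\w+): (.*)$")
DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((.*?)\))? via")
# pfSense 2.2+ filterlog CSV field order (IPv4, then the tcp/udp tail)
HDR = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IP4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcp_flags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]

def parse_time(stamp, year=2017):
    # syslog stamps carry no year; collapse the padded day ("May  3") first
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def parse_filterlog(line, year=2017):
    """Named fields for one IPv4 filterlog line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m or m.group(3) != "filterlog":
        return None
    parts = m.group(4).split(",")
    if len(parts) < len(HDR) + len(IP4) or parts[8] != "4":
        return None
    rec = dict(zip(HDR + IP4, parts))
    rec.update(zip({"tcp": TCP, "udp": UDP}.get(rec["proto"], []), parts[len(HDR) + len(IP4):]))
    rec["time"] = parse_time(m.group(1), year)
    return rec

def fields_equal_to(rec, value):
    """Names of the CSV fields holding `value`: a bare grep cannot tell them apart."""
    return sorted(k for k, v in rec.items() if k != "time" and v == str(value))

def port_hits(recs, port, iface=None):
    """Entries where `port` really is the source or destination port."""
    return [r for r in recs if str(port) in (r.get("sport"), r.get("dport"))
            and (iface is None or r["iface"] == iface)]

def nat_correlate(wan_rec, recs, window=timedelta(seconds=2)):
    """Inside-interface 'pass in' entry for the same packet as a WAN 'pass out'.
    Join on protocol, destination, destination port and time; IP id and TCP seq
    are not rewritten under default pfSense settings, so they must agree too."""
    key = (wan_rec["proto"], wan_rec["dst"], wan_rec.get("dport"), wan_rec["id"], wan_rec.get("seq"))
    for r in recs:
        if ((r["direction"], r["action"]) == ("in", "pass") and r["iface"] != wan_rec["iface"]
                and (r["proto"], r["dst"], r.get("dport"), r["id"], r.get("seq")) == key
                and abs(r["time"] - wan_rec["time"]) <= window):
            return r
    return None

def lease_for(dhcp_lines, ip, at, year=2017):
    """(mac, hostname) from the latest DHCPACK for `ip` at or before `at`."""
    best = None
    for line in dhcp_lines:
        m, d = SYSLOG_RE.match(line), DHCP_RE.search(line)
        if m and d and d.group(1) == ip:
            t = parse_time(m.group(1), year)
            if t <= at and (best is None or t > best[0]):
                best = (t, d.group(2), d.group(3))
    return best[1:] if best else None

def trace_port(log_lines, dhcp_lines, port, start, end, wan_iface="igb0_vlan957", year=2017):
    """Abuse-report workflow: WAN 'pass out' entries whose translated source port is
    `port` between the syslog-style stamps start/end, joined to pre-NAT entry and lease."""
    recs = [r for r in (parse_filterlog(l, year) for l in log_lines) if r]
    lo, hi, out = parse_time(start, year), parse_time(end, year), []
    for w in port_hits(recs, port, wan_iface):
        if w["direction"] != "out" or not (lo <= w["time"] <= hi):
            continue
        inside = nat_correlate(w, recs)
        lease = lease_for(dhcp_lines, inside["src"], w["time"], year) if inside else None
        out.append({"time": w["time"], "proto": w["proto"], "dst": f"{w['dst']}:{w['dport']}",
                    "inside": inside["src"] if inside else None,
                    "inside_port": inside["sport"] if inside else None,
                    "mac": lease[0] if lease else None, "host": lease[1] if lease else None})
    return out

SAMPLE = [  # first five copied from the thread; "psfense" is the poster's stand-in for the WAN IP
    "May  3 07:11:43 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,32306,0,DF,6,tcp,52,psfense,13.107.4.50,45726,80,0,S,3393122137,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "May  3 11:40:04 psfense filterlog: 5,16777216,,1000000103,igb0_vlan957,match,block,in,4,0xa4,,235,60302,0,none,6,tcp,40,61.0.39.8,psfense,49863,23,0,S,32306,,14600,,",
    "May  3 13:27:05 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,63,46926,0,DF,17,udp,46,psfense,189.103.164.16,32306,21481,26",
    "May  3 13:34:48 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,127,7163,0,DF,6,tcp,52,psfense,46.166.139.124,32306,51900,0,S,3055832097,,64240,,mss;nop;wscale;nop;nop;sackOK",
    "May  3 13:54:49 psfense filterlog: 90,16777216,,1000005911,igb0_vlan957,match,pass,out,4,0x0,,64,32306,0,none,17,udp,73,psfense,205.251.192.27,59000,53,53",
    # CONSTRUCTED: what a logging pass rule on igb1_vlan930 would record for the SYN
    # above before NAT: inside address and port, TTL one higher, same IP id and seq
    "May  3 13:34:48 psfense filterlog: 12,16777216,,1000000110,igb1_vlan930,match,pass,in,4,0x0,,128,7163,0,DF,6,tcp,52,10.0.15.28,46.166.139.124,60123,51900,0,S,3055832097,,64240,,mss;nop;wscale;nop;nop;sackOK",
]
DHCP = [  # first is the thread's DHCPACK with a constructed syslog prefix; second is constructed
    "May  3 09:08:01 psfense dhcpd: DHCPACK on 10.0.12.123 to c4:b3:01:b1:9a:82 (Yasmin-Air) via 10.0.0.4",
    "May  3 13:02:10 psfense dhcpd: DHCPACK on 10.0.15.28 to 00:00:5e:00:53:2a via 10.0.0.4",
]

if __name__ == "__main__":
    for r in (parse_filterlog(l) for l in SAMPLE):  # which field a grep for 32306 really hit
        print(r["time"].time(), r["iface"], fields_equal_to(r, 32306))
    for hit in trace_port(SAMPLE, DHCP, 32306, "May 3 11:53:00", "May 3 15:53:00"):
        print(hit)
```

Run directly, the first loop shows that only the 13:27:05 and 13:34:48 WAN entries have 32306 as a port; the others matched on the IP id or sequence number. The trace then resolves the 13:34:48 TCP SYN to 10.0.15.28 port 60123 and its lease, while the 13:27:05 UDP entry has no inside counterpart in the sample and is reported with `inside: None`, which is exactly what an unlogged inside pass rule looks like. The window parameter in `nat_correlate` is a small tolerance for the two entries being stamped on different seconds; if random-id or modulate state are enabled on the firewall, drop the id/seq terms from the join key and rely on destination, port and time alone.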

