Looking for some advice.



  • So my network is routed like this.

    DSL modem which has four ports, 192.168.1.64-67

    Port One is a router for my Solar Panels (192.168.1.64) to communicate back to home. That router hands out IP addresses, 192.168.0.0/16.

    Port Two has the PFSense box (192.168.1.65), then an unmanaged switch, then a wireless access point. PFSense hands out the IP addresses on that network, 192.168.2.0/16.

    Port Three is my DirecTV boxes (192.168.1.66-67).

    Port Four is not used.

    PFSense is in the DMZ so I can access when I am away.

    Why do I see the traffic for the other ports that doesn't go through the PFSense box, especially the link-local traffic for the DirecTV boxes, for which I have a suppress rule on the WAN side to suppress 169.254.0.0/16 traffic?

    Be gentle.
    ![Screenshot from 2017-09-15 12-54-35.png](/public/imported_attachments/1/Screenshot from 2017-09-15 12-54-35.png)


  • Rebel Alliance Global Moderator

    So you're asking why you're seeing broadcast/multicast traffic on your WAN?

    Yeah that is how it works.. broadcast/multicast would be seen by all devices on the same layer 2 network. The network behind your ISP box is the same layer 2 network.



  • Even though on "separate" networks?

    Even with a suppress link-local rule in effect and to not log traffic?


  • Rebel Alliance Global Moderator

    Where is this separate network?? Your WAN is connected to this 192.168.1 network or 192.168/16 if you will..

    Where is this link-local rule that you have not to log?

    BTW you do understand your 2 networks overlap.. If the mask on your WAN is 192.168.1/16 and your mask on your LAN is 192.168.2/16 those are the same network.. And to be honest I don't see how you're even working at all..



  • Oh boy, I see the error of my ways.
    So all three of the ports I'm using are still layer 2. I thought that with different IPs, 192.168.0 and 192.168.1, etc, it was technically a different network.
    I have so much to learn.

    The link-local rules are located in Firewall > Rules > WAN.
    I followed the howto listed somewhere on the forum thinking that it would suppress the 169.254.0.0/16 and I wouldn't see it in my firewall logs.

    I constantly see the following:

    Sep 15 14:18 WAN 169.254.85.49 239.255.255.250:1900
    Sep 15 14:18 WAN 192.168.1.66 239.255.255.250:1900
    Sep 15 14:18 WAN 169.254.223.111 239.255.255.250:1900
    Sep 15 14:18 WAN 192.168.1.67 239.255.255.250:1900

    So I probably don't have the rule set correctly, or I may not be able to suppress the alerts. Maybe, I don't know.

    ![Screenshot from 2017-09-15 14-15-36.png](/public/imported_attachments/1/Screenshot from 2017-09-15 14-15-36.png)


  • Rebel Alliance Global Moderator

    So what rules are on your WAN other than that rule? And if you're blocking bogons on your WAN - which if set to log would block that before it even sees your rule. If you move your mouse over the X or click the X it should tell you what rule blocked that traffic..



  • There are 5 total.
    WAN access at the top, two different ban lists, OpenVPN and the link-local rule.
    And it was bogons. Once I unchecked that, the link-local stuff disappeared.
    I still see the DirecTV boxes (192.168.1.66-67) pinging 239.255.255.250:1900


  • Rebel Alliance Global Moderator

    "I still see the DirecTV boxes(192.168.1.66-67) pinging 239.255.255.250:1900"

    Yes you would.. this is from a private network.. Are you blocking private networks?  If not it would be blocked by the default rule, which is normally logged.  Again click on the X or move your mouse over it and you should see which rule blocked that specific traffic.  Please post a picture of your rules..

    What is a WAN access rule?? You have port forwarded something?



  • If I block private networks, won't I be locked out?
    I have port 8080 forwarded so I can access pfSense from work in case my family has an issue and can't access the internet.
    I have a feeling I am going to get educated, which by all means I need to be.

    ![Screenshot from 2017-09-15 15-59-20.png](/public/imported_attachments/1/Screenshot from 2017-09-15 15-59-20.png)



  • The rule that blocks.

    ![Screenshot from 2017-09-15 16-06-37.png](/public/imported_attachments/1/Screenshot from 2017-09-15 16-06-37.png)


  • Rebel Alliance Global Moderator

    No, blocking private you would not be locked out.. Unless you were trying to access from a private IP??

    But why do you have 8080 open to pfSense? Not a good idea to open the pfSense web GUI to the public internet.. It's a really really really BAD idea!! You have VPN set up, so if you want to access the pfSense web GUI then just VPN in..

    Yes that is being blocked by the default deny rule.. If you do not want to see those then create a block rule that does not log it.  Or turn off your default logging rule and create rules that log what you want to see that is blocked.
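To make the rule-order point concrete, here is an added example (not code from the thread or from pfSense itself) that models first-match evaluation of the WAN ruleset described above and replays the four log lines quoted earlier: with the interface-level bogon block on, link-local traffic is caught and logged by it before the user's suppress rule is reached; with it off, the suppress rule silences it, while the 192.168.1.x DirecTV traffic keeps landing on the logged default deny until a no-log block rule (or the private-networks block) catches it first. The bogon excerpt, the OpenVPN port 1194 and the 192.168.1.0/24 transit network are assumptions.

```python
import ipaddress
from collections import namedtuple

# src/dport of None mean "any"; log says whether a match shows up in the firewall log
Rule = namedtuple("Rule", "name action src dport log")
net = ipaddress.ip_network
LINK_LOCAL = net("169.254.0.0/16")
# Constructed bogon excerpt (the real list is far longer); it includes link-local, hence the logged hits
BOGONS = [net("0.0.0.0/8"), LINK_LOCAL, net("240.0.0.0/4")]
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]

def wan_rules(block_bogons, block_private, silence_isp_lan=False):
    """WAN ruleset in evaluation order: the interface bogon/private blocks sit above
    the user rules; the implicit default deny is handled in evaluate()."""
    rules = []
    if block_bogons:
        rules += [Rule("Block bogon networks", "block", n, None, True) for n in BOGONS]
    if block_private:
        rules += [Rule("Block private networks", "block", n, None, True) for n in RFC1918]
    rules.append(Rule("WAN access (8080 forward)", "pass", None, 8080, False))
    rules.append(Rule("OpenVPN", "pass", None, 1194, False))  # 1194 is an assumed port
    rules.append(Rule("Suppress link-local", "block", LINK_LOCAL, None, False))
    if silence_isp_lan:  # the no-log block the moderator suggests for the transit LAN
        rules.append(Rule("Block ISP LAN (no log)", "block", net("192.168.1.0/24"), None, False))
    return rules

def evaluate(rules, src, dport):
    """First match wins; unmatched traffic hits the default deny, which is logged by default."""
    for r in rules:
        if (r.src is None or src in r.src) and (r.dport is None or r.dport == dport):
            return r.name, r.action, r.log
    return "Default deny rule", "block", True

def parse_log_line(line):
    """Parse the 'date time iface src dst:port' excerpt format quoted in the thread."""
    *_, src, dst = line.split()
    return ipaddress.ip_address(src), int(dst.rsplit(":", 1)[1])

def logged_entries(lines, rules):
    """(source, matching rule) for each sample line that would still appear in the log."""
    hits = [(src, evaluate(rules, src, dport)) for src, dport in map(parse_log_line, lines)]
    return [(str(src), name) for src, (name, _, log) in hits if log]

SAMPLE = [  # lines copied from the thread: SSDP multicast from link-local hosts and the DirecTV boxes
    "Sep 15 14:18 WAN 169.254.85.49 239.255.255.250:1900",
    "Sep 15 14:18 WAN 192.168.1.66 239.255.255.250:1900",
    "Sep 15 14:18 WAN 169.254.223.111 239.255.255.250:1900",
    "Sep 15 14:18 WAN 192.168.1.67 239.255.255.250:1900"]
```

Run `logged_entries(SAMPLE, wan_rules(True, False))` and then with `False, False` and `False, False, silence_isp_lan=True` to see the log shrink step by step as it did in the thread.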



    I thought that the 192.168 and the like were private IPs?
    I have it open as I can not figure out openvpn.


  • Rebel Alliance Global Moderator

    It is.. But that is not the internet, that is a transit network between pfSense and your ISP router. But that is all moot anyway. What is logging that block is your default deny.

    OpenVPN is: run the wizard, export your configuration and go.. It really is that simple! If you're trying to access from work - it's possible work is blocking your UDP access? If so set up OpenVPN to use TCP on a port that is open from there, say 443, which is pretty much always open; you can even bounce off a proxy if using TCP..



  • Johnpoz, thank you for your lessons today.
    I went into the modem, took the pfSense box out of the DMZ, disabled then deleted the WAN access rule, and deleted the current OpenVPN rule. I will run the wizard again and see if I can figure it out.
    Work might have it blocked.

    And I finally figured out OpenVPN. I shut off the wifi on my phone and connected without issues. AWESOME! I feel much better and maybe a little smarter thanks to your input and guidance today johnpoz.


  • Rebel Alliance Global Moderator

    That's what we are here for - glad I could help!



    "So all three of the ports I'm using are still layer 2. I thought that with different IPs, 192.168.0 and 192.168.1, etc, it was technically a different network."

    Everything on the local network is on the same layer 2 network, even with completely different address ranges. Layer 2 (MAC addresses) refers to addressing on the local network, but layer 3 (IP addresses) can be world wide, though RFC 1918 addresses are confined to local networks.


  • Rebel Alliance Global Moderator

    ^ yup, layer 2 is also LLC (logical link control) but that might be getting a bit deeper than you need..

    Keep in mind that you can create different layer 2 networks via a smart switch, or different physical hardware.. A router would have 2 layer 2 networks it's connected to.. The WAN side and the LAN side.. Or more even if it has multiple LAN or WAN interfaces, etc.

    The only reason RFC1918 addresses are confined to local networks is they do not actually route over the internet.. If you send traffic to your ISP with a destination of 192.168.14.100 for example.. It has no idea where to send that.. That network is not routed on the internet..

    BTW: not sure where you came up with the /16 in your posts.. From your post your networks on pfSense are /24.. I think users still get hung up on classes of IP ranges, which have really been meaningless since CIDR.. Some 24 years ago..

    Yes the 192.168.0.0/16 space is defined as RFC1918 or local address space that does not route on the internet. But /16 is the whole netblock that can be used - you would never actually use a /16 mask on a network you create.. That space would allow for 65k addresses, you would never put 65k addresses on the same layer 2/broadcast domain.. Nobody would ever be able to send real data, they would all be too busy listening to broadcasts ;) The mask used to create the size of your network should be appropriate for the number of hosts you would be putting on that network.. /24 is very common because it allows for plenty of devices on that same network, 254.. And it makes it very easy for humans to easily see what network it is – 192.168.X.0
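An added example (not from the thread) that works the mask point through with the addresses posted above: with /16 on both sides pfSense's WAN (192.168.1.65) and LAN land in the same 192.168.0.0/16 network, so the ISP gateway is "on-link" on both interfaces at once, whereas /24 keeps them apart; it also computes the prefix needed for a given host count, which is the sizing rule the moderator describes. The LAN interface address 192.168.2.1 is an assumption.

```python
import ipaddress
import math

def network_of(host_cidr):
    """The network a host configured with this address/mask believes it is on."""
    return ipaddress.ip_interface(host_cidr).network

def overlap_report(wan_cidr, lan_cidr):
    """Compare the WAN and LAN interface addresses the way pfSense would see them."""
    wan, lan = network_of(wan_cidr), network_of(lan_cidr)
    return {"wan_net": str(wan), "lan_net": str(lan),
            "same_network": wan == lan, "overlap": wan.overlaps(lan),
            "usable_hosts": lan.num_addresses - 2}

def on_link_interfaces(interfaces, dst):
    """Interfaces whose directly connected network contains dst. With sane masks this is
    at most one; two means the firewall cannot tell which side of itself a host is on."""
    d = ipaddress.ip_address(dst)
    return [name for name, cidr in interfaces.items() if d in network_of(cidr)]

def smallest_prefix_for(hosts):
    """Longest prefix (smallest broadcast domain) that still leaves room for `hosts`
    usable addresses after reserving the network and broadcast addresses."""
    return 32 - math.ceil(math.log2(hosts + 2))

# Constructed from the thread: the /16 masks as posted, and the /24 masks actually in use
AS_POSTED = {"WAN": "192.168.1.65/16", "LAN": "192.168.2.1/16"}   # LAN address assumed
CORRECTED = {"WAN": "192.168.1.65/24", "LAN": "192.168.2.1/24"}
```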