Lots of blocked packets from LAN segment to WAN



  • Hi Guys,

    I'm sure this has been beaten to death before, and I have read the stock answers about Out of State Packets, but I am seeing what seems to be an inordinate number of blocked packets on the latest pfSense install that I did. The vast majority of the packets are DNS lookups, or SIP control packets going out to the VOIP provider. Note that the VOIP system does seem to work, although call quality sometimes is a bit spotty. I do have several LAN subnets set up as VLANs, but for the most part they are all just allowing everything out.

    pfSense version: 2.4.1-RELEASE (amd64)
    built on Sun Oct 22 17:26:33 CDT 2017
    FreeBSD 11.1-RELEASE-p2

    WAN Firewall Rules:
      Block private networks,
      Block bogon networks,
      Allow all ICMP from anywhere to anywhere

    LAN Firewall Rules:
      Allow ipv4 anything from anywhere to anywhere

    So pretty basic config - other LAN subnets are configured the same, with a few specifically blocked from other VLANs.
    Where I am seeing the blocks are not subnet to subnet traffic, but outbound traffic (that should be unrestricted).

    Here's a little sampling of the firewall log:

    Nov 4 01:07:13 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:16 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:54699 64.132.94.250:53 UDP
    Nov 4 01:07:17 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:19 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:39434 4.2.2.2:53 UDP
    Nov 4 01:07:21 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:22 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:23 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:25 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:40104 216.136.95.2:53 UDP
    Nov 4 01:07:25 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:29 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:30 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:54699 64.132.94.250:53 UDP
    Nov 4 01:07:33 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:39434 4.2.2.2:53 UDP
    Nov 4 01:07:33 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:37 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:39 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:40927 216.136.95.2:53 UDP
    Nov 4 01:07:41 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:42 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:43 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:44 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:50883 64.132.94.250:53 UDP
    Nov 4 01:07:45 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:47 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:40146 4.2.2.2:53 UDP

    This is actually pretty light - I've seen it where there are 20-30 of these per second. Things are quiet tonight :-) 10.10.2.10 is the Asterisk VOIP server.

    Thoughts?

    Bob
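    As an added example (not code from the thread or from pfSense), here is a small Python script that parses firewall-log lines in the format quoted above and groups the blocked packets per flow, so repeated blocks of the same source port can be compared against the state table instead of the pass rules. The sample lines are copied from the post; the regex and the "Default deny" filter are assumptions about the web-UI log rendering, not the raw filterlog format.

    ```python
    import re
    from collections import defaultdict
    from datetime import datetime

    # Log format as rendered in the post above (pfSense web UI firewall log, assumed):
    # "Mon D HH:MM:SS IFACE rule description (rule-id) SRC:SPORT DST:DPORT PROTO"
    LOG_RE = re.compile(
        r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
        r"(?P<iface>\S+)\s+(?P<rule>.+?)\s+\((?P<ruleid>\d+)\)\s+"
        r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
    )

    # Sample input: a subset of the lines quoted in the post, embedded so the script runs offline.
    SAMPLE_LOG = """\
    Nov 4 01:07:13 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:16 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:54699 64.132.94.250:53 UDP
    Nov 4 01:07:17 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:5060 69.54.92.156:5060 UDP
    Nov 4 01:07:19 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:39434 4.2.2.2:53 UDP
    Nov 4 01:07:30 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:54699 64.132.94.250:53 UDP
    Nov 4 01:07:33 VOIP_VLAN10 Default deny rule IPv4 (1000000103) 10.10.2.10:39434 4.2.2.2:53 UDP
    """

    def parse_line(line):
        """Return the fields of one log line as a dict, or None if the line does not match."""
        m = LOG_RE.match(line.strip())
        if not m:
            return None
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(f"{rec['mon']} {rec['day']} {rec['time']}", "%b %d %H:%M:%S")
        return rec

    def summarize(text):
        """Group default-deny blocks by flow (src, sport, dst, dport, proto).

        For each flow report how often it was blocked and the span in seconds between the
        first and last block. The same source port blocked again seconds later is a
        retransmission from one socket (a SIP UA bound to 5060, a resolver retrying), so the
        thing to check is whether a state for that flow exists in Diagnostics > States.
        """
        flows = defaultdict(list)
        for line in text.splitlines():
            rec = parse_line(line)
            if rec and rec["rule"].startswith("Default deny"):
                key = (rec["src"], int(rec["sport"]), rec["dst"], int(rec["dport"]), rec["proto"])
                flows[key].append(rec["ts"])
        return {k: {"count": len(v), "span_s": int((max(v) - min(v)).total_seconds())}
                for k, v in flows.items()}

    if __name__ == "__main__":
        for flow, st in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
            print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} {flow[4]}  blocked {st['count']}x over {st['span_s']}s")
    ```

    Feed it the full log export (Status > System Logs > Firewall) via `summarize(open(path).read())` to see which flows dominate.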


  • LAYER 8 Global Moderator

    Doesn't look like LAN to me... Looks clearly like VOIP_VLAN10.

    Post up your rules, and are you sure that this VLAN is hitting the correct interface?

    That is UDP... So is your allow rule only TCP? Please post up screenshots of rules on interfaces.



  • I did post the rules... the VOIP_VLAN10 is what I am calling the LAN. The firewall rules for VOIP_VLAN10 allow all protocols from anywhere out to anywhere.
    And yes, I have verified this is the correct interface.

    Bob



  • Can we see the actual rules, like a screen shot, on VOIP_VLAN10?


  • LAYER 8 Global Moderator

    I don't see any posting of rules. I see this:

    LAN Firewall Rules:
      Allow ipv4 anything from anywhere to anywhere

    That doesn't mean anything... That is your interpretation of what you believe is set, etc. What's the saying? Pics or it didn't happen ;)
