Newbie Puzzler 1: ANY doesn't mean ALL?



  • Newbie running pfSense 2.4.3. Simple network topology (LAN <–> pfSense <--> WAN), running dual stack IPv4 and IPv6. Running pfBlockerNG. My WAN gets an IPv6 address with prefix fe80::/56 and my internal LAN is prefix 2600::/64.

    I have firewall rules for the LAN side that pass all traffic on the LAN side for IPv4 and IPv6:

    While browsing the firewall logs, I noticed some traffic from my desktop computer (Windows 10) trying to access address ff02::1:3 on port 5355 – but it was being blocked by the "Default deny rule IPv6".  Yet I had the "pass all" rules?

    After some googling, I learn that address ff02::1:3 and port 5355 are used for Multicast DNS (see https://en.wikipedia.org/wiki/Multicast_DNS). (see also http://techgenix.com/ipv6-multicast-background-traffic-part1/)

    I decide I would like to pass this traffic. So I write an additional rule to pass this traffic:

    This works. The traffic is no longer blocked by pfSense.

    The Puzzling Question

    Question:

    1. Why didn't the original "Pass All" rule also pass this traffic? I.e., the mDNS traffic to port 5355?

    Here is the pass all IPv6 rule:

    If we look at the pull-down box for the "Protocol" field, it looks like this:

    Questions:

    1. Does "Any" only mean the protocols listed in the box?  That is, "Any" does not equal "All" or wildcard "*"?
    2. Since mDNS is not a listed protocol, it wouldn't be passed?

    Anyhow, I'm a pfSense newbie (and while technical, also not a networking expert). Be kind to my mistakes.


  • Rebel Alliance Developer Netgate

    Any does mean all, but there are other ways for that to happen.

    You didn't show what the firewall log entries look like. The source and destination are important factors there.

    It's possible that it doesn't match the rule because the source is not considered inside 'LAN Net', or for some other reason, but it won't be possible to tell without seeing the log entry.

    tl;dr is it was blocked because somehow it didn't match every part of that rule. Most likely the source address, but depending on the type of traffic maybe also the type of packet it is.



  • Ah, the source is the link-local IPv6 address of my Windows 10 desktop, in the fe80::/10 block of addresses. Ports 59884 and 59876. The IPv6 address of the Windows 10 desktop has prefix 2600:8800:…

    The destination address is ff02::1:3, port 5355.
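    The matching logic the developer describes, as an added example (not code from the thread or from pfSense): a small model of pfSense rule evaluation (every rule is "quick", so the first rule whose every field matches wins, and anything unmatched falls to the implicit "Default deny rule IPv6"). It runs the poster's "pass all from LAN net" rule against the blocked packet (link-local fe80::/10 source, ff02::1:3 port 5355) and against an ordinary connection from the LAN prefix. The prefix 2001:db8:1::/64 is an assumed stand-in for the poster's 2600:8800:… /64, which the page does not show in full; the packets are constructed.

```python
"""Why a 'pass all' rule with source 'LAN net' leaves link-local traffic to
the default deny.  Added example, not from the thread or pfSense itself:
it models how pfSense evaluates rules (all rules are 'quick', so the first
rule whose EVERY field matches wins; nothing matching falls to the implicit
'Default deny rule IPv6').  2001:db8:1::/64 is an assumed stand-in for the
poster's 2600:8800:... /64, which the page does not show in full."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN_NET = ipaddress.ip_network("2001:db8:1::/64")        # assumed LAN prefix
ANY_V6 = ipaddress.ip_network("::/0")                    # address wildcard
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
LLMNR_GROUP = ipaddress.ip_network("ff02::1:3/128")


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str                       # "any" is the protocol wildcard
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None      # None: any destination port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every field matches.  'any' really is a
    wildcard for the protocol; it is the source network ('LAN net') that
    excludes a packet sent from an fe80::/10 address."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; otherwise the implicit IPv6 default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "Default deny rule IPv6"


PASS_ALL_LAN = Rule("pass", "any", LAN_NET, ANY_V6, label="LAN IPv6 pass all")
PASS_LLMNR = Rule("pass", "udp", LINK_LOCAL, LLMNR_GROUP, 5355,
                  label="LLMNR from link-local")

# Constructed packets: the blocked LLMNR query from the thread (link-local
# source, ff02::1:3 port 5355) and an ordinary HTTPS connection from LAN.
LLMNR_PKT = Packet("udp", ipaddress.ip_address("fe80::1234:5678:9abc:def0"),
                   ipaddress.ip_address("ff02::1:3"), 5355)
HTTPS_PKT = Packet("tcp", ipaddress.ip_address("2001:db8:1::10"),
                   ipaddress.ip_address("2001:db8:2::443"), 443)


def original_ruleset(pkt: Packet) -> Tuple[str, str]:
    """The ruleset from the first post: only the 'pass all' rule."""
    return evaluate([PASS_ALL_LAN], pkt)


def extended_ruleset(pkt: Packet) -> Tuple[str, str]:
    """With the extra rule whose source field covers fe80::/10."""
    return evaluate([PASS_ALL_LAN, PASS_LLMNR], pkt)


if __name__ == "__main__":
    for name, pkt in (("HTTPS from LAN", HTTPS_PKT), ("LLMNR", LLMNR_PKT)):
        print(f"{name:14} original: {original_ruleset(pkt)}  "
              f"extended: {extended_ruleset(pkt)}")
```

    The point the model makes is that "any" in the protocol field is a true wildcard; the rule still fails on the source field, because the link-local address is outside the "LAN net" prefix. The extra rule passes the packet only because its source is fe80::/10.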


  • Rebel Alliance Global Moderator

    5355 is LLMNR (Link-Local Multicast Name Resolution) traffic - I personally would just turn that crap off at the client.

    It's not DNS - you're thinking of 5353.

    You can enable it all you want on the pfSense interface - it's not going anywhere, it's link-local multicast.  All that traffic is, to pfSense, noise.  If you don't want to log it, create a rule to not log it, or turn off logging of the default rule and create rules for what you do want to log.



  • I have the same question. I have 2 local nets LAN and OPT1. OPT1 is hooked to my wifi AP, and LAN is my wired switch to my pc, printers, etc.

    I cannot get my iPhone, apple tv, etc. to be able to see my printer, or my pc (iTunes). When I try to print, it says no "AirPrint Printers Found"

    In my firewall logs I am seeing this being blocked:

      Apr 19 12:44:59 OPT1 [fe80::10f1:410d:211c:ccd0]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:56 OPT1 [fe80::1420:4c77:5d63:3319]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:50 OPT1 [fe80::4fb:d9da:aa2b:d598]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:50 OPT1 [fe80::10f1:410d:211c:ccd0]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:47 OPT1 [fe80::4fb:d9da:aa2b:d598]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:47 OPT1 [fe80::1420:4c77:5d63:3319]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:47 OPT1 [fe80::10f1:410d:211c:ccd0]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:46 OPT1 [fe80::4fb:d9da:aa2b:d598]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:46 OPT1 [fe80::10f1:410d:211c:ccd0]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:44 OPT1 [fe80::1420:4c77:5d63:3319]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:42 OPT1 [fe80::1420:4c77:5d63:3319]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:42 OPT1 [fe80::1420:4c77:5d63:3319]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:42 OPT1 [fe80::1420:4c77:5d63:3319]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:41 OPT1 [fe80::1420:4c77:5d63:3319]:5353 [ff02::fb]:5353 UDP
      Apr 19 12:44:15 OPT1 [::] [ff02::2] ICMPv6

    I tried turning on IGMP proxy but docs seem to assume you already know how to do it and don't need docs.
    I also tried installing avahi package.
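
    A triage of the blocked entries pasted above, as an added example (not code from the thread or from pfSense): it parses the log lines in the shape shown on the page (`<date> <time> <iface> [src]:sport [dst]:dport <proto>`, ports absent for ICMPv6), names the protocol from the multicast group and port, and marks each entry as link-local scope, which is why no interface rule can make the router carry it from OPT1 to LAN. The last LOG line is constructed to cover the LLMNR case from the first post; the mapping of groups to names is the only knowledge added.

```python
"""Triage of the blocked entries above.  Added example, not from the thread or
pfSense: parses the pasted log lines, names the protocol from the multicast
group and port, and flags link-local scope (traffic a router never forwards
between interfaces, whatever the firewall rules say).  The last LOG line is
constructed to cover the LLMNR case from the first post."""
import ipaddress
import re
from typing import Dict, List, Optional

LOG = """\
Apr 19 12:44:59 OPT1 [fe80::10f1:410d:211c:ccd0]:5353 [ff02::fb]:5353 UDP
Apr 19 12:44:47 OPT1 [fe80::4fb:d9da:aa2b:d598]:5353 [ff02::fb]:5353 UDP
Apr 19 12:44:15 OPT1 [::] [ff02::2] ICMPv6
Apr 19 12:44:10 LAN [fe80::1]:59884 [ff02::1:3]:5355 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"\[(?P<src>[0-9a-fA-F:.]+)\](?::(?P<sport>\d+))? "
    r"\[(?P<dst>[0-9a-fA-F:.]+)\](?::(?P<dport>\d+))? (?P<proto>\S+)$"
)

# Well-known link-local multicast groups and ports seen in these logs.
KNOWN = {
    ("ff02::fb", 5353): "mDNS (Bonjour/AirPrint service discovery)",
    ("ff02::1:3", 5355): "LLMNR (Windows link-local name resolution)",
    ("ff02::2", None): "ICMPv6 to all-routers (Router Solicitation)",
}

LINK_LOCAL_MCAST = ipaddress.ip_network("ff02::/16")


def parse(line: str) -> Optional[Dict]:
    """One pfSense log line as shown in the post -> dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def classify(entry: Dict) -> str:
    """Name the traffic from (multicast group, destination port)."""
    return KNOWN.get((str(entry["dst"]), entry["dport"]), "unrecognised")


def is_link_local_scope(entry: Dict) -> bool:
    """True when the packet cannot leave the link it was sent on: a
    link-local multicast destination (ff02::/16), a link-local (fe80::/10)
    source, or the unspecified source (::) a host uses before it has any
    address."""
    src, dst = entry["src"], entry["dst"]
    return (dst in LINK_LOCAL_MCAST) or src.is_link_local or src.is_unspecified


def triage(log: str) -> List[Dict]:
    """Parse and annotate every recognisable line of the log."""
    out = []
    for line in log.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        entry["what"] = classify(entry)
        entry["crosses_interfaces"] = not is_link_local_scope(entry)
        out.append(entry)
    return out


if __name__ == "__main__":
    for e in triage(LOG):
        print(f"{e['iface']:5} {e['src']} -> {e['dst']} {e['proto']:6} "
              f"{e['what']}  forwardable={e['crosses_interfaces']}")
```

    Every entry comes out as link-local scope: the Apple devices on OPT1 are asking ff02::fb for AirPrint services, and those queries stay on the OPT1 link no matter what pass rule is written, which is why a pass rule alone cannot make a printer on LAN visible to them.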