Netgate Discussion Forum

Firewall blocks, Pfblocker, multicast

Firewalling
13 Posts 4 Posters 2.3k Views

    occamsrazor
    last edited by Aug 31, 2018, 10:09 AM

    Hi,

    I'm running pfBlocker and my firewall logs are full of entries like these:

    [screenshot: Blocks.jpg]

    I run a flat 192.168.0.x network with a bunch of Apple devices/computers as well as other stuff like Chromecast etc. I have done some reading and seen some other posts referring to similar and understand this (I think) relates to multicast traffic originating from devices on my LAN, but what I don't really understand is:

    1. Do I need to have this traffic blocked?
    2. Is it being blocked from going around my LAN, or only being blocked from going out the WAN? Do I want it being blocked from going out the WAN?
    3. Assuming I need this traffic to go around my LAN for device/service functionality, how can I keep the functionality but prevent the logs being full of this.

    Thanks.

    pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
    Ubiquiti Unifi wired and wireless network, APC UPSs
    Mac OSX and IOS devices, QNAP NAS

      NogBadTheBad
      last edited by NogBadTheBad Aug 31, 2018, 11:28 AM Aug 31, 2018, 10:48 AM

      Do I need to have this traffic blocked?

      If you don't want it being logged you do.

      Is it being blocked from going around my LAN, or only being blocked from going out the WAN? Do I want it being blocked from going out the WAN?

      It's local to the subnet.

      Assuming I need this traffic to go around my LAN for device/service functionality, how can I keep the functionality but prevent the logs being full of this.

      Create a firewall rule above the pfBlocker rule blocking multicast and set it not to log if you don't need multicast past your LAN interface.

      https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        occamsrazor @NogBadTheBad
        last edited by Aug 31, 2018, 10:59 AM

        @nogbadthebad said in Firewall blocks, Pfblocker, multicast:

        Create a firewall rule above the pfBlocker rule blocking multicast and set it not to log if you don't need multicast past your LAN interface.

        Thanks. But still a little confused. So is the multicast traffic currently being blocked only multicast traffic that's trying to exit the WAN? Therefore I would want to block that but not log it.... is that correct?
        pfBlocker rules live in the Floating firewall tab, is that where I would put your rule? Or on the WAN tab?

        I should add I do also have OpenVPN TAP & TUN servers for remote access running on pfSense and think I would want multicast traffic to be allowed to those clients.

          NogBadTheBad @occamsrazor
          last edited by Aug 31, 2018, 11:29 AM

          @occamsrazor

          Sorry was mid edit and the phone went :)

          Andy

            JKnott
            last edited by Aug 31, 2018, 2:08 PM

            @occamsrazor said in Firewall blocks, Pfblocker, multicast:

            Thanks. But still a little confused. So is the multicast traffic currently being blocked only multicast traffic that's trying to exit the WAN?

            Multicast has to be specifically configured for it to get through a router. This can be done either manually or automatically, with multicast snooping/discovery. If you don't have either of those, then those multicasts are not leaving your LAN.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

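To make the point in the last two replies checkable against the log in the opening post, here is a small triage script. It is an added example, not code from this thread, from pfSense or from pfBlockerNG. It parses pfSense filterlog lines, labels each blocked destination as link-local multicast, admin-scoped multicast, broadcast or unicast, and keeps only the unicast blocks for a human to read. Two assumptions are baked in and marked in the code: the field positions follow pfSense's documented filterlog CSV layout for IPv4 as I understand it (check them against one of your own lines first), and the sample lines, addresses, tracker ids and interface names (igb1 as LAN, igb0 as WAN) are constructed. What the output makes concrete is what JKnott and NogBadTheBad describe: a multicast or broadcast packet blocked "in" on the LAN interface was dropped at the router's own interface after the switch had already delivered it to every other LAN host, so device discovery keeps working and those entries are noise; a unicast block to a public address is the kind of line that is actually worth a look.

```python
"""Triage pfSense filterlog entries: separate LAN-local multicast/broadcast
noise from unicast blocks that deserve a look.

Added example, not code from the thread, pfSense or pfBlockerNG. The field
positions assume the pfSense 2.2+ filterlog CSV layout for IPv4 packets:
rule number, sub-rule, anchor, tracker, interface, reason, action,
direction, IP version, TOS, ECN, TTL, ID, offset, flags, protocol id,
protocol, length, source, destination, source port, destination port, ...
Verify them against a line from your own log before relying on this.
"""
import ipaddress
from collections import Counter

# Constructed sample: igb1 is assumed to be LAN, igb0 WAN. Addresses and
# tracker ids are made up (documentation ranges for the public ones).
SAMPLE_LOG = """\
Aug 31 10:05:01 pfSense filterlog: 5,,,1770001234,igb1,match,block,in,4,0x0,,1,0,0,none,17,udp,201,192.168.0.23,239.255.255.250,49152,1900,181
Aug 31 10:05:02 pfSense filterlog: 5,,,1770001234,igb1,match,block,in,4,0x0,,255,0,0,none,17,udp,180,192.168.0.40,224.0.0.251,5353,5353,160
Aug 31 10:05:03 pfSense filterlog: 5,,,1770001234,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,328,0.0.0.0,255.255.255.255,68,67,308
Aug 31 10:05:04 pfSense filterlog: 5,,,1770001234,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.0.50,203.0.113.10,51234,443,0,S,1234567890,,64240,,mss;sackOK;TS;nop;wscale
Aug 31 10:05:05 pfSense filterlog: 9,,,1770005678,igb0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.5,40000,22,0,S,987654321,,29200,,mss;nop;wscale
Aug 31 10:05:06 pfSense filterlog: 12,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.0.50,192.0.2.80,51235,443,0,S,1111111111,,64240,,mss;sackOK
"""

LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")    # never forwarded by routers
ADMIN_SCOPED_MCAST = ipaddress.ip_network("239.0.0.0/8")   # organisation-local, RFC 2365
BROADCAST = ipaddress.ip_address("255.255.255.255")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_filterlog(line):
    """Return the fields of interest for one IPv4 filterlog line, else None."""
    marker = "filterlog: "
    pos = line.find(marker)
    if pos < 0:
        return None
    f = line[pos + len(marker):].strip().split(",")
    if len(f) < 22 or f[8] != "4":   # IPv6 lines use a different layout; skipped here
        return None
    return {
        "interface": f[4],
        "action": f[6],
        "direction": f[7],
        "proto": f[16],
        "src": ipaddress.ip_address(f[18]),
        "dst": ipaddress.ip_address(f[19]),
        "dport": int(f[21]) if f[21] else None,
    }


def classify(entry):
    """Label an entry by what its destination says about how far it can travel."""
    dst = entry["dst"]
    if dst in LINK_LOCAL_MCAST:
        return "multicast-link-local"    # mDNS/Bonjour, IGMP, routing protocols: TTL 1 by design
    if dst in ADMIN_SCOPED_MCAST:
        return "multicast-admin-scoped"  # SSDP/Chromecast; needs PIM or an IGMP proxy to cross a router
    if dst.is_multicast:
        return "multicast-other"
    if dst == BROADCAST:
        return "broadcast"               # DHCP, WS-Discovery; never forwarded
    if any(dst in n for n in RFC1918):
        return "unicast-private"
    return "unicast-public"


def summarize(log_text):
    """Count blocked entries per (interface, direction, label) and collect the
    unicast ones, which are the only lines worth reading by hand."""
    counts = Counter()
    review = []
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry is None or entry["action"] != "block":
            continue
        label = classify(entry)
        counts[(entry["interface"], entry["direction"], label)] += 1
        if label.startswith("unicast"):
            review.append(entry)
    return counts, review


if __name__ == "__main__":
    counts, review = summarize(SAMPLE_LOG)
    for (iface, direction, label), n in sorted(counts.items()):
        print(f"{iface:6} {direction:4} {label:24} {n}")
    for e in review:
        print(f"review: {e['interface']} {e['proto']} {e['src']} -> {e['dst']}:{e['dport']}")
```

Feed it the raw lines from Status > System Logs > Firewall (the "Raw" view) rather than the parsed table, since the CSV fields are what the parser keys on. If the multicast and broadcast rows all show the LAN interface with direction "in" and nothing of the kind appears on the WAN interface, the blocks are exactly the local-only drops described above, and the only thing to fix is logging.
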
              JKnott @NogBadTheBad
              last edited by Aug 31, 2018, 2:09 PM

              @nogbadthebad said in Firewall blocks, Pfblocker, multicast:

              Sorry was mid edit and the phone went :)

              That's OK, we didn't mind waiting. 😉

                BBcan177 Moderator
                last edited by Aug 31, 2018, 2:13 PM

                Better to view blocked events in the Alerts tab.

                Do you use the Firehol level 1 feed? That feed contains bogons and should not be used for outbound blocking.

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  occamsrazor @JKnott
                  last edited by occamsrazor Aug 31, 2018, 2:58 PM Aug 31, 2018, 2:31 PM

                  @jknott said in Firewall blocks, Pfblocker, multicast:

                  Multicast has to be specifically configured for it to get through a router. This can be done either manually or automatically, with multicast snooping/discovery. If you don't have either of those, then those multicasts are not leaving your LAN.

                  So basically there is no need for lists in pfBlocker to be blocking it anyway? There's no need for me to be blocking it for security purposes, and it's not being blocked from reaching my LAN devices... it's merely a logging issue.

                  @bbcan177 said in Firewall blocks, Pfblocker, multicast:

                  Better to view blocked events in the Alerts tab.

                  Indeed, thanks. I've identified one list that was problematic, have now deleted that. But some of the blocks are showing "no match" as to where the block is coming from...

                  [screenshot: alerts.jpg]

                  Do you use the Firehol level 1 feed? That feed contains bogons and should not be used for outbound blocking.

                  No... I made that mistake once already :-) Never again...

                  I guess all this will be easier once I move over to the new version of your excellent blocker, but for now I think I have to wait until 2.4.4 stable is released as that's required for pfBlockerNG-devel right? Or can it safely be run on 2.4.3-RELEASE-p1?

                    JKnott
                    last edited by Aug 31, 2018, 3:00 PM

                    @occamsrazor said in Firewall blocks, Pfblocker, multicast:

                    So basically there is no need for lists in pfBlocker to be blocking it anyway? There's no need for me to be blocking it for security purposes, and it's not being blocked from reaching my LAN devices... it's merely a logging issue.

                    Correct. However, if you want to be sure, run Wireshark or Packet Capture on the WAN port. I doubt you'll see those multicasts.

                      BBcan177 Moderator @occamsrazor
                      last edited by BBcan177 Aug 31, 2018, 3:27 PM Aug 31, 2018, 3:24 PM

                      @occamsrazor said in Firewall blocks, Pfblocker, multicast:

                      No... I made that mistake once already :-) Never again...
                      I guess all this will be easier once I move over to the new version of your excellent blocker, but for now I think I have to wait until 2.4.4 stable is released as that's required for pfBlockerNG-devel right? Or can it safely be run on 2.4.3-RELEASE-p1?

                      If you stay on 2.4.3, then you can go to pfBlockerNG-devel.

                      The issue people were having was when they were on 2.4.3, and then switched to the 2.4.4 devel branch and then went to pfBlockerNG-devel. This causes PHPv7 to be installed in 2.4.3, which caused issues...

                      So for those who want to go to 2.4.4, they need to update pfSense first before installing pfBlockerNG-devel.

                      There is one of your feeds that contains a block on 224/3 which is not a good idea. The new devel has a Feeds management page with a list of Feeds from the original sources which should be better.

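Two feed warnings appear in this thread: the Firehol level 1 feed carrying bogons (a few posts up) and, just above, a feed that contains 224/3. The following audit script is an added example that turns both into a mechanical check; it is not pfBlockerNG code, and the feed excerpt in it is constructed. It reads a one-entry-per-line IP feed (the plain text layout such feeds commonly use, which is an assumption about your feed) and reports every entry that overlaps address space that only ever appears on a LAN or is unroutable on the internet. Such an entry, applied as an outbound block, catches mDNS, SSDP, DHCP broadcast and RFC 1918 traffic instead of hostile internet hosts, which is exactly the log flood the opening post shows. It also spells out what a single 224.0.0.0/3 line actually covers.

```python
"""Audit an IP blocklist feed for entries that belong to LAN-only or
unroutable address space.

Added example, not pfBlockerNG code. Assumes a feed in the common plain
text layout: one IPv4 address or CIDR per line, '#' starting a comment.
"""
import ipaddress

# Address ranges that legitimately appear on a LAN or are not routable on
# the internet. A feed entry overlapping any of these will, when applied as
# an outbound block, drop or log local traffic rather than internet threats.
NEVER_OUTBOUND = {
    "this-network":       ipaddress.ip_network("0.0.0.0/8"),
    "rfc1918-10":         ipaddress.ip_network("10.0.0.0/8"),
    "cgnat":              ipaddress.ip_network("100.64.0.0/10"),
    "loopback":           ipaddress.ip_network("127.0.0.0/8"),
    "link-local":         ipaddress.ip_network("169.254.0.0/16"),
    "rfc1918-172":        ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918-192":        ipaddress.ip_network("192.168.0.0/16"),
    "multicast":          ipaddress.ip_network("224.0.0.0/4"),
    "reserved+broadcast": ipaddress.ip_network("240.0.0.0/4"),
}

# Well-known LAN destinations that show up in firewall logs; used to spell
# out what an over-broad entry would match.
LAN_NOISE = {
    "224.0.0.251": "mDNS/Bonjour",
    "239.255.255.250": "SSDP/Chromecast",
    "255.255.255.255": "DHCP broadcast",
}

# Constructed feed excerpt: two plausible public entries (documentation
# addresses) plus the kinds of lines the thread warns about.
SAMPLE_FEED = """\
# constructed feed, not a real list
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
198.51.100.17
203.0.113.0/24
224.0.0.0/3
"""


def parse_feed(text):
    """Yield an IPv4Network for each non-comment, non-empty line.
    Host bits are tolerated (strict=False) because feeds often carry them;
    IPv6 entries are skipped since the scope table above is IPv4 only."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.version == 4:
            yield net


def audit_feed(text):
    """Map each problematic feed entry to the local-scope ranges it overlaps."""
    findings = {}
    for net in parse_feed(text):
        hits = [name for name, scope in NEVER_OUTBOUND.items() if net.overlaps(scope)]
        if hits:
            findings[str(net)] = hits
    return findings


def lan_noise_caught(entry):
    """List the well-known LAN destinations a single feed entry would block."""
    net = ipaddress.ip_network(entry, strict=False)
    return [f"{addr} ({what})" for addr, what in LAN_NOISE.items()
            if ipaddress.ip_address(addr) in net]


if __name__ == "__main__":
    for entry, scopes in audit_feed(SAMPLE_FEED).items():
        print(f"{entry:18} overlaps {', '.join(scopes)}")
    wide = ipaddress.ip_network("224.0.0.0/3")
    print(f"{wide} alone covers {wide.num_addresses} addresses, including",
          lan_noise_caught(str(wide)))
```

Run it over the downloaded text of each feed before enabling it as an outbound list; anything it flags is a candidate for inbound-only use or for leaving out entirely, which is the distinction the moderator is drawing between the Firehol level 1 bogons and the lists that are safe to apply in both directions.
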
                        occamsrazor @BBcan177
                        last edited by Aug 31, 2018, 3:36 PM

                        @bbcan177 said in Firewall blocks, Pfblocker, multicast:

                        If you stay on 2.4.3, then you can go to pfBlockerNG-devel.

                        The issue people were having was when they were on 2.4.3, and then switched to the 2.4.4 devel branch and then went to pfBlockerNG-devel. This causes PHPv7 to be installed in 2.4.3, which caused issues...

                        So for those who want to go to 2.4.4, they need to update pfSense first before installing pfBlockerNG-devel.

                        Thanks, I was kind of following that issue but then lost track. So on 2.4.3-RELEASE-p1 I can just disable pfblockerNG in its settings (but keep it around in case of any issues) and install pfBlockerNG-devel? Or does pfblockerNG need to be uninstalled as a package first before installing the pfBlockerNG-devel package?

                          BBcan177 Moderator @occamsrazor
                          last edited by BBcan177 Aug 31, 2018, 3:39 PM Aug 31, 2018, 3:38 PM

                          @occamsrazor said in Firewall blocks, Pfblocker, multicast:

                          Thanks, I was kind of following that issue but then lost track. So on 2.4.3-RELEASE-p1 I can just disable pfblockerNG in its settings (but keep it around in case of any issues) and install pfBlockerNG-devel? Or does pfblockerNG need to be uninstalled as a package first before installing the pfBlockerNG-devel package?

                          First make sure that "Keep Settings" is enabled.
                          Disable pfBlockerNG and Save
                          Then Uninstall pfBlockerNG
                          Then install pfBlockerNG-devel
                          Re-enable pfBlockerNG-devel and run a: Force Reload - All

                            occamsrazor @BBcan177
                            last edited by occamsrazor Aug 31, 2018, 3:41 PM Aug 31, 2018, 3:41 PM

                            @bbcan177 said in Firewall blocks, Pfblocker, multicast:

                            First make sure that "Keep Settings" is enabled.
                            Disable pfBlockerNG and Save
                            Then Uninstall pfBlockerNG
                            Then install pfBlockerNG-devel
                            Re-enable pfBlockerNG-devel and run a: Force Reload - All

                            Awesome, thanks a lot, will give it a try.....
