Netgate Discussion Forum
[solved] Not sure what this is

Firewalling
Actionhenk

Hi,

I recently switched over from Hyper-V to ESXi and rebuilt my pfSense. Imported a backup I made from the Hyper-V setup. On ESXi I have passthrough set on my LAN and WAN interfaces using an Intel I350-T2 v2. It's all working well, seems to be slightly faster for me than on Hyper-V. The box has Suricata and pfBlockerNG-devel running on it.

Since migrating over to ESXi I keep seeing entries in the firewall log such as the one here:

[screenshot: firewall log entries]

There are not many of them, but enough for me to start scratching my head. I can't figure out what the source of this traffic is. It has this little "play" icon next to the interface; it looks like the firewall itself wants to send out data from the WAN IP to an external IP, as you can see in the picture (what does the play icon mean?).

I have looked up a few of the addresses and some seem to be from a regular consumer line in the US, a few go to Cloudflare, and there are also a few going to Google DNS. I'm pretty sure I have not set 8.8.8.8 as DNS anywhere, since I'm using DNS over TLS (there are a few Android devices on my network, but the IPs/DNS are provided by DHCP). Is there a way I can find out what the source of this traffic is (Suricata isn't picking up anything)?

KOM

Looks like something is trying to start an HTTPS session with you but it's being blocked on WAN as expected. The Internet is full of bots constantly scanning for vulnerable services to exploit.

Actionhenk

This traffic is originating from pfSense. The rule it is being blocked by is my cleanup rule; I've got a few more:

[screenshot: firewall rules]

KOM

Do you have any NATs defined?

Actionhenk

Yes, I do have a few port forward and outbound NAT rules:

port forward:
[screenshot: port forward rules]

outbound NAT:
[screenshot: outbound NAT rules]

I will look into the VPN; I got more entries when connected to it with my phone.

KOM

I suspect it's either Suricata or pfB blocking these. No reason otherwise for incoming traffic to your NAT'd address to be blocked. It's hard to know for sure without seeing your WAN rules.

Actionhenk

I only have 2 WAN rules: 1 is the port forward in the picture of my previous post and the other is block all in (floating rule). From what I've seen with Suricata (inline), blocked traffic doesn't show up in the firewall log; I will disable Suricata and pfBlocker and check the results to see if the blocks disappear. Thanks for your replies!

Actionhenk

I think I found the cause: there was a floating rule with source "This Firewall" which had a port alias configured with port 443 near the top of the rule list. 😳

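The question that opened this thread (where does firewall-sourced, blocked traffic come from, and which rule is blocking it) can be answered from the raw firewall log rather than the GUI. The records that pfSense writes through filterlog (`/var/log/filter.log`) are CSV with a fixed layout: a common header containing the rule's tracker ID, the interface, the action and an explicit direction field (`in` or `out` relative to the interface), followed by IP-version specific fields and, for TCP/UDP, the ports. Traffic the firewall itself originates therefore shows up as a `block` record with direction `out` whose source address is one of the firewall's own addresses, and the tracker ID identifies the rule that matched. The script below is an added example for this thread, not code from pfSense or from the poster: it parses such records, keeps only firewall-originated blocks, and groups them by tracker and destination. The WAN address 198.51.100.20, the tracker IDs and every log line are constructed for the example.

```python
"""Pick firewall-originated blocks out of pfSense filterlog records.

Added example for this thread; not code from pfSense or the poster. The log
lines, the WAN address 198.51.100.20 and the tracker IDs are constructed.
"""
import csv
import ipaddress
from collections import defaultdict

# Field layout of the pfSense 2.2+ filterlog CSV record: a common header,
# then an IP-version specific section, then source/destination ports for
# tcp and udp. Only the fields used here need to be correct for the script
# to work; the rest are carried through for inspection.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flow", "hoplimit", "proto", "proto_id", "length", "src", "dst"]
PORTS = ["sport", "dport"]

# Constructed sample (not real data from the thread): one inbound scan hit
# against the WAN address, several blocks of packets the firewall itself
# sourced from its WAN address, and one passed LAN flow that must be ignored.
SAMPLE_LOG = """\
Mar  1 10:00:01 pfSense filterlog[70801]: 5,,,1614000100,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,192.0.2.77,198.51.100.20,41522,443,0,S,1083204171,,29200,,mss;sackOK;TS;nop;wscale
Mar  1 10:00:04 pfSense filterlog[70801]: 5,,,1614000000,igb0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.20,203.0.113.9,51234,443,0,S,123456789,,65228,,mss;sackOK;TS;nop;wscale
Mar  1 10:00:09 pfSense filterlog[70801]: 5,,,1614000000,igb0,match,block,out,4,0x0,,64,0,0,DF,17,udp,61,198.51.100.20,8.8.8.8,60120,53,41
Mar  1 10:00:11 pfSense filterlog[70801]: 5,,,1614000000,igb0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.20,203.0.113.44,51235,443,0,S,123456790,,65228,,mss;sackOK;TS;nop;wscale
Mar  1 10:00:15 pfSense filterlog[70801]: 102,,,1614000200,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,203.0.113.9,49876,443,0,S,55,,65535,,mss;nop;wscale;sackOK;TS
Mar  1 10:00:20 pfSense filterlog[70801]: 5,,,1614000000,igb0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.20,203.0.113.9,51236,443,0,S,123456791,,65228,,mss;sackOK;TS;nop;wscale
"""


def parse_filterlog(line):
    """Return a dict for one filterlog record, or None if the line is not one.

    Accepts the syslog-prefixed form ("... filterlog[pid]: a,b,c,...") as well
    as a bare CSV record.
    """
    line = line.strip()
    if not line:
        return None
    idx = line.find("filterlog")
    if idx >= 0:
        colon = line.find(": ", idx)
        if colon < 0:
            return None
        payload = line[colon + 2:]
    else:
        payload = line
    fields = next(csv.reader([payload]))
    if len(fields) < len(COMMON):
        return None
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    if rec["ipver"] == "4":
        rec.update(zip(IPV4, rest[:len(IPV4)]))
        rest = rest[len(IPV4):]
    elif rec["ipver"] == "6":
        rec.update(zip(IPV6, rest[:len(IPV6)]))
        rest = rest[len(IPV6):]
    else:
        return None
    if rec.get("proto") in ("tcp", "udp"):
        rec.update(zip(PORTS, rest[:2]))
    return rec


def firewall_originated_blocks(lines, own_addresses):
    """Blocked records with direction 'out' sourced from the firewall's own addresses.

    Returns {tracker: {(proto, dst, dport): count}} so each cluster of
    blocked packets can be traced back to exactly one rule.
    """
    own = {ipaddress.ip_address(a) for a in own_addresses}
    out = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["direction"] != "out":
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:  # malformed address field; skip rather than crash
            continue
        if src not in own:
            continue
        key = (rec["proto"], rec["dst"], rec.get("dport", ""))
        out[rec["tracker"]][key] += 1
    return {tracker: dict(clusters) for tracker, clusters in out.items()}


def report(lines, own_addresses):
    """One summary line per (tracker, protocol, destination) cluster."""
    rows = []
    for tracker, clusters in firewall_originated_blocks(lines, own_addresses).items():
        for (proto, dst, dport), n in sorted(clusters.items()):
            rows.append(f"tracker {tracker}: {n} x {proto} -> {dst}:{dport}")
    return rows


if __name__ == "__main__":
    # Real use: feed the lines of /var/log/filter.log and the firewall's own
    # WAN/LAN/VPN addresses instead of the constructed sample.
    for row in report(SAMPLE_LOG.splitlines(), ["198.51.100.20"]):
        print(row)
```

Once a tracker number is known, grepping it in `/tmp/rules.debug` (the ruleset pfSense generates and loads into pf) shows the full text of the rule that matched, which is quicker than clicking through the log view. Floating rules are evaluated before the per-interface rules, so a floating rule with source "This Firewall" that sits near the top of the list will match the firewall's own outbound connections before anything on the WAN or LAN tabs gets a chance to.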
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.