Netgate Discussion Forum

    OpenVPN strange IP

    4 Posts 2 Posters 2.4k Views

      CyberTiVo
      This is going to sound strange.

      I found my firewall trying to make a connection from my outside interface to 12.166.84.3 on port 1194 every 10 seconds.

      tcpdump:
      18:26:54.113516 IP xx.xx.xx.xx.1194 > 12.166.84.3.34246: UDP, length 68
      18:26:54.184279 IP 12.166.84.3 > xx.xx.xx.xx: ICMP 12.166.84.3 udp port 34246 unreachable, length 92
      18:27:04.652174 IP xx.xx.xx.xx.1194 > 12.166.84.3.34246: UDP, length 68
      18:27:04.652207 IP xx.xx.xx.xx > 12.166.84.3.34246: UDP, length 68
      18:27:04.705128 IP 12.166.84.3 > xx.xx.xx.xx: ICMP 12.166.84.3 udp port 34246 unreachable, length 92
      18:27:04.713316 IP 12.166.84.3 > xx.xx.xx.xx: ICMP 12.166.84.3 udp port 34246 unreachable, length 92

      OpenVPN log:
      Mar 28 19:03:07 openvpn[21268]: UDPv4 link remote: 12.166.84.3:34246
      Mar 28 19:03:07 openvpn[21268]: UDPv4 link local (bound): [undef]:1194
      Mar 28 19:03:07 openvpn[21268]: Preserving previous TUN/TAP instance: tun0
      Mar 28 19:03:07 openvpn[21268]: TCP/UDP: Preserving recently used remote address: 12.166.84.3:34246
      Mar 28 19:03:07 openvpn[21268]: LZO compression initialized
      Mar 28 19:03:07 openvpn[21268]: Re-using pre-shared static key
      Mar 28 19:03:05 openvpn[21268]: SIGUSR1[soft,ping-restart] received, process restarting

      After seeing this, I added a rule to the WAN to block 12.166.84.3 both source and destination for all ports after the 2 default block rules.

      I sniffed the internal interface and find nothing.

      2 questions:
      Where are these packets coming from?
      Why doesn't the rule block these packets?

        GruensFroeschli

        I assume you're running an openVPN server and opened the ports to this server to the WAN.
        pfSense isn't sending packets on its own. It's responding to a request from outside.

        1: Someone is trying to connect to your OpenVPN server.
        2: Did you misconfigure your rules? Can you show screenshots?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          CyberTiVo

          Thanks for the quick reply.

          Yes, I do have an OpenVPN setup.  Attached is a partial copy of the rules; it should be blocking and logging these packets.

          I still don't think it is a host trying to get in.  A couple of reasons: my outside interface is using port 1194, the 12.166.84.3 IP is using 34246.  Wouldn't they be coming in on 1194?  Also, I don't see any of these packets on the inside interface.  If pfSense was blocking them it should be logging them, therefore they must be originating on the outside interface, right?

          ![Picture 1.png](/public/imported_attachments/1/Picture 1.png)

            GruensFroeschli

            You misunderstand how the rules work.
            http://forum.pfsense.org/index.php/topic,7001.0.html

            Rules:
            Rules are processed from top to bottom.
            If a rule catches, the rest of the rules are no longer considered.
            Per default a "block all" rule is always in place (invisible below your own rules).

            Traffic is filtered on the Interface on which traffic comes in.
            So traffic coming in on the LAN-Interface will only be processed by the rules you define on the LAN tab.

            > A couple of reasons, my outside interface is using port 1194 the 12.166.84.3 ip is using 34246.

            Each connection has a destination-port and a source-port.
            Only the destination is 1194. The source can be something random between 1024+ ~ 65535.

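The three points made in the thread (rules are evaluated top to bottom with first match winning, they apply on the interface the traffic enters, and only the destination port is 1194 while the peer's source port is ephemeral) can be checked with a small model. The following is an added example, not code from the thread or from pfSense. It assumes a WAN rule set the screenshot does not show: two stock block rules, a pass rule opening UDP/1194 for the OpenVPN server, and the block rule the poster added after them. The tcpdump line is constructed from the thread, with 203.0.113.10 standing in for the masked firewall address.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS on; this selects the rule tab
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    label: str
    proto: Optional[str] = ANY
    src: Optional[str] = ANY     # address or CIDR
    dst: Optional[str] = ANY     # address or CIDR
    dport: Optional[int] = ANY   # rules match the DESTINATION port, not the source port

    def matches(self, p: Packet) -> bool:
        def in_net(net: Optional[str], addr: str) -> bool:
            return net is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return (self.proto in (ANY, p.proto) and in_net(self.src, p.src)
                and in_net(self.dst, p.dst) and self.dport in (ANY, p.dport))


def evaluate(tabs: Dict[str, List[Rule]], p: Packet) -> Tuple[str, str]:
    """Filter on the inbound interface's tab, top to bottom, first match wins.
    If nothing matches, the invisible default 'block all' applies."""
    for r in tabs.get(p.iface, []):
        if r.matches(p):
            return r.action, r.label
    return "block", "default block (implicit)"


# Constructed tcpdump line modelled on the thread (firewall WAN address is a placeholder).
TCPDUMP_REPLY = "18:27:04.652174 IP 203.0.113.10.1194 > 12.166.84.3.34246: UDP, length 68"
TCPDUMP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def inbound_from_reply(line: str, iface: str = "wan") -> Packet:
    """The captured packet is the firewall's reply (source port 1194). The request
    that triggered it entered on WAN with the ports the other way round:
    destination 1194, source an ephemeral port (34246 here)."""
    m = TCPDUMP_RE.search(line)
    if m is None:
        raise ValueError("not a UDP tcpdump line: %r" % line)
    fw_addr, fw_port, peer, peer_port = m.groups()
    return Packet(iface, "udp", peer, int(peer_port), fw_addr, int(fw_port))


def wan_tab(block_first: bool) -> Dict[str, List[Rule]]:
    """Assumed WAN rule set (hypothetical; the thread's screenshot is not available).
    The stock block rules are simplified to one range each."""
    stock = [
        Rule("block", "block private networks (stock)", src="10.0.0.0/8"),
        Rule("block", "block bogon networks (stock)", src="0.0.0.0/8"),
    ]
    pass_ovpn = Rule("pass", "OpenVPN", proto="udp", dport=1194)
    block_peer = Rule("block", "block 12.166.84.3", src="12.166.84.3")
    own = [block_peer, pass_ovpn] if block_first else [pass_ovpn, block_peer]
    return {"wan": stock + own}


if __name__ == "__main__":
    req = inbound_from_reply(TCPDUMP_REPLY)
    print("inbound request:", req)
    print("block rule below OpenVPN pass:", evaluate(wan_tab(False), req))
    print("block rule above OpenVPN pass:", evaluate(wan_tab(True), req))
```

With the block rule placed below the OpenVPN pass rule, the request from 12.166.84.3:34246 to port 1194 is accepted by the pass rule and the block rule is never reached, which is also why it never logs anything. Moving the block rule above the pass rule makes it the first match. A packet entering on LAN is never evaluated against the WAN tab at all.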
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.