OpenVPN strange IP
-
This is going to sound strange.
I found my firewall trying to make a connection from my outside interface to 12.166.84.3 on port 1194 every 10 seconds.
tcpdump:
18:26:54.113516 IP xx.xx.xx.xx.1194 > 12.166.84.3.34246: UDP, length 68
18:26:54.184279 IP 12.166.84.3 > xx.xx.xx.xx: ICMP 12.166.84.3 udp port 34246 unreachable, length 92
18:27:04.652174 IP xx.xx.xx.xx.1194 > 12.166.84.3.34246: UDP, length 68
18:27:04.652207 IP xx.xx.xx.xx > 12.166.84.3.34246: UDP, length 68
18:27:04.705128 IP 12.166.84.3 > xx.xx.xx.xx: ICMP 12.166.84.3 udp port 34246 unreachable, length 92
18:27:04.713316 IP 12.166.84.3 > xx.xx.xx.xx: ICMP 12.166.84.3 udp port 34246 unreachable, length 92
OpenVPN log:
Mar 28 19:03:07 openvpn[21268]: UDPv4 link remote: 12.166.84.3:34246
Mar 28 19:03:07 openvpn[21268]: UDPv4 link local (bound): [undef]:1194
Mar 28 19:03:07 openvpn[21268]: Preserving previous TUN/TAP instance: tun0
Mar 28 19:03:07 openvpn[21268]: TCP/UDP: Preserving recently used remote address: 12.166.84.3:34246
Mar 28 19:03:07 openvpn[21268]: LZO compression initialized
Mar 28 19:03:07 openvpn[21268]: Re-using pre-shared static key
Mar 28 19:03:05 openvpn[21268]: SIGUSR1[soft,ping-restart] received, process restarting
After seeing this, I added a rule to the WAN to block 12.166.84.3 both source and destination for all ports after the 2 default block rules.
I sniffed the internal interface and found nothing.
2 questions:
Where are these packets coming from?
Why doesn't the rule block these packets? -
I assume you're running an OpenVPN server and opened the ports to this server to the WAN.
pfSense isn't sending packets on its own. It's responding to a request from outside.
1: Someone is trying to connect to your OpenVPN server.
2: Did you misconfigure your rules? Can you show screenshots? -
Thanks for the quick reply.
Yes, I do have an OpenVPN setup. Attached is a partial copy of the rules; it should be blocking and logging these packets.
I still don't think it is a host trying to get in. A couple of reasons: my outside interface is using port 1194, and the 12.166.84.3 IP is using 34246. Wouldn't they be coming in on 1194? Also, I don't see any of these packets on the inside interface. If pfSense was blocking them it should be logging them, therefore they must be originating on the outside interface, right?
![Picture 1.png](/public/imported_attachments/1/Picture 1.png)
-
You misunderstand how the rules work.
http://forum.pfsense.org/index.php/topic,7001.0.html
Rules:
Rules are processed from top to bottom.
If a rule catches, the rest of the rules are no longer considered.
By default a "block all" rule is always in place (invisible below your own rules).
Traffic is filtered on the interface on which traffic comes in.
So traffic coming in on the LAN interface will only be processed by the rules you define on the LAN tab.
> A couple of reasons: my outside interface is using port 1194, and the 12.166.84.3 IP is using 34246.
Each connection has a destination-port and a source-port.
Only the destination is 1194. The source can be something random between 1024+ ~ 65535.
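
The rule processing described in the post above, as an added example that is not part of the original thread: a small model of top-down, first-match evaluation on the interface a packet comes in on, with the implicit block-all at the end. The `Rule` and `Packet` types and both rule sets are constructed for illustration; only the address and the two ports come from the thread.

```python
# Added example: first-match, per-interface rule evaluation.
# Rule, Packet and both rule sets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    proto: str = "any"               # "udp", "tcp" or "any"
    src: str = "any"                 # CIDR or "any"
    dst_port: Optional[int] = None   # None matches every port

@dataclass
class Packet:
    iface: str      # interface the packet comes in on
    proto: str
    src: str
    src_port: int   # carried for completeness; no rule here matches on it
    dst_port: int

def matches(rule, pkt):
    if rule.proto not in ("any", pkt.proto):
        return False
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port

def evaluate(tabs, pkt):
    """Return (action, rule index); index is None for the implicit block-all."""
    for i, rule in enumerate(tabs.get(pkt.iface, [])):
        if matches(rule, pkt):
            return rule.action, i      # first match wins, later rules are skipped
    return "block", None               # invisible default rule

PEER = "12.166.84.3"
pass_vpn = Rule("pass", proto="udp", dst_port=1194)
block_peer = Rule("block", src=PEER + "/32")

pass_first = {"WAN": [pass_vpn, block_peer], "LAN": [Rule("pass")]}
block_first = {"WAN": [block_peer, pass_vpn], "LAN": [Rule("pass")]}

inbound = Packet("WAN", "udp", PEER, 34246, 1194)

if __name__ == "__main__":
    print(evaluate(pass_first, inbound))    # pass rule above the block rule
    print(evaluate(block_first, inbound))   # block rule on top
    print(evaluate(pass_first, Packet("WAN", "tcp", "198.51.100.7", 40000, 22)))
```

The returned index shows which rule decided the packet, so swapping the order of the two WAN rules changes the outcome for the same packet.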