UDP broadcast packets routing



  • Hi Guys,

    I am facing an issue with pfsense 1.2.2. While sniffing the traffic going out through the WAN interface I noticed that the UDP broadcast packets (originated from the LAN) are routed out. This is not good for me and I am trying to block this. Until now I couldn't find a solution. Can you help me with some hints?

    Thanks!



  • Actually I don't believe you that broadcast packets are routed.
    Can you show anything to support that? (screenshots)



  • This is about storm caused by multicast going to WAN.
    http://forum.pfsense.org/index.php/topic,15819.0.html

    I can send config.xml, tcpdumps to you … you can easily reproduce it.



  • Please check the attached screenshot. I am pinging the broadcast on one network and you can see that the packet is routed and NATed on the other side of the firewall.
    The pfsense firewall is connected to 1 LAN and 2 WAN links (it is a test lab right now, that is why you can see 192.168.1.x and 192.168.3.x) and it is doing load balancing between them. NAT is used on only one WAN connection.
    I have a pretty serious issue because routing broadcast packets is causing a massive broadcast storm. And it seems not only UDP is routed but all the broadcast…
    If you need more data please let me know.

    Thanks!




  • @roinar:

    Please check the attached screenshot. I am pinging the broadcast on one network and you can see that the packet is routed and NATed on the other side of the firewall.
    The pfsense firewall is connected to 1 LAN and 2 WAN links (it is a test lab right now, that is why you can see 192.168.1.x and 192.168.3.x) and it is doing load balancing between them. NAT is used on only one WAN connection.
    I have a pretty serious issue because routing broadcast packets is causing a massive broadcast storm. And it seems not only UDP is routed but all the broadcast…
    If you need more data please let me know.

    Thanks!

    I bet you have a load balancer in place! Because without a load balancer pf does not route multicast/broadcast traffic.
    As a workaround I use simple rules (put them as the first rules):
    block all from any to 224.0.0.0/4 - all multicast
    block all from any to 255.0.0.0/4 - broadcast
    block all from any to x.y.z.255/32 - broadcast, where x.y.z is the subnet connected to this interface
    and make sure you do not have entries
    allow all from any to …. Instead of 'from any' use 'from x.y.z.0/24' - your subnet

    Edited:
    BTW http://redmine.pfsense.org/issues/show/9
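    A quick way to verify whether the leak described in this thread is happening (or whether the block rules above took effect) is to parse a tcpdump capture taken on the WAN side and flag any multicast, limited-broadcast or directed-broadcast destination. The script below is an added example, not code from the thread; the capture lines are constructed to mimic `tcpdump -n` output and the two LAN subnets are taken from the lab setup mentioned above (192.168.1.0/24 and 192.168.3.0/24).

```python
import ipaddress
import re

# Constructed sample of what `tcpdump -n` on the WAN interface might show
# (not from the original post). The broadcast pings, the NetBIOS and DHCP
# broadcasts and the mDNS multicast should never leave through WAN.
SAMPLE_WAN_CAPTURE = """\
10:01:02.000001 IP 192.168.1.20 > 192.168.1.255: ICMP echo request, id 1, seq 1, length 64
10:01:02.000105 IP 192.168.1.20.137 > 192.168.1.255.137: UDP, length 50
10:01:02.000210 IP 192.168.3.7.68 > 255.255.255.255.67: UDP, length 300
10:01:02.000315 IP 192.168.1.20.5353 > 224.0.0.251.5353: UDP, length 80
10:01:02.000420 IP 192.168.1.20.50000 > 198.51.100.10.443: UDP, length 120
"""

# Subnets attached to the firewall's LAN side (from the lab described above).
LAN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("192.168.3.0/24")]

# tcpdump prints "a.b.c.d.port" for UDP/TCP and bare "a.b.c.d" for ICMP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<proto>\w+)")


def classify_destination(dst, lan_subnets=LAN_SUBNETS):
    """Return why a destination is not plain unicast, or None if it is."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"
    if addr.is_multicast:  # 224.0.0.0/4
        return "multicast"
    for net in lan_subnets:
        if addr == net.broadcast_address:  # e.g. 192.168.1.255
            return f"directed broadcast for {net}"
    return None


def find_leaked_broadcasts(capture, lan_subnets=LAN_SUBNETS):
    """Parse WAN-side tcpdump output and list frames that should have been dropped."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-IPv4 or unparsable lines
        reason = classify_destination(m["dst"], lan_subnets)
        if reason:
            leaks.append((m["src"], m["dst"], m["proto"], reason))
    return leaks


if __name__ == "__main__":
    for src, dst, proto, reason in find_leaked_broadcasts(SAMPLE_WAN_CAPTURE):
        print(f"{proto:<4} {src} -> {dst}: {reason}")
```

    An empty result on a real WAN capture while broadcast pings run on the LAN means the firewall is no longer forwarding them.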



  • Yes, I do have load balancer in place :) Thanks for the tip, I will try out your workaround although I want to see if 1.2.3RC1 release is having the same issue.
    I will keep you updated if you are interested.



  • @roinar:

    Yes, I do have load balancer in place :) Thanks for the tip, I will try out your workaround although I want to see if 1.2.3RC1 release is having the same issue.
    I will keep you updated if you are interested.

    It does have the same issue.



  • Confirmed! 1.2.3RC1 is also routing broadcast packets when load balancer is configured.

