random broadcast storms



  • hi
    i have 2 pfsense in a vmware environment, in a cluster.
    it's been working for over a year now. a few months ago, random broadcast storms started to appear. currently they are on the latest version. i've already re-installed the main unit to exclude any software problem, but something is still causing the storms. in order to "escape" the problem when it occurs, i'm restarting the main unit, clearing the storm from the physical switches and the problem goes away until the next time. it happens on average 1-2 times in a 2 week time frame. different time each occurrence. how can i detect it when it happens? maybe a monitor i can use? a log i can search?

    thank you


  • LAYER 8

    switchports begin to spew out broadcast traffic onto the network when there is a hardware failure,
    a defective network card inside a pc was able to take down my network once,
    loops in switch ..
    packet capture or Wireshark can help you when you see a broadcast storm



  • thank you. i've learned that one of the hosts is doing the flood. but i can't find the cause or how to block it. this host keeps pounding packets on the broadcast of the pfsense. its destination is 192.168.104.255:138 or 192.168.104.255:137 all the time (the pfsense is 192.168.104.254)
    is there a way to block these packets so they won't be forwarded?


  • LAYER 8

    192.168.104.255:137 / 138

    it should be netbios from windows, file and printer sharing
    a broadcast storm from that is strange
    you can disable netbios from the network card settings if you don't need it

    • Open Network Connection Properties.
    • Select TCP/IP v4.
    • Click Advanced, then select the WINS tab.
    • Select 'Disable NetBIOS over TCP/IP'.
    • Click OK and reboot the computer.

    maybe malware?



  • @pfsenseuser2020 Looks like ports 137 and 138 are Netbios and/or Windows File Sharing CIFS ports. Do you maybe have a NAS or file server that's misbehaving, or infected?

    https://library.netapp.com/ecmdocs/ECMP1155586/html/GUID-4645E16A-6CB1-4A71-8420-05749894E857.html

    https://forum.netgate.com/topic/83433/log-flooded-with-port-137-138-udp

    But, I agree with @kiokoman, if possible, turn it off at the host's network card.

    Jeff
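
One way to find the flooding host from a packet capture, as asked at the top of the thread. This is an added example, not part of any post: it reads text in the format of `tcpdump -nn -tt -q` and reports sources whose broadcast rate reaches a threshold. The /24 mask, the 100 packets-per-second threshold and the sample hosts (.37, .20) are assumptions; the thread gives only .254 and .255.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the LAN is 192.168.104.0/24 (the thread only gives .254 and .255).
LAN = ip_network("192.168.104.0/24")
BROADCASTS = {LAN.broadcast_address, ip_address("255.255.255.255")}

# Matches `tcpdump -nn -tt -q` lines:
#   "<epoch>.<usec> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
LINE = re.compile(
    r"^(\d+)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP"
)

def broadcast_talkers(lines, threshold_pps=100):
    """Return {(src, dport): peak packets per second} for every source whose
    broadcast rate reaches threshold_pps in any one-second bucket."""
    per_second = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # non-UDP or unparsable line
        second, src, _sport, dst, dport = m.groups()
        if ip_address(dst) in BROADCASTS:
            per_second[(src, int(dport), int(second))] += 1
    peaks = {}
    for (src, dport, _sec), count in per_second.items():
        if count >= threshold_pps:
            peaks[(src, dport)] = max(peaks.get((src, dport), 0), count)
    return peaks

def constructed_sample():
    """Constructed capture: one host flooding NetBIOS, one behaving normally."""
    lines = []
    for i in range(500):  # 500 datagrams inside one second from a made-up host
        lines.append(f"1700000000.{i:06d} IP 192.168.104.37.137 > "
                     "192.168.104.255.137: UDP, length 50")
    for i in range(3):    # background: one datagram per second from another host
        lines.append(f"170000000{i}.500000 IP 192.168.104.20.138 > "
                     "192.168.104.255.138: UDP, length 201")
    # Unicast traffic to the firewall is not counted as broadcast.
    lines.append("1700000001.000000 IP 192.168.104.37.51000 > "
                 "192.168.104.254.53: UDP, length 40")
    return lines

if __name__ == "__main__":
    for (src, dport), pps in broadcast_talkers(constructed_sample()).items():
        print(f"{src} -> broadcast udp/{dport}: peak {pps} pps")
```

Each source it reports is an IP address to match against the switch MAC table or the VMware port group to locate the machine.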

