Should I add a firewall rule to WAN?
-
Hello,
Just successfully set up my first pfSense unit. Everything is working fine and solid as a rock. But I have 2 questions that bother me:
-
I checked Diagnostics: System Logs: Firewall and found tons of blocks, in and out on WAN, due to the default deny rule. More than 50 "@61 Block Drop…" entries in less than half an hour. Is this normal? I later found out I can get rid of most if not all of the blocks by adding a catch-all firewall rule to the WAN interface as follows: * * * * * * . This goes after the 2 default rules that block private and bogon networks. Should I do this? Or is there a better way?
-
Secondly, after connecting my Comcast modem to the pfSense router my download speed was cut in half, from 16 Mbit to 8 Mbit. Later I found out my download per thread was cut in half to a max of 4 Mbit per thread. Meaning I have to increase my download threads from 2 to 4 concurrent connections to reach my max download capacity of 16 Mbit. Previously, with my modem connected directly to the PC, I could easily max out my 16 Mbit cable connection with just 1 download thread. Question is, does pfSense auto-cap a download thread to 4 Mbit or less? How can I fix this?
Thanks in advance.
-
-
If you care enough about security to have a separate firewall box you probably want to know about strangers who come knocking on your front door.
As to whether what you are seeing is normal: it's hard to say because you don't provide anywhere near enough information. (A few log messages would be helpful to anyone wanting to form an opinion about normality.)
If you decide (after careful analysis) that this traffic is really harmless and you don't want to be informed about it you could add a carefully crafted block rule with no logging. (For example, the traffic might come from a single address or might have a consistent port number that you are pretty sure you won't want to use.)
Is your WAN IP address static or dynamic? If dynamic, you may be seeing traffic that was originally intended for the previous user of that address, in which case it may die away over time.
-
My WAN IP is DHCP provided by Comcast. The pfSense unit is a standard build with nothing added besides the default settings for WAN (block private networks and bogons) and LAN. Nothing special.
It seems no additional firewall rule is necessary for the WAN based on many pfSense installation guides I'm seeing. Is this true? Under the WAN firewall rules it mentions that if no firewall rules are set for WAN it would not pass anything. But how come I can still access the internet from LAN to WAN?
Thus I'm slightly confused. Should a firewall rule be needed for WAN to pass data or not?
Secondly, does pfSense perform any traffic shaping/QoS by default? I noticed my Comcast speed via speedtest.net was cut in half.
-
Okay, attached is my firewall log.
Can anyone tell me why I have so many @61 blocks? Thanks
BTW, why is there a warning message on the WAN firewall to add a firewall rule? No installation guide mentioned I need to add a rule for WAN.
-
This is my WAN firewall rule
-
and my LAN.
-
My understanding is that the firewall rules apply only to incoming traffic on an interface. And when a "connection" is "initiated", a kernel data structure is created for that connection, effectively creating a new firewall rule allowing traffic that matches that connection.
Thus in the default configuration, when the LAN side initiates an HTTP connection to the WAN side, incoming data from the WAN side that matches that connection is temporarily allowed. If a system on the WAN side attempts to establish an HTTP connection to a system on the LAN side then it will fail because there isn't a firewall rule (in the default configuration) allowing it.
With regard to the firewall log, a fair proportion of the logged traffic looks like it's probably DHCP requests to assign an address.
Is your Internet connection over cable TV? I believe that type of medium is a broadcast medium, so everyone potentially sees all the traffic from a number of users. Thus you will see the DHCP request traffic to the broadcast address. This traffic is probably of no interest to you and is probably not an indication of someone trying to break in, so you could add a firewall rule on the WAN interface to block UDP traffic to the broadcast address (255.255.255.255) and port 68 with logging disabled. Let that run for a while and see what traffic is now logged.
-
BTW, why is there a warning message on the WAN firewall to add a firewall rule? No installation guide mentioned I need to add a rule for WAN.
What's the text of the message? What's the context - on what screen does it appear? (I don't see it on my system on Firewall -> Rules, WAN interface.)
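The two points made in the reply above (a "pass" that creates state lets the return traffic in without any WAN rule, and an unlogged block rule makes the DHCP broadcast noise disappear from the log while leaving the default deny logged) can be seen in a small simulation. The following is an added example written for this thread, not pfSense or pf source code. It models pf loosely: rules are evaluated on the interface a packet arrives on, the first match wins, a matching pass creates a state entry, and state is checked before the rules. NAT is left out, so state is keyed on the original 5-tuple. The addresses, the rule comments, and the four packets are constructed for the demonstration.

```python
"""Toy stateful packet filter: why LAN-initiated traffic needs no WAN rule,
and how an unlogged block rule hides DHCP broadcast noise.

Added example, not pfSense or pf code. Simplifications: rules apply to
packets arriving on an interface, first match wins, a pass creates state,
state is consulted before the rules, and NAT is omitted. All addresses and
packets are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "wan" or "lan"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str                   # applies to packets arriving on this interface
    action: str                  # "pass" or "block"
    comment: str                 # what the GUI comment field would say
    proto: Optional[str] = None  # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.proto in (None, p.proto)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


class StatefulFilter:
    # Implicit last rule: block and log anything no explicit rule matched.
    DEFAULT_DENY = Rule(iface="*", action="block", comment="default deny", log=True)

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()        # 5-tuples of flows that a pass rule created
        self.log: List[str] = []   # what would show up in the firewall log

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        # 1. State lookup first: either direction of an established flow is
        #    accepted on any interface without consulting the rules.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass (state)"
        # 2. Explicit rules, first match wins; otherwise the default deny.
        rule = next((r for r in self.rules if r.matches(p)), self.DEFAULT_DENY)
        if rule.log:
            self.log.append(f"{rule.action} in on {p.iface} {p.proto} "
                            f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{rule.comment}]")
        if rule.action == "pass":
            self.states.add(self._key(p))   # new flow: remember it for replies
        return f"{rule.action} ({rule.comment})"


def build_filter() -> StatefulFilter:
    return StatefulFilter([
        # Quiet block for DHCP server broadcasts seen on a shared cable
        # segment (UDP to 255.255.255.255 port 68), as suggested in the thread.
        Rule("wan", "block", "DHCP broadcast noise",
             proto="udp", dst="255.255.255.255", dport=68, log=False),
        # The default LAN rule: anything from LAN may go out.
        Rule("lan", "pass", "LAN to any"),
        # Deliberately no pass rule on WAN: unsolicited inbound hits default deny.
    ])


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("lan", "tcp", "192.168.1.10", 51000, "203.0.113.5", 80),    # LAN opens HTTP
    Packet("wan", "tcp", "203.0.113.5", 80, "192.168.1.10", 51000),    # server's reply
    Packet("wan", "tcp", "198.51.100.7", 4444, "192.168.1.10", 80),    # stranger knocking
    Packet("wan", "udp", "10.0.0.1", 67, "255.255.255.255", 68),       # ISP DHCP broadcast
]


def run_demo() -> Tuple[List[str], List[str]]:
    fw = build_filter()
    verdicts = [fw.process(p) for p in SAMPLE_PACKETS]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for p, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{p.iface:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: {v}")
    print("logged entries:", *log, sep="\n  ")
```

Running it shows the LAN-initiated connection passing, its reply passing on WAN purely by state, the unsolicited WAN connection attempt blocked and logged, and the DHCP broadcast blocked silently, so the log ends up containing only the one entry worth looking at. The same holds for the real rule: put the quiet block ahead of the logging default deny, let it run, and treat whatever still appears in the log as the traffic to examine.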
-
Okay, this is my new firewall rule for WAN. Seems to do the trick, but is it set up correctly? Thanks
-
Okay, this is my new firewall rule for WAN. Seems to do the trick, but is it set up correctly? Thanks
Looks good to me. You might want to add something in the comment field to help you remember why you added it.
-
This link will be helpful. I have 2 cable connections at 2 locations and had this same issue.
http://forum.pfsense.org/index.php/topic,14131.0.html
-
Thanks, that resolved most of my blocked log issues. Meanwhile, can anyone help with my second question from the 1st post? Does pfSense by default also limit each download thread to 4 Mbit?