Netgate Discussion Forum

Prevent log of port 10001 in firewall log

Firewalling
18 Posts 3 Posters 1.5k Views
    Felix 4
    last edited by Jan 22, 2023, 8:33 AM

    Hi,

    I have purchased a UniFi USW-Lite 8 port switch and was looking forward to getting a good switch. As such, it also works fine, but I am being driven to the brink by all the Ubiquiti Device Discovery Service records that keep coming up in my pfSense log file (port 10001).
    For the ports I do not want to see in the log file, as can be seen in the attached photo, I have created reject rules that stop them before they reach Block All Outbound Not Permitted Previously, which logs everything.
    I have tried in vain to make similar rules for port 10001 and the IP address it comes from, both IPv4 and IPv6, regardless of the fact that all IPv6 is totally disconnected in my 4100 device, but nothing helps; they still appear continuously in the log file.
    I have tried to log in to the UniFi USW-Lite 8 with PuTTY and close discovery, as shown in the photo, since it is the only ubnt device I have; it does not work either.

    Is there anyone here who can help?
    ;o)
    Attachments: ipv4.jpg, IPV6.jpg, remove from log.png, Ubnt.jpg

      NogBadTheBad @Felix 4
      last edited by NogBadTheBad Jan 22, 2023, 8:43 AM Jan 22, 2023, 8:40 AM

      @felix-4 create a block rule, set it to don’t log and place it above your pass rule.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        Felix 4 @NogBadTheBad
        last edited by Jan 22, 2023, 8:48 AM

        @nogbadthebad

        Thanks for reply,

        I have tried that, put them at the very top, but it has no effect.

          NogBadTheBad @Felix 4
          last edited by Jan 22, 2023, 8:51 AM

          @felix-4 Try killing the firewall states

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            Felix 4 @NogBadTheBad
            last edited by Jan 22, 2023, 8:56 AM

            @nogbadthebad
            You can see the rule I've made in one of the photos I've attached; it's the one for IPv6. It should be OK. A similar one for IPv4 is also created; it just didn't show up in my photo.
            During my tests, I have placed them at the top, without effect.

            There are no states from the switch IP. I've tried rebooting pfSense after doing what you suggest, again to no avail. The firewall log is jammed with info about port 10001.

              NogBadTheBad @Felix 4
              last edited by NogBadTheBad Jan 22, 2023, 10:23 AM Jan 22, 2023, 10:06 AM

              @felix-4 You could try changing the global setting Status -> System Logs -> Settings -> Log firewall default blocks.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                Felix 4 @NogBadTheBad
                last edited by Jan 22, 2023, 10:51 AM

                @nogbadthebad

                I have disconnected 4-5 sites that deal with IPv6, so all sites that deal with it are disconnected.

                I have tested unchecking Log Packets from Default Block Rules and it works. However, it apparently works too well, because the information about attacks on my WAN IP also disappears.
                It's a solution, but I'm puzzled by the discovery from ubnt: why can't it be blocked from the log in a similar way to ports 137-139 and similar?
                After I disable what you suggest, my log does not update with WAN info. Then again, you could make a logging rule, but that is a major circumvention.

                  Felix 4 @NogBadTheBad
                  last edited by Jan 22, 2023, 11:07 AM

                  @nogbadthebad

                  Your solution, where I configure what to log, is a workaround. I would really like to know why you can't use the normal solution, the one you mentioned in the first place, and which I have also used until now when there were irrelevant things in the log that needed to be stopped from occurring.
                  What makes that switch so difficult to handle?

                    Felix 4 @NogBadTheBad
                    last edited by Jan 22, 2023, 4:24 PM

                    @nogbadthebad

                    NogBadTheBad, thanks for your help today; it has provided a temporary solution to the problem. I am very happy for your help.

                    If someone comes across this thread who can see why normal rules for eliminating events in the firewall log do not work in this case, you are very welcome to write.
                    I'm not the kind of person who settles for the fact that it's resolved now and doesn't think about it anymore. I would like to get to the bottom of it and know what is at the root of the challenges in this case.

                    ;o)

                      johnpoz LAYER 8 Global Moderator @Felix 4
                      last edited by Jan 22, 2023, 4:43 PM

                      @felix-4 well, block all IPv6 is a rule that is hidden and evaluated early, which would explain why that is showing up.

                      That first rule doesn't show it was ever evaluated; see the 0/0 B on it, which means nothing ever matched it.

                      I would just turn off the block all IPv6, to be honest. If you're not running IPv6 and have no rules to allow it, it's just going to create noise in your logs.

                      I don't see anything in those rules that would prevent the noise you posted. The block all IPv6 is early, which explains why your rule shows no evaluations.

                      I don't see any rule that would block but not log that traffic to broadcast 10001; your 2nd rule's description doesn't list port 10001.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                        Felix 4 @johnpoz
                        last edited by Jan 23, 2023, 11:26 AM

                        @johnpoz

                        Thanks for reply,

                        If you do not see a rule that prevents the "noise" that comes into the log as shown, both from and to an IPv6 address and from and to an IPv4 address, then could you add a proposal for a solution to the problem?
                        What would you suggest as a rule to prevent that noise?

                        ;o)

                          johnpoz LAYER 8 Global Moderator @Felix 4
                          last edited by johnpoz Jan 23, 2023, 11:32 AM Jan 23, 2023, 11:29 AM

                          @felix-4 as I already said, turn off the block all IPv6.

                          Check this box:

                          checkbox.jpg

                          As to that port 10001, you need a rule that would match it. You don't have such a rule: your 1st rule has an IPv6 source, which that traffic is not, and your IPv6 block blocks it before that rule is even evaluated anyway. Your 2nd rule: add port 10001 to your alias.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

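                          A worked illustration of the rule-ordering point made in the post above, added here as an example and not taken from the thread or from pfSense's own generated ruleset: a simplified pf ruleset fragment in the style pfSense writes to /tmp/rules.debug, with the weak ordering that keeps logging the discovery broadcasts beside the corrected one. The interface name, the alias names and contents, and the labels are assumptions; only the behaviour (hidden IPv6 block evaluated first, alias missing 10001, default deny logging) comes from the posts.

```pf
# Added example, not code from the thread or from pfSense itself.
# Simplified pf ruleset in the style pfSense generates. Interface name,
# alias names/contents and labels are assumptions for illustration.

lan = "igc1"                      # assumed LAN interface
NoLogPorts = "{ 137 138 139 }"    # ports the user already drops silently

# ---- Weak ordering (what the thread's screenshots describe) ----------
# Hidden rule pfSense adds while "Allow IPv6" is unchecked. It sits before
# every user rule and logs, so the user's own IPv6 "block, no log" rule
# below never sees a packet (its counters stay at 0/0).
block in log quick inet6 all label "Block all IPv6"

# User rule meant to silence IPv6 discovery noise; never reached.
block in quick on $lan inet6 proto udp from any to any port 10001 label "silent v6 drop"

# Silent drop for the alias, but 10001 is not in the alias, so the
# UDP broadcast to 255.255.255.255:10001 falls through ...
block in quick on $lan inet proto { tcp udp } from any to any port $NoLogPorts label "silent drop"

# ... to the logged default deny, which is where the log spam comes from.
block in log inet all label "Default deny rule IPv4"

# ---- Corrected ordering ------------------------------------------------
# 1. "Allow IPv6" checked: the hidden early block goes away, so user rules
#    are evaluated before the default deny (IPv6 with no pass rule is
#    still denied there).
# 2. 10001 added to the alias so the silent drop matches the discovery
#    broadcasts before the logged default deny ever sees them.
NoLogPortsFixed = "{ 137 138 139 10001 }"
block in quick on $lan inet proto { tcp udp } from any to any port $NoLogPortsFixed label "silent drop"
block in quick on $lan inet6 proto udp from any to any port 10001 label "silent v6 drop"
block in log inet all label "Default deny rule IPv4"
block in log inet6 all label "Default deny rule IPv6"
```

                          On a pfSense shell, `pfctl -vvsr` prints each loaded rule with its Evaluations and Packets counters, the command-line counterpart of the 0/0 B column in the GUI: a silent block rule whose counters stay at zero is sitting below something that already matched the traffic, so the fix is ordering or matching, not another copy of the rule.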
                            Felix 4 @johnpoz
                            last edited by Jan 29, 2023, 4:20 PM

                            @johnpoz
                            Many thanks johnpoz, now I have stopped the ubnt spam in my log file.
                            I have been incredibly careful to disable all IPv6 everywhere in pfSense. This is because I don't know enough about it to take care of those setups, and handling IPv6 in general.
                            Is there anything security-wise I should be aware of now that I have allowed IPv6 based on your recommendation?
                            Otherwise, I'd rather buy another switch that doesn't cause those problems.

                              johnpoz LAYER 8 Global Moderator @Felix 4
                              last edited by Jan 29, 2023, 4:26 PM

                              @felix-4 said in Prevent log of port 10001 in firewall log:

                              I'd rather buy another switch that doesn't cause those problems.

                              And why do you think a switch is causing this? None of your logging had anything to do with any switch.

                              Do you have any rules that allow IPv6? If not, then it's blocked. Did you set up IPv6 on your WAN? Set it to none. Did you set up IPv6 on your LAN via track on your WAN? Set it to none.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                                Felix 4 @johnpoz
                                last edited by Jan 29, 2023, 4:33 PM

                                @johnpoz

                                It started when I installed my new switch as described. It constantly broadcasts discovery on port 10001, and apparently it cannot be disabled on the model I have.

                                https://help.ui.com/hc/en-us/articles/204976244-EdgeRouter-Ubiquiti-Device-Discovery

                                  johnpoz LAYER 8 Global Moderator @Felix 4
                                  last edited by Jan 29, 2023, 4:49 PM

                                  @felix-4 EdgeRouter is not a "switch".

                                  Broadcasting discovery has little to do with pfSense logging. Yeah, lots of stuff sends out noise; you should see the noise all my smart lightbulbs send out. It's multicast, so I block it at the switch, but also I don't log it.

                                  That article you linked to directly says how to disable it ;) on the EdgeRouter.

                                  You probably want to turn this off in your controller: scan from devices.

                                  https://community.ui.com/questions/Edgeswitchs-24-Lite-network-discovery-options-activate-on-their-own-after-deactivating-them/386aedf5-ad38-40d3-8470-db9d2a71ed21?page=1

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    Felix 4 @johnpoz
                                    last edited by Jan 29, 2023, 5:13 PM

                                    @johnpoz
                                    Yes, my switch is not the type mentioned; it was more to show the problem. I have found several links like the one you found, and as you can see from my photo, I log into the switch directly; it seems to receive the command to disable discovery, it just doesn't work. I have examined all the settings in the UniFi Network Application that manages the switch, but have not found anything useful.
                                    That's why I have to sweep it out of pfSense's log. It's usually not a problem, just in this case.
                                    Noise must be removed so that relevant information relating to security can be easily observed.

                                      johnpoz LAYER 8 Global Moderator @Felix 4
                                      last edited by Jan 29, 2023, 5:38 PM

                                      @felix-4 I concur it's better to remove the noise from the network if possible. But not logging it is simple as well.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.