Prevent log of port 10001 in firewall log

Felix 4 · Jan 22, 2023, 8:33 AM

Hi,

I have purchased a UniFi USW-Lite 8 port switch and am was looking forward to getting a good switch. As such, it also works fine, but I am being driven to the brink of all the Ubiquiti Device Discovery Service records that keep coming up in my PfSens log file. (port 10001)
For the ports I do not want to see in the log file, as can be seen in the attached photo, I have created reject rules that stop it before they reach Block All Outbound Not Permitted Previously, which logs everything.
I have tried in vain to make similar rules for port 10001, the ip address it comes from, both IPV4 and IPV6 regardless All IPV6 is total disconnected in my 4100 device, but nothing helps, they still appear continuously in the log file.
I have tried to log in to the UniFi USW-Lite 8 with putty, and close discovery, as shown in the photo, since it is the only ubnt device I have, it does not work either.

Is there anyone here who can help
;o)

NogBadTheBad · Jan 22, 2023, 8:43 AM

@felix-4 create a block rule, set it to don’t log and place it above your pass rule.

Felix 4 · Jan 22, 2023, 8:48 AM

@nogbadthebad

Thanks for reply,

I have tried that, puts them at the very top, but it has no effect.

NogBadTheBad · Jan 22, 2023, 8:51 AM

@felix-4 Try killing the firewall states

Felix 4 · Jan 22, 2023, 8:56 AM

@nogbadthebad
You can see the rule I've made in one of the photos I've attached, it's the one for IPV6, it should be ok, a similar one for IPv4 is also created, it didn't show up in my photo.
During my tests, I have backed them up at the top, without effect.

There are no stats from switch ip. I've tried rebooting PfSense after doing what you suggest, again to no avail. The firewall log is jammed with info about port 10001.

NogBadTheBad · Jan 22, 2023, 10:23 AM

@felix-4 You could try changing the global setting Status -> System Logs -> Settings -> Log firewall default blocks.

Felix 4 · Jan 22, 2023, 10:51 AM

@nogbadthebad

I have disconnected a 4 - 5 sites that deal with IPV6, so all sites that deal with it are disconnected.

I have tested unchecking Log Packets from Default Block Rules and it works. However, it apparently works too well, because the information and attacks on my WAN ip also disappear.
It's a solution, but I'm puzzled by the discovery from ubnt, why can't it be blocked from the log, in a similar way as port 137-139 and similar.
After I disconnect what you suggest my log does not update with WAN info. Then again, you could make a log rule about logging, but that is a major circumvention.

Felix 4 · Jan 22, 2023, 11:07 AM

@nogbadthebad

Your solution has if I configure what to log is a workaround. I would really like to know why you can't use the normal solution. The one you mentioned in the first place, and which I have also used until now, if there were irrelevant things in the log that needed to be removed from occurring.
What makes that switch so difficult to handle.

Felix 4 · Jan 22, 2023, 4:24 PM

@nogbadthebad

Nogbadthebad, thanks for your help today, it has provided a temporary solution to the problem. I am very happy for your help.

If someone comes across this thread who can see why normal rules for eliminating events in the firewall log do not work in this case, you are very welcome to write.
I'm not the kind of person who lets me put up with the fact, that now it's resolved, and I don't think about it anymore. I would like to get to the bottom of it, and know, what is at the root of the challenges in this case.

;o)

johnpoz · Jan 22, 2023, 4:43 PM

@felix-4 well block all Ipv6 is a rule that is hidden and evaluated early - which would explain why that is showing up.

That first rule doesn't show it was ever evaluated, see the 0/0 B on it - means nothing ever matched it.

I would just turn off the block all IPv6 to be honest, if your not running IPv6 and have no rules to allow it - its just going to create noise in your logs.

I don't see anything in those rules that would prevent the noise you posted. The block all IPv6 is early, which explains why your rule shows no evaluations.

I don't see any rule that would block but not log that traffic to broadcast 10001, your 2nd rules description doesn't list 10001 port.

Felix 4 · Jan 23, 2023, 11:26 AM

@johnpoz

Thanks for reply,

If you do not see a rule that prevents the "noise" that comes in the log as shown, both from and to an IPV6 address, and from and to an IPV4 address, then can you enrich with a proposal for a solution to the problem.
What would you suggest as a rule, to prevent that noise?

;o)

johnpoz · Jan 29, 2023, 4:20 PM

@felix-4 as I already said turn off the block all IPv6

Check this box

As to that 10001, port you need a rule that would match that.. You don't have such a rule, your 1st rule is a ipv6 source, which that is not, and your ipv6 block, blocks it before that rule is even evaluated anyway. your 2nd rule - add the 10001 port to your alias..

Felix 4 · Jan 29, 2023, 4:20 PM

@johnpoz
Many thanks johnpoz, now I have closed the ubnt spam in my log file.
I have been incredibly careful to disable all IPV6 everywhere in PfSense. This is because I don't know enough about it to take care of those setups. And handling IPV6 in general.
Is there anything security-wise I should be aware of now that I have allowed IPV6 based on your recommendation.
Otherwise, I'd rather buy another switch that doesn't cause those problems.

johnpoz · Jan 29, 2023, 4:26 PM

@felix-4 said in Prevent log of port 10001 in firewall log:

I'd rather buy another switch that doesn't cause those problems.

And why do you think a switch is causing this? None of your logging had anything to do with any switch.

Do you have any rules that allow IPv6? If not then its blocked. Did you setup IPv6 on your wan? Set it to none, did you setup IPv6 on your lan via track on your wan? Set it to none..

Felix 4 · Jan 29, 2023, 4:33 PM

@johnpoz

It started when I installed my new switch as described. It constantly broadcasts discovery on port 10001, and apparently it cannot be disabled on the model I have.

https://help.ui.com/hc/en-us/articles/204976244-EdgeRouter-Ubiquiti-Device-Discovery

johnpoz · Jan 29, 2023, 4:49 PM

@felix-4 Edge router - is not a "switch"

Broadcasting discovery has little to do with pfsense logging.. Yeah lots of stuff send out noise.. you should see the noise all my smart lightbulbs send out.. Its multicast so I block it at the switch, but also I don't log it..

That article you linked to directly says how to disable it ;) on the Edge router..

You prob want to turn this off in your controller, scan from devices..

https://community.ui.com/questions/Edgeswitchs-24-Lite-network-discovery-options-activate-on-their-own-after-deactivating-them/386aedf5-ad38-40d3-8470-db9d2a71ed21?page=1

Felix 4 · Jan 29, 2023, 5:13 PM

@johnpoz
Yes, my switch is not the type mentioned, it was more to show the problem. I have found several links like the one you found, and as you can see from my photo, I log into the switch directly, it seems to receive the command to disable discovery, it just doesn't work. I have examined all the settings in the UniFi NetWork Application that manages the switch, but have not found anything useful.
That's why I have to sweep it in PfSen's log, it's usually not a problem, but just in this case.
Noise must be removed so that relevant information relating to safety can be easily observed.

johnpoz · Jan 29, 2023, 5:38 PM

@felix-4 I concur its better to remove the noise from the network if possible.. But not logging it is simple as well..