weird reports for LAN and Guest blocks
-
Hi,
I see some weird reports in my pfBlockerNG-devl v3.1.0_16 on pfBlockerNG on 23.01 beta.
An IP from the normal LAN is blocked, which is correct.
But at the exact same time the report states that an IP from the Guest also got blocked with the same destination. But on Guest there is no device accessing this destination. How is this possible???
-
@motivio said in weird reports for LAN and Guest blocks:
But on Guest there is no device accessing this destination
How do you know this for sure?
-
@michmoor said in weird reports for LAN and Guest blocks:
@motivio said in weird reports for LAN and Guest blocks:
But on Guest there is no device accessing this destination
How do you know this for sure?
Because I know the other IP and device on the Guest network. And it can't run snapchat. ;-)
-
@motivio Clients don't have to have the app loaded in order to do any DNS queries for snapchat, right? So there is some commonality between clients. There is some reason they are querying for an address that's on the OISD block list you have loaded.
-
@michmoor said in weird reports for LAN and Guest blocks:
@motivio Clients don't have to have the app loaded in order to do any DNS queries for snapchat, right? So there is some commonality between clients. There is some reason they are querying for an address that's on the OISD block list you have loaded.
But the IP on the Guest net is currently an EV charger. I really don't think this device will ever send DNS requests for Snapchat. There seems to be something else happening.
-
@motivio I would first correlate the IP and MAC to make sure it’s the charger.
-
@michmoor said in weird reports for LAN and Guest blocks:
@motivio I would first correlate the IP and MAC to make sure it’s the charger.
I did.
-
@motivio Then your device made a DNS query to snapchat.
If you really want to disprove me or even hunt down what your charger is doing, run a pcap off the pfsense interface specifically looking for dns queries.
-
@michmoor Don't even need to do a packet capture if you're running unbound / DNS Resolver, add the following to the custom options and lookups will show in the logs:-
log-queries: yes
log-replies: yes
log-tag-queryreply: yes
-
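As an added illustration (not code from any poster in this thread), a small Python parser for the Unbound log lines those three options produce, used to list which client IPs actually queried a given name; the log lines, timestamps and FQDNs are constructed samples that reuse the two addresses discussed here, with a `.invalid` placeholder standing in for the real snapchat FQDN.

```python
import re
from collections import defaultdict

# Unbound line format with log-queries/log-replies and log-tag-queryreply: yes.
# query: "info: query: <client> <qname> <qtype> <qclass>"
# reply: "info: reply: <client> <qname> <qtype> <qclass> <rcode> <rtt> <fromcache> <size>"
LINE_RE = re.compile(
    r"info: (?P<kind>query|reply): (?P<client>\S+) (?P<qname>\S+) "
    r"(?P<qtype>\S+) (?P<qclass>\S+)"
    r"(?: (?P<rcode>\S+) (?P<rtt>\S+) (?P<fromcache>\d) (?P<size>\d+))?"
)


def parse_line(line):
    """Return a dict of fields for one Unbound log line, or None if it is not a query/reply."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise trailing dot and case
    return rec


def clients_querying(lines, needle):
    """Map each client IP to the set of queried FQDNs containing `needle` (e.g. 'snapchat')."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "query" and needle in rec["qname"]:
            hits[rec["client"]].add(rec["qname"])
    return dict(hits)


# Constructed sample log: the LAN iPhone asks for a snapchat name, the guest
# charger only asks for a (placeholder) charger backend name.
SAMPLE_LOG = """\
Jan 23 20:15:01 unbound[41632:0] info: query: 192.168.1.202 app.snapchat.invalid. A IN
Jan 23 20:15:01 unbound[41632:0] info: reply: 192.168.1.202 app.snapchat.invalid. A IN NOERROR 0.000000 1 70
Jan 23 20:15:02 unbound[41632:0] info: query: 192.168.100.99 backend.charger.invalid. A IN
Jan 23 20:15:02 unbound[41632:0] info: reply: 192.168.100.99 backend.charger.invalid. A IN NOERROR 0.041234 0 62
""".splitlines()

if __name__ == "__main__":
    for client, names in sorted(clients_querying(SAMPLE_LOG, "snapchat").items()):
        print(client, sorted(names))
```

Feed it the real resolver log (e.g. the lines from Status > System Logs > Resolver) and compare the client list against the source IPs in the pfBlockerNG report for the same timestamps.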
@NogBadTheBad yep you're absolutely right.
-
Here the results from the Log of the DNS Resolver and the report for the same time from pfBlockerNG.
The IP 192.168.100.99 did not send any DNS for snapchat. But in the report it's showing.
-
@motivio The second line shows 192.168.1.202 doing a lookup to a snapchat FQDN.
What is 192.168.1.202?
-
@nogbadthebad said in weird reports for LAN and Guest blocks:
@motivio The second line shows 192.168.1.202 doing a lookup to a snapchat FQDN.
What is 192.168.1.202?
That’s an iPhone of my kids. They are using Snapchat.
-
@motivio I'd just leave it logging for a while and check later.
Might even be an issue with the pfBlocker report.
-
@motivio let's get that pcap started on pfsense.
Not sure how often it's querying for snapchat but let it run until the alert in pfblocker comes up.
Make sure count is set to 0
Stop the capture
Download the capture
Open the capture
Search for the string in the capture. Edit > Find Packet > Set to string