Weird LAN/OPT1 blocks and default deny every second

throttlenerd · Aug 26, 2023, 11:17 AM

Hey guys, I've been very happy with my DIY pfSense 2.6.0 box, worked flawlessly for about 6 months and now I see some weird things I can't understand. I have two physical subnets, LAN and OPT1. LAN for WiFi and "home" devices, OPT1 for "work". My laptop is on static IP either on WiFi or OPT1. Sometimes I can't reach (ping) a server (and another OPT1 computer) on OPT1 when I'm on WiFi (now I even enabled default "LAN to any" rule for test purposes). And sometimes I can, but then all of a sudden it becomes unreachable again. But if I connect my laptop to OPT1 physically -- voila, all good (at all times, no exceptions). There is no blocking rule on OPT1, all traffic from LAN is allowed. The weirdest thing is: when (on WiFi) I ping that OPT1 server (or another computer) from pfSense web interface (Diagnostics > Ping), no matter which Source Address I select from the drop-down menu (Automatic/LAN/OPT1) -- still unreachable. But if I'm connected via cable to OPT1 -- ping works either from macOS terminal and pfSense webinterface. How could webinterface care where do I send the command from, WiFi or LAN? Webinterface command should come "from within the firefall, not from outside macos terminal app"! And when I'm wired to OPT1 and ping from pfsense -- even if I select LAN as "source address" -- all good. This is rather weird. But I'm not an IT guy, yeah )

And another strange thing, saw some like this in forums but didn't find a solution: my firewall logs are filled with this "every second" entry:

LAN | Default deny rule IPv4 (1000000103) | 0.0.0.0:11113 | 255.255.255.255:11111 | UDP

The only logged allow/block rules on LAN are for IP_Cameras alias, WAN rules are default (and not logged, afaik)

LAN and OPT1 settings for blocking private and bogon networks are default -- disabled.

Thank you so much guys!

johnpoz · Aug 26, 2023, 11:32 AM

@throttlenerd said in Weird LAN/OPT1 blocks and default deny every second:

LAN | Default deny rule IPv4 (1000000103) | 0.0.0.0:11113 | 255.255.255.255:11111 | UDP

Well 0.0.0.0 as source is not your "lan net" so yeah that would be blocked.. Even with a any any rule when source is lan net on the rule. That is odd traffic, off the top not sure what 11111 would be.. VCE, is what is listed for that port, but off the top of my head not sure what would be sending such traffic. I would look to see what is sending it, source of 0s doesn't make much sense. If you sniff the traffic you can get the mac address of what is sending it.

throttlenerd · Aug 26, 2023, 12:40 PM

Hi @johnpoz, thank you! Tried Diagnostics > Packet Capture with various settings, no trails of 0.0.0.0 or port 11111....

johnpoz · Aug 26, 2023, 12:57 PM

@throttlenerd well your not sniffing on the correct interface? If your seeing it in the logs that its blocked, then packet capture would capture it.

You sure the traffic is still being seen when your doing the capture - ie are you still logging those denies?