Netgate Discussion Forum
    Default deny rule IPV4(1000000103)

Category: Firewalling. 6 Posts, 3 Posters, 8.1k Views
larryjb

      I've read over the other threads on this, and they appear to be caused by unique setup issues, or I don't understand the solution.

      My router/firewall has been working well since I upgraded to the 23.09.1 release. But suddenly last night, around midnight, we lost internet completely. I could not access any website at all. The firewall logs are almost completely filled with this default deny rule. I have tried rebooting the router, rebooting the modem, loading a previous firewall configuration, resetting back to factory settings and setting up the firewall/router again. Nothing is working. I hooked up an old Netgear router and am able to get Internet.

[image: Dashboard screenshot.jpg]

[image: Netgate firewall logs screenshot.jpg]

larryjb (replying to larryjb)

        Quick update: I tried another factory reset and Internet is now back up. I will save this configuration and see if my old configuration will work.

larryjb (replying to larryjb)

          Further update:
          Due to previous conflicts, I had had the LAN address for the Netgate set for 192.168.1.2. That has worked for years. Suddenly I had to change it to 192.168.1.1 and I cannot get an internet connection unless I have it set to .1. I don't know why this suddenly became an issue at midnight last night. I hope I don't get new surprises either.

Secondly, I was trying to uncheck the Block Private Networks under the WAN interface. Every time I tried, I got the message that the switch port was already in use by another interface. I can't figure this one out either.

Gertjan (replying to larryjb)

            @larryjb said in Default deny rule IPV4(1000000103):

            Due to previous conflicts, I had had the LAN address for the Netgate set for 192.168.1.2. That has worked for years. Suddenly I had to change it to 192.168.1.1 and I cannot get an internet connection unless I have it set to .1. I don't know why this suddenly became an issue at midnight last night. I hope I don't get new surprises either.

pfSense LAN IP 192.168.1.2 ?? Ok, maybe, but, as you saw, it should be 192.168.1.1/24 and that should work just fine.
Why move it to 1.2 ?

Is another interface already using 192.168.1.0/24 ?

            What is the WAN IP ? RFC1918 or not ?

            What are (were) your firewall rules ?
If there are no rules, then you'll hit the default "(1000000103)" block-all rule.
When pfSense is installed, a default pass-all rule will exist on LAN (and LAN only).

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

kmp

              I'm also seeing this to some extent.

              I'm new to pfSense; I just migrated my current environment over to a 4200 that arrived on Friday. (Previously, UBNT EdgeRouter, before that Cisco IOS).

              I have done a few things: first, my addressing for IPv4 is 192.168.0.0/23, I replaced the previous router at 192.168.0.1 (changed the address on the router, yes). I've set up a few firewall rules, mostly to permit some external services in (those being rules on PORT1WAN). (I've also run IPv6 on this network for 10+ years.)

              I will say that I screwed things up by initially setting up an inbound NAT with "PASS"; it took some doing to understand why firewall rules weren't being fired; I tore that stuff down and re-did it correctly.

However, I should emphasize that I'm seeing errors on PORT2LAN. For LAN interfaces, as I understand it, there is no default drop rule; the default is pass, as initially most people won't want to deal with listing outbound permitted traffic on a home network (me, neither). I was getting a lot of these entries when I was playing with the initial setup, but now they mostly seem to be from one host:
[image: firewall log screenshot]

              The syslog message data for this event is:
              4,,,1000000103,igc2,match,block,in,4,0x0,,64,17359,0,DF,6,tcp,83,192.168.0.26,142.251.40.106,33870,443,31,FPA,2329344322:2329344353,23041590,1681,,nop;nop;TS
              I'm guessing without looking it up that the trailing TS might relate to TCP flags (the entry in the log viewer lists TCP-FA) and that that's a clue. The device in question is, by the way, an Apple TV box, so it might not be surprising that they are doing something "interesting" with their data; tracking down some IPv6 questions I found the Apple AirPorts seem to be IPv6 routers (sending out RAs), I hadn't had any reason to look at the network traffic for these in some time and was ... surprised.

              I was about to dig into documentation of the message format, but figured I'd check the forums first and found that this has occurred a few times, so perhaps this additional information will be helpful or maybe relevant. But any ideas would be welcome.

              Thanks!

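The syslog line quoted in the post above is pfSense's filterlog CSV format, and the trailing "TS" is the TCP options list (a timestamp option), not a flag; the flags are the "FPA" field, which decodes to FIN+PSH+ACK. The parser below is an added example written for this thread, not code from the forum posters or from pfSense. It splits a filterlog line into named fields using the documented field order (common prefix, then IPv4/IPv6 fields, then TCP or UDP fields), decodes the TCP flags, and separates default-deny hits that are bare SYNs (real new-connection attempts with no rule to match) from out-of-state packets (ACK/FIN/RST for a session whose pf state entry is already gone, which is the usual cause of "Default deny" entries on a LAN that has a pass rule). The first sample line is the one from the post; the other three, the verdict labels, and all function names are constructed here for illustration.

```python
"""Decode pfSense filterlog lines and triage "Default deny rule" hits.

Added example for this thread, not code from the posts or from pfSense.
The field order follows pfSense's documented filterlog CSV layout.
SAMPLE_LINES[0] is the line quoted in the thread; the other three are
constructed (RFC 5737 documentation addresses for the WAN sample).
"""
from collections import Counter

TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
                  "P": "PSH", "U": "URG", "E": "ECE", "W": "CWR"}

# Field order: common prefix, then IP-version-specific, then protocol-specific.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "interface",
          "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flow", "hoplimit", "proto", "protoid", "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

SAMPLE_LINES = [
    # From the thread: Apple TV -> Google on 443, blocked on igc2 (LAN), flags FPA.
    "4,,,1000000103,igc2,match,block,in,4,0x0,,64,17359,0,DF,6,tcp,83,"
    "192.168.0.26,142.251.40.106,33870,443,31,FPA,2329344322:2329344353,"
    "23041590,1681,,nop;nop;TS",
    # Constructed: same host, a bare FIN/ACK of the same session a moment later.
    "4,,,1000000103,igc2,match,block,in,4,0x0,,64,17360,0,DF,6,tcp,52,"
    "192.168.0.26,142.251.40.106,33870,443,0,FA,2329344353,23041590,1681,,nop;nop;TS",
    # Constructed: unsolicited SYN to port 22 arriving on the WAN (igc0).
    "5,,,1000000103,igc0,match,block,in,4,0x0,,51,0,0,none,6,tcp,60,"
    "203.0.113.7,198.51.100.2,51234,22,0,S,1234567890,,64240,,mss;sackOK;TS;nop;wscale",
    # Constructed: mDNS from the same Apple TV, no pass rule for multicast.
    "4,,,1000000103,igc2,match,block,in,4,0x0,,255,0,0,none,17,udp,63,"
    "192.168.0.26,224.0.0.251,5353,5353,43",
]


def parse_filterlog(line: str) -> dict:
    """Split one filterlog CSV line into named fields.

    A plain split on ',' is safe: the only field with internal separators
    is the TCP options list, which uses ';'.
    """
    fields = line.strip().split(",")
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    if rec.get("ipver") == "4":
        layout = IPV4
    elif rec.get("ipver") == "6":
        layout = IPV6
    else:
        raise ValueError(f"unrecognised IP version in line: {line!r}")
    rec.update(zip(layout, rest))
    rest = rest[len(layout):]
    proto = rec.get("proto", "").lower()
    if proto == "tcp":
        rec.update(zip(TCP, rest))
    elif proto == "udp":
        rec.update(zip(UDP, rest))
    else:
        rec["payload"] = ",".join(rest)  # ICMP/other: keep the remainder raw
    return rec


def decode_tcp_flags(flags: str) -> list:
    """'FPA' -> ['FIN', 'PSH', 'ACK']."""
    return [TCP_FLAG_NAMES.get(c, c) for c in flags]


def triage(rec: dict) -> str:
    """Classify a blocked packet by what it most likely represents.

    pf is stateful: once a session's state entry is gone (idle timeout,
    or torn down after the close handshake/RST), any late packet of that
    session falls through to the catch-all block. Those carry ACK/FIN/RST
    rather than a bare SYN, so they can be separated from genuine
    new-connection attempts, which are the entries worth a closer look.
    """
    if rec.get("action") != "block":
        return "not-blocked"
    if rec.get("proto", "").lower() == "tcp":
        flags = set(rec.get("tcpflags", ""))
        if "S" in flags and "A" not in flags:
            return "new-connection-attempt"
        return "out-of-state-tcp"
    return "blocked-" + rec.get("proto", "other").lower()


def summarize(lines: list) -> list:
    """One (interface, src, dst:port, proto/flags, verdict) tuple per line."""
    out = []
    for line in lines:
        rec = parse_filterlog(line)
        detail = rec["proto"]
        if rec["proto"] == "tcp":
            detail += "/" + "+".join(decode_tcp_flags(rec["tcpflags"]))
        out.append((rec["interface"], rec["src"],
                    f"{rec['dst']}:{rec.get('dstport', '-')}", detail, triage(rec)))
    return out


def top_blocked_sources(lines: list) -> Counter:
    """Which hosts generate the noise (the 'mostly one host' observation)."""
    recs = (parse_filterlog(l) for l in lines)
    return Counter(r["src"] for r in recs if r["action"] == "block")


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print("  ".join(row))
    print("top sources:", top_blocked_sources(SAMPLE_LINES).most_common(3))
```

Feed it the raw lines from /var/log/filter.log (after the syslog prefix and the "filterlog[pid]:" tag are stripped) to get the same breakdown on a live system; a LAN that shows only "out-of-state-tcp" verdicts against tracker 1000000103 has nothing wrong with its rules, while "new-connection-attempt" hits on a LAN interface mean a pass rule really is missing.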
Gertjan (replying to kmp)

                @kmp said in Default deny rule IPV4(1000000103):

                For LAN interfaces, as I understand it, there is no default drop rule,

The default behavior of pf, the firewall used by pfSense, is drop.
                Try it out for yourself : remove all rules from LAN and see what happens.

There is one exception : if you have the DHCP server activated on an interface, pfSense will add pass rules for port 67(68) UDP on that interface.

                @kmp said in Default deny rule IPV4(1000000103):

                the default is pass as initially

When installing pfSense, there will be a PASS ALL on the LAN, and only the LAN. If you assigned other (OPTx) interfaces during installation, none of these interfaces will allow incoming traffic. You have to add rules for all these interfaces yourself in the GUI.

                Btw : because the WAN doesn't have any rules listed in the beginning, the WAN doesn't let any traffic in. This is what most users want.

                @kmp said in Default deny rule IPV4(1000000103):

                I will say that I screwed things up by initially setting up an inbound NAT with "PASS";

When you add a NAT rule, two things happen :
                An address (and port) translation rule is inserted. This rule is listed under Firewall > NAT > Port Forward
                When done, have a look at your WAN firewall rule : there is also a new firewall rule now.
                This is, of course, a PASS rule.
                At the bottom, you'll see

[image: WAN firewall rule screenshot]

It would be best not to edit this rule, as it is maintained by the NAT rule listed under Firewall > NAT > Port Forward

                @larryjb said in Default deny rule IPV4(1000000103):

                Suddenly I had to change it to 192.168.1.1

Ok, nice, but do you mind explaining what the 'suddenly' is about ?
It was written on the wall and you followed the advice ?

                @larryjb said in Default deny rule IPV4(1000000103):

                and I cannot get an internet connection unless I have it set to .1.

You can set any IP on your LAN as long as the LAN network is not the WAN network.
Golden rule number one : just keep the default 192.168.1.1/24 on LAN, connect the WAN to your upstream device or cable, and you'll be fine.
In the past, we all had some modem-type device, so the WAN interface obtained a 'real' Internet WAN IP (non RFC1918).
This changed in the last decade or so; most now use a (modem)+router (so it can integrate VOIP functionality, VOD, and a Wifi access point). These ISP devices, 'boxes', often have a switch integrated and offer an RFC1918 LAN network, and because these devices do "NAT", you get a free firewall. This LAN network can be used with all your home devices. Really nice, as now grandma can set up her own home network without knowing anything.
If this ISP device also uses 192.168.1.1/24, then you have a choice to make : change the ISP box default LAN network 192.168.1.1/24 to something else, like 192.168.2.1/24, or change the pfSense default LAN to something else, like 192.168.10.1/24 (Ok to pick 192.168.10.15/24 but then I really have to ask you : why ????). Some like 192.168.10.254/24

My way of seeing things : because my ISP box is connected to nothing but pfSense, I changed the ISP box default network from 192.168.1.1/24 to 192.168.100.1/24 - the pfSense WAN IP becomes something like 192.168.100.x where x is something between 2 and 254, using the default DHCP client on its WAN.
I've shut down the crappy Wifi of the ISP box, as I have my own dedicated APs, all behind pfSense LANs.

                Btw :

[image: DNS settings screenshot]
                you don't need these.
Keep the KISS process up and running : enter less info, simplify maintenance and possible issues :

[image: DNS settings screenshot]

                and now you can access "the world".
                I had zero DNS issues for the last 15 years of pfSense usage.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.