mDNS :5353 traffic swamping log file...
-
Hi Guys,.. trying to understand why ( and ) where my
Nov 1 16:38:00 LAN1 [fe80::d6f5:47ff:fe46:6d0a]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::d6f5:47ff:fe46:6d0a]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::d6f5:47ff:fe56:b44c]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::d6f5:47ff:fe56:b44c]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::22df:b9ff:fe5a:3da8]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::22df:b9ff:fe5a:3da8]:5353 [ff02::fb]:5353 UDP
Log entries are coming from, and how to stop them logging.
I have tried to create a 'rule' so 5353 port activity on the LAN1 is not logging, by not checking the last log box in the create rule form. My rules look as follows:-
I'm not sure it is required,. but for complete sharing these are my WAN rules:-

But I am at a loss as to why this activity is still being logged,.. let alone to identify which item is the source of these mDNS requests... Is anyone able to offer some pointers that would be really helpful.
Or am I barking up the wrong tree with my assumptions that I need to block these 'requests' at all..?
Kind Regards to all...
-
@diyhouse
https://forum.netgate.com/topic/152194/solved-firewall-log-entries-flooded-for-ipv6-5353
Blocking bogons on an internal network is probably not necessary, uncheck that on LAN.
-
@diyhouse said in mDNS :5353 traffic swamping log file...:
But I am at a loss as to why this activity is still being logged,
because the rule that is logging it is your bogon rule - it makes zero sense to block bogon on your local interfaces. It is above the rule where you block it and don't log.
I would as suggested already by @SteveITS turn off the bogon on your local interface, other option would be to not log bogon. 3rd and best option (along with turning off the bogon rule on your local side interfaces) is to find out what is sending it and get it to stop.
Simple way to do that would be to sniff on lan 1 (packet capture) for 5353 to find the mac address - and then turn off that noise on that device. Quite possible you have multiple devices doing it, which just means more noise - just because you don't log the noise doesn't make the noise stop, just masks the problem.
If it's wired and you have a smart switch, from the mac no issues tracking down what it is - if wifi a bit harder, unless you run something like unifi with controller so you know every device on your network, etc.
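Added example, not part of the original post: before setting up a capture, the source addresses already in the filter log can often be mapped to MAC addresses, because a link-local address with ff:fe in the middle of its interface ID is built from the MAC (modified EUI-64). The function names are illustrative and the last sample line is constructed; a packet capture on LAN1 remains the authoritative check for devices that use random interface IDs.

```python
import ipaddress
import re
from collections import Counter

# First five lines are from the first post; the last line is constructed to
# show a source whose interface ID is not EUI-64 based.
SAMPLE_LOG = """\
Nov 1 16:38:00 LAN1 [fe80::d6f5:47ff:fe46:6d0a]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::d6f5:47ff:fe46:6d0a]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::d6f5:47ff:fe56:b44c]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::d6f5:47ff:fe56:b44c]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:00 LAN1 [fe80::22df:b9ff:fe5a:3da8]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
Nov 1 16:38:01 LAN1 [fe80::1c2b:3a4d:5e6f:7081]:5353 [ff02::fb]:5353 UDP block bogon IPv6 networks from LAN1 (11004)
"""

# "[src]:sport [dst]:dport"; the ports are absent for non-UDP/TCP entries.
ENTRY_RE = re.compile(r"\[([0-9a-fA-F:]+)\](?::(\d+))?\s+\[([0-9a-fA-F:]+)\](?::(\d+))?")
MDNS_GROUP = ipaddress.IPv6Address("ff02::fb")


def eui64_to_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # random/privacy or manually set interface ID
    # Drop the ff:fe filler and flip the universal/local bit back.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def mdns_talkers(log_text):
    """Count logged mDNS packets (to ff02::fb, port 5353) per source MAC."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m or m.group(4) != "5353":
            continue
        if ipaddress.IPv6Address(m.group(3)) != MDNS_GROUP:
            continue
        src = m.group(1)
        counts[eui64_to_mac(src) or f"no EUI-64 ({src})"] += 1
    return counts


if __name__ == "__main__":
    for who, n in mdns_talkers(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {who}")
```

The derived MACs can then be looked up in a switch's MAC table or the DHCP lease list to name the devices.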
-
@johnpoz thank you for your feedback guys,... have done some 'playing',.. and found that trying to disable bogons on my local LAN is met with 'The Router Advertisement Server is active on this interface and can only be used with static Ipv6 config etc....'
Should I disable this to override this setting,.. or will this disable the 'mickey mouse' checks pfsense does to protect users from themselves... ??
my WAN rules are now as follows:-
And my LAN rules are as follows:-

Now I am still getting
Nov 2 13:57:40 LAN1 [fe80::22df:b9ff:fe5a:3da8] [ff02::16] Options
Nov 2 13:57:40 LAN1 [fe80::2f6:20ff:fee7:be74] [ff02::16] Options
Nov 2 13:59:05 LAN1 [fe80::d6f5:47ff:fe46:6d0a]:5353 [ff02::fb]:5353 UDP
Nov 2 13:59:04 LAN1 [fe80::d6f5:47ff:fe56:b44c]:5353 [ff02::fb]:5353 UDP
I understand my rules are a little open on the LAN side,.. but even though the packets are being analysed, they do not evaluate as 'true',.. I assume ff02::16 and ff02::fb could be simplified to just ff02:: but as I am struggling to get a match,.. I have left as this,.. I appreciate the protocol will need to be UDP,.. but I am not even capturing it as *...
Trying to identify the source is another issue,.. but I suspect that it is some ZigBee home automation devices on my network,.. but I will look at those later,.. as that is an issue to access them...
So what am I missing.. ( probably the obvious,.. )
Many Tx
-
@diyhouse said in mDNS :5353 traffic swamping log file...:
found that trying to disable bogons on my local LAN is met with 'The Router Advertisement Server is active on this interface
What??? removing bogon blocking from your interface has ZERO to do with RA.
Go to your interface lan1 and uncheck this

-
@johnpoz Yes but saving an interface triggers checks like that. OP may need to disable RA, save LAN, and set it up again if desired.
-
'The Router Advertisement Server is active on this interface and can only be used with static Ipv6 config etc....
How does he have RA even on if he has no static ipv6 on his interface - yeah he should turn off RA if he is not going to actually set it up.. And he sure isn't going to be using it with link-local addresses, which is what he is logging.
-
@johnpoz
Tx Guys,...
Found this post which fixed my inability to disable bogon..
disable bogons
Have now turned off bogon,.. and see where we go now... and reverted back to no IPv6
Thanks for the pointers
-
That's it guys,... Thank you,..
I now have a log file that has 'useful stuff' in it and will allow me to track the problem I was really trying to solve....
