What is 1000000103 doing on my LAN
-
I have had my lovely Netgate 4100 for several years now and have upgraded to 4200, and am super happy with it.
Now a challenge has arisen for which I must have created an understanding. Hope you can help.
I have set up my LAN based on the principle that everything is blocked, and only the ports described are allowed.
TCP Ipv4/ LAN subnets (Mit lan)/ *all port/ *all destination/ “allowed ports” / *all gateway
The same for UDP and ICMP, there are special permissions for DNS going to Pi Hole All the same general rules that tell which ports must be communicated on.
The last line at the bottom Ipv4 LAN subnets * * * * Block All Outbound Not Permitted Previously The tracking ID for this rule is 0100000101
Part of the story is that I have 2 VLANs in, one for the internet, and one for some LAN connections.
Under system, routing, static routes I have 192.168.20.0/24 Next_Hop – 172.118.66.7 WAN80
I then have an interface WAN80 where there are no rules, because I need to be able to access something but not the other way around, and it works fine. I now get a task to access something on port 7001 TCP that I don't have in my allowed ports. That is, from my internal LAN 192.168.77.6 to an IP of 192.168.20.25:7001. It doesn't work, I forgot that 7001 is not allowed, and I see in the log that rule 1000000101 has blocked it as it should.
I think just for this test I'll disable this rule and let everything pass freely. But then I get a block again from rule 1000000103. I don't understand that, 1000000103 is normally shown as the block rule from the WAN side. So it only works if I add 7001 to my allowed TCP rules.
Question: when I disable 1000000101 Block All Outbound Not Permitted Previously, shouldn't there be free traffic from all ports? How does 1000000103 mix into this?
-
@Felix-4 said in What is 1000000103 doing on my LAN:
how does 1000000103 mix into this?
This is the default deny rule.
You didn't add any matching pass rule to the LAN?
If no pass rule matches the traffic it is blocked by the default deny rule, which can be considered as invisible at the end of the rule set. So this behavior might be normal. -
yup
[25.07.1-RELEASE][admin@sg4860.home.arpa]/root: pfctl -vvsr | grep 1000000103
@4 block drop in inet all label "Default deny rule IPv4" ridentifier 1000000103
[25.07.1-RELEASE][admin@sg4860.home.arpa]/root:
If you are logging default deny (which is the default thing).. I do not log this rule, then yeah, any traffic that falls through the rule set on any interface without matching an allow or deny rule would be caught by this rule and logged.
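To turn a tracker ID seen in the firewall log (1000000101, 1000000103, 1000000104, ...) back into the rule it belongs to, the pfctl -vvsr output shown above can be parsed rather than grepped by hand. The following is an added example, not code from the thread or from pfSense; the sample ruleset is constructed in the style of pfctl -vvsr output, and its rule numbers, interface name igb1 and labels are made up.

```python
import re

# Constructed sample in the layout of `pfctl -vvsr` on pfSense (not captured from
# the thread). The "[ Evaluations ... ]" counter lines are what -vv adds.
SAMPLE_RULESET = """\
@4 block drop in inet all label "Default deny rule IPv4" ridentifier 1000000103
  [ Evaluations: 1204      Packets: 37        Bytes: 2220        States: 0     ]
@5 block drop out inet all label "Default deny rule IPv4" ridentifier 1000000104
  [ Evaluations: 1204      Packets: 0         Bytes: 0           States: 0     ]
@90 pass in quick on igb1 inet proto tcp from 192.168.77.0/24 to any port = 443 flags S/SA keep state label "USER_RULE: allowed ports" ridentifier 1700000001
  [ Evaluations: 800       Packets: 4000      Bytes: 5500000     States: 3     ]
@91 block drop in log quick on igb1 inet from 192.168.77.0/24 to any label "USER_RULE: Block All Outbound Not Permitted Previously" ridentifier 1000000101
  [ Evaluations: 12        Packets: 12        Bytes: 720         States: 0     ]
"""

# A rule line: "@<n> <body> label "<label>" ridentifier <tracker>".
RULE_RE = re.compile(r'^@(\d+)\s+(.*?)label "([^"]*)"\s+ridentifier (\d+)\s*$')
ACTION_RE = re.compile(r'^(pass|block(?: drop| return)?|match)\b')


def parse_rules(text):
    """Map each tracker ID (ridentifier) to the rule's action, direction,
    interface, logging flag and label. Counter lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, body, label, tracker = m.groups()
        action = ACTION_RE.match(body)
        direction = re.search(r'\b(in|out)\b', body)   # "inet" has no boundary after "in"
        iface = re.search(r'\bon (\S+)', body)          # absent on the default deny rules
        rules[tracker] = {
            "num": int(num),
            "action": action.group(1) if action else body.split()[0],
            "direction": direction.group(1) if direction else None,
            "iface": iface.group(1) if iface else None,
            "logged": re.search(r'\blog\b', body) is not None,
            "label": label,
        }
    return rules


def explain(rules, tracker):
    """One readable line for a tracker ID taken from the firewall log."""
    r = rules.get(tracker)
    if r is None:
        return f"{tracker}: not in the loaded ruleset (stale or anchor rule?)"
    where = f"on {r['iface']}" if r["iface"] else "on any interface"
    logged = "logged" if r["logged"] else "not logged"
    return f"{tracker}: {r['action']} {r['direction']} {where} ({logged}) - {r['label']}"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULESET)
    for tid in ("1000000101", "1000000103", "1000000104", "4242"):
        print(explain(rules, tid))
```

Running it against a real box would mean feeding it the output of `pfctl -vvsr` instead of the constructed sample; the "on any interface" result for 1000000103 is exactly why that rule shows up on LAN as well as WAN.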
-
Thanks for the answer I have received,
I had become a bit rusty in that area. I'll just outline my understanding of it and you can correct me if I'm wrong. When someone comes from outside the internet and wants to IN on my WAN port, it's 1000000103 that is shown in the Log, and when there is no permission on a defined port on my LAN and I send a packet IN to my LAN interface, it's 1000000103 that is active.
Therefore, you can describe 1000000103 as a "catch-all" block for all traffic that does not meet the permitted conditions in the previously defined rules. And it's the one with IN on the interface that needs to be in place. Is that correct? 1000000104 Default deny IPv4 (outbound) also played around in my head a bit, but you don't see it much.
And johnpoz, you write "I do not log this rule"; do you not care about following up a little on what and how your WAN port is being hit from the outside?
-
@Felix-4 said in What is 1000000103 doing on my LAN:
little on what and how your WAN port is being hit from the outside?
I said I don't log default deny, I have a rule on my WAN that logs SYN packets and the UDP I'm interested in.. Just no need to see every little thing.
-
Thanks for the answer, I really appreciate being able to look this way if there is something really burning. As I said, I really like Netgate and my pfSense and feel best when I have a full overview of the machine room. I have noted "pfctl" and will study it, so I learn something new.
Regards ;o) -
@Felix-4 I have been in this biz for too long I guess - I don't need to see every little thing.. Some stray SA is meaningless - it's noise, or stray UDP packets to any single port, etc.. It's just noise..
I have a rule at the end that blocks SYN to my address and logs.. I have other rules that log specific senders, that I block from scanning my ports, etc. I log those, etc. But some stray packet hitting my IP is many times just noise that clutters up the log with stuff I don't want to see. If I am troubleshooting something and want/need to see everything, it's a click of a button to turn default deny logging back on ;)
